A DDoS (Distributed Denial of Service) is an attack that focuses on making the website unavailable to its legitimate users. DDoS attacks can produce service interruptions, introduce large response delays, and cause various business losses.

Denial-of-service attacks work in one of two ways: they either flood a service with more traffic than it can handle or crash it outright. Attackers launch DDoS traffic from compromised computers and smart devices, so it is common for them to make use of internet-accessible IoT devices. IoT devices are any electronics that can connect to the internet and transmit data, such as toys, smart TVs, and monitors of any kind.

Because these devices have limited processing power and stripped-down operating systems, they often ship without advanced security features. DDoS attackers use the IP addresses of compromised IoT devices, personal computers, and even servers as the apparent sources of their traffic, so the flood looks like it comes from many legitimate clients. This makes quick detection harder and makes it difficult to trace the attack back to the attacker's real origin.

According to TechRepublic, in Q1 2019 attacks of 100Gbps or more increased by 967% compared with Q1 2018. The largest attack, at 587Gbps, was 70% larger than the biggest one for the same period in 2018 (345Gbps).

The Top 4 Largest DDoS Attacks

Have you ever wondered what the top 4 largest DDoS attacks were? In this post, we will dive into what the largest DDoS attacks looked like.

Spamhaus – 2013

The Spamhaus Project is an international anti-spam organization based in London and Geneva. Founded in 1998, it compiles blocklists that its users, usually internet service providers and mail server operators, rely on to reduce the amount of spam reaching their customers.

This particular attack began on March 16th and kept Spamhaus down until March 23rd. At one stage the attackers also hijacked Spamhaus' IP address space by announcing a malicious BGP (Border Gateway Protocol) route and placed a DNS server at the hijacked address. That server returned a positive (listed) result for every Spamhaus DNSBL (DNS-based blocklist) query, so any mail server trusting the list would have treated every sender as a spammer.

The main attack was reported as a DNS reflection/amplification DDoS, peaking at 140Gbps in some accounts and at over 300Gbps in others. It affected Spamhaus' website, e-mail servers, and DNS IPs.

Carried out by a hacker-for-hire, it took many networks and several website security providers to mitigate one of the largest DDoS attacks ever recorded. Spamhaus said this about the events and the attacker:

“A 17-year-old male from London has been charged with computer misuse, fraud, and money laundering offences. He was arrested in April 2013. On his arrest officers seized a number of electronic devices”.

Misconfigured open recursors (DNS resolvers that answer recursive queries from anyone on the internet) are a real threat because they run on big servers with fat pipes and will answer a query whose source address has been spoofed to the victim's just as readily as a legitimate one. Lists of these open recursors are openly available and, in the wrong hands, could be disastrous for the internet.
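The following is an added example, not code from the original article or from Spamhaus: it builds the kind of DNS query a reflection attack sends (with the victim's address as the spoofed source), reads the "recursion available" (RA) flag in a reply header that marks an open recursor, and computes the amplification factor from query and reply sizes. The reply bytes are constructed inline for the example and nothing is sent on the network; the name example.com, the transaction ID and the record sizes are arbitrary choices.

```python
import struct

QTYPE_ANY = 255
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Encode a one-question DNS query with RD (recursion desired) set, which is
    exactly what a reflection attack sends with the victim's address spoofed as
    the source. QTYPE ANY is favoured because the answer carries every record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields that matter here."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the server will recurse for us
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def is_open_recursor(query: bytes, reply: bytes) -> bool:
    """A resolver that answers an arbitrary client's recursive query with RA=1
    and NOERROR, instead of REFUSED, is offering recursion to the whole internet."""
    q, r = parse_header(query), parse_header(reply)
    return r["id"] == q["id"] and r["qr"] and r["ra"] and r["rcode"] == RCODE_NOERROR


def amplification_factor(query: bytes, reply: bytes) -> float:
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    return len(reply) / len(query)


def fake_reply(query: bytes, rr_count: int, rdata_len: int,
               ra: bool = True, rcode: int = RCODE_NOERROR) -> bytes:
    """Constructed reply for this example: echoes the question section and
    appends rr_count answer records, each with rdata_len bytes of filler
    (record contents are not parsed here; only their size matters)."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0xF)   # QR=1, RD=1, RA, RCODE
    question = query[12:]
    # name pointer to offset 12 (the question name), TYPE TXT, CLASS IN, TTL, RDLENGTH
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 300, rdata_len) + b"A" * rdata_len
    return struct.pack(">HHHHHH", txid, flags, 1, rr_count, 0, 0) + question + rr * rr_count


if __name__ == "__main__":
    q = build_query("example.com")
    big = fake_reply(q, rr_count=20, rdata_len=100)
    print("open recursor:", is_open_recursor(q, big),
          "amplification: %.1fx" % amplification_factor(q, big))
```

To test a real resolver, send the bytes from build_query over a UDP socket to port 53 and pass the reply to is_open_recursor; a correctly configured resolver answers outsiders with REFUSED and RA clear. The fix on the server side is to restrict recursion to your own networks and to rate-limit responses, so that a spoofed query cannot turn the server into a 78x amplifier as the constructed reply above does.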

BBC – 2015

The BBC (British Broadcasting Corporation) is a public service broadcaster based in London. Founded in 1922, it is the oldest national broadcasting organization in the world and today one of the largest, carrying TV channels, radio stations, and web portals for all of its subsidiaries.

On New Year's Eve 2015, a group calling itself New World Hackers claimed responsibility for a DDoS attack against the BBC website, describing it as “a test of their abilities”.

The group claimed the attack reached almost 600Gbps, but neither that figure nor the attackers' identity was ever confirmed by the BBC. If it did reach that scale, it was the largest attack recorded at the time, and it took nearly two weeks to recover completely from the incident.

The entire BBC domain was taken down, including the on-demand television and radio player, for roughly three hours of attack, followed by residual issues for the rest of the morning. New World Hackers said:

“The reason we really targeted the BBC is because we wanted to see our actual server power”

and followed with:

“It was only a test. Our servers are quite strong”

The BBC DDoS Attack

The attack was carried out by botnets driven by booter tools such as Lizard Stresser and BangStresser. The hacktivists said at the time that they had not intended to run the attack for that long.

Dyn – 2016

Dyn is a US-based internet performance management and web application security company, founded in 2001 and acquired by Oracle Corporation in 2016. It offers products to optimize, control, and monitor online infrastructure.

On October 21st, Dyn's managed DNS infrastructure was hit by a series of DDoS attacks. Because so many sites depended on Dyn to resolve their domain names, the attack affected a large number of users in North America and Europe. It lasted roughly one day, with traffic reported to spike as high as 1.2Tbps, and cut off access to several large, high-traffic sites, including Airbnb, Amazon.com, Fox News, HBO, The New York Times, Twitter, Visa and CNN.

New World Hackers, Anonymous, and SpainSquad claimed responsibility, framing the attack as retaliation for Ecuador cutting off internet access to WikiLeaks founder Julian Assange at its embassy in London, where he had asylum. No one has confirmed this as the reason.

Dyn stated that, according to risk intelligence firm Flashpoint, the attack came from a botnet of a large number of IoT devices, including baby monitors, cameras, and residential gateways, that had been infected with the Mirai malware.

Github – 2018

Founded in 2008, GitHub is a US-based subsidiary of Microsoft. It offers web-based hosting for version control, using Git as its source-code management (SCM) tool.

On February 28th, a flood of traffic hit the developer platform, peaking at 1.3Tbps, the largest attack recorded at that time. GitHub was offline for five minutes in total, but full recovery took nearly a week.

GitHub stated they were not underprepared:

“Over the past year we have deployed additional transit to our facilities. We’ve more than doubled our transit capacity during that time, which has allowed us to withstand certain numeric attacks without impact to users. Even still, attacks like this sometimes require the help of partners with larger transit networks to provide blocking and filtering”. – GitHub

Memcached, an in-memory caching system that websites use to take load off their backend databases, was the amplifier. The attackers sent small requests to the default UDP (User Datagram Protocol) port, 11211, of memcached servers exposed to the internet, with the packets' source address spoofed to GitHub's IP; each server then sent its much larger response to the target.
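As an added example (not code from the original article, GitHub or the memcached project), the block below shows the memcached UDP framing that the amplification abuses, and a detector that scans flow records for the signature the victim's network sees: replies from many reflectors on a well-known UDP service port converging on one host with a very high bytes-per-packet ratio. The flow records, the documentation-range addresses and the thresholds (three reflectors, 900 bytes per packet) are constructed and assumed for the example.

```python
import struct
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
# UDP services commonly abused as reflectors, keyed by the source port the
# victim sees replies coming from
REFLECTOR_PORTS = {53: "dns", 123: "ntp", MEMCACHED_UDP_PORT: "memcached"}


def memcached_udp_request(request_id: int, command: bytes) -> bytes:
    """memcached's UDP protocol prefixes every datagram with an 8-byte frame
    header: request id, sequence number, total datagrams in the message, and a
    reserved word. A request of a few dozen bytes ('stats', or 'get' of a key
    the attacker stuffed beforehand) draws a reply of many kilobytes."""
    return struct.pack(">HHHH", request_id, 0, 1, 0) + command + b"\r\n"


def parse_memcached_udp(datagram: bytes) -> dict:
    """Split a memcached UDP datagram into its frame header and payload."""
    if len(datagram) < 8:
        raise ValueError("truncated memcached UDP frame")
    request_id, seq, total, _reserved = struct.unpack(">HHHH", datagram[:8])
    return {"request_id": request_id, "seq": seq, "total": total,
            "payload": datagram[8:].rstrip(b"\r\n")}


def detect_reflection(flows, min_sources: int = 3, min_bytes_per_packet: float = 900.0):
    """Group inbound UDP flows by (destination, reflector service port). Flag a
    destination that receives replies from at least min_sources distinct
    reflectors with a large average packet size: a real client never receives
    thousands of near-MTU answers from services it did not query. Thresholds
    are assumptions for the example; tune them to your own baseline."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        g = groups[(f["dst_ip"], f["src_port"])]
        g["sources"].add(f["src_ip"])
        g["packets"] += f["packets"]
        g["bytes"] += f["bytes"]
    findings = []
    for (victim, port), g in groups.items():
        bpp = g["bytes"] / g["packets"] if g["packets"] else 0.0
        if len(g["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            findings.append({"victim": victim, "service": REFLECTOR_PORTS[port],
                             "reflectors": len(g["sources"]),
                             "bytes_per_packet": round(bpp, 1),
                             "megabits": round(g["bytes"] * 8 / 1e6, 1)})
    return sorted(findings, key=lambda x: -x["megabits"])


def flow(src_ip, src_port, dst_ip, dst_port, packets, nbytes):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": "udp", "packets": packets, "bytes": nbytes}


# Constructed flow records (documentation address ranges), not real telemetry:
# four exposed memcached servers all answering toward one host that never
# queried them, plus one ordinary DNS answer to a real client.
SAMPLE_FLOWS = [
    flow("198.51.100.1", MEMCACHED_UDP_PORT, "203.0.113.10", 40001, 50_000, 70_000_000),
    flow("198.51.100.2", MEMCACHED_UDP_PORT, "203.0.113.10", 40001, 50_000, 70_000_000),
    flow("198.51.100.3", MEMCACHED_UDP_PORT, "203.0.113.10", 40001, 50_000, 70_000_000),
    flow("198.51.100.4", MEMCACHED_UDP_PORT, "203.0.113.10", 40001, 50_000, 70_000_000),
    flow("198.51.100.53", 53, "203.0.113.20", 51234, 3, 600),
]

if __name__ == "__main__":
    print(parse_memcached_udp(memcached_udp_request(1, b"stats")))
    for finding in detect_reflection(SAMPLE_FLOWS):
        print(finding)
```

The same grouping works on real NetFlow/IPFIX or sFlow exports once they are mapped to the flow() dictionary shape; the operational fixes are to firewall UDP/11211 (memcached has no business listening on a public interface) and to drop packets with spoofed sources at the network edge, which is what BCP 38 ingress filtering asks every network to do.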

Responsibility for this attack and the attacker is still unknown.

How to Prevent and Respond to a DDoS Attack

Whether you run a small or a large website, you should prepare to face a DDoS attack. Putting a website firewall in front of your site is a good way to be ready for the worst case. The Sucuri Web Application Firewall (WAF) filters all incoming traffic and stops DDoS traffic from reaching your origin, which improves performance as well as security.

Preparation is key, but it also helps to have a response plan:

  • Avoid single points of failure – spread your servers across multiple data centers behind a good load-balancing system.
  • Have a secondary DNS server – attackers may try to bring your DNS servers down.
  • Consider managed website security – a professional on your side can help you work through an attack with minimal impact.
  • Don’t buy more bandwidth – don’t feed the troll; use a professional WAF instead.
  • Limit your vulnerable or resource-hungry endpoints to the traffic your website actually expects.
  • Outsource as many website components as possible. Instead of a built-in search system, consider integrating a professional search service into your website.
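Limiting resource-hungry endpoints, as the list above recommends, in practice means admitting requests by their cost rather than by count. The block below is an added example, not code from Sucuri or the original article: it parses web server access-log lines in the common log format, charges each request to a per-client token bucket according to an assumed cost table (a database-backed search costs ten times a static page), and reports which requests would have been throttled with a 429. The log lines, client addresses, costs, bucket size and refill rate are all constructed for the example.

```python
import re
from datetime import datetime

# Common Log Format as written by Apache/nginx: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed relative cost of serving each path (anything else costs 1):
# a database-backed search is far more expensive than a cached page.
ENDPOINT_COST = {"/search": 10, "/wp-login.php": 5}


class TokenBucket:
    """Classic token bucket: `capacity` tokens, refilled at `refill_per_sec`.
    A request is admitted only if its cost fits in the bucket."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = capacity
        self.last = now

    def allow(self, cost: float, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def parse_line(line: str):
    """Return (client_ip, unix_time, path) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m["target"].split("?", 1)[0]
    return m["ip"], ts, path


def evaluate(log_lines, capacity: float = 20.0, refill_per_sec: float = 2.0):
    """Replay access-log lines through one bucket per client IP. Returns
    (ip, path, admitted) per request, so the same logic can run inline in a
    middleware or offline over yesterday's log to find clients that would
    have been throttled."""
    buckets, decisions = {}, []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        bucket = buckets.setdefault(ip, TokenBucket(capacity, refill_per_sec, ts))
        decisions.append((ip, path, bucket.allow(ENDPOINT_COST.get(path, 1), ts)))
    return decisions


# Constructed log lines for the example (documentation addresses): one client
# hammers the search endpoint, another browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2019:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 5120
198.51.100.7 - - [10/Aug/2019:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.5 - - [10/Aug/2019:10:00:00 +0000] "GET /search?q=b HTTP/1.1" 200 5120
203.0.113.5 - - [10/Aug/2019:10:00:00 +0000] "GET /search?q=c HTTP/1.1" 200 5120
203.0.113.5 - - [10/Aug/2019:10:00:01 +0000] "GET /search?q=d HTTP/1.1" 200 5120
198.51.100.7 - - [10/Aug/2019:10:00:01 +0000] "GET /about.html HTTP/1.1" 200 1024
203.0.113.5 - - [10/Aug/2019:10:00:06 +0000] "GET /search?q=e HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, path, admitted in evaluate(SAMPLE_LOG):
        print(ip, path, "admitted" if admitted else "throttled (429)")
```

With a 20-token bucket refilling at 2 tokens per second, the searching client gets two searches through, is throttled on the next two, and is admitted again five seconds later once the bucket has refilled, while the client fetching static pages is never touched. Keying buckets on the client IP alone is the weak spot: a botnet of thousands of addresses stays under every per-client limit, which is why the costed endpoints also need a global budget and a WAF in front.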

Source: https://securityboulevard.com/2019/08/the-largest-ddos-attacks-what-you-can-learn-from-them/

As Eric Muntz from Keone Software notes, malware and data breaches are not the only risks website owners face these days. A DDoS attack can be devastating enough to destroy a business. Read this post to find out about major DDoS attacks.

The GitHub attack of 2018

The GitHub attack of 2018 remains one of the largest DDoS attacks of all time. It targeted GitHub, a popular code-hosting site, and peaked at 1.3Tbps, with packets arriving at 126.9 million per second. No botnet was involved: the attackers exploited the amplification effect of the Memcached database caching system. GitHub, having learned from the 2015 attack, was using a DDoS protection service; it was alerted within 10 minutes and the attack lasted only about twenty minutes.

The Dyn Attack

The Dyn attack, in October 2016, was aimed at a DNS operator, and by taking Dyn down it disrupted the major websites that depended on it, including PayPal, Amazon, Airbnb, Visa, The New York Times, Netflix, GitHub, and Reddit. The malware used to achieve this was Mirai, which builds a botnet out of vulnerable internet-connected devices such as webcams, printers, monitors and the like. To launch the attack, all these devices were instructed to send requests to a single victim at the same time. The attack did not last long, and Dyn recovered within a day.

The Mafiaboy attack

The Mafiaboy attack was launched in 2000 by a fifteen-year-old who went by the handle Mafiaboy, which is where the attack's name comes from. The websites attacked included eBay, Yahoo, Dell, CNN and E-Trade, some of the biggest sites of the time. The attack not only disrupted major internet services but also caused losses in the stock market, and it was one of the drivers of the cybercrime laws that exist today.

The Spamhaus Attack

The Spamhaus attack took place in 2013 and is regarded as one of the largest and most dangerous attacks. As the first part of its name suggests, Spamhaus is an organization that helps recognize and filter the spam e-mail users receive, which makes it a prime target for attackers who distribute their attacks through spam. The attack reached 300Gbps, and soon after it began Spamhaus signed up for Cloudflare's DDoS protection, which played a major role in saving the organization. Even though the attack did not cause lasting damage, it still disrupted the normal functioning of LINX, the London Internet Exchange.

The GitHub Attack

This 2015 DDoS attack was mainly focused on GitHub, and researchers concluded that it was politically motivated. It was one of those attacks that lasted a while and adapted itself to GitHub's existing DDoS mitigations. It worked by injecting malicious JavaScript into the browsers of users who visited sites that loaded content from Baidu, China's most popular search engine; the injected code made those browsers send a stream of HTTP requests to GitHub pages.

Source: https://baltimorepostexaminer.com/top-5-ddos-attacks-of-all-times/2019/08/19

Various implementations of HTTP/2, the latest version of the HTTP network protocol, have been found vulnerable to multiple security vulnerabilities affecting the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

Launched in May 2015, HTTP/2 was designed for better security and an improved online experience by speeding up page loads. Today hundreds of millions of websites, some 40 percent of all sites on the Internet, run on HTTP/2.

A total of eight high-severity HTTP/2 vulnerabilities, seven discovered by Jonathan Looney of Netflix and one by Piotr Sikora of Google, stem from resource exhaustion when handling malicious input, allowing a client to overload the server's queue management code.

The vulnerabilities can be exploited to launch Denial of Service (DoS) attacks against millions of online services and websites that are running on a web server with the vulnerable implementation of HTTP/2, knocking them offline for everyone.

The attack scenario, in layman's terms, is that a malicious client asks a targeted vulnerable server to do something that generates a response, but then refuses to read the response, forcing the server to consume excessive memory and CPU while it keeps processing requests.

“These flaws allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash,” Netflix explains in an advisory released Tuesday.

Most of the vulnerabilities listed below work at the HTTP/2 transport layer:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2019-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

“Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the advisory states.

However, it should be noted that the vulnerabilities can only be used to cause a DoS condition and do not allow attackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers.
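To make the "asks for work, refuses to read the answer" pattern concrete, here is an added example (not code from Netflix, Google, CERT or any of the listed vendors): a minimal decoder for RFC 7540 frames and a per-connection budget of the kind the patched servers adopted against the Ping Flood, Settings Flood and Reset Flood variants. Each unsolicited PING obliges the server to queue a PING ACK, each SETTINGS a SETTINGS ACK, and each RST_STREAM some teardown work; the budget charges that work as it is queued and credits it back only when the client actually drains replies, closing the connection once the queue exceeds the limit. The budget of 1000 frames and the flood sizes are assumed figures for the example.

```python
import struct

FRAME_HEADER_LEN = 9
# RFC 7540 frame type codes
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE = range(9)
FLAG_ACK = 0x1
ERR_CANCEL = 0x8


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Frame header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def decode_frames(data: bytes) -> list:
    """Split a byte stream into (type, flags, stream_id, payload) tuples, stopping at a truncated frame."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    return frames


class ControlFrameBudget:
    """Per-connection accounting for reply work the client has not yet read.
    A client that loops on PING/SETTINGS/RST_STREAM while never reading its
    socket makes the server's outbound queue grow without bound; capping the
    queue turns an unbounded memory cost into a closed connection.
    The default budget is an assumed figure, not a vendor's value."""

    def __init__(self, budget: int = 1000):
        self.budget = budget
        self.outstanding = 0
        self.closed = False

    def on_frame(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> str:
        if self.closed:
            return "closed"
        if ftype == PING:
            if stream_id != 0 or len(payload) != 8:
                return self._close("protocol_error")
            if not flags & FLAG_ACK:          # ACKs to our own pings cost nothing
                self.outstanding += 1
        elif ftype == SETTINGS:
            if stream_id != 0 or (flags & FLAG_ACK and payload) or len(payload) % 6:
                return self._close("protocol_error")
            if not flags & FLAG_ACK:
                self.outstanding += 1
        elif ftype == RST_STREAM:
            if stream_id == 0 or len(payload) != 4:
                return self._close("protocol_error")
            self.outstanding += 1
        if self.outstanding > self.budget:
            return self._close("goaway")      # send GOAWAY(ENHANCE_YOUR_CALM) and drop the connection
        return "ok"

    def on_replies_drained(self, count: int) -> None:
        """Called when the client has actually read `count` queued reply frames."""
        self.outstanding = max(0, self.outstanding - count)

    def _close(self, reason: str) -> str:
        self.closed = True
        return reason


def simulate_flood(ftype: int, count: int, budget: int = 1000):
    """Encode `count` frames of one control type the way the flood attacks do,
    decode them as a server would, and return the first non-ok verdict (or "ok")
    together with how much work was left queued."""
    frames = []
    for i in range(count):
        if ftype == PING:
            frames.append(encode_frame(PING, 0, 0, b"\x00" * 8))
        elif ftype == SETTINGS:
            frames.append(encode_frame(SETTINGS, 0, 0, b""))
        elif ftype == RST_STREAM:
            frames.append(encode_frame(RST_STREAM, 0, 2 * i + 1, struct.pack(">I", ERR_CANCEL)))
        else:
            raise ValueError("not a control frame type used by the flood variants")
    tracker = ControlFrameBudget(budget)
    for frame in decode_frames(b"".join(frames)):
        verdict = tracker.on_frame(*frame)
        if verdict != "ok":
            return verdict, tracker.outstanding
    return "ok", tracker.outstanding


if __name__ == "__main__":
    print("1000 pings:", simulate_flood(PING, 1000))
    print("1001 pings:", simulate_flood(PING, 1001))
    print("reset flood:", simulate_flood(RST_STREAM, 5000))
```

The point of the budget is that it is keyed to what the client has read, not to what it has sent: a well-behaved client that drains its socket keeps the outstanding count near zero however many frames it sends, while the flood variants, which all depend on the server queueing replies into a socket the client never reads, hit the limit within a few kilobytes of low-bandwidth traffic. The Data Dribble and Internal Data Buffering variants need a companion limit on how long a stream may hold server memory with a near-zero flow-control window, which this example does not model.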

Netflix's security team, working with Google and the CERT Coordination Center to disclose the HTTP/2 flaws, discovered seven of the eight vulnerabilities in several HTTP/2 server implementations in May 2019 and responsibly reported them to each of the affected vendors and maintainers.

According to CERT, affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft (IIS), Cloudflare, Akamai, Apple (SwiftNIO), Amazon, Facebook (Proxygen), Node.js, and Envoy proxy, many of which have already released security patches and advisories.

Source: https://thehackernews.com/2019/08/http2-dos-vulnerability.html

In July 1999, a set of computers infected with the Trin00 malware attacked and took down the network of the University of Minnesota. The episode marked the first recorded case of a distributed-denial-of-service (DDoS) attack.

20 years later, DDoS has evolved into one of the most serious threats in the arsenal of both cybercrime gangs and nation-state actors.

What is DDoS?

As the name implies, the goal of DDoS attacks is to prevent the target website from providing service to its users by flooding its servers with bogus traffic and starving its resources.

Before launching a DDoS, attackers typically assemble a “botnet”: a set of computers compromised with malware that lets the attacker, the “bot master”, send them remote commands. After assembling this army of zombie devices, bot masters can launch DDoS attacks by commanding the botnet to flood the target with fake requests all at once.

With a strong enough botnet, an attacker can overwhelm the targeted server and cause it to crash, preventing it from  responding to requests from legitimate users.

Threat evolution

Since the attack against the University of Minnesota, DDoS assaults by criminals have accounted for massive financial losses and damage to the reputation of targeted organizations.

In the past year alone, web hosting and content delivery giant Akamai recorded hundreds of DDoS attacks per week. A recent report by cybersecurity vendor Kaspersky Labs also found an 84% increase in the number of DDoS attacks in the first quarter of 2019, The Daily Swig reported.

Aside from frequency, DDoS attacks have grown in size and in the extent of the damage they can cause.

Domingo Ponce, director of global security operations at Akamai, has been on the front line of fighting DDoS for over ten years.

“When I started, we were protecting against hacktivism (like Anonymous), script kitties, and companies attacking each other (shady gambling sites),” he told The Daily Swig.

“Now DDoS is all grown up – attacks are state-sponsored, large criminal syndicates are involved, and DDoS is a very significant revenue-based black market industry.”

IoT insecurity fuels the fire

The expansion of the Internet of Things (IoT) has played a major role in the recent growth of DDoS attacks. Many of these devices forgo security, often relying on default credentials, which makes them easy prey for botnet malware.

“Mirai was a turning point highlighting the power of DDoS botnets comprised of IoT devices,” Patrick Sullivan, Akamai’s senior director of security strategy, told The Daily Swig.

The Mirai botnet was behind a major DDoS attack against DNS provider Dyn, which caused a major internet outage in October 2016. The botnet comprised a large number of internet-connected cameras, home routers, and baby monitors.

“Not only do the sheer number of vulnerable IoT devices present a challenge, but attacker willingness to use these bots to perform Application Layer Attacks leads to higher levels of sophistication,” Sullivan said.

Protect and survive

Shortly after the Dyn attack in 2016, the hackers behind the Mirai botnet said they would rent out their massive botnet for $7,500, marking the rise of DDoS-as-a-service, where cybercriminals need little or no technical knowledge to carry out an attack.

The spread of DDoS attacks has also given rise to a market for DDoS mitigation.

“The only viable option is to deploy mitigation in even more distributed architectures,” Akamai’s Sullivan said.

“Even a massively scalable cloud solution deployed to a small number of locations and ISPs will struggle to contain the truly massive attacks. Peering points aren’t designed to handle huge spikes in traffic, and congestion will occur before traffic can route to mitigation points.”

Source: https://portswigger.net/daily-swig/20-years-of-ddos-attacks-what-has-changed

The number of DDoS attacks detected by Kaspersky jumped 18% year-on-year in the second quarter, according to the latest figures from the Russian AV vendor.

Although the number of detected attacks was down 44% from Q1, the vendor said this seasonal change is normal, as activity often dips in late spring and summer. Compared with the same period in 2017, however, the increase was larger still, at 25%.

Application-layer attacks, which the firm said are harder to defend against, increased by a third (32%) in Q2 2019 and now make up nearly half (46%) of all detected attacks. That share is up 9% from Q1 2019 and 15% from Q2 2018.

Crucially, the seasonal drop in attacks has barely touched targeting of the application layer, which fell just 4% from the previous quarter.

These attacks are difficult to detect and stop because they typically consist of legitimate-looking requests, the firm said.

“Traditionally, troublemakers who conduct DDoS attacks for fun go on holiday during the summer and give up their activity until September. However, the statistics for this quarter show that professional attackers, who perform complex DDoS attacks, are working hard even over the summer months,” explained Alexey Kiselev, business development manager for the Kaspersky DDoS Protection team.

“This trend is rather worrying for businesses. Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require them to identify illegitimate activity even if its volume is low. We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”

Kaspersky also recorded the longest DDoS attack since it started monitoring botnet activity in 2015. Analysis of commands received by bots from command and control (C&C) servers revealed one in Q2 2019 lasting 509 hours, which is nearly 21 days. The previous longest attack, observed in Q4 2018, lasted 329 hours.

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-jump-18-yoy-in-q2/