Though they might get lost in all the other security threats exacerbated by the Covid-19 pandemic, DDoS attacks, unsurprisingly, ticked up during the first part of 2020, most of them handily absorbed by the internet backbone – and by the defensive efforts of targeted companies.
Disruptions at AT&T, Sprint, T-Mobile and Verizon and streaming companies in mid-June stoked concerns that coordinated DDoS attacks were under way. Speculation swirled that China was behind a broader attack, but ultimately the disruption was largely blamed on misconfigurations by T-Mobile rather than a malicious attack on the internet backbone.
Then, during the second half of June, Amazon Web Services reported that it had mitigated a 2.3-terabit attack in mid-February, the largest DDoS attack ever recorded. According to the AWS report, the attack was approximately 44 percent larger than any network volumetric event previously detected on AWS. CLDAP reflection attacks of this magnitude caused three days of elevated threat during a single week in February 2020 before subsiding.
Akamai also reported on June 21 that it mitigated an attack on a European bank of 809 million packets-per-second (PPS). Most DDoS attacks are measured in bits-per-second (BPS) in which the attacker tries to overwhelm the inbound internet pipeline, sending more traffic to a circuit than it’s designed to handle. In contrast, PPS attacks try to overwhelm network gear and/or applications in the customer's data center or cloud environment. Both are volumetric, but PPS attacks exhaust the resources of the gear, rather than the capability of the circuits – and are much less common than BPS attacks.
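The BPS-versus-PPS distinction above is easiest to see in numbers: a flood of small packets can sit well below a circuit's bit-rate capacity while still exceeding what a firewall or router can process. The following Python is an added illustration, not code from the article or from AWS, Akamai or Nexusguard; the flow samples, the 10 Gbps link capacity and the 5 Mpps device limit are constructed values chosen to show both cases.

```python
"""Classify a volumetric flood as bandwidth-bound (bps) or packet-rate-bound (pps).

Added illustration with constructed inputs; the thresholds and flow samples
are assumptions, not figures from the AWS or Akamai reports.
"""
from dataclasses import dataclass

BITS_PER_BYTE = 8


@dataclass(frozen=True)
class FlowSample:
    """Aggregate inbound counters over one measurement window."""
    window_s: float   # length of the window in seconds
    packets: int      # packets seen in the window
    octets: int       # bytes seen in the window


def rates(sample):
    """Return (bits per second, packets per second) for the window."""
    if sample.window_s <= 0:
        raise ValueError("measurement window must be positive")
    bps = sample.octets * BITS_PER_BYTE / sample.window_s
    pps = sample.packets / sample.window_s
    return bps, pps


def classify(sample, link_capacity_bps, device_capacity_pps):
    """Name the resources a flood of this shape would exhaust first.

    'circuit' : bit rate exceeds the inbound link (the BPS case in the text)
    'gear'    : packet rate exceeds what the firewall/router/application can
                process (the PPS case), even when the link is not full
    """
    bps, pps = rates(sample)
    exhausted = []
    if bps > link_capacity_bps:
        exhausted.append("circuit")
    if pps > device_capacity_pps:
        exhausted.append("gear")
    return exhausted


def implied_bps(pps, avg_packet_bytes):
    """Bit rate that a packet rate represents at a given average packet size."""
    return pps * avg_packet_bytes * BITS_PER_BYTE


# Assumed capacities of the protected site (constructed values).
LINK_CAPACITY_BPS = 10_000_000_000   # 10 Gbps inbound circuit
DEVICE_CAPACITY_PPS = 5_000_000      # 5 Mpps edge-device packet budget

# Constructed one-second samples.
SAMPLES = {
    "baseline":  FlowSample(1.0, 50_000, 50_000 * 800),
    # large reflected responses: the pipe fills before the device limit
    "bps_flood": FlowSample(1.0, 900_000, 900_000 * 1_400),
    # 64-byte packets: the pipe is ~30% used, but the device is past its limit
    "pps_flood": FlowSample(1.0, 6_000_000, 6_000_000 * 64),
}


def report(samples=SAMPLES, link=LINK_CAPACITY_BPS, device=DEVICE_CAPACITY_PPS):
    """Map each sample name to the list of resources it would exhaust."""
    return {name: classify(s, link, device) for name, s in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        bps, pps = rates(SAMPLES[name])
        print(f"{name:10s} {bps / 1e9:6.2f} Gbps {pps / 1e6:6.2f} Mpps -> {verdict or ['none']}")
    # What the 809 Mpps figure from the article means on the wire at 64-byte packets.
    print(f"809 Mpps of 64-byte packets is about {implied_bps(809_000_000, 64) / 1e9:.0f} Gbps")
```

The point of tracking both rates separately is that a threshold on bandwidth alone never fires for the `pps_flood` sample, which is exactly the kind of event that exhausts network gear rather than the circuit.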
Roger Barranco, Akamai’s vice president of global security operations, explained that Akamai also mitigated a 1.44Tbps attack during the first week of June. Barranco said that while the attack Akamai mitigated was similar to the Amazon attack in that both were volumetric DDoS attacks, the two were quite different. The 2.3-terabit AWS-managed attack leveraged one vector, CLDAP, while the attack managed by Akamai included nine different vectors and had a significantly higher packets-per-second rate.
Kacey Clark, threat researcher at Digital Shadows, pinned the increased DDoS activity on an increased dependency on remote-access solutions during the COVID-19 period, which has increased the potential impact of cyberattacks overall.
“Internet traffic likely rose during the COVID-19 outbreak, so successful denial of service attacks are more likely to cause significant disruptions if critical services are impacted,” Clark said. “As constant availability is crucial for many companies during this time, organizations should assess their infrastructure's fault tolerance to identify weak endpoints and increase their reliability. Other organizations may consider implementing a managed DDoS protection service to help protect against these types of attacks.”
The Nexusguard report released on July 3 found that DDoS attacks went up 542 percent from Q4 2019 to Q1 2020, which confirms the many press reports of increased attacks.
On top of that, Alexander Gutnikov, system analyst at Kaspersky’s DDoS prevention service, added that DDoS attacks grew about 5 percent from Q1 2020 to Q2 2020, but noted that the small growth number is misleading.
“DDoS attacks are usually high in Q1 and in Q2 the number drops,” Gutnikov said. “Therefore, it’s unusual that Q1 and Q2 are almost equal. In addition, compared to the same period of Q2 2020, DDoS attacks grew more than threefold, so that can be considered dramatic.”
Tony Miu, research manager at Nexusguard, pointed out that the vast majority of events are so-called “invisible attacks” that, depending on the service provider, have features the provider would tend to ignore, disregard or not take note of when they happen. For a large ISP that typically serves Over the Top (OTT) providers, Miu said these might be attacks of up to 5G. For smaller ISPs, attacks of up to 1Gbps in size are more normal.
At least for now, there’s little cause for concern, Miu said.
“These ‘smaller’ attacks can be absorbed by the ISP, or rather, simply passed through to the customer,” Miu said. “The ISPs themselves are probably not impacted, but the customer would most likely suffer if they do not have any DDoS mitigation in place.”
Akamai’s Barranco agreed with Miu that the Internet infrastructure can absorb the vast majority of the recent DDoS attacks.
“While the size of DDoS attacks have been doubling every two years…the core of the Internet has the capacity to be largely unaffected by DDoS, but subsequent downstream links can be impacted resulting in spotty services levels as the malicious traffic gets closer to the victim’s site,” Barranco said. “This is why it’s important to fight DDoS and other types of cyber-attacks in a distributed fashion as close to the attack source as possible, versus closer to the target. The best way to protect yourself is to build a strong defensive posture, which requires an in-depth traffic analysis – this isn’t a trivial effort and takes time.”
Miu said companies can defend themselves by purchasing more bandwidth, but added that while a larger pipe works to a certain extent, it will not fully solve a company’s bandwidth security issues.
“The same can be said for tools or appliances,” explained Miu. “The point is that organizations need to take an integrated approach to implement defense-in-depth and breadth, putting together best-of-breed solutions so that they can have a comprehensive and effective solution.”
It also depends on the company. For companies where employees have to access company resources remotely, Miu said the security team should ensure that these remote resources are adequately protected. If the company relies on SaaS or other third-party services, it has to make sure those third-party services are redundant and have taken such issues into consideration.
Stephen Boyce, principal consultant at the Crypsis Group, added that organizations can experience legitimate DDoS issues because of increasing demand on their web page; or they can experience malicious, targeted attacks carried out to overwhelm the server and prevent legitimate access.
“DDoS interruptions can be mitigated by creating a DDoS response plan, implementing a secure and redundant network architecture, leveraging the cloud, and having the ability to scale bandwidth as needed,” Boyce said. “We also recommend using an up-to-date load balancer, network firewall, and web application firewall.”