Cloudflare has recently released their Q1 DDoS threat report [5]. Thus, this is a good point for a discussion on DDoS attacks and some of the newer techniques involved with them. First, we’ll get a little bit of a refresher on what DDoS attacks are, how they manifest and how things look when a service is being attacked, and how they can be detected. From there, we’ll go into the typical mechanics of how a DDoS attack takes place and what sort of techniques and methods tend to be involved. Then, we will get into describing the newer types of DDoS attacks known as hyper-volumetric attacks. These can differ significantly in their mechanics to more “traditional” or “standard” attacks, so we will try to clarify those things here. Then, we will give some overall considerations on the overall state of DDoS attacks in the first quarter of 2023.
DDoS, or distributed denial-of-service attacks, are attacks that attempt to disrupt traffic to a specific target. DDoS attacks can be divided into multiple classes, but generally these attacks will manifest in the form of a flood of network traffic attempting to overwhelm either the target specifically or the infrastructure surrounding the target. One common way to think about this is in comparison to a traffic jam. If there are too many cars on the road, then everyone is going to have trouble getting to where they’re headed. In a similar sense, if a system is expending its resources handling the requests from an attack, then the legitimate requests can either be delayed or not make it through at all [1, 2].
Unfortunately, it can be difficult to identify an attack for sure in some cases because of overlapping symptoms with a variety of networking issues. Typically, systems affected by DDoS attacks can suffer from atypical slow performance like long load times, an inability to load or serve files, or sudden connectivity losses. DDoS attacks can showcase a number of characteristics. For example, we can look for an unusually high amount of traffic coming from a specific source, or we can look for an unusually high amount of traffic coming from devices that share a certain profile, like location or device type. It can also be worth looking into unexplained surges to a specific point, or odd traffic patterns like surges occurring at odd times during the day [1, 2].
DDoS attacks are generally carried out using networks of internet-connected machines. A large proportion of these machines will be compromised computers but can also include a wide variety of other internet-connected devices. Individual devices in this use case are typically called bots, while networks or groups of these devices will typically be called botnets. Ideally, attackers will be looking to remote control these devices through malware, thus allowing them to designate a target of attack. Botnets under an attacker’s control will send spurious requests to the target to overwhelm the target server or network and “deny service” to legitimate traffic attempting to gain access. DDoS attacks can typically be divided into one of three categories, being either application layer, protocol, or volumetric attacks [1, 2].
The goal of application layer attacks is to exhaust the target’s resources thereby creating a “denial of service” situation. These attacks will target resources that respond to HTTP requests and serve web pages, like web servers and databases. The goal of protocol attacks is a little more general in the sense that service disruptions are still desired but will this kind of attack network resources like load balancers or firewalls can also be targeted. Volumetric attacks focus more on the bandwidth near the target with their goal of creating congestion with large amounts of data. Techniques like DNS amplification can be used here, where the attacker sends an open DNS server a lookup request with the response target set as the target of the attack [1, 2, 3].
Hyper-volumetric DDoS attacks aren’t necessarily a new kind of attack, but they do seem to have taken on new life in the first quarter of 2023. They have shifted from relying on compromised individual devices like personal computers or phones and are now looking to leverage breached cloud platform assets like virtual private servers, or VPS. By leveraging these cloud servers, attackers can seek to exploit fewer systems than one would previously think to achieve a high-performance level botnet. In many cases, these botnets can be built quicker and easier, and can even be up to 5,000 times more powerful [4, 5, 6].
Attackers will seek to gain access to these virtual private servers by compromising unpatched software or hacking into management consoles with leaked API credentials. During the first half of February 2023, Cloudflare detected dozens of hyper-volumetric DDoS attacks, many of which were achieving between 50 and 70 million requests per minute in performance. The largest that was detected exceeded 71 million requests per second. These attacks were targeting a gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. Cloudflare also states that these attacks all originated from cloud providers [4, 5, 6].
As noted just a moment ago, there was a definitive uptick in hyper-volumetric DDoS attacks in the first quarter of this year. Cloudflare’s first quarter report indicates that large scale volumetric attacks in general increased by 6% over the previous quarter, with DNS-based attacks being the most popular attack vector. There were a number of attacks on Western organizations like banks, airports, and universities by the groups Killnet and AnonymousSedan. However, the country that was targeted the most by HTTP DDoS attacks was Israel, with the United States, Canada, and Turkey following closely behind. The country with the largest source of HTTP DDoS attacks was Finland, which was also the largest target for network-layer DDoS attacks.
There were a number of industries targeted by DDoS attacks in the first quarter of 2023. In North America, the most targeted industries were marketing and advertising. In Europe and Asia, the most targeted industries were gaming and gambling. Banking and finance was the most targeted industry in South America, Telecom was the most targeted in Africa, and Healthcare was the most targeted in Australia [5].
To sum things up, DDoS attacks are basically an attempt to disrupt traffic to a target and will generally be in the form of a flood of network traffic intending to overwhelm either the target specifically or the infrastructure surrounding the target. We pointed out that DDoS attacks are carried out using networks of internet-connected machines. Individual devices known as bots are used to form botnets. These devices then seek to send an overwhelming number of requests to the target in order to deny service to legitimate traffic. Hyper-volumetric attacks, while not new, have gained quite a lot of ground in the first quarter of 2023. These attacks are a little different from more standard attacks in the sense that they seek to take advantage of compromised VPS servers in the cloud rather than relying on high numbers of individual devices like personal computers or phones. This allows for a high level of performance with fewer devices to exploit. Lastly, we gave an overview on the kinds of industries are the most targeted by DDoS attacks in various regions, from banking and finance to marketing and advertising, to gaming and gambling, along with telecom and healthcare organizations. There was a clear increase in the number of hyper-volumetric attacks, and Israel was the country targeted the most by DDoS attacks.
[1] https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
[2] https://www.cloudflare.com/learning/ddos/glossary/denial-of-service/
[3] https://www.cisa.gov/news-events/alerts/2013/03/29/dns-amplification-attacks
[5] https://blog.cloudflare.com/ddos-threat-report-2023-q1/
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments