Trend cycles don’t just impact the fashion world. A few years ago, distributed denial-of-service attacks, or DDoS, made headlines on a regular basis, aided by the open availability of Mirai malware source code. This was later overshadowed by the emergence of ransomware actors collecting sizable profits, but we find ourselves coming full circle. DDoS is back in the news, either alongside ransomware attacks or as a standalone cyberwarfare tactic. What is it about these relatively basic attacks that cause such a commotion, and why are they a popular choice (again) for threat actors and hacktivists alike?
Already got your headphones? Need a quick summary? Watch our video below for an explanation on DDoS attacks and mitigation tactics. For our traditional coverage, keep reading:
Denial-of-service attacks (DoS) are where a cybercriminal uses a single system to overwhelm their target victim’s system or network with a large amount of network traffic, preventing legitimate traffic from accessing the targeted website. The impacted systems are still technically up and running, but they can’t keep up with the influx. Think of your local UPS distribution center. Most of the year they might only need one driver to cover their area. But in the lead-up to the holidays, package volume rises by a factor of 10 or more — if they stick with that one employee the system is going to break down from the sheer number and weight of incoming packages.
As technology typically goes, we saw significant advancements with hosting and content delivery systems that made DoS attacks a lot less successful. Hardware and applications became more powerful and sorted through the noise more effectively, which made it harder for one connection to single-handedly overrun a server. But we all know hackers are resourceful — enter distributed denial-of-service attacks.
It’s the same concept as a Denial-of-service attack (DoS), but instead of sending traffic from a single system, there is an army of systems that coordinate an overwhelming amount of network traffic to one target. How can a single cybercriminal find that kind of artillery? Botnets. Through the use of malware, hackers are able to enlist thousands of infected systems to wait for their command, then send them all in the direction of their target at the same time.
Vulnerable IoT devices are a common choice by hackers when creating botnets. They’re convenient: they are internet-facing and often lack strong security features. Mirai malware makes it even easier for attackers. Since many IoT devices are only protected by factory default passwords — which Mirai recognizes — it can spread quickly and make quite the arsenal of botnets. Through a command of Internet-connected devices, such as webcams, thermostats, and smart appliances, large-scale DDoS attacks are relatively easy to accomplish.
Somehow, it all comes back to ransomware. Many DDoS attacks have been crippling in their own right, such as the 2016 attack against Playstation Network’s gaming platform, featuring a variant of the Mirai botnet. This resulted in revenue losses of up to $2.7 million for Sony — and to add insult to injury, it was conducted by a teenager. But threat actors have started incorporating DDoS attacks on top of ransomware, piling on the victim until they pay up. If an organization is already scrambling to get their systems in order from the initial blow, a well-timed attack can stall remediation efforts and create further confusion.
Critical infrastructure is a prime target for DDoS attacks perpetrated by nation-state operators or hacktivists. In these scenarios, it serves a primary purpose to create immediate chaos and disruption for an organization as opposed to long-term harm or financial loss. Russia’s invasion of Ukraine involved a hybrid warfare model. A key staple of the attacks involved DDoS attacks against Ukraine’s public and private sectors. The largest DDoS attack in the country’s history came before troops invaded, serving as a “large-scale stress test.” Additionally, DDoS may be the attack of choice for hacktivists choosing to retaliate due to its affordable and straightforward nature.
Protecting an organization and minimizing the impact felt from a DDoS attack requires the completion of four stages: Detect → Divert → Filter → Adapt.
Ideally, organizations that have stiff uptime requirements for their services should implement DDoS mitigation measures before an attack ever occurs to guarantee they are able to clearly pull out the “good traffic” — real human users — and block the malicious traffic. This way, you can dramatically decrease your downtime. The objective is to cycle through the stages as quickly as possible to keep pace with the DDoS attack.
Quickly identifying an unusual uptick in traffic flow can help your organization pinpoint the ramp-up period of a DDoS attack. It doesn’t take long — several minutes — for one to overwhelm your servers as the traffic spikes. The goal is to catch it instantaneously to prevent further progress. DDoS mitigation services will detect this spike for you automatically and kick in countermeasures. Those who do not have this established beforehand will identify it when their systems become unresponsive. That kicks off the process of engaging a DDoS mitigation vendor which can add hours if not days to the response efforts.
After you’ve identified the issue, it’s time to act. The secret sauce behind DDoS mitigation services is the ability to spot the bad traffic and stop it from reaching your systems. Let’s revisit our UPS distribution example. In that situation, a DDoS mitigation firm would remove all packages that aren’t holiday presents and put them to the side while they prioritize delivery of the good packages, like little Timmy’s new Radio Flyer wagon from his grandparents.
For organizations that prepared ahead of time, traffic may already be flowing through a DDoS mitigation vendor. If that’s the case, you head right to the filter stage. Others may have it configured where a flip of a switch can divert the traffic. Also, a good option as you can trigger this to minimize downtime of your systems. In either case, pat yourself on the back for thinking ahead and shift your focus to confirming whether the DDoS attack is hiding other malicious activity in your environment.
For those that don’t require a significant amount of uptime for their external applications or systems, it’s likely you don’t have DDoS protections set up ahead of time. No worries, we’ve got you covered. Step one is to identify a DDoS mitigation vendor who can support your application. Once the contracts are signed, you’ll work with that company to divert the network traffic through their filtration systems.
As the attackers shift the techniques to the DDoS attack, the filtration system will catch these efforts and incorporate countermeasures until the attacker realizes it is no longer effective and loses interest. Security analytics techniques can offer visibility to the attack so you can understand the details and prevent it in the future.
--
Prepare when you can, not when you have to. Not every company needs to have active DDoS mitigation ready to go, but you should have a plan of attack. If you run a business-critical application that has to be externally accessible, it’s a good idea to be proactive and set up relationships with DDoS mitigation firms ahead of time. For organizations that just have a marketing website, this is about awareness. Have a plan, know what to do, and be prepared to act quickly to minimize damage. Need help? Corvus can connect you with leading DDoS mitigation firms. Reach out at services@corvusinsurance.com.