Distributed Denial of Service Attacks – Does Size Equate to Impact?
When most people think about distributed denial of service (DDoS) incidents, the first thing that comes to mind is the huge attacks of the last few years that brought down major websites and DNS providers. There’s a good reason for that association. These are the attacks that make headlines, because it takes an impressive amount of traffic to saturate an enterprise link. Generating that traffic requires real ingenuity, too, as witnessed by words like “Mirai” and “Memcached,” which have become common parlance in the security world in the last few years. These two newsmakers are good examples of large volumetric attacks: one built on a huge number of sources, the other on enormous payloads.
Mirai was not the first botnet, nor the first one used for DDoS; botnets had been flooding targets for well over a decade before it appeared. Many botnets before Mirai were used mainly to send junk email, because traffic coming from a large number of different sources made it harder for spam blockers to do their job. Mirai’s authors were also active well before its popular debut in 2016, when it took down Krebs on Security and DNS vendor Dyn: the same crew was reportedly behind DDoS attacks against Rutgers University as early as 2014, using earlier botnets. Such a botnet, propagated by self-spreading malware that recruits internet-connected devices still using default passwords, is the perfect way to add numbers to your army, and an army is the right weapon to fill up a network pipe.
Memcached also had a history and purpose before it was used in last year’s 1.35 Tbps attack on GitHub. The free, open-source software was designed for general-purpose use as a distributed memory caching system, meant to speed performance and reduce strain on external data stores. Memcached was never intended to be exposed to the internet, and therefore it didn’t require authentication. Worse, until version 1.5.6 it listened on UDP by default, and UDP has no handshake to prove where a request really came from. Because a small query can produce an enormous response, Memcached was, and remains wherever it is left exposed, a great way to amplify an attack’s payload. If an attacker spoofs the target’s IP address as the source of the query, so that the server sends its oversized response to the target instead (a technique called reflection), the attack is amplified so greatly that a botnet isn’t even necessary to saturate a circuit.
Mirai adds numbers, while Memcached adds payload, and both can create link-saturating volumetric attacks. But how many attackers out there have the sophistication necessary to pull off such an attack? It turns out that not only have attackers created unique new DDoS methods, it is now easier than ever for a bad actor to take advantage of that work. Rather than go through the hassle of creating their own botnet, today’s attacker can simply rent one for as little as $20 USD a day. And instead of figuring out their own attack methodology, cybercriminals can simply contract a booter or stresser service to do the work for them.
Given how simple and inexpensive it has become to launch them, are gigantic DDoS attacks the way of the future?
The answer appears to be no. Analysis of Q1 2019 DDoS attacks mitigated by Neustar’s Security Operations Center (SOC) revealed that large attacks of 50 Gbps and over made up only 12% of the mitigations seen this quarter. This finding is in keeping with industry norms, which tell us that while these large threats have grown in frequency compared to the same time last year, the majority of DDoS attacks are much smaller. Which raises the question: why?
You don’t need a cannon to shoot a flea
Volumetric DDoS attacks bring more than traffic with them; they also draw press, scrutiny, and often law enforcement. The attention that followed Mirai’s attacks is a good example: the perpetrators narrowly avoided jail time. They may have made money by renting out their botnet, but they also raised their profile to the point where they were ultimately caught.
The majority of DDoS attacks are designed for purposes other than simply making a point. Motives might include theft, distraction, competitive advantage, and more. The overarching idea is to create an attack that is not immediately detected, and a Tbps-scale attack is hard to miss. If the purpose of a DDoS attack is to deny service, a more carefully aimed attack can attract less attention and achieve greater results at the same time.
There are several classifications in the DDoS world beyond the volumetric attacks for which the category is best known. One is the protocol attack. While it resembles a volumetric attack in that it denies service with a volume of traffic, a protocol attack directs that traffic at an intermediate device between the internet and the core of the target’s network. Examples include attacks designed to eat up router CPU cycles, confuse load balancers, or fill up firewall state tables (the classic case being a SYN flood, where each spoofed SYN leaves a half-open session in the table until it times out). In each case, the amount of traffic required to overwhelm such interim devices typically wouldn’t even register as a substantive percentage of the available circuit bandwidth. And there is often no need to generate enough traffic to disable a device or service completely; degrading performance is sometimes enough to achieve the attacker’s goal while the incursion stays under the radar.
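To put numbers on that point, here is an added example (not code from the original post or from Neustar) that scores one window of packet records two ways: as a share of link bandwidth, and as a rate of half-open TCP sessions left in a stateful firewall. The packet records are constructed inline, and the link speed, state table size and half-open timeout are assumed values a practitioner would replace with their own.

```python
# Added example, not code from the original post: how a small SYN flood looks
# against link bandwidth versus against a stateful firewall's session table.
# Every packet record here is constructed; the capacities below are assumptions.
from collections import namedtuple

LINK_BPS = 1_000_000_000        # assumed 1 Gbps circuit
STATE_TABLE_CAPACITY = 500_000  # assumed firewall session table size
HALF_OPEN_TIMEOUT_S = 30.0      # assumed time an unanswered SYN stays in the table
SYN_FRAME_BYTES = 60            # minimum Ethernet frame carrying a bare SYN
TARGET = ("203.0.113.10", 443)  # documentation address standing in for the victim

Packet = namedtuple("Packet", "t src sport dst dport flags size")


def make_window(window_s, legit_conns, flood_syns):
    """Construct one window of traffic. Legitimate clients complete the
    SYN / SYN-ACK / ACK handshake; the flood sends lone SYNs from spoofed sources."""
    pkts = []
    dst, dport = TARGET
    for i in range(legit_conns):
        t, src, sport = window_s * i / legit_conns, f"198.51.100.{i % 250 + 1}", 40000 + i
        pkts.append(Packet(t, src, sport, dst, dport, "S", SYN_FRAME_BYTES))
        pkts.append(Packet(t + 0.01, dst, dport, src, sport, "SA", SYN_FRAME_BYTES))
        pkts.append(Packet(t + 0.02, src, sport, dst, dport, "A", SYN_FRAME_BYTES))
    for i in range(flood_syns):
        t, src, sport = window_s * i / flood_syns, f"192.0.2.{i % 250 + 1}", 1024 + i
        pkts.append(Packet(t, src, sport, dst, dport, "S", SYN_FRAME_BYTES))
    return sorted(pkts, key=lambda p: p.t)


def analyze_window(pkts, window_s):
    """Rate of new SYNs, rate of SYNs never completed by a client ACK, and
    the fraction of the link the whole window consumed."""
    syn_seen, completed = set(), set()
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syn_seen.add(key)
        elif p.flags == "A" and key in syn_seen:
            completed.add(key)
    total_bits = 8 * sum(p.size for p in pkts)
    return {
        "syn_rate_pps": len(syn_seen) / window_s,
        "half_open_rate_pps": len(syn_seen - completed) / window_s,
        "link_utilisation": total_bits / window_s / LINK_BPS,
    }


def state_table_projection(half_open_rate_pps):
    """Little's law: entries held = arrival rate x time each entry lives.
    Returns (steady-state half-open entries, seconds until the table is full or None)."""
    steady_state = half_open_rate_pps * HALF_OPEN_TIMEOUT_S
    if steady_state <= STATE_TABLE_CAPACITY:
        return steady_state, None
    # Entries arrive faster than they expire, so the table fills before any expire.
    return steady_state, STATE_TABLE_CAPACITY / half_open_rate_pps


if __name__ == "__main__":
    window = 0.1
    metrics = analyze_window(make_window(window, legit_conns=20, flood_syns=2000), window)
    steady, fill_s = state_table_projection(metrics["half_open_rate_pps"])
    print(f"link utilisation {metrics['link_utilisation']:.1%}, "
          f"half-open SYNs {metrics['half_open_rate_pps']:.0f}/s -> "
          f"{steady:.0f} table entries at steady state, full in {fill_s} s")
```

With the constructed window (20,000 bare SYNs per second), the flood uses about 1% of a 1 Gbps circuit, far below any bandwidth alarm, yet under a 30 second half-open timeout it would hold 600,000 table entries at steady state and fill a 500,000-entry table in about 25 seconds. The lesson is to alert on session-table occupancy and half-open rate, not only on bits per second.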
Another DDoS category, and one growing rapidly in popularity, is the attack directed still further into the network, at a specific server, application, or API. These attacks require even less traffic, because they are aimed at an even smaller target: a handful of requests per second to an expensive, uncacheable operation can tie up every worker an application has. The most successful application layer attacks disable or degrade an application without even bringing down the server on which it runs.
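An added example for the application layer (again not the post’s or Neustar’s code): it reads an access log and ranks endpoints by the worker time they consume rather than the bytes they move. The log lines are constructed, the log format is an assumed nginx-style line with $request_time appended as the last field, and the worker pool size is an assumption.

```python
# Added example, not code from the original post: finding an application-layer
# attack in an access log by the worker time it consumes rather than the bytes
# it moves. The log lines are constructed; pool size and log format are assumptions.
import re
from collections import defaultdict

WORKER_POOL = 32            # assumed number of request-handling workers
WINDOW_S = 60.0             # length of the constructed log window
LINK_BPS = 1_000_000_000    # assumed 1 Gbps circuit

# Assumed format: nginx-style access line with $request_time as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>\d+\.\d+)$'
)
STAMP = "[01/Apr/2019:10:00:00 +0000]"  # constructed; all lines fall in one window


def build_log():
    """Constructed log: ordinary browsing plus 3 req/s against an expensive,
    uncacheable search that takes 12 s of worker time per request."""
    lines = []
    for i in range(300):
        path = "/" if i % 2 else "/static/app.js"
        lines.append(f'198.51.100.{i % 50 + 1} - - {STAMP} "GET {path} HTTP/1.1" 200 4096 0.020')
    for i in range(180):
        lines.append(f'192.0.2.{i % 40 + 1} - - {STAMP} "GET /search?q=zz{i}&sort=rand HTTP/1.1" 200 700 12.000')
    return lines


def endpoint_load(lines, window_s=WINDOW_S):
    """Per endpoint: arrival rate, mean service time, Little's-law occupancy
    (requests in service = arrival rate x mean service time) and link share."""
    totals = defaultdict(lambda: {"n": 0, "rt": 0.0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # malformed line: skip, don't guess
        agg = totals[m["path"].split("?", 1)[0]]       # group by path, drop query string
        agg["n"] += 1
        agg["rt"] += float(m["rt"])
        agg["bytes"] += int(m["bytes"])
    load = {}
    for path, agg in totals.items():
        rate, mean_rt = agg["n"] / window_s, agg["rt"] / agg["n"]
        load[path] = {
            "rate_rps": rate,
            "mean_rt_s": mean_rt,
            "busy_workers": rate * mean_rt,
            "link_utilisation": agg["bytes"] * 8 / window_s / LINK_BPS,
        }
    return load


def flag_starved(load, pool=WORKER_POOL, share=0.5):
    """Endpoints whose steady-state occupancy alone exceeds `share` of the pool."""
    return sorted(p for p, v in load.items() if v["busy_workers"] > pool * share)


if __name__ == "__main__":
    load = endpoint_load(build_log())
    for path in flag_starved(load):
        v = load[path]
        print(f"{path}: {v['rate_rps']:.1f} req/s x {v['mean_rt_s']:.1f} s = "
              f"{v['busy_workers']:.0f} of {WORKER_POOL} workers busy, "
              f"link utilisation {v['link_utilisation']:.6%}")
```

Three requests per second that each hold a worker for twelve seconds keep 36 workers busy on average, more than the whole 32-worker pool, while moving under 2 kbit/s on the wire. The server stays up and the link is idle; only the application is unavailable, which is exactly the profile the paragraph above describes.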
In conclusion, there’s more to DDoS than simple volume. In fact, volume may just serve to get an attacker noticed, which is seldom a good thing in the world of cybercrime. By planning carefully and knowing their target, attackers can achieve their goal—getting in and out without getting caught. Stay tuned for Part 2 in this series, “It’s the ones you don’t see that get you,” in which we’ll consider how the very nature of internet communications can pave the way for DDoS attacks.
To learn more about attack trends, download Neustar’s Q1, 2019 Cyber Threats and Trends Report at https://www.home.neustar/resources/whitepapers/cyber-threats-report-q1-2019