10 Disruptive DDoS Attack Trends To Watch In 2021
From targeting nontraditional infrastructure and using novel protocols to exploiting weak IoT device credentials and taking over devices with Mozi botnets, here are the most alarming DDoS attack trends.
Perpetrators of Denial-of-Service attacks attempt to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet. This is typically accomplished by flooding the targeted machine or resource with superfluous requests to overload the system and prevent some or all legitimate requests from being fulfilled.
A Distributed Denial-of-Service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, often from thousands of hosts infected with malware. Since the incoming traffic flooding the victim originates from different sources, it becomes difficult to distinguish legitimate user traffic from attack traffic, especially when it is spread across multiple points of origin.
As part of Cybersecurity Week 2021, CRN spoke with 10 vendor executives about the evolution of DDoS attacks from an ideological weapon wielded by hacktivists to an easily monetizable tool used by cybercriminals. From targeting nontraditional infrastructure and using novel protocols to exploiting weak IoT device credentials and taking over devices with Mozi botnets, here are the most alarming DDoS attack trends.
Device Takeover With Mozi Botnet
Botnets like Mozi try to infect machines with malware and get devices under their control so that they can be used for malicious activities, said Paul Nicholson, A10 Networks’ senior director of product marketing. The botnet exploits documented vulnerabilities in unpatched systems such as Netgear and D-Link to take over those devices and use them to launch attacks against other devices, Nicholson said.
Botnets like Mozi exploit well-known vulnerabilities with malware and frequently reuse code in an effort to spread and compromise systems for gain, according to Nicholson. DDoS weapons like Mozi can result in monetary loss to the victim organization since compromised systems would be rendered unavailable when attackers are taking advantage of them, Nicholson said.
Threat actors typically attempt to take control of a system by attacking multiple different protocols and networks, which can leave defenders scrambling since the attackers only have to succeed once to carry out a malicious activity, Nicholson said. Adversaries often turn to amplification-style DDoS attacks to exploit internet-facing DNS and authentication services by overwhelming the systems out there, he said.
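Nicholson's point about amplification attacks against internet-facing DNS is worth making concrete from the defender's side: the tell-tale sign that one of your resolvers is being used as a reflector is UDP/53 traffic where the bytes it sends to an outside address dwarf the bytes it received from that address. The following is an added example, not code from the article or from A10 Networks. It runs over a handful of constructed NetFlow-style records (source and destination IPs, ports, protocol, byte and packet counts) and flags resolver/client pairs whose response-to-query byte ratio exceeds a threshold; the resolver address, the thresholds and the flow tuple layout are all assumptions.

```python
"""Flag DNS amplification (reflection) patterns in flow records.

Added example with constructed data; the flow layout and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
# 10.0.0.53 is the (assumed) organisation's resolver; 203.0.113.7 plays the spoofed victim.
FLOWS = [
    # Ordinary internal client: small query, modest response.
    ("10.0.0.5", 51000, "10.0.0.53", 53, "udp", 70, 1),
    ("10.0.0.53", 53, "10.0.0.5", 51000, "udp", 120, 1),
    # Queries arriving "from" the victim, each answered with a large response.
    ("203.0.113.7", 4444, "10.0.0.53", 53, "udp", 64, 1),
    ("10.0.0.53", 53, "203.0.113.7", 4444, "udp", 3200, 3),
    ("203.0.113.7", 4444, "10.0.0.53", 53, "udp", 64, 1),
    ("10.0.0.53", 53, "203.0.113.7", 4444, "udp", 3100, 3),
    # External client with a larger-than-usual but unremarkable response.
    ("198.51.100.9", 40000, "10.0.0.53", 53, "udp", 60, 1),
    ("10.0.0.53", 53, "198.51.100.9", 40000, "udp", 500, 1),
    # TCP DNS is not usable for reflection with a spoofed source, so it is ignored.
    ("10.0.0.5", 52000, "10.0.0.53", 53, "tcp", 800, 4),
]

AMPLIFICATION_RATIO = 10.0   # response bytes divided by query bytes (assumed threshold)
MIN_RESPONSE_BYTES = 2000    # ignore tiny conversations even if the ratio is high


def find_amplification(flows, resolver_ips, ratio=AMPLIFICATION_RATIO,
                       min_bytes=MIN_RESPONSE_BYTES):
    """Return alerts for (resolver, client) pairs that look like reflection traffic.

    Bytes are aggregated per pair in each direction; a pair is flagged when the
    resolver sent at least `min_bytes` and at least `ratio` times what it received.
    A response stream with no matching query bytes is reported with an infinite ratio.
    """
    query_bytes = defaultdict(int)     # (resolver, client) -> bytes client -> resolver
    response_bytes = defaultdict(int)  # (resolver, client) -> bytes resolver -> client
    for src, sport, dst, dport, proto, nbytes, _packets in flows:
        if proto != "udp":
            continue
        if dport == 53 and dst in resolver_ips:
            query_bytes[(dst, src)] += nbytes
        elif sport == 53 and src in resolver_ips:
            response_bytes[(src, dst)] += nbytes

    alerts = []
    for key, resp in response_bytes.items():
        q = query_bytes.get(key, 0)
        amp = resp / q if q else float("inf")
        if resp >= min_bytes and amp >= ratio:
            alerts.append({
                "resolver": key[0],
                "client": key[1],
                "query_bytes": q,
                "response_bytes": resp,
                "amplification": amp,
            })
    # Largest outbound volume first: that is the pair to rate-limit or block.
    return sorted(alerts, key=lambda a: a["response_bytes"], reverse=True)


if __name__ == "__main__":
    for alert in find_amplification(FLOWS, {"10.0.0.53"}):
        print(f"{alert['resolver']} -> {alert['client']}: "
              f"{alert['response_bytes']} B out / {alert['query_bytes']} B in "
              f"(x{alert['amplification']:.1f})")
```

In practice the records would come from a flow collector rather than a list, and the first response to an alert is to apply response rate limiting on the resolver and restrict recursion to the networks it is meant to serve, rather than to block the "client", which is the spoofed victim.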
New Protocols That Stymie Defenses
Adversaries have taken advantage of the asymmetry inherent to DDoS campaigns where it’s relatively inexpensive to launch an attack once a device vulnerability has been found but expensive to defend against, especially for companies with lots of on-premises equipment, said Patrick Donahue, Cloudflare’s director of product management. Payments are frequently made with cryptocurrency to reduce traceability.
Threat actors have embraced novel types of DDoS attacks such as using new protocols that are more difficult to defend against and having the browser speak to the web server to receive the latest content from webpages, Donahue said. DDoS attacks are also accessible to a broader base of threat actors since it’s easier to launch a DDoS operation than it is to infiltrate a company’s network and launch malware.
Ninety-seven percent of DDoS attacks last for under an hour, meaning that businesses need to have defenses that can kick into high gear very quickly, according to Donahue. Organizations can save substantial amounts of money by defending DDoS attacks as close to the source as possible, Donahue said.
Weak Credentials On IoT Devices
Many IoT devices have vulnerabilities that can be exploited out of the box and defenders often don’t even realize that these devices can be accessed directly from the internet, according to Nick Biasini, head of outreach for Cisco Talos. For instance, many businesses and consumers might not even realize that the smart device they last used three years ago is still connected to the internet, Biasini said.
Adversaries have built botnets that can be used as a paid service to launch DDoS attacks against whatever target they choose, according to Biasini. It’s trivial for adversaries to take over devices with weak or default username and password combinations through brute force attacks, Biasini said.
Big players and high-end manufacturers have made a lot of security improvements, but those enhancements haven’t trickled down to smaller or less prestigious IoT device makers, Biasini said. From cameras to routers to network-attached storage devices, opportunistic hackers will take advantage of anything with a login prompt that’s connected to the internet and not fully locked down.
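Biasini's two observations, that forgotten devices stay reachable from the internet and that default or weak logins are what gets them taken over, combine into a simple audit a defender can run against their own asset inventory. The following is an added example, not code from the article or from Cisco Talos. It checks a constructed inventory against a constructed list of vendor-default credentials and a short weak-password list, and ranks each device by whether the credential problem coincides with internet reachability; the vendor names, the credential list and the `internet_reachable` flag (assumed to come from an external scan of your own address space) are all placeholders.

```python
"""Rank inventory devices by credential weakness and internet exposure.

Added example with constructed data; vendor names and credential lists are placeholders.
"""

# Constructed vendor-default credentials as (vendor, username, password).
# A real audit would load the vendor's published defaults for each product line.
DEFAULT_CREDS = {
    ("examplecam", "admin", "admin"),
    ("examplecam", "admin", ""),
    ("examplenas", "root", "password"),
}

# Constructed weak-password list; a real one would be a breached-password dictionary.
WEAK_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456"}
MIN_PASSWORD_LENGTH = 8

# Constructed inventory. `internet_reachable` is assumed to be populated from an
# external scan of the organisation's own address space, not from the device's IP.
INVENTORY = [
    {"name": "lobby-cam-1", "vendor": "examplecam", "ip": "203.0.113.10",
     "user": "admin", "password": "admin", "internet_reachable": True},
    {"name": "nas-backup", "vendor": "examplenas", "ip": "10.0.1.20",
     "user": "root", "password": "password", "internet_reachable": False},
    {"name": "edge-router", "vendor": "examplerouter", "ip": "203.0.113.1",
     "user": "admin", "password": "Vq7!pL2#kd9Wz", "internet_reachable": True},
    {"name": "warehouse-cam", "vendor": "examplecam", "ip": "203.0.113.11",
     "user": "admin", "password": "1234", "internet_reachable": True},
]


def credential_findings(device):
    """Return a list of reasons a device's login is considered weak (empty if none)."""
    reasons = []
    if (device["vendor"], device["user"], device["password"]) in DEFAULT_CREDS:
        reasons.append("vendor-default credential")
    elif device["password"] in WEAK_PASSWORDS:
        reasons.append("password in weak-password list")
    elif len(device["password"]) < MIN_PASSWORD_LENGTH:
        reasons.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return reasons


def severity(device):
    """critical: weak login and reachable from the internet; high: weak login only; ok otherwise."""
    reasons = credential_findings(device)
    if not reasons:
        return "ok"
    return "critical" if device["internet_reachable"] else "high"


def audit(inventory):
    """Map device name -> (severity, reasons), worst devices first."""
    order = {"critical": 0, "high": 1, "ok": 2}
    ranked = sorted(inventory, key=lambda d: (order[severity(d)], d["name"]))
    return {d["name"]: (severity(d), credential_findings(d)) for d in ranked}


if __name__ == "__main__":
    for name, (sev, reasons) in audit(INVENTORY).items():
        print(f"{sev:8} {name:15} {'; '.join(reasons) or 'no credential findings'}")
```

The ordering matters more than the labels: a device that is both on a default login and answering from the internet is the one to fix first, by changing the credential and, where the device has no business being reachable, removing the exposure itself.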
Going After Nontraditional Targets
Sophisticated DDoS actors are increasingly going after infrastructure that is less likely to have resiliency such as an application server, file server, network-attached storage array or virtual server farm, said Matt Radolec, head of Varonis’ Incident Response team. By going after the hypervisor rather than just a couple of servers, adversaries can hold a victim’s entire backup infrastructure hostage, Radolec said.
Application servers will by design allow connections in and out, while virtual server farms have traditionally been seen as a piece of infrastructure rather than an attack point, Radolec said. If an entire virtual server farm is being held hostage following a ransomware attack, Radolec said the victim is much more likely to pay the ransom.
Similarly, organizations that aren’t sure whether or not they can bring their application server up safely on their own have a higher sense of urgency to pay to avoid that scenario, according to Radolec. More than 70 percent of DDoS attacks, though, are focused on data, with adversaries encrypting data, stealing it and threatening to post it online unless they receive a ransom payment, Radolec said.
Prove Credibility And Then Extort
Adversaries have turned to carrying out a small DDoS attack that lasts just seconds and then attempting to extort the victim by threatening to do a larger-scale attack if they don’t receive payment within a week, said Maya Horowitz, Check Point Software Technologies’ vice president of research. Horowitz first saw this tactic used a few years ago against banks in Greece to help the hackers prove their credibility.
Threat actors will claim to belong to sophisticated APT groups like Lazarus and Fancy Bear in an effort to monetize their DDoS attacks, which is tough to do short of taking down certain services or websites, Horowitz said. DDoS attacks are becoming both larger and less frequent since adversaries don’t actually have to carry out an attack if they’re able to successfully extort the victim to pay a ransom, she said.
Outside extortion, DDoS attacks are largely about ego and settling scores with rivals, according to Horowitz. Many campaigns start with a Mirai IoT botnet that can be bought using bitcoin on the dark web and used to help carry out a DDoS attack of a certain size, Horowitz said.
Attack Corporate Network, Not Website
Users increasingly have all kinds of malware sitting on the laptops they’re using, which provides botnets with a lot more endpoints they can target in a DDoS attack, according to Jonathan Couch, ThreatQuotient’s senior vice president of strategy and corporate development. As a result, Couch said the size and amount of traffic these botnets can generate has dramatically increased.
By cycling through different types of requests, threat actors can now hit commercial organizations with more volume during a DDoS attack, which increases the likelihood of long-term effects, Couch said. The growth in DDoS capability means adversaries can now target the business network of an organization rather than just the company’s website, according to Couch.
Taking down a company’s webpage through a DDoS attack doesn’t typically impact business operations, according to Couch. But by targeting the corporate network, adversaries can impact operations by thwarting attempted interactions between the victim and third parties. This change in methodology has helped cybercriminals extract money across a wider variety of organizations and targets, Couch said.
Target Network Misconfigurations
Software engineers and intelligent bots alike are adept at probing how a network is configured to quickly determine where a potential victim is vulnerable, according to Michael Maggio, Reciprocity’s executive vice president of product. DDoS attacks can go after every layer of the application stack, making it vital that defenders be able to determine where the bottleneck is occurring and who’s doing it.
Organizations looking to prevent DDoS attacks should create a cyber program that puts tools in place to simulate an attack and understands the specific ways an adversary could get into assets in the victim’s systems, Maggio said. Businesses need to have a firm grasp on where they could be attacked in order to avoid incurring an incident in the first place, according to Maggio.
DDoS attacks tend not to get as much attention as other types of cyber incidents since they typically don’t result in as much bad publicity or long-term business impact for the victim, Maggio said. Companies that understand where their vulnerabilities are located are much less likely to experience a serious DDoS attack, according to Maggio.
Taking Advantage Of Unprotected Assets
Organizations can’t implement DDoS protection for assets they don’t know about, meaning that unprotected assets are the most vulnerable to DDoS attacks, according to Greg Pollock, UpGuard’s vice president of product. Increasing digitization and the standing up of additional websites and services is the Achilles’ heel of DDoS protection, making attack surface management even more vital, Pollock said.
Creating a website is far less specialized nowadays, meaning that the marketing group within a larger company is able to stand up and run their own tests on a landing page without approval from IT or security, Pollock said. In addition, Pollock said some businesses have portions of their website that are managed by a separate organization, which makes taking a unified approach to security more difficult.
Assets need to be managed or else they can be brought down more easily, according to Pollock. Anything significant that is being stood up, such as a webpage to run marketing campaigns or tests, also needs to be protected from DDoS attacks, Pollock said.
Interconnectivity Of SaaS Services
DDoS attacks are a multivariable problem, and the ease with which adversaries can leverage networks that enable these campaigns continues to be a problem, according to Heath Anderson, LogicGate’s vice president of information security and IT. The rise in internet-accessible endpoints coupled with the interconnectivity of SaaS services has made carrying out a DDoS attack much easier, Anderson said.
There are specific tools in on-premises environments that provide initial protection and reduce the likelihood that a DDoS attack will be successful, while public cloud vendors have also built in DDoS protection capabilities, according to Anderson. DDoS attacks continue to be a major problem for security teams and aren’t going to go away, so organizations need to invest time and money into their defense.
Using Infrastructure To Orchestrate Attacks
Traditional DDoS has evolved to be more ransomware-focused as adversaries increasingly leverage infrastructure to orchestrate DDoS strikes, according to Petko Stoyanov, Forcepoint’s global chief technology officer. Distributed workforces in the wake of COVID-19 have made it harder to carry out traditional DDoS attacks, with victims of DDoS ransomware focused primarily on getting their data back.
Threat actors have begun using private clouds to attack Amazon Web Services and Microsoft Azure, which has contributed to a significant increase in alerts, according to Stoyanov. But the adoption of cloud computing means that organizations still have access to critical functions and services even if their website goes down, increasing resiliency and allowing business units to maintain operations, he said.