8 DDoS Attack Trends To Watch For In 2020

Michael Novinson

CRN asks technical and research experts at A10 Networks, Akamai, and Radware about new and emerging threats in the DDoS space and what businesses need to do to ensure their survival.

DDoS Doldrums

A rise in multi-vector DDoS attacks has caused traffic congestion by flooding networks with numerous illegitimate network packets. Organizations are therefore looking for services to protect websites, networks, and critical infrastructure devices from distributed denial-of-service (DDoS) attacks, which typically overwhelm bandwidth by drowning a system with requests for data.

The DDoS protection and mitigation market is expected to grow to $4.7 billion by 2024, up from $2.4 billion this year, a compound annual growth rate of 14 percent, according to research firm MarketsandMarkets. SMBs have become key targets for threat actors because of gaps in their security systems that leave their servers exposed to attacks that degrade performance.

As part of CRN's Cybersecurity Week 2019, here's a look at eight new and emerging attack trends in the DDoS space identified by A10 Networks, Akamai, and Radware, and what businesses need to do to ensure their survival.

Application Layer Attacks

DDoS attacks historically attempted to cause issues with volumetric network flows in hopes of creating service disruption, according to Ron Winward, security evangelist at Mahwah, N.J.-based Radware.

As recently as two or three years ago, networks were almost entirely in the data center and one gigabit uplinks in the data center meant that infrastructure could be easily filled by using volumetric attacks, Winward said. But given the extra capacity provided by cloud-based services, Winward said attackers have needed to get creative in how they go after businesses.

As a result, Winward said application layer DDoS attacks have overtaken network-based attacks for the first time. That's because an infrastructure-focused approach dedicated to filling up internet capacity is simply less effective today than disrupting the applications themselves, according to Winward.

Burst Attack

Attacks that last for only 30 to 60 seconds often cause major disruption but are gone before organizations can come up with a mitigation strategy, Winward said. These burst attacks constantly change in both duration and frequency, making them like guerrilla warfare on a company's network, according to Winward.

In order to catch burst attacks, Winward said businesses are often stuck waiting for the next wave to come. Catching the attack in real time is vital to building filters and collecting the intelligence needed to come up with a mitigation strategy, Winward said.

Configuring a firewall to filter and log traffic, and then writing a policy to block specific traffic, is a very manually intensive process, according to Winward. Organizations can therefore best safeguard themselves against burst attacks by obtaining a tool that helps them determine in real time which traffic is good and which is bad, Winward said.

Exposed Servers

The move to improving user experience by moving protocols over to UDP and having back-end web servers sitting on the internet has exposed additional weapons for attackers to exploit, according to Don Shin, senior product marketing manager at San Jose, Calif.-based A10 Networks.

By leaving millions of servers out in the open to be exploited, Shin said businesses have made things so easy for attackers that they often don't even have to write malicious code. By attempting to make the internet experience better for users, Shin said companies have left a backdoor open for attackers.

Most recently, attackers are leveraging the more than 800,000 LAN-based Web Service Discovery servers mistakenly exposed to the internet as reflectors, Shin said, creating attacks that are extremely powerful in nature.

Bigger Impact With Fewer Resources

Ongoing attacks that continuously attempt to circumvent defensive processes and techniques historically required more servers and were more difficult to spin up, according to Lisa Beegle, senior manager of information security at Cambridge, Mass.-based Akamai Technologies.

Today, Beegle said attackers can have a bigger impact with fewer servers, with victim organizations sometimes struggling to identify when an attack is even happening. And the amplification factor of the services adversaries are leveraging is much greater today, with threat actors often looking for publicly available vulnerabilities that are easily accessible.

Organizations frequently struggle with sharing information across the network, intelligence, and operations teams, Beegle said, meaning that the right person often doesn't get the information until the event has already passed. Businesses also struggle to obtain applicable adversary intelligence that draws on a sufficient number of sources and is easy to consume, Beegle said.

Overlaid On Other Attacks

DDoS attacks have become an overlay of sorts over the past two or three years, with threat actors adding additional components and leveraging ancillary services to maximize monetary gain, Beegle said.

The overlapping of events has made attribution far more difficult, Beegle said, with threat actors leveraging network events that have already happened to steal information and sell it elsewhere. As recently as a decade ago, Beegle said attacks were much more distinct in terms of what's being seen and where it's coming from.

But given the multitude of factors, variables, and actors involved in threat events today, Beegle said a forensic evaluation of each individual event is necessary. As monetary gain has become a more central goal of DDoS attacks, Beegle said industries such as banking and hospitality have increasingly found themselves in the crosshairs.

Reflective Amplification

Roughly 21 million IoT addresses, servers, and cloud agents have been configured in ways that leave them available for adversaries to launch DDoS attacks, according to A10's Shin. Attackers are therefore able to use a very small pool of servers and send requests spoofed with the IP address of the victim they want to attack, and the servers will respond with a hugely amplified attack on the victim, Shin said.

The march to speed up the online experience has led to an array of weapons being left open for DDoS attackers to exploit, Shin said. Some newer communication protocols omit the controls that ensure the packets arrive in the right sequence, instead blasting the information as quickly as possible, Shin said.

But the lack of a checking or "handshake" mechanism in stateless-type protocols leaves people open to spoofing-type attacks, Shin said. This can take the form of adversaries using fake source IP addresses so they can't be discovered or capitalizing on reflection techniques to use the IP address of the intended victim, according to Shin.
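A defender-side check for the reflected-response pattern Shin describes, added here as an example that is not from the article or from any of the vendors it quotes: it walks constructed NetFlow-style UDP records and flags sources that deliver service-port responses to a host that never sent them a request (or far more bytes than it sent). The port-to-service map, the `Flow` record layout, and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed assumption: UDP services commonly abused as reflectors, keyed by
# server port. WS-Discovery (3702) is the one the article calls out.
REFLECTOR_PORTS = {3702: "WS-Discovery", 53: "DNS", 123: "NTP"}

@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (constructed, NetFlow-like)."""
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

def reflection_report(flows, victim, min_ratio=10.0):
    """Flag reflectors that sent `victim` far more bytes than `victim` asked for.

    A spoofed-source amplification attack shows up as service-port responses
    arriving at the victim with no matching request from the victim at all,
    so bytes_out is 0 and the ratio is reported as infinite.
    """
    sent = defaultdict(int)   # bytes victim -> (reflector, service port)
    recv = defaultdict(int)   # bytes (reflector, service port) -> victim
    for f in flows:
        if f.src == victim and f.dport in REFLECTOR_PORTS:
            sent[(f.dst, f.dport)] += f.nbytes
        elif f.dst == victim and f.sport in REFLECTOR_PORTS:
            recv[(f.src, f.sport)] += f.nbytes
    report = []
    for key, bytes_in in recv.items():
        bytes_out = sent.get(key, 0)
        ratio = bytes_in / bytes_out if bytes_out else float("inf")
        if ratio >= min_ratio:
            report.append({"reflector": key[0], "service": REFLECTOR_PORTS[key[1]],
                           "bytes_in": bytes_in, "bytes_out": bytes_out, "ratio": ratio})
    return sorted(report, key=lambda r: r["bytes_in"], reverse=True)

# Constructed sample: one legitimate DNS lookup, plus unsolicited WS-Discovery
# responses from two exposed devices (victim 203.0.113.10 never queried them).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40001, "198.51.100.53", 53, 70),
    Flow("198.51.100.53", 53, "203.0.113.10", 40001, 150),
    Flow("192.0.2.21", 3702, "203.0.113.10", 80, 4200),
    Flow("192.0.2.22", 3702, "203.0.113.10", 80, 3900),
]

if __name__ == "__main__":
    for row in reflection_report(SAMPLE_FLOWS, "203.0.113.10"):
        print(row)
```

The legitimate DNS exchange (150 bytes back for 70 sent) stays below the ratio threshold, while the two WS-Discovery sources are reported with zero outbound bytes, which is exactly the fingerprint of responses to requests the victim never made.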

Increase In Volume

The DDoS market has seen a huge increase in the volume of attacks due to their continued success, with threat actors embracing the DDoS-for-hire underground market to purchase services, proxies, or botnets, according to Akamai's Beegle.

Although DDoS attacks are not complicated to protect against, Beegle said organizations remain an easy target for attackers since they too often fail to properly set up and protect their environment. Organizations often feel a false sense of security that they won't be targeted with DDoS attacks within certain environments because they have a third party servicing their DNS (Domain Name System).

Even though redundancy isn't built into that solution, Beegle said DNS isn't at the top of the priority list from a security perspective.

Web-Based Botnets

Web-based botnets are designed specifically to interact with websites, and have advanced in recent years to become more human-like, according to Radware's Winward. These botnets are now capable of doing everything from collecting and scraping intelligence to doing credential stuffing attacks or initiating HTTP interactions that result in DDoS attacks, Winward said.

Web-based botnets can also perform inventory manipulation, Winward said, where they load a massive amount of a company's stock into a shopping cart and eventually abandon it. This ultimately takes a financial toll on companies, since they're unable to sell items that are stuck in a customer's cart.

Customers struggle to tell which traffic on their network is good and which is bad, meaning that they're unable to simply block the bad traffic, according to Winward. As a result, Winward said businesses typically end up overbuilding their infrastructure and letting both the good traffic and the bad traffic in.