The year 2020 will be remembered for a lot of reasons, with the majority of those reasons being viewed with negative emotions. Another reason to be added to the “bad” pile was discovered by security firm Neustar: Distributed Denial of Service (DDoS) attacks experienced something of a boom in popularity. According to a report published by the firm, DDoS attacks were the number one threat for respondents in its November 2020 survey. The survey was conducted by the Neustar International Security Council (NISC) and showed that the largest group of those surveyed, 22%, believed the biggest threat they faced was a DDoS attack. Further, the share of respondents who acknowledged that they had suffered such an attack rose from 60% in 2019 to 74% in 2020.
Distributed Denial of Service, or DDoS, attacks can be seen as an attempt to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This is commonly done through botnets: devices infected with malware that gives the attacker control over them and lets each one send HTTP requests on command. Attackers direct thousands of infected devices to send requests to the target server until it can no longer handle the traffic.
Returning to Neustar’s report, researchers found that many of those conducting DDoS attacks first demand that a ransom be paid by the intended victim. If no ransom is paid, the attacker carries out the DDoS attack. Often, to show that the threat is serious, the attacker also launches a small demonstration attack beforehand.
Called RDDoS in the report, with the R standing for ransom, the researchers point out that demanding a ransom in exchange for not carrying out an attack is not new; however, the level of sophistication and persistence is unprecedented. Further, some of the attacks seen by respondents were signed in the name of infamous APT groups such as Fancy Bear and Lazarus Group. This attribution is most likely false: the attackers are borrowing an APT group's reputation for their own benefit, to scare the victim into paying the ransom.
Typically, the ransom demands arrive in a templated form and require that the ransom be paid in Bitcoin. Researchers believe that the shift to DDoS attacks over other malware-based attacks is explained by the ease with which they can be carried out. It is also important to note that the infrastructure to conduct DDoS attacks can be rented, with botnet owners advertising their services on underground hacker forums, dropping the barrier to entry to anyone willing to pay for the service rather than requiring an attacker to build an entire botnet themselves. Researchers further pointed out that,
“An INTERPOL assessment of cybercrime throughout the pandemic has shown “a significant target shift from individuals and small businesses to major corporations, governments, and critical infrastructure.” This dovetails with a Federal Bureau of Investigation (FBI) notification in July warning of cyber actors exploiting built-in network protocols to carry out larger, more destructive DDoS attacks. It is further validated by warnings from the Cybersecurity & Infrastructure Security Agency (CISA), which issued a warning about DoS and DDoS attacks against multiple sectors in September of 2020, saying that the agency is “aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against finance and business organizations worldwide.”
Same Old Attack Vectors
The report also went into detail regarding the attack vectors favored by attackers. While no new attack vectors were used on a large scale, the older attack vectors proved just as effective as before. Built-in access protocols featured heavily in 2020, and respondents confirmed that Apple Remote Management Services (ARMS), Web Services Dynamic Discovery (WS-D), and Constrained Application Protocol (CoAP) were being abused by attackers. Simply disabling these protocols poses a dilemma for businesses: while doing so would prevent certain attacks from succeeding, it could also cost them productivity. According to the FBI, the better solution would be to “enroll in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.”
It was not just discovery protocols that were seen used in attacks, as researchers pointed out,
“…some DDoS threats are taking advantage of TCP-based attacks, including TCP SYN and fragmented packet floods. TCP floods are typically used to generate high-intensity attacks, measured in packets per second (or, more typically, millions of packets per second). High-intensity traffic used in DDoS attacks is not designed to saturate a network circuit but rather aims to overwhelm the infrastructure that has to process the packets. Because of the cycles required to go through a TCP handshake, these traffic floods are well suited to generate high-intensity attacks. Also because of the handshake process, TCP-based communications are more difficult to spoof, implying that large attacks may come from botnets derived from devices that have their own source IP address. Generic Routing Encapsulation (GRE) traffic is a similar protocol that has been seen in DDoS attacks this year.”
As has been seen throughout 2020, the drive towards remote work has opened more avenues for attack, and DDoS attacks are no different. As many businesses placed more importance on staff using VPNs to connect to business networks, VPN vulnerabilities were soon discovered. One method of carrying out a DDoS attack against a VPN is a blend of TCP packets: some with the SYN flag set, to make it look as if a remote session is being initiated; some with the ACK flag set, to make it look as if a session is already in progress; and some with the URG flag set, to raise the urgency.
Because VPNs and VPN firewalls were typically not built to handle the huge volume of traffic they have been forced to ingest, along with the increased demand caused by the pandemic, the infrastructure can be overwhelmed relatively easily. IPsec VPNs can also be attacked via IPsec Internet Key Exchange (IKE) floods, in which spoofed IKE requests are sent to the VPN server, which is then forced to send an IKE response to each of them.
These attacks used to be more prevalent, but the advent of IKEv2 has eliminated many of them. It is vital to note that SSL VPNs are not free from the potential for DDoS attacks, either. SSL VPNs are as susceptible to SSL flood attacks as any web server. In these attacks, a high volume of SSL handshake requests is used to try to exhaust resources.
Other Types of DDoS Attack
One of the most prevalent types of DDoS attack is Domain Name Server (DNS) spoofing. The method abuses DNS servers by sending them large requests with the victim's address spoofed as the source, which forces the victim's DNS server to handle the resulting traffic. Some hackers favor this method because it appears that the victims themselves are making the requests, which helps circumvent security controls placed on the server; the attacker can then bombard the server with as many large requests as they are able to. Other attacks include:
- Network Time Protocol (NTP): This attack, which can yield an amplification factor of up to 200:1, makes use of open NTP servers.
- Connection-less Lightweight Directory Access Protocol (CLDAP): These attacks take advantage of exposed Active Directory servers. CLDAP is the UDP version of the service, unlike LDAP, which uses TCP. Amplification factors can exceed 50 times.
- Internet Control Message Protocol (ICMP): This attack makes use of the “ping” function to flood a target with echo-request and echo-reply messages. There have also been incidents of “sympathetic” attacks caused by pings that are intended to ensure the service is still functioning.
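As an added example that is not part of the Neustar report or this article, the following Python script applies simple defender-side detection to constructed flow records: it flags hosts receiving responses from many distinct reflectors on the UDP service ports of the amplification vectors named above (DNS, NTP, CLDAP, ARMS, WS-Discovery, CoAP) and hosts receiving mostly SYN-only TCP flows, the SYN-flood pattern described earlier. The record layout, thresholds and sample addresses are assumptions made for this example.

```python
from collections import defaultdict, namedtuple

# UDP source ports of the services the article names as amplification vectors
# (DNS, NTP, CLDAP, ARMS, WS-Discovery, CoAP), keyed by their IANA port numbers.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 3283: "ARMS",
                   3702: "WS-Discovery", 5683: "CoAP"}

# One summarised flow record; the layout is an assumption for this example.
Flow = namedtuple("Flow", "src sport dst dport proto flags bytes")

def detect(flows, min_sources=3, min_bytes=2000, syn_ratio=0.8, min_tcp=10):
    """Return {dst: [findings]} for hosts receiving reflection or SYN-flood traffic."""
    refl = defaultdict(lambda: defaultdict(lambda: [set(), 0]))  # dst -> svc -> [srcs, bytes]
    tcp = defaultdict(lambda: [0, 0])                             # dst -> [syn_only, total]
    for f in flows:
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            entry = refl[f.dst][REFLECTOR_PORTS[f.sport]]
            entry[0].add(f.src)
            entry[1] += f.bytes
        elif f.proto == "tcp":
            tcp[f.dst][1] += 1
            if f.flags == "S":          # SYN with no ACK: a half-open attempt
                tcp[f.dst][0] += 1
    findings = defaultdict(list)
    for dst, svcs in refl.items():
        for svc, (srcs, nbytes) in svcs.items():
            # Many distinct reflectors answering one host from the same service port
            # is the signature of spoofed-source amplification, not normal traffic.
            if len(srcs) >= min_sources and nbytes >= min_bytes:
                findings[dst].append(f"{svc} reflection: {len(srcs)} reflectors, {nbytes} bytes")
    for dst, (syn, total) in tcp.items():
        if total >= min_tcp and syn / total >= syn_ratio:
            findings[dst].append(f"SYN flood: {syn}/{total} flows SYN-only")
    return dict(findings)

# Constructed sample: NTP responses from five hosts plus 20 SYN-only flows aimed at
# 203.0.113.10, and ordinary traffic to 203.0.113.20 (all addresses are documentation ranges).
SAMPLE = [Flow(f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "udp", "", 482) for i in range(1, 6)]
SAMPLE += [Flow(f"192.0.2.{i}", 50000 + i, "203.0.113.10", 443, "tcp", "S", 60) for i in range(1, 21)]
SAMPLE += [Flow("192.0.2.99", 52000, "203.0.113.20", 443, "tcp", "SA", 1500),
           Flow("198.51.100.9", 123, "203.0.113.20", 123, "udp", "", 48)]

if __name__ == "__main__":
    for dst, notes in detect(SAMPLE).items():
        print(dst, *notes, sep="\n  ")
```

In production the thresholds would be tuned against a baseline of the network's normal reflector-port traffic, since a legitimate NTP client talks to a handful of servers while a target of reflection hears from hundreds.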