2020 was seen by many as a bumper year for DDoS attacks. The survey was conducted by the Neustar International Security Council (NISC) and showed that the majority of those surveyed, 22%, believed the biggest threat they faced was a DDoS attack. Further, the number of respondents that acknowledged that they had suffered such an attack went up from 60% in 2019 to 74% in 2020. 2021 promises to be no different and highly likely worse with the advent of Ransom Distributed Denial of Services attacks exceeding 800 Gbps.
Distributed Denial of Service, or DDoS, attacks are attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This is done by using botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device. Hackers will connect thousands of infected devices to send requests to the target server to the point where the server cannot handle the traffic.
Last year's survey by Neustar noted how respondents were seeing the increased incidents of Ransom Distributed Denial of Service (RDDoS) attacks. Such attacks typically involve the attacker first demanding a ransom be paid or they will carry out the DDoS attack. Often a smaller attack is carried before the ransom demand is issued to prove that the attacker is capable of carrying out a larger attack.
According to a blog post published by Akamai, the security firm in February alone has had to deal with three of the six biggest volumetric DDoS attacks the company has seen. Two of the three peaked at 800 Gbps, with one of them being the most advanced DDoS attack the firm had seen. The victim, in this case, was a gambling company based in Europe. At the start of 2021, the company published a retrospective of the DDoS attacks they had seen in 2020. Some of the observations that were noticed then included,
- Attackers pick up the pace and raise the bar. In 2021 alone, we've already seen more attacks over 50 Gbps (as of 03/24/2021) than we saw in all of 2019. Keep in mind attacks of this scale can take almost anyone offline.
- DDoS attacks are getting bolder and meaner. Three of the six biggest volumetric DDoS attacks Akamai has ever recorded and mitigated have been in the past month, including the two largest known DDoS extortion attacks to date. The latest three attacks targeted an organization in Europe in the gambling industry and an organization in Asia in the video games industry.
- Threat actors continue to expand their sights. The number of customer attacks per month has continued at near-record volume, and we have continued to see diversification of attacks across geographies and industries. A recent analysis showed a 57% increase in the number of different customers attacked year over year.
Given the start of 2021 appears to have been no better. Given Akamai’s news, it would seem that such attacks have engaged a higher gear. Returning to the attack on the European gambling company. Researchers saw attacks been ramped up from 200 Gbps to 500 a few months later than to over 800 Gbps in February 2021. It was not only the size of the attack that was notable, but the attacks made use of a previously unknown attack vector. The attackers leveraged a networking protocol known as protocol 33, or Datagram Congestion Control Protocol (DCCP). By doing this the attackers bypassed defenses focussed on other protocols previously abused by attackers. Researchers further noted,
“In addition to the new DCCP attack vector described above, and also as part of a bigger trend, 2021 DDoS campaigns have become more targeted and much more persistent. Recently, we've witnessed several campaigns that targeted a range of IP addresses at two specific customers over an extended number of days. The attackers were relentlessly looking for weaknesses in defenses to exploit, as well as trying different attack vector combinations. In one attack, the threat actors targeted nearly a dozen IPs and rotated through multiple DDoS attack vectors trying to increase the likelihood of disrupting the back-end environments. In fact, 65% of DDoS attacks launched against customers were multi-vector.”
The attack on the European gambling company started in August 2020, this would indicate that attackers are looking to apply persistent pressure to get paid the ransom they demand. This trend is seemingly confirmed by another security firm’s findings. Radware recently published a report detailing other DDoS incidents applying similar tactics. This new wave of attacks began towards the end of 2020.
Radware noted that the organizations threatened with DDoS attacks in August and September of 2020 received new ransom letters asking for 10 bitcoins to stop the strike. Radware says that the organizations that received the new letters had not been disclosed to the media last year. Indications that the same actor was behind the new threats are present in the ransom note sent to the targets.
To prove that the attackers were not making empty threats the victims experienced nine hours of relentless DDoS attack. These attacks started at 200 Gbps and were ramped up to 237 Gbps. What’s more, is that the attacks began a few hours after the victim received the extortion demand. The demand included statements like,
“We asked for 10 bitcoin to be paid at <bitcoin address> to avoid getting your whole network DDoSed. It’s a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong.”
“We can easily shut you down completely, but considering your company size, it would probably cost you more one day without the Internet then what we are asking so we calculated and decided to try peacefully again. And we are not doing this for cyber vandalism, but to make money, so we are trying to be make it easier for both.”
Further confirming what may become a new state of affairs for future DDoS attacks, Akamai witnessed several other incidents that would span over several days. This has led the firm to believe that RDDoS attacks are becoming far more targeted and persistent than before. In less than the first three months of 2021, Akamai witnessed more incidents than in the entirety of 2019. In many of these attacks seen in the first three months of 2021, researchers noticed that the majority of attacks were in excess of 50 Gbps. Compared with the 800 Gbps behemoth, which is still not the largest recorded that being in excess of 1 Tbps, 50 Gbps seem tame.
The reality is that even an attack of 50 Gbps can send through enough junk requests to collapse most online services offered by organizations. It was also discovered that in many of these attacks, the attackers were relentlessly looking for weaknesses in defenses to exploit, as well as trying different attack vector combinations. In one attack, the threat actors targeted nearly a dozen IPs and rotated through multiple DDoS attack vectors trying to increase the likelihood of disrupting the back-end environments.
Given that Akamai and Radware are seeing record numbers of DDoS attacks. Some of them at volumetric sizes that are hard to believe is possible 2021 will be that bumper year for DDoS attacks. Adding a ransom component to operations means that DDoS which was typically seen as a hacktivist’s operation or worse corporate espionage now moves firmly into the financially motivated hackers’ realm. It joins ransomware as a true modern-day scourge.