In summer 1999, the University of Minnesota found itself on the receiving end of a new kind of cyber-attack. A network of more than 100 computers, infected with a malicious script named Trin00, started flooding the university with junk data packets.
Like too many cars squeezing down a road that is too narrow to accommodate them, the massive influx of traffic overloaded the university’s computers. Legitimate requests from real users had no way of getting through. In the end, the University of Minnesota’s computer was knocked offline for two days — by nothing more than a hacker with some bad intentions.
DDoS attacks have gone mainstream
Since then, DDoS (distributed denial of service) attacks have gone mainstream. Compared to regular DoS (denial of service) attacks, which are sent from one computer, DDoS attacks are distributed attacks sent from multiple machines at once. This makes them far more powerful, as well as disguising the origins of the attacker and making them tougher to block. DDoS attacks are measured in two different ways: either the number of millions of packets sent per second or the number of gigabits sent per second. DDoS attacks can hit organizations of any size (or even, on occasion, individuals). Some notable attacks have attempted to take down big-hitters like the Bank of America, code repository GitHub, Sony, and others. Reasons for DDoS attacks can vary from underhanded businesses hitting out at competitors to extortion to hacktivism or plain cyber-vandalism. Without the right DDoS mitigation measures, the results can be — and frequently are — devastating.
Cyber-attacks evolve over time, and DDoS attacks are no different. Different techniques, vectors, and amplification methods are all constantly shifting. Popular attack vectors include UDP (User Data Protocol), which is used in large numbers of DNS amplification attacks, alongside SYN Flood, TCP, NTP, and DNS Response attacks. In recent years, Portmap has become an increasingly popular vector of DDoS attacks. A portmapper refers to the protocol responsible for mapping the number/version of an Open Network Computer Remote Procedure Call (ONC RPC) to an RPC program. While Portmap services can be blocked or disabled with the aid of firewalls, this is often not always done — thereby creating a potential vulnerability hackers can use to amplify attacks. Portmap attacks, SNMP attacks, and SSDP attacks make up the most common DDoS amplification vectors.
A cat-and-mouse game
For attackers, DDoS attacks are a cat-and-mouse game. As defenses increase against certain types of attack, attackers shift their approaches accordingly. For instance, while volumetric attacks (bombarding a targeted victim’s network with traffic to consume as much bandwidth as possible) remain very common, attackers have responded to added defensive capacity of cloud-based services by employing a great number of application layer — or layer 7 — DDoS attacks, rather than sticking solely to networked-based attacks. An application layer attack focuses on vulnerabilities in specific applications, the most common being web servers, with the goal of stopping that service from being accessed by users. These attacks target the top layer in the OSI model, where requests such as HTTP GET and HTTP POST are carried out.
Application layer attacks require less total bandwidth to cause disruption. These smaller attacks may therefore go unnoticed up until the point that they cause some serious damage. For example, knocking a web server offline may involve between hundreds and thousands of HTTP requests every second until the service is unable to handle them and goes offline. Alongside HTTP flooding, application layer attacks can include low-and-slow attacks, BGP hijacking, and others.
Another shift reflects where attacks are directed. As noted, organizations both small and large have been hit by DDoS attacks. But as the popularity of different sectors rises and falls, so too do certain market segments become disproportionately targeted. Gaming, gambling, adult and crypto-currency trading websites and services are among the most heavily targeted industries by DDoS attackers. But as the rise of DDoS-for-hire services have increased, allowing people to hire DDoS attackers for just a few dollars, the overall number of attacks continues to creep up. In short, no industry is completely safe from the risk of cyber-attacks.
One other big shift comes from the type of devices used to amplify DDoS attacks. The growing number of Internet of Things (IoT) devices has led to botnets of unparalleled size. Malware such as Mirai and its descendants work by infecting improperly secured IoT devices, ranging from home routers to smart security cameras, and using them to amplify DDoS attacks. An increasing percentage of these compromised devices are found in places like China, Taiwan and Vietnam, alongside more mature markets like the United States.
Protecting against DDoS attacks
An overview of the DDoS landscape in 2020 makes for grim reading. But while DDoS attacks are only getting more frequent and sophisticated, the tools designed to help deal with them are also advancing. DDoS protection is necessary to maintain the availability of websites and services, where unwanted downtime can have serious financial and reputational repercussions.
Cybersecurity experts can provide access to tools that will identify threats as they appear, detect malicious users, and stop attacks — whether these are volumetric, protocol, or application layer-based. While companies should be aware of the risks associated with DDoS attacks, the result is that they should not have to fear being targeted by them. Here in 2020, it would be foolish to bury your head in the sand and pretend that DDoS attacks are not a part of the cybersecurity landscape. Fortunately, it’s more possible than ever to protect against them. Doing so is the smartest decision any business can make.