In the beginning, attackers built their own botnets by scanning the Internet for vulnerable devices and then compromising them with malware that enabled attackers to remotely control the bots. Sadly, attackers don’t even need to build botnets anymore; they can rent DDoS-for-hire botnets from operators who charge very little money for short-term (but effective) attacks.
While a fair number of botnets are still made up of infected PCs, increasingly, today’s botnets consist of compromised Internet of Things (IoT) devices. As the number of these devices (from home appliances and toys to fitness devices and sleep aids) grows into the multi-billions, the problem of malicious bots being used by attackers is skyrocketing. Many IoT devices are perfect zombie candidates because they’re built without any security protections (for example, the same default password is used across thousands of devices), making them extremely easy for attackers to exploit.

DDoS Attack Types

Because there are literally dozens of different types of DDoS attacks, it’s difficult to categorize them simply or definitively. The three most common categories recognized industrywide are volumetric, protocol, and application layer, but there is some overlap in all of these. For example, some protocol attacks can also be volumetric. What’s more important than trying to perfectly categorize attacks is to understand the variety of methods attackers have at their disposal to perpetrate DDoS attacks. It’s just as important to understand that attackers will target any vulnerable part of your infrastructure, from the network all the way up to the application and its supporting services. (For a unique look at how modern apps are constructed and where they’re vulnerable to all types of attacks, not just DDoS, see Apps Are Like Onions; They Have Layers.)
Below we describe a few of the most common types of DDoS attacks:
Who’s Attacking and Why?

DDoS attacks are launched by different types of attackers, each with their own motivations. Here are just a few:
Who Is a Target of DDoS Attacks?

Regardless of size or industry, virtually any organization that has a public-facing website is vulnerable to DDoS attacks. By their very nature, public-facing websites are designed to invite visitors in—which inherently makes them a potential target for attackers. Unmonitored and poorly protected networks are especially vulnerable because there are no security mechanisms in place to alert administrators to intrusions, anomalous behavior, or fluctuations in traffic volume. But who will be targeted? Although all industries are warned to prepare for “when, not if,” some are more likely targets than others, simply because of the nature of their business. F5's own attack data indicates that financial services and web hosting and colocation facilities were targets in 55% of DDoS attacks investigated in 2018. In the case of financial services, DDoS attacks are often just one step in a multi-level attack—usually used as a distraction for a broader attack aimed at stealing account information or taking over accounts. In the case of web hosting providers and colocation facilities, their own customers, although not directly targeted, end up becoming collateral damage in such attacks. Other obvious targets are retail and ecommerce websites, whose revenue is highly dependent upon their websites being available and responsive.

The Business Impact of a DDoS Attack

The business impact of a DDoS can vary widely based on the size and length of an attack (hours to days) and the nature of the victim’s business. And the industries that feel the most impact of an attack don’t necessarily match up with those that are targeted the most. In an F5 Labs 2018 survey of security professionals, respondents in the Entertainment and Media, Industrial/Manufacturing, and Energy and Utilities industries reported that DDoS would be the most devastating type of attack to their business. The most significant direct business impacts of a DDoS attack are described below.
But it’s important to recognize that DDoS attacks are often used in combination with or as a smokescreen for other types of attacks where the ultimate goal is to steal data.
Signs and Symptoms of a DDoS Attack

From a defender’s point of view, there may be few obvious indications of an attack. Often an organization is unaware of an attack until the customer service desk starts receiving numerous complaints about a website that is slow to respond, appears to be having technical issues, or is completely unreachable. Keep in mind, though, that not all types of DDoS attacks display these signs, as some attacks are designed to appear as non-malicious, normal-looking traffic. These kinds of attacks, which often don’t consume a lot of bandwidth, don’t raise red flags, so they are much harder to detect and mitigate without doing traffic analysis.

DDoS Protection: What You Can Do

How do you protect against DDoS attacks? There’s no way to completely avoid being a target, but you can take steps to better protect your organization from becoming a victim.
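One form of the traffic analysis the section above calls for, added here as an example and not code from the original article: it parses constructed web-server access-log lines and flags any client whose request count within a sliding window exceeds a baseline, even though the bytes involved are too small for a bandwidth graph to show anything. The log lines, the 60-second window and the 20-request threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access-log lines (combined-log style), not real traffic: one
# source hammers a search endpoint at low bandwidth, another browses normally.
SAMPLE_LOG = [
    f'203.0.113.7 - - [28/Feb/2018:17:21:{s:02d} +0000] "GET /search?q={s} HTTP/1.1" 200 512'
    for s in range(30)
] + [
    '198.51.100.4 - - [28/Feb/2018:17:21:05 +0000] "GET / HTTP/1.1" 200 2048',
    '198.51.100.4 - - [28/Feb/2018:17:21:09 +0000] "GET /about HTTP/1.1" 200 1024',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def analyze(lines, window_s=60, max_requests=20):
    """Return {source: summary} for sources whose request count within any
    window_s-second span exceeds max_requests (both thresholds are assumptions
    to tune against your own baseline)."""
    events = defaultdict(list)  # source -> [(epoch seconds, path, bytes)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        src, ts, _method, path, _status, size = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events[src].append((t, path.split("?")[0], int(size)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        times = [e[0] for e in evs]
        peak = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            paths = Counter(p for _, p, _ in evs)
            flagged[src] = {
                "peak_requests": peak,  # requests in the busiest window
                "top_path": paths.most_common(1)[0][0],
                "bytes": sum(b for _, _, b in evs),  # small: volume alone won't show it
            }
    return flagged
```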
DDoS Attack History and Trends

Denial-of-service attacks in one form or another have been around for more than four decades, although they wouldn’t become known as such until more than 20 years later. The first known incident resembling denial of service reportedly happened in 1974. A 13-year-old is said to have written a program that took down a room full of terminals connected to a learning management system at a University of Illinois computer learning lab.[1] In 1999, the first attack that used over 200 compromised hosts (master and “daemons,” foreshadowing a modern-day botnet) shut down the University of Minnesota’s network for two days.[2] It wasn’t until 2000, when so-called “MafiaBoy” Michael Calce launched attacks against several large companies, among them Amazon, eBay, CNN, and Yahoo!—the largest search engine company at the time—that these became known as “distributed denial-of-service” attacks. The takedown of these companies was believed to have been caused by zombies as well, and it highlighted the significant lack of security at such major companies.[3]

Recent High-Profile DDoS Attacks

Recent highly publicized DDoS attacks can provide insight into the variety of attack types and methods attackers use to carry out some of the most devastating DDoS attacks, and they highlight the broad impact such attacks can have. For simplicity, the incidents below are arranged chronologically, but each one is included for some unique aspect of the attack.

GitHub

On February 28, 2018, GitHub suffered a 1.35 Tbps DDoS attack—the largest known attack at the time. Attackers pulled off this attack by exploiting misconfigured Memcached database caching servers that were exposed publicly to the Internet and had no authentication protection. Attackers spoofed the source IP address, so the Memcached servers returned packets to GitHub that were significantly larger than the requests. In this case, the amplification factor was as much as 51,000.
The attack reportedly originated from more than 1,000 autonomous systems (ASNs) across tens of thousands of unique endpoints.[4] Fortunately, GitHub was able to quell the attack within about an hour.

Dyn, Inc. (and other Mirai victims)

In October 2016, Dyn, Inc., a DNS provider for hundreds of companies worldwide, suffered a series of three DNS DDoS attacks that occurred about four hours apart. The attacks affected nearly 70 well-known companies such as CNN, Amazon, Airbnb, GitHub, Netflix, Twitter, PayPal, Starbucks, Comcast, Xbox Live, Reddit, Spotify, Visa, Verizon, and countless others. Attackers used a botnet reportedly consisting of hundreds of thousands of IoT devices infected with the Mirai malware, which gave attackers remote control over the devices. Peaking at 1.2 Tbps, the attack was the first to highlight how vulnerable many IoT devices are and how easily they can be exploited—with monumental effects. As a result of the attack, Dyn reportedly lost 8% of the domains it hosted.[5] Although several hacker groups claimed responsibility, the attack was never officially attributed to any single group. Previous victims of the same Mirai botnet included Krebs on Security (a 620 Gbps attack) and French ISP and web hosting provider OVH; both attacks occurred in September 2016. Underscoring the widespread effects a Mirai-driven DDoS attack can have, the bulk of the Internet infrastructure of an entire country, the African nation of Liberia, was also taken down by a 600 Gbps Mirai-based attack in November 2016. In January 2019, a UK man, who admitted to being hired by a competitor of the country’s largest telecom provider to launch the attack, was convicted and sentenced in the UK.[6]

ProtonMail

Secure (encrypted) email service provider ProtonMail suffered DDoS attacks in both 2015 and again in 2018. At more than 100 Gbps, the 2015 attack was notable not just for its size (at the time) but because it affected ProtonMail’s ISP in several countries.
Perhaps even more notable was that ProtonMail, citing pressure from the ISP and its customers, ultimately paid a ransom to the attackers, setting a questionable and dangerous precedent. However, bending to the attackers’ demands bought ProtonMail no long-term security. In 2018, the company suffered another DDoS attack that was reportedly “orders of magnitude” larger than the 2015 attack.[7]

Cloudflare

In February 2014, content delivery network Cloudflare was hit with a 400 Gbps DDoS attack that took advantage of a vulnerability in the Network Time Protocol (NTP), which synchronizes computer clocks. The attack worked somewhat like a DNS reflected amplification attack in which the attacker sent small packets that each generated large responses directed to the victim’s spoofed IP address. The attacker, possibly from just a single server, used 4,529 publicly accessible NTP servers across 1,298 networks to generate the 400 Gbps attack, the largest on record at the time.[8]

Georgia

In July and August of 2008, the country of Georgia was hit with numerous DDoS attacks on the country’s Internet infrastructure. The attacks shut down servers in media, communications, banking, and transportation companies as well as the government for various lengths of time. The attacks, believed to have been launched by pro-Russian hackers, were the first known cyber attacks to coincide with a military conflict.[9, 10]

Republic of Estonia

In 2007, a series of DDoS attacks swept through the Republic of Estonia, effectively shutting down normal government, banking, and media operations within the country for weeks. Prompted by a dispute with Russia and Russian-speaking Estonians over the relocation of a 1947 war monument to Russian soldiers, the attacks are widely believed to be among the first state-sponsored (or state-sanctioned, through the use of “patriotic” hackers) acts of cyberwarfare, which also included information warfare (dissemination of fake news).
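A defender-side check for the reflection/amplification pattern behind both the GitHub (Memcached) and Cloudflare (NTP) incidents above, added here as an example and not code from the original article: it reads constructed flow records and compares the bytes a UDP reflector service sent to a peer against the bytes that peer sent to it, which surfaces both a host on your network being hit with replies it never requested and a service on your network being abused as an amplifier against someone else. The flow records, the port list and the ratio threshold are assumptions.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors; Memcached (11211) and NTP (123)
# are the ones behind the GitHub and Cloudflare incidents above.
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 53: "dns"}

# Constructed NetFlow-style UDP records (src, sport, dst, dport, packets, bytes);
# 192.0.2.0/24 stands in for "our" network. Not real traffic.
FLOWS = [
    # small spoofed "requests" hitting our exposed memcached box ...
    ("198.51.100.9", 40000, "192.0.2.10", 11211, 100, 6000),
    # ... which answers the spoofed (victim) address with huge replies
    ("192.0.2.10", 11211, "198.51.100.9", 40000, 100, 3000000),
    # a legitimate memcached client exchange
    ("192.0.2.20", 51000, "192.0.2.10", 11211, 50, 4000),
    ("192.0.2.10", 11211, "192.0.2.20", 51000, 50, 8000),
    # NTP replies flooding our web server from a server it never queried
    ("203.0.113.1", 123, "192.0.2.80", 33001, 400, 192000),
    # a normal NTP exchange from our web server
    ("192.0.2.80", 33002, "203.0.113.2", 123, 1, 76),
    ("203.0.113.2", 123, "192.0.2.80", 33002, 1, 76),
]


def amplification_ratios(flows):
    """Per (service_ip, service_port, peer_ip): bytes the peer sent to the
    service, bytes the service sent back, and the response/request ratio."""
    req = defaultdict(int)   # peer -> service port
    resp = defaultdict(int)  # service port -> peer
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport in REFLECTOR_PORTS:
            req[(dst, dport, src)] += nbytes
        if sport in REFLECTOR_PORTS:
            resp[(src, sport, dst)] += nbytes
    out = {}
    for key in set(req) | set(resp):
        r, s = req[key], resp[key]
        out[key] = (r, s, s / r if r else float("inf"))  # inf: unsolicited replies
    return out


def suspected_reflection(flows, max_ratio=10.0):
    """Flag pairs whose response/request byte ratio exceeds max_ratio (an assumed
    threshold; tune per service). Ratio inf means a peer is receiving replies it
    never asked for; a large finite ratio means our service is the amplifier."""
    hits = []
    for (ip, port, peer), (_r, _s, ratio) in amplification_ratios(flows).items():
        if ratio > max_ratio:
            hits.append((ip, REFLECTOR_PORTS[port], peer, ratio))
    return sorted(hits)
```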
Although the attacks originated from Russian IP addresses and contained instructions in Russian, they were never officially attributed to the Kremlin. The attacks led to the formation of the NATO Cooperative Cyber Defence Centre of Excellence, dedicated to cooperation and information sharing among member nations.

The Future of DDoS Attacks

As DDoS protection mechanisms have improved over the years, attackers have gotten more innovative and aggressive by launching multi-vector DDoS attacks. Such attacks might begin with an attacker performing a network reconnaissance scan to discover network bottlenecks, backend servers, and resource-intensive application services. Next, the attacker might make an extortion demand and then begin a traditional network flood attack, perhaps in the tens of gigabits per second range, just enough to be a concern and a distraction for the network operations team. The “real” attack would follow with a massive layer 7 application-specific attack, perhaps against port 80, targeting things like content delivery servers that support the application or other resource-stressed application services. Such attacks can originate from thousands of individual IP addresses and can reach hundreds of gigabits per second or, as we’ve seen in the examples above, terabits per second. With the cheap, easy availability of DDoS tools and massive IoT botnets for rent, we expect DDoS attacks to continue for the foreseeable future—and they will likely grow in size, at least until the problem of highly vulnerable, unsecured IoT devices is addressed. All organizations are urged to take DDoS attacks seriously, expect to be attacked at some time in the future, and prepare in ways that make sense for their particular business to the extent they are able.

Countermeasures for Mitigating DDoS Attacks

The following technical/preventative security controls are recommended to protect against DDoS attacks.