The past month has seen a spate of record-breaking and intensely long distributed denial-of-service (DDoS) attacks leveled at hosting providers and enterprises, suggesting a shift in tooling and botnet sourcing among the most advanced professional threat actors.
The latest attack was revealed by researchers at Akamai, who today reported another high-water mark. On June 21 its team mitigated the largest-ever packet-per-second DDoS attack that they'd ever recorded on their platform, one that was double the volume of the previous packets-per-second peak.
At its height, the attack sought to overwhelm its target, a large European bank, with 809 million packets per second. The attack ramped up very quickly, moving from normal traffic patterns to its peak volume within two minutes and lasting just under 10 minutes. Packet-based DDoS attacks work on the same general principle as more common bits-per-second attacks, as both try to overwhelm the target company's infrastructure, just in slightly different ways. Whereas bits-per-second volumetric attacks try to overload the inbound pipeline, packets-per-second volumetric attacks work to exhaust internal network resources.
"One way to think about the difference in DDoS attack types is to imagine a grocery store checkout. A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out," explains Tom Emmons in a blog post today. "However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it."
According to his colleague Roger Barranco, vice president of global security operations at Akamai, for just over a year now attackers have been starting to mildly shift toward attacks with lower bits per second and higher packets per second, likely looking for weak spots in enterprise DDoS mitigation measures, which are often best-equipped for frequent bandwidth attacks.
"Since bps-focused attacks were historically more commonplace, more defenses were built to defend that vector, resulting in comparatively fewer pps attack defensive postures being built, which in some cases was a chink in the armor of many enterprises," he says. "Related, the recent 809-million-pps attack we mitigated set a new bar for enterprises to consider when performing a risk assessment."
The truth is that criminals have been turning up the heat with higher and higher volumes of both varieties of attack lately. The announcement of this packet-based DDoS comes just a week after Akamai came forward with news that it had recently rebuffed the largest-ever bandwidth attack as well. Targeted against a website of a major hosting provider, that attack in early June clocked in at 1.44 terabits per second. That particular attack had actually closely followed up on a 500 gigabits-per-second attack against a different website hosted by the same provider, which may not have been as groundbreaking for many well-equipped organizations like that provider, but it was massive in its own right.
"Context is important here. For example, those with a massive infrastructure and associated skilled resources may not get too excited about a 500-Gbps attack, but I guarantee you that it is an infinitesimal percentage of enterprises that have the pipe and gear in place that can block a 500-Gbps attack while allowing healthy traffic to still reach them," Barranco says. "We may be looking at a new normal where a terabit-plus attack is no longer considered an extreme exception."
Like the packet-based attack revealed today, the landmark bandwidth attack lasted just around 10 minutes. This is de riguer for most DDoS attacks of all volume size. According to research from Imperva, approximately 26% of all attacks last just under 10 minutes and 29% last only one to six hours. In May some 70% of attacks lasted less than 24 hours. This is mostly a function of the fact that it usually only takes that long for the bad guys to achieve their DDoS attack objectives.
"As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact," explains Nadav Avital, head of security research at Imperva.
However, Avital's team this week highlighted findings of some exceptionally long application DDoS attacks Imperva mitigated in May that have some striking similarities to the high-volume attacks found by Akamai. Imperva Research Labs reported that two unusually long attacks last month lasted five to six days in duration.
"Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults," Avital says.
Imperva reported that these two very long attacks were perpetrated by botnets using as many as 10 times the number of malicious IP sources as found in average attacks recently. This echoes Akamai findings about the malicious sources of traffic fueling the record-breaking attack announced today, which used 600 times the number of source IPs per minute than what it normally sees.
"Over the last couple years, while DDoS frequency has been increasing, it has not increased in size and complexity at the same rate as IoT being added to the Internet," explains Barranco, who says that after the Mirai Internet of Things (IoT) attack was disabled, a lot of the most intense DDoS started to dry up. These recent attacks indicate that this lull could be coming to an end.
"This leads me to believe there is newly leveraged DDoS tooling available – possibly to a smaller group of bad actors, but those tools always end up being generally available to a wider audience which, understandably, is concerning to many," he says.
Barranco says his team is still investigating the tooling used in both record-breaking attacks, but they suspect they aren't necessarily brand new — they're just being used in more organized and focused fashion.
"I think the tools themselves may not have been novel, but the coordinated use of the tools and, of high importance, the dramatic increase in attack sources being leveraged by the tool is novel," he says. "The fact that many of these attacks are at full power within a couple minutes is impressive."
- Stay-at-Home Orders Coincide With Massive DNS Surge
- Majority of Network, App-Layer DDoS Attacks in 2019 Were Small
- Huge DDoS Attacks Shift Tactics in 2019
- Massive DDoS Attack Generates 500 Million Packets per Second
- How Cybersecurity Incident Response Programs Work (and Why Some Don't)