Distributed denial-of-service (DDoS) attacks have been a staple of adversary toolkits longer than perhaps any other attack technique. Yet its popularity among cybercriminals shows no signs of abating.
In fact, 2020 witnessed what some vendors are describing as a renaissance of the venerable attack technique. Amid major changes fostered by a global pandemic, cybercriminals deployed more DDoS attacks against more organizations in more industries than any time before. DDoS attacks became larger in volume, and the number of attacks exceeding 50 Gbps increased sharply as well.
Organizations targeted in DDoS attacks not only had to contend with volumetrically larger campaigns, but also attacks that combined multiple vectors at the same time — and in some cases lasted longer than ever before. One example is an attack that Akamai encountered last year, which topped 1.4 Tbps and 809 million packets per second.
The attacks, targeted at a large European bank and an Internet hosting company, combined as many as nine different attack vectors, including ACK Flood, NTP Flood, SYN Flood, UDP Flood, and SSDP Flood. Akamai says 65% of the DDoS attacks it mitigated in 2020 involved multiple vectors — one involved 14.
One of the most troubling trends for organizations that vendors reported observing was an increase in so-called ransom DDoS attacks (RDDoS), where adversaries tried extorting money from organizations by threatening them with massive DDoS attacks. Multiple vendors, including Akamai, Cloudflare, and Neustar, reported an uptick in these attacks starting around mid-2020.
"DDoS attacks are a more prevalent threat than ever," says Michael Kaczmarek, vice president of product management at Neustar, which Thursday released a report summarizing DDoS activity it observed in 2020.
Neustar's data shows a 154% increase in the overall number of DDoS attacks between 2019 and 2020. The vendor observed an increase in the use of existing DDoS attack vectors, as well as an increase in RDDoS attacks.
The sheer quantity of attacks in 2020 was surprising, Kaczmarek says.
"We always expect the number of attacks to increase year over year and quarter over quarter, but we didn't expect that the quantity would increase by over 150%," he says. "This truly reflects the impact of the pandemic and the challenging precedent the 'new normal' has set for cybersecurity."
The number of DDoS attacks that involved two or more vectors increased from 40% in 2019 to 72% in 2020, Kaczmarek added. "This means that the attackers as well as the tools they are using are improving," he says.
According to Neustar, while the use of DDoS to try and extort ransoms is not new, these attacks grew in persistence, sophistication, and targeting in 2020. Cyber extortionists purporting to belong to well-known nation-state groups went after organizations in industries they have not regularly targeted previously, such as financial services, government, and telecommunications.
"RDDoS attacks surged in Q4 2020 as groups claiming to be Fancy Bear, Cozy Bear, and the Lazarus Group attempted to extort organizations around the world," says Omer Yoachimik, product manager, DDoS protection at Cloudflare, another vendor that observed the same trend.
With many workforces continuing to be remote, cybercriminals are focusing on attacking organizations' back-end infrastructure, which is being used to keep employees connected and productive while working from home, Yoachimik says.
Unlike some vendors, Cloudflare says it observed a decline in the overall number of DDoS attacks targeted at the network layer during Q4 2020 compared to the prior quarter. At the same time, though, there was a sharp uptick in network-layer attacks that averaged over 500 Mbps and 50,000 packets per second and in attacks that lasted over 24 hours.
"While the total number of L3/L4 DDoS attacks decreased, the number of larger attacks saw a surge," Yoachimik says. This might be an indication that bad actors are launching fewer but larger attacks — attacks that are distributed, longer-lasting, and employing multiple attack vectors.
It's hard to say for sure why large attacks have begun increasing in number, Yoachimik says. But he points to a couple of potential reasons. In Mauritius, the country with the highest level of DDoS attacks, a series of anti-government protests may be linked to the increased DDoS activity, he says. Romania, which ranks No. 2 in the list of countries where most DDoS attacks are launched, has the cheapest, super-fast broadband Internet anywhere. This has made it much easier for adversaries to launch volumetric attacks from within Romania, he says.
In another twist, in 2020 adversaries also ramped up abuse of Microsoft's RDP protocol for DDoS attack amplification/reflection, a study by Netscout uncovered. When enabled on UDP port 3389, the RDP service can be abused to amplify attacks by a ratio of almost 86:1, the company noted in a recent report.
Besides causing problems for targeted organizations, attacks leveraging the RDP protocol also inflicted collateral damage on organizations whose servers were used to launch the attacks, Netscout said. This included partial and even full interruption of remote-access services and other service disruptions caused by capacity consumption issues.
"We have seen this vector used as far back as [the second half of] 2019," says Richard Hummel, Netscout's manager of threat intelligence. "But the number of attacks increased 17% in just the [second half] of 2020. In total, we observed almost 12,000 attacks utilizing this vector in 2020."
One factor driving interest in this attack vector is the easy access to Internet-exposed RDP services, he says.
"In recent weeks, we've seen a significant uptick in attacks leveraging this vector, leading us to believe it has been weaponized in such a way that automated tools and services can now take advantage of this protocol to abuse targets of DDoS attacks," Hummel says.
He recommends that network operators conduct reconnaissance to identify Windows RDP servers that can be abused on their networks or those of their downstream customers. "[They] should be accessible only via VPN services in order to shield them from abuse," he says.
If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure, he advocates.
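The interim measure described above (restricting RDP to TCP and blocking UDP/3389 until the server can be moved behind a VPN concentrator) can be applied on a single Windows host with the following PowerShell, added here as an illustration; it is not code from the article, Netscout, or Microsoft. It assumes an elevated session on the RDP server, that the built-in NetTCPIP and NetSecurity cmdlets are available (Windows Server 2012 R2 / Windows 8.1 or later), and that the Group Policy setting "Select RDP transport protocols" is backed by the `SelectTransport` DWORD under the policy key shown (value 1 = "Use only TCP"); the firewall rule name is a constructed label.

```powershell
# Added example, not from the article or any vendor: harden one Windows host
# against use as an RDP reflection/amplification source by disabling RDP over UDP.
# Run in an elevated PowerShell session on the RDP server.

# 1. Check whether the RDP UDP transport is currently exposed on UDP/3389.
$udpListener = Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
if ($udpListener) {
    Write-Host 'RDP is listening on UDP/3389 - host can be abused as a reflector.'
} else {
    Write-Host 'No UDP/3389 listener found on this host.'
}

# 2. Force RDP to use TCP only. This mirrors the Group Policy setting
#    "Select RDP transport protocols" = "Use only TCP"; the registry path and
#    the SelectTransport value (1 = TCP only) are assumed from that policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'SelectTransport' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Also block inbound UDP/3389 at the host firewall, so the UDP transport stays
#    unreachable even if the policy is later reverted. Rule name is a constructed label.
$ruleName = 'Block RDP over UDP (interim DDoS reflection mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# 4. Restart Remote Desktop Services so the transport change takes effect.
#    NOTE: this disconnects active RDP sessions; schedule accordingly.
Restart-Service -Name TermService -Force

# 5. Re-check: after the restart there should be no UDP/3389 listener.
if (Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue) {
    Write-Warning 'UDP/3389 is still bound; verify the policy value and firewall rule.'
} else {
    Write-Host 'UDP/3389 is no longer bound. RDP will use TCP only.'
}
```

For a fleet, the same registry value is best pushed through the corresponding Group Policy object rather than per-host scripting, and the step-1 listener check (or an external UDP probe of port 3389 from outside the network) is what turns Hummel's "identify the servers that can be abused" advice into a repeatable inventory. Blocking UDP/3389 at the network edge in addition to the host firewall also protects servers that were missed.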
Kaczmarek points to several improvements that have been made on the mitigation front to help organizations minimize disruption from DDoS attacks. Among them are capabilities for identifying attacks sooner — such as the small test attacks that bad actors launch before the real one — so defensive measures can be implemented more quickly. Similarly, the availability of always-on mitigation services and advances in application security and Web application firewalls have made a difference, he says.