Jonathan Greig | November 5, 2021 | Topic: Security
Cloudflare released its Q3 DDoS Attack Trends report this week, capping a record-setting quarter that saw a number of devastating attacks on VoIP services.
Cloudflare researchers said they saw several “record-setting HTTP DDoS attacks, terabit-strong network-layer attacks and one of the largest botnets ever deployed (Meris),” noting the emergence of ransom DDoS attacks on voice over IP (VoIP) service providers. The attack on Bandwidth.com left dozens of companies scrambling to deal with outages.
Despite its power, Meris did not actually cause significant damage or outages, according to Cloudflare.
The company noted that its customers on the Magic Transit and Spectrum services were targeted with network-layer attacks by a Mirai-variant botnet that “launched over a dozen UDP- and TCP-based DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of approximately 1.2 Tbps.”
The report notes that the number of attacks peaked in September, but that throughout the quarter the number of large attacks increased, both in the volume of traffic delivered and in the number of packets delivered.
“QoQ data shows that the number of attacks of sizes ranging from 500 Mbps to 10 Gbps saw massive increases of 126% to 289% compared to the previous quarter. Attacks over 100 Gbps decreased by nearly 14%. The number of larger bitrate attacks increased QoQ (with the one exception being attacks over 100 Gbps, which decreased by nearly 14% QoQ). In particular, attacks ranging from 500 Mbps to 1 Gbps saw a surge of 289% QoQ and those ranging from 1 Gbps to 100 Gbps surged by 126%. This trend once again illustrates that, while (in general) a majority of the attacks are indeed smaller, the number of ‘larger’ attacks is increasing. This suggests that more attackers are garnering more resources to launch larger attacks,” the report found.
“Most attacks remain under one hour in duration, reiterating the need for automated always-on DDoS mitigation solutions. As in previous quarters, most of the attacks are short-lived. To be specific, 94.4% of all DDoS attacks lasted less than an hour. On the other end of the axis, attacks over 6 hours accounted for less than 0.4% in Q3 ’21, and we did see a QoQ increase of 165% in attacks ranging 1-2 hours. Be that as it may, a longer attack does not necessarily mean a more dangerous one.”
Cybercriminals typically use SYN floods as their method of attack but there was a 3,549% QoQ increase in attacks over DTLS.
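The report's figures above describe attacks by vector (SYN flood versus DTLS), by peak bitrate band and by duration. As an added illustration that is not part of the article or of Cloudflare's report, the script below classifies constructed one-second flow samples along those same three axes: it flags a window as a SYN flood when SYNs far outnumber SYN-ACKs, treats UDP toward ports 443 or 4433 as DTLS traffic, and then buckets the event into the report's bitrate and duration bands. The record format, the port list, the packet-rate and SYN-ratio thresholds, and the 2-6 hour band are all assumptions chosen for the example; the sample telemetry is synthetic.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Assumed UDP ports on which DTLS traffic is expected (assumption for this example).
DTLS_PORTS = {443, 4433}
# Heuristic thresholds; these are assumptions, not figures from the report.
SYN_RATIO_THRESHOLD = 20      # SYNs per SYN-ACK before a window counts as a SYN flood
PPS_THRESHOLD = 50_000        # packets per second below which a window is treated as benign
MBPS = 1_000_000
GBPS = 1_000_000_000


@dataclass
class FlowRecord:
    ts: datetime       # start of the one-second sample window
    proto: str         # "tcp" or "udp"
    dst_port: int
    packets: int       # packets observed in the window
    bits: int          # bits observed in the window
    syn: int = 0       # TCP SYN packets in the window
    synack: int = 0    # TCP SYN-ACK packets in the window


def bitrate_band(bps: int) -> str:
    """Bucket a peak bitrate using the size bands quoted from the Q3 report."""
    if bps < 500 * MBPS:
        return "<500 Mbps"
    if bps < GBPS:
        return "500 Mbps-1 Gbps"
    if bps < 100 * GBPS:
        return "1-100 Gbps"
    return ">100 Gbps"


def duration_band(seconds: float) -> str:
    """Bucket a duration at the report's 1 h, 2 h and 6 h cut points (the 2-6 h band is assumed)."""
    hours = seconds / 3600
    if hours < 1:
        return "<1 h"
    if hours < 2:
        return "1-2 h"
    if hours <= 6:
        return "2-6 h"
    return ">6 h"


def classify_vector(rec: FlowRecord) -> Optional[str]:
    """Name the attack vector for one window, or None if the window looks benign."""
    if rec.packets < PPS_THRESHOLD:
        return None
    if rec.proto == "tcp":
        # A SYN flood shows many SYNs with very few completed handshakes (SYN-ACKs).
        if rec.syn >= SYN_RATIO_THRESHOLD * max(rec.synack, 1):
            return "SYN flood"
        return "TCP flood"
    if rec.proto == "udp":
        return "DTLS flood" if rec.dst_port in DTLS_PORTS else "UDP flood"
    return "other"


def summarize(records: Iterable[FlowRecord]) -> dict:
    """Reduce a stream of windows to vector, peak rate and duration, bucketed like the report."""
    attack_windows = [(r, v) for r in records if (v := classify_vector(r))]
    if not attack_windows:
        return {"vector": None}
    vector = Counter(v for _, v in attack_windows).most_common(1)[0][0]
    first = min(r.ts for r, _ in attack_windows)
    last = max(r.ts for r, _ in attack_windows)
    duration = (last - first).total_seconds() + 1  # each window is one second wide
    peak_bps = max(r.bits for r, _ in attack_windows)
    return {
        "vector": vector,
        "peak_bps": peak_bps,
        "peak_pps": max(r.packets for r, _ in attack_windows),
        "bitrate_band": bitrate_band(peak_bps),
        "duration_s": duration,
        "duration_band": duration_band(duration),
    }


# Constructed sample telemetry (synthetic, not real traffic).
T0 = datetime(2021, 9, 1, 12, 0, 0)


def synthetic_syn_flood(seconds: int = 900) -> List[FlowRecord]:
    """A 15-minute TCP SYN flood peaking at 800 Mbps."""
    return [FlowRecord(T0 + timedelta(seconds=i), "tcp", 443, packets=1_500_000,
                       bits=800 * MBPS, syn=1_450_000, synack=2_000) for i in range(seconds)]


def synthetic_dtls_flood(seconds: int = 5400) -> List[FlowRecord]:
    """A 90-minute UDP flood toward the DTLS port, peaking at 1.2 Gbps."""
    return [FlowRecord(T0 + timedelta(seconds=i), "udp", 4433, packets=120_000,
                       bits=1_200 * MBPS) for i in range(seconds)]


def synthetic_background(seconds: int = 60) -> List[FlowRecord]:
    """Ordinary HTTPS traffic: low packet rate, SYNs roughly matched by SYN-ACKs."""
    return [FlowRecord(T0 + timedelta(seconds=i), "tcp", 443, packets=800,
                       bits=5 * MBPS, syn=300, synack=290) for i in range(seconds)]


if __name__ == "__main__":
    for name, recs in [("syn", synthetic_syn_flood()), ("dtls", synthetic_dtls_flood()),
                       ("background", synthetic_background())]:
        print(name, summarize(recs))
```

The SYN-to-SYN-ACK ratio is the useful signal here: a legitimate connection burst produces SYN-ACKs at nearly the same rate as SYNs, whereas a spoofed-source flood does not. Because the report finds that most attacks end within an hour, a classifier like this only earns its keep when it feeds an automated mitigation path rather than a ticket queue.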
Vishal Jain, CTO at Valtix, told ZDNet that it’s not surprising to learn DDoS attacks are breaking records. For years, the cybersecurity community has been talking about how IoT devices will lead to larger botnets capable of stronger DDoS attacks, Jain said, adding that as the volume of vulnerable, compromised, and misconfigured IoT devices continues to grow — cloud service providers will be challenged to protect their customers’ services.
“Organizations need to have an incident response plan in place that involves a DDoS mitigation service,” Jain said.
“Being alerted to a possible DDoS attack and identifying what is impacted allows security teams to take a proactive approach instead of reacting to downed services. Businesses should use edge-based, volumetric L4 DDoS protections complementing L7 DDoS protections close to internet facing applications.”
Digital Shadows cyber threat intelligence analyst Stefano De Blasi said that while DDoS attacks are commonly associated with technically unsophisticated attackers, recent events are a reminder that highly skilled adversaries can mount high-intensity operations that may result in severe consequences for their targets.
De Blasi noted that in the past two years Digital Shadows has frequently observed attackers combining DDoS attacks with cyber extortion tactics, potentially offering a glimpse of how this threat will evolve.
“With the introduction of extortion, leading to a higher likelihood of financial gain, financially motivated threat actors likely see DDoS attacks as viable options, especially with success experienced by ransomware operators. In the coming years, cybercriminals will likely begin leveraging DDoS attacks to conduct financially motivated campaigns, while hacktivist groups will continue to use DDoS attacks for disruption purposes,” De Blasi said.
“Nation-state groups primarily conduct attacks to gather competitive intelligence, which is more attainable through unauthorized network access through phishing, vulnerability exploitation, and ransomware deployment when coupled with data exfiltration.”