Attackers Are More Determined
The deluge of DDoS attacks is a sign of success for the bad guys. They know they’re winning and are bolder than ever in raising the power of their attacks. One area of interest revealed in Neustar’s 2017 Worldwide DDoS Attacks and Cyber Insights Research Report covers the nature of new attacks. If I were to characterize them with one word, it would be determined.
The days of DDoS attacks belonging only to pranksters are long over; DDoS assaults now often have serious objectives. The headlines about DDoS attacks tend to dwell on size – that they’re bigger than ever and poised to become humongous. I wrote about those findings in another blog. The enabler is the Internet of Things, which entails hundreds of millions and soon to be billions of connected devices. Most IoT devices are inherently insecure. Attackers breach these devices and turn them into a global army of “bots” that together marshal monster waves of data to crush vulnerable websites.
Our research found that 78% of respondents have IoT in active use, up 24% from 2016 (p. 16). Of the organizations using IoT devices that were attacked, 32% suffered network compromises or physical equipment damage during DDoS attacks.
The scary numbers, however, show IoT users may be asleep at the wheel. Here are their DDoS mitigation strategies (p. 17):
Sounds like most respondents are thinking about the problem. And not much more. And that leaves IoT as a very vulnerable enabler of complex DDoS attacks. Complexity is also appearing in other DDoS attack vectors. Neustar’s Security Operations Center reports the following emerging threats (pp. 38-50):
Connectionless Lightweight Directory Access Protocol (CLDAP) – so-called “reflection attacks” originate from botnets that target exposed, public-facing LDAP servers. The largest we saw had a peak size of 20.9 Gbps/2.1 Mpps, targeted 9 different ports, used UDP and lasted 14 minutes. Neustar believes they will increasingly be used to saturate and neutralize authentication systems and security infrastructure components.
Generic Routing Encapsulation (GRE) – these target private connections to disrupt a DDoS target’s connection to its protection provider. Stopping a GRE flood without shutting down legitimate traffic requires surgical rate limiting or specific white/black lists.
Mirai Attacks – Last year (and into March 2017) there were 103,429 IP addresses (bots) involved in the Mirai attacks, which were mitigated by Neustar’s DDoS defense platform. They generated about 4.8 Mbps of DDoS traffic per bot with a peak of 680 Gbps. Data came in 12- to 24-hour bursts. Variants appear to be emerging for attacks this year.
More Vector Activity, More Targeted Attacks – Neustar continues to see prevalent use of TCP, ICMP and UDP attack vectors. TCP-based attacks in particular continue unabated, up more than 50% over Q1/2016, alongside the ongoing rise of NTP.
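The CLDAP reflection and GRE flood vectors above each leave a recognizable footprint in flow data, and the defenses the text names (rate limiting, white lists) need that footprint to act on. The following is an added example, not Neustar code or data from the report: it runs two simple detectors over constructed NetFlow-style records. The thresholds, addresses and the allowed GRE peer list are assumptions for illustration; a real deployment baselines them per protected destination.

```python
"""Flag CLDAP reflection and GRE flood traffic in a batch of flow records.

Constructed example: the records, thresholds and peer list are invented for
illustration and are not Neustar data or Neustar tooling.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (NetFlow-style summary), constructed for this example."""
    ts: float      # start time, seconds since an arbitrary epoch
    proto: str     # "udp", "tcp" or "gre"
    src: str
    sport: int     # 0 for protocols without ports (GRE)
    dst: str
    dport: int
    packets: int
    bytes: int


CLDAP_PORT = 389
WINDOW = 60.0                 # seconds per aggregation window
# Assumed starting thresholds, not values from the report.
CLDAP_MIN_SOURCES = 5         # distinct reflectors answering toward one victim
CLDAP_MIN_AVG_BYTES = 1000    # amplified responses are large; a genuine CLDAP reply is small
GRE_MAX_PPS = 1000            # sustained GRE rate from a known peer above this is suspect
# Known GRE tunnel endpoints (the "white list" the text mentions); address is assumed.
GRE_ALLOWED_PEERS = {"198.51.100.1"}


def detect_cldap_reflection(flows):
    """Flag destinations receiving amplified UDP/389 responses from many sources."""
    buckets = defaultdict(lambda: {"srcs": set(), "dports": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.sport == CLDAP_PORT:
            b = buckets[(f.dst, int(f.ts // WINDOW))]
            b["srcs"].add(f.src)
            b["dports"].add(f.dport)
            b["pkts"] += f.packets
            b["bytes"] += f.bytes
    alerts = []
    for (dst, win), b in sorted(buckets.items()):
        avg_bytes = b["bytes"] / b["pkts"] if b["pkts"] else 0
        # Many reflectors plus large average packets is the reflection signature;
        # a single LDAP server replying to one client never trips this.
        if len(b["srcs"]) >= CLDAP_MIN_SOURCES and avg_bytes >= CLDAP_MIN_AVG_BYTES:
            alerts.append({
                "type": "cldap_reflection", "dst": dst, "window": win,
                "sources": len(b["srcs"]), "dst_ports": len(b["dports"]),
                "mbps": round(b["bytes"] * 8 / WINDOW / 1e6, 3),
                "pps": round(b["pkts"] / WINDOW, 1),
            })
    return alerts


def detect_gre_flood(flows):
    """Flag GRE traffic from unknown peers, or from known peers at abusive rates."""
    buckets = defaultdict(int)
    for f in flows:
        if f.proto == "gre":
            buckets[(f.src, f.dst, int(f.ts // WINDOW))] += f.packets
    alerts = []
    for (src, dst, win), pkts in sorted(buckets.items()):
        pps = pkts / WINDOW
        if src not in GRE_ALLOWED_PEERS:
            alerts.append({"type": "gre_unexpected_peer", "src": src, "dst": dst,
                           "window": win, "pps": pps})
        elif pps > GRE_MAX_PPS:
            # Source addresses can be spoofed, so a "known" peer at an abusive
            # rate still needs rate limiting rather than an automatic pass.
            alerts.append({"type": "gre_rate_exceeded", "src": src, "dst": dst,
                           "window": win, "pps": pps})
    return alerts


# Constructed sample flows (all addresses are from documentation ranges).
SAMPLE_FLOWS = [
    # Six "reflectors" answering on UDP/389 toward one victim on several ports.
    *[Flow(ts=5.0 + i, proto="udp", src=f"192.0.2.{10 + i}", sport=389,
           dst="203.0.113.10", dport=[80, 443, 53][i % 3], packets=200, bytes=280000)
      for i in range(6)],
    # A genuine CLDAP reply: one server, two small packets, a different destination.
    Flow(ts=7.0, proto="udp", src="192.0.2.5", sport=389, dst="203.0.113.20",
         dport=50123, packets=2, bytes=300),
    # Expected GRE tunnel traffic from the known peer at a modest rate (~83 pps).
    Flow(ts=8.0, proto="gre", src="198.51.100.1", sport=0, dst="203.0.113.10",
         dport=0, packets=5000, bytes=6_000_000),
    # GRE from an address that is not a tunnel endpoint, at a high rate (1500 pps).
    Flow(ts=9.0, proto="gre", src="192.0.2.77", sport=0, dst="203.0.113.10",
         dport=0, packets=90000, bytes=90_000_000),
]

if __name__ == "__main__":
    for alert in detect_cldap_reflection(SAMPLE_FLOWS) + detect_gre_flood(SAMPLE_FLOWS):
        print(alert)
```

The CLDAP detector keys on what the report's description implies: many distinct sources, all answering from port 389, with response sizes far above a normal CLDAP reply, spread across several destination ports. The GRE detector implements the white-list idea directly and keeps a rate check on known peers because a source address alone is not proof of identity.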
Complex DDoS attacks like these are difficult to detect. They often appear to be legitimate traffic. And they pose a dangerous threat to organizations without effective DDoS mitigation capability. IoT devices only compound the problem, offering attackers tremendous quantities of conscripted attack resources and presenting tempting network targets.
Please download our report here and read the data. You must understand these threats and deploy effective DDoS protection. If you don’t, the headlines may not scream “Monster Attacked XYZ Corporation.” But after the fallout eventually becomes visible, these smaller, intrusive attacks will prove highly profitable for the attackers, to your company’s detriment.