4 New Trends in the DDoS Threat Landscape

The now infamous October 21, 2016 distributed denial of service (DDoS) attack on Domain Name System (DNS) provider Dyn broke records for sheer size: 1.2 Tbps. Unfortunately, attacks of that scale are likely to become commonplace in the near future because of a perfect storm of trends brewing in cyberspace.

1. Larger Targets

The first troubling trend is that the attack on Dyn represents a change of tactic. In the past, most DDoS attackers have targeted a single website to take it offline. As a DNS provider, Dyn acts as a switchboard for website traffic for thousands of customers, including some of the largest websites in the world, so taking Dyn down took all of them down at once. The attack on Dyn therefore caused far more collateral damage than a single-site attack, and that is what makes it a game changer.

Granted, many Internet Service Providers and hosting providers experience DDoS attacks on a daily basis, and if those attacks are not mitigated they can seriously degrade, if not cripple, a network, causing major outages for the provider’s customers. Just ask OVH, the France-based hosting provider that was hit by the previous record-breaking DDoS attack of 779 Gbps just a few weeks earlier. Similarly, StarHub, a Singapore broadband provider, was hit by large DDoS attacks on October 22 and October 24 that kept many of its users from getting online; in that case the botnet was made up of infected webcams and the broadband routers the company itself had sold to its customers.

2. More IoT devices

This leads to the second trend: the growing number of insecure devices, such as webcams, routers and DVRs, connected to the Internet of Things (IoT). Attackers can scan the Internet for these devices, and if a device is not secured (most often because it still accepts factory-default credentials) it can be recruited into a botnet to send spam, spread malware or launch a DDoS attack. The more Internet-connected devices there are, the greater the potential for extremely large botnets. Some manufacturers are recalling or patching products with known security flaws, but those steps are not enough to stop the flood of DDoS attacks.

3. The Mirai Code

Third is the recent public release of the source code for “Mirai”, malware that infects IoT devices. The first big Mirai attack to make news was the attack on KrebsOnSecurity.com. Since then it has been unleashed countless times, including against OVH and Dyn, and has enslaved nearly half a million IoT devices.

4. New Amplification Vectors

Last but not least, attackers have found new techniques to launch their attacks. Corero’s SecureWatch Research Team recently discovered that attackers have begun to use a significant new zero-day DDoS attack vector. The new technique is an amplification attack that abuses the Lightweight Directory Access Protocol (LDAP), one of the most widely used protocols for querying directory services such as Microsoft Active Directory, which sits at the core of most enterprise networks. As with other amplification vectors, the attacker sends small queries with the victim’s address forged as the source to servers that answer LDAP over connectionless UDP (port 389), and each server returns a much larger response to the victim.

According to my colleague Dave Larson, CTO/COO at Corero Network Security,

“This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. It’s not hard to foresee a worst case scenario in which a 665 Gbps attack like Krebs Security experienced might be amplified by as much as 55x. This would make terabit scale attacks a common reality, which could significantly impact the availability of the Internet, or at least degrade it in certain regions.”
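The following is an added example, not code from Corero or from the research described above: it shows how the reflection signature of the LDAP vector looks in flow data and how the amplification ratio in the quote above is estimated. The flow records are constructed for the example, the 52-byte query size is an assumption used only for the ratio, and the thresholds are hypothetical.

```python
from collections import defaultdict

CLDAP_PORT = 389
# Assumption used only to estimate the amplification ratio: a small CLDAP
# rootDSE searchRequest is on the order of 50 bytes on the wire.
TYPICAL_QUERY_BYTES = 52

# Constructed flow records (not real data):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # five reflectors answering from UDP/389 to one host that never asked them
    ("198.51.100.10", 389, "203.0.113.5", 41234, "udp", 40, 116000),
    ("198.51.100.11", 389, "203.0.113.5", 41234, "udp", 38, 108300),
    ("198.51.100.12", 389, "203.0.113.5", 41234, "udp", 45, 135000),
    ("198.51.100.13", 389, "203.0.113.5", 41234, "udp", 42, 113400),
    ("198.51.100.14", 389, "203.0.113.5", 41234, "udp", 41, 120950),
    # a legitimate CLDAP exchange: the client really sent the query
    ("192.0.2.30", 50123, "198.51.100.20", 389, "udp", 1, 52),
    ("198.51.100.20", 389, "192.0.2.30", 50123, "udp", 1, 2400),
    # unrelated traffic: an LDAP session over TCP and a DNS answer
    ("192.0.2.20", 389, "192.0.2.99", 52000, "tcp", 10, 4000),
    ("192.0.2.53", 53, "203.0.113.7", 33000, "udp", 3, 300),
]


def solicited_pairs(flows):
    """(client, server) pairs for which a UDP query to port 389 was seen."""
    return {(src, dst) for src, _sport, dst, dport, proto, _p, _b in flows
            if proto == "udp" and dport == CLDAP_PORT}


def unsolicited_cldap_answers(flows):
    """UDP flows sourced from port 389 whose destination never queried that source.

    The victim of a reflection attack never sent the queries (the attacker
    spoofed its address), so the answers arrive unsolicited.
    """
    asked = solicited_pairs(flows)
    return [f for f in flows
            if f[4] == "udp" and f[1] == CLDAP_PORT and (f[2], f[0]) not in asked]


def find_victims(flows, min_reflectors=3, min_avg_bytes=1000):
    """Map victim IP -> summary for hosts receiving large unsolicited CLDAP
    answers from several distinct reflectors (the reflection signature)."""
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, _sport, dst, _dport, _proto, pkts, nbytes in unsolicited_cldap_answers(flows):
        rec = per_dst[dst]
        rec["sources"].add(src)
        rec["packets"] += pkts
        rec["bytes"] += nbytes

    victims = {}
    for dst, rec in per_dst.items():
        avg = rec["bytes"] / rec["packets"]
        if len(rec["sources"]) >= min_reflectors and avg >= min_avg_bytes:
            victims[dst] = {
                "reflectors": sorted(rec["sources"]),
                "avg_response_bytes": round(avg),
                # bytes delivered to the victim per byte the attacker had to send
                "est_amplification": round(avg / TYPICAL_QUERY_BYTES, 1),
            }
    return victims


if __name__ == "__main__":
    for victim, info in find_victims(FLOWS).items():
        print(f"{victim}: {len(info['reflectors'])} reflectors, "
              f"~{info['avg_response_bytes']} B/answer, "
              f"~{info['est_amplification']}x amplification")
```

The unsolicited check is what separates reflection from ordinary directory traffic: a real client's answer is preceded by its own query, while the victim's answers have no matching outbound flow. The reflector list is also the input for the cleanup step, which is to notify the owners of the exposed servers so that UDP/389 stops being reachable from the Internet.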

What’s the Solution?

The combination of these four trends spells huge trouble on the near horizon for IT security teams. What can be done in response? First, many DDoS attacks could be blunted by proper service provider hygiene: identifying packets with spoofed source IP addresses and dropping them before they are admitted to the network. Specifically, providers should follow Best Current Practice 38 (BCP 38), published by the Internet Engineering Task Force (IETF) as RFC 2827, which describes router configurations that eliminate spoofed source addresses through ingress filtering: a packet arriving from a customer is only forwarded if its source address belongs to the address space assigned to that customer. Because every reflection attack depends on forging the victim’s address, this alone would reduce the overall problem of reflected DDoS by at least an order of magnitude.
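As an added illustration of the BCP 38 rule (this is example code, not a vendor configuration or anything from RFC 2827 itself), the check below simulates an edge router's ingress filter: the interface-to-prefix table, the interface names and the packets are all hypothetical.

```python
from ipaddress import ip_address, ip_network

# Hypothetical customer assignments: ingress interface -> prefixes the customer
# behind it is entitled to source traffic from. Real deployments derive this
# from the provider's allocation database or from the routing table (uRPF).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("2001:db8:abcd::/48")],
}

# Source ranges that are never legitimate on an Internet-facing edge.
BOGON_SOURCES = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7",
)]


def ingress_permitted(interface, src_ip):
    """BCP 38 check for one packet: True only if the source address belongs to
    the prefixes assigned to the customer behind this interface."""
    addr = ip_address(src_ip)
    if any(addr in net for net in BOGON_SOURCES):
        return False
    allowed = CUSTOMER_PREFIXES.get(interface)
    if allowed is None:
        return False  # unknown interface: fail closed rather than forward blindly
    return any(addr in net for net in allowed)


# Constructed packets (not captured traffic): ingress interface, source, destination.
PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "198.51.100.20"),      # legitimate customer address
    ("ge-0/0/1", "192.0.2.10", "198.51.100.20"),       # forged victim address: a reflection attempt
    ("ge-0/0/2", "10.1.2.3", "198.51.100.20"),         # RFC 1918 source: bogon
    ("ge-0/0/2", "198.51.100.200", "198.51.100.20"),   # outside the customer's /25: spoofed neighbour
    ("ge-0/0/2", "2001:db8:abcd::1", "2001:db8::53"),  # legitimate IPv6 customer address
]


def apply_ingress_filter(packets):
    """Split packets into (forwarded, dropped) the way an edge ACL would."""
    forwarded, dropped = [], []
    for pkt in packets:
        interface, src, _dst = pkt
        (forwarded if ingress_permitted(interface, src) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(PACKETS)
    for pkt in drop:
        print("DROP", pkt)
    for pkt in fwd:
        print("FORWARD", pkt)
```

The second packet is the one that matters for reflection attacks: a customer host forging 192.0.2.10 as its source never gets its query past the edge, so no reflector ever answers toward that address. On production routers the same policy is expressed as an ingress ACL per customer interface or, more conveniently, as strict unicast reverse path forwarding (for example `ip verify unicast source reachable-via rx` on Cisco IOS), which uses the routing table as the prefix list.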

We also know from our customer experience that Internet Service Providers that position an anti-DDoS solution at a suitable peering point upstream in their network can defend their customers against DDoS attacks.

For more information, contact us.