DDoS attacks: Bigger, badder, and spreading faster
It’s been a record-breaking couple of weeks, and not in a good way. Cybercrime records are ominous warnings, not cause for celebration.
Security vendor Akamai reported what it called the largest distributed denial-of-service (DDoS) attack it had ever mitigated against a European customer. That attack came just a couple of months after what had previously been a record-breaking DDoS attack on the same customer. The latest attack hit the company’s primary data center plus six other data center locations in both Europe and North America 201 times, Akamai said.
Another security vendor, Imperva, reported last week that on June 27 it mitigated a single attack with more than 25.3 billion requests, setting a new record for its DDoS mitigation product.
If you’re not familiar with DDoS attacks, you’re not alone. They usually don’t get the level of attention that major data breaches or ransomware attacks do.
But perhaps they should. They can be just as malignant. And the majority of their targets (73%) are among the most important of a nation’s industry sectors — healthcare, government, finance, and education — according to a report from Comcast Business.
The trouble they cause is easy to explain. We’re all familiar with junk email or spam texts and phone calls. Most of the time they are more annoyance than major threat. We have time, if we want, to do the “block-this-caller” thing on our phones, even though we know it’s a bit like killing a mosquito in the summer. It accomplishes almost nothing since there are a billion more, but it still makes us feel good.
But what if your junk emails or texts jumped from dozens or even hundreds every day to millions every second? That’s way beyond annoyance. Nobody you wanted to hear from could get through.
Flooded with junk
That’s the goal of a DDoS attack. Flood a website with so much junk traffic that it crashes and none of the legitimate traffic can get through. In essence, it shuts down the capability of a business to function.
The motives are varied. It could be money — in some cases the attackers demand a ransom to call off the tsunami. It could be competition — you can quickly get the upper hand on a competitor that can’t function. It could be anger — a gamer doesn’t like what the maker of a game did. It could be political — a “protest” like that will definitely get an organization’s attention. Or in some cases it’s meant to divert the attention and resources of a victim so the attackers will have an easier time succeeding with a different attack — injecting malware, stealing data, or launching a ransomware attack.
Akamai didn’t specify a motive for the attack it just reported but said its customer was getting hit with 704.8 Mpps (million packets per second) of junk traffic — one of the ways DDoS attacks are measured.
Imperva measured the attack on its customer, a Chinese telecom, in requests per second (RPS). The company said the attackers directed 25.3 billion requests at the target with an average rate of 1.8 million RPS.
Akamai also didn’t directly say who the attacker was, although it implied that Russia was involved. At the end of a company blog post on the attack were links directing readers to two alerts from the federal Cybersecurity and Infrastructure Security Agency (CISA): one on how to mitigate Russian state-sponsored threats to critical infrastructure and the second an overview of Russia’s malicious online activities.
DDoS attacks aren’t new — they’ve been around for more than two decades. By now there are millions of them each year — Comcast Business reported about 9.84 million in 2021.
And security vendor Gcore reported last week that it expects the number of DDoS attacks on its customers this year to be about double those in 2021, with the average size growing from 150–300 gigabits per second (Gbps) — yet another way to measure the size of attacks — to 500–700 Gbps.
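The three units above (Mpps, RPS and Gbps) measure different things, which is why a single attack gets reported so differently by different vendors: packets per second is what a router or scrubbing appliance must handle regardless of payload, requests per second is what an application server must handle, and bits per second is what the link must carry. The script below, an added example that is not part of the original article or of any vendor's tooling, shows how a practitioner would compute all three from a constructed access-log sample and flag the one second in which a flood of many distinct sources arrives. The log format, the baseline-multiplier and minimum-source thresholds, and the 64-byte packet size used to illustrate the Mpps-to-Gbps conversion are all assumptions made for the example.

```python
"""Added example (not from the article): derive packets/s, requests/s and
bits/s from a small constructed access-log sample and flag flood seconds.

Log line format assumed for this example:
    <epoch_seconds> <client_ip> <method> <path> <bytes>
"""
from collections import defaultdict
from statistics import median


def make_sample_log() -> str:
    """Constructed sample, not captured traffic: three normal seconds from two
    legitimate clients, then one second in which 40 distinct addresses from an
    RFC 5737 documentation range each send one small request (a DDoS-like burst)."""
    base = 1656324000  # arbitrary epoch seconds, assumed for the example
    lines = []
    for t in (0, 1, 3):
        lines += [f"{base + t} 192.0.2.10 GET /index.html 512",
                  f"{base + t} 192.0.2.11 GET /app.js 20480",
                  f"{base + t} 192.0.2.10 GET /style.css 3072"]
    for i in range(40):
        lines.append(f"{base + 2} 203.0.113.{i + 1} GET /?q={i} 120")
    return "\n".join(lines)


def parse_log(text: str):
    """Yield (second, client_ip, bytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            yield int(fields[0]), fields[1], int(fields[4])
        except ValueError:
            continue


def per_second_stats(records):
    """Bucket records by second: request count, bytes and distinct sources."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "sources": set()})
    for sec, ip, nbytes in records:
        bucket = stats[sec]
        bucket["requests"] += 1
        bucket["bytes"] += nbytes
        bucket["sources"].add(ip)
    return dict(stats)


def flag_flood_seconds(stats, rps_multiplier=5, min_sources=10):
    """Return (second, requests, distinct_sources, bits) for every second whose
    request rate is at least rps_multiplier times the median per-second rate
    AND comes from at least min_sources distinct addresses. The second condition
    separates a distributed flood from a single noisy client that a per-IP
    rate limit would already handle. Thresholds are example assumptions."""
    if not stats:
        return []
    baseline_rps = median(b["requests"] for b in stats.values())
    flagged = []
    for sec in sorted(stats):
        b = stats[sec]
        if b["requests"] >= baseline_rps * rps_multiplier and len(b["sources"]) >= min_sources:
            flagged.append((sec, b["requests"], len(b["sources"]), b["bytes"] * 8))
    return flagged


def analyze(log_text: str):
    """End-to-end: parse, bucket, flag."""
    return flag_flood_seconds(per_second_stats(parse_log(log_text)))


def gbps_from_pps(pps: float, avg_packet_bytes: float) -> float:
    """Convert a packet rate to a bit rate for an assumed average packet size.
    The same Mpps figure maps to wildly different Gbps depending on packet
    size, which is why the two metrics are not interchangeable."""
    return pps * avg_packet_bytes * 8 / 1e9


if __name__ == "__main__":
    for sec, rps, sources, bits in analyze(make_sample_log()):
        print(f"second {sec}: {rps} req/s from {sources} sources, {bits} bit/s")
    # 704.8 Mpps (the Akamai figure) at minimum-size 64-byte packets, an assumed size:
    print(f"704.8 Mpps at 64 B/packet = {gbps_from_pps(704.8e6, 64):.1f} Gbps")
```

Run on the constructed sample, the detector flags exactly one second: 40 requests from 40 distinct addresses, against a median baseline of 3 requests per second. The conversion helper shows that 704.8 Mpps at 64-byte packets is roughly 361 Gbps, whereas the same packet rate at 1,500-byte packets would be over 8 Tbps, which is why a packet-rate record and a bit-rate record are not comparable.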
A blunt instrument
They also keep getting bigger and badder on multiple levels. One of those levels is the damage they can cause. Jonathan Knudsen, head of global research within the Synopsys Cybersecurity Research Center (CyRC), notes that DDoS attacks have typically been a “blunt instrument — a cudgel you can use to deny access to resources for a limited time.” They generally haven’t focused on things like stealing data or money.
But if a DDoS attack takes down an organization that provides critical services, that obviously can have physical impacts on many more people than those within the targeted organization itself.
One of the most notorious and ominous examples was the attack in 2016 against DNS provider Dyn. That attack used a botnet of thousands of IoT devices to disrupt dozens of major websites including Twitter, Spotify, PayPal, GitHub, CNN.com and the New York Times.
The Synopsys CyRC recently issued an advisory about a vulnerability that could allow a DDoS attack on an open source implementation of 5G, the current network technology used by mobile phones.
It’s not hard to imagine the chaos that could result if the millions of customers of a major carrier, or perhaps multiple carriers, lost all mobile communications.
Another reason DDoS attacks are getting worse is that it’s easier for attackers to “enlist” other devices (that’s the “distributed” part of the attack) to create a botnet that they then use to try to overwhelm the victim with traffic.
For a decade or more, hacked computers were the main tool used to create botnets. More recently, attackers have turned to the billions of devices with embedded computers that make up the Internet of Things (IoT), most of which are notoriously insecure.
While phone and computer vendors have security teams working to fix vulnerabilities in their software, that is much less the case with IoT devices, where the focus is on usability and features, not security.
Irresistible attack surface
Among the numerous vulnerabilities that most of them have are open and discoverable administrative controls, default passwords, and no capability to be patched or updated.
Experts have often warned that an attack surface that broad and vulnerable would prove irresistible to criminal hackers. These attacks are proof.
Imperva said the attackers on its customer created a botnet using routers, security cameras, and hacked servers connected to almost 170,000 different IP addresses in more than 180 countries, most in the U.S., Indonesia, and Brazil.
When an attack using all those conscripted devices is launched, it’s a “datapipe-size battle between attacker and victim,” according to Bruce Schneier, self-described public-interest technologist and chief of security architecture at Inrupt, who has written about DDoS attacks multiple times. “If the defender has a larger capacity to receive and process data, he or she will win. If the attacker can throw more data than the victim can process, he or she will win.”
Apparently Akamai and Imperva provide clients with a bigger pipe.
But it comes at a price. Security blogger Brian Krebs was the target of one of the biggest DDoS attacks at the time, six years ago. Akamai had been providing pro bono protection for his site and mitigated that attack, but then said it could no longer afford to do so for free.
Krebs was understanding. “I can’t really fault Akamai,” he wrote at the time. “I likely cost them a ton of money today.”
Secure the IoT
All of which means it’s past time to start paying more attention to DDoS attacks.
What to do? Craig Spiezle, president of Agelight Trust & Risk Advisory Group, said following the attack on Dyn, that while there is no such thing as perfect security, IoT devices could and should have vastly better security, and if they did, a DDoS attack like the one against Dyn would have been difficult to impossible.
But that’s not an easily solved problem. Individual organizations have little to no control over the security of the insecure IoT devices used to create a botnet. And there are billions of them, created by developers for whom the primary pressure is speed to market and cool features, not security.
For the moment, the only option for organizations may be to hire vendors like Akamai and Imperva to mitigate them.
Spiezle and others say the only long-term solution will be pressure on the IoT market by the federal government. And if there’s any good news, it’s that such pressure is in the works.
President Biden’s May 2021 executive order (EO) “Improving the Nation’s Cybersecurity” contains multiple directives to implement better security practices — among them a software Bill of Materials (SBOM) and labeling to account for all the software used in apps and devices, where it came from, how it was built and tested, and how it’s being maintained.
Of course, presidential EOs are abundant and aren’t always followed to the letter, but what could be a game-changer is the requirement that, eventually, federal agencies will be forbidden to buy software products that don’t comply with the security practices the Biden EO calls for.
If that provision holds and vendors can’t sell to the federal government without complying with those requirements, the hope is that, given the enormous purchasing power of the feds, security will “trickle down” to the private sector.
“I’m hopeful that the SBOM initiative will gain traction,” Spiezle said, “but so far the uptake and disclosures have been limited.”
A couple of positive indications, he added, are that “NIST [National Institute of Standards and Technology] just released IoT Core Baseline guidelines, and in February released labeling guidelines. As with many multi-stakeholder efforts, these are the floor and voluntary. I still wish market-leaders such as Amazon and retailers such as Best Buy and Costco would require vendors to comply.”
The hope is that, in time, they will. “The federal government can make this happen as a customer requirement, and this will ‘roll over’ to commercial and consumer segments,” Spiezle said.
Knudsen shares that hope but doesn’t see it happening anytime soon. “I thought downstream customers and consumers would eventually demand better security from their suppliers and vendors, but I don’t see that happening,” he said. “Maybe it’s like expecting people to demand better nutritional value and healthier food from their fast-food restaurants.”
“We are moving toward a world where good security practices are a business differentiator, but we have a long way to go,” he said.