Imagine if you couldn’t access your bank account, or if your doctor couldn’t get to your medical records. What if you discovered that you couldn’t stop the progress of a threat campaign because network resources had been exhausted?
These are extreme examples of the damage a distributed denial of service (DDoS) attack can cause. Large scale attacks can result in reduced capability or complete loss of critical services, reputational damage, loss of productivity, and extensive remediation costs.
There’s more. While attacks have gotten shorter, they’ve become more frequent. As mentioned in a previous blog, frequent short attacks can do more harm than their longer, less frequent counterparts. Internet reliability can depend on fractions of a second, and greater attack frequency means more work for network administrators and security practitioners.
DDoS may not be the most sophisticated threat on the block, but it’s no pushover.
Denial-of-service (DoS) attacks target a specific application or website with the goal of exhausting its system resources, which renders the target unreachable or inaccessible to legitimate users. A DoS attack becomes a DDoS attack when the fake traffic originates from multiple unique IP addresses or machines. This often involves thousands of infected devices attacking in tandem.
First, the attackers gain control of multiple computers and other Internet of Things (IoT) devices, and install a type of malware called a bot. The bot converts the machines to the threat actor’s cause. Collectively, the compromised machines form a network called a botnet. The actor directs the botnet to overwhelm the intended target’s system with more connection requests than it can handle, and so that system becomes unresponsive or inaccessible to legitimate users.
As mentioned, a wide variety of internet-connected devices may make up a botnet, including IoT devices. According to the Cybersecurity and Infrastructure Security Agency (CISA), IoT devices often use default passwords and lack regular security updates, making them vulnerable to compromise and exploitation. Because the infection of IoT devices often goes unnoticed by users, an attacker could easily assemble a vast number of devices into a formidable botnet.
For example, the Fodcha DDoS botnet has over 60,000 active nodes, 40 command-and-control (C2) domains and can generate over 1 terabyte per second (Tbps). In just a single day, this one malware targeted 1,396 devices. Prominent targets of this botnet included healthcare organizations and law enforcement agencies.
The more traffic a DDoS attack produces, the harder it is for an organization to effectively respond to and recover from the attack. The increase in traffic also makes the attack harder to attribute, because the true source becomes tougher to identify.
DDoS attack motives include ideology, marketplace competition, cyber vandalism, extortion, cyberwarfare and smokescreens. Let’s briefly unpack each of these motives.
Hacktivists, like the Killnet group, use DDoS attacks to target organizations – governments, politicians, companies, etc. – that they disagree with ideologically. Hacktivists, generally speaking, may not be the most technically savvy, and they often rely on off-the-shelf tools. However, they can still have an impact on your operations. Attacks by the notorious Anonymous collective and one-off hacktivist attacks related to the pandemic are examples.
When the motive is marketplace competition, the DDoS attacks are often executed by professional threat actors. The purpose in this case is to disrupt a competitor’s website, for example, which can encourage that competitor’s customers to switch to the perpetrator’s business while also causing financial and reputational damage.
According to one report, following a successful DDoS attack, small businesses could end up paying more than $100,000 to recover; larger companies may incur costs of up to $2 million per incident.
Cyber vandals are individuals or groups that execute cyberattacks without any obvious rational criminal, political, or ideological motive. This group also uses off-the-shelf tools – the Low Orbit Ion Cannon for example – in addition to DDoS-for-hire services.
In the case of extortion, cybercriminals use DDoS attacks – or the threat of one – to extort money from their intended targets.
Cyberwarfare DDoS attacks are typically launched by advanced persistent threats and nation-state-linked threat actors. They often target a country’s critical infrastructure, including financial, healthcare, transportation, and communication services.
As a smokescreen, sophisticated threat actors sometimes use DDoS attacks to distract security and IT teams or weaken security systems. This helps them artificially create vulnerabilities for a potentially larger attack campaign, such as network infiltration, data theft, and malware infection.
The goal of an application-layer attack, or HTTP flood, is to exhaust the target’s resources and create a denial-of-service situation. Attackers target the server layer where web pages are generated and delivered in response to HTTP requests, then flood the server with numerous requests, overloading it and causing denial of service.
Protocol attacks, or state-exhaustion attacks, cause denial of service by overconsuming server or network resources. For example, the attacker sends many initial connection requests. The target then waits for the final step of the TCP handshake, but the connection is never finalized, and the target’s resources are exhausted by the accumulating half-open connections.
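The state-exhaustion pattern described above can be spotted from connection events: a source that opens many handshakes and never completes them. The following detector is an added example, not code from the original post or from BlackBerry; the event format, threshold and window are assumptions, and the sample events are constructed.

```python
"""Detect a TCP state-exhaustion (SYN flood) pattern from connection events.

Constructed example: each event is (seconds, client_ip, client_port, flag)
where flag is "SYN" (client opened a connection) or "ACK" (client completed
the handshake). A source that leaves many handshakes half-open longer than
the window is flagged. Threshold and window are illustrative assumptions.
"""
from collections import defaultdict

HALF_OPEN_THRESHOLD = 5      # assumed: half-open connections per source
WINDOW_SECONDS = 3.0         # assumed: how long a SYN may stay unanswered


def half_open_by_source(events, now):
    """Return {client_ip: count} of SYNs older than the window never ACKed."""
    pending = {}  # (ip, port) -> time the SYN was seen
    for t, ip, port, flag in sorted(events):
        key = (ip, port)
        if flag == "SYN":
            pending[key] = t
        elif flag == "ACK":
            pending.pop(key, None)   # handshake finished: a real client
    counts = defaultdict(int)
    for (ip, _port), t in pending.items():
        if now - t >= WINDOW_SECONDS:
            counts[ip] += 1
    return dict(counts)


def flagged_sources(events, now):
    """Sources whose stale half-open count reaches the threshold."""
    return sorted(ip for ip, n in half_open_by_source(events, now).items()
                  if n >= HALF_OPEN_THRESHOLD)


# Constructed sample: 203.0.113.7 opens 8 connections and never completes
# them; 198.51.100.2 completes each handshake normally.
SAMPLE_EVENTS = [(0.1 * i, "203.0.113.7", 40000 + i, "SYN") for i in range(8)]
SAMPLE_EVENTS += [(1.0, "198.51.100.2", 50001, "SYN"),
                  (1.2, "198.51.100.2", 50001, "ACK"),
                  (2.0, "198.51.100.2", 50002, "SYN"),
                  (2.1, "198.51.100.2", 50002, "ACK")]

if __name__ == "__main__":
    print(flagged_sources(SAMPLE_EVENTS, now=10.0))  # ['203.0.113.7']
```

A SYN that is still within the window is not counted, so a brief burst from a slow but legitimate client does not trip the detector on its own.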
In a volumetric attack, the attacker creates network congestion by consuming the available bandwidth between devices and the internet, typically by directing a botnet to send large amounts of data to the victim. Common forms are DNS amplification and other reflection amplification attacks. According to CISA, the actors use a third-party server (the “reflector”) as an intermediary: it receives requests carrying the victim’s spoofed source IP address and sends its (larger) responses to that address.
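From the victim’s side, reflection traffic shows up as DNS responses that answer queries the victim never sent. The following parser and detector are an added example, not code from the original post or from BlackBerry; the log line format and addresses are assumptions, and the log is constructed.

```python
"""Spot reflection/amplification traffic arriving at a protected host.

Constructed example: DNS log lines have the form
  <seconds> <Q|R> <src> <dst> id=<txid> type=<qtype> bytes=<size>
A response ("R") delivered to the protected host that matches no query it
sent is unsolicited: the sign that its address was spoofed in queries sent
to a reflector. Format, addresses and sizes are assumptions.
"""
import re
from collections import defaultdict

VICTIM = "192.0.2.10"   # assumed address of the protected host
LINE = re.compile(r"^(\S+) ([QR]) (\S+) (\S+) id=(\S+) type=(\S+) bytes=(\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE.match(line.strip())
    if not m:
        return None
    t, kind, src, dst, txid, qtype, size = m.groups()
    return {"t": float(t), "kind": kind, "src": src, "dst": dst,
            "id": txid, "qtype": qtype, "bytes": int(size)}


def unsolicited_responses(lines):
    """Return {reflector_ip: (count, bytes)} for responses with no query."""
    sent = set()                         # (resolver, txid) the host really asked
    report = defaultdict(lambda: [0, 0])
    for rec in filter(None, map(parse, lines)):
        if rec["kind"] == "Q" and rec["src"] == VICTIM:
            sent.add((rec["dst"], rec["id"]))
        elif rec["kind"] == "R" and rec["dst"] == VICTIM:
            key = (rec["src"], rec["id"])
            if key in sent:
                sent.discard(key)        # legitimate answer to our own query
            else:
                report[rec["src"]][0] += 1   # nobody here asked for this
                report[rec["src"]][1] += rec["bytes"]
    return {ip: tuple(v) for ip, v in report.items()}


# Constructed log: one real query/answer, then large ANY responses from two
# reflectors that the host never queried.
SAMPLE_LOG = """
0.0 Q 192.0.2.10 198.51.100.53 id=0x1a2b type=A bytes=60
0.1 R 198.51.100.53 192.0.2.10 id=0x1a2b type=A bytes=120
1.0 R 203.0.113.5 192.0.2.10 id=0x7f01 type=ANY bytes=3200
1.0 R 203.0.113.6 192.0.2.10 id=0x7f02 type=ANY bytes=3100
1.1 R 203.0.113.5 192.0.2.10 id=0x7f03 type=ANY bytes=3300
""".strip().splitlines()

if __name__ == "__main__":
    print(unsolicited_responses(SAMPLE_LOG))
```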
One of the biggest issues defenders face with DDoS attacks is separating fake connection requests from legitimate ones. Advanced telemetry tools – like those in CylanceGUARD® from BlackBerry, for example – can help spot signs of a DDoS attack. The specific signs vary based on the type of attack, but here are some general signs to look for:
According to Verizon’s 2022 DBIR, DDoS was the most prevalent form of attack. When zero trust network access (ZTNA) is embraced, it can be an effective mitigation against these cataclysmic attacks. A cloud-native ZTNA solution that incorporates strong endpoint protection capabilities – like CylanceGATEWAY™ – can provide a trifecta of protection, detection and prevention against DDoS attacks.
Network Protection: A proper ZTNA solution mitigates DDoS attacks by proxying traffic to the enterprise network rather than requiring any inbound ports to be opened, so the protected services are not directly exposed to attack traffic and organizations are fundamentally protected from DDoS.
Threat Detection: The ZTNA solution uses intrusion detection systems to detect malicious traffic based on patterns of network flows at three independent layers: Domain Name System (DNS), Internet Control Message Protocol (ICMP), and Transport Layer Security (TLS). In addition, network traffic is continuously evaluated, and risk factors are calculated over multiple vectors. Advanced solutions combine machine learning, IP reputation, and risk scoring to create a dynamic blacklist of internet destinations that are actively blocked.
Prevention: Malicious intrusion attempts such as SQL injection, Address Resolution Protocol (ARP) spoofing, man-in-the-middle (MiTM) attacks, and malicious Wi-Fi hotspots are all indicative of DDoS attacks. In addition to being an identity-aware, multi-layer tunnel with continuous authentication and authorization, a proper ZTNA solution for DDoS also facilitates segmented network access control, which together prevent ARP spoofing; since ARP spoofing is a common segue to MiTM, that is prevented as well. Lastly, layer-3 communication should be fully encrypted, which decreases the possibility of a successful tunneled malicious intrusion attempt such as SQL injection or a malicious Wi-Fi hotspot.
Blackhole routing is an alternative to consider, depending on budget constraints, although it is sometimes considered redundant if you use an advanced ZTNA solution. With this strategy, network traffic is funneled into a “blackhole” and is lost. The drawback of this method is that without proper restriction criteria, both legitimate and illegitimate traffic is dropped from the network. This effectively makes the DDoS attack successful, as the network is now inaccessible.
Monitor social media, particularly Twitter, for threats, conversations, and boasts that may indicate that you have been targeted.
Limit the number of requests a server will accept over a certain time window. This alone is typically insufficient to defend against more complex attacks but is a good component to have in a multipronged mitigation strategy.
Ensure that you understand your critical assets and services. Prioritize based on mission criticality and need for availability, and make sure that the WAF covers these critical elements.
A WAF can assist an organization’s efforts to mitigate application-layer attacks. A simplified way to think of a WAF is like a bouncer. It stands between internet users and the organization’s servers and polices requests for entrance.
In addition, organizations can create rules for their WAF that filter incoming requests. These rules can then be adapted to counter observed patterns of suspicious activity carried out by a DDoS.
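The rate limiting described above and the adaptable WAF rules described here can be combined in one request filter. The following is an added example, not code from the original post or from any WAF product; the request fields, window, limit and rules are assumptions, and the sample traffic is constructed.

```python
"""Per-client rate limiting plus adaptable WAF-style rules for HTTP requests.

Constructed example. Each request is (seconds, client_ip, method, path,
user_agent). A request is denied if the client exceeds MAX_REQUESTS inside
WINDOW seconds, or if any active rule matches; rules are added as suspicious
patterns are observed. Window, limit and rules are illustrative assumptions.
"""
import re
from collections import defaultdict, deque

WINDOW = 10.0       # assumed: sliding window in seconds
MAX_REQUESTS = 20   # assumed: requests per client per window


class RequestFilter:
    def __init__(self):
        self.history = defaultdict(deque)   # client_ip -> recent request times
        self.rules = []                     # (name, predicate(method, path, ua))

    def add_rule(self, name, predicate):
        self.rules.append((name, predicate))

    def decide(self, t, client_ip, method, path, user_agent):
        """Return 'allow' or 'deny:<reason>' for one request."""
        q = self.history[client_ip]
        while q and t - q[0] > WINDOW:      # forget requests outside the window
            q.popleft()
        q.append(t)
        if len(q) > MAX_REQUESTS:
            return "deny:rate-limit"
        for name, pred in self.rules:
            if pred(method, path, user_agent):
                return f"deny:{name}"
        return "allow"


def demo_filter():
    """Filter with two rules derived from a constructed observed flood pattern:
    an empty User-Agent hammering a bare, expensive search endpoint."""
    f = RequestFilter()
    f.add_rule("empty-ua", lambda m, p, ua: ua == "")
    f.add_rule("bare-search", lambda m, p, ua: re.match(r"^/search/?$", p) is not None)
    return f


def run_sample():
    """Constructed traffic: one normal request, one rule hit, then a burst."""
    f = demo_filter()
    results = [f.decide(0.0, "198.51.100.2", "GET", "/", "Mozilla/5.0"),
               f.decide(0.1, "203.0.113.9", "GET", "/search", "")]
    for i in range(25):   # 203.0.113.9 bursts /products 25 times in 2.5 s
        results.append(f.decide(0.2 + 0.1 * i, "203.0.113.9", "GET", "/products", "curl/8.0"))
    return results
```

Once the burst falls outside the window the same client is allowed again, so a transient spike does not lock out a legitimate user indefinitely.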
Consider using a third-party penetration testing (pen testing) service to simulate an attack against your IT infrastructure using real-world scenarios, so you can be prepared for the real thing.
Regularly practicing your organization’s DDoS response plan with all internal and external stakeholders will help identify gaps and issues, ensure all participants understand their roles and responsibilities during a DDoS attack, and build confidence in the DDoS response plan.
Anycast is a network routing method that spreads incoming requests across various servers. The idea is that in the event of a DDoS attack, the added traffic is distributed and absorbed by the network. The effectiveness of this approach depends on the size of the DDoS attack and the size and competency of the network.
A joint guide by CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recommends that organizations enroll in a dedicated DDoS protection service. While many Internet service providers (ISPs) have DDoS protections, they may be insufficient to withstand large-scale or advanced DDoS attacks. A DDoS protection service, such as AWS Shield, can monitor traffic, confirm an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network. CylanceGATEWAY incorporates AWS Shield as an additional layer of protection.
It’s also recommended that organizations speak with a managed service provider (MSP) about specific managed services that guard against DDoS attacks. MSPs offering different technologies on the “edge” can assist with a customization of edge defenses.
Edge defense services can reduce downtime caused by DDoS attacks. Edge defense, detection, and mitigation services reduce the risk of malicious traffic reaching its target and greatly increase the chances of legitimate users reaching your websites and web applications.
Sriram Krishnan is the Senior Director of Product Management at BlackBerry.
David Steinberg-Zwirek is an Editorial Intern at BlackBerry.
© 2022 BlackBerry Limited. All rights reserved.