DDoS Attacks Are Becoming More Advanced With the Aim to Obfuscate Network Processes
Distributed denial-of-service (DDoS) is considered one of the ‘original’ network-based cyberattacks, and for good reason. One of the earliest known DDoS attacks occurred 20 years ago and targeted the University of Minnesota. It used a script that caused more than 100 computers to send junk packets onto the network, which overwhelmed it and knocked the university's computer offline. With the success of this attack, it was not long before copycat attacks hit websites such as Yahoo, Amazon and CNN.
Fast forward to 2019 and DDoS is still here. We’ve seen some large-scale attacks in the intervening years, among the more famous being the Spamhaus attack in 2013, the massive GitHub outage in 2018 and the attack on DNS provider Dyn, which used the Mirai botnet and took Twitter, Netflix, CNN, Reddit and many other big-name sites offline. These attacks targeted network services and their effects were broad in scale.
More recently, we’ve seen a shift: attackers are moving away from simply sending out broadcast traffic for massive disruption toward more complex and targeted attacks operating at the application layer, with the ability to take down specific applications or services. These attacks are harder to detect, since the traffic looks legitimate, but they can be more damaging because the end result is loss of business due to application unavailability.
To properly protect your network from DDoS attacks, there needs to be both automated network monitoring at the edge to detect abnormal activity and perimeter protection through firewalls. This combination is the best way to keep networks up and running while keeping harmful traffic at bay.
Attacked from all angles
Advanced DDoS attacks can come from distributed sources rather than a single IP, making them challenging to identify. For example, in a Layer-7 DDoS attack, the botnet used will make many thousands of requests to an application service – such as the login page – but not necessarily try to authenticate. Each of these requests must be serviced by the application APIs, consuming compute power. The result is that the application API is overwhelmed with requests, fails and takes the service offline. However, a scalable monitoring system at the network edge can quickly adapt to the size of the attack and route traffic to the appropriate security infrastructure.
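To make the login-page pattern above concrete, here is an added detection example (not code from the original article) that runs over constructed access-log lines in an assumed `<src_ip> <epoch_seconds> <method> <path> <status>` format. It deliberately avoids per-source rate limits, since each bot in a distributed flood stays low-rate, and instead combines aggregate volume against a baseline window with the share of sources that load the page but never POST credentials.

```python
from collections import defaultdict

WATCHED_PATH = "/login"   # the application endpoint being monitored
WINDOW_SECONDS = 60
RATE_FACTOR = 5.0         # flag when window volume exceeds baseline * factor ...
MIN_UNAUTH_SHARE = 0.8    # ... and most sources never try to authenticate

def parse_line(line):
    ip, ts, method, path, status = line.split()
    return ip, int(ts), method, path, int(status)

def analyse_windows(lines, path=WATCHED_PATH, window=WINDOW_SECONDS):
    """Per fixed window: requests to `path`, distinct sources, share of GET-only sources."""
    buckets = defaultdict(lambda: {"requests": 0, "get": set(), "post": set()})
    for line in lines:
        ip, ts, method, req_path, _status = parse_line(line)
        if req_path != path:
            continue
        b = buckets[(ts // window) * window]
        b["requests"] += 1
        if method in ("GET", "POST"):
            b[method.lower()].add(ip)
    summaries = []
    for start in sorted(buckets):
        b = buckets[start]
        sources, unauth = b["get"] | b["post"], b["get"] - b["post"]
        summaries.append({"start": start, "requests": b["requests"], "sources": len(sources),
                          "unauth_share": len(unauth) / len(sources) if sources else 0.0})
    return summaries

def flag_floods(summaries, baseline_requests, rate_factor=RATE_FACTOR, min_share=MIN_UNAUTH_SHARE):
    """Start times of windows that look like a Layer-7 login flood. No per-IP rate
    limit is used: each bot stays low-rate, so only the aggregate and the behaviour tell."""
    return [s["start"] for s in summaries
            if s["requests"] > baseline_requests * rate_factor and s["unauth_share"] >= min_share]

# Constructed sample: a quiet minute of real logins, then a minute in which twenty
# distinct sources each fetch /login twice and never submit credentials.
SAMPLE_LOG = [
    "10.0.0.5 5 GET /login 200", "10.0.0.5 9 POST /login 302",
    "10.0.0.7 20 GET /login 200", "10.0.0.7 31 POST /login 302", "10.0.0.9 40 GET /index 200",
    "10.0.0.5 70 GET /login 200", "10.0.0.5 75 POST /login 302",
] + [f"198.51.100.{n} {61 + n} GET /login 200" for n in range(1, 21) for _ in range(2)]

if __name__ == "__main__":
    windows = analyse_windows(SAMPLE_LOG)
    print(flag_floods(windows, baseline_requests=windows[0]["requests"]))  # [60]
```

In production the baseline would come from a rolling history rather than the first window, and the flagged window would be handed to the edge routing described above rather than printed.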
Information at risk
Another consideration is that a DDoS attack may not just be launched to take services offline but to compromise information. Attacks are becoming more complex – they may be smokescreens intended to cause confusion and provide attackers with the opportunity to steal data from the network. This theft may not be noticed until after the DDoS has been mitigated or stopped and, by that time, it is too late. The damage has been done.
As these attacks become more advanced with the aim of obfuscating network processes, it’s critical that the proper detection tools are in place to reveal malicious behavior. This can be achieved through real-time filtering that separates normal network activity from at-risk behavior.
CAPTCHA isn’t a catch-all
As mentioned, the Mirai botnet was first used in 2016 for a number of high-profile DDoS attacks and is still in use today. It relied on weak usernames and passwords to gain access to IoT devices, which could then be used to generate massive-scale DDoS attacks. For user applications, such as email or social media, it’s possible to use techniques such as CAPTCHA or text-message verification to prevent unauthorized access. However, there are many hundreds of millions of IoT devices, controlling everything from electricity to hospitals, for which these methods are not suitable.
These are not devices with a user interface and cannot be treated as such. Leveraging data from the network makes it possible to monitor the behavior of IoT devices. If the devices start behaving unusually – for example, by broadcasting on the network or attempting to send connection requests to application services – then security policies can be applied automatically and the security team alerted.
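The behavioural monitoring described here can be sketched as a per-device baseline of expected destinations, with deviations mapped to an automatic policy action or an alert. This is an added example, not code from the original article; the IoT segment, the application-service port list, the device names and the flow records are all constructed.

```python
from collections import defaultdict
import ipaddress

# Assumed: the IoT segment and the application-service ports that sensors and
# cameras on it should never open connections to (constructed values).
IOT_SEGMENT = ipaddress.ip_network("192.168.10.0/24")
APP_SERVICE_PORTS = {80, 443, 8080, 8443}
QUARANTINE_AFTER = 3   # new app-service connection attempts before isolating a device

def learn_baseline(flows):
    """Record, per device, every (destination, port) pair seen during a period the
    operator trusts as normal. flows: iterable of (device, dst_ip, dst_port)."""
    baseline = defaultdict(set)
    for dev, dst, port in flows:
        baseline[dev].add((dst, port))
    return baseline

def deviation(dev, dst, port, baseline):
    """Return None for expected traffic, otherwise a short reason string."""
    if ipaddress.ip_address(dst) in (IOT_SEGMENT.broadcast_address,
                                     ipaddress.ip_address("255.255.255.255")):
        return "broadcast"
    if (dst, port) in baseline.get(dev, set()):
        return None
    return "app-service" if port in APP_SERVICE_PORTS else "new-destination"

def evaluate(flows, baseline):
    """Map each deviating device to an action: 'quarantine' for broadcasting or for
    repeated connection attempts to application services, otherwise 'alert'."""
    reasons = defaultdict(list)
    for dev, dst, port in flows:
        r = deviation(dev, dst, port, baseline)
        if r:
            reasons[dev].append(r)
    actions = {}
    for dev, rs in reasons.items():
        if "broadcast" in rs or rs.count("app-service") >= QUARANTINE_AFTER:
            actions[dev] = "quarantine"
        else:
            actions[dev] = "alert"
    return actions

# Constructed flows: a learning period, then live traffic in which cam-01 starts
# broadcasting and repeatedly connecting to a web service, while cam-02 makes one new connection.
LEARN = [("cam-01", "192.168.10.2", 123), ("cam-01", "203.0.113.10", 8883),
         ("cam-02", "192.168.10.2", 123), ("cam-02", "203.0.113.10", 8883)]
LIVE = [("cam-01", "192.168.10.255", 137), ("cam-02", "192.168.10.2", 123),
        ("cam-02", "203.0.113.60", 443)] + [("cam-01", "203.0.113.50", 443)] * 3

if __name__ == "__main__":
    print(evaluate(LIVE, learn_baseline(LEARN)))  # {'cam-01': 'quarantine', 'cam-02': 'alert'}
```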
Developing your DDoS strategy
Businesses today need a DDoS prevention strategy that accounts for these attack vectors and provides protection in places where there is little to no human interaction. At minimum, this includes automated detection and threat routing. As DDoS attacks continue to grow, manual intervention is no longer an option.
With the opportunity and capacity now being offered by the transition to cloud and upcoming 5G networks, there will also be even more chances for cybercriminals to launch massive-scale DDoS attacks on online services. Whatever the target and whatever the intended result, all traffic involved in an attempted DDoS attack must traverse the network and gain entry through network devices. The network needs to be better protected against these volumetric attacks, and the best place to start is by leveraging intelligence in the network itself.