Last Week in DDoS...

Summary

DDoS attacks aren’t something to be taken lightly... 

We at Netscout Arbor have seen our share of excitement over our more than two decades of researching, observing, and mitigating DDoS attacks across the global Internet. We’ve been engaged to protect highly visible sporting events and key elections; we’ve participated in tracking down botnet operators; and as Andy Greenberg shared in his excellent book “Sandworm", we’ve reported on malware later used in prominent campaigns attributed to nation-state actors. In March of 2018, we reported the then-largest recorded DDoS attack – 1.7tb/sec, directed at a network operator, exploiting misconfigured and abusable memcached servers. And earlier this year, we published an exhaustive analysis of the various reflection-amplification vectors we’ve observed in use across the landscape, including details on potency and prevalence. In the past few months, we predicted a surge in attack as we entered the Covid era and then have backed that up with reporting on global attack trends. 

DDoS Attack Activity Review

Last week, we reported on attack trends specifically impacting the UK. Bottom line – attacks have grown. 

And then last week gave us a plethora of events, both real and imagined, as relates to DDoS. We welcome the attention to the subject, given how we know that effectively countering and managing DDoS is key to the health of the global Internet. And the landscape is especially active right now. Consider these facts: 

• So far in 2020, we’ve observed ~4.6m DDoS attacks. By way of comparison, we observed ~8.4m attacks in all of 2019; if the increased cadence of attacks seen during the onset of the Covid-19 pandemic continues, we anticipate a statistically-significant increase in DDoS attacks for 2020 as a whole. 
• The single largest attack we’ve observed so far this year is 1.12tb/sec in size. We announced the onset of the Terabit Era in 2018 with the rise to prominence  of memcached reflection/amplification attacks.  While attacks of that scale are not a daily occurrence, they’re no longer considered to be rare or unusual, as reported by multiple network operators and mitigation providers.  
• CLDAP reflection/amplification has become an increasingly popular DDoS vector. We’ve seen it used in a number of ways, including as a vector in Carpet Bombing attacks. This year alone, it has been a factor in at least 360k attacks, most of which appear to be related to online gaming; we’re unsurprised to see it cited as a major component of the largest DDoS attacks publicly reported, to date.   

CLDAP stands for Connectionless Lightweight Directory Access Protocol; it is a Microsoft-specific derivation of standards-based LDAP, and is intended to serve as a mechanism to query Active Directory on Microsoft Windows Servers.  Unfortunately, there are ~330K misconfigured Windows servers which are exposed directly on the public Internet, and which can be abused by attackers who spoof the IP addresses of their intended targets to send streams of CLDAP queries to the exposed servers and cause them to send multiple unsolicited ‘replies’ to the target hosts/networks.   

While we have seen significant industry-driven cleanup efforts make a significant dent in the population of other types of reflectors/amplifiers such as abusable ntp and memcached servers, a similar effort is needed to reduce the number of CLDAP servers which are available for abuse by attackers.  As the groups which deploy and administer these Windows-based servers are often distinct from the networking and security teams within their respective organizations, cross-functional teamwork is necessary in order to overcome departmental siloing.  This phenomenon may at least partially account for the slower pace of CLDAP reflector/amplifier cleanup, and it is imperative that all relevant groups are engaged in reducing the resources available to attackers. 

As for recent rumors purporting to link apparently non-existent attacks to actual, yet completely unrelated temporary network outages, we’re still somewhat baffled by this transient spate of unsupported and overhyped assertions. Indeed, we see it as our responsibility to make our data and analysis publicly available in many forms – blog posts, threat reports, visualizations, live maps and specific reports via the NETSCOUT Cyber Threat Horizon portal, presentations at industry conferences, as well as supplying data to partners. Given the extremely active DDoS landscape, in which we frequently observe more than 30,000 attacks within a single 24-hour period, we receive a constant stream of requests to make our information and analysis available in various forms, and we’re happy to oblige. Taken as a whole, this adds up to what we believe to be the single most comprehensive body of work directly related to DDoS attacks which is available in the public domain.   

Empowerment through education is the cornerstone of our commitment to the Internet operational community, and we remain focused on providing factual, reality-based assessment and analysis of the DDoS threat landscape to the community at large.  While we’re often approached for comment in the wake of reported attacks and asked to speculate as to the provenance of various service and network outages, it remains our policy to comment on purported DDoS attacks only after public acknowledgement of said attacks, and then only in those cases where we are in a position to add useful and educational context.  

Conclusion

By all indications, the events of last week have brought the importance of DDoS defense into focus for many individuals and organizations; we have been inundated with requests for information about the true scope, nature, and impact of DDoS attacks, and sign-ups for the NETSCOUT Cyber Threat Horizon portal have reached an all-time high.  The more information made publicly available on both the threat of DDoS attacks as well as strategies for successful DDoS defense, the better. 

We take DDoS attacks very seriously — and so should you.