DDoS Attacks, and Attackers, Continue to Evolve

Worldwide Infrastructure Security Report (WISR) finds attacks on firewalls and IPS devices almost doubled in 2018

Worldwide Infrastructure Security Report (WISR)

Evident in NETSCOUT’s 14th  Worldwide Infrastructure Security Report (WISR) findings is the ongoing game of whack-a-mole between defenders and attackers. Wait. Actually, almost every year’s findings show evidence of how the more things change, the more they stay the same.

Once a new exploit is identified, it never goes away. It gets used and abused in cycles in which activity spikes and then recedes, often for years, until it comes back to life again. There’s no better example than memcached servers and their potential for abuse.

The Rise of Memcached Attacks

In 2010, a presentation at the BlackHat USA Digital Self Defense conference indicated that there were many insecure memcached deployments internet-wide that could be abused and exploited. Not much happened—that is, until early 2018, when NETSCOUT’s Threat Intelligence Team warned that it “observed a significant increase in the abuse of misconfigured memcached servers residing on Internet Data Center (IDC) networks as reflectors/amplifiers to launch high-volume UDP reflection/amplification attacks.”

Weeks later, in February 2018, there was the first-ever terabit-size DDoS attack. This was followed days later by an attack nearly twice that big, measuring 1.7 Tbps.

While exploits are identified, abused, and abandoned, attackers continue looking for the easiest path to success. They’re searching for the weakest link, and the WISR has shown over the last 14 years how the game is played between attackers and defenders. As one area of defense is built up, attackers move on to something else. If an important new service is launched, they test its resilience. That’s how it goes. That’s how it will always go.

The Constant Evolution of DDoS Attacks:

  • The 2007 WISR reflected significant concern over DDoS flooding of links and hosts. As a result, ISPs made investments in their mitigation capabilities to stop these attacks. By the 2008 WISR, ISP concern over DDoS flooding of links and hosts had fallen in the rankings from 24% to 11%. Attackers then began targeting applications.
  • In 2009, network operators focused their defenses against lower-bandwidth and application-layer DDoS attacks. This led to a change in tactics and a return to volumetric attacks in 2010. “Based upon our experiences working with operators over the last year, we believe this large increase in attack-traffic bandwidth may be partially due to operators focusing their defenses against lower-bandwidth and application-layer DDoS attacks. Attackers may have had to ‘up the ante’ to overwhelm the defenses and bandwidth capacity of defenders,” said report authors.
  • By 2012, network operators had invested both in on-premises protection against low-bandwidth application-layer attacks and in cloud-based defenses for high-volume attacks. So, what did attackers do? They changed tactics again, unleashing complex, multivector offenses that included high-volume, application-layer, and stateful-infrastructure assaults all in a single sustained attack. 

“This year's results confirm that application-layer and multivector attacks are continuing to evolve while volumetric attacks are starting to plateau in terms of size,” read the 8th annual WISR. “While 86% reported application-layer attacks targeting web services, most concerning is that multivector attacks are up markedly. Attackers have now turned to sophisticated, long-lived, multivector attacks—combinations of attack vectors designed to cut through the defenses an organization has in place—to achieve their goals.”

This year’s WISR found attackers had once again shifted their focus to stateful infrastructure attacks targeting firewalls and IPS devices. These attacks almost doubled, from 16% in 2017 to 31% in 2018. One reason firewalls and ISP devices are targeted? The likelihood of success is fairly high. Of those who experienced stateful attacks in 2018, 43% reported that their firewall and/or IPS contributed to an outage during the attack.

Another interesting finding was that SaaS, cloud, and data center services were all increasingly targeted by attackers. Adversaries often target new services because they are viewed as less mature, more vulnerable targets. 

SaaS, Cloud, and Data Center DDoS Attack Trends

  • SaaS services: 2018 data showed a threefold year-over-year increase in the number of DDoS attacks against SaaS services, from 13% to 41%
  • Third-party data center and cloud services: The number of DDoS attacks against third-party data centers and cloud services also showed a threefold increase in 2018, from 11% to 34%
  • Service providers: Cloud-based services were increasingly targeted by DDoS attacks, up from 25% in 2016 to 47% in 2018

Looking ahead to next year, we know that the innovation will continue. Just since the close of the WISR survey period, NETSCOUT’s Threat Intelligence Team has disclosed the following:

  • Mirai DDoS attacks have moved from IoT to Linux: Threat actors are learning from their experience with IoT malware to focuse on commodity Linux servers. For instance, the Hadoop YARN vulnerability was initially used to deliver DemonBot, a DDoS malware, to IoT devices. Soon after, threat actors used the vulnerability to install Mirai on Linux servers, blurring the line between IoT and server malware.
  • Mobile phones increasingly used in DDoS attacks: “Attackers have recently begun launching CoAP reflection/amplification DDoS attacks, a protocol primarily used today by mobile phones in China, but expected to grow with the explosion of Internet of Things (IoT) devices. As with any reflection/amplification attack, attackers begin by scanning for abusable addresses, then launch a flood of packets spoofed with the source address of their target,” the team warned in January this year.  

DDoS attacks are constantly evolving, and attackers are always looking for new targets and adopting new techniques. This is why NETSCOUT has been advocating over the better part of the past decade for a multilayered defensive approach that incorporates on-premises protection for your stateful infrastructure and applications, with cloud-based protection from high-volume attacks.