02

DDoS Global Attack Trends

Threat actor innovation tends to be methodical, as adversaries wring a full measure of value from every opportunity before changing tactics or targets. However, the unprecedented opportunities triggered by the COVID-19 pandemic have presented adversaries with an embarrassment of potential riches, so a much longer cycle of innovation seems likely.

Case in point: Bad actors launched approximately 5.4 million DDoS attacks in 1H 2021—yet another record-breaking number. In particular, attackers launched unprecedented numbers of DDoS attacks in the first quarter, boosting attack frequency by 20 percent over the same time period in 2020. Meanwhile, adversaries discovered or weaponized seven UDP reflection/amplification DDoS attack vectors and developed adaptive multivector attacks specifically tailored to exploit vulnerabilities of their targets. Vital components of the connectivity supply chain came under increased attack, while ransomware gangs added triple-extortion DDoS tactics to their repertoire and the Fancy Lazarus DDoS extortion campaign kicked into high gear.

Even innovation isn’t always a good thing.

Global Stats

Number of Attacks
  • Approximately 5.4 million (11% increase in 1H 2021 compared with 1H 2020)

Average Attack Duration
  • 50 minutes (31% increase)

Largest Attack
  • 1.5 Tbps (169% increase in 1H 2021 compared with 1H 2020)
  • Date: June 18
  • Target: German ISP
  • Vectors Used: DNS reflection/amplification

Fastest Attack
  • 16.17% increase in peak Mpps in 1H 2021 compared with 1H 2020
  • Date: March 22
  • Target: Brazilian wireline broadband internet user (likely related to online gaming)
  • Vectors Used: DNS reflection/amplification, TCP ACK flood, TCP RST flood, and TCP SYN/ACK reflection/amplification

After an astonishingly busy first quarter of DDoS attack activity, things calmed down slightly in the second quarter of 2021. Unfortunately, “calmed down” is a relative term. Think of a toddler throwing a full-blown temper tantrum versus one whining constantly and loudly. One is certainly calmer, but neither scenario could be called great. Although attack frequency has dropped, we are still well above the numbers that were considered normal prior to the onset of the COVID-19 pandemic.

The Normalization of Terabit-Class Attacks

In the first half of 2021, we witnessed at least four terabit-class attacks.

The 1.5 Tbps attack in Germany was the largest attack in terms of bandwidth we observed in 1H 2021.

Despite the fact that the DDoS attack vectors leveraged in these attacks are all commonplace in the modern threat landscape, it’s important to remember that quantity has a quality all its own. The good news is that organizations with up-to-date DDoS defense plans, including sufficient organic mitigation capacity and/or partnerships with skilled commercial DDoS mitigation service providers, can maintain availability even in the face of these outsized attacks.

Triple Extortion

A little bit of ransomware, a little bit of DDoS extortion, and a whole lot of trouble.

From adding new weapons to their ransomware-as-a-service (RaaS) portfolio to offering payment portals and support centers for victims, ransomware gangs are laser-focused on parting unsecured organizations from their money.

Here’s how it works


Data Encryption

This is the bedrock ransomware ploy: Cybercriminals breach a network and encrypt valuable data, blocking it (and sometimes the entire system) from the victim organization. The attackers then demand payment in return for a decryption key.


Data Theft

With the double-extortion play, cybercriminals quietly remove data before locking the victim out and then threaten to publicly expose and/or sell the stolen data unless paid. This makes it harder for victims to ignore ransomware threats, because even those who can restore data via backups remain at risk of data exposure.

Ransomware gangs known to use double extortion:

  • Maze
  • Sodinokibi
  • DoppelPaymer
  • Nemty
  • Nefilim
  • CLOP
  • Sekhmet

DDoS Attacks

To pull off triple extortion attacks, RaaS operators add DDoS attacks (commonly used as a stand-alone extortion method) to their list of services, to be launched after steps one and two. This further ratchets up the pressure on the victim in a couple of ways: First, it emphasizes the seriousness of the adversary. Second, maintaining availability adds yet another stressor to a security team already dealing with the first two events.

Ransomware families known to use triple extortion:

  • SunCrypt
  • Ragnar Locker
  • Avaddon
  • Darkside

Ransomware is big business.

  • One ransomware group's collection in ransom payments in 1H 2021 (according to Coveware)

  • Big profits = more money to pay for more expensive attack tools, such as single zero-day vulnerabilities

Ransomware is a global crisis.

  • Attacks affect not only companies but also governments, schools, and public infrastructure.

  • Global coalition Ransomware Task Force (RTF) has called ransomware “a serious national security threat and public health and safety concern.”

  • Heads of state are getting involved, with U.S. President Biden pressuring Russia’s President Putin to shut down ransomware groups.

Fighting back is a global effort.

Despite these recent global efforts, we still face a massive uphill climb to make even a small dent in ransomware activity.

DDoS Extortion

DDoS extortion attacks continue to threaten organizations of all sizes and across multiple industries. As the Lazarus Bear Armada DDoS extortion campaign demonstrated, these adversaries are both persistent and adaptive, deploying new attack methodologies against an ever-expanding target set.

While the LBA DDoS extortion campaign continues to target a range of organizations, a new DDoS extortion campaign has been launched by a threat actor known as Fancy Lazarus. Despite the—dare we say it?—fanciful similarities between the noms de criminel of these threat actors, there are some key differentiators.

Key Differences

  • Based on NETSCOUT’s observations, the Fancy Lazarus campaign primarily targets ISPs (although some organizations have recently reported expanded targeting)—and more specifically, the authoritative DNS servers operated by those ISPs—whereas LBA targets a wide range of industries and service delivery elements.

  • Unlike with the LBA campaign, NETSCOUT has not observed Fancy Lazarus conduct detailed pre-attack reconnaissance or adapt attack methodologies to the specifics of the targeted organizations.

  • Attack vectors used by Fancy Lazarus center around DNS reflection/amplification, DNS “water torture” attacks, and TCP reflection/amplification. LBA typically leads with DNS reflection/amplification combined with at least one other reflection/amplification vector and will often use multiple additional vectors when persistently attacking a given target.

As these high-profile DDoS extortion campaigns continue and new ones emerge, successfully mitigating DDoS extortion attacks has become a high priority for enterprises and service providers alike. The most recent NETSCOUT Worldwide Infrastructure Security Report (WISR) reported a 125 percent increase in DDoS extortion attacks, while survey respondents listed such attacks as a primary concern, second only to ransomware.

We spoke with Carlos Morales, chief technology officer of security solutions at NETSCOUT partner Neustar, about attack trends observed by Neustar security operations center (SOC) DDoS mitigation specialists.

SOC Stats

  • More than 35 customers reported receiving a DDoS extortion demand, coupled with a DDoS attack, primarily from either the LBA or Fancy Lazarus attack campaigns. Although this number may seem low at first glance, the SOC suspects that the likely prevalence of DDoS extortion attempts was significantly higher. However, not every targeted organization is willing to disclose that it’s been on the receiving end of such attacks.

  • More than 50 percent of targeted organizations were in the financial industry, which aligns with a primary target base of the LBA campaign.

  • Throughout 2021, Neustar has performed emergency onboarding of one or more new DDoS mitigation service customers each month due to the increased prevalence of DDoS extortion attacks.

  • A growing number of organizations indicate that Fancy Lazarus is on the warpath, targeting growing numbers of network operators. This tallies with observed increases in DDoS attacks directed toward authoritative DNS servers, one of the hallmarks of the Fancy Lazarus DDoS extortion campaign.

Connectivity Supply Chain

Although we generally think of threat actors targeting specific entities—enterprises, service providers, public sector organizations—that’s not the entirety of the bad-guy sphere of interest. Cybercriminals increasingly are attacking the components that make the internet tick. Unlike internet-based services such as cloud hosting or software as a service, these components are what allow such services to function over the internet at all. Think of it as a supply chain for connectivity.

We analyzed three key areas of what we’d classify as the connectivity supply chain and identified attacks against them.

The most important aspect of attacks on these areas is the collateral damage inflicted. Even if the attack does not take the component fully offline, these services represent hundreds of thousands, if not millions, of consumers, and are the gateways to everything we do online. Take one down, and you impact a huge array of people, organizations, and service providers.

Thankfully, these services are usually heavily defended, and attacks often bounce off the protection in place. We see this with the Fancy Lazarus campaign when it targets authoritative DNS servers used by ISPs. But despite the current success in defending these services, it’s important to note that attackers often attempt to take down targets that could cause extensive collateral damage. This underscores the importance of constant vigilance, because it takes only one attacker innovation to change the game.

Vertical Industries

The top 10 vertical industries under attack in the first half of 2021 clearly illustrate the long pandemic tail of attack targets and methods.

Sectors such as broadband and wireless communications companies will always remain atop the target list, with attackers taking aim at both subscribers and the operational infrastructure of the companies themselves. In particular, attacks on online gaming—a hugely popular target—impact broadband, wireless, and cable internet companies (see Industry Spotlight: Online Gaming). These sectors also serve as ancillary targets, with threat actors increasingly attacking upstream and downstream connectivity providers to take down their real objective: a subscriber. Meanwhile, the threat actors behind the Fancy Lazarus DDoS extortion campaign have focused almost exclusively on ISPs. We also note the continued popularity of the online services that businesses and consumers relied on to survive the pandemic. The sectors that contain cloud providers, Netflix, Zoom, and online shopping all experienced significant attention from cybercriminals.


Industry Spotlight

Online Gaming

Online gaming has always been rife with related DDoS attack activity, but the explosive growth of gaming during the pandemic added even more fuel to the fire. After all, DDoS-for-hire services are both easy to find and ridiculously cheap. And although online gaming platforms do receive a portion of the attacks, the brunt is aimed directly at gamers—and, by extension, their broadband access providers.

VPNs Under Attack

Online game streamers know they have arrived when companies ask them to advertise their VPNs. But these days, VPNs themselves are targets. By focusing on a VPN node that may be in use by hundreds, if not thousands, of users worldwide, adversaries can inflict much higher collateral damage. Even worse, threat actors can mine those nodes for individual IP addresses. Because commercial VPNs make the list of VPN exit nodes public, it doesn’t take much work for adversaries to find a slew of potential targets.

A New Era: Persistent Personal DDoS Attacks

Online gaming has always been a significant target for DDoS attacks: Common gaming industry practices such as peer-to-peer gaming session management and player-to-player voice chat give even moderately skilled miscreants the means to discover the IP addresses of their fellow players and target them with DDoS attacks. Unfortunately, those DDoS attacks often end up affecting large swathes of the ISP’s adjacent customer base along with the target. For large broadband operators, the collateral damage can involve internet outages that affect thousands of users.

Now, however, DDoS-for-hire companies have taken it a step further. Security researchers and gamers on online gaming forums make note of easy-to-use solutions that allow pinpoint attacks by mapping gamer tags—players’ online user names—to IP addresses. That gives malicious gamers enough data to launch DDoS attacks that knock their unsuspecting prey out of gaming sessions, disrupt their internet connectivity, and often cause collateral impact to uninvolved customers of the associated ISP.

Some of these tools are linked into associated online databases that store gamer tags along with the associated IP address(es). Malicious gamers use these information repositories to mercilessly persecute targeted gamers, in many cases not only preventing them from playing online but also disrupting their household internet access for extended periods of time.

Even worse, shady organizations now play both sides of the fence. These same services also sell purported delisting services to gamers whose gamer tags and IP addresses have been made public. Needless to say, these services provide no guarantee of success. And it takes little time for another malicious actor to flag that same gamer and relist the information with that same gamer tag database.

Those organizations also offer paid VPN services that they claim will shield gamers from DDoS attacks by hiding IP addresses. In reality, attackers can apply the same tools used to find ISP-supplied IP addresses to the task of finding the VPN-supplied IP address, which means that the VPN services offer no protection from further targeted DDoS attacks.

With these quasilegal services simultaneously empowering malicious actors while exploiting desperate targeted gamers, it’s apparent that we’ve entered the era of the persistent personal DDoS attack. Now more than ever, it’s important for broadband access ISPs to tap into top security services and edge-to-edge DDoS defense solutions to protect their users and their networks from the scourge of individualized DDoS-fueled persecution (see How Can You Protect Yourself?).

Inevitably, these attacks affect more than gamers. Targeting local networks and VPNs will almost always inflict collateral damage on innocent bystanders, making these attacks a concern for every single person on the internet.


Industry Spotlight

Commercial Banks and Payment Card Processors

DDoS attack activity in the payment card processing sector provides a useful barometer for shifting trends in adversary tactics. As threat actors adopt more complex attack techniques, we see a shift in how attack vectors are being used.

A Little Background

  • There were 19 percent more TCP-based flood attacks than reflection/amplification attacks in 1H 2021.

  • After two years atop the attack vector list, DNS reflection/amplification ceded first place to TCP ACK flood attacks. 

Which brings us back to the financial sector, a vertical that experienced significant increases in TCP ACK flood attacks. Many of these attacks targeted prominent payment card processing services. Attackers launched specifically chosen attack types designed to overwhelm multiple layers of both cloud-based and on-premises DDoS defenses. The result? Outages and downtime for the institutional customers of these services—and, by extension, their end customers. (It should be noted that TCP ACK floods against game developers also spiked, because many popular game developer SDKs use TCP-based connections.)

Layers of DDoS Attacks

In one instance, we witnessed adversaries using well-known reflection/amplification vectors to overcome one layer of protection, followed by TCP ACK flood attacks that overwhelmed secondary defenses. In another incident, we saw this exact scenario repeated, only in reverse. Clearly, attackers are doing their homework to thoroughly understand their target’s DDoS mitigation defenses before attacking. These attacks illustrate the adaptive nature of skilled adversaries: By adjusting to changes in security postures while monitoring the efficacy of their attacks, threat actors can adapt to successful defensive efforts by changing attack vectors and targets on the fly.


At more than 7,000 attacks in 1H 2021, the activity against commercial banks and payment card processing services may seem small compared with overall numbers. However, several of these attacks were successful and negatively impacted both the targeted organizations and downstream consumers attempting to use credit cards.

Given the fact that credit card processors can service as many as 5,000 transactions per second, even a few minutes of downtime can result in millions of dollars in lost revenues, not to mention negative brand impact and broad-based customer churn.

DDoS Attack Vectors

Each vector below is listed with the symbol used in the original chart and, for reflection/amplification vectors, its amplification factor; flood vectors have no factor. The interactive chart also color-codes each vector by attack count in 1H 2021 (0 to 50,000; 50,001 to 500,000; 500,001+ attacks) and by risk level based on the number of abusable devices available (Risk 1: 1 to 500,000; Risk 2: 500,001 to 2,000,000; Risk 3: 2,000,001 to 4,000,000; Risk 4: 4,000,001 to 6,000,000; Risk 5: 6,000,000+). Those per-vector attack counts and risk levels are not reproduced here.

  • Ar ARMS: 35.5:1
  • Bc BACnet: 120:1
  • Bt BitTorrent: 3.8:1
  • Ch Chargen: 1,000:1
  • Ci Citrix-ICA: 5.7:1
  • Cd CLDAP: 56.89:1
  • Cp COAP: 34:1
  • Di DHCPDiscover: 24:1
  • Dt D/TLS: 37.34:1
  • Ds DNS (flood)
  • Dn DNS Amp: 160:1
  • Ht HTML5 (flood)
  • Im ICMP Flood
  • In IP NULL (flood)
  • Ip IPMI: 1.1:1
  • Iv IPv4 Protocol 0 (flood)
  • Ik ISAKMP/IKE: 1:1
  • Jk Jenkins: 5.6:1
  • Lt L2TP: 13.5:1
  • Md mDNS: 4.35:1
  • Mc Memcached: 51,200:1
  • Mq MSSQLRS: 25:1
  • Nb NetBIOS: 3:1
  • Np NTP: 556.9:1
  • Ov OpenVPN: 33.9:1
  • Pm PMSSDP: 4.68:1
  • Qd QOTD: 140.3:1
  • Qk Quake: 63.9:1
  • Rc rpcbind: 29:1
  • Rd RDP-over-UDP: 85.9:1
  • Ri RIPv1: 134.24:1
  • Se Sentinel: 30.7:1
  • Sp SIP: 10:1
  • Sn SNMP: 880:1
  • Ss SSDP: 30.8:1
  • St STUN: 3.32:1
  • Ta TCP ACK (flood)
  • Tn TCP NULL (flood)
  • Tr TCP RST (flood)
  • Ts TCP SYN (flood)
  • Tk TCP SYN/ACK: 3:1
  • Tf TFTP: 46.5:1
  • Ub Ubiquiti: 4:1
  • Un Unreal: 2,464:1
  • Ve VSE: 14:1
  • Wd WS-DD: 500:1

Abusable open-source and commercial applications and services utilizing UDP and TCP remain valuable assets for attackers. We saw a sharp uptick in new reflection/amplification DDoS attack vectors that adversaries used to power a new wave of attacks. Here’s a rundown of the latest attack vectors and methodologies.

TsuNAME Zone Cyclic Dependency-Induced Recursive DNS Query Cascade

TsuNAME is a sabotage-based DDoS attack methodology that targets authoritative DNS servers. This rather complex attack scenario involves the deliberate misconfiguration of NS records in multiple DNS domains registered by the attackers with a targeted authoritative DNS hosting service, such that the NS records for each domain pathologically refer to one another in what is termed a “zone cyclic dependency.” The attackers would also be required to identify and leverage significant numbers of abusable open DNS recursive servers and/or DNS forwarders incapable of detecting and caching responses for cyclical zone dependencies.
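The zone cyclic dependency at the heart of TsuNAME, as an added example (not NETSCOUT's code): a check that walks NS delegations in a constructed in-memory map and reports the loop, plus a comparison of a resolver with no loop detection against one that remembers visited zones, the caching behaviour the text says abused resolvers lack. All zone names, nameserver names and addresses below are constructed.

```python
"""Added example (not NETSCOUT's code): detecting the DNS zone cyclic
dependency that TsuNAME abuses, and comparing a resolver that never
notices the loop with one that does. Delegation data is a constructed
in-memory map rather than live DNS; names use the reserved .test TLD."""

from typing import Callable, Dict, List, Optional

# Constructed sample delegations: each zone name maps to its NS records.
# example-a.test and example-b.test each point at a nameserver that lives
# inside the other zone, so neither can be resolved without the other.
DELEGATIONS: Dict[str, List[str]] = {
    "example-a.test.": ["ns1.example-b.test."],
    "example-b.test.": ["ns1.example-a.test."],
    "healthy.test.": ["ns1.healthy.test."],
}

# Glue: nameserver names whose addresses are already known (RFC 5737 range).
GLUE: Dict[str, str] = {"ns1.healthy.test.": "192.0.2.10"}


def parent_zone(name: str) -> str:
    """Drop the leftmost label: 'ns1.example-b.test.' -> 'example-b.test.'."""
    return name.split(".", 1)[1]


def find_cycle(zone: str, delegations: Dict[str, List[str]],
               glue: Dict[str, str], path: Optional[List[str]] = None
               ) -> Optional[List[str]]:
    """Follow NS delegations from `zone`; return the loop as a list of zone
    names (first zone repeated at the end) if one exists, else None."""
    path = list(path or [])
    if zone in path:
        return path[path.index(zone):] + [zone]
    path.append(zone)
    for ns in delegations.get(zone, []):
        if ns in glue:
            continue  # address known; this nameserver needs no further lookup
        owner = parent_zone(ns)
        if owner not in delegations:
            continue  # delegated outside our data set; treat as resolvable
        found = find_cycle(owner, delegations, glue, path)
        if found:
            return found
    return None


def _walk(zone: str, delegations: Dict[str, List[str]], glue: Dict[str, str],
          stop: Callable[[str, List[str], int], bool]) -> int:
    """Shared resolver loop: count queries sent until the name resolves,
    the chain runs out, or the caller's stop() condition fires."""
    queries, current, seen = 0, zone, []
    while not stop(current, seen, queries):
        seen.append(current)
        queries += 1
        ns_list = delegations.get(current, [])
        if not ns_list or ns_list[0] in glue:
            break  # nothing to chase, or the address is already in hand
        current = parent_zone(ns_list[0])
    return queries


def naive_resolver_queries(zone: str, max_queries: int = 20) -> int:
    """Resolver with no loop detection: only a hard query cap stops it.
    Against a cyclic delegation it burns the whole budget every time."""
    return _walk(zone, DELEGATIONS, GLUE,
                 lambda cur, seen, q: q >= max_queries)


def cycle_aware_resolver_queries(zone: str) -> int:
    """Resolver that remembers zones already visited and stops on the
    first repeat, so the cycle costs two queries instead of a cascade."""
    return _walk(zone, DELEGATIONS, GLUE,
                 lambda cur, seen, q: cur in seen)
```

Across many resolvers and many attacker-registered domains, the difference between the two query counts is the amplification that lands on the targeted authoritative servers.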

Session Traversal Utilities for NAT (STUN) Reflection/Amplification

Amplification factor: 3.32:1 (new vector)

STUN is a protocol used to effectuate mappings between “inside” and “outside” IP addresses and protocol ports for hosts situated behind NAT installations. It is utilized by various services such as Session Initiation Protocol (SIP), Interactive Connectivity Establishment (ICE), and Traversal Using Relays around NAT (TURN). STUN may be configured to operate over both TCP and UDP transports.

DHCPDiscover Reflection/Amplification

Amplification factor: 24:1 (new vector)

DHCPDiscover, a UDP-based JSON protocol used to manage networked digital video recorders (DVRs), can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication for the service. Unfortunately, many of these DVR variants by default do not include such authentication.

Top DDoS Vectors by Attack Count

After two years heading the attack vector list, DNS reflection/amplification ceded first place to TCP ACK flood attacks. Although new reflection/amplification attack vectors are frequently discovered and used, we observed 19 percent more TCP-based flooding attacks than reflection/amplification attacks in 1H 2021. That said, there is a lot of overlap as adversaries mix and match vectors to launch complex multivector attacks.

  • 3,848,855 reflection/amplification attacks in 1H 2021

  • 4,569,151 non-reflection/amplification attacks in 1H 2021

  • Difference: 19%

Reflector/Amplifier Vector Distribution and Density

Adversaries continually find ways to adapt and add new tools to their repertoire. One method is to abuse legitimate devices and protocols on the internet to reflect and amplify traffic. These operators find vulnerable devices by scanning the entire internet with probe packets to elicit an amplified response and then storing that IP address into a database they will use for attacks. To combat this ever-increasing abuse, NETSCOUT conducts internet-wide scans to identify the same devices. However, we take it a step further and correlate any matches to actual DDoS attacks in the wild. This list of IP addresses of recently observed attacks (ROAs) helps our customers shut down reflection/amplification attacks and protect themselves from a vast array of abused devices.

As part of this project, we assess the origin of these reflectors/amplifiers and use the density of these clusters to score various parts of the internet. For 1H 2021, we evaluated all of the unique devices vulnerable to abuse to illustrate key density zones. We then plotted the ROAs over time to show just how adversaries abuse these devices. Many of these devices belong to oblivious consumers—for example, woefully vulnerable Internet of Things (IoT) devices on home networks, such as routers, digital video recorders, and closed-circuit TV cameras.
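The reflector-hunting described above, as an added example (not NETSCOUT's code or its ROA feed): a small detector that reads inbound flow records, matches UDP source ports to reflection/amplification vectors from the table in this section, and flags the sources whose replies are far larger than any legitimate response to a query the protected network never sent. The flow lines, addresses and the key=value record format are constructed for the example.

```python
"""Added example (not NETSCOUT's code): picking reflectors out of inbound
flow records by matching well-known UDP service ports to the
reflection/amplification vectors listed on this page and checking the
bytes-per-packet of what they sent us. Flow lines and addresses below are
constructed (RFC 5737 documentation ranges)."""

import re
from collections import defaultdict
from typing import Dict, List

# Standard service ports for a subset of the vectors in the table above.
REFLECTION_PORTS: Dict[int, str] = {
    17: "QOTD", 19: "Chargen", 53: "DNS Amp", 69: "TFTP", 123: "NTP",
    137: "NetBIOS", 161: "SNMP", 389: "CLDAP", 520: "RIPv1",
    1900: "SSDP", 3478: "STUN", 5353: "mDNS", 11211: "Memcached",
}

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) "
    r"bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+)"
)

# Constructed inbound flows toward a protected prefix (203.0.113.0/24):
# three oversized DNS replies, one memcached burst, one ordinary DNS reply
# and one TCP flow that the UDP-only logic must ignore.
SAMPLE_FLOWS = """\
src=198.51.100.7 sport=53 dst=203.0.113.5 dport=43121 proto=udp bytes=4096 pkts=1
src=198.51.100.8 sport=53 dst=203.0.113.5 dport=43121 proto=udp bytes=4120 pkts=1
src=198.51.100.9 sport=53 dst=203.0.113.5 dport=43121 proto=udp bytes=4088 pkts=1
src=198.51.100.21 sport=11211 dst=203.0.113.5 dport=80 proto=udp bytes=1400000 pkts=1000
src=192.0.2.53 sport=53 dst=203.0.113.6 dport=51234 proto=udp bytes=120 pkts=1
src=192.0.2.80 sport=443 dst=203.0.113.6 dport=51235 proto=tcp bytes=9000 pkts=12
"""


def parse_flows(text: str) -> List[dict]:
    """Parse key=value flow lines; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "bytes", "pkts"):
                d[k] = int(d[k])
            flows.append(d)
    return flows


def suspected_reflectors(flows: List[dict],
                         min_bytes_per_pkt: int = 1000) -> Dict[str, List[str]]:
    """Group source IPs by vector when they send UDP from a reflection
    service port with large average packets. A single 120-byte DNS reply
    is normal; a stream of ~4 KB replies or MTU-sized memcached packets is
    the amplified side of a reflection attack. Production tooling would
    also confirm that no matching outbound request was ever sent."""
    hits: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTION_PORTS:
            continue
        if f["bytes"] / max(f["pkts"], 1) >= min_bytes_per_pkt:
            hits[REFLECTION_PORTS[f["sport"]]].add(f["src"])
    return {vec: sorted(srcs) for vec, srcs in sorted(hits.items())}


if __name__ == "__main__":
    for vector, sources in suspected_reflectors(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{vector}: {', '.join(sources)}")
```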

Multivector Attacks and the Whole Kitchen Sink

There’s a case to be made that DDoS attack vectors are the vampires of the threat landscape—they never die. And as adversaries constantly find and monetize new vulnerabilities, the portfolio of available vectors never stops expanding. The always-efficient cybercrime community has made full use of this wealth to craft increasingly complex 15-plus vector attacks. We recently started calling the chart-toppers omnivector attacks, because adversaries are using all or most of the known or available DDoS attack vectors in such attacks. Case in point: the largest multivector attack in 2020 used 26 vectors. In the first half of 2021 alone, black hats have already launched 15 attacks ranging between 27 and 31 vectors. And while 15- to 20-vector attacks show respectable growth, the real expansion hits for attacks between 22 and 26 vectors, which demonstrated growth ranging from 176 percent to 371 percent.

How Can You Protect Yourself?

As with so many other aspects of the human condition, the 80/20 rule—also known as the Pareto Principle after its famous expositor, the economist Vilfredo Pareto—applies not only to economics but also to internet security in general and DDoS defense in particular.

For approximately 80 percent of attacks, organizations that have implemented the relevant industry best current practices (BCPs) will be able to maintain availability in the face of DDoS attacks with little or no ad hoc reaction measures. The remaining 20 percent of attacks will require defenders to optimize defenses based on factors such as attacker behavior and vector selection. Even then, the time and effort expended in preparation enable defenders to react in a situationally appropriate manner, maximizing the resiliency of their online properties and thwarting attackers.

NETSCOUT recommends the following actions to ensure that network operators and enterprises have maximized their ability to defend against DDoS attacks.

  01. Mind your BCPs

  02. Document infrastructure changes

  03. Test, test, test

  04. Custom-tailor countermeasures

By adhering to BCP measures and implementing these recommendations, any organization will be well positioned to successfully defend its online properties against DDoS attacks, whether those attacks fall into the 80 percent or the 20 percent of the Pareto equation.