Global DDoS Attack Trends
The second half of the year brought about the establishment of high-powered botnet armies and a rebalancing of the scales between volumetric and direct-path attacks, creating new standard operating procedures (SOPs) for attackers and adding new tactics, techniques, and procedures (TTPs) to their arsenals.
This was observed as TCP-based flood attacks like TCP SYN, ACK, and RST floods remained stable, while DNS and CLDAP amplification attacks decreased by 32 percent and 64 percent respectively. The decrease in DNS and CLDAP amplification resulted in a return to pre-pandemic attack counts for 2H 2021 at 4,406,713 attacks. This represents a 14 percent decrease from 1H 2021 but a two percent increase from 2H 2019.
Global Stats
- Number of Attacks: 14% decrease from 2H 2020
- Largest Attack: 14% increase from 2H 2020
- Fastest Attack: 107% increase from 2H 2020
Despite the observed decrease in amplification attacks in 2H 2021, the year ended with 9.7 million DDoS attacks in total (an attack every three seconds!), a mere 3 percent decrease from the record number of attacks that took place during the height of the pandemic. This clearly signals that it would be premature to roll the victory drums, given the clear and present dangers lurking in the DDoS threat landscape.
This ebb and flow in DNS amplification attacks is a trend that tracks back to 2018. Similar dips occurred in May 2018, February 2019, September 2019, July 2020, and June 2021. Despite the occasional drop in overall attack numbers, the trend maintained an up-and-to-the-right trajectory at the close of December 2021.
A month-to-month comparison from 2H 2019 to 2021 illustrates how the pandemic impacted DDoS activity, including peaks occurring in January and March 2021. A decrease in attacks against consumers on wireline ISP networks sharply contrasts with a marked increase in attacks against education, computer and software manufacturing entities, and wireless telecommunications providers. This likely is due to multiple factors, including a return to in-person education and the rapid adoption of 5G wireless technology.
DDoS Extortion and The Triple Threat
7-Figure Losses from DDoS Attacks Reported by Publicly Traded Company
Although DDoS extortion (aka RDDoS) isn’t new, high-profile DDoS extortion attack campaigns sometimes emerge. It’s not unusual to have one high-profile DDoS extortion campaign in a year, but it’s fairly rare to see two such campaigns in a year. During 2021, however, a new record was established as three high-profile DDoS attack campaigns took place. This also signals that ransomware gangs are laser-focused on increasing the use of triple-extortion attacks (ransomware + data theft + DDoS).
The prolific Lazarus Bear Armada (LBA) DDoS extortionist threat actor extended its high-impact attack campaign into 2021, targeting multiple verticals worldwide and exhibiting a high degree of pre-attack reconnaissance to maximize attack efficacy.
The Fancy Lazarus DDoS extortionist kicked off a campaign that initially targeted the authoritative DNS servers of wireline broadband access ISPs in the U.K. and Scandinavia by using DNS reflection/amplification attacks, a suboptimal vector when attacking authoritative DNS servers. The campaign was somewhat successful due largely to the unpreparedness of a few network operators; nevertheless, the attacks were mitigated relatively quickly.
The third high-profile DDoS extortion campaign of the year was an aggressive series of attacks masquerading as the REvil ransomware group and targeting SIP/RTP VoIP operators. Retail and wholesale VoIP providers in the U.K. were the initial targets, followed by attacks against VoIP operators in Western Europe and North America. Notably, one VoIP wholesaler filed a form with the U.S. Securities and Exchange Commission (SEC) estimating the total cost of the DDoS attack at between $9 and $12 million. Attackers now appear to view DDoS attacks as criminal endeavors in and of themselves—as opposed to one pillar of triple extortion attacks—meaning more-skilled DDoS extortion campaigns should be expected as sophisticated ransomware groups master this tactic.
Ransomware Gangs
In the 1H 2021 Threat Intelligence report, we noted that several different groups conducting ransomware operations have also moved into DDoS attack territory to place greater pressure on victims to pay demanded ransoms. For this report, Palo Alto’s Unit 42, a Threat Intelligence partner, created a summary of active and recently inactive ransomware gangs that also use DDoS to extort victims into paying the ransom. The following groups are known to use and have been observed using DDoS as part of their operations.
Avaddon
Avaddon ransomware was first seen in February 2020 and by June 2020 had quickly evolved into ransomware as a service (RaaS). In January 2021, the group evolved again to include DDoS attacks in its extortion repertoire.
Despite a successful run, the group inexplicably shut down its operation in June 2021, possibly as a result of political pressure and/or the release of private keys that enabled victims to decrypt files.
REvil
Although currently not operational due to a global takedown, REvil was a prominent user of RaaS. With its highly adaptable encryptors and decryptors, REvil provided infrastructure and services for communicating with victims, as well as a leak site for releasing stolen data if the victim refused to pay the ransom.
In February 2021, REvil announced that it would begin contacting its victims’ business partners and the media to disclose breaches and further extort victims. On March 5, 2021, a REvil spokesperson announced the addition of DDoS attacks, effectively elevating the group’s TTPs to include multi-extortion.
BlackCat
One of the newest ransomware groups, BlackCat (aka ALPHV), was discovered in November 2021. Operating as a RaaS, the group quickly gained notoriety for its sophistication and innovation.
BlackCat solicits for affiliates in known cybercrime forums by promising to leverage ransomware and give 80 to 90 percent of the ransom payment to the affiliate, with the remainder paid to the BlackCat author. The malware itself is written in Russian and coded in Rust, making it one of the first pieces of ransomware to use it. BlackCat not only encrypts and steals victims’ data, but it also then threatens to leak the data via a leak site. Should the victim need additional persuasion to comply with the ransom demand, BlackCat threatens a DDoS attack.
AvosLocker
First seen in summer 2021, AvosLocker is simple but effective ransomware that has utilized triple extortion from the start. AvosLocker operators advertise in underground networks for affiliates with active directory experience, as well as for “access brokers” who potentially could provide access to compromised systems.
Affiliates are incentivized with having AvosLocker take care of the extortion and negotiation parts of the process. AvosLocker then uses affiliates to infect a victim, while handling the remaining ransomware process itself. Like some other ransomware groups, AvosLocker operates a leak site to apply additional pressure on victims to pay the ransom. The group has attacked a diverse set of victims in terms of both region and industry.
Suncrypt
Initially appearing in October 2019, Suncrypt was one of the first ransomware groups to launch DDoS attacks. Along with data encryption and theft, Suncrypt extorts its victims by threatening to attack infrastructure or networks.
Likewise, further pressure is applied by threatening to expose the breach to employees, stakeholders, and the media should ransom negotiations fail. The group maintains a leak site and promises that it won’t expose victim data during the negotiation process. If that process fails, however, Suncrypt leaks victim data and initiates a DDoS attack until negotiations resume.
Botnet Army Adds New Weapons
The commonly held idea of botnets used for launching DDoS attacks is that compromised IoT devices come under the control of attackers via a common command-and-control (C2) infrastructure.
The first DDoS-capable botnets debuted in 2007, and they became commonplace by 2013. Their popularity soared in 2016 after the source code of the Mirai IoT botnet was leaked.
From the late 1990s through 2013, the most common way to build DDoS-capable botnets was by compromising PCs. Indeed, compromised PCs are still subsumed into botnets used to launch DDoS attacks today.
But the first botnets were actually found on servers running UNIX on ARPANET, the predecessor to the modern internet. This held true through the transformation of ARPANET into the internet and for the widespread introduction of consumer internet connectivity in the mid-1990s. With their strong processing capabilities and high-speed internet links, server-class computers also have been employed in bespoke attack harnesses used to initiate various forms of reflection/amplification DDoS attacks since the late 1990s. A specialized server-based botnet was used in the high-profile Operation Ababil DDoS attack campaign waged against American and Western European financial institutions from 2012 to 2014.
Likewise, powerful servers running various flavors of Linux are leveraged today by skilled attackers, who launch innovative, targeted DDoS attacks against high-value targets, as well as by DDoS-for-hire services used to launch high-impact reflection/amplification attacks and spoofed SYN, ACK, RST, and GRE floods. Many broadband access networks that provide home and small and midsize business (SMB) internet connectivity have implemented source-address validation (SAV), which precludes IP spoofing, rendering such attacks impossible from those networks because they require spoofed source IPs.
The common thread through all uses of servers in botnets and attack harnesses is customized code. Unlike mass botnets composed of PCs and IoT devices, generalized DDoS botnet code—including scalable C2 mechanisms—hadn’t really targeted this class of computer, nor was there much emphasis on identifying or exploiting commonplace vulnerabilities in server software in order to leverage them as DDoS bots. Compromised servers were and are commonly used as C2 servers, but not generally as common botnet nodes.
In 2H 2021, DDoS botnets continued evolving with the convergence of Mirai for Intel architectures, which inadvertently resulted in the rapid exploitation of serious vulnerabilities in servers running Confluence, GitLab, and Log4j. Exploits were crafted and delivered to compromise significant numbers of powerful, highly connected servers that were brought together via standard botnet C2 architectures.
Given that online criminals are familiar with the DDoS capabilities of existing Mirai botnets, they were able to quickly employ the new server-class Mirai botnets to launch vicious DDoS attacks. In 2H 2021, two direct-path flooding attacks of more than 2.5 Tbps were launched using server-class botnets. These are the first known terabit-class, direct-path DDoS attacks; previously, reflection/amplification attacks were considered the most practical way to launch DDoS attacks of this magnitude.
The newfound popularity of server-class DDoS botnets is linked with the growth in direct-path DDoS attacks, when compared with reflection/amplification attacks. We expect this trend to continue, driven by the introduction of multigigabit consumer wireline and wireless 5G broadband internet connectivity, increasingly powerful home computers, and IoT devices. We also foresee the very definition of server-class nodes expanding beyond the internet data center (IDC) and into the residential space.
The Dark Side of DDoS-for-Hire
The dark web is a dangerous place where adversaries own and operate DDoS-for-hire platforms and botnets to launch everything from free tests to high-powered multivector attacks. ASERT explored this underground space to evaluate the kinds of attacks being launched. Likewise, we wanted to better understand the kinds of platforms used and their capabilities, to illustrate the low barrier to entry and why DDoS attacks are so prevalent.
As such, we researched the top 19 validated DDoS-for-hire services and captured the types of attacks, purported number of users, and the costs to launch attacks.
1. AnonBot
2. Booter
3. Booter SX
4. CryptoStressor
5. CyberVM
6. DDoS Service
7. Downed
8. FlyStress
9. Instant Stresser
10. IPStresser
11. NetworkStress
12. Project Delta
13. Str3ssed
14. Stresser GG
15. Stresser US
16. SunStresser
17. Toxicity
18. WebStresser
19. ZDStresser
Although some of these services have static pricing models, many of them allow for custom configurations based on duration, concurrent tests, and power, which is how adversaries measure bandwidth and throughput.
Prices for these services vary wildly. We found free tests, tests for $5 over a five-day trial, and full attacks for as much as $6,500, which included 100 concurrent attacks, no daily limits, and a committed 1 million packets per second (Mpps). NetworkStress service boasts a 1 Tbps attack size using 150,000 bots for $2,499. Although these services boast massive capacity, we have yet to observe any DDoS attacks sourced from them in the terabit range.
In the 1H 2021 Threat Intelligence report, we described how some of these underground services offer “blacklists” or delisting services to prevent attacks. One example of this can be found on Booter SX, where adversaries offer a temporary or permanent option for delisting IPs. At least three of the services noted above include this feature, which is anything but a guarantee the purchaser will not be attacked.
Nearly every service offers some form of free DDoS attack capability via Network Time Protocol (NTP), DNS, CLDAP, or a random UDP reflection/amplification attack vector. In addition to the free options, these 19 platforms combined boast a total of more than 200 different attack types, many of which are shared across platforms. UDP and TCP reflection/amplification are the most prevalent, followed by UDP and TCP floods. The services also offer varying degrees of UDP and TCP bypasses for CAPTCHAs or other anti-DDoS defenses.
Despite the incredible diversity of these platforms, the majority of attack types are recognized and predominantly mitigated via standard defensive practices. Our primary motivation in exploring these services was to determine the capabilities available to adversaries. Based on our research, none of the listed services was a surprise or provided something we haven’t witnessed in the wild. Given a solid understanding of these attack methods and a properly tuned mitigation platform, network security professionals can create defensive measures and templates to counter attacks from booter/stresser services.
The Intersection of Encryption, State, and DDoS Defense
Application-Layer DDoS Attacks Versus DDoS Attacks Against Applications
One of the most important and wide-reaching trends in the security landscape over the past decade has been the industrywide push to implement strong encryption for websites, online applications, communications services, and just about everything else we use online.
This wholesale move toward encryption for anything and everything also has been noted by attackers. The additional overhead required to process encrypted communications at large scale often means that launching successful DDoS attacks against encrypted applications and services requires comparatively fewer resources on the part of the attackers. Conversely, DDoS defense for encrypted applications and services also requires more resources on the part of defenders.
High-volume application-layer attacks launched over HTTP/S were prominent during this period. Attacks launched via the Meris and Dvinis router-based botnets were reported, either originating directly from the bots themselves or being relayed through them by way of the SOCKS5 proxy functionality of the bots. Attacks of up to 17.2 million requests per second (Mrps) were reported, representing a significant new metric for HTTP/S-encrypted application-layer DDoS attacks. Looking at a two-year snapshot for bandwidth and throughput in attacks targeting applications and services on TCP port 443, we see significant trends toward more potent attacks.
It is ironic that measures intended to bolster two aspects of security—confidentiality and integrity—can have unintended consequences for security’s third (and arguably most important) aspect: availability. Although it is important that deployment of TLS 1.3 proceeds apace, organizations must take into account the associated increases in complexity and overhead, while ensuring that their public-facing properties are designed and implemented to minimize state and maximize DDoS defense capabilities, thereby ensuring maximal resiliency in the face of attack.
With the advent of TLS 1.3 and its important new functionality, encryption moved from being optional to being compulsory. As of late 2021, more than 50 percent of the top 1 million websites supported TLS 1.3, which is a phenomenal adoption rate for security-related technology.
Application-layer DDoS attacks have been ubiquitous on the internet since its inception; some of the earliest DDoS attacks consisted of Client-to-Client Protocol (CTCP) and Direct Client-to-Client (DCC) floods launched via Eggdrop bots to flood users off internet relay chat (IRC) networks.
Most DDoS attacks are intended to disrupt application/service functionality, irrespective of the DDoS vector(s) employed by the attacker and often irrespective of the proximate target of the attack. DNS query-flooding attacks such as DNS water torture attacks can be directed toward authoritative DNS servers and are actually application-layer attacks. The ultimate objective of such attacks is not to take down the DNS server itself but rather to make it impossible for legitimate clients to resolve the DNS records of a website, VoIP service, online gaming service, or other types of online applications and resources. The same holds true for Simple Service Discovery Protocol (SSDP) reflection/amplification attacks aimed at those same authoritative DNS servers; although the SSDP reflection/amplification attack is a layer-3 volumetric attack, it is intended to have the same effect as a DNS water torture attack against the DNS server.
Similarly, a layer-4 TCP SYN-flood directed toward the ultimate target of the attack is intended to have the same result—namely the inability of the targeted server/service/application/content to be utilized by legitimate users. Generic Routing Encapsulation (GRE)-flooding attacks against routers and layer-3 switches that haven’t been hardened against attack can also achieve the desired effect.
As these examples indicate, attacks intended to take down online applications needn’t be restricted to application-layer DDoS vectors. Conflating the intended target with the attack methodology employed should be avoided, because this all too often leads to inadequate assessments of the true scope of applicable threats to availability.
DDoS attacks are attacks against capacity and/or state. Layer-4 direct-path DDoS vectors such as TCP SYN, ACK, and RST floods, which are primarily based on throughput rather than bandwidth, are often used either deliberately or inadvertently on stateful devices such as firewalls, load balancers, and intrusion prevention systems (IPSs) unwisely and unnecessarily deployed in front of servers/services/applications.
The additional state required during the encryption negotiation process and subsequent encrypted communications sessions also increases the vulnerability of the crypto termination endpoints, regardless of whether they are servers, stateful load balancers, stateful firewalls, and so forth. The convergence of these factors, along with the significant resurgence in popularity of direct-path DDoS attack vectors in relation to reflection/amplification attacks, has resulted in an observable increase in direct-path DDoS attacks targeting TLS-encrypted service delivery elements. We observed significant growth in the number of such attacks against TLS-enabled servers, services, and applications, as well as in the packets-per-second (pps) rates of the attack traffic itself. In 1H 2021, the advent of new Mirai-powered, server-based botnets on high-speed internet links contributed significantly to this trend.
TCP ACK-, SYN-, and RST-flood DDoS attacks targeting online credit card processors in Europe and North America resulted in multiple outages by overwhelming stateful firewalls and load-balancers acting as Transport Layer Security (TLS) termination points. TCP reflection/amplification attacks targeting these organizations were also observed. These stateful devices, as well as the servers sited behind them, must be protected against DDoS attacks, and it is important to remove them from the service delivery chain whenever practical.
Carpet-Bombing Attacks
Our Threat Intelligence partner Neustar also witnessed a significant shift in an attack methodology, with carpet-bombing picking up steam in July 2021. This attack is akin to flinging sand instead of a rock with the hope that many smaller attacks will succeed where a single, large attack fails. Data from Neustar’s security operations center (SOC) revealed that carpet-bombing attacks outnumbered individual attacks by more than 10 percent in 2H 2021. The very nature of these attacks makes them difficult to defend against, because there are multiple points to protect as opposed to a single point of entry.
Such attacks, which often can be too small on their own to trip mitigations, can cause a host of distractions and confusion as they land across a target’s network. They certainly make it necessary for defenders to update detection mechanisms and policies to spread defenses across all externally facing ingress points.
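The point above is that per-destination thresholds miss carpet-bombing because no single host trips them. The following is an added example (not code from the report or from Neustar) showing the same traffic evaluated per host and per destination /24; the flow records, window and thresholds are constructed and illustrative.

```python
"""Carpet-bombing detection: aggregate by destination prefix, not just by host.

Added example, not from the report. Flow records are (dst_ip, bytes) tuples
observed over one fixed window; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network

WINDOW_SECONDS = 10
PER_HOST_MBPS = 100      # classic per-destination trigger
PER_PREFIX_MBPS = 300    # trigger applied to the whole /24


def build_sample_flows():
    """Constructed sample: one busy but normal server, plus 20 hosts in one /24
    that each receive traffic just under the per-host threshold."""
    flows = [("203.0.113.7", 20_000_000)]                   # 16 Mbps, normal
    for host in range(10, 30):                               # 198.51.100.10-29
        flows.append((f"198.51.100.{host}", 90_000_000))     # 72 Mbps each
    return flows


def mbps(byte_count, window):
    return byte_count * 8 / window / 1_000_000


def per_host_alerts(flows, window=WINDOW_SECONDS, threshold=PER_HOST_MBPS):
    """Per-destination-host rate check: the view that carpet-bombing evades."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return {d for d, b in totals.items() if mbps(b, window) > threshold}


def per_prefix_alerts(flows, prefix_len=24, window=WINDOW_SECONDS,
                      threshold=PER_PREFIX_MBPS):
    """Sum traffic across every host in each destination prefix and report
    prefixes over threshold together with how many distinct hosts were hit
    (many hosts, none of them individually loud, is the carpet-bombing shape)."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for dst, nbytes in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += nbytes
        hosts[net].add(dst)
    return {
        str(net): {"mbps": round(mbps(b, window), 1), "hosts": len(hosts[net])}
        for net, b in totals.items() if mbps(b, window) > threshold
    }


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-host alerts:", per_host_alerts(flows))      # empty set
    print("per-prefix alerts:", per_prefix_alerts(flows))  # 198.51.100.0/24 flagged
```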
Vertical Industries
Always a popular target for attacks, many of the telecommunications verticals nevertheless saw fewer attacks in 2H 2021. One of the more notable exceptions occurred in the wireless telecommunications space, where a likely increase in wireless hotspot gaming and the rapid adoption of 5G fueled increased attacks (see Industry Spotlight: Wireless Telecommunications). Meanwhile, the closely related software and computer manufacturing verticals witnessed massive increases in attacks (see Industry Spotlight: Digital Supply Chain).
As adversaries sought to cash in on DDoS extortion, they increasingly launched attacks against insurance agencies and brokerages (see Industry Spotlight: Insurance Agencies and Brokerages), as well as against VoIP providers (see Industry Spotlight: VoIP Providers). Unfortunately, some of these attacks were highly successful, causing significant damage both to the targeted organization and collaterally with their customers.
We’d be remiss in not mentioning one more motivation that stands the test of time: “Because I Can.” Some people like to watch the world burn. And because they can, they do. By fall 2021, people were returning to normal life, including a return to physical versus virtual classrooms. The increase in attacks on colleges, universities, and professional schools is likely attributable to students looking to start fires wherever possible (see Industry Spotlight: Colleges, Universities, and Professional Schools).
Industry Spotlights
Gamers received a small breath of fresh air as DDoS attacks against consumers on wireline networks saw a mild decrease. Sadly, this reprieve for one type of consumer shifted to an increase for wireless consumers. The wireless industry experienced a disproportionate increase in attacks—even as many other telecommunications types saw declines during 2H 2021. This trend likely reflects a continued increase in gamers leveraging wireless hotspots and the rapid expansion of 5G technologies and services. Historically, we’ve seen a larger share of DDoS attacks against this segment in Asia Pacific (APAC); however, for the second half of the year, we instead observed a 38 percent increase in DDoS attacks globally.
We observed a 606 percent increase in attacks against software publishers compared with 1H 2021. Combined with a 162 percent increase in attacks on computer manufacturers and a 263 percent increase against computer storage manufacturing, it becomes apparent that attackers are focusing a concerted effort on the digital supply chain.
Insurance agencies and brokerages—always a favored target for DDoS extortion attacks—experienced an increase in attacks of 257 percent compared with 1H 2021. This segment was an early target for the LBA campaign dating back to mid 2020.
DDoS extortion campaigns also resulted in numerous VoIP providers all over the world being taken offline. VoIP providers and their infrastructure fall under two primary verticals as defined by the North American Industry Codes: all other telecommunications, and data-processing hosting and related services (cloud computing). The first of these had a 93 percent increase in attacks from 1H 2021, and the second saw a notable increase in Europe, the Middle East, and Africa (EMEA), where most of these attacks occurred. In fact, the data-processing hosting and related-services category was the top target in EMEA for 2H 2021.
Although DDoS extortion and attacking gamers for monetary gain are the top motivations behind DDoS attacks, we sometimes see attacks that are designed by students who want to play hooky or delay a test. Such was the case in 2H 2021, when attacks against colleges, universities, and professional schools increased by 102 percent. These attacks coincided with a return to physical classrooms, and they serve as a stark reminder to educational institutions that they can easily fall prey to DDoS attacks that can have significant impact on both faculty and the student body.
DDoS Attack Vectors
Vector (abbreviation): amplification factor, where the vector is a reflection/amplification vector, followed by the report's 2H 2021 attack-count indicator (legend below). A star marks MBHTTP Amp.
- ARMS Amp (Ar): 35.5:1 ○○○○●
- BACnet Amp (Bc): 120:1 ○○○○●
- BitTorrent Amp (Bt): 3.8:1 ○○○○●
- Chargen Amp (Ch): 1,000:1 ○○○○●
- Citrix-ICA Amp (Ci): 5.7:1 ○○○○●
- CLDAP Amp (Cd): 56.89:1 ○○○○●
- COAP Amp (Cp): 34:1 ○○○○●
- D/TLS (Dt): 37.34:1 ○○○○●
- DHCPDiscover Amp (Di): 24:1 ○○○○●
- DNS (Ds)
- DNS Amp (Dn): 160:1 ○○○●●
- HTML5 (Ht)
- ICMP (Im)
- IP NULL (In)
- IPMI Amp (Ip): 1.1:1 ○○○○●
- IPv4 Protocol 0 (Iv)
- ISAKMP/IKE Amp (Ik): 1:1 ○○○○●
- Jenkins Amp (Jk): 5.6:1
- L2TP Amp (Lt): 13.5:1 ○○○●●
- MBHTTP Amp (Mh): ★
- mDNS Amp (Md): 4.35:1 ○○○○●
- Memcached Amp (Mc): 51,200:1 ○○○○●
- MSSQLRS Amp (Mq): 25:1 ○○○○●
- NetBIOS Amp (Nb): 3:1 ○○○●●
- NTP Amp (Np): 556.9:1 ○○●●●
- OpenVPN Amp (Ov): 33.9:1 ○○○●●
- PMSSDP Amp (Pm): 4.68:1 ○○○○●
- QOTD Amp (Qd): 140.3:1 ○○○○●
- Quake Amp (Qk): 63.9:1 ○○○○●
- RDP Amp (Rd): 85.9:1 ○○○○●
- RIPv1 Amp (Ri): 134.24:1 ○○○○●
- rpcbind/portmap Amp (Rc): 29:1 ○○○●●
- Sentinel Amp (Se): 30.7:1 ○○○○●
- SIP Amp (Sp): 10:1 ○●●●●
- SNMP Amp (Sn): 880:1 ○○○●●
- SSDP Amp (Ss): 30.8:1 ○○○●●
- STUN Amp (St): 3.32:1 ○○○○●
- TCP ACK (Ta)
- TCP NULL (Tn)
- TCP RST (Tr)
- TCP SYN (Ts)
- TCP SYN/ACK Amp (Tk)
- TFTP Amp (Tf): 46.5:1 ○○●●●
- Ubiquiti Amp (Ub): 4:1 ○○○○●
- Unreal-Tournament Amp (Un): 2,464:1 ○○○○●
- VSE Amp (Ve): 14:1 ○○○○●
- WS-DD Amp (Wd): 500:1 ○○○○●
Attack-count legend: 500,001+ attacks; 50,001-500,000 attacks; 0-50,000 attacks
HTTP Reflection/Amplification via Abusable Internet Censorship Systems
A largely academic DDoS attack vector thus far, researchers presented a way to amplify a significant amount of attack traffic via abusable internet censorship systems. Until 2021, reflection/amplification attacks were widely believed to be a problem specific to connectionless protocols such as UDP. The USENIX 2021 paper “Weaponizing Middleboxes for TCP Reflected Amplification” proved otherwise. The paper examined a class of middleboxes used by some networks to censor HTTP-based traffic, ultimately showing how middleboxes can reflect and amplify TCP-based application traffic without requiring the sender to first establish a TCP connection. This discovery exposed the susceptibility of these censorship systems to source IP address spoofing attacks, which led to HTTP reflection/amplification attacks.
Vulnerable censorship systems make traffic forwarding or filtering decisions based on the Host: header field in an initial client HTTP request. This field typically contains the DNS name the client is attempting to communicate with (e.g., Host: www.netscout.com). If a vulnerable censorship system considers this host name to be prohibited, the request is intercepted, and an HTTP error page is returned. The returned error page is often many times larger than the initial set of address-spoofed packets, and this becomes the amplification component of the attack.
The methods of the attack and the volume of amplification traffic vary. In some cases, practically infinite amplification has been observed due to routing loop configurations of some censorship systems. Vulnerable systems are widely deployed, with tens of millions of IPv4 addresses on the internet exhibiting an amplification factor of at least two to one. This vulnerability is one of the largest reflection/amplification threats observed to date. Furthermore, the threat is relatively difficult to detect and defend against, because spoofed attack packets can look like ordinary HTTP traffic.
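One detection handle the text leaves implicit: a reflected block page arrives as an HTTP response for a TCP connection the victim never opened, so it has no matching outbound SYN in the victim's connection table. The following is an added example (not code from the report or from the USENIX paper) that checks constructed packet summaries against a table of connections the local network initiated; the packet dict format, local prefix and addresses are assumptions.

```python
"""Flag inbound HTTP responses that match no connection we initiated.

Added example, not from the report. Packet summaries are dicts with src,
sport, dst, dport, flags and payload (constructed below). Reflected block
pages from middleboxes arrive for 4-tuples that never saw an outbound SYN.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] (\d{3})")


def build_sample_packets():
    """Constructed traffic: one legitimate exchange, then three unsolicited
    block pages arriving at ports the local host never used."""
    pkts = [
        {"src": "192.0.2.10", "sport": 50001, "dst": "198.51.100.5", "dport": 80,
         "flags": "S", "payload": b""},
        {"src": "198.51.100.5", "sport": 80, "dst": "192.0.2.10", "dport": 50001,
         "flags": "PA",
         "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"},
    ]
    block_page = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                  + b"<html>blocked</html>" * 50)   # 1051 bytes, a large reply
    for i in range(3):
        pkts.append({"src": f"203.0.113.{i + 1}", "sport": 80, "dst": "192.0.2.10",
                     "dport": 40000 + i, "flags": "PA", "payload": block_page})
    return pkts


def find_unsolicited_http(packets, local_net="192.0.2.0/24"):
    """Track outbound SYNs from the local prefix; any inbound HTTP response whose
    reversed 4-tuple was never opened is reported with its sender and size."""
    local = ip_network(local_net)
    opened = set()      # (local_ip, local_port, remote_ip, remote_port)
    findings = []
    for p in packets:
        if ip_address(p["src"]) in local and p["flags"] == "S":
            opened.add((p["src"], p["sport"], p["dst"], p["dport"]))
            continue
        if ip_address(p["dst"]) in local:
            m = HTTP_RESPONSE.match(p["payload"])
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if m and key not in opened:
                findings.append({"reflector": p["src"], "status": int(m.group(1)),
                                 "bytes": len(p["payload"])})
    return findings


def reflector_summary(findings):
    """Bytes of unsolicited HTTP response per sending address, the view a
    defender uses to size the reflection and pick filters upstream."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["reflector"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = find_unsolicited_http(build_sample_packets())
    print(reflector_summary(found))   # three reflectors, 1051 bytes each
```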
Diving into Direct-Path DDoS Attacks: Fighting Against the Flood
A new era of high-impact DDoS attacks flourished following the introduction of reflection/amplification methodology in 1997. Attackers used to be limited to the bits-per-second (bps) and pps rates directly generated by botnets and customized attack harnesses. Today, however, they punch far above their weight in terms of the amount of amplified attack traffic used against targeted organizations. Worse, easy-to-use DDoS-for-hire services eliminate the technical requirements of launching a massive DDoS attack. Meanwhile, the more mundane direct-path DDoS attacks—such as TCP SYN, ACK, RST, and GRE floods—continue in popularity.
SYN-flood was the most popular DDoS attack vector from 1996 to 2018, when it was overtaken by DNS reflection/amplification. Direct-path DDoS vectors were still employed by attackers either out of habit, randomly, or because of their suitability to task, but reflection/amplification attacks became significantly more prevalent.
But in 2021, reflection/amplification attacks were displaced by direct-path DDoS attacks. This change in trajectory became apparent with the sharp increase in ACK-flood attacks against online credit card processors and other financial services organizations in 1H 2021 and was further supported when SYN floods joined ACK floods as the top two vectors for 2H 2021.
Although there are always myriad factors at work across the DDoS threat landscape, we attribute this increase in direct-path DDoS attacks to the following factors:
OPERATION ANTI-SPOOFING
• Ongoing efforts to implement source-address validation (SAV, commonly referred to as anti-spoofing) by network operators continue to thwart DDoS attackers.
• The ability to spoof source IP addresses is a requirement for launching any type of reflection/amplification DDoS attack. Attack harnesses must be able to forge spoofed attack initiator traffic supposedly sourced from the targeted organization in order to stimulate large, high-impact amplified attack traffic. And although efforts to broadly implement SAV have been ongoing since the early 2000s, it is still not universally deployed—yet.
• As more network operators implement SAV, they deprive attackers of the ability to emit spoofed attack initiator traffic from their networks. This, in turn, limits the breadth of DDoS-for-hire services and bespoke attack infrastructure that can launch reflection/amplification attacks. Although most TCP flooding attacks are spoofed, they are primarily state-exhaustion attacks that are more dependent on packets-per-second throughput rather than bandwidth to negatively impact their targets.
• As the pool of available spoofing-capable bandwidth shrinks, it is often more cost-effective for attackers to launch larger numbers of smaller-bandwidth attacks—especially because high-bandwidth reflection/amplification attacks often include significant collateral damage, thus attracting the attention of both network operators and law enforcement. That higher degree of scrutiny provides additional motivation for network operators to implement SAV even more broadly, further reducing the increasingly constrained pool of spoofing-capable network capacity available to attackers.
• This isn’t meant to imply that direct-path DDoS attacks don’t generate considerable negative collateral impact. To the contrary, almost all DDoS attacks are overkill, including direct-path attacks, and can significantly interfere with how unrelated parties conduct online activity. However, due to the high-bandwidth focus of reflection/amplification attacks, their collateral damage footprint tends to be even more wildly disproportionate than most direct-path DDoS attacks.
See DDoS-Resistant Architecture for more details.
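The anti-spoofing measure described above, source-address validation at the network edge, amounts to a simple rule: a packet entering from a customer-facing interface must carry a source address that the customer is entitled to originate. The following is an added example, not code from the report or from any vendor; it simulates BCP 38 ingress filtering with constructed interface names, prefixes and packets (all documentation address ranges). Strict uRPF achieves the same result by checking the source against the routing table instead of a static prefix list.

```python
"""Added example (not the report's code): source-address validation (SAV,
BCP 38 ingress filtering) as a network operator applies it on customer-facing
interfaces. Interface names, prefixes and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source IP address the packet claims
    dst: str


# Hypothetical edge router: each customer port lists the prefixes the
# customer is entitled to originate traffic from (constructed values).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/25")],
}

# Sources that are never valid on a customer port, whatever the prefix list.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def sav_verdict(pkt: Packet) -> str:
    """Return 'permit' or a 'drop:<reason>' string for one ingress packet."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in MARTIANS):
        return "drop:martian"
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_if)
    if allowed is None:
        # No prefix list configured for this port: fail closed.
        return "drop:unknown-interface"
    if any(src in net for net in allowed):
        return "permit"
    # The source belongs to someone else. This is the packet a reflection
    # attack initiator must emit, and the packet SAV exists to stop.
    return "drop:spoofed"


def filter_packets(pkts):
    """Apply SAV to a batch and return verdict counts (drop counters)."""
    counts = {}
    for p in pkts:
        v = sav_verdict(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


def sample_packets():
    """Constructed traffic: legitimate customer packets plus packets claiming
    a source outside the customer's prefixes."""
    return [
        Packet("ge-0/0/1", "192.0.2.10", "203.0.113.5"),      # legitimate
        Packet("ge-0/0/2", "198.51.100.200", "203.0.113.5"),  # legitimate
        Packet("ge-0/0/1", "203.0.113.7", "203.0.113.53"),    # spoofed source
        Packet("ge-0/0/1", "10.1.1.1", "203.0.113.5"),        # martian
        Packet("ge-0/0/9", "192.0.2.10", "203.0.113.5"),      # unconfigured port
    ]


if __name__ == "__main__":
    print(filter_packets(sample_packets()))
```

The drop counters are the operationally useful output: a sustained rise in `drop:spoofed` on a single customer port is a strong indicator that a host behind it is participating in reflection/amplification attacks, and is worth an alert even though the attack traffic itself never leaves the network.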
Server-Class Botnet Army Recruitment
• The subsumption of server-class nodes into mainstream Mirai botnets means that attackers can launch many simultaneous, moderately scaled direct-path DDoS attacks, while retaining the ability to direct high amounts of attack traffic toward targets on demand. Servers are generally expected to generate significantly more outbound internet traffic than PCs and embedded IoT devices.
• Networks that contain unpatched servers are ripe for takeover and tend to be less closely monitored than networks whose operators engage heavily with the operational security community; the latter are more likely to rapidly patch exploitable security vulnerabilities.
• TCP-based direct-path DDoS attacks do not have to be spoofed. When a sufficient number of bots participate in an attack, exhausting state on the attack target can still occur if the defenders are unprepared. Likewise, most application-layer DDoS attacks cannot be spoofed, due to their use of TCP as a transport.
All of these factors drove a marked increase in direct-path DDoS attacks during 2021, and we anticipate that their popularity will continue to grow.
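The two attack families contrasted above leave different fingerprints in flow telemetry: reflection/amplification arrives as large UDP replies from well-known service ports that the target never queried, while SYN and ACK floods are small segments at high packet rates from many sources. The following is an added example, not code from the report; it runs that distinction over constructed NetFlow-style records (documentation address ranges, a 60-second window, and thresholds chosen for illustration) so that a defender can tell which family is hitting a destination and, for amplification, which vectors are in play.

```python
"""Added example (not the report's code): classify per-destination traffic
from constructed flow records into reflection/amplification versus
direct-path TCP state-exhaustion floods. Records, thresholds and the
60-second window are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# UDP services commonly abused as reflectors (source port -> vector name).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: str  # cumulative flags seen in the flow ("S", "A", "SA", ...); "" for UDP


@dataclass
class DstStats:
    packets: int = 0
    bytes: int = 0
    reflect_packets: int = 0
    syn_only_packets: int = 0
    ack_only_packets: int = 0
    sources: set = field(default_factory=set)
    vectors: set = field(default_factory=set)


def classify(flows, window_s=60, min_pps=100):
    """Aggregate flows per destination and label the dominant attack family."""
    stats = defaultdict(DstStats)
    for f in flows:
        s = stats[f.dst]
        s.packets += f.packets
        s.bytes += f.bytes
        s.sources.add(f.src)
        if f.proto == "UDP" and f.sport in REFLECTOR_PORTS:
            s.reflect_packets += f.packets          # unsolicited reply from a reflector port
            s.vectors.add(REFLECTOR_PORTS[f.sport])
        elif f.proto == "TCP":
            if f.tcp_flags == "S":
                s.syn_only_packets += f.packets     # handshake never completes
            elif f.tcp_flags == "A":
                s.ack_only_packets += f.packets     # ACKs for connections that do not exist
    result = {}
    for dst, s in stats.items():
        pps = s.packets / window_s
        bpp = s.bytes / s.packets
        reflect_share = s.reflect_packets / s.packets
        tcp_share = (s.syn_only_packets + s.ack_only_packets) / s.packets
        if pps < min_pps:
            verdict = "below-threshold"
        elif reflect_share >= 0.8 and bpp >= 500:
            verdict = "reflection/amplification"     # bandwidth-heavy, large packets
        elif tcp_share >= 0.8 and bpp <= 100:
            verdict = "direct-path TCP state exhaustion"  # pps-heavy, small packets
            s.vectors.add("SYN flood" if s.syn_only_packets >= s.ack_only_packets else "ACK flood")
        elif reflect_share >= 0.2 and tcp_share >= 0.2:
            verdict = "multivector"
        else:
            verdict = "unclassified"
        result[dst] = {
            "verdict": verdict,
            "pps": round(pps, 1),
            "mbps": round(s.bytes * 8 / window_s / 1e6, 2),
            "bytes_per_packet": round(bpp),
            "sources": len(s.sources),
            "vectors": sorted(s.vectors),
        }
    return result


def build_sample_flows():
    """Constructed records: 20 DNS reflectors answering a host that never
    asked, 50 bots sending pure SYNs to a second host, and one ordinary
    HTTPS session to a third."""
    flows = []
    for i in range(20):
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.10", "UDP", 53, 40000 + i, 1000, 1_200_000, ""))
    for i in range(50):
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.20", "TCP", 50000 + i, 443, 5000, 300_000, "S"))
    flows.append(Flow("198.51.100.200", "203.0.113.30", "TCP", 51000, 443, 40, 30_000, "SA"))
    return flows


if __name__ == "__main__":
    for dst, summary in classify(build_sample_flows()).items():
        print(dst, summary)
```

The ratios behind the two labels are the point: the amplification target receives a few hundred packets per second but several megabits of traffic, while the SYN-flood target receives thousands of packets per second in a fraction of the bandwidth, which is why mitigation for the latter is sized by connection state and packet rate rather than by link capacity.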
Multivector Attacks and Vector Lifecycles
During the first half of the year, we revealed an omnivector attack in Germany that leveraged 31 different attack vectors, illustrating the upward trend in multivector attacks that we’ve tracked for more than five years. However, 2H 2021 saw a decrease in these attacks for the first time, and that decrease accompanied a significant dip in overall attack numbers and a subsequent decline in some reflection/amplification attacks. This reveals a trend in which adversaries now prefer to use TCP-based floods and botnets for direct-path attacks.
The variability and availability of DDoS attack vectors raise some questions, which ultimately spawned an exercise focused on the lifecycle of reflectors/amplifiers over time, to reveal patterns of behavior among adversaries that launch such attacks.
It’s important to note that the availability of a vector doesn’t always translate into DDoS attacks that use it. A good example is the Apple Remote Management (ARM) service. A recent software update from Apple effectively renders this vector moot; however, it doesn’t reduce the service’s exposure to the internet. So despite an increasing number of available ARM devices, ARM has seen a significant decrease in usage as an attack vector. From a risk-based perspective, vendors and security professionals should seek both to remove such services from internet visibility and to remediate their exploitable behavior.
In other cases, however, a decrease in available reflectors/amplifiers has a direct impact on the number, size, and speed of attacks. DNS amplification is one such vector: it experienced a significant decrease in the number of abusable devices over the last two months of 2021, and correspondingly we observed a 32 percent decrease in DNS amplification attacks. Unfortunately, due to the pervasiveness and constant rotation/addition of new DNS servers, which by their very nature lend themselves to this type of abuse, we anticipate that this trend won’t continue. It does, however, illustrate what happens when a significant portion of resources becomes unavailable to adversaries: a corresponding decrease in their activity follows.