The Next Big DDoS Event Is Just Around the Corner. Or Is It?

It has been nearly two years since we entered the terabit attack era. What, if anything, can we learn from the past?

The Next Big DDoS Event Is Just Around the Corner.

In October 2016, a massive DDoS attack targeted DNS service provider Dyn, successfully taking offline dozens of the world’s leading brands. This attack was powered by Internet of Things (IoT) botnets and led to much discussion about how secure and resilient our digital infrastructure truly was. It shocked most people to see just how many popular internet and digital services could be impacted from a single event.

Sixteen months later, in late February 2018, attackers using vulnerable memcached servers and their magnificent reflection/amplification capabilities launched what would become one of the largest DDoS attacks in history. Akamai first reported the 1.3Tbps attack, which was against GitHub, one of its customers. Days later, NETSCOUT worked with a North American service provider (SP) customer to successfully mitigate a 1.7Tbps DDoS attack, now the largest ever recorded. The same wonder and speculation followed these attacks: What’s next?

Sixteen months lapsed between Dyn and the memcached attacks. Sixteen months from memcached takes us to June 2019. Uh-oh? Here we are, months past June so clearly no. As it turns out. DDoS attacks are not like earthquakes. Their past behavior is not a predictor of the future.

What’s Next? Look for Changing Tactics

What helps as a predictor of future DDoS attacks is an understanding of human nature. As I mentioned above, with NETSCOUT’s help, a very well-prepared SP networking and security team was able to successfully mitigate the largest attack of all time with no disruption to services. This is a remarkable accomplishment, and something that does not go unnoticed by attackers.

Botnet-driven DDoS attacks can be blocked en masse when they target specific ports. In fact, almost all volumetric DDoS attacks can easily be stopped by SPs. Even better, in most cases this can be accomplished through automation, with no human interaction.

 Since most SPs have such sophisticated DDoS defenses in place, attackers are changing tactics. What SPs can’t easily do is block traffic that is part of legitimate business services, such as OpenVPN. The cardinal sin of DDoS mitigation is dropping legitimate business traffic as part of a DDoS mitigation. When that happens, the defender is essentially completing the attack for the attacker.

Because the SP cannot block them, all those illegitimate packets go to the legitimate service, taking up resources and causing performance issues. This is a deadly threat to any organization today. So much is invested in the delivery and consumption of digital services that any degradation or disruption can have enormous cascading consequences. Attackers know this too.

This trend was first reported in March, when we released the 14th Annual Worldwide Infrastructure Security Report.

As the report details, digital transformation strategies are under attack. Digital transformation is critical to service providers looking to capture new revenue opportunities and enterprises looking to run efficient, scalable, high-performing businesses. This has the attention of attackers, who are increasingly targeting these new services:

SaaS services: The report cites a threefold year-over-year increase in the number of DDoS attacks against SaaS services, from 13 percent in 2017 to 41 percent in 2018.

Third-party data center and cloud services: NETSCOUT’s report also found a significant year-over-year increase in the number of DDoS attacks against third-party data centers and cloud services, from 11 to 34 percent.

Service providers: Cloud-based services were increasingly targeted by DDoS attacks, up from 25 percent in 2016 to 47 percent in 2018, according to the report.

By no means are we predicting an end to massive DDoS attacks—not with so many vulnerable IoT devices out there, not to mention abusable applications that allow for the reflection/amplification of traffic. That said, these attacks pose much less of a threat to SPs because of the defenses in place, enhanced automation, and SPs’ ability to mass block volumetric attacks targeting specific ports.

What we’re seeing now is legitimate services targeted with low-volume attacks because the SP cannot readily filter out attack traffic at the individual user level. This is a weakness in many defenses, and not surprisingly, this is where today’s attackers are focusing. We may yet see a 2Tbps attack, but we’re much more likely to see a growing swarm of these more sophisticated attacks, requiring SPs to utilize more sophisticated analytics and better visibility to drive their filtering capabilities.

Download the 14th annual NETSCOUT Worldwide Infrastructure Security Report to learn more about the DDoS threat landscape.

Steinthor Bjarnason is a principal security engineer with ASERT.