Researchers at Netscout have released a report analyzing the malicious internet traffic of 2020 and comparing it to the years before. Some of the results were as expected: Brute-forcing credentials and more targeting towards internet-connected devices were foreseeable and have been discussed at length. And even a record-breaking year in Distributed Denial of Service (DDoS) attacks might have been expected as it follows the upward trend over the years. But the sheer number of attacks, their size, and a new big player in the field of DDoS extortion may raise some surprised eyebrows.
The report identifies a "huge upsurge" in DDoS traffic during 2020, with a number of records broken:
- The most DDoS attacks launched in a single month (929,000).
- The most DDoS attacks in a single year (more than 10 million).
- Monthly DDoS attack numbers that regularly exceed the 2019 averages by 100,000-150,000 attacks.
As you can see the records are found in the number of attacks. The attack frequency spiked by 20 percent year over year and 22 percent in the last six months of 2020.
A DDoS attack stops people from using a computer system by keeping it so busy with traffic from multiple locations that it is overloaded and either crashes or is permanently busy. Because they work by delivering more traffic than the system or network under attack can handle, they hinge on an attackers' ability to deliver significant volumes of traffic.
To increase the amount of data they can deliver, attackers look for methods that amplify the amount of traffic they can create. Typically an attacker will look for a service that will return a lot of data in response to a simple request (often hundreds of times more data). They will then make as many requests to that service as possible, but spoof their address so that it looks like the requests are coming from the victim. Because of the spoofed address the responses are reflected: sent to the victim instead of back to the attacker.
According to Netscout, threat actors exploited and weaponized at least four new reflection/amplification DDoS attack vectors in 2020. The report specifically mentions that abusable applications and services based on the UDP protocol remained a valuable asset for attackers. These applications and services were analysed and abused to provide new reflection/amplification vectors for DDoS attacks and helped provide the power required for the new wave of attacks.
According to the report, UDP-based reflection/amplification attacks continued to dominate the list of most popular attack vectors, with TCP ACK flood attacks coming in a close second. This represents a changing of the guard, given that TCP SYN floods were dominant in previous years. However, Domain Name System (DNS) reflection/amplification attack frequency rose steadily over approximately the past 18 months and became the top vector of choice in 2020.
Recommended background reading: SYN/ACK in the TCP Protocol
Lazarus Bear Armada
The Netscout report also reveals that in August of 2020 a new threat actor in the field of DDoS extortion emerged and quickly started to make waves. In a DDoS extortion attack an attacker demands a ransom in exchange for halting a DDoS attack that is stopping the victim or its customers from using systems they need. The new group named themselves Lazarus Bear Armada (LBA). Very likely to imply that they are affiliated with well-known APT groups like the Lazarus Group, Fancy Bear, and the Armada Collective. Affiliations that they like to emphasize when threatening victims.
Their extortion attacks were primarily directed towards companies in the financial and travel-industry sectors, and sometimes included their upstream internet transit providers too. ISPs, healthcare providers, insurance providers, personal care product manufacturers, regional energy providers, and IT-related vendors were also targeted, according to Netscout.
Extortion and attacks
The LBA attacks are characterized by the attacker initiating a demonstration DDoS attack against parts of the target's online infrastructure, followed shortly after by an email demand for a substantial payment in Bitcoin. The extortion demands typically stated that the attacker had up to 2 Tbps of DDoS attack capacity at the ready, which could be directed at the victim's systems if the demands were not met. And they did not shy away from actual DDoS attacks against those unwilling to pay. Not even when it concerned organizations that played a crucial role in fighting the pandemic.
DDoS attack capacity
Even though there are no, agreed upon, international standards to measure DDoS attack capacity, the attack volumes observed over the course of the LBA's campaign maxed out at 300 Gbps, which is significant.
Defending against a DDoS attack
As in most areas of security, searching for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. DDoS mitigation is a complex subject, but we suggest that your chosen solution should offer you one or more of these options:
- Allow users to use your systems normally as much as possible, even during an attack.
- Protect your network from breaches during an attack.
- Establish an alternative system to work with.
Broadly speaking organizations either need to be able operate in spite of systems being unavailable, with ways to keep the work going and the revenue flowing, or they need a way to absorb, re-route or drop DDoS traffic so they can continue to operate as close to normally as possible. Defending against massive-scale DDoS attacks requires access to enormous network resources, which may only be accessible via a third-party offering DDoS mitigation services. Whatever form your protection takes, make sure you have a plan or protocols in place before an attack occurs.
You can read more on the subject in our article DDoS attacks are growing: What can businesses do?