Thought leadership. Threat analysis. Cybersecurity news and alerts.
Ransom DDoS Extortion On the Rise Again
A recent report from researchers at Proofpoint showed that ransom distributed denial-of-service (DDoS) extortions are on the rise again.
In the blog post “Ransom DDoS Extortion Actor 'Fancy Lazarus' Returns,” researchers at Proofpoint reported that since May 21, 2021, they've observed renewed DDoS extortion activity targeting an increasing number of industries by the threat group known as "Fancy Lazarus." In a DDoS attack, a system (website, network, application server, DNS server, and individual IP) is flooded with data requests in a bid to shut it down.
“The ransom distributed denial of service extortion threat actor known as ‘Fancy Lazarus’ is back, taking aim at an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities, and retail sectors,” researchers at Proofpoint said. “The actor [Fancy Lazarus] took over a month-long break from April to May 2021 before returning with new campaigns that include some changes to the group’s tactics, techniques, and procedures ….”
According to researchers at Proofpoint, the threat group’s latest campaign changes the group’s name to Fancy Lazarus from previous names such as “Lazarus,” “Lazarus Group,” and “Armada Collective.” The researchers found no connection between this ransom DDoS extortion group and the advanced persistent threat (APT) actors with the same names.
Ransom DDoS Extortion Prevalence
On November 1, 2019, CERT NZ reported that it received reports relating to an extortion campaign targeting companies within the financial sector in New Zealand. The extortion campaign, CERT NZ said, involved two phases. The first phase involved an email stating the name of the extortionist, the name of the target company, the deadline when the major DDoS attack will occur and the demand for a ransom to prevent it.
The second phase, according to CERT NZ, involved a demonstrative DDoS attack (typically lasting 30 minutes) against an IP address belonging to the companies’ network. CERT NZ said the DDoS techniques used in the demonstrative DDoS attack, include targeting services using the following protocols:
Hyper Text Transfer Protocol (HTTP)
Web Service Dynamic Discovery (WSD)
Apple’s Remote Management Service (ARMS)
Simple Service Discovery Protocol (SSDP)
Network Time Protocol (NTP)
Domain Name System (DNS)
Lightweight Directory Access Protocol (LDAP)
SYN and Internet Control Message Protocol (ICMP)
On November 15, 2019, researchers at Akamai said multiple companies have reported receiving an email demanding 2 bitcoins. Akamai said the extortion email contains a threat that if payment isn’t made before the deadline expires, the price increases by 1 bitcoin and the targeted DDoS attack will start.
“Shortly after a customer received one of these extortion emails, Akamai observed a 30Gbps attack (at peak) originating from a globally distributed botnet, where each IP sent a fraction of the overall traffic,” Akamai said. “The attackers were abusing DNS, Apple Remote Management Service (ARMS), CLDAP, TFTP, PortMap, and WS-Discovery (WSD), across the UDP protocol.”
In August 2020, the Federal Bureau of Investigation (FBI) issued an alert warning that thousands of organizations in multiple industries across the globe were targeted in the ransom DDoS extortion campaign similar to the ransom DDoS extortion campaign described by Akamai and CERT NZ. According to the FBI, DDoS "demonstration" launched by the threat group varied across institutions with some targeting a single IP address and others targeting multiple IP addresses, as well as variable peak volumes and attack length.
In the August 2020 blog post "Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail," researchers at Akamai said they’ve observed ransom DDoS attacks peak at almost 200 Gb/sec, utilizing ARMS, DNS Flood, GRE Protocol Flood, SNMP Flood, SYN Flood, and WSDiscovery Flood attacks as their main vectors.
Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center (FS-ISAC), a cybersecurity consortium of nearly 7,000 financial companies told the Wall Street Journal last February that the global nature of the targets of the ransom DDoS extortion campaign was alarming, citing victims in North America, Latin America, Europe, the Middle East, Africa, and Asia-Pacific.
“After about four or five members raised their hands to say that they were seeing similar activity [ransom DDoS extortion], that’s when we started diving into a potential campaign against our members,” said Walsh. “This accumulated week upon week. Even months later, we were still seeing extortion emails coming through, and short-lived attacks,” Ms. Walsh said.
Ransom DDoS Extortion Campaign Modus Operandi
According to Proofpoint researchers, the ransom DDoS extortion campaign modus operandi always begins with sensational emails. The researchers said the extortion emails contain the following:
It’s important to note that DDoS attack against websites, networks, application servers, DNS servers, and individual IPs is now preventable with a DDoS protection solution.
Lessons Learned Four Years After Dyn DDoS Attack
One of the perpetrators of the massive distributed denial-of-service (DDoS) attack that brought down the domain name system (DNS) provider Dyn and major websites pleaded guilty.
In a statement, the U.S. Department of Justice said that on October 21, 2016, the individual, who was a minor at the time, pleaded guilty to creating, in collaboration with other individuals, a botnet that launched several DDoS attacks and impacted the DNS provider Dyn (now owned by Oracle), as a result, taking offline for several hours a number of websites, including the websites of Sony, Spotify, Amazon, Twitter, PayPal, and Netflix.
What Is a DDoS Attack?
A DDoS attack is a type of cyberattack that overwhelms an online resource, such as a website with malicious traffic, taking down the website offline, making it unavailable to legitimate site visitors.
In overwhelming an online resource or online platform with malicious traffic, attackers use a botnet. A botnet refers to hijacked computers, including Internet of Things (IoT), and controlled by the attackers to perform malicious activities including DDoS attacks.
Based on court documents, in September and October of 2016, the attackers, including the one who recently pleaded guilty, created a botnet, which was a variant of the botnet called “Mirai,” in launching the DDoS attacks that resulted in taking down Dyn. The Mirai-variant botnet hijacked IoT devices including video cameras and recorders and turned them into “zombie robots” in launching the DDoS attacks.
"We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a statement about the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”
Role of Domain Name System (DNS) Resolver
Domain Name System (DNS) is one of the infrastructural services that most modern websites critically rely on when servicing web requests.
In searching the internet, users type into the web browsers words such as espn.com. Web browsers interact with Internet Protocol (IP) addresses – referring to addresses that are too complex for users to memorize such as 192.168.1.1 (in IPv4), or more complex IP addresses 2400:cb00:2048:1::c629:d7a2 (in IPv6).
What DNS does is convert these domain names, for instance, espn.com into IP addresses so that web browsers can load the web content. This eliminates the need for users to memorize complex IP addresses. DNS resolver like Dyn, meanwhile, initiates the process that leads to a domain name being translated into the necessary IP address.
DNS resolvers, also known as DNS providers, aren’t immune to cyber risks such as DDoS attacks as shown in the Mirai-Dyn incident. The Mirai-Dyn incident also showed that the reliance on a single third-party DNS resolver like Dyn led to taking offline the websites relying solely on a single DNS resolver.
In the study "Analyzing Third Party Service Dependencies in Modern Web
Services: Have We Learned from the Mirai-Dyn Incident," a team of Carnegie Mellon University researchers found that despite the highly publicized Dyn outage, for the period of 2016 to 2020, 89% of the Alexa top-100K websites critically depend on third-party DNS providers, that is, if these DNS providers go down, for instance through DDoS attacks, these websites could suffer service disruption.
The Carnegie Mellon University study also found third-party critical dependencies are higher for lower-ranked websites. The Carnegie Mellon University researchers added, “Moreover, we observe that redundancy decreases with popularity; i.e., more popular websites care more about availability as compared to less popular ones.”
The DDoS attack on Dyn in 2016 showed that third-party DNS providers aren’t immune to cyber risks such as DDoS attacks that are faced by small organizations.
One lesson out of the DDoS attack on Dyn in 2016 is the need to have a backup DNS resolver or provider. Twitter, for instance, added redundancy or backup by deploying a private DNS in addition to Dyn (now Oracle). Only a few organizations, however, can do what Twitter did as many can’t afford a private DNS infrastructure.
According to Carnegie Mellon University researchers, only a small fraction of websites have DNS infrastructure backup due to the following reasons:
DNS Amplification DDoS attack hit Dyn in 2016. Since DNS is UDP based, it opens the door to IP spoofing and amplification attack. In IP spoofing, attackers falsify the source IP header to mask their identity. UDP-based DNS also allows for an attack amplification technique in which 1Mbps of attack traffic can end up becoming 100Mbps reflected on the victim.
DDoS protection is available against DNS Amplification DDoS attacks. Imperva’s DDoS Protection for DNS is the first destination for all DNS queries. “Acting as a secure proxy, Imperva prevents illegal DNS queries from reaching your server while masking it from direct-to-IP network layer attacks,” Imperva said in a statement.
Rise of Phishing and DDoS Attacks in the Education Sector
COVID-19 resulted in the temporary shutdown of schools and universities across the world. This has given rise to online classes, whereby classes are conducted remotely and on digital platforms.
As schools and universities across the world reopen, many opt for mixed physical and online classes, while some still opting for purely online classes. The shift to online classes, however, has opened a window for malicious actors to exploit.
The shift to online classes gives rise to phishing attacks and distributed denial of service (DDoS) attacks directed against the education sector.
Phishing is one of the oldest and popular forms of cybercrimes. In a phishing campaign, intended victims, whether targeted or random individuals, are tricked into clicking something leading to the stealing of data or the downloading of malicious software (malware).
Microsoft Security Intelligence has found that as of September 7, 2020, out of the nearly 8.7 million malware encounters reported in the last 30 days, 59.84% came from the education sector, making it the most affected sector.
In the report “Digital Education: The cyberrisks of the online classroom”, Kaspersky Lab said that attackers lure victims in downloading malware by bundling fake versions of popular video meeting apps and online course platforms as legitimate application installers. Victims encounter these fake video meeting apps and online course platform installers through phishing websites – referring to sites designed to look like legitimate websites supposedly for downloading popular video meeting apps and online course platform app installers.
Another way by which victims encounter these fake video meeting apps and online course platform installers is through phishing emails that masquerade as special offers or notifications. Downloading of the fake video meeting apps and online course platform installers either from phishing websites or phishing emails could lead to the installation and running of malicious software on the victim’s computer or stealing of sensitive data.
In April of this year, researchers at Check Point reported that in just a span of 3 weeks, nearly 2,500 new websites relating to the video conferencing app Zoom were registered. Out of these 2,500 new Zoom-related websites, 1.5% of these websites were found as malicious and the other 13% were found as suspicious. The researchers added that cybercriminals impersonated other video conferencing apps such as Microsoft Teams and Google Meet.
Researchers at Check Point reported that victims fell prey to phishing emails that came with the subject “You have been added to a team in Microsoft Teams“. The phishing emails contained a malicious website URL, which on the first glance looks similar to the legitimate Microsoft Teams URL. A double-check, however, of this URL shows that this URL is a fake one and victims who landed on this fake Microsoft Team site ended up downloading a malware.
Distributed Denial-of-Service (DDoS) Attacks
In a DDoS attack, a botnet – referring to a network of computers infected with self-propagating malware – is used by an attacker in overwhelming the target or its surrounding infrastructure with a flood of internet traffic. According to Kaspersky Lab, between January 2020 and June 2020, the number of DDoS attacks affecting the education sector increased by at least 350% when compared to the corresponding month in 2019.
Authorities recently arrested a 16-year-old in connection with a series of DDoS attacks on Miami-Dade County Public Schools that disrupted the district's first week of online classes. The teenager admitted to launching the DDoS attacks using Low Orbit Ion Cannon (LOIC).
LOIC is a decade-old application developed originally used for network stress testing. Since becoming an open-source application it has been used for malicious activities such as DDoS attacks. A successful DDoS attack using LOIC floods a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
A DDoS attack via LOIC uses IRC chat channels to run a “Hivemind” version of the LOIC. This allows a primary user of the IRC chat to control secondary computers, creating a botnet – referring to a network of computers controlled by the primary user for malicious activities such as DDoS.
LOIC was used in the past to launch DDoS attacks against Visa and MasterCard websites in response to the freezing of payments to WikiLeaks. The thing about using LOIC in launching DDoS attacks is that attackers are unable to hide their IP addresses, making it easy for authorities to track them down. Due to this IP address visibility, authorities in many countries have taken legal actions against DDoS attackers leveraging LOIC.
Preventive and Mitigating Measures Against Phishing and DDoS Attacks
To stay safe from phishing attacks, be wary of clicking anything online as these could lead you to phishing sites. Also double-check URLs as a difference in one letter or character could lead you to a malicious site.
To stay safe against DDoS attacks, including DDoS attacks leveraging LOIC, use WAF, short for Web Application Firewall. WAF specifically provides strong protection against HTTP floods. As protection against TCP and UDP, use a dedicated DDoS protection.
DDoS Extortions Return
Over the past few weeks, a group of cybercriminals has launched distributed denial-of-service (DDoS) attacks targeting companies in the finance and retail sectors and demanding ransom payment for the attacks to stop.
In the blog post "Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail", Akamai reported that over the past few weeks, a series of DDoS attacks from the so-called "Armada Collective" and "Fancy Bear" actors have targeted businesses across multiple sectors, including finance and retail, and these DDoS attacks come with extortion demands. Some of the attacks peaked at almost 200 gigabyte per second (GB/s), Akamai said.
ZDNet likewise reported that in the past weeks, a criminal group that goes with the names "Armada Collective" and "Fancy Bear" has launched DDoS attacks against some of the biggest financial service providers and demanded payments in the form of the cryptocurrency bitcoin as extortion fees to stop the DDoS attacks.
Incidentally, a few days ago, the operations of the New Zealand stock exchange were disrupted as a result of a DDoS attack. Other than the comment that the attack came from overseas, authorities in New Zealand won't comment on whether or not the DDoS attack also involved a ransom demand.
Evolution of DDoS Extortions
DDoS extortion is nothing new. This type of extortion has been around in the last few years. The recent DDoS extortions, however, differ with the older DDoS extortions in terms of methods and severity.
The recent DDoS extortion campaign described by Akamai and ZDNet resembled that the type of DDoS extortion campaign described in the alert entitled "DDoS extortion campaign targeting financial sector" released on November 1, 2019 by the Computer Emergency Response Team New Zealand (CERT NZ).
According to CERT NZ, it received reports relating to a DDoS extortion campaign targeting companies within the financial sector in New Zealand. This extortion campaign had also been observed in other countries, CERT NZ said. As described by CERT NZ, the DDoS extortion campaign followed these steps:
First, the target company receives an email stating “We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack.” In the email, the attackers give the target company a deadline when the major DDoS will happen and demand from the target ransom to prevent the said major DDoS attack.
Second, to threaten the target that the major DDoS attack is coming, a minor DDoS is launched against an IP address belonging to the company's network. These demo attacks generally last for 30 minutes.
In the DDoS extortion campaign observed by Akamai, the targets were warned that going public about the extortion demand will result in the immediate major DDoS attack. The extortion demand also threatens the targets that the major attack will make websites and other connected services "unavailable for everyone" and will harm the target's reputation.
While past DDoS extortion campaigns targeted the victims' websites, the recent extortion campaign described by CERT NZ, Akamai and ZDNet targeted the victims' backend infrastructure, resulting in prolonged and severe outages. An example of a backend infrastructure is the DDoS attack on the target's web hosting provider resulting in the outages of the ultimate target's website.
In the case of the attack of the New Zealand stock exchange, the stock exchange's web hosting provider Spark was targeted in a series of DDoS attacks, resulting in the outages at the New Zealand stock exchange as well as downtime of the websites of Spark's other customers.
Reflective DDoS Techniques
In the November 2019 alert, the CERT NZ said that the so-called Fancy Bear threat group overwhelms the target using a variety of reflective DDoS techniques, with targets including services using the following protocols:
A reflective DDoS technique is a DDoS attack that depends on publicly accessible UDP servers to overwhelm a victim’s system with UDP traffic. UDP, short for User Datagram Protocol, is an internet communication protocol for time-sensitive transmissions such as video chat. UDP is designed not to validate source Internet Protocol (IP) addresses for the protocol to operate very quickly. This, however, creates an exploitation opportunity for attackers.
In general, in a reflective DDoS attack, an attacker who’s capable to spoof IP addresses sends fake requests to a vulnerable UDP server. The UDP server, not knowing the request is fake, prepares the response. These UDP responses are delivered to an unsuspecting target, overwhelming the target’s resources such as the network itself.
Best Practices Against DDoS Extortions
It’s recommended not to pay ransom to DDoS extortionists. Ransom payment only encourages extortionists to attack your organization again.
Like any other types of DDoS attacks, in DDoS attacks using reflective techniques, two groups are exploited by the attackers: the ultimate target and vulnerable computers, in this case, vulnerable UDP servers. In order to prevent your organization’s computers from being used for reflective DDoS attacks, it’s best to stop using UDP when not needed. If UDP is needed, configure it to always respond with smaller packet size. It’s also important to use a Firewall.
To protect your organization from being the ultimate target of a reflective DDoS attack, it’s best to work with your trusted cybersecurity service provider and use a DDoS protection service to prevent the DDoS traffic from reaching your organization’s systems.
The Driz Group specialized in DDoS protection and can mitigate the DDoS attack in just a few minutes.
How DDoS Threat Landscape Has Evolved Over Time
Through the years, distributed denial-of-service (DDoS) – a form of cyberattack originating from multiple systems and overwhelming one specific service or website using malicious data or requests – has evolved and grown stronger and more prevalent.
Evolution of the DDoS Threat Landscape
The Morris Worm
DDoS threat has been around ever since humanity decided to interconnect computers. The malicious software dubbed as “Morris worm”, which was unleashed prior to the invention of the World Wide Web, is considered by some as the first DDoS attack.
Morris worm replicated a copy of itself and propagated itself at a remarkable speed to computers belonging to a number of the prestigious colleges and public and private research centers that made up the ARPANET – an early prototype for the internet. On November 2, 1988, in just 24 hours, the Morris worm affected an estimated 6,000 of the approximately 60,000 computers that were then connected to ARPANET.
The unleashing of the Morris worm resulted in slowing to a crawl vital military and university functions and delayed emails for days. The creator of the Morris worm, then 23-year-old Cornell University graduate student Robert Tappan Morris unleashed out the worm by exploiting security vulnerabilities in a specific version of the Unix operating system. The worm was also unleashed by attempting to break into user accounts on an infected machine using brute force attacks, that is, guessing weak passwords similar to modern-day brute force attacks.
MafiaBoy DDoS Attack
While not the first DDoS attack in the World Wide Web era, the DDoS attacks carried out by MafiaBoy, then 15-year old Michael Calce from Montreal, Canada, were notable as this teenager launched a series of high-profile DDoS attacks in February 2000 against large commercial websites, including eBay, Amazon and E*Trade. In carrying out his DDoS attacks, Calce modified the code written by another hacker. Calce compromised nearly 200 university networks and brought this under his control to launch DDoS attacks against specific targets.
In the book "Mafiaboy: A Portrait of the Hacker as a Young Man", Calce wrote that he scanned the internet for university-owned servers withsecurity weaknesses that he could exploit. "Once I found at least one, I ran a program I had found called Hunter to hijack that computer's connection."
In the age of Internet of Things (IoT), the DDoS attacks carried out Mirai stand out. Mirai is a malicious software (malware) that compromises poorly secured IoT devices such as wireless routers and security cameras into a botnet to conduct large-scale DDoS attacks. A botnet refers to a network of compromised computers coordinating as one to carry out instructions at the direction of their master – a malicious threat actor.
On September 30, 2016, Mirai source code was leaked online by one of its authors, Paras Jha. The Mirai source code was later used by different malicious actors in launching DDoS attacks.
Mirai exploits the habit of IoT users of not changing the default login details. At its height, nearly 400,000 IoT devices were hijacked by Mirai for DDoS attacks.
One notable DDoS attack utilizing the Mirai source code was the DDoS attack on internet infrastructure services provider Dyn DNS (now Oracle DYN) in October 2016. The DDoS attack on this internet infrastructure, which enslaved 100,000 devices including IP cameras and printers, disrupted the services of major websites such as Amazon, Netflix, Reddit, Spotify and Twitter.
Memcached-Based DDoS Attacks
In February 2018, DDoS attackers used a new attack method that exploited a lesser number of devices but produced a bigger punch. GitHub reported on February 28, 2018 that GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a DDoS attack. The DDoS attack on GitHub peaked at 1.35 Tbps – then setting the record of the largest DDoS attack.
In analyzing the DDoS attack on GitHub, Cloudflare reported that the attack on GitHub exploited 5,729 memcached servers that were inadvertently made accessible on the internet. Memcached is an open-source distributed memory caching system for speeding up applications.
"Launching such an attack [by exploiting Memcached] is easy," Cloudflare said. "First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the 'get' request message with target Source IP. In practice, we've seen a 15 byte request result in a 750kB response (that's a 51,200x amplification)."
With nearly 100,000 Memcached servers exposed to the internet, Cloudflare said at that time that it's expecting to see much larger attacks in the future.
Days after the GitHub attack, NetScout reported an even larger DDoS attack, victimizing a US-based service provider. This time peaking at 1.7Tbps. "The attack utilized a Memcached ... Reflection & Amplification vector to accomplish such a massive attack," NetScout said.
CLDAP-Based DDoS Attack
In the 1st quarter of 2020, Amazon reported that in February of this year, it detected and mitigated a DDoS attack targeting an AWS customer. The DDoS attack, Amazon said, peaked at 2.3 Tbps and caused three days of “elevated threat".
According to Amazon, the DDoS attack on one of its AWS customers exploited Connection-less Lightweight Directory Access Protocol (CLDAP) web servers. CLDAP is used to connect, search, and modify internet-shared directories. DDoS attackers have made CLDAPexploitation as part of their arsenal since 2016.
Imperva's 2019 Global DDoS Threat Landscape Report found that large-scale DDoS attacks were outside of the norm. "Overall, we saw attacks that were smaller, shorter, and more persistent," Imperva said. "While this trend may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in, it’s no match for Imperva, where time to mitigation is near zero."
Many companies that call us have fallen victim to a DDoS attack, and paid ransom to cybercriminals to stop the attacks and resume normal business operations.
Protect your website, web applications and your network today and avoid costly business interruptions.
Using state of the art technology, our team will mitigate a DDoS attack in just 10-seconds, protecting your revenues, your assets and your reputation.
Amazon Records 2.3 Tbps DDoS Attack, Largest To Date
Amazon recently revealed that it detected and mitigated the largest distributed denial-of-service (DDoS) attack to date, targeting one of Amazon Web Services (AWS) customers.
In the "AWS Shield Threat Landscape Report – Q1 2020", Amazon said its threat protection service called "AWS Shield" detected and mitigated a DDoS attack in one of AWS customers with a previously unseen volume of 2.3 Tbps (terabytes per second). TBps refers to a data transmission rate equivalent to 1,000 gigabytes or 1,000,000,000,000 bytes per second.
In March 2018, NETSCOUT Arbor reported that it detected and mitigated the previous record holder for the largest DDoS attack which peaked at 1.7 Tbps, an attack targeted at a customer of a U.S. based service provider. The 1.7 Tbps DDoS attack came just heels after the previous record holder of the largest DDoS attack – an attack that specifically targeted GitHub in February 2018.
The AWS DDoS Attack
In a DDoS attack, multiple computers act as one unit to attack one target. Attackers often hijack and take control of vulnerable computers for the purpose of DDoS attacks by taking advantage of the security vulnerabilities or misconfigurations on these computers.
According to Amazon, the DDoS attack that targeted one of the company's AWS customers "caused 3 days of elevated threat during a single week in February 2020 before subsiding". Amazon said that the unnamed DDoS attacker or attackers utilized an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP) in launching the DDoS attack.
CLDAP is a cross-platform protocol and often used on Microsoft Active Directory networks to retrieve server information. From October 2016 to January 2017, Akamai reported that it detected and mitigated a total of 50 CLDAP reflection attacks, 33 of which exclusively used CLDAP reflection.
On January 7, 2017, Akamai said it detected and mitigated the largest DDoS attack using CLDAP reflection as the sole vector at the time, reaching peak bandwidth of 24 gigabytes per second (GBps), and peak packets per second of 2 million packets per second. Akamai added that the CLDAP protocol allows DDoS attacks to amplify 56 to 70 times.
"The query payload is only 52 bytes ...," Akamai said regarding thisJanuary 7, 2017 CLDAP reflection DDoS attack. "This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x, although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x."
The DDoS attack detected and mitigated by NETSCOUT Arbor and the DDoS attack on GitHub in 2018, meanwhile, were launched by taking advantage of internet-exposed Memcached protocol – a general-purpose distributed memory-caching system. Attack vectors of the topmost DDoS attacks are often used by DDoS-for-hire services in launching DDoS attacks.
In the case of the DDoS attack on GitHub, the amplification factor reached up to 51 times, which means that for each byte sent by the DDoS attacker, up to 51KB is sent toward the target. At the time of the GitHub DDoS attack, Shodan – a search engine that allows users to find specific types of computers connected to the internet using filters – reported 88,000 internet-exposed memcached servers.
In 2018, DDoS-for-hire services took advantage of the close to 100,000 memcached servers exposed to the internet. Since 2016 also, DDoS-for-hire services have been taking advantage of exposed CLDAP protocol.
In taking advantage of vulnerable computers with higher amplification or reflection factor, significant attack bandwidth can be produced with fewer compromised computers. Taking advantage of servers using CLDAP protocol and memcached protocol for reflection/amplification DDoS attacks work the same by sending spoofed requests to a vulnerable server, which then responds with a larger amount of data than the initial spoofed request, amplifying the volume of traffic.
Preventive and Mitigating Measures Against DDoS Attacks
DDoS attacks that are taking advantage of the CLDAP protocol start with servers that are exposed to the internet with port 389 open and listening. DDoS attackers simply scan the internet for these open port 389 and add these to a list of amplifiers or reflectors.
Don't be a part of the bigger DDoS reflection/amplification problem. If your organization doesn't need the CLDAP protocol, close this DDoS amplification egress by not exposing this protocol to the internet, that is, by blocking port 389. In the case of DDoS attacks taking advantage of exposed memcached servers, one of the prevented measures in preventing attackers in hijacking memcached servers for DDoS attacks is by disabling UDP.
Most often, however, DDoS attacks don’t reach the terabyte. According to Amazon, most of the DDoS events involving CLDAP protocol in the first quarter of 2020 was 43 Gbps.
While many DDoS attacks are non-terabyte attacks, such attacks still disrupt normal business operations and denying legitimate users access to victims’ IT infrastructure. Imperva’s 2019 Global DDoS Threat Landscape Report showed that most DDoS attacks were short, with 51% lasting less than 15 minutes. While most DDoS attacks were short, Imperva reported that the vast majority of DDoS attacks were persistent and aimed at the same targets. “Attackers either launched DDoS assaults in short streaks – two-thirds of targets were attacked up to five times – or were ultra-persistent, with a quarter of targets attacked 10 times or more,” Imperva reported.
DDoS Attacks Accelerate Amid the COVID-19 Pandemic, Reports Show
Since the start of the global COVID-19 pandemic, reports show that distributed denial of service (DDoS) attacks have accelerated.
A report from NETSCOUT Arbor showed that DDoS attack count and bandwidth have all seen significant increases since the start of the global COVID-19 pandemic. From March 11th to April 11th of 2020, NETSCOUT reported that it observed more than 864,000 DDoS attacks – the single largest number of DDoS attacks that the organization had seen over any other 31-day period to date.
The number of DDoS attacks during the March 11th to April 11th of 2020, NETSCOUT Arbor said surpassed that of the DDoS count during the December 2019 holiday period which peaked at 751,000. From November 11th of 2019 to March 11th of 2020, NETSCOUT Arbor reported that it observed an average of 735,000 DDoS attacks per month.
According to NETSCOUT Arbor, while terabit-class DDoS attacks make the headlines, the most significant DDoS-related metric goes to the sheer amount of bandwidth (bps) and throughput (pps) consumed by DDoS attacks. From March 11th to April 11th of 2020, NETSCOUT Arbor reported that it observed a whopping 1.01 pbps and 208 gpps of aggregate DDoS attack traffic. This aggregate DDoS attack traffic, NETSCOUT Arbor said represents a 14% increase in attack bps and a 31% increase in attack pps.
Imperva’s March 2020 Cyber Threat Index Report, meanwhile, revealed that for the month of March 2020, DDoS attacks on financial, food and beverage industries across multiple countries spiked amid the COVID-19 pandemic. According to Imperva, websites in the food & beverage industry experienced more attacks, with 6% increase in DDoS attacks.
DDoS attacks in the food & beverage industry in Germany, Imperva reported, spiked by 125%. Earlier, on March 19, 2020, Takeaway.com, one of the leading online food delivery marketplace that connects consumers and restaurants in several European countries, including Germany reported that one of its websites was under DDoS. Jitse Groen, Founder and CEO of Takeaway.com revealed via Twitter that the DDoS attacker or attackers demanded 2 bitcoins (valued nearly USD 14,000 at the time of the demand) for the DDoS attack to stop. The attackers also threatened to launch a DDoS attack on the company’s other website.
Imperva added that it also observed an increased volume of DDoS attacks on the financial industry globally, with 3% increase. DDoS attacks in the financial industry in Italy (+44%), UK (+21%) and Spain (+18%) were notably larger, Imperva said.
“With attacks on the rise in the food and beverage and financial services industries, companies need to employ effective security strategies to balance the new load of traffic to their websites and mitigate new risks,” Nadav Avital, head of security research at Imperva, said.
Biggest DDoS Attack Ever Recorded
On February 28, 2020, GitHub – a website that allows software developers to store and manage their software code – was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a DDoS attack.
According to GitHub, the DDoS attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. The DDoS attack peaked at 1.35Tbps via 126.9 million packets per second, GitHub said.
GitHub added that the DDoS attackers specifically used the memcached-based approach. Cloudflare describes memcached DDoS this way: “A memcached distributed denial-of-service (DDoS) attack is a type of cyber-attack in which an attacker attempts to overload a targeted victim with internet traffic. The attacker spoofs requests to a vulnerable UDP memcached server, which then floods a targeted victim with internet traffic, potentially overwhelming the victim’s resources. While the target’s internet infrastructure is overloaded, new requests cannot be processed and regular traffic is unable to access the internet resource, resulting in denial-of-service.”
DDoS Protection Amid the COVID-19 Pandemic
COVID-19 was declared by the World Health Organization (WHO) as a pandemic on March 11, 2020. Since then, quarantine sites in many parts of the world were ordered, giving the global community a new normal: staying at home. As people are mandated to stay at home, online communication has become a lifeline for many people to work, shop and study online.
With the rise of internet traffic, organizations can mistakenly believe that all traffic comes from legitimate sources. Not all internet traffic, however, come legitimate sources as an increase in internet traffic could be a sign of a DDoS attack.
Signs of a DDoS attack resemble that of a typical legitimate internet traffic, including unusually slow in opening a file or accessing a website; unavailability of a website; or inability to access a website. DDoS campaigns can last from minutes to hours, while others can go on for months and even for years.
It’s important to be able to distinguish between a legitimate traffic from a DDoS attack. At the outset, malicious traffic can be detected and identified via firewall or intrusion detection system. Signs of malicious network traffic include traffic from an unusual geographical location or suspicious IP addresses.
It’s also important to note that DDoS attacks could simply be a simple diversionary tactic used by attackers to hide their main intention of conducting other malicious activities in your organization’s network.
Speak with our experts today to mitigate the DDoS risks. Protect you most valuable assets and keep cybercriminals at bay.
DDoS Attacks Are Getting Smaller, Shorter & More Persistent, Study Shows
A recent study released by Imperva showed that DDoS attacks are getting smaller, shorter and more persistent – a trend that shows that attackers are hoping to cause great damage before the activation of DDoS mitigating measures.
What Is DDoS Attack?
DDoS, short for distributed denial-of-service, is a type of cyber-attack in which multiple computers operate together as one to attack a target, for instance, a particular website.
Attackers typically use botnets to carry out DDoS attacks. A botnet is a group of internet-connected computers that are hijacked by malicious actors. These hijacked computers are then controlled by attackers as one “zombie army” to attack a chosen target.
There are two general types of DDoS attacks, the network layer attack and application layer attack. In network layer DDoS attacks, malicious actors “clog the pipelines” connecting to the target network, resulting in severe operational damages, such as account suspension. In application layer DDoS attacks, malicious actors flood a target application with seemingly innocent requests, resulting in high CPU and memory usage leading to the eventual hanging or crashing of the targeted application.
In network layer DDoS attack, the attack is measured by gigabits per second (Gbps) or packets per second (PPS), while in application layer DDoS attack, the attack is measured by requests per second (RPS). Most mid-sized websites can be crippled by 50 to 100 RPS application layer DDoS attacks, and most network infrastructures can be shut down by 20 to 40 Gbps network layer DDoS attacks.
Prevalence of DDoS Attacks
“Overall, we saw attacks that were smaller, shorter, and more persistent,” Imperva said in the company’s 2019 Global DDoS Threat Landscape Report. The company said that this trend “may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in”.
Imperva reported that most DDoS attacks in 2019 were short, with 51% lasting less than 15 minutes. The report also showed that DDoS attacks in 2019 were conducted in short streaks, with two-thirds of targets attacked up to five times and a quarter of targets attacked 10 times or more.
Imperva added that while the norm of DDoS attacks in 2019 was small, the company recorded the largest network layer DDoS attack and application layer DDoS attack. The company said it recorded a network layer DDoS attack that reached 580 million packets per second (PPS), and a separate application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS).
According to Imperva, the top attacked industries in 2019 were games (35.92%), gambling (31.25%), computers and internet (26.51%), business (3.37%) and finance (2.95%); while the top attacked territories were India (22.57%), Taiwan (14.79%), Hong Kong (12.23%), Philippines (11.36%) and United States (8.73%). In 2019, Imperva said application layer attack requests overwhelmingly came from the Philippines and China. The company, however, noted, “Those source origination points were notedly the location of the machines used to carry out the attacks, not necessarily the location of the attackers themselves.”
The Role of Botnets
Imperva’s analysis of the largest application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS) showed that most of the IPs had the same opened ports: 2000 and 7547. The Mirai botnet has been known to target IoT devices exposed to the internet via TCP port 2000 and 7547.
The Mirai botnet was first observed in the wild in 2016. This botnet hijacked IoT devices via factory default usernames and passwords. The release of the Mirai’s source code on September 30, 2016 resulted in the development of new versions of Mirai, with some versions targeting different vendors of IoT devices and some adding new functionalities.
The DDoS attack on the domain name service (DNS) provider Dyn on October 21, 2016 was attributed to the Mirai botnet. The DDoS attack on Dyn resulted in temporarily bringing down America’s top websites such as Twitter, Netflix and Reddit.
In the 4th quarter of 2019, researchers at 360 Netlab reported 2 new botnets: Roboto and Mozi. In November 2019, 360Netlab researchers reported that Roboto attacks Linux servers via CVE-2019-15107, a security vulnerability in the Webmin remote administration application. While Roboto has DDoS capability, the researchers said, there’s no evidence yet that a DDoS attack has been launched by this botnet.
In December 2019, researchers at 360 Netlab reported that Mozi attacks IoT devices, exploiting a handful of security vulnerabilities, including CVE-2014-8361, a security vulnerability in Realtek routers that allows remote attackers to execute arbitrary code, and CVE-2018-10562, a security vulnerability in GPON routers in which the router saves ping results, enabling attackers to execute commands and retrieve their outputs.
While a typical DDoS botnet operates using a command-and-control (C2) server – a computer controlled by an attacker to send malicious commands to infected computers, both Roboto and Mozi rely on peer-to-peer (P2) networks. In P2 networks, decentralized networks of infected computers or “bots” communicate with one another, instead of communicating with a centralized command-and-control server.
The of use P2 networks by cyber criminals isn’t a new thing. For years, attackers have used P2 networks from stealing data to sending malicious commands. P2 networks have been used by attackers to evade the efforts to take down C2 servers. Authorities such as the FBI and technology companies have had success in shutting down botnets that rely on C2 servers to steal data or send malicious commands. By taking down a C2 server, the zombie army or hijacked computers are rendered useless.
Would you like to learn more and see how to protect your organization and mitigate DDoS attacks in under 10-minutes, with no hardware or software to buy or install?
Recent DDoS Attacks Leverage TCP Amplification
A recent report from Radware showed that attackers over the past month have been leveraging TCP amplification in launching distributed denial-of-service (DDoS) attacks.
What Is TCP Amplification?
TCP amplification is one of the lesser-known ways attackers perform DDoS attacks. In a DDoS attack, multiple computers are operating together to attack a particular target, for instance, a website.
TCP is a set of rules that’s applied whenever computers connected to the internet try to communicate with one another, enabling them to transmit and receive data. With TCP, connection is only established with a three-way-handshake, also known as SYN, SYN-ACK, and ACK. During the three-way-handshake, the IP addresses of both communication parties are veriﬁed via random sequence numbers.
1. SYN (Synchronize)
This first handshake happens when computer X, for instance, sends a message containing a random sequence number to another computer, let’s call this computer Z.
2. SYN-ACK (Synchronize-Acknowledge)
This second handshake happens when computer Z responds via an acknowledgment number and a random sequence number.
3. ACK (Acknowledge)
This third handshake happens when computer X completes the connection setup by sending a ﬁnal acknowledgment to computer Z via a sequence number and acknowledgment number.
Ampliﬁcation DDoS attack, meanwhile, refers to an attack in which an attacker doesn’t directly send trafﬁc to the ultimate target but rather sends spoofed network packets to a large number of devices, also known as reflectors or ampliﬁers. Attackers often use ampliﬁers that send back responses that are significantly larger than the requests, resulting in an increased or ampliﬁed attack volume. TCP was initially thought to be immune from amplification attacks due to its three-way-handshake.
TCP’s vulnerability to amplification attacks was reported back in 2014. In the paper “Exit from Hell? Reducing the Impact of Ampliﬁcation DDoS Attacks”, researchers at Ruhr-University Bochum demonstrated that even with the three-way-handshake TCP is still vulnerable to ampliﬁcation DDoS attacks. According to the researchers, TCP is vulnerable to ampliﬁcation DDoS attacks as SYN/ACK segments are resent until connection is successfully established, connection times out, or connection is manually closed.
Resending of SYN/ACK segments, the researchers said, overloads the capacity of the victim’s network. “In face of ampliﬁcation attacks, this is problematic, as the client’s IP address is not validated until the handshake is complete,” the researchers said.
In this 2014 study, the researchers showed that hundreds of thousands of devices, mostly business and consumer routing devices, were vulnerable to be abused for ampliﬁcation DDoS attacks as these devices repeatedly sent up to 20 SYN/ACK packets in response.
In the follow-up paper "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks", researchers at Ruhr-University Bochum identified thousands of TCP-based protocols that allow amplification of factor 50 times and higher. In this follow-up paper, the researchers also identified more than 4.8 million devices vulnerable to an average ampliﬁcation factor of 112 times. They also identiﬁed thousands of devices that can be abused for ampliﬁcation up to a factor of almost 80,000 times, reﬂecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
From the viewpoint of the attackers, the researchers said, abusing TCP brings multiple beneﬁts as there are millions of potential TCP ampliﬁers out there and ﬁxing them is an “infeasible operation”. According to the researchers, the root cause of the ampliﬁcation DDoS attacks is IP address spooﬁng which "enables attackers to specify arbitrary targets that are ﬂooded with reﬂected trafﬁc”.
TCP Amplification Attacks + Carpet Bombing
Radware reported that last month, European sports gambling website Eurobet experienced TCP amplification attacks that lasted for nearly 30 days. Radware also reported that last month, Turkish financial services company Garanti experienced TCP amplification attacks.
In the case of TCP amplification attacks on Garanti, Radware said, "In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
According to Radware, TCP amplification attacks are combined with a technique called “carpet bombing”. Carpet bombing attack is a type of DDoS attack where instead of focusing the attack on a single IP, random IP addresses of the victim’s network are attacked. Radware reported that over the last few months, carpet bombing has been used in a number of attacks against South African internet service providers (ISPs).
Impacts, Preventive and Mitigating Measures
By leveraging carpet bombing technique, attackers increase the attack surface; and by leveraging TCP amplification, attackers increase the hit rate onto the victim’s services. For now, however, carpet bombing has been predominantly used against ISPs.
While the recent TCP amplification attacks targeted large organizations, the victims of these attacks also include small organizations and homeowners who owned devices used for the TCP amplification attacks. As the main targets of TCP amplification attacks were overwhelmed by traffic and suffered outages as a consequence, the devices used in the TCP amplification attacks – those that processed the spoofed requests and legitimate replies from the main target of the DDoS – also experienced spikes in traffic, resulting in outages.
IP blacklisting is one of the options in preventing DDoS attacks. In the case of TCP amplification attacks that rely on IP address spooﬁng, IP blacklisting has some pros and cons.
One of the disadvantages of IP blacklisting in TCP amplification attacks is that legitimate users could be affected by this blacklisting as malicious actors could mimic their IP address.
Speak with our expert team today and prevent and mitigate denial of service attacks with iron-clad guarantees. No equipment to purchase, install or maintain.
Schedule a consultation today and protect your organization.
Wikipedia and World of Warcraft Classic Targeted for DDoS Attacks
Distributed denial-of-service (DDoS) again made the headlines over the weekend with the attacks on the popular online encyclopedia Wikipedia and popular online role-playing game World of Warcraft Classic. These latest incidents show that malicious actors are continually targeting vulnerable devices and online services for DDoS attacks.
In a statement released last September 7, Wikimedia Foundation, said that Wikipedia was hit with a “malicious attack”, making the site inaccessible to site visitors in several countries for intermittent periods. Wikimedia Deutschland, meanwhile, outrightly called the attack as “DDoS attack”, announcing via its Twitter account that Wikimedia servers, on which Wikipedia is also hosted, are being “paralyzed by a massive and very broad DDoS attack”.
According to the report by the civil society group NetBlocks, Wikipedia became intermittently unavailable as of approximately 6:00 p.m. UTC September 6, 2019 and at 1:30 a.m. UTC, the attack extended to a near-total outage in the United States and much of the world, continuing up until 2:40 a.m. UTC.
Last September 7 also, Blizzard Entertainment, owner of the World of Warcraft Classic, via its Twitter account said, “Some online services continue to be impacted by a series of DDoS attacks which are resulting in high latency and disconnections.”
It isn’t yet confirmed whether the DDoS attacks on Wikipedia and World of Warcraft Classic are related. A Twitter account claiming responsibility on the DDoS attacks on Wikipedia and World of Warcraft Classic was taken down by Twitter.
DDoS Attacks Prevalence
Wikipedia and Blizzard Entertainment are no stranger to DDoS attacks. On May 15, 2019, NetBlocksreported that Wikipedia became temporarily unavailable internationally. NetBlocks said that its global internet observatory data showed that the incident wasn’t related to filtering or blocking, and was rather likely caused by a DDoS attack.
NetBlocks said that DDoS attacks are distinct from state filtering or blocking, as these attacks have broader international impact but typically last for short periods. Wikipedia is totally blocked in Turkey, is varyingly restricted in China, and was briefly filtered in Venezuela early this year.
In August 2017, meanwhile, Blizzard Entertainmentreported another set of DDoS attacks on its networks. No person or group has taken responsibility for the 2017 DDoS attacks on Blizzard Entertainment and May 2019 incident on Wikipedia.
Real-time gaming networks have been favorite DDoS targets by malicious actors. In August 2014, Sony’s PlayStationnetworks were taken offline as a result of a DDoS attack. The threat group called “Lizard Squad” claimed responsibility over the Sony’s PlayStation networks DDoS attack.
KrebsOnSecurityreported that Lizard Squad controlled a botnet comprised of hacked home routers and commercial routers at universities and companies from around the globe. A botnet is a group of computers infected with the same malicious software (malware) and controlled by a threat actor or actors for the purpose of conducting malicious activities such as DDoS attacks. KrebsOnSecurity reported the botnet controlled by Lizard Squad group drew internet bandwidth from routers around the globe by exploiting the use of factory-default usernames and passwords.
The Mirai botnet, a much bigger botnet, which at its height controlled hundreds of thousands of IoT devices such as routers and CCTV cameras, brought down a big chunk of the internet for most of the U.S. east coast as a result of the DDoS attack on Dyn, an internet infrastructure company.
The recent Wikipedia DDoS attack, according to NetBlocks, is understood to have been amplified through insecure devices.
Prevention and Mitigation
In a DDoS attack, both the owners of computers or Internet of Things (IoT) devices and owners of targeted online services play an important role. IoT, such as routers, small as they are, are also computers. Owners of these devices, however, don’t view these devices like typical computers such as laptops, with many owners leaving these devices vulnerable to attacks by opting to use the default-factory login details.
The threat of DDoS attack is real as malicious actors have the technology to control not just IoT devices but ordinary computers as well. French authorities and antivirus solution provider Avastrecently took down the botnet called “Retadup”, which controlled nearly a million computers worldwide. It isn’t yet known how the Retadup malware initially infected these nearly one million computers.
In an ideal world, owners of IoT devices and internet-facing desktop or laptop computers have the responsibility to protect these computers from being used as an army for DDoS attacks by practicing basic cyber hygiene such as changing default-factory usernames and passwords and by applying the latest security updates.
DDoS protection is all the more important in organizations that rely on providing online services. While your organization may have no control over the cyber hygiene of other IoT devices, desktop and laptop users, your organization can undertake cyber security measures in order to mitigate the effects of DDoS attacks.
Mitigating measures against DDoS attacks are broadly categorized into do-it-yourself (DIY) methods, on-premise mitigation appliances and off-premise cloud-based solutions. DIY methods, such as manual IP blacklisting, is often a reactionary measure in response to a successful first DDoS attack that already caused hours of downtime.
On-premise mitigation appliances refer to hardware appliances deployed inside a network and placed in front of protected servers. Compared to DIY methods, on-premise mitigation appliances have advanced traffic filtering capabilities such as geo-blocking, rate limiting, IP reputation and signature identification.
Off-premise cloud-based solutions, meanwhile, offer virtually limitless scalability and don’t require investment in security personnel or expenses for DIY solutions and on-premise hardware.
Connect with our web application securityexperts and protect your mission critical infrastructure in less than 10-minutes.
Steve E. Driz, I.S.P., ITCP