Netscout: DDoS Attacks and Attackers Are Evolving

Evident in NETSCOUT’s 14th Worldwide Infrastructure Security Report (WISR) findings is the current game of whack-a-mole between defenders and attackers. Wait. Nearly every year’s findings show proof of how a lot of things change, the more they stay similar.

Once a brand new exploit is identified, it never goes away. It gets used and abused in cycles during which activity spikes then recedes, often for years, until it comes back to life once more. There’s no higher example than Memcached servers and their potential for abuse.

The Rise of Memcached Attacks

In 2010, a presentation at the BlackHat USA Digital Self Defense conference indicated that there have been several insecure Memcached deployments internet-wide that might be abused and exploited. Not much happened—that is, till early 2018, once NETSCOUT’s Threat Intelligence Team warned that it “observed a major increase in the abuse of misconfigured Memcached servers residing on internet data Center (IDC) networks as reflectors/amplifiers to launch high-volume UDP reflection/amplification attacks.”

Weeks later, in February 2018, there was the first-ever terabit-size DDoS attack. This was followed days later by an attack nearly double that big, measuring 1.7 Tbps.

While exploits are identified, abused, and abandoned, attackers continue searching for the simplest path to success. They’re looking for the weakest link, and therefore the WISR has shown over the last fourteen years however the game is played between attackers and defenders. As one area of defense is made up, attackers advance to something else. If a crucial new service is launched, they check its resilience. That’s how it goes. That’s how it will perpetually go.

The Constant Evolution of DDoS Attacks:

• The 2007 WISR mirrored significant concern over DDoS flooding of links and hosts. As a result, ISPs created investments in their mitigation capabilities to prevent these attacks. By the 2008 WISR, ISP concern over DDoS flooding of links and hosts had fallen within the rankings from 24-karat gold to 11 November. Attackers then began targeting applications.
• In 2009, network operators centered their defenses against lower-bandwidth and application-layer DDoS attacks. This led to a modification in techniques and a comeback to volumetric attacks in 2010. “Based upon our experiences operating with operators over the last year, we tend to believe this huge increase in attack-traffic bandwidth is also partly due to operators focusing their defenses against lower-bandwidth and application-layer DDoS attacks. Attackers could have had to ‘up the ante’ to overwhelm the defenses and bandwidth capacity of defenders,” same report authors.
• By 2012, network operators had invested with each in on-premises protection against low-bandwidth application-layer attacks and cloud-based defenses for high-volume attacks. So, what did attackers do? They modified techniques once more, unleashing complicated, multivector offenses that enclosed high-volume, application-layer, and stateful-infrastructure assaults all in one sustained attack.
  “This year’s results ensure that application-layer and multivector attacks are continuing to evolve whereas volumetrical attacks are beginning to plateau in terms of size,” scan the 8th annual WISR. “While eighty-six reported application-layer attacks targeting internet services, most concerning is that multivector attacks are up markedly. Attackers have currently turned to sophisticated, long-lived, multivector attacks—combinations of attack vectors designed to chop through the defenses a corporation have in place—to accomplish their goals.”

This year’s WISR found attackers had yet again shifted their focus to stateful infrastructure attacks targeting firewalls and IPS devices. These attacks virtually doubled, from 16 pf in 2017 to 31st in 2018. One reason firewalls and ISP devices are targeted? The probability of success is fairly high. Of those who experienced stateful attacks in 2018, 43rd reported that their firewall and/or IPS contributed to an outage throughout the attack.

Another fascinating finding was that SaaS, cloud, and information center services were all progressively targeted by attackers. Adversaries typically target new services because they’re viewed as less mature, a lot of vulnerable targets.

SaaS, Cloud, and Data Center DDoS Attack Trends

• SaaS services: 2018 information showed a threefold year-over-year increase within the variety of DDoS attacks against SaaS services, from 13 to 41st

• Third-party information center and cloud services: the quantity of DDoS attacks against third-party information centers and cloud services conjointly showed a threefold increase in 2018, from 11 November to 34th

• Service providers: Cloud-based services were more and more targeted by DDoS attacks, up from 25th in 2016 to 47th in 2018

Looking ahead to next year, we all know that the innovation will continue. Simply since the close of the WISR survey period, NETSCOUT’s Threat Intelligence Team has disclosed the following:

• Mirai DDoS attacks have moved from IoT to Linux: Threat actors are learning from their experience with IoT malware to focus on commodity Linux servers. For example, the Hadoop YARN vulnerability was initially used to deliver DemonBot, a DDoS malware, to IoT devices. Soon after, threat actors used the vulnerability to install Mirai on Linux servers, blurring the road between IoT and server malware.
• Mobile phones are progressively employed in DDoS attacks: “Attackers have recently begun launching CoAP reflection/amplification DDoS attacks, a protocol primarily used nowadays by mobile phones in China, but expected to grow with the explosion of the Internet of Things (IoT) devices. like any reflection/amplification attack, attackers begin by scanning for abusable addresses, then launch a flood of packets spoofed with the source address of their target,” the team warned in January this year.

DDoS attacks are perpetually evolving, and attackers are continuously trying to find new targets and adopting new techniques. This can be why NETSCOUT has been advocating over the better part of the past decade for a multilayered defensive approach that includes on-premises protection for your stateful infrastructure and applications, with cloud-based protection from high-volume attacks.