In 2012, an organized and well-planned DDoS attack managed to take down the websites of some of the world’s largest banks and financial services institutions. When that attack was perpetrated almost a decade ago, the news reports about it called it “effective but unsophisticated.”
Well, it may have been “unsophisticated,” but it still managed to knock out the publicly facing webpages of banking giants Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank.
Now, a decade later, DDoS attacks are still happening. But, unfortunately for the companies and government agencies being targeted by them, they’re no longer the unsophisticated attacks they used to be.
According to the newest version of the NETSCOUT Threat Intelligence Report, today’s DDoS attacks utilize new attack vectors, feature better techniques and can avoid detection. They’re also increasing in frequency, with more attacks being reported each year for the past five years.
To learn more about the current state of DDoS attacks, how they’ve evolved and how government organizations can fight back against them, we sat down with Tom Bienkowski, the Director of Product Marketing at NETSCOUT. Here is what he had to say:
GovCybersecurityHub (GCH): Ransomware and phishing attacks seem to get all of the press these days. Are DDoS attacks still happening with any frequency?
Tom Bienkowski: Absolutely. Arbor Networks, which is now a part of NETSCOUT, has been tracking DDoS attack activity on the Internet for more than 20 years. And it’s accurate to say that DDoS attacks have increased not only in frequency, but also size and complexity.
In 2019, our Active Threat Level Analysis System (ATLAS), which has visibility into approximately 1/3 of the world’s internet traffic, saw more than 8.4 million DDoS attacks. That’s an increase of 16 percent from 2018. More specifically, when we look at DDoS attacks targeting the U.S. public sector – including the military, government agencies and other government institutions – we see an increase of 35 percent just in the past year.
In fact, if your readers want a real-time view into global DDoS attack activity, they can see it visualized on our Cyber Threat Horizon, which gives Advanced Access users the ability to filter attack activity to a particular industry segment, such as government or education.
GCH: Why would malicious actors want to hit a public sector entity – a government agency or a school – with a DDoS attack? What is the motivation for that?
Tom Bienkowski: There are many motivations behind DDoS attacks, especially attacks that target government organizations. For example, we’ve seen an increase in attacks from hacktivist organizations that are using DDoS attacks as a form of protest because they’re easier and safer to conduct against a government than a protest in the streets.
Governments also have to worry about state-sponsored DDoS attacks from adversaries. These attacks are launched by nation-states that have the technological ability to routinely launch DDoS attacks against foreign entities in an attempt to disrupt their services.
In the case of educational institutions and schools, there’s always the threat of students instigating and perpetrating attacks just to disrupt the school and get out of class. With access to readily available DIY DDoS attack tools and low-cost DDoS for Hire services – which are sometimes called booter/stresser services – it’s increasingly easy for students to launch DDoS attacks to disrupt online school services, such as testing, scheduling, or online classes.
In my day, students pulled the fire alarm to get out of exams…today they launch a DDoS attack.
Ultimately, educational institutions are frequent targets because they have fewer resources and a lot at stake. They have a lot of critical capabilities online, including online classes, classrooms, parent portals, and testing. They also store critically sensitive data, including staff member data, student data, family financial data, Social Security numbers, and sometimes even medical information. This is especially true at colleges and universities, which makes them a top target for hackers. That’s why we observed a 41 percent increase in attacks against schools from 2018 to 2019.
GCH: Are modern DDoS attacks different than DDoS attacks of the past? How would a DDoS attack in 2020 be different than – say – the attacks that hit Bank of America, JPMorgan Chase, U.S. Bancorp, Citigroup, and PNC Bank in 2012?
Tom Bienkowski: They’re different in that they’re more complex and sophisticated. They’re also much bigger. In fact, today’s average DDoS attacks are approximately ten times larger than the largest attacks that were being perpetrated back in 2012. In 2012, the maximum size of a DDoS attack was approximately 60 Gbps. For the last few years, the average maximum attack size has hovered in the 600 Gbps range – with a maximum of 1.7 Tbps in 2018.
But, size aside, the real difference is the increased complexity. It’s ironic that you mention these 2012 attacks. At that time, we were, in fact, helping some of our customers stop these attacks. What was unprecedented about these attacks was that they used multiple attack vectors. They launched separate volumetric, TCP state exhaustion, and application-layer attacks. Today, it’s common for DDoS attacks to utilize multiple vectors. The difference is that they are launched simultaneously using as many as 11 or more vectors.
Today’s advanced reflection and amplification attacks routinely take advantage of a large number of open protocols to weaponize an army comprised of millions of IoT devices to launch attacks. We’ve also seen the evolution of a technique called carpet bombing that can target an entire IP address range with short-duration DDoS attacks, making it very difficult to defend against.
All told, in 2019, we identified seven new or increasingly-used DDoS attack vectors, including Intelligent Platform Management Interface/Remote Management Control Protocol (IPMI/RMCP) and OpenVPN vectors. Simultaneously, the number of vulnerable IoT devices worldwide that could be used to launch attacks using these seven vectors skyrocketed to more than 2.5 million.
Combined, these new sophisticated techniques and vectors enable attackers to raise the bar for defenders in terms of accurately detecting, classifying, tracing, and mitigating bespoke DDoS attacks. This is exacerbated by the fact that they’re designed to bypass traditional defenses by having lower packet-per-second rates or bandwidth than traditional attacks. Instead, they bypass poorly constructed network access policies or combine existing attacks into new powerful attacks.
GCH: What could and should organizations be doing to shield themselves from DDoS attacks?
Tom Bienkowski: Defense against DDoS attacks is difficult since they’re constantly evolving and changing. As government agencies and other organizations implement advanced DDoS defenses, the attackers evolve more sophisticated strategies and techniques. This may mean that downtime is unavoidable when an agency is hit with a new attack because they need time to detect, mitigate and follow up.
That being said, there are things that they can do to make a successful DDoS attack less impactful. And much of it involves preparation.
They should take the time to learn about and understand their own networks and traffic flows to ensure they can spot attacks. They should constantly be researching and gaming out advanced tactics to ensure that they’re ready for new attacks. They should be working to ensure that they’ve implemented situationally appropriate architectural principles, operational practices, and mitigation countermeasure capabilities. They should secure vulnerable devices and services in their own networks. And, most importantly, they should optimize DDoS defenses around the systems, services, and applications that require protection, rather than solely against specific attack vectors.
Considering how rapidly DDoS attacks are evolving and becoming more sophisticated and complex, having a trusted partner that can help protect networks is possibly the best thing for government agencies. DDoS defense requires dedicated products and expertise, and the agencies best positioned to defend against them are the ones that outsource DDoS attack protection to managed security service providers who specialize in them.