Distributed denial of service (DDoS) attacks soared in the third quarter, giving organizations yet another cyber threat to worry about.
Kaspersky researchers reported that total attacks were up by about a third from the second quarter. Even the slowest days saw 500 DDoS attacks; the busiest day, Aug. 18, saw a whopping 8,825 attacks.
Kaspersky observed that “Q3 was unusually explosive for the number of DDoS attacks,” with “several thousand attacks per day on some days.”
U.S.-based organizations were the primary targets, accounting for 42.13% of all DDoS attacks, up more than three percentage points from the second quarter. In second place was Hong Kong (14.36%, a huge jump from 1.8% of all attacks from the second quarter), followed by China (6.68%) and Brazil (5.14%).
Hackers targeted a wide range of organizations, such as banks, mail services, Bitcoin sites, VoIP providers, vaccination registration portals, information security media, gaming platforms, government sites, and even security agencies.
DDoS Attackers Target Middleboxes, UDP
Middleboxes – devices located between the client and the server – are becoming an increasingly popular target.
The Kaspersky researchers revealed that attackers now abuse network devices such as firewalls, load balancers, and network address translators (NAT) to interfere with TCP connections, spoof IP addresses, and perform amplification attacks. What makes this new is that amplification attacks have traditionally relied on UDP, overwhelming a victim's system with forged UDP traffic, as happened in a record-setting attack on Microsoft Azure.
UDP is a connectionless protocol: there is no handshake, so a server answering a UDP request has no way to verify that the packet's source address is genuine. An attacker can forge the victim's address as the source, making the destination server send its response to the victim instead of the attacker. This technique is called a “reflected DDoS attack,” and when each response is much larger than the request that triggered it, it is also an amplification attack.
This is challenging for communications service provider (CSP) networks and large corporate environments, because the traffic does not come from a compromised system that can be isolated: the reflectors are ordinary servers doing exactly what they were built to do. Any connected device that answers unsolicited requests is a potential reflector, and the flood of responses consumes resources at the victim, exhausts the infrastructure, and ultimately stops legitimate communications.
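As an added example (not code from the article or from Kaspersky), the following detector applies the reasoning above to constructed flow records: seen from the victim's edge, a reflected attack looks like many distinct sources all answering from the same UDP service port, with large packets and far more inbound bytes than the victim ever sent to that port. All addresses, ports and thresholds are made up for illustration.

```python
"""
Added example, not code from the article or from Kaspersky: a small detector
for UDP reflection/amplification traffic, run over constructed flow records.

Legitimate responses roughly match the request volume the host sent; reflected
ones do not, because the requests were sent by the attacker with the victim's
address forged in. Addresses, ports and thresholds are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def detect_reflection(flows, min_sources=3, min_bytes_per_pkt=400, min_ratio=5.0):
    """Group inbound UDP flows by (destination host, source service port) and
    flag a group when it comes from many distinct sources, the packets are
    large, and inbound bytes dwarf what that host sent to the same port."""
    inbound = defaultdict(list)   # (host, service_port) -> flows arriving from that port
    outbound = defaultdict(int)   # (host, service_port) -> bytes the host sent to that port
    for f in flows:
        if f.proto != "udp":
            continue
        inbound[(f.dst_ip, f.src_port)].append(f)
        outbound[(f.src_ip, f.dst_port)] += f.bytes

    alerts = []
    for (victim, svc_port), group in inbound.items():
        sources = {f.src_ip for f in group}
        total_bytes = sum(f.bytes for f in group)
        total_pkts = sum(f.packets for f in group)
        sent = outbound.get((victim, svc_port), 0)
        ratio = total_bytes / sent if sent else float("inf")
        if (len(sources) >= min_sources
                and total_bytes / total_pkts >= min_bytes_per_pkt
                and ratio >= min_ratio):
            alerts.append({
                "victim": victim,
                "service_port": svc_port,
                "sources": len(sources),
                "inbound_bytes": total_bytes,
                "amplification_ratio": ratio,
            })
    return alerts


def sample_flows():
    """Constructed records: a normal DNS lookup, two normal NTP exchanges, one
    TCP flow, and five NTP reflectors hammering the same host (203.0.113.10)."""
    victim = "203.0.113.10"
    flows = [
        Flow(victim, 40001, "192.0.2.53", 53, "udp", 1, 70),
        Flow("192.0.2.53", 53, victim, 40001, "udp", 1, 210),
        Flow(victim, 40002, "192.0.2.100", 123, "udp", 1, 76),
        Flow("192.0.2.100", 123, victim, 40002, "udp", 1, 76),
        Flow(victim, 40003, "192.0.2.101", 123, "udp", 1, 76),
        Flow("192.0.2.101", 123, victim, 40003, "udp", 1, 76),
        Flow("192.0.2.200", 443, victim, 50000, "tcp", 40, 52000),
    ]
    # Reflectors answer a port the victim never used: 200 responses of ~480 bytes each.
    for i in range(1, 6):
        flows.append(Flow(f"198.51.100.{i}", 123, victim, 53212, "udp", 200, 96000))
    return flows


def run_demo():
    return detect_reflection(sample_flows())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The two legitimate NTP exchanges land in the same (victim, port 123) group as the reflected traffic, which is what you see in practice: the alert is driven by the seven distinct sources and the 3,000-fold byte ratio, not by the port alone. Tuning the thresholds against your own baseline matters, since a busy recursive resolver or NTP pool member will legitimately receive large answers from many peers.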
According to Kaspersky, most TCP attacks relied on SYN flooding, which saturates the TCP layer by abusing the three-way handshake between client and server. In a normal handshake the client sends a SYN segment to the server, the server replies with a SYN-ACK, and the client confirms the connection with a final ACK.
That handshake is how a connection is established, and the server must remember each half-open connection until the final ACK arrives. In a SYN flood the target receives a stream of SYN segments with spoofed source addresses; the server allocates a half-open connection entry and sends a SYN-ACK for each one, but the final ACK never comes, because the spoofed hosts never sent the SYN. Once the backlog of half-open connections is full, new SYNs, including legitimate ones, are dropped and the server stops accepting connections normally.
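To make the backlog exhaustion concrete, here is an added toy model (not code from the article or from Kaspersky) of a listener handling the handshake described above, first with ordinary half-open state and then with SYN cookies, the standard stateless defence. The `Listener` class, the addresses and the `demo-secret` key are made up for illustration; real TCP stacks keep this state in the kernel.

```python
"""
Added example, not code from the article or from Kaspersky: a toy model of a
TCP listener's SYN backlog under a SYN flood, with and without SYN cookies.
The class, addresses and the 'demo-secret' key are made up to show the mechanism.
"""
import hashlib
import hmac

MOD32 = 2 ** 32


class Listener:
    def __init__(self, backlog=128, syncookies=False, secret=b"demo-secret"):
        self.backlog = backlog          # max half-open connections we will hold
        self.syncookies = syncookies
        self.secret = secret
        self.half_open = {}             # (src_ip, src_port) -> (client_isn, server_isn)
        self.established = set()
        self.dropped_syns = 0
        self._next_isn = 1000           # deterministic ISN generator for the demo

    def _cookie(self, src_ip, src_port, client_isn):
        """SYN cookie: an ISN derived from the connection tuple with a keyed
        hash, so the final ACK proves the peer really received our SYN-ACK
        without us storing anything in the meantime."""
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """Handle a SYN. Returns the server ISN sent in the SYN-ACK, or None
        if the SYN was dropped because the backlog is full."""
        if self.syncookies:
            return self._cookie(src_ip, src_port, client_isn)   # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        server_isn = self._next_isn
        self._next_isn = (self._next_isn + 64000) % MOD32
        self.half_open[(src_ip, src_port)] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, src_ip, src_port, client_isn, ack_num):
        """Handle the handshake's final ACK; ack_num must equal server_isn + 1."""
        key = (src_ip, src_port)
        if self.syncookies:
            expected = self._cookie(src_ip, src_port, client_isn)
            if (ack_num - 1) % MOD32 == expected:
                self.established.add(key)
                return True
            return False
        entry = self.half_open.get(key)
        if entry and entry[0] == client_isn and ack_num == (entry[1] + 1) % MOD32:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


def flood_then_connect(syncookies, n_spoofed=500, backlog=128):
    """Spoofed SYNs that never complete, followed by one honest client."""
    lst = Listener(backlog=backlog, syncookies=syncookies)
    for i in range(n_spoofed):
        # Each spoofed SYN uses a fresh (ip, port) pair; its ACK never arrives.
        lst.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, 5000 + i)
    isn = lst.on_syn("192.0.2.7", 40000, 777)
    connected = isn is not None and lst.on_ack("192.0.2.7", 40000, 777, (isn + 1) % MOD32)
    return {
        "legit_connected": connected,
        "half_open": len(lst.half_open),
        "dropped_syns": lst.dropped_syns,
    }


if __name__ == "__main__":
    print("without cookies:", flood_then_connect(syncookies=False))
    print("with cookies:   ", flood_then_connect(syncookies=True))
```

Without cookies the 128-entry backlog fills after the first 128 spoofed SYNs and the honest client's SYN is dropped along with the rest; with cookies nothing is stored per SYN, so the flood costs the listener only the SYN-ACKs it sends, and the honest client's ACK is validated from the cookie alone. Real SYN cookies (for example Linux's net.ipv4.tcp_syncookies) also fold a coarse timestamp and the peer's MSS into the ISN and are only used once the backlog overflows; this model omits both to keep the mechanism visible.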
If the attackers use a botnet (a “robot network” of infected computers remotely controlled by a hacker), tracing the attack back to its operator is almost impossible.
Meris Botnet Dominates
Another notable event in Q3 was the discovery of the Meris botnet. Meris is Latvian for “plague.” It is one of the most powerful botnets on record, and it behaves similarly (though not identically) to the Mirai botnet, exploiting vulnerabilities in IoT devices and network equipment.
Meris may have infected more than 250,000 devices manufactured by MikroTik, a Latvian company that makes routers and wireless ISP equipment. A botnet built on a single manufacturer's devices at that scale is unusual, and the specific vulnerabilities exploited to recruit them remain unclear.
The botnet has been responsible for devastating attacks in New Zealand, the United States, and Russia, and can overwhelm even highly robust networks. It is built from routers that were compromised back in 2018, when a vulnerability in MikroTik RouterOS was being exploited.
Many RouterOS users do not actively monitor their devices, and even where the vulnerability has since been patched, the patch does not remove firewall rules added by the attacker or change passwords that leaked in the original compromise. MikroTik states that its product has been independently audited by several contractors and recommends that users disable SOCKS if they do not need it and check the System -> Scheduler menu for entries they do not recognize.
Ransom Now a DDoS Strategy
The change is not only technical: attackers now use DDoS attacks to intimidate companies and even security agencies, pursuing financial and political goals.
For example, cybercriminals performed DDoS attacks on VoIP providers, affecting Britain, Canada, and the U.S., and asked for a huge ransom to stop the attacks. They claimed to be members of REvil, a notorious ransomware group (there’s no clear evidence, though).
According to Kaspersky, politically-motivated attacks hit the security agencies of Russia and Ukraine this summer.
Among all the Q3 statistics, two trends stand out:
- the number of DDoS attacks has significantly increased
- the average DDoS attack duration has also significantly decreased
Kaspersky expects DDoS attacks to grow further in Q4.
How to Protect Against DDoS Attacks
You can switch to a more robust hosting provider. The caveat is that if you are a primary target, the attackers can scale up too, so this can turn into a vicious circle with huge costs.
There are also dedicated DDoS protection and mitigation services, such as Cloudflare.
You can also invest in resilient architectures such as cloud deployments that can absorb or scale around traffic spikes. Newer network hardware is worth considering as well, since it usually includes better monitoring and built-in defenses against common attacks such as SYN flooding.
The most effective strategy, however, is probably an incident response plan. Such a plan usually includes a detailed list of contacts to alert and the escalation measures to apply when an attack strikes.
Another good practice is post-event analysis: the information collected after an attack helps you respond better to the next one and learn from any mistakes. Threat hunting can then answer critical questions such as “Who are the attackers behind it?” or “Is this the first episode of a long series?” SIEM tools are recommended here to prioritize tasks and classify threats.
Further reading: Best Incident Response Tools and Software