Distributed denial-of-service (DDoS) attacks have long been a major threat – primarily because attackers don't need a vulnerability or access to an organization’s systems to overwhelm them with requests or traffic.
But even so, threat actors have refined nearly every aspect of their attack leading to a rapid evolution of the DDoS landscape in recent months. This includes focusing on high-value targets, evading common DDoS defenses, and upgrading botnet infrastructure to enable much larger attacks.
Most cybercriminals are in it for the money. Many of the main types of cyberattacks — data breaches, ransomware, etc. — have a clear path to profit.
So, it’s no surprise that recent trends have indicated that attackers are focusing their efforts on where the money is. Western banks and the SWIFT system — used for settling inter-bank payments — have become a primary target. Additionally, the cryptocurrency sector was identified as the most targeted industry for HTTP DDoS attacks by share of overall traffic with a 600% increase from the prior quarter.
These targeted attacks are intended to cripple critical systems in the financial sector and beyond.
One of the biggest technical challenges that attackers face is bot detection algorithms. Anti-bot solutions identify various factors that differentiate human users from malicious bots, enabling bad traffic to be filtered out with minimal impact on legitimate users.
In recent months, sophisticated evasion solutions have filtered down from nation-state actors to mainstream cybercriminals. These tools and techniques enable automated attackers to more accurately mimic legitimate users and browsers and overcome mitigation systems. Two of the most commonly-used evasion techniques include:
Randomized HTTP properties: Fingerprinting automated bots and tools is a core function of many bot mitigation systems. To combat this, attackers have begun randomizing certain properties — such as User Agent strings and JA3 fingerprints — to make signature-based detection less accurate and effective.
Low and slow attacks: HTTP request rates higher than humans can generate are a clear sign of an automated DDoS attack. Recently, attackers have been focusing on lower-volume, slower attacks to make their campaigns more difficult to detect.
Another common tactic for slipping past a target’s defenses is DDoS amplification, which abuses a legitimate service to send large volumes of data to a target. DNS-based attacks made up nearly a third of all network-layer DDoS — cybercriminals are taking advantage of the fact that DNS is universally trusted and a crucial component of Internet infrastructure.
In the past, a botnet was usually composed of a set of compromised Internet of Things (IoT) devices. These devices often have poor security, making them easy to compromise. They have Internet connectivity and limited computational power, enabling them to perform simple, automated attacks such as credential stuffing or DDoS.
In recent months, cybercriminals have shifted to virtualized botnets. These virtual devices have substantially more network bandwidth and computational power, enabling them to launch attacks up to 5,000x stronger than IoT devices.
The rise of this hyperscale, VM-based botnet has enabled much larger DDoS attacks than were previously possible like in the case of this record-breaking 71 million request-per-second attack that was traced back to one of these VM-based botnets.
Cyber security is a fast-paced industry where the threat landscape can change overnight. While DDoS attacks don’t exploit vulnerabilities; they do attempt to overwhelm systems or use up valuable resources. With these attacks growing larger and more sophisticated, deploying advanced DDoS prevention systems is essential to filtering attack traffic and keeping these systems online.
Cloudflare’s web, application & network DDoS protection is designed to protect anything connected to the Internet. Cloudflare offers protection against DDoS attacks at Layers 3, 4, and 7, including the ability to catch and block the large-scale and subtle attacks enabled by VM botnets, low-and-slow campaigns, and HTTP randomization.
For more Internet trends, visit Cloudflare Radar.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
David Belson — @dbelson
Head of Data Insight, Cloudflare
After reading this article you will be able to understand:
How cybercriminals have refined their attack methods
3 of the latest attack trends
Mitigation strategies to get ahead of the threat