While Distributed Denial of Service (DDoS) attacks have been around for over a decade, they still continue to evolve and escalate, particularly during 2022. The tense geopolitical situation caused by the Russian invasion of Ukraine has affected the nature and intensity of these types of attacks, making states official participants in the DDoS mitigation market.
In the first six months of 2022, the number of DDoS attacks globally increased 203% compared to the first half of 2021, as reported by Radware. From cases of hacktivism to terabit attacks, the first half of 2022 saw 60% more DDoS events than in all of 2021.
In previous years, attackers targeted one particular vector such as taking down a website and asking for a ransom. More often today, we see attacks with multiple attack vectors. For example, criminals distract IT teams by taking down a website or an application while at the same time they perform an act of money laundering, account takeover, or any other type of a serious financial crime.
25% of all DDoS attacks in 2021 affected the financial industry, making it the most targeted sector.
In February 2022, Ukraine was subject to DDoS attacks, the largest of which hit the Ukrainian government. The attacks disrupted Ukraine’s defense ministry web portal as well as banking and terminal services at several large state-owned lenders. The Ukrainian government attributed the attacks to Moscow, suggesting they were precursors to a possible invasion.
Russia has been the victim of DDoS attacks as well. Bad actors targeted colleges and universities in June 2022, as well as Russia’s homegrown mobile app store. NashStore was subject to a serious DDoS attack on the day it opened on May 22, likely instigated by pro-Ukrainian interests.
Here are some common types of DDoS attacks:
Volumetric DDoS attacks
Volumetric DDoS attacks are the most prevalent type. They overwhelm the network layer with traffic that seem legitimate, but in fact is not. Criminals use brute force techniques to flood the target infrastructure with data packets to consume bandwidth and resources. Bad actors very often use IoT botnets for these types of attacks.
Examples of volumetric attacks include TCP flood, UDP flood, and DNS reflection or amplification. In the latter, open DNS servers flood a target with DNS response traffic.
Protocol DDoS attacks
These types of attacks exploit weaknesses in layers 3 and 4 of the OSI-model to cause a service disruption. It can be a SYN attack that consumes all available server resources, making it unavailable. The inherent complexity of many protocols makes them attractive to bad actors, as very often fixing existing flaws in them opens opportunities for more vulnerabilities.
One of these attacks happened in 2018 when traffic for MyEtherWallet was redirected using a Man-in-the-Middle (MiTM) attack on the Border Gateway Protocol (BGP) to hijack traffic and send it to Russian servers that presented a fake version of the site. Using the attack as a cover, bad actors stole the contents of cryptocurrency wallets of the company’s users.
Application-layer DDoS attacks
Application-layer attacks paralyze the operations of business applications. The usual protection from such attacks includes Intrusion Prevention Systems and Web Application Firewalls (WAFs). These DDoS attacks exploit specific vulnerabilities or issues within applications and can be quite complex and serious in nature. Slowloris, HTTP flood, and Low and Slow are examples of application-layer DDoS attacks.
Today’s sophisticated DDoS attacks, driven by intelligent bots, are increasingly able to mimic human behavior and can frequently bypass existing defenses. Application-layer attacks can bypass existing WAFs and other defenses (e.g. CAPTCHA) to attack web servers and API gateways. Existing solutions can be slow to detect attacks and may necessitate analysts spending hours identifying attack vectors before they can mitigate them.
Ransom DDoS attacks
A ransom DDoS attack happens when bad actors threaten to disrupt an organization’s infrastructure or services with a DDoS attack if a certain sum of money isn’t paid to them. Attackers send an email to the victimized company or post the threat on social media.
While Ransom DDoS attacks are usually associated with lower threat losses and amounts, we note a recent case of such an attack on Bandwidth.com that cost the brand up to $12 million in reputational damages and actual revenue losses.
In 2020, the Silence gang used these types of DDoS attacks to extort money from Australian financial institutions, asking for large ransoms in Monero cryptocurrency.
Protecting Business Infrastructure from DDoS Attacks
When determining how to mitigate an attack, teams often have to decide between the lesser of two evils: block all traffic or block no traffic. This is because WAFs block at the IP address and Port level. When legitimate and malicious transactions share the same IP address and port, such as when they come from an intermediary, blocking malicious transactions also blocks legitimate transactions. The result is angry and frustrated customers, lost revenue, and brand damage.
In 2021, a major US financial institution became a victim of a serious DDoS attack. They used WAFs that were top-rated by Gartner and Forrester for cybersecurity. The attack was carried out by bots that overwhelmed their servers by registering millions of fake accounts.
This attack went undetected, as existing WAFs couldn’t pick up that there was a rise in interactions because these interactions did not have the signature of a typical DDOS attack. Intelligent bots’ interactions were well-formed and looked completely legitimate.
INETCO BullzAI© is designed to provide an essential layer of defense against today’s sophisticated application layer cyber attacks. INETCO BullzAI for Cybersecurity is an intelligent firewall driven by machine learning, that automatically detects and surgically blocks application layer DDoS attacks, including those generated by intelligent bots.
With its ability to automatically and rapidly differentiate between human and bot traffic, INETCO BullzAI for Cybersecurity detects zero-day attacks in milliseconds – not hours or days. And unlike traditional WAFs, BullzAI can automatically block malicious transactions without interfering with legitimate traffic – even where malicious and legitimate transactions use the same IP address and port. Malicious transactions are blocked; legitimate ones are not. Customers are happy, networks are protected, and malicious traffic is neutralized.
By: Stephen Lazenby [INETCO]