In 2020 DDoS attacks continue to increase both in volume and in frequency. Nexusguard Research¹ just reported a 542% increase in DDoS attacks in the first quarter of 2020 when compared with the last quarter of 2019. The NexusGuard research team also detected unusual traffic patterns from ISPs which included traffic generated from infected devices.
In rare harmony, Kaspersky also reported that DDoS attacks have doubled in the first quarter of 202 when compared to the last quarter of 2019². Kaspersky also found that DDoS cyberattacks are increasing in duration – the average attack duration increased by 24% in the first quarter of 2020 compared with the same quarter one year ago.
DNS and DDoS attack vectors have emerged as one of the critical weapons of choice to support fraud, extortion, and malicious attack. Threat actors may be politically motivated, part of organized crime, or even nation-state cyberwarfare operatives.
The COVID-19 pandemic was the genesis of this new opportunity as the disease continues to impact businesses and economies worldwide. The net result is that 2020 has become the year of the teleworker. The use of online services from home and other remote locations became more critical than ever. Students are online. Employees are serving customers online. Many of us are working from home and highly dependent on internet connectivity. The mix of devices we use often includes our laptops and mobile devices. Threat actors have moved with lightspeed to leverage this opportunity.
But just when you thought it could not get worse, it does. DDoS for hire (otherwise known as “booter” services) allows threat actors to access thousands of pre-configured servers that can be used to launch DDoS assaults against any organization. Booters are web-based services that provide criminal DDoS services for hire. These tools are often referred to in polite conversation as IP stressors, which are legitimately used to test your networks and servers for resiliency. Certainly, stress testing your own network is normal. But deploying such technology to create a DDoS attack against external parties is illegal and malicious criminal activity. The great majority of these servers are hijacked, and malicious activity is usually completely unknown to their owners.
As you would expect, booters are sold on the dark web using untraceable currencies such as Bitcoin. My last informal survey showed that you could “purchase” the use of a compromised server for between $10 to $150 or more. You get the passwords and access to the server. Some criminal enterprises sell access to the use of booters “as a service” and vary pricing by the number of attacks you wish to launch, the duration of the attacks, and even price out the addition of customer support!
As quickly as the FBI and other law enforcement agencies can find them and shut them down, new ones still seem to spring up. The number of these servers for sale at times looks quite large, with many tens of thousands of hijacked servers accessible at meager cost for a motivated attacker.
The DDoS attacks launched by these threat actor booter sites take us back to basics. As always, the mix of readily usable attack techniques includes DNS amplification and DNS reflection. They may be used alone and in combination. An amplification attack is a technique used by threat actors where a small query can trigger a massive response. In this scenario, threat actors flood the server with short requests that require long responses, allowing a small compute resource to overload the targeted DNS server. The DNS server is so busy attempting to respond to all these malicious requests that it doesn’t have time to respond to legitimate ones, and network activity grinds to a halt.
The reflection attack vector sends queries that appear to come from the target of the attack. The huge volume of responses, which are amplified, are then sent to the target effectively overwhelming the target. In this scenario, the attacker sends a query to a recursive name server with a spoofed source IP address. Instead of the real IP address, the threat actor places the target (victim) IP address as the source IP address. The recursive name server retrieves the answer to the query from the authoritative name server and sends it to the target.
A sophisticated threat actor can combine the two techniques by spoofing the targets’ IP address and sending a carefully crafted query that will result in a large payload. This double punch can be an overwhelming DNS DDoS attack scenario. This allows the threat actor to attack two different targets at the same time easily.
Comprehensive and intelligent protection against DNS DDoS attacks should be an essential part of your cybersecurity architecture. Infoblox uses various techniques to detect and drop attacks like DNS amplification, DNS reflection, NXDOMAIN, and protocol anomalies to keep both external Internet-facing DNS servers and internal DNS servers running. Call us – we’re glad to help – please refer to this datasheet for more information. Also, for more information on securing your teleworking environment, please see this report.
²https://securityintelligence.com/articles/avoid-ddos-attacks/