DDoS Threat Landscape

Why is this article created ?

An uptick in Distributed Denial of Service (DDoS) attacks has been noted in 2023 [1], with notable incidents drawing significant media attention, including those targeting Singapore's public healthcare institutions [2] and the ChatGPT platform [3]. Thus, this article is written with intention to give individuals and organizations a quick glimpse of the DDoS threat landscape. By understanding the DDoS threat landscape, proactive measures can be taken to defend against DDoS threats. In addition, individuals using online services can have an understanding of how DDoS attacks can cause website outages [1].

What is Denial of Service Attack (DoS Attack) ?

It is a type of cyber attack that attempts to crash a computer or network, making it unavailable to its intended users. It can be accomplished by flooding the target with excessive requests to cause it to crash. For non-technical readers, a simple analogy would be to imagine yourself calling a phone line to order a food delivery. If it is peak hour and there are many people calling the same phone line at the same time, you may not be able to get through as the line may be overloaded.

What is DDoS Attack ?

It's intend is the same as DoS, which is to disrupt the regular functioning of network, service, website or server by overwhelming it with excessive network requests. The difference is in the scale of the attack. A DoS attack is used to describe an attack that is launched from a single source (e.g. a single computer or network device), while DDoS attack describes an attack launched from multiple sources (e.g. a network of computers controlled by an attacker known as a botnet). As the scale of a DDoS attack is larger, it is harder to defend against and the impact is generally more disruptive.

Who are the reputable vendors with DDoS Mitigation Solutions ?

The top 5 vendors with products in DDoS Mitigation Solutions Market based on gartner [4] (as of 11/11/2023) are:

2023 Global Trends in DDoS Attack

As CloudFlare is one of the top vendors in DDoS protection, it's 2023 DDoS threat reports was used as as references to help us understand the Global DDoS Attack Trends in 2023. CloudFlare has since published 3 quarters of DDoS threat reports for 2023. The table below show the summaries of the 3 reports [5][6][7] (Refer to Annex A below for brief explanation on the different types of DDoS attacks):

Closer Look at Q3 2023 Global DDoS Attack Trends

Generally, nearer history can give us more accurate insights into the future than distant history. Thus, it is useful to have a closer look at CloudFlare's Q3 2023 DDoS threat report [7], and below is quick summary (Refer to Annex A below for brief explanation on the different types of DDoS attacks):

• Surge in HTTP DDoS attacks against Israeli websites.

• Starting in late August 2023, Cloudflare and various other vendors were subjected to hyper-volumetric DDoS attacks exploiting HTTP/2 Rapid Resets vulnerability (CVE-2023-44487).

• Botnets that leverage cloud computing platforms and exploit HTTP/2 (known as VM-based botnets) are able to launch hyper-volumetric DDoS attacks with smaller number of botnet nodes compared to IoT based botnets.

• HTTP DDoS attacks:

  • Top 3 countries which HTTP DDoS attacks originated from were US, China and Brazil based on worldwide DDoS traffic (HTTP DDoS / worldwide DDoS). Some countries naturally receive more traffic due to various factors such as the population and Internet usage, and therefore also receive/generate more attacks.

  • The top 3 attacked industries by HTTP DDoS attacks were Gaming & Gambling, IT and Internet and Cryptocurrency based on worldwide DDoS Traffic. The Gaming and Gambling industry has long been one of the most attacked industries compared to others.

  • The top 3 targeted countries were US, China and Singapore.

• L3/L4 DDoS attacks:

  • US was the largest source of L3/L4 DDoS attacks.

  • The top attacked industry was IT and Internet.

  • Chinese Internet networks and services remain the most targeted by L3/4 DDoS attacks.

• Commonly observed attack vectors were DNS flood, SYN flood , RST flood , UDP flood and mirai botnet attacks.

• DNS laundering attack was observed as an emerging threat.

• Top 3 emerging DDoS threats were mDNS, CoAP and ESP DDoS attacks.

• Occasionally, DDoS attacks are carried out to extort ransom payment (Ransom DDoS). While the occurrence has decreased over the past quarters, it was observed to be seasonal and ransom DDoS attacks is expected to increase during the months of November and December.

Possible Mitigation Measures

Below is a list possible mitigation measures that can be undertaken to address the DDoS threats explained formally:

Common Mitigation Measures

• Subscribe to cloud based DDoS mitigation service (E.g. Akamai's Prolexic service).

• Subscribe to traffic scrubbing service.

• Keep software and systems up to date to remove vulnerabilities that can be exploited for DDoS.

• Formulate a robust DDoS incident response plan.

• Implement continuous network and application traffic monitoring (E.g. network traffic analysis) to identify malicious traffic.

• Implement blackholing to drop or redirect traffic from malicious source IP addresses.

• Implement rate limiting and throttling to limit requests or responses that can be received or sent within a specified timeframe.

• Implement IP source address spoofing protection.

• Utilize botnet detection solution (e.g. Radware Bot Manager) to identify and protect against bots.

• Utilize IP traceback to identify source of attack.

DNS DDoS Specific Mitigation Measures

• Subscribe to cloud based DNS services which offer DDoS mitigation capabilities.

• Implement DNSSEC to authenticate DNS responses.

• Limit access to DNS resolver.

• Update DNS records to ensure they point to legitimate servers.

Application Layer DDoS Specific

• Employ web application Firewall (WAF) to filter out malicious traffic.

• Utilize load balancers to distribute incoming traffic across multiple servers.

Network layer Specific DDoS Specific

• Implement TCP SYN cookies to resist SYN flood.

• Utilize network traffic shaping and prioritization to ensure critical traffic is prioritized.

• Implement network level access control lists (ACLs) to filter out malicious traffic at network. perimeter.

• Coordinate with internet service providers (ISPs) to coordinate mitigation efforts (e.g. ISPs can filter malicious traffic at their network edge).

Emerging Threat - mDNS DDoS specific

• Minimize exposure of mDNS service.

Emerging Threat - CoAP DDoS specific

• Employ CoAP request validation to check for malformed or invalid requests.

• Deploy CoAP message authentication.

Emerging Threat - ESP DDoS specific

• Implement IKEv2, latest version of internet key exchange protocol with enhanced security features.

• Enable IKEv2 Cookie challenge to enable establishment of secure connection.

• Implement IKEv2 SA timer to prevent unauthorized connections.

• Utilize infrastructure access lists (iACLs) to restrict IKE/ISAKMP traffic to authorized clients or service.

Overall Summary

1. The number of DDoS attacks have increased in 2023, and global geo-political tensions (E.g. Russia Ukraine conflict and Gaza Israel conflict) have fueled the increase.

2. Volumetric DDoS attacks from were observed to have increased in scale (E.g. from Gps to Tps), and botnets were observed to be leveraging cloud computing platforms and exploiting HTTP/2 (known as VM-based botnets) to launch hyper-volumetric DDoS attacks.

3. Security vulnerabilities can be exploited to launch DDoS attacks (E.g. CVE-2023-44487).

4. Countries with higher internet usage naturally receive/generate more attacks.

5. Businesses that are more internet centric (E.g. Gaming and Gambling) are more prone to being targeted.

6. Lesser known network protocols (e.g. mDNS) can be used to launch DDoS attacks.

7. Ransom DDoS attacks were observed to be seasonal and expected to increase during the months of November and December.

8. There are a range of mitigation measures that can be undertaken to address DDoS threats.

Conclusion

As DDoS attacks continue to increase in frequency, scale and complexity, it is necessary for businesses to continue to review and update their mitigation strategies against DDoS attacks.

References

[1] https://cybermagazine.com/cyber-security/zayo-group-confirms-ddos-attacks-in-2023-are-up-200

[2] https://therecord.media/singapore-public-health-services-ddos-attack

[3] https://therecord.media/singapore-public-health-services-ddos-attack

[4] https://www.gartner.com/reviews/market/ddos-mitigation-solutions

[5] https://blog.cloudflare.com/ddos-threat-report-2023-q1/

[6] https://blog.cloudflare.com/ddos-threat-report-2023-q2/

[7] https://blog.cloudflare.com/ddos-threat-report-2023-q3/

Annex A - Attack Type Quick Glossary

Volumetric DDoS Attack. Attack that aims to overwhelm target with large amount of traffic, and traffic can go up to gigabits per second (Gbps). Common techniques used for volumetric attack to consume bandwidth and resource:

• UDP floods: sendinglarge amount of User Datagram Protocol (UDP) packets to target.

• ICMP floods: sending large amount of Internet Control Message Protocol (ICMP) packets to target.

• HTTP floods: sendinglarge amount of Hypertext Transfer Protocol (HTTP) requests to target such as mobile application servers, ecommerce websites, API gateways.

• DNS Flood attack: overwhelm DNS server with flood of queries to make it unable to respond to legitimate requests and potentially causing a website outage.

• DNS amplification attacks: send specially crafted queries to cause DNS server to return much larger response, and UDP spoofing is used to allow attacker to send queries that appear to be coming from victim’s IP address. As a result, the victim will be overwhelmed with large response traffic.

CVE-2022-26143. Vulnerability in Mitel MiCollab business phone systems that can be exploited to launch UDP amplification attacks, such that UDP traffic will be reflected and amplified off a vulnerable Mitel MiCollab phone system.

Ack Flood. In a TCP connection (3 way hand shake) ACK packets are typically used to acknowledge the receipt of data packets. However, in an ACK flood attack, attacker will send these packets without actually receiving any data. This can cause the target server to become overloaded with processing the unnecessary packets, eventually leading to a denial of service.

Mirai-variant botnet. Mirai is a malware that turns networked devices into remotely controlled bots as part of a botnet (group of internet connected devices running as bots) which can be used to perform DDoS attacks.

Hyper Volumetric DDoS. Volumetric DDoS attack in Terabit per second (Tbps).

L3/L4 DDoS Attack. Attack that targets network layer and transport layer of the OSI model, and typically carried out by sending large amount of UDP packets, SYN packets, or ICMP packets to the server.

SYN Flood (half-open attack). Make victim’s server unavailable to respond to legitimate requests by repeatedly sending initial connection request packets (SYN) with spoofed IP address. In this way, the server will respond to each connection request (SYN ACK) and leave open ports ready to receive ACK response (3 way hand shake in TCP communication) which will never arrive. Once all available ports are utilized, the server will not be able to function normally.

RST flood (a.k.a FIN flood). In a typically TCP communication, RST or FIN packets are exchanged between client and server to close a connection session. RST or FIN flood attack aims to disrupt the normal functioning of victim’s server by repeatedly sending RST or FIN packets unrelated to any connection sessions. In this way, the victim server is forced to allocate significant amount of system resources to match incoming packets with current connections, resulting in degraded server performance and partial inaccessibility.

DNS Laundering. In a DNS laundering attack, attacker can send large amount of DNS queries for random subdomains of a domain managed by the victim. As the recursive DNS servers may not have cached response for the subdomains, it will need to forward the query to the victim’s authoritative DNS server. In this way, the authoritative DNS server will be overwhelmed by the queries.

mDNS DDoS Attack. Multicast DNS (mDNS) is a UDP-based protocol that is used in local networks for service/device discovery. Vulnerable mDNS servers respond to unicast queries originating outside the local network, which are ‘spoofed’ (altered) with the victim's source address. This results in amplification attacks.

CoAP DDoS Attack. The Constrained Application Protocol (CoAP) is designed for use in simple electronics and enables communication between devices in a low-power and lightweight manner. However, it can be abused for DDoS attacks via IP spoofing or amplification, as malicious actors exploit its multicast support or leverage poorly configured CoAP devices to generate large amounts of unwanted network traffic. This can lead to service disruption or overloading of the targeted systems, making them unavailable to legitimate users.

ESP DDoS Attack. The Encapsulating Security Payload (ESP) protocol is part of IPSec and provides confidentiality, authentication, and integrity to network communications. However, it could potentially be abused in DDoS attacks if malicious actors exploit misconfigured or vulnerable systems to reflect or amplify traffic towards a target, leading to service disruption. Like with other protocols, securing and properly configuring the systems using ESP is crucial to mitigate the risks of DDoS attacks.

Annex B - Top Attacked Industry by Region