We’ve entered a new era of DDoS attacks. Using Mirai and other tools, hackers have at their fingertips a formidable array of attack styles and vectors drawing on the power of botnets gathered from the Internet of Things and encrypted, hidden from traditional defenses.
The ability to level a 1 Tbps attack, like the one that took down DNS provider Dyn and knocked scores of major websites offline, has given attackers new, more complicated firepower that many organizations are unprepared to defend against.
Five attack types in particular are growing in popularity and show how hackers often have the upper hand, until organizations can swing momentum in their favor with better defensive tools. Here are the top five DDoS threats organizations face in 2017 and how to combat them.
Advanced Persistent Attacks
This attack style changes vectors to evade mitigation, seeking weaknesses and keeping targets under fire for weeks at a time. It’s easier than ever to launch a long-term attack. Hackers need only download Mirai, rent a couple servers, and $100 later, they can attack around the clock with their own personal botnet. That accessibility has led to an explosion of Advanced Persistent Denial of Service attacks (APDoS).
Proton Mail is one organization that was hit by multiple vectors at a high rate and was pinned down for days, with attacks exceeding 100 Gbps. By implementing a DDoS mitigation solution that could sift the bad traffic from the good, without compromising the privacy Proton Mail promises its users, the email provider was able to get back on its feet.
DNS Water Torture
This flood of maliciously crafted, impossible-to-solve DNS lookup requests consumes network, bandwidth, and storage resources. It can also tie up network connections, causing time outs.
A powerful attack vector that has grown popular in the wake of Mirai, the water torture GRE attack – GRE stands for generic reading encapsulation – bombards servers with encapsulated packets that are hard to inspect. That means malicious traffic has a higher chance of bypassing mitigation.
Organizations should monitor their recursive DNS servers, looking for anomalous behavior such as spikes in the number of unique sub-domains being queried, or spikes in the number of timeouts or delayed responses from a given name server to spot these attacks.
DDoS attacks and advanced web application attacks increasingly leverage encrypted traffic as an attack vector. According to our research, as much as 39 percent of organizations reported experiencing an SSL attack.
Whether taking the form of encrypted SYN floods, SSL renegotiation, HTTPS floods, encrypted web application attacks, or others, encrypted traffic often passes through both DDoS and web application protections undetected. In the same way SSL and encryption protect the integrity of legitimate communications, they also veil many traffic attributes used to divide bad traffic from good.
To provide effective protection, solutions need to deliver full attack vector coverage (including SSL) and high scalability to meet the growing demands of the consumer. They also need to handle management of encryption technologies (predominantly SSL/TLS) in a manner that can be operationalized effectively and efficiently.
Look for stateless mitigation to ensure you can scale to the higher demands of these attacks. Asymmetric deployment options, certificate management, and the integrity of the trust model are all important considerations. Don’t forget a solution must balance the experience for legitimate users with the need for attack mitigation.
Permanent Denial of Service
Known as phlashing to some, Permanent Denial of Service (PDoS) damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of systems.
In the case of firmware attacks, the attacker may use vulnerabilities to replace a device’s basic software with a modified, corrupt, or defective firmware image that “bricks” the device, rendering it unusable. Other attacks include overloading the battery or power systems.
Some organizations, however, are more vulnerable than others. If you’re running a highly virtualized environment that leverages few hardware devices, depends on the IoT, has centralized security gateways, or runs critical infrastructure, one PDoS punch could knock out your systems.
If you fall into one of those categories, conduct an assessment immediately on the type of technology you’re running at or below the operating system level. Develop a clear understanding of the different firmware versions, binaries, chip-level software (like ASICs and FPGA), and technology used in your environment. Consider battery, power, and fan system vulnerabilities as well. Once you’ve assessed the risk, take the necessary precautions and onboarding controls to protect your most critical assets.
In 2016, we reached the 1 Tbps DDoS era. Fueled by DVRs, CCTV cameras, webcams, and other connected devices, IoT botnets can be the source of any one of the four threats above.
IoT devices are attractive targets for several reasons:
- They usually fall short on endpoint protection implementation.
- They operate 24/7 and can be in use at any moment.
- Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices, such as changing default passwords and implementing access control restrictions (for example, to disable remote access to administrative ports).
We need to set manufacturing standards for internet-connected devices that make it harder to enslave them in a botnet, but for now, organizations fearing the threat of a botnet-fueled attack should put in place a DDoS protection solution with the highest mitigation capacity to guard against volumetric attacks.
Of course, the attack style doesn’t really matter when it’s coming at you with 1 Tbps of intensity. But by understanding these more complicated styles and vectors of DDoS attack, you can add protections against each type to stay one step ahead of the hackers, at least for now.