Is There a DDoS Attack Ceiling?


Today, it’s rare for a month to pass without reports of new distributed denial-of-service (DDoS) attacks. Lately, geopolitical instability and hacktivist groups (e.g., Anonymous Sudan and NoName057(16)) have driven attacks, and these types of attacks show no sign of stopping anytime soon. One thing is sure: businesses need to implement safeguards into their overall cybersecurity posture to mitigate an evolving array of DDoS attacks. The relentless barrage of attacks may also make IT practitioners consider whether there will be a ceiling at some point and whether DDoS attacks will indeed level off.

While there isn’t a predefined ceiling for DDoS attacks, the practical limitations and risks of launching such attacks mean that they’re typically constrained within certain bounds. However, the evolution of technology and tactics means that attackers continually adapt, and defenses must evolve accordingly to mitigate the impact of DDoS attacks. Let’s dive deeper into how some hacktivist groups work to engineer new DDoS attacks.

Unpacking Hacktivist Groups to Understand Increasing DDoS Threats

Infamous for its widespread cyber operations, NoName057(16) garnered notoriety for developing and distributing custom malware, notably the DDoSia attack tool, the successor to the Bobik DDoS botnet. The group strategically concentrates its efforts on targeting European nations. NoName057(16)’s motives are geopolitical, aligning closely with pro-Kremlin interests.

NoName057(16) relies on free or low-cost public cloud and web services as a launchpad for DDoS botnets that flood target web servers. In addition, the attacks are almost exclusively HTTP/HTTPS floods meant to consume targets’ bandwidth and resources. NoName057(16) gamifies DDoS by offering digital currency payments via Project DDoSia to crowd-sourced participants who conduct attacks and rack up “points” as incentivized top performers. So, not only is it straightforward for groups such as NoName057(16) to orchestrate DDoS attacks, but they also incentivize bad actors to join their exploits.

By encouraging ideologically motivated volunteers to deliberately provision cloud computing and VPN nodes with their multi-platform DDoS-capable botnets, NoName057(16) has essentially outsourced the growth and maintenance of their attack infrastructure while at the same time seeking to make it more challenging for defenders to successfully mitigate attacks due to the presence of these botnet nodes on the networks of well-known computing, content, and networking services.

Similarly, Anonymous Sudan is a highly prolific threat actor conducting DDoS attacks to support its pro-Russian, anti-Western agenda. Although the attacks attributed to this adversary are of political and (ostensibly) religious motivation, this group also retaliates against messaging platforms that restrict its communications.

Staying Ahead of The Hacktivists

Furthermore, Anonymous Sudan appears to use standard DDoS-for-hire services and botnet rentals, breaking from the traditional hacktivist mentality and capabilities and behaving more like an organization with substantial financial backing. Their DDoS attacks are predominantly multi-vector—a combination of TCP-based direct-path and various UDP reflection/amplification vectors.

Anonymous Sudan and NoName057(16) are just the latest in a long line of hacktivist groups engineering new attacks. Although these threat actors often use well-known DDoS attack vectors and methodologies, their propensity to follow through on threatened occurrences, combined with unpreparedness on the part of targeted organizations, ensures that they have achieved a relatively high attack success rate to date. How can the IT department help organizations mitigate this new onslaught of attacks?

Real-time threat intelligence’s role in an actual DDoS defense strategy can’t be stressed enough. Attacks are now more adaptive and continue to change course to evade defenses. Today, threat intelligence solutions exist for businesses to use machine learning (ML) from rich data lakes of known DDoS attack vectors, sources, and behavioral patterns. Additionally, DDoS defenses are now sophisticated enough to identify changing attack vectors. This analysis is continuously updated as characteristics of the atypical traffic change. All of that means that the value of having better visibility tools with actionable threat intelligence to remediate attack vectors is a step in the right direction for any organization. Having better visibility means an improved ability to contend with shifting DDoS attacks from highly sophisticated hacktivist groups and other bad actors.

In theory, there is a maximum throughput for DDoS attacks based on a variety of internet and infrastructure constraints. There is also no way to fully eradicate these types of attacks, and it’s more so a matter of when they will happen, and how organizations choose to protect themselves. Bad actors will continue to conduct meticulous research to get past even the most astute security teams. Despite this inconvenient reality, enterprises can stay one step ahead of hacktivist groups and other threat actors. By leveraging decades of attack mitigation experience combined with ML algorithms, IT departments can ensure that business-critical services don’t fall prey to future attacks that will persist in the years to come.

About the Author

Gary Sockrider, Director, Security Solutions, NETSCOUT, is an industry veteran bringing over 20 years of broad technology experience including routing and switching, data center, wireless, mobility and collaboration but always with a focus on security. His previous roles include security SME, consultancy, product management, technical marketing, and customer support. Gary seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address the challenges they present. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held previous positions with Avaya and Cable & Wireless.



Source link