2020 already holds more than enough challenges for most organisations, but sadly, cyber criminals are always eager to add to the pain. In late summer, Imperva became aware of a significant rise in serious Ransom Denial of Service (RDoS) attacks, targeting thousands of large commercial organisations worldwide. In an RDoS campaign, cyber criminals use the alias of notorious malicious groups to threaten a Distributed Denial of Service (DDoS) attack on a target network – unless that target pays a ransom. Perpetrated by what claims to be part of the notorious Lazarus cybercrime group, these threats are a symptom of a larger, troubling trend: an unprecedented increase in the size and frequency of network-level and application layer attacks.
DDoS attacks are growing in size and sophistication
Over the past 10 months, Imperva Research Labs has noticed the number of DDoS attacks against our customers increasing significantly – both in volume and level of intensity. In July, Imperva reported attacks of remarkable size and scope, and in the same month, it also reported the largest attack in terms of packets per second, at 139 MPPS. The following month, the largest attack in terms of bandwidth was recorded at 696 gigabits per second. While attacks in September didn’t match these peaks, they came close – making it the month with the highest overall network DDoS risk in 2020 so far. For context, the frequency and strength of these global DDoS attacks has eclipsed the levels of November 2019, a peak holiday shopping period.
Seeing through the smokescreen
Because multiple computers from a globally dispersed botnet “zombie army” of hijacked internet-connected devices are attempting to flood a server with fake traffic to knock it offline, DDoS attacks are already more destructive than Denial of Service (DoS) attacks perpetrated from one machine. However, in recent years we’ve monitored a disturbing trend: DDoS used as a smokescreen. The service disruption draws the IT team’s attention away from a separate and more sophisticated incursion, such as account takeover or phishing.
Over one in five UK employees received Covid-19 phishing emails
The damage of just the DDoS can be bad enough. It takes a targeted website minutes to go down in a strike, but hours to recover. In fact, 91% of organisations have experienced downtime from a DDoS attack, with each hour of downtime costing an average of $300,000. Beyond the revenue loss, DDoS can erode customer trust, force businesses to spend large amounts in compensations, and cause long-term reputational damage; particularly if it leads to other breaches.
The seven elements of successful DDoS mitigation
With many businesses already struggling, falling victim to a cyber attack could be the final straw that breaks the camel’s back. A comprehensive defence is essential, but with attacks ranging from massive volumetric bombardments to sophisticated and persistent application layer threats, what are the most important elements of potential solutions to consider?
- SLA for Mitigation. When just seconds of downtime can hurt a business, time to mitigation (TTM) – the time between the first DDoS packet hitting a system and the DDoS mitigation system starting scrubbing incoming traffic – is a vital consideration. Organisations should look for a solution whose service-level agreement (SLA) guarantees mitigation of any DDoS attack – not just simple attack vectors – in seconds.
- Technical capabilities. Organisations need technology purpose-built for each type of DDoS attack. For example, volumetric attacks (which flood victims’ systems with unwanted requests) and protocol attacks (which exploit the transport layer) can be thwarted with technology that profiles traffic via machine learning and defines and updates relevant DDoS security policies based on behavioural pattern variation. This combines with threat research algorithms as part of a multi-stage real-time mitigation process to address suspicious activity.
- Operational simplicity. Given their role in ensuring business continuity, DDoS protection shouldn’t be cumbersome to implement and operate. Enterprises can’t afford to lose precious seconds after an attack because their DDoS software is too complex.
- Network setup. DDoS protection can be an always-on operation or, if safeguarding data centres, on demand – i.e. only active when an attack is underway. Whether mitigation is triggered automatically or by manual approval, a wide range of connectivity options is also key to allow smooth adaptation to the organisation’s own topology.
- Geographic distribution. Comprehensive geographical coverage is critical. Look for vendors with a worldwide network of DDoS scrubbing centres as well as a wide range of direct peering agreements and Tier 1 transit providers. This allows companies optimal latency for the protection service regardless of the locations of data centres and/or cloud assets.
- Operational mitigation. DDoS protection is all about rapidly analysing, identifying and mitigating malicious traffic. Traffic information is the key element, and flexible ways to access it are crucial. In an always-on scenario, a solution needs to sample and analyse always-flowing traffic in real time. This information isn’t only needed for attack detection, but also for more granular traffic analytics, which can help provide the all-important “bigger picture” when it comes to recognizing DDoS smokescreens and underlying attacks.
- Integration. Native API functionality is a key ingredient in modern DDoS protection systems. Native integration with SIEM platforms, for example, allows capture, retention, and delivery of security information and events in real-time to the SIEM application of choice, where it can be readily accessed and viewed in a broader context.
Network security in a world of encryption
By focusing on these seven elements in their DDoS protection strategies, organisations can be aggressive and proactive in defending themselves against these rising attacks.