Amazon is a company that is known for setting records. However, in February 2020, Amazon Web Service, easily considered one of the most comprehensive cloud platforms, set a record that the company might have been happy to do without. Amazon sustained a 2.3 terabit per second DDoS attack. Thankfully, they could successfully defend against this attack that was reported to last multiple days. Before this, GitHub had the record for sustaining the largest DDoS attack, a 1.3 Tbps second attack that happened in 2018.
Photo: Creator: Tashatuvango / Credit: Getty Images/iStockphoto
As it has with many other things, reports show that the COVID-19 pandemic has facilitated an increase in DDoS attacks. The first quarter of 2020 saw not only an increase in the number of attacks but also an increase in the intensity and length of attacks. We should note that the first quarter of every year typically sees an increase in DDoS attacks, but the first quarter of 2020 saw an 80 percent increase over 2019. This was unexpected.
Imperva also sustained several unprecedented attacks in May 2020. Two of these attacks lasted for up to six days. The attacks had over 150,000 requests per second. What was even more impressive about these attacks is that they originated from thousands of unique IP addresses. In one case, they originated from over 28,000 unique IPs. In another attack, they were from over 3,000 unique IPs.
What was the source of these attacks? They came from China, the United States, and the Philippines.
They also came from computers around the country - specifically cheap and discounted hosting servers.
In a 12 month study of uptime and downtime across all major hosting companies in Australia, ecommerce expert Nathan Finch found that free VPS hosts and discounted hosting companies were being actively targeted by malware to act as bots in a larger cheaper botnet army. VPS instances were being used to send our malware to adjacent networks effectively recruiting an army of computers.
When we are measuring attack by bandwidth, we are looking at the capacity to send the data via an Internet connection. When measuring an attack by the packet forwarding rate, we are looking at the number of packets network devices are processing.
Larger scale DDoS attacks usually are two-pronged, using both the bandwidth and packet forwarding rate to saturate the victim’s network and forcing it to crash.
Attackers are becoming more sophisticated and aggressive in their approach. Attacks that in times past were large are now viewed as commonplace. Just because higher packet attacks are happening with greater frequency does not mitigate the threat they pose or the frustration they cause for businesses that are bombarded by them daily.
In response to the pandemic, many organizations were forced to transition to having their employees work from home. This meant that millions of employees were relying more heavily on the Internet to do their work, and they were using Internet connections that lack high levels of security.
To counteract this, many businesses have sought out third-party software designed to improve security for work at home employees. However, because of the sudden onset of the pandemic, businesses have been making these decisions quickly. They have tried to implement new security procedures without having time to properly train their employees how to use them or on the importance of taking extra precautions now that they are working from home.
Since work from home employees are unfamiliar with the new security software being installed on their devices, many become frustrated and revert to using personal email addresses and other forms of communication that lack the needed security.
Criminals are taking advantage of these vulnerabilities, especially by using phishing scams that are targeted at certain employees. It’s interesting to note that while DDoS attacks have been targeting corporate interests, DNS hijacking is also on the rise.
DNS hijacking is a technique where a cyber criminal will change DNS settings, redirecting a person to a website that seems legitimate but has malware. A troubling trend in DDoS that seems to have picked up since the COVID-19 outbreak are attacks that originate from multiple countries instead of originating from just one region or one country.
For example, the AWS shield is a tool that Amazon uses to manage DDoS protection. In February’s record-breaking attack, it seems like the attacker hijacked a Connection Less Lightweight Directory Access Protocol server. CLDAP is a protocol that is often targeted in DDoS attacks because it makes it possible to significantly amplify the data being sent.
However, it is telling that the record-breaking DDoS happened in February 2020 and it has only been in the public consciousness during the summer months. This is an obvious indication that these types of attacks do not have the same impact that they did years ago. Or, more accurately put, it shows that if a company or service takes the appropriate measures to protect against DDoS attacks, they are more of an annoyance than a threat.
This by no means indicates that DDoS attacks are going anywhere. As the Internet of Things continues to grow and as we find ourselves in a world where our refrigerators can be hacked, it is likely that more devices will become victims of DDoS attacks. Routers, cameras, and similar devices have been and will continue to be targets for cyber criminals. As vulnerabilities surface with these devices, they will be exploited. Devices take a lot longer to patch than operating systems, so the duration of these attacks will be longer.
What Is a Denial of Service Attack?
A DDoS attack is an onslaught that happens in rapid succession. The goal is to make a computer system unresponsive, rendering it unavailable. The attack is carried out by sending excessive requests, communications, and additional data input. The goal is to overload the system of the victim. The force of the attack is multiplied by using several Internet connections and multiple devices to send simultaneous attacks as opposed to using one computer and one Internet connection.
Photo: Creator: Tashatuvango / Credit: Getty Images/iStockphoto
As it has with many other things, reports show that the COVID-19 pandemic has facilitated an increase in DDoS attacks. The first quarter of 2020 saw not only an increase in the number of attacks but also an increase in the intensity and length of attacks. We should note that the first quarter of every year typically sees an increase in DDoS attacks, but the first quarter of 2020 saw an 80 percent increase over 2019. This was unexpected.
Imperva also sustained several unprecedented attacks in May 2020. Two of these attacks lasted for up to six days. The attacks had over 150,000 requests per second. What was even more impressive about these attacks is that they originated from thousands of unique IP addresses. In one case, they originated from over 28,000 unique IPs. In another attack, they were from over 3,000 unique IPs.
What was the source of these attacks? They came from China, the United States, and the Philippines.
They also came from computers around the country - specifically cheap and discounted hosting servers.
In a 12 month study of uptime and downtime across all major hosting companies in Australia, ecommerce expert Nathan Finch found that free VPS hosts and discounted hosting companies were being actively targeted by malware to act as bots in a larger cheaper botnet army. VPS instances were being used to send our malware to adjacent networks effectively recruiting an army of computers.
What Is the Best Way to Measure a DDoS Attack?
DDoS attacks can be measured by bandwidth or by forwarding rate. The criteria used to measure an attack can affect how the largest attack in history is determined.When we are measuring attack by bandwidth, we are looking at the capacity to send the data via an Internet connection. When measuring an attack by the packet forwarding rate, we are looking at the number of packets network devices are processing.
Larger scale DDoS attacks usually are two-pronged, using both the bandwidth and packet forwarding rate to saturate the victim’s network and forcing it to crash.
Attackers are becoming more sophisticated and aggressive in their approach. Attacks that in times past were large are now viewed as commonplace. Just because higher packet attacks are happening with greater frequency does not mitigate the threat they pose or the frustration they cause for businesses that are bombarded by them daily.
Why We Have Seen a Rise in Cyber Attacks during the Pandemic
The first reason is that cyber criminals are opportunist. The COVID-19 pandemic has exposed several vulnerabilities simultaneously that bad-faith actors have been trying to expose.In response to the pandemic, many organizations were forced to transition to having their employees work from home. This meant that millions of employees were relying more heavily on the Internet to do their work, and they were using Internet connections that lack high levels of security.
To counteract this, many businesses have sought out third-party software designed to improve security for work at home employees. However, because of the sudden onset of the pandemic, businesses have been making these decisions quickly. They have tried to implement new security procedures without having time to properly train their employees how to use them or on the importance of taking extra precautions now that they are working from home.
Since work from home employees are unfamiliar with the new security software being installed on their devices, many become frustrated and revert to using personal email addresses and other forms of communication that lack the needed security.
Criminals are taking advantage of these vulnerabilities, especially by using phishing scams that are targeted at certain employees. It’s interesting to note that while DDoS attacks have been targeting corporate interests, DNS hijacking is also on the rise.
DNS hijacking is a technique where a cyber criminal will change DNS settings, redirecting a person to a website that seems legitimate but has malware. A troubling trend in DDoS that seems to have picked up since the COVID-19 outbreak are attacks that originate from multiple countries instead of originating from just one region or one country.
Are DDoS Attacks Losing Some of Their Bite?
There was a time when DDoS attacks were bigger news. However, it seems like they are losing some of their power. This is thanks in part to content delivery networks that mitigate their power.For example, the AWS shield is a tool that Amazon uses to manage DDoS protection. In February’s record-breaking attack, it seems like the attacker hijacked a Connection Less Lightweight Directory Access Protocol server. CLDAP is a protocol that is often targeted in DDoS attacks because it makes it possible to significantly amplify the data being sent.
However, it is telling that the record-breaking DDoS happened in February 2020 and it has only been in the public consciousness during the summer months. This is an obvious indication that these types of attacks do not have the same impact that they did years ago. Or, more accurately put, it shows that if a company or service takes the appropriate measures to protect against DDoS attacks, they are more of an annoyance than a threat.
This by no means indicates that DDoS attacks are going anywhere. As the Internet of Things continues to grow and as we find ourselves in a world where our refrigerators can be hacked, it is likely that more devices will become victims of DDoS attacks. Routers, cameras, and similar devices have been and will continue to be targets for cyber criminals. As vulnerabilities surface with these devices, they will be exploited. Devices take a lot longer to patch than operating systems, so the duration of these attacks will be longer.
