Although the strength and number of distributed denial of service (DDoS) attacks in Australia dropped precipitously during 2017, one expert warns that the change in attack patterns actually reflects an intentional move by threat actors seeking to do as much damage as possible in ever-smaller windows of opportunity.
The largest reported service-provider DDoS attack dropped to 600Gbps, from 800Gbps in 2016, according to NETSCOUT Arbors’ latest Worldwide Infrastructure Security Report (WISR).
That decline – which come after four successive years of exploding DDoS volumes – “is a surprise given the latent capability within some of the weaponized DDoS services and botnets currently active across the Internet,” the report’s authors note.
That said, service providers and enterprises reported a surge in more carefully-targeted attacks, with 57 percent reporting their Internet bandwidth was saturated due to DDoS attacks – up from 42 percent the previous year – while 48 percent reported being hit with multi-vector DDoS attacks, up from 40 percent the previous year.
The largest attacks against an Australian target measured 228Gbps and 39.9 million packets per second, respectively, with 131,700 total attacks detected during the year. The United States, China, UK and Russia were almost evenly represented as the source countries for attacks on Australia.
Ongoing use of DDoS attacks was likely to see new surges this year as Internet vandals sought to disrupt the upcoming Pyeongchang Winter Olympics and Gold Coast Commonwealth Games.
“We have already started to see spikes in both Korea and Australia,” NETSCOUT Arbor ANZ country manager Tim Murphy told CSO Australia. “Global events tend to attract threat actors and perpetrators, and [the detected activity] is preparation for what we anticipate to be larger and more targeted attacks.”
The prevalence of DDoS attacks has made them the second and third highest threats to businesses, behind ransomware. A third of respondents reported that they were being hit with 1 to 10 DDoS attacks per month, while fully 17 percent said they were getting hit by 500 or more DDoS attacks per month.
Average attack time dropped from around 20 minutes to just 12 minutes – suggesting, suggesting, Murphy said, that DDoS attack perpetrators were limiting their attacks knowing that better DDoS protections could stop them in around 20 minutes anyway.
“Threat actors are starting to understand what the Arbors and other companies are doing about DDoS, and they are aggressively trying to fly under the radar,” he explained. “They know getting a DDoS mitigation up and running can take a period of time – so they’re attempting to do the majority of damage in a period under that window.”
This behaviour had increased the onus on businesses to develop a capability that would allow them to detect and respond to DDoS attacks much faster than they could in the past – and to respond in an appropriate way, as failed to happen in the wake of the notorious 2016 Australian Census DDoS debacle.
“You need to be more in your ability to detect and to mitigate,” Murphy said, “or the damage will be done by the time you’ve commenced your mitigation.”
The potential repercussions are driving businesses to embrace new forms of DDoS remediation. Use of automatic DDoS attack mitigation tools jumped in 2017, with 36 percent of respondents saying they were using such tools compared with 27 percent the year before.
A quarter of the companies had a special security group to deal with DNS-related threats, with 43 percent indicating they had application-layer (Layer 7) visibility while 73 percent were relying on visibility at layers 3 and 4.
SNMP-based monitoring overtook firewall logs as a favoured method for detecting DDoS attacks but NetFlow-based tools remained the most popular tool amongst the service providers and enterprises analysed
Failure to get more proactive about DDoS protections is increasingly leaving businesses at the potential mercy of online threat actors that may have any number of reasons to target a business with a DDoS attack.
Fully half of all DDoSes, for example, were said to be related to online gaming and 49.1 percent happened when criminals demonstrate their DDoS capabilities to potential customers. Some 44.4 percent of attacks were linked to criminal extortion, while 35.1 percent were attributed to nihilism or vandalism.
Some 24.4 percent of DDoS attacks were said to be diversions to cover data compromise or exfiltration, while 20 percent were said to have resulted from competitive rivalry between business organisations.
Whatever the motivation, such attacks were proving quite successful: 71 percent of respondents to the latest WISR said they had suffered increased operational expenses as a result of a DDoS attack. Some 48 percent said they had lost customers in the wake of such an attack, while 3 percent reported revenue loss and 19 percent, employee turnover.
Australian businesses were generally fortunate because telcos like Telstra had been proactive in building infrastructure to detect and filter DDoS attacks before they reached our shores, Murphy said.
But with DDoS “not going away”, Internet of Things (IoT) devices increasingly being commissioned into DDoS botnets, and many companies receiving extortion demands threatening DDoSes for noncompliance, he said it remained imperative on every company to revisit and refine its approach to handling the DDoS threat.
That included monitoring IoT activity on the company network and extending protections to employees’ homes, where IoT compromises could easily spread laterally onto corporate networks.
“Most DDoS infrastructure has been geared for inbound detection and mitigation,” he explained, “but the biggest threat for enterprises is that their carriers can’t protect them from outbound activity from their own environments.”
“I think there will be a renaissance in domestic-style perimeter security because there is such growth in connected devices in domestic environments. Enterprises have to be much more aware of this.”