The proliferation of the Internet of Things (IoT) is giving hackers fresh ammunition.
As IoT devices continue to prioritize convenience over security, cybercriminals are easily gaining control of these devices and using them to build botnets to launch Distributed Denial of Service (DDoS) attacks. Kaspersky Lab’s Q1 2018 DDoS Intelligence Report revealed the number of attacks rose significantly, as did the number of long-duration attacks.
As the IoT industry grows, DDoS attacks will similarly rise in scale, severity, and frequency. The most sustained DDoS attack lasted 297 hours —more than 12 days— making it one of the longest in recent years. Communication service providers (CSPs) are often caught in the crosshairs, but this also places them in a unique position to mitigate attacks at the network level.
CSPs can help protect their network and services – and by extension, their consumer and business subscribers – from these threats, but they need to be aware of the top DDoS attack vectors to quickly identify and stop attacks.
Protocol
Protocol attacks are significantly different from the other methods as they focus on exhausting the protocol resources of a target. The attacker doesn’t usually take over all the target’s available bandwidth, but just enough to consume a specific server resource.
A protocol attack example includes:
- SYN flood – SYN flood attacks are designed to consume resources of the victim server by attacking a firewall or other perimeter defense elements. The goal of this attack is to overwhelm the server’s capacity limits to then bring it down. Both consumer and enterprise customers, along with the CSP’s services, remain unprotected and exposed to security threats once the SYN flood takes down the perimeter defense elements.
SYN attacks are the most popular vector, responsible for 57.3% of the total volume of incidents during Q1 2018. The good news is that CSPs can help by providing security options to their business and consumer customers that detect and mitigate traffic anomalies at the network level before any damage is done.
Volumetric
Volumetric attacks are the simplest DDoS attack type with a goal of flooding a target with as much traffic as possible to prevent normal operation. For a successful attack, it needs to override enough of the target’s Internet connection capacity to impact as many clients of the target as possible.
A volumetric attack example includes:
- UDP flood – UDP flood attacks are known for being difficult to detect and block because they usually don’t match a consistent pattern, and therefore can exhaust a network effectively and efficiently. This unpredictable network congestion can affect network performance and customer Quality of Experience (QoE).
UDP flood attacks have dropped off by 1-2% compared to last quarter, according to Kaspersky, but still account for 13.2% of the total volume of DDoS attacks.
Application
Application attacks are low-and-slow, focused on specific application resources and vulnerabilities, whereas other attacks target a broader range of resources existing on several devices. Unlike volumetric attacks, these don’t need to be as coordinated since they focus primarily on specific vulnerabilities.
An application attack example includes:
- HTTP flood – HTTP/S flood attacks occur when the attacker exploits legitimate HTTP requests to attack a web service or application. In a successful attack, botnets such as infected IoT devices are used, causing CSP web services to become overwhelmed— denying customers any type of service. In the case of CloudFlare’s HTTP flood attack, servers are constantly being targeted by DDoS attacks and it sees everything from attempted DNS reflection attacks to L7 HTTP floods involving large botnets as a part of normal business.
HTTP floods have also dropped by 1-2% from last quarter, but are still responsible for 8.8% of the total DDoS attack volume.
You’ve Been DDoSed— What’s Next?
Although many common DDoS attacks typically fit within these three categories, attacks have also appeared in combination. Take the infamous attack on Dyn’s DNS infrastructure, for example, which was a unique combination of an application and protocol attack that later transformed into a volumetric attack.
DDoS records have already been set (and re-set) in 2018. In March, one week after a record-breaking DDoS attack on GitHub, a U.S. service provider suffered an even larger attack, peaking at 1.7Tbps. For improved DDoS security, a holistic approach is highly recommended and is best delivered through the network, by CSPs, coordinating both preventative and reactive measures. Having centralized, granular visibility into the network using deep-packet inspection (DPI), behavior profiling tools and analytics can help CSPs detect and mitigate DDoS attacks in real time, preventing network elements from being overwhelmed and ensuring the quality of legitimate traffic during attacks.
