The changing DDoS threat landscape
The word Meris (Latvian for plague) will make any cybersecurity expert sit up. Staying true to its name, Meris has wreaked havoc by targeting thousands of computers worldwide since last year. The scale and sophistication of the distributed denial-of-service (DDoS) attacks launched by the new botnet, drawing power from compromised Internet of Things (IoT) devices, personal computers, routers and home gadgets, is unprecedented. Meris is not the first and won’t be the last. DDoS attacks are here to stay and evolving steadily to pose a major threat to a world heavily reliant on digital communications – a fact reinforced in the Nokia Deepfield Network Intelligence report: DDoS in 2021.
What is DDoS?
As the internet brings billions of devices online, thousands of common vulnerabilities and exposures (CVEs) get discovered and, while waiting to get fixed, become available to be exploited by hackers and cybercriminals. DDoS is another type of IP network traffic – albeit a malicious kind that has been around for over two decades. It has been used to disrupt servers, services or even entire networks by saturating them with a high volume of traffic, high intensity of packets, and flooding internet systems and devices with a high frequency of malformed requests to confuse or render them inoperable. The ‘distributed’ nature of DDoS refers to the fact that they emanate from different locations, sometimes hard to be tracked back because of IP spoofing – techniques used to hide originating IP addresses.
In recent times, at the core of most DDoS attacks are botnets. A botnet is a collection of compromised sets of individual devices like home computers, routers, IP cameras, digital video recorders (DVRs) and even parking meters. The end devices are commonly called bots or zombies because they have been taken over by hackers. The infected machines are usually triggered into action from a command center, a compromised server or a remote computer used by a hacker or cybercriminal.
DDoS is not a new concept and has been exploiting IP protocol and systems vulnerabilities for years. Some protocols, such as Domain Name System (DNS), have gained additional security features though these have not been deployed extensively or universally. However, many protocols still rely on open principles set by the internet community a long time ago. Some of them never envisaged malicious exploits that could jeopardize the intended operation of router-based networks.
Motivations behind DDoS attacks vary widely. Some are executed by lone individuals or hacktivists. Others have a financial angle, including disrupting competitor business or extortion, whereby the perpetrators install ransomware on the target company’s servers and demand a payout to restore services. DDoS is even used as a cyber weapon by nation-states, targeting critical network infrastructure and systems.
Figure 1 Tracing DDoS back to its origins. Source: Nokia Deepfield
Attacks on the upswing
At a time when the cloud, IoT and 5G are transforming the digital world, networks have become even more important. More so after the advent of COVID-19, which has increased the reliance on the internet manifold. Unfortunately, the pandemic has also led to a growth in DDoS traffic. Apart from the 100 percent increase in “high watermark levels” – daily peaks in DDoS traffic, DDoS has grown to be a terabit level daily reality for many networks globally, with imminent and more damaging potential for attacks over 10-15 Tbps. As more than 10,000 attacks from internet providers worldwide were analyzed in the DDoS in 2021 report, a perceptible shift has been noted in the threat patterns, with attacks moving beyond PCs and emerging from outside and inside service provider networks, aiming for internet hosts and servers, customers, users and network infrastructure globally.
“Over the last year, the vast majority of DDoS has now transitioned essentially to IoT devices, other types of cloud servers and compromised cloud accounts,” says Dr. Craig Labovitz, CTO of Nokia Deepfield.
“The IoT devices mostly come with exploitable bugs in their embedded operating systems or web servers. Others, including hundreds of thousands of devices, ship with a default password,” he adds.
While most DDoS attacks are treated as a nuisance, high-bandwidth and high-packet-intensity volumetric attacks are worrying. With volumetric amplification DDoS, attackers leverage increased bandwidth and connectivity to deploy millions of servers and unsecured and compromised IoT devices to target and saturate interfaces, routers, load balancers, firewalls and network hosts.
Large-scale DDoS attacks can be fatal for network routers and infrastructure, disrupting connectivity and service availability for communication service providers (CSPs), enterprises and consumers. They can lead to losses ranging from thousands to millions of dollars.
“It’s worth noting that although some big attacks get the headlines, many go unreported because service providers do not want to expose details about their security capabilities or vulnerabilities. Even worse, attacks can go undetected by service providers until reported by users on social media,” says Alex Pavlovic, Director, Product Marketing at Nokia Deepfield.
Figure 2 Peak daily DDoS traffic January 2020 – May 2021 across select service providers. Source: Nokia Deepfield
Spike in botnet DDoS
Botnet DDoS is one type of traffic that has exhibited significant growth since mid-2021. In the second half of the year, in marked contrast to the pre-IoT era, most of the largest DDoS attacks exclusively leveraged large-scale botnets. Today, botnet DDoS is the source of tens of thousands of attacks daily, with each of them involving anywhere between several thousand and several million IP addresses. It is estimated that between 100,000 and 200,000 active bots are engaged in these attacks.
Nokia Deepfield estimates IoT botnet and amplifier attack capacity to be over 10 Tbps, a significant two to three times increase from the size of any publicly reported DDoS attacks to date. In 2021, aggregate daily DDoS traffic volumes peaked at over 3 Tb/s, with further growth recorded in 2022.
What’s making the situation worse is the difficulty in detection and mitigation. In the past, the basic tool to counter DDoS were offline “traffic cleansing systems” called scrubbers, which identified and removed malicious traffic and returned genuine traffic back to the network. These countermeasures were successful in thwarting the common amplification/reflection and synthetic traffic which normally does not exist as such on the internet. But this approach worked well when traffic volumes were manageable. The sheer volume growth scale puts this approach’s cost effectiveness in question, along with additional delay and backhaul costs introduced.
Botnet DDoS, unlike predecessors, uses valid IP addresses, full TCP-IP stacks, legitimate OS-generated protocol headers, correct checksums, and payloads carefully crafted to match normal application traffic. The problem with the older detection algorithms used by legacy scrubber-based solutions is that they require meaningful features for extraction. Features most of today’s large-scale botnet DDoS attacks don’t carry.
“What changes with botnets is that the packets are often encrypted; they often use Transport Layer Security (TLS). And again, because they’re botnets and not just a few servers, you’ve gone from two or three servers launching a DDoS to now 10,000 or 100,000 bots, all of which have independent CPU memory capacity, often running full Linux stacks,” says Labovitz.
Figure 3 Average peak rates for DDoS attacks, per attack type (recorded in 2H 2021). Source: Nokia Deepfield
Addressing the new challenge
The big question facing network operators currently is how to prepare for this formidable threat, given the exponential rise in botnets and their ability to generate realistic application payloads. The current approaches to DDoS protection are hobbled by multiple factors, including protection provided only to a few customers or systems, inability to scale, performance degradation, and prohibitive cost.
According to Labovitz, three things need to happen to address the threat.
A better job must be done in educating IoT manufacturers. This, along with the implementation of industrywide best common practices. Secondly, security should not be an add-on to the network. “We’re approaching the point where we can no longer add security as an afterthought. It has to be foundational to the infrastructure,” he says. Finally, changing the way security experts should approach detection and mitigation. Nowadays, DDoS isn’t coming from specific countries or servers; it’s coming from botnets and from everywhere, including one’s own network.
To safeguard from the new generation of threats, a new and robust DDoS defense must:
- Protect everything and everyone
- Provide real-time detection with better accuracy
- Deliver cost-effective, agile, terabit-level mitigation
- Automate mitigation of complex security policies to drive real-time surgical removal of DDoS threats and attacks
The system needs to provide cloud-era visibility beyond IP addresses and include visibility into the larger internet context, including services, CDNs, websites and IoT devices. At the same time, it must be flexible and capable of detecting new and emerging threats as they develop and evolve.
Hybrid network architectures that combine physical and virtualized network domains are proliferating and creating even more distributed sets of network boundaries that need to be monitored for both ingress and egress DDoS. With the increased number of endpoints that need to be protected – customers, end devices and systems, plus network infrastructure – DDoS security must deliver improved performance with scalability and automation.
Advanced, big data IP network analytics and programmable routers can efficiently block most of the DDoS attacks on the internet. More scalable and cost-effective mitigation can be achieved using the concept of a self-defending network. This means embedding security in the IP network and combining advanced detection capabilities with sophisticated features of the latest generations of router silicon, which allow security enforcement at line speed.
“As the DDoS threat evolves and better tools emerge to combat the menace, the internet community needs to take a firmer stance. The battle against DDoS must be fought with technology and with more involvement and better cooperation from service providers, hyperscale cloud builders, end users, regulators and governments,” says Pavlovic.