This week sees the NIS Regulations (the UK’s implementation of the EU NIS Directive) take effect. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats.
Earlier this year, Corero surveyed over 300 critical infrastructure organisations in the UK, under the Freedom of Information Act. The survey revealed that more than two thirds of organisations (70%) have suffered from service outages on their IT networks in the past two years; leaving them potentially vulnerable to receiving fines under the new NIS Regulations.
What is the EU NIS Directive’s Purpose?
The implementation of the EU’s Network and Information Systems (NIS) Directive aims to raise levels of security and resilience of network and information systems and offers a golden opportunity to improve the UK’s cyber-security posture. Indeed, after the legislation is implemented into UK law, critical infrastructure outages would have to be reported to regulators, who have the power to impose financial penalties of up to £17 million where operators of essential services have failed to protect themselves against loss of service. With 432 UK organisations falling within the NIS remit, these fines represent a potential liability measured in £ billions.
Critical Infrastructure Attacks Are on the Rise
In the last few years, there have been a greater number of sophisticated and damaging cyber-threats across all parts of critical national infrastructure (CNI). Keeping CNI systems secure greatly reduces the risk of a catastrophic outcome that risks public safety, service disruption and/or regulatory fines.
A successful attack on critical systems can cause widespread disruption. For example, last October’s DDoS attack on the Swedish Railways took out their train ordering system for 2 days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack caused many NHS systems to be unavailable, causing operations to be cancelled.
Previous reports have also highlighted the dangers of infrastructure attacks, such as last year’s attack on a Saudi Arabian petrochemical plant and Russia’s wide-ranging cyber-assault on the US energy grid. In addition, Ciaran Martin, the head of the National Cyber Security Centre (NCSC) warned in January that he expects the UK to suffer a major, crippling cyber-attack against its critical infrastructure within the next two years.
Mitigating the Cyber Threat
Despite the huge fines and multiple warnings, 11% of the critical infrastructure organisations that responded to the Corero study admitted that they do not always ensure that critical vulnerabilities are patched within 14 days, as recommended in the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all the organisations that responded to the study (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.
Operators of essential services need to invest in proactive cyber-security defences to ensure that their services can stay online and open for business during a cyber-attack. Hopefully, the arrival of the NIS Regulations and updated National Cyber Security Centre (NCSC) guidance will be the spur for that.
The NCSC guidance is heavily weighted on procedural frameworks and reactive attack reporting rather than advising organisations on how to proactively defend themselves. As things stand, there is genuine risk that the NIS Regulations may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.
DDoS attacks are on the rise and can have a damaging impact on a company’s bottom line, both in terms of lost revenue and the costs incurred in terms of manpower required to mitigate attacks. To investigate this problem, Corero surveyed over 300 security professionals from a range of industries including financial services, cloud, government, online gaming and media sectors, which revealed that DDoS attacks are costing enterprises up to $50,000 (£35,000) per attack.
Yet despite this figure, lost revenue was still only considered to be the fourth most damaging consequence of this type of cyber-attack. Most respondents cited the loss of customer trust and confidence as the single most damaging effect on business of DDoS attacks. This is because DDoS attacks can impact the ability of sales teams to acquire new customers in increasingly competitive markets and cause lasting damage to a company’s reputation. In turn this usually has negative consequences for customer loyalty, churn and corporate profits.
DDoS As a Smokescreen
The second most damaging threat revealed by the survey was the risk of intellectual property theft, followed by the threat of malware infection associated with a DDoS attack. Indeed, the majority of respondents believed that DDoS attacks are being used by attackers as a precursor or smokescreen for data breach activity. Incidents like the infamous Carphone Warehouse attack remind us of the dangers of enterprise IT teams being distracted by DDoS attacks, while hackers take advantage of degraded network security to exploit other vulnerabilities for financial gain.
When hackers use DDoS attacks as a smokescreen, they typically use low-volume, short duration attacks that are designed not to outright deny service but to distract from their alternative motives. In addition to service outages, latency and downtime, short attacks allow cyber-criminals to test for vulnerabilities within a network. Considering the huge liability that organizations can face in the event of a data breach, IT teams must be proactive in defending against the DDoS threat, and monitor closely for such malicious activity on their networks.
The IoT problem
The majority of respondents reported that their organization experiences between 20 and 50 DDoS attack attempts a month; equivalent to roughly one attack per day. Unsurprisingly, participants in the survey also viewed DDoS attacks as a bigger concern in 2018 than in the past, primarily due to the rise of insecure connected devices and the association between DDoS and data breach activity. Indeed, with the increased availability of cyber-attack tools and their capabilities, hackers can compromise IoT devices and enslave them into a botnet for use in DDoS attacks. For example, this year we’ve seen a new Mirai-style botnet known as Reaper which is reported to be targeting the financial sector. Reaper has been used to launch some of the largest botnet attacks since the infamous DDoS attack against DNS provider Dyn in October 2016 including those that hit three Dutch banks in January.
What’s next for DDoS?
With multi-vector attacks being the norm, DDoS attacks are becoming more complex to mitigate. The survey results indicate that more than 15 employees are typically involved in defusing the threat when an attack strikes. In recent months we have also witnessed new records being set for the size of DDoS attacks, as cyber-criminals exploited the Memcached amplification attack vector to headline-grabbing effect. This has ushered in a new chapter in terms of DDoS attacks and made Terabit-scale events a reality.
As a result, any revenue and/or reputation sensitive organization with an online presence must take steps to ensure they are prepared for today’s DDoS attacks. The most effective way to defeat these threats is with always-on DDoS protection that can detect and mitigate the attacks in real-time.
Over the last few weeks, security researchers from around the globe have shared concerns about scans being carried out by a Hajime IoT botnet looking to mass-infect unpatched MikroTik devices. According to Bleeping Computer, the attackers were trying to use a vulnerability that affects MikroTik RouterOS firmware 6.38.4 and earlier, and which allows attackers to execute code and take over the device. This vulnerability, called "Chimay Red", was one of the flaws included in the WikiLeaks "Vault 7" leak of alleged CIA hacking tools, and has also been used to compromise MikroTik routers by changing hostnames of vulnerable devices in the past year.
This incident is a reminder of the widespread problem of security vulnerabilities within Internet-connected devices, which makes them an attractive target to hackers looking to recruit them within IoT botnets.
What is the Hajime botnet?
Hajime is an IoT worm that was discovered by security researchers at Rapidity Networks in October 2016. Like Mirai before it, Hajime takes advantage of default login details to brute-force its way into unsecured devices with open Telnet ports. These unsecured IoT devices offer huge spoils for malicious attackers, giving them the potential to harness thousands of devices and turn them into a botnet army that can be used to launch damaging DDoS attacks. Last year, Kaspersky Lab revealed that the botnet had already built up a compromised network of 300,000 devices.
So far the Hajime botnet has not been observed launching any high profile attacks, but it remains a concern for security experts due to its sophisticated mechanisms, its flexible design and the fact that its objectives remain unknown. In this recently reported activity, Hajime is being observed while performing its IoT worm activity. It is aggressively scanning specific network ports to find vulnerable MikroTik devices, including trying the Chimay Red exploit. If successful, it will install a new copy of itself on the victim. Bot herders do this to gather an ever-growing “herd” of bots that can be subsequently used to launch malicious activity, including DDoS attacks.
A step towards protection
The sheer volume of unsecured or vulnerable IoT devices in circulation poses a serious challenge for security. After all, any device that has an Internet connection and a processor can be an exploit target. In an ideal world, all devices should be forced to go through some sort of basic configuration check before being connected to the Internet to avoid default vulnerabilities. Many industry figures are arguing for increased regulation of IoT devices, but even if this is brought into effect, it will likely only relate to new devices being manufactured in the future, rather than the plethora of unsecured devices already available and currently acting as ‘sitting ducks’ waiting to be recruited into botnets. The best defence against IoT botnet-driven DDoS attacks is to deploy an in-line, automated solution at the network edge, which can detect and mitigate any unusual network activity in real-time, and eliminate threats from entering a network.
Are retail and investment banks in denial about being adequately protected from the frequent advanced DDoS attacks they’re getting hit with today? It is mid-March 2018 – just three months into the year and 3 major banks have already been taken offline by DDoS attacks, making global headlines. Reuters reported that ABN Amro, ING and Rabobank were targeted by hackers, temporarily disrupting online and mobile banking services at the end of January (Reuters Jan 29, 2018 Dutch tax office, banks hit by DDoS cyber attacks). Whatever DDoS attack protection they had in place proved to be insufficient.
So why are today’s DDoS attacks so successful against well-heeled financial institutions who spend more on cyber-security than most organizations spend on IT in total? The problem may lie with the “protection gap” within banks’ legacy DDoS attack protection solutions that have evolved over the last 20 years but focus principally on defending against large volumetric DDoS attacks. Banks typically rely on two DDoS architectural components:
Cloud DDoS mitigation for elastic scalability during large volumetric attacks
Web Application Firewalls (WAFs) for encrypted traffic, and to provide confidentiality and integrity for encrypted “Layer 7” banking applications during attacks
Legacy DDoS attack defenses often lack the automation required to provide real-time mitigation of today’s short-duration DDoS attacks. Corero’s analysis shows that even the largest banks frequently have this protection gap and it is the Achilles’ heel within their DDoS defenses.
From the Verizon DBIR graph below we see that Financial Services organizations are twice as likely to be hit with a DDoS attack than any other industry. Despite this fact, the protection gap paradox suggests that banks remain either in ignorance or denial and, consequently, haven’t adjusted their DDoS defenses to be resilient to the short, sharp DDoS attacks that dominate today. Corero’s primary research shows that, in 2017, 96% of DDoS attacks were less than 5 Gbps and 71% lasted 10 minutes or less.
2017 Verizon Data Breach Investigations Report (DBIR)
Protecting all IP addresses presents economic and compliance challenges for banks using this legacy DDoS attack prevention architecture:
Always-on cloud DDoS mitigation across all IP address ranges is eye-wateringly expensive, so even wealthy banks tend not to cover all IP addresses, leaving some of their IP addresses unprotected against DDoS attacks.
To cover encrypted traffic, they are required to surrender crypto-keys which layers-on non-compliance risk due to personal data protection regulations and privacy mandates.
These challenges effectively create a “Catch 22” scenario where these banks can’t be fully protected even by always-on cloud DDoS defenses.
Consumers now demand and regulations require that banks (and other enterprises) keep their services available with zero downtime and that personal data privacy is guaranteed. As the Dutch experience has demonstrated, modern DDoS cyber-attacks pose a serious threat to both service availability and data security. Consequently, banks are at risk from trading outages, punitive regulatory fines, and customer churn.
There is good news for banks. Corero’s SmartWall® can supplement their existing defenses to deliver fully automated, real-time protection against today’s DDoS attacks. SmartWall mitigates both the short, sharp attacks and the larger attacks including amplification attacks that exploit the recently publicized “Memcached” vulnerability.
Security researchers have long shared their concerns about potential cyberattacks on critical infrastructure systems. Over the past few weeks, there have been several reports highlighting the dangers of such attacks. According to the New York Times, investigators believe that a cyberattack against a petrochemical plant in Saudi Arabia in August last year was intended to not only sabotage the plant’s operations but also cause an explosion that could have killed people. The only thing that reportedly prevented the explosion was a mistake in the computer code used by the attackers. Experts believe that a nation-state attacker was responsible, given that there was no obvious financial motivation from the attack. Also this month, the US accused Russia of a wide-ranging cyber-assault on its energy grid and other parts of its critical infrastructure, with many of the reported tactics resembling the Dragonfly 2.0 campaign, in which hackers infiltrated energy facilities in North America and Europe.
We are at an alarming point in terms of our critical infrastructure security, where governments around the world are on high alert to the potential for damaging attacks. The head of the UK’s National Cyber Security Centre (NCSC) warned in January that he expects the UK to suffer a major, crippling cyberattack against its national critical infrastructure during the next two years.
Nation state attackers are well aware of the political fallout that could arise as a result of dangerous cyberattacks on control networks, and so it is imperative that security issues within these systems are addressed urgently.
Industrial control systems at risk
The National Cyber Security Centre is right to be concerned about potential cyberattacks against UK critical infrastructure. Across all parts of critical national infrastructure, we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking, it is alleged, to cause everything from mischief through to political upheaval. While offering many benefits in terms of productivity and visibility, the greater connectivity arising from the Internet of Things has also exposed many industrial control systems to a range of damaging cyberattacks. For example, DDoS attacks can be used to disrupt the availability of critical services, while simultaneously allowing attackers to plant damaging, or as in the Saudi case even weaponized, malware. Last October’s DDoS attacks against the transport network in Sweden caused train delays and disrupted travel services, while the WannaCry ransomware attacks last May demonstrated the capacity for cyberattacks to impact people’s access to essential services. The current cyber security landscape has changed almost beyond recognition – ten years ago, only the most Orwellian futurists would have predicted that major national elections would be manipulated by cyberattacks.
The pressure is now on for the cyber security community and governments to act on this issue to defend against this apparent increase in nation state attacks. The NIS Directive with the UK/EU and the NIST framework in the US present a golden opportunity to improve critical infrastructure cyber security. But to be truly effective, these regulations must compel operators of essential services to deliver higher levels of cyber security and require that these essential services remain available during an attack. As seen in recent days with Facebook and Cambridge Analytica, it won’t matter if infrastructure operators claim ‘tick-box’ regulatory compliance as their defence if their essential service has failed to remain open for business during a nation state sponsored cyber-attack.
Over the last few months, UK media outlets have been filled with reports about the series of tough new measures being introduced on 9th May to protect our national critical infrastructure against cyber threats. In January, the government confirmed that UK critical infrastructure organisations may soon be liable for fines of up to £17m if they fail to implement robust cyber security measures, under its plans to implement the EU’s Network and Information Systems (NIS) Directive. But despite the tough talk, are the current proposals as rigorous as they sound?
In January, the government published its plans to implement the NIS Directive into UK law, following a public consultation. But despite the punitive penalty system, the response avoided making any hard recommendations and instead relies on a high level “appropriate and proportionate technical and organisational measures” regulatory approach of deferring responsibility to the National Cyber Security Centre (NCSC) and the Competent Authorities. Looking to the NCSC guidance, the series of measures it outlines are heavily weighted on reactive attack reporting rather than advising organisations on how to better shore up their perimeter with proactive defence solutions. As an example, within the guidance organisations are asked to define their own risk profile, and then prove their resiliency against that profile – the equivalent of being graded on a test you wrote yourself.
In this light, it’s unclear how the opportunity to set out a framework of minimum standards for CNI can be effectively achieved with the NIS Regulations. If the intended outcome is genuinely tied to resilience against cyber-attacks, then these essential services should be required to remain available during all but the most extreme cyber-attacks. The outcome described in the guidance points to merely the proper disclosure of failed protection and the swift recovery from that failure. My concern remains that implementation of the NIS Directive will be viewed as a mere “tick box” exercise which requires the bare minimum to be done, rather than allowing the UK to set world-leading standards in this area.
As a UK citizen, I fear that our government is failing to deliver on the promises outlined in its Digital Strategy, which pledged to make the UK “the safest place in the world to live and work online.” This is all deeply concerning, especially given that Ciaran Martin, the head of the NCSC, warned in January that it was a matter of “when, not if” the UK faces a major cyber-attack that might cripple infrastructure such as energy supplies or the financial services sector. Across all parts of critical national infrastructure, we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking to cause political upheaval. Last year’s DDoS attacks against the transport network in Sweden caused train delays and disrupted travel services, while the WannaCry ransomware attacks last May demonstrated the capacity for cyber-attacks to impact people’s access to essential services. Only this month, we have seen a surge in record-breaking DDoS attacks that exploit the Memcached vulnerability.
As the draft NIS Regulations become UK law, we have a golden opportunity to improve the UK’s cyber security posture. Let’s hope we can still seize this moment and build an eco-system that genuinely protects our critical infrastructure against today’s cyber-attacks.
To follow up on that report, which was open to public comments for 30 days, the National Institute of Standards and Technology (NIST) conducted a second workshop, called “Enhancing Resilience of the Internet & Communications.” The workshop was held February 28-March 1 at NIST’s National Cybersecurity Center of Excellence (NCCoE) in Rockville, Maryland.
The workshop discussed substantive public comments, including open issues, on the draft report about actions to address automated and distributed threats to the digital ecosystem as part of the activity directed by Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” According to the NIST website, “The Departments of Commerce and Homeland Security seek to engage all interested stakeholders—including private industry, academia, civil society, and other security experts—on the draft report, its characterization of the threat landscape, the goals laid out, and the actions to further these goals.” A final report from the departments of Homeland Security and Commerce, incorporating comments and other feedback received, is due to President Trump on May 11, 2018.
These workshops and reports are important steps in the right direction. It seems quite clear to various stakeholders across industry and government sectors that industry-government collaboration is essential to thwart cyber security threats. For starters, government can walk the talk by implementing best security practices and technologies in its operations, whether at federal or state levels. In addition, government can influence the marketplace via regulations and policies that are designed to make the Internet safer. For example, government may mandate that manufacturers build in tighter security for IoT devices, to make it harder for hackers to recruit those devices into botnets. Another possibility is that the government may impose regulations on Internet service providers, requiring them to provide protection from DDoS attacks, for example.
The Departments of Commerce and Homeland Security’s response to the President’s Executive Order calls for businesses to improve their resilience to DDoS attacks. Corero released the “Government Response to Rise in IoT DDoS Botnet Threats” Solution Brief to detail how our solutions help our customers defend themselves against all DDoS attacks and to answer business and consumer requests for better protection from cyber threats. In general, businesses and consumers have influenced the marketplace by asking for (or in some ways, demanding) better protection from cyber threats. Competition inspires vendors to offer better solutions, and enterprises to adopt those solutions. For the sake of risk management, many companies have already taken steps to increase cyber security. And many telecommunications companies have responded to the market demand for DDoS protection, by offering DDoS protection as a service to their customers. On the other hand, some enterprises don’t understand the risks of DDoS attacks or take steps to mitigate them; the government can’t regulate or police all enterprises. If a major website gets attacked (perhaps a bank, or a hospital) and it impacts thousands of civilians, then both civilians and the enterprise are victimized. A case in point was the massive DDoS attack against Dyn, which impacted millions of end-users.
It’s crucial that the U.S. government take steps to advance cyber security. It can’t do it alone, however. When safeguarding the Internet for all users, a multi-stakeholder approach is essential. Though the government can help reduce IoT botnets, it cannot completely eliminate them, partly because the U.S. government can’t completely control what manufacturers do and what end-users do, especially in other countries. No one can assume that vendors around the world will bake in better security for IoT devices, or change their default passwords or update devices with security patches. No matter how heavily IoT devices are regulated or how many consumers are educated, millions of such devices around the world will still be unsecured and vulnerable to being recruited into a botnet.
It is less than 2 weeks since the “Memcached” reflection/amplification vulnerability became widely known and DDoS attackers began exploiting unprotected Memcached servers to launch massive denial-of-service attacks against target organizations.
The record for the largest DDoS attack ever reported has been broken twice in the last week. The bar was raised from ~800Gbps (Dyn in October 2016) to 1.34Tbps (GitHub) and upwards to 1.7Tbps (undisclosed US Service Provider). These attacks have understandably been the focus of mainstream news headlines. At Corero, we’ve also seen a surge in these larger DDoS attacks; all of them have been amplified by the Memcached vector.
Last week, our Corero SecureWatch® Team released a Threat Advisory after seeing a steady ramp in reflective Memcached attacks (Reflective UDP on port 11211). This exploit uses a reflective method in which the attacker makes a spoofed request (where the source IP address is that of the intended victim) to a Memcached server, which then replies to the victim with a large response. Amplification factors of 50,000 times are believed to be possible using this exploit.
Corero’s advisory coincided with delivering “zero day” protection to SmartWall® customers which detects and mitigates these attacks in less than 2 seconds. In contrast, the GitHub attack reportedly took around 10 minutes to mitigate. Undoubtedly, this meant that GitHub’s service was disrupted risking reputational damage.
Corero has gone a significant step further. Today, we announced that we’ve identified an “active defense” countermeasure which neutralizes the problem. In more emotive terms, we have found and implemented the “kill switch” for Memcached. Whilst this countermeasure causes no discernible impact to the unwitting participant in the DDoS attack (i.e. the unsecured Memcached server), Corero decided to share this discovery with national security agencies to allow them to determine if and when to more widely execute this countermeasure. Corero’s SmartWall® customers can immediately benefit from this discovery too; at their option, automatically sending the necessary command to any attacking server to immediately suppress all attacks.
Perhaps even more shockingly, Corero also disclosed that the same Memcached vulnerability can also be used for data exfiltration (i.e. theft to most of us) and even data modification. The difference in this case is that the victim is the organization that has the unsecured Memcached server. Thankfully, the same Corero discovery can temporarily take care of the problem.
The lasting solution to both the DDoS amplification and data exfiltration/modification threats is to secure the Memcached servers. However, with over 95,000 of these servers currently exposed on the Internet, Corero expects that we’ll be seeing these amplification attacks for many months to come.
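The reflection mechanism described above (spoofed requests to open Memcached servers, amplified replies landing on the victim) leaves a distinctive signature in flow records that a defender can look for from either side: as the target receiving UDP traffic sourced from port 11211 by many servers at once, or as the operator of an exposed server that is being used as a reflector. The following is an added example, not Corero’s code or part of the SmartWall product; the flow-record fields, the thresholds and the sample flows are constructed for illustration using documentation address ranges.

```python
"""Detect Memcached (UDP/11211) reflection traffic in flow records.

Two defender-side views of the same attack:
  * reflection_victims(): inbound flows *from* source port 11211 converging on
    one destination are responses an attacker triggered with spoofed requests.
  * exposed_reflectors(): outbound flows from port 11211 on a server in our own
    address space show that our server is the unwitting reflector; the
    response/request byte ratio is the amplification factor it provides.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # the port named in the advisory above


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style; fields are assumed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample flows using documentation address ranges, not real traffic.
# 198.51.100.0/24 plays the open reflectors, 203.0.113.10 the spoofed victim,
# and 192.0.2.0/24 "our" network, which hosts one exposed Memcached server.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", MEMCACHED_PORT, "203.0.113.10", 40000, "UDP", 1200, 1_500_000),
    Flow("198.51.100.8", MEMCACHED_PORT, "203.0.113.10", 40000, "UDP", 1100, 1_400_000),
    Flow("198.51.100.9", MEMCACHED_PORT, "203.0.113.10", 40000, "UDP", 900, 1_200_000),
    # benign traffic that must not be flagged
    Flow("198.51.100.20", 443, "203.0.113.10", 51000, "TCP", 30, 40_000),
    Flow("192.0.2.15", 53, "203.0.113.44", 33000, "UDP", 2, 300),
    # spoofed requests arriving at our server, and the amplified replies it sends
    Flow("203.0.113.99", 40001, "192.0.2.50", MEMCACHED_PORT, "UDP", 800, 11_000),
    Flow("192.0.2.50", MEMCACHED_PORT, "203.0.113.99", 40001, "UDP", 800, 1_100_000),
]

OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def reflection_victims(flows, min_bytes=1_000_000, min_reflectors=2):
    """Return {victim_ip: (total_bytes, [reflector_ips])} for destinations that
    receive at least min_bytes of UDP traffic sourced from port 11211 by at
    least min_reflectors distinct servers.  A legitimate Memcached client talks
    to its own server, so many servers converging on one host is the tell."""
    by_victim = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto == "UDP" and f.src_port == MEMCACHED_PORT:
            by_victim[f.dst_ip]["bytes"] += f.bytes
            by_victim[f.dst_ip]["reflectors"].add(f.src_ip)
    return {
        victim: (d["bytes"], sorted(d["reflectors"]))
        for victim, d in by_victim.items()
        if d["bytes"] >= min_bytes and len(d["reflectors"]) >= min_reflectors
    }


def _is_ours(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def exposed_reflectors(flows, our_networks):
    """Return {server_ip: (response_bytes, request_bytes, amplification)} for
    hosts in our_networks that answer UDP/11211 requests from the Internet.
    amplification is response/request bytes (None if no request was seen)."""
    responses, requests = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src_port == MEMCACHED_PORT and _is_ours(f.src_ip, our_networks):
            responses[f.src_ip] += f.bytes
        elif f.dst_port == MEMCACHED_PORT and _is_ours(f.dst_ip, our_networks):
            requests[f.dst_ip] += f.bytes
    result = {}
    for server, out_bytes in responses.items():
        in_bytes = requests.get(server, 0)
        result[server] = (out_bytes, in_bytes, out_bytes / in_bytes if in_bytes else None)
    return result


if __name__ == "__main__":
    for victim, (total, reflectors) in reflection_victims(SAMPLE_FLOWS).items():
        print(f"victim {victim}: {total} bytes from {len(reflectors)} reflectors")
    for server, (out_b, in_b, amp) in exposed_reflectors(SAMPLE_FLOWS, OUR_NETWORKS).items():
        print(f"exposed reflector {server}: {out_b}/{in_b} bytes, amplification x{amp:.0f}")
```

Run against the sample, the first function reports 203.0.113.10 as a victim fed by three reflectors, and the second reports 192.0.2.50 as an exposed server answering 11 kB of requests with 1.1 MB of responses. The second check is the one that acts on the lasting fix the text calls for: any server it lists should have UDP on 11211 closed or firewalled off from the Internet.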
Maintaining the resilience and stability of the global Internet requires collaborative efforts between Internet Service Providers (ISPs), government agencies, enterprises, security vendors and end users. Towards that end, The Internet Society recently published a report titled, The Internet Society 2018 Action Plan, in which it proposes several initiatives, one of which is to strengthen the global Internet routing system. In tandem with its Action Plan, The Internet Society also supports a best practice initiative that was created by members of the network operator community: the Mutually Agreed Norms for Routing Security (MANRS) initiative (formerly known as the Routing Resilience Manifesto).
The MANRS initiative is a commitment by network operators around the globe to “clean their part of the street” and improve the security of the global routing system. Some ISPs already have agreed to adopt the MANRS practices. They are implementing at least the baseline security efforts defined by MANRS Actions:
Filtering – Ensure the correctness of your own announcements and of announcements from your customers to adjacent networks with prefix and AS-path granularity
Anti-spoofing – Enable source address validation for at least single-homed stub customer networks, your own end-users, and infrastructure
Coordination – Maintain globally accessible up-to-date contact information
Global Validation – Publish your data, so others can validate routing information on a global scale
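The first two MANRS actions are the technical ones, and both reduce to a policy check at the customer edge: an announcement from a customer is accepted only if the prefix and the AS path match what that customer is authorised for, and a packet from a customer is forwarded only if its source address belongs to that customer. The following is an added example, not MANRS reference code or any vendor’s configuration, showing both checks for a single-homed stub customer; the customer record, ASN, prefixes and the IPv6 maximum length are constructed assumptions.

```python
"""Customer-edge checks for the two technical MANRS actions: prefix/AS-path
filtering of customer BGP announcements and source address validation
(anti-spoofing, in the spirit of BCP 38) on customer-facing interfaces.
Data model and names are assumptions for this example, not MANRS definitions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class StubCustomer:
    """A single-homed stub customer: it originates only its own prefixes and
    never provides transit, so its AS path must contain nothing but its ASN."""
    name: str
    asn: int
    prefixes: list               # ipaddress networks we have authorised
    max_prefix_length_v4: int = 24  # reject more-specifics beyond this
    max_prefix_length_v6: int = 48


# Constructed customer using a private ASN and documentation prefixes.
CUSTOMER = StubCustomer(
    name="example-stub",
    asn=64500,
    prefixes=[ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:100::/48")],
)


def validate_source(customer, src_ip):
    """Anti-spoofing: a packet arriving on the customer's interface may only
    carry a source address from that customer's authorised prefixes."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in p for p in customer.prefixes if p.version == addr.version):
        return True, "source within authorised prefixes"
    return False, f"spoofed source {src_ip}: not in {customer.name}'s prefixes"


def validate_announcement(customer, prefix, as_path):
    """Prefix and AS-path filter for a BGP UPDATE received from the customer.
    as_path lists ASNs nearest-first with the origin last (BGP convention)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not as_path or as_path[-1] != customer.asn:
        origin = as_path[-1] if as_path else None
        return False, f"origin AS {origin} is not AS{customer.asn}"
    if any(asn != customer.asn for asn in as_path):
        return False, "stub customer must not announce paths through other ASNs"
    if not any(net.subnet_of(p) for p in customer.prefixes if p.version == net.version):
        return False, f"{prefix} is not authorised for AS{customer.asn}"
    limit = customer.max_prefix_length_v4 if net.version == 4 else customer.max_prefix_length_v6
    if net.prefixlen > limit:
        return False, f"{prefix} is more specific than /{limit}"
    return True, "announcement accepted"


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.9", "2001:db8:100::1"):
        print(src, validate_source(CUSTOMER, src))
    for prefix, path in (("203.0.113.0/24", [64500]),
                         ("203.0.113.0/26", [64500]),
                         ("198.51.100.0/24", [64500]),
                         ("203.0.113.0/24", [64501, 64500])):
        print(prefix, path, validate_announcement(CUSTOMER, prefix, path))
```

The source check is what the text later calls "the part that specifically relates to helping reduce DDoS attacks": a reflection attack needs packets whose source address is the victim, and a customer edge that enforces this check never lets such packets out. The announcement check is independent of it and protects the routing system rather than the victim, which is why MANRS lists them as separate actions.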
The Internet Society provides support in the form of hosting the MANRS web site, providing email lists and the participation of Internet Society staff. “During 2018, we expect to increase the rate at which networks join MANRS, and to make significant progress towards achieving a critical mass of participating network operators and Internet Exchange Points (IXPs). Through outreach to organizations, enterprises, and industry groups, we aim to reach a tipping point where operators see MANRS compliance as a strategic business advantage.”
MANRS is on a very similar mission to what we have seen the National Cyber Security Centre promote in the United Kingdom, to help make the UK Internet safer. The part that specifically relates to helping reduce distributed denial of service (DDoS) attacks is the source address anti-spoofing guidance, which relates to reducing the ability for attackers to leverage open reflectors (Domain Name Server, Network Time Protocol, etc.) on the Internet to send amplified DDoS attack streams to their targets. We have already seen a drop in the use of some reflection techniques, such as notably fewer NTP Amplification DDoS attacks, but much of that may also be attributed to the fact that several vulnerabilities in NTP were patched in mid-2016.
Most of the MANRS guidance is a set of best practices for service providers. The recommendations are good, but they fall into the same category as “IoT devices should have good password security.” That is, the MANRS guidance is desirable for any individual provider, but it’s unrealistic to think it will solve the global spoofing problem; many IoT botnets can attack without spoofing, for example. There have been decades of sensible progress to help make the Internet more secure, but there is no end in sight for DDoS, because the bad guys continue to innovate ahead of the curve (for example, by taking control of IoT devices to form zombie botnet armies). It is not as if this is the first time that anti-spoofing best practices have been recommended. The most well-known anti-spoofing guidance is BCP 38, which has been around for almost two decades. Despite BCP 38, DDoS attacks not only still exist, but have grown in scale and frequency!
It is certainly a good step in the right direction for ISPs, reducing the scope for abuse of critical Internet services like DNS and NTP, but organizations that rely on the Internet for business should not think that this will be the end of DDoS attacks. We have already seen the massive rise of botnet-sourced DDoS attacks, mainly comprised of IoT devices sending traffic from their real addresses, and these MANRS activities will do little to reduce or stop those types of attacks. Real-time automated DDoS protection remains the only solution to these problems.
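To make the limitation concrete, here is an added example (not MANRS or Corero code) of the BCP 38 / strict uRPF check a provider edge applies to packets arriving from a customer port: the packet is accepted only if its source address lies in a prefix that customer actually holds. The interface names, customer prefixes and packets are constructed for illustration. Run against a small traffic mix, it drops the spoofed reflection requests but passes the unspoofed flood from a compromised IoT device untouched, which is exactly why ingress filtering alone does not end DDoS.

```python
"""Toy BCP 38 (RFC 2827) ingress filter at a provider edge.

Added example, not MANRS's or Corero's code. Interface names,
customer prefixes and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical customer-facing interfaces and the prefixes assigned
# to the customer behind each one (constructed sample data).
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface on the edge router
    src: str     # source address as written in the IP header
    dst: str     # destination address
    dport: int   # destination port (123 = NTP, 53 = DNS)


def bcp38_permit(pkt: Packet) -> bool:
    """Return True if the packet may enter the provider network.

    A packet arriving on a customer interface is accepted only if its
    source address falls inside a prefix that customer legitimately
    holds. Strict uRPF on a router makes the same decision from the
    routing table; this version uses an explicit per-port table.
    """
    allowed = CUSTOMER_PREFIXES.get(pkt.iface)
    if allowed is None:
        return False  # unknown interface: fail closed
    src = ipaddress.ip_address(pkt.src)
    # ip_network membership returns False across IPv4/IPv6 versions,
    # so a mixed prefix list is safe here.
    return any(src in net for net in allowed)


def filter_packets(packets):
    """Split a batch of packets into (permitted, dropped) lists."""
    permitted = [p for p in packets if bcp38_permit(p)]
    dropped = [p for p in packets if not bcp38_permit(p)]
    return permitted, dropped


# Constructed traffic mix. The victim is 192.0.2.10 (TEST-NET-1);
# 192.0.2.123 and 192.0.2.53 stand in for open NTP/DNS reflectors.
SAMPLE_TRAFFIC = [
    # Reflection attempts: a bot behind ge-0/0/1 forges the victim's
    # address as source so the reflector's amplified reply goes to the
    # victim. Dropped: 192.0.2.10 is not assigned to ge-0/0/1.
    Packet("ge-0/0/1", "192.0.2.10", "192.0.2.123", 123),
    Packet("ge-0/0/1", "192.0.2.10", "192.0.2.53", 53),
    # Ordinary customer traffic from its own prefix: permitted.
    Packet("ge-0/0/1", "203.0.113.7", "192.0.2.80", 443),
    # Direct flood from a compromised IoT device using its real
    # address: permitted. BCP 38 does nothing against unspoofed
    # botnet traffic, which is the limitation discussed above.
    Packet("ge-0/0/2", "198.51.100.9", "192.0.2.10", 80),
    # IPv6 customer packet with a real source: permitted.
    Packet("ge-0/0/2", "2001:db8:1::42", "192.0.2.10", 443),
    # IPv6 source outside the customer's /48 (spoofed): dropped.
    Packet("ge-0/0/2", "2001:db8:ffff::1", "192.0.2.10", 443),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_TRAFFIC)
    for p in bad:
        print(f"DROP   {p.iface} src={p.src} -> {p.dst}:{p.dport}")
    for p in ok:
        print(f"PERMIT {p.iface} src={p.src} -> {p.dst}:{p.dport}")
```

Note that the filter is only as good as the prefix table behind it: if a provider lists a customer's prefix on the wrong port, or leaves a port out of the table, spoofed traffic either slips through or legitimate traffic is dropped, which is one reason deployment has been patchy for nearly twenty years.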
A recent Cisco report found that 42 percent of organizations experienced “burst” distributed denial of service (DDoS) attacks in 2017. Burst attacks, otherwise known as pulse-wave attacks, are gaining favor among hackers because they enable perpetrators to attack multiple targets, one after another, with short, high-volume traffic bursts in a rapidly repeating cycle. Corero’s DDoS research suggests that a likely reason for the “bursting” observed in pulsed DDoS attacks is the timesharing, or multiplexing, of attack botnets, probably between two or more simultaneous targets of a DDoS-for-hire booter/stresser service. The hackers make more money by harnessing the power of one large botnet to serve more than one customer simultaneously. Once a botnet is up and running, they can hit one target with a burst, switch quickly to hit another target with a burst, and then alternate between the targets.
This points to the increasing sophistication of hackers, both in their ability to leverage large botnets and in developing mechanisms to evade detection. With short burst attacks, hackers can ramp the attack traffic faster and increase the chances of evading legacy protection on a network. Short-duration burst attacks can also deliver more calculated, non-saturating traffic volumes rather than traditional massive brute-force floods. Such surgical attacks are often crafted specifically to fly under the radar of conventional DDoS protection, as they can blend in with regular traffic volumes. Like a sleight of hand, while the target organization focuses on the ramifications of the DDoS attack, other attacks are launched to infiltrate the network and carry out activities such as exfiltrating valuable data.
Burst/pulse-wave attacks are of little concern for Corero customers because the SmartWall® Threat Defense System effectively mitigates such attacks – automatically, near-instantaneously and surgically – just like it would any other multi-vector attack. Whether the bursts are saturating the links, or not, the SmartWall TDS will handle it, blocking the attack traffic during the bursts and letting through any good traffic and then immediately recovering between bursts, to allow all the good traffic as it recovers to normal levels.
The comprehensive attack visibility provided by SmartWall TDS enables these burst/pulse attacks to be identified easily and additional mitigation techniques employed if the bursts are large enough that good traffic is unduly impacted. By looking at attack trends over longer time periods, SmartWall can be configured to automatically switch to an upstream cloud mitigation service regardless of the short-term oscillations, while continuing to block the attack traffic in the interim. If the cloud service routes traffic directly back to the on-premises solution too soon, this is not an issue either: SmartWall TDS automatically re-engages local mitigation and the upstream redirect process starts over again.
With legacy solutions there is typically a significant delay before volumetric DDoS mitigation engages, often because the traffic must first exceed a static threshold for a sustained period before diversion to a scrubbing service is triggered. If attacks “start” and “end” in a periodic way, each burst may finish before that delay expires, and there is an increased risk that enough of the attack gets through to still cause the intended impact on the target.
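The following simulation is an added example (not Corero code and not SmartWall's actual logic) that makes the two points above measurable: the calculated, non-saturating burst that stays under a static high-water mark, and the engagement delay that lets periodic bursts finish before mitigation ever starts. The traffic levels, thresholds and the two mitigator profiles (“legacy”: a static 500k pps threshold that must be exceeded for 30 consecutive seconds; “realtime”: an adaptive threshold at three times baseline, engaging on the first second over it) are constructed assumptions, not measured figures. It reports what fraction of attack packets reach the target under each profile.

```python
"""Pulse-wave DDoS versus mitigation engagement delay (simulation).

Added example, not Corero's code or SmartWall logic. Traffic levels,
thresholds and the two mitigator profiles are constructed assumptions
chosen to make the argument in the text concrete and measurable.
"""
from dataclasses import dataclass

BASELINE_PPS = 20_000  # assumed normal traffic level at the target


def pulse_wave(seconds, burst_len, period, burst_pps, baseline=BASELINE_PPS):
    """Per-second packet rate at a target hit with `burst_len`-second
    bursts every `period` seconds, i.e. a botnet time-shared between
    this target and others during the gaps."""
    return [baseline + (burst_pps if t % period < burst_len else 0)
            for t in range(seconds)]


@dataclass
class Outcome:
    attack_total: int   # attack packets sent over the run
    attack_leaked: int  # attack packets that reached the target
    engaged_secs: int   # seconds the mitigator was scrubbing

    @property
    def leak_ratio(self) -> float:
        return self.attack_leaked / self.attack_total if self.attack_total else 0.0


def simulate(series, threshold, engage_after, disengage_after,
             baseline=BASELINE_PPS):
    """Model a volumetric mitigator that starts scrubbing only after
    `engage_after` consecutive seconds above `threshold`, and stops
    after `disengage_after` consecutive seconds at or below it.
    Attack traffic in seconds where it is not engaged is 'leaked'."""
    above = below = 0
    engaged = False
    total = leaked = engaged_secs = 0
    for pps in series:
        attack = max(pps - baseline, 0)
        total += attack
        if pps > threshold:
            above, below = above + 1, 0
        else:
            above, below = 0, below + 1
        if not engaged and above >= engage_after:
            engaged = True
        elif engaged and below >= disengage_after:
            engaged = False
        if engaged:
            engaged_secs += 1
        else:
            leaked += attack
    return Outcome(total, leaked, engaged_secs)


# Two mitigator profiles (assumed, illustrative numbers):
# - LEGACY: static high-water mark, needs 30 s of sustained overload
#   before diverting/scrubbing, waits 60 quiet seconds before stopping.
# - REALTIME: adaptive threshold (3x baseline), engages on the first
#   second over threshold, recovers 5 s after the burst ends.
LEGACY = dict(threshold=500_000, engage_after=30, disengage_after=60)
REALTIME = dict(threshold=3 * BASELINE_PPS, engage_after=1, disengage_after=5)


def run_scenarios():
    """Leak ratio (0.0 = fully mitigated, 1.0 = nothing stopped) for
    each profile against three constructed traffic patterns."""
    scenarios = {
        # 20 s saturating bursts every 60 s: a classic pulse wave.
        "pulse_saturating": pulse_wave(300, 20, 60, 800_000),
        # Same cadence, but a calculated non-saturating burst that
        # stays under the static high-water mark.
        "pulse_low_volume": pulse_wave(300, 20, 60, 150_000),
        # One continuous 5-minute flood for comparison.
        "sustained_flood": pulse_wave(300, 300, 300, 800_000),
    }
    return {
        name: {
            "legacy": simulate(series, **LEGACY).leak_ratio,
            "realtime": simulate(series, **REALTIME).leak_ratio,
        }
        for name, series in scenarios.items()
    }


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:18s} legacy leak={r['legacy']:.2f}  "
              f"realtime leak={r['realtime']:.2f}")
```

Under these assumptions the legacy profile stops about 90% of a sustained flood (it loses only the first 29 seconds) but stops nothing at all against either pulse pattern: the saturating bursts end before its 30-second engagement window fills, and the low-volume bursts never cross its static threshold. The per-second adaptive profile leaks nothing in any of the three cases, which is the property the text is arguing for; what the numbers you plug in for the legacy profile should be is something to measure on your own protection, not take from this example.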
In the end, organizations should not underestimate burst/pulse attacks: these well-managed, botnet-sourced DDoS attacks can be many times more damaging than their short duration suggests. Any business that relies on service continuity and integrity to serve its customers should take steps to prevent such attacks.