Introduction
An increase in Internet activity almost always results in a corresponding rise in cybercrime, including DDoS attacks, which have increased significantly during the COVID-19 pandemic. Widespread changes in Internet use, such as a rise in remote workers and Internet usage during lockdown, have increased both the time and opportunities for attackers to strike. But even as the pandemic wanes, ongoing changes to Internet use like accelerated cloud migration and the increased use of IoT devices are certain to impact cybersecurity trends this year.
This article will provide crucial background information for understanding DDoS attacks, review the factors driving changes in attacks, and discuss this year’s DDoS attack trends and how to protect against them.
What are DDoS attacks?
Distributed denial of service (DDoS) attacks are a type of cybercrime that attempts to knock a website, network or application offline by overwhelming it with traffic from a variety of sources. Botnets, armies of compromised devices, are amassed by infecting devices with malware that lets attackers control them remotely without the knowledge of the device’s owner. As a result, huge amounts of traffic can flood a target using various techniques.
Types of attacks
Google’s Digital Attack Map, which tracks worldwide DDoS attacks on a daily basis, notes that DDoS attacks account for more than one-third of all downtime incidents. It divides DDoS attacks into four categories:
- TCP Connection Attacks: a state-exhaustion attack that exploits the TCP handshake process by making a large number of requests via spoofed IPs, leaving the target waiting for the final step of the handshake, which never occurs, exhausting the target’s resources
- Volumetric Attacks: an attack that consumes all bandwidth between the target and the broader Internet
- Fragmentation Attacks: an attack that saturates a target server with fragmented data packets that it cannot reassemble
- Application Attacks: an attack targeting a specific aspect of an application or service, sometimes effective even with very few machines attacking and a low rate of traffic
Amplification methods
For most attacks to be effective, they need to reach a certain volume, requiring amplification methods that multiply traffic. Digital Attack Map divides these methods into two categories:
- DNS Reflection: attackers forge the target’s IP address as the source of small requests sent to an open DNS server, requests they know will trigger a large reply back to the target’s IP, amplifying each of the attacker’s requests by up to 70x in volume
- Chargen Reflection: attackers leverage an outdated testing service (Chargen) used in many network-enabled printers that allows them to send strings of random characters from the printer to the target server
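As an added illustration (not from the article or Azion’s platform), the following Python heuristics flag the two patterns described above in a batch of constructed flow records: TCP state exhaustion shows up as SYNs whose source never completes the handshake, and DNS reflection as UDP/53 replies that the target never requested or that dwarf its own queries. The record layout, the addresses and the 10x threshold are assumptions made for the example.

```python
from collections import defaultdict

TARGET = "192.0.2.10"  # constructed victim address (RFC 5737 documentation range)
# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, bytes)
FLOWS = [
    # a normal client completes the handshake: SYN, then ACK
    ("tcp", "198.51.100.7", 51000, TARGET, 443, "S", 60),
    ("tcp", "198.51.100.7", 51000, TARGET, 443, "A", 52),
    # the victim resolves a name: 60-byte query, 200-byte answer (about 3x, normal)
    ("udp", TARGET, 33333, "198.51.100.53", 53, "", 60),
    ("udp", "198.51.100.53", 53, TARGET, 33333, "", 200),
    # unsolicited 4000-byte "answers" from an open resolver the victim never queried
    ("udp", "203.0.113.53", 53, TARGET, 40000, "", 4000),
    ("udp", "203.0.113.53", 53, TARGET, 40001, "", 4000),
]
# SYNs from five spoofed sources that never send the final ACK (state exhaustion)
FLOWS += [("tcp", f"203.0.113.{i}", 40000 + i, TARGET, 443, "S", 60) for i in range(1, 6)]

def half_open_syns(flows, target):
    """Return (count, distinct sources) of SYNs to target whose source never ACKed."""
    syn_sources, acked = defaultdict(int), set()
    for proto, src, _sport, dst, _dport, flags, _size in flows:
        if proto != "tcp" or dst != target:
            continue
        if flags == "S":
            syn_sources[src] += 1
        elif "A" in flags:
            acked.add(src)
    pending = {s: n for s, n in syn_sources.items() if s not in acked}
    return sum(pending.values()), len(pending)

def dns_reflection_suspects(flows, target, min_ratio=10.0):
    """Resolver -> reply/query byte ratio for UDP/53 traffic above min_ratio (inf = unsolicited)."""
    query_bytes, reply_bytes = defaultdict(int), defaultdict(int)
    for proto, src, sport, dst, dport, _flags, size in flows:
        if proto != "udp":
            continue
        if src == target and dport == 53:
            query_bytes[dst] += size      # query the victim actually sent
        elif dst == target and sport == 53:
            reply_bytes[src] += size      # reply arriving at the victim
    suspects = {}
    for resolver, rbytes in reply_bytes.items():
        qbytes = query_bytes.get(resolver, 0)
        ratio = rbytes / qbytes if qbytes else float("inf")
        if ratio >= min_ratio:
            suspects[resolver] = ratio
    return suspects
```

On the constructed sample, `half_open_syns` reports five pending SYNs from five sources and `dns_reflection_suspects` flags only the resolver the victim never queried.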
Factors affecting 2021 DDoS attacks
The global pandemic is one of the most obvious factors affecting changes in Internet use and, consequently, cybercrime. Lockdown and social distancing have not only driven increased Internet use, such as a rise in streaming media and ecommerce, but changes in how businesses operate, such as the widespread adoption of remote work policies and distance learning.
In addition, increased Internet usage resulted in accelerated technological efforts, such as cloud migration and 5G rollout. As businesses adopt new technologies, they become new targets for cybercrime, particularly if they have not yet tailored their security policies to changes in online operations. For example, the increased use of IoT devices resulting from the 5G rollout expands the range of devices that can be enlisted in DDoS attacks, particularly when those devices are not updated in a timely manner or rely on weak security protocols.
As cybercrime is often financially motivated, increased online business means an increased opportunity for profits. In addition, other factors, such as the rising price of Bitcoin (a hard-to-trace and therefore appealing payment method for criminals), have added to the allure of financially motivated attacks, such as DDoS ransomware.
The factors affecting DDoS attack trends include:
- increased Internet use due to COVID-19
- new industries moving operations online
- widespread adoption of remote work policies
- accelerated cloud migration and 5G rollout
- rising price of Bitcoin
2021 DDoS Attack Trends
Increase in size and frequency
Last summer, two high-profile DDoS attacks drew attention to renewed DDoS risk as two of the largest tech companies in the world, Google and Amazon, were targeted by DDoS attacks of unprecedented size. In June 2020, BBC reported that Amazon suffered an attack in February that peaked at 2.3 Tbps, far surpassing the previous record of 1.7 Tbps, set in 2018. Shortly afterward, Google revealed that it had been targeted by an even larger attack of 2.5 Tbps.
Attacks are also growing more frequent. Businesswire stated that during the first half of 2020, attacks increased by over two and a half times their rate compared to the same period in 2019. This increase occurred not only with large businesses, but with small businesses as well, which are particularly vulnerable to smaller attacks that are harder to detect, since they do not pass the traffic threshold that would trigger mitigation efforts. Businesswire noted that “These shifts put every organization with an internet presence at risk of a DDoS attack – a threat that is particularly critical with global workforces reliant on VPNs for remote login.”
Complex attacks and new attack weapons
As DDoS mitigation tools grow increasingly sophisticated, so do DDoS weapons and attack methods. Businesswire noted in a September 2020 article that according to recent security reports, cybercriminals are increasingly leveraging DDoS attacks against multiple points of entry. The article stated that, “52% of threats mitigated by Neustar [in the first half of 2020] leveraged three vectors or more, with the number of attacks featuring a single vector essentially nonexistent.”
Hackers are also leveraging new DDoS weapons. Security Magazine reported that the second half of 2020 “saw an increase of over 12% in the number of potential DDoS weapons available on the internet, with a total of approximately 12.5 million weapons detected.”
Ransom-based DDoS attacks
One of the biggest recent trends in cybercrime is a rise in ransom-based DDoS attacks. These types of attacks often involve ransom emails sent to businesses that threaten to disrupt the target’s network or services with a DDoS attack unless the ransom is paid. Ransom-based attacks may be accompanied by a “teaser” attack to demonstrate the attacker’s capacity for disruption.
ZDNet linked this trend to a sharp increase in the value of Bitcoin, which tripled between the first instance of ransom-based DDoS in August 2020 and January 2021, when the article was written. ZDNet writes that “the rise in the Bitcoin-to-USD price has led to some groups returning to or re-prioritizing DDoS extortion schemes.”
With Bitcoin rates continuing to surge, it is likely that these attacks will continue throughout 2021. At the time of writing this article, a single Bitcoin is valued at $56,000 USD, almost double its worth of $30,000 in January. A December 2020 article in CSO echoed this prediction, noting that “Increasing pressure to submit to extortion, targeting of the most vulnerable victims, and tactics that make it more difficult to recover encrypted data will keep ransomware the most profitable ‘line of business’ for cybercriminals in 2021.”
DDoS Attacks on APIs
As cloud migration prompts more and more companies to adopt cloud-native architecture, the use of APIs and microservices results in an increased attack surface, with more attack vectors for criminals to exploit. Radware, one of the leaders in bot mitigation, has linked 2020’s accelerated cloud migration to increased attacks on APIs. A recent research report from Radware stated that cloud migration efforts in 2020, “in combination with an increased reliance on APIs and the addition of unsecured mobile apps, has been a boon to criminals, leaving them ahead on the cybersecurity curve.”
Without security efforts, APIs, and any sensitive data they expose, are likely targets of attack. As Radware noted, “Some 55% of organizations experience a DoS attack against their APIs at least monthly.”
Protecting against DDoS attacks
Proactive strategies include leveraging threat intelligence and creating a strategic plan, or runbook, that documents incident response processes, escalation paths, and other information that will guide a successful response and ensure that everyone involved understands their responsibilities in the process. In addition, actions like limiting an application’s attack surface and building in redundancy make it harder for attackers to find a point of entry and knock an application offline. Most importantly, however, companies must choose a provider that fits their strategic security needs.
When using Azion’s platform, you automatically benefit from our DDoS Protection at no additional cost. You get always-on mitigation that continuously monitors network flow to detect and block malicious traffic in real time, with no impact on your applications, in addition to:
- Comprehensive protection for different business needs
- Protection of content, web applications, and APIs
- Add-on protection for infrastructure and DNS services
- Always-on mitigation with no need to configure or parameterize services
- Sophisticated algorithms and advanced routing for automated mitigation of complex attacks
- Data Stream that provides deep levels of visibility into DDoS attacks that can be integrated with 3rd-party analytic tools
As recent DDoS attack trends continue into 2021 and beyond, the most important step a company can take in protecting against DDoS attacks is to be prepared for them before they begin. Choosing a mitigation solution like Azion’s DDoS Protection can help companies guard against recent trends such as larger and more frequent attacks, attacks on APIs, and complex and evolving attack strategies.