Over the past year, businesses around the globe have accelerated their digital transformation efforts to stay operational. The explosion in demand for remote connectivity required extensive infrastructure remodelling, and whilst these changes took place at pace, they also opened the door to a greater threat of cyber crime. Although cyber crime in its many forms saw a boost, whether it be double extortion ransomware or the supply chain attacks most notably seen with SolarWinds, distributed denial-of-service (DDoS) attacks have perhaps seen the greatest uptick. The most recent NETSCOUT Threat Intelligence Report revealed record-breaking DDoS activity in 2020, as attackers launched more than 10 million DDoS attacks worldwide.
These DDoS attacks have targeted a variety of different sectors, from manufacturing to financial services, travel, education and more, but fundamentally the goal has been the same: to take critical systems offline and cause maximum disruption.
New attack types – reflection/amplification
What’s more, attackers are leveraging new DDoS attack types in their bids for disruption, and the rise in threats has forced security professionals to forge new strategies for securing networks and systems. One such popular attack type is the reflection/amplification attack, which enables attackers to generate higher-volume attacks. Attackers achieve this by combining two distinct methods.
The first, reflection attacks, see adversaries spoof a target’s IP address and send a request for information, using either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP). The server responds to the request, sending its answer to the target’s IP address instead of the adversary’s IP address. This “reflection” (spoofing the source IP of the packet so that the reply is reflected to the target’s IP address) is why this is called a reflection attack. As such, any UDP- or TCP-based service on the Internet can in theory be targeted and used as a reflector.
The second method of attack, amplification attacks, generates a high volume of packets which overwhelm the target without alerting the intermediary. The attacker sends a small request, often called the trigger packet, which results in a vulnerable service responding with a large reply. The attacker sends many thousands of these requests to vulnerable services, each producing a response far larger than the original request, amplifying the volume of traffic delivered to the target. The amplification can take the form of multiple response packets for a single request packet, or of response packets larger than the request.
By using both of these approaches in concert, attackers can both magnify the amount of malicious traffic they can generate, as well as direct the flood of malicious traffic towards the target. The millions of exposed DNS, NTP, SNMP, SSDP, and other UDP/TCP-based services have made reflection/amplification attacks highly prevalent.
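Because the reflected traffic described above arrives as responses from legitimate services, the one thing it always lacks is a matching request from the victim. The following detector is an added example, not code from the article or from NETSCOUT: it reads constructed NetFlow-style records (the field names, the /24 "protected" prefix, the sample byte counts and the alert threshold are all assumptions), keeps the UDP flows that come from a reflector service port and have no corresponding outbound request, and raises an alert when several distinct reflectors are hitting the same host. The average bytes per packet it reports gives a rough sense of the amplification at work.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP services named in the article as common reflectors, keyed by their service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (NetFlow/IPFIX style); field layout is an assumption."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def unsolicited_responses(flows, protected_net):
    """Return UDP flows that arrive from a reflector service port at a protected host
    without a matching request from that host to the same service.  A genuine response
    always has a request going the other way; reflected traffic never does, because the
    request was sent by the attacker with a spoofed source address."""
    net = ipaddress.ip_network(protected_net)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    # Everything the protected hosts asked for: (our host, service host, service port).
    requests_sent = {(f.src_ip, f.dst_ip, f.dst_port) for f in flows if inside(f.src_ip)}
    suspects = []
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS or not inside(f.dst_ip):
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requests_sent:
            continue  # our host queried this service, so the reply is legitimate
        suspects.append(f)
    return suspects


def reflection_alerts(suspects, min_reflectors=3):
    """Group suspect flows per victim and alert when at least `min_reflectors` distinct
    sources are hitting the same host, the hallmark of a distributed reflection attack."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                      "bytes": 0, "packets": 0})
    for f in suspects:
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
        v["bytes"] += f.bytes
        v["packets"] += f.packets
    alerts = {}
    for victim, v in per_victim.items():
        if len(v["reflectors"]) >= min_reflectors:
            alerts[victim] = {
                "reflectors": len(v["reflectors"]),
                "services": sorted(v["services"]),
                "bytes": v["bytes"],
                # Large unsolicited responses relative to a typical request indicate amplification.
                "avg_bytes_per_packet": v["bytes"] // v["packets"],
            }
    return alerts


# Constructed sample records using documentation address ranges (RFC 5737).
SAMPLE_FLOWS = [
    # A legitimate DNS lookup by the protected host and the reply it solicited.
    Flow("203.0.113.10", 53412, "198.51.100.53", 53, "udp", 1, 64),
    Flow("198.51.100.53", 53, "203.0.113.10", 53412, "udp", 1, 180),
    # Ordinary inbound web traffic.
    Flow("198.51.100.7", 40211, "203.0.113.10", 443, "tcp", 20, 4800),
    # Unsolicited responses from several reflectors, all aimed at the same host.
    Flow("192.0.2.11", 123, "203.0.113.10", 80, "udp", 400, 187200),
    Flow("192.0.2.12", 123, "203.0.113.10", 80, "udp", 410, 191880),
    Flow("192.0.2.13", 53, "203.0.113.10", 80, "udp", 300, 900000),
    Flow("192.0.2.14", 1900, "203.0.113.10", 80, "udp", 250, 75000),
    Flow("192.0.2.15", 161, "203.0.113.10", 80, "udp", 120, 144000),
]


def demo():
    return reflection_alerts(unsolicited_responses(SAMPLE_FLOWS, "203.0.113.0/24"))


if __name__ == "__main__":
    for victim, info in demo().items():
        print(victim, info)
```

The legitimate DNS reply is not flagged because the query that solicited it is in the same window; the five reflector flows are, and together they trip the alert. On real flow data the request/response matching needs a time window, since a response can land in the record after its request was exported.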
Defending against reflection/amplification
As with all DDoS attacks, the ultimate goal of reflection/amplification is to overwhelm systems and cause disruption to services. However, what makes this type of attack especially dangerous is that ordinary servers or consumer devices, with no clear sign of compromise, can be used as a vector. This, coupled with the low barrier to entry for launching a reflection/amplification attack (it doesn’t require any sophisticated knowledge or tools), means that not only are these attacks hard to detect, but attackers can create very large volumetric attacks using only a modest pool of bots or a single robust server.
Blocking the spoofed source packets is the first line of defence against reflection/amplification attacks. However, because the reflected traffic is crafted to look as though it stems from legitimate services and trusted sources, it’s difficult to determine which traffic represents genuine user workloads and which is reflected traffic generated by attackers.
Additionally, when a service does indeed come under attack, legitimate users may be forced to retry their requests because of the slowdown in service. These retries could then themselves be falsely identified as a DDoS attack, obscuring the real cause of the slowdown. However, there are several means to mitigate reflection/amplification attacks.
Rate limiting restricts sources and destinations based on a previously established access policy. However, rate limiting may inadvertently impact legitimate traffic, so it must be used only as a last-resort mitigation.
Blocking unneeded ports can reduce an organisation’s exposure to attack. However, this doesn’t prevent attacks on ports that carry both legitimate and attacker traffic.
Traffic signature filters can be used to identify those repetitive structures that can signal an attack. However, the downside of filtering is a potential impact on performance.
Threat intelligence services can be a useful tool for security professionals for identifying the vulnerable servers that attackers regularly abuse to launch attacks. This enables organisations to block those IP addresses proactively and cut attacks off at the knees.
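The four mitigations above are rarely used alone; an edge filter applies them in order of certainty, with the rate limiter last because it is the one that can hurt legitimate users. The following is an added example, not the article’s or any vendor’s code: a simulated packet filter that checks a threat-intelligence blocklist, then the port/protocol policy, then a reflector signature, and only then a per-source token bucket. The blocklist contents, the open-port table, the packet rate and burst (deliberately tiny so the effect is visible) and the packet stream are all constructed, and the last part of the stream shows the caveat from the rate-limiting paragraph: a legitimate client that retries hard gets some of its own packets dropped.

```python
from collections import Counter
from dataclasses import dataclass

# UDP services named in the article as common reflectors, keyed by their service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    proto: str  # "udp" or "tcp"


class TokenBucket:
    """Per-source packet budget: `rate` packets per second, up to `burst` saved up."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    def __init__(self, known_reflectors, open_ports, rate, burst):
        self.blocklist = set(known_reflectors)  # threat-intelligence feed of abused reflectors
        self.open_ports = dict(open_ports)      # {port: protocol} that this host actually serves
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def decide(self, pkt, now):
        # 1. Threat intelligence: sources known to be abused reflectors are dropped outright.
        if pkt.src_ip in self.blocklist:
            return "drop:threat-intel"
        # 2. Port blocking: anything aimed at a port/protocol we do not serve is dropped.
        if self.open_ports.get(pkt.dst_port) != pkt.proto:
            return "drop:port-closed"
        # 3. Traffic signature: a UDP packet *from* a service port is a response, and a host
        #    that only answers queries never solicited one.  Legitimate clients send from
        #    ephemeral ports and pass this check.
        if pkt.proto == "udp" and pkt.src_port in REFLECTOR_PORTS:
            return "drop:reflector-signature"
        # 4. Last resort: per-source rate limit.  This is where collateral damage appears,
        #    because an aggressively retrying legitimate client exhausts its own budget.
        bucket = self.buckets.get(pkt.src_ip)
        if bucket is None:
            bucket = self.buckets[pkt.src_ip] = TokenBucket(self.rate, self.burst, now)
        return "accept" if bucket.allow(now) else "drop:rate-limit"


def run_demo():
    """Feed a constructed packet mix through the filter and tally decisions per source."""
    edge = EdgeFilter(known_reflectors={"192.0.2.99"},
                      open_ports={80: "tcp", 443: "tcp", 53: "udp"},
                      rate=10.0, burst=20.0)  # demo values, far below any real policy
    stream = []
    # Constructed attack traffic (RFC 5737 addresses): NTP and SSDP responses aimed at the
    # web port, DNS responses aimed at the DNS port, and a source already on the blocklist.
    stream += [(Packet("192.0.2.11", 123, 80, "udp"), 0.001)] * 3
    stream += [(Packet("192.0.2.14", 1900, 80, "udp"), 0.002)] * 2
    stream += [(Packet("192.0.2.13", 53, 53, "udp"), 0.003)] * 4
    stream += [(Packet("192.0.2.99", 123, 80, "udp"), 0.004)] * 2
    # Constructed legitimate traffic: five HTTPS packets, then a DNS client that retries
    # 30 times within 0.3 s, faster than its 10 pps / 20-packet budget allows.
    stream += [(Packet("198.51.100.8", 50000, 443, "tcp"), 0.1 + i * 0.01) for i in range(5)]
    stream += [(Packet("198.51.100.7", 40211, 53, "udp"), 0.2 + i * 0.01) for i in range(30)]
    tally = Counter()
    for pkt, now in stream:
        tally[(pkt.src_ip, edge.decide(pkt, now))] += 1
    return tally


if __name__ == "__main__":
    for (src, verdict), n in sorted(run_demo().items()):
        print(f"{src:14} {verdict:26} {n}")
```

With these settings the retrying DNS client has 22 packets accepted and 8 dropped by the rate limiter, which is exactly the side effect the article warns about: the earlier, more specific checks stopped all of the reflected traffic without touching a single legitimate packet, and only the blunt last-resort control caused collateral loss.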
Whichever method, or combination of methods, an organisation chooses, they need to take action sooner rather than later. The DDoS attacks being mounted against businesses today are more sophisticated and coming in higher volumes than ever before. As digital transformation efforts continue at pace, it’s likely cyber criminals will see more opportunities to profit, and businesses need to ensure their security posture stacks up to their changing infrastructure.