Distributed denial-of-service attacks—those floods of junk traffic that criminals use to disrupt or completely take down websites and services—have long been an Internet scourge, with events that regularly cripple news outlets and software repositories and in some cases bring huge parts of the Internet to a standstill for hours. Now there’s evidence that DDoSes, as they’re usually called, are growing more potent, with two record-breaking attacks coming to light in the past week.
DDoS operators hack thousands, hundreds of thousands, and in some cases millions of Internet-connected devices and harness their bandwidth and processing power. The attackers use these ill-gotten resources to bombard sites with torrents of data packets with the goal of taking the targets down. More advanced attackers magnify their firepower by bouncing the malicious traffic off of third-party services that in some cases can amplify it by a factor of 51,000, a feat that, at least theoretically, allows a single home computer with a 100 megabit-per-second upload capacity to deliver a once-unimaginable 5 terabits per second of traffic.
These types of DDoSes are known as volumetric attacks. The objective is to use machines distributed across the Internet to send orders of magnitude more traffic volume to a circuit than it can handle. A second class—known as packet-per-second focused attacks—forces machines to bombard network gear or applications inside the target’s data center with more data packets than they can process. The objective in both types of attacks is the same. With network or processing capacity fully consumed, legitimate users can no longer access the target’s resources, resulting in a denial of service.
Hugely disproportionate negative impacts
DDoS attacks over the past two decades have grown increasingly powerful. The ones that a 15-year-old Canadian used in 2000 to take down Yahoo, ETrade, and Buy.com measured in the hundreds of megabits per second, roughly comparable to many of today’s home broadband connections but enough to clog the sites’ pipelines and completely block legitimate connections.
By 2011, attackers had increased DDoSes to the tens of gigabits per second. Record attacks reached 300Gbps, 1.1 terabits per second, and 1.7Tbps in 2013, 2016, and 2018 respectively. While less common, packet-per-second attacks have followed a similar upward trajectory.
The race upward is showing no signs of slowing. Last week, Amazon reported that its AWS Shield DDoS mitigation service went head-to-head with a 2.3 Tbps attack, a 35-percent increase over the 2018 record. Meanwhile, network provider Akamai said on Thursday that its Prolexic service repelled a DDoS that generated 809 million packets per second. That’s a 35-percent increase over what’s believed to be the previous high-water mark, a 600 Mpps DDoS that Roland Dobbins, principal engineer at competing mitigation service Netscout Arbor, said his company handled.
“We anticipate continued innovation in the area of DDoS attack vectors due to the various financial, ideological, and social motivations of attackers,” Dobbins told me. “DDoS attacks allow attackers to have a hugely disproportionate negative impact on both the intended targets of attacks, as well as uninvolved bystanders.”
The attack, which Akamai said hit an unnamed European bank, was notable for how quickly it ramped up. As the image below illustrates, attackers needed less than three minutes to unleash its peak of 809 Mpps.
One of the more recent innovations DDoSers have hit upon is exploiting misconfigured servers running CLDAP, short for Connectionless Lightweight Directory Access Protocol. A Microsoft derivation of the LDAP standard, the mechanism uses User Datagram Protocol packets to query and retrieve data from Microsoft servers.
While CLDAP should be available only from inside a network, Dobbins said that Netscout has identified some 330,000 servers that have the mechanism exposed to the Internet at large. Attackers have seized on this mass blunder. By sending the misconfigured servers CLDAP requests with spoofed IP addresses, the servers unwittingly bombard targets with responses that are 50 or more times bigger.
“It’s frequently administrative sloppiness that allows this attack to exist,” Roger Barranco, vice president of global security operations at Akamai, said. He added that locking down network ports such as 389 and installing patches will generally prevent a server from being abused this way.
In the past, DDoSers abused servers running other widely used protocols that had been misconfigured. When not set up correctly, memcached, a database caching system for speeding up websites and networks, can amplify DDoSes by an unthinkable factor of 51,000, an innovation that powered the 2018 record of 1.7Tbps. Four years earlier, attackers abused the Network Time Protocol that servers rely on to keep clocks synchronized across the Internet. The technique, which magnifies junk traffic by about 19 fold, led to the 2014 DDoSes that took down servers for League of Legends, EA.com, and other online game services.
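The two attack classes described above (volumetric versus packet-per-second) and the three reflection services the article names can be told apart on the defender's side from flow telemetry alone. The detector below is an added example, not code from Akamai, Netscout or the article; the flow records, thresholds and IP addresses are constructed placeholders, and the amplification factors are the rough figures the article cites.

```python
from collections import defaultdict, namedtuple

# Reflector UDP source ports the article names -> (service, rough amplification
# factor it cites: NTP ~19x, CLDAP ~50x, memcached ~51,000x).
REFLECTORS = {123: ("ntp", 19), 389: ("cldap", 50), 11211: ("memcached", 51000)}
Flow = namedtuple("Flow", "ts src_ip src_port dst_ip packets bytes")  # 1-second inbound UDP bucket

def summarize(flows):
    """Total packets, bytes and distinct reflector IPs per (victim, port, second)."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for f in flows:
        if f.src_port in REFLECTORS:  # reply traffic from a known reflector service
            a = agg[(f.dst_ip, f.src_port, f.ts)]
            a["packets"] += f.packets
            a["bytes"] += f.bytes
            a["reflectors"].add(f.src_ip)
    return agg

def detect(flows, gbps_limit=1.0, mpps_limit=1.0, min_reflectors=50):
    """Alert when reflected traffic to one victim crosses a volumetric (Gbit/s)
    or packet-rate (Mpps) bound and comes from enough distinct reflectors to
    rule out a single chatty server. The limits are illustrative placeholders."""
    alerts = []
    for (dst, port, ts), a in sorted(summarize(flows).items()):
        svc, factor = REFLECTORS[port]
        gbps, mpps = a["bytes"] * 8 / 1e9, a["packets"] / 1e6
        kinds = (["volumetric"] if gbps >= gbps_limit else []) + \
                (["pps"] if mpps >= mpps_limit else [])
        if kinds and len(a["reflectors"]) >= min_reflectors:
            alerts.append({"victim": dst, "service": svc, "ts": ts,
                           "kind": "+".join(kinds), "gbps": round(gbps, 2),
                           "mpps": round(mpps, 2),
                           # attacker upload implied by the article's
                           # bandwidth x amplification-factor arithmetic
                           "est_source_gbps": round(gbps / factor, 4)})
    return alerts

# Constructed sample: 60 open CLDAP reflectors send large replies to one victim
# in second 0, 55 NTP reflectors send small replies to it in second 1, and one
# ordinary NTP reply reaches a different host and must not alert.
SAMPLE = (
    [Flow(0, f"203.0.113.{i}", 389, "198.51.100.7", 20_000, 60_000_000) for i in range(1, 61)]
    + [Flow(1, f"192.0.2.{i}", 123, "198.51.100.7", 30_000, 1_440_000) for i in range(1, 56)]
    + [Flow(1, "192.0.2.200", 123, "198.51.100.8", 10, 900)]
)

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

The CLDAP second trips both bounds, the NTP second trips only the packet-rate bound despite carrying far fewer bits, which is the distinction the article draws between the two attack classes.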
Usually, when misconfigurations of widely used protocols or services are abused en masse, Internet watchdogs will push administrators to clean them up. When admins finally do, attackers find new ways to increase their firepower. The cycle continues.
A growth in bots threatens gamers, banks, and you
Besides seizing on amplification methods, the growing size of DDoSes is the result of attackers taking control of an ever-growing number of devices. Whereas Windows and later Linux computers were once the sole dominion of botnets that sent targets junk traffic, the mushrooming number of routers, Internet-connected cameras, and other so-called Internet of things devices have now become active participants as well.
In Thursday’s report, Akamai said that 96 percent of the IP addresses used to deliver the record 809 million packets-per-second DDoS over the weekend had never been observed before. The growing number of compromised IoT devices is likely fueling that increase.
Among the most common DDoS targets are online game players and the companies, platforms, and broadband ISPs they use. Rivalries between gamers are one motivation. Another objective is to disrupt the flow of large amounts of money that’s often wagered in gaming.
Financial institutions, government agencies, political advocacy organizations, and retailers are also frequent marks, often by hacktivists motivated by ideology. DDoSers sometimes strike so they can demand ransoms to stop the attacks. Other times, DDoSers attack out of plain meanness.
The intended targets aren’t the only ones who suffer the adverse effects of DDoSes. Once-unimaginable data storms can overwhelm ISP peering connections, DNS servers, and other infrastructure that everyday people and businesses rely on to shop, send email, and do other important tasks.
“The collateral damage footprint of DDoS attacks is often far larger than the impact on the intended targets,” Dobbins said. “Suffice it to say that far more uninvolved people and organizations often have their activities disrupted by the collateral damage of DDoS attacks than those who are the actual targets of these attacks.”