Compared with the sophistication of a ransomware operation, or the « intrinsic beauty » of a well-crafted phishing campaign, distributed denial of service (DDoS) attacks can seem the crudest of all: millions of requests aimed at a single IP address to knock a server, or a group of servers, offline.
Yet although the technique may look « rudimentary » and without obvious economic return (the key word being « obvious »), the groups that organize this kind of attack are not only growing, but in recent months have shown how their actions can affect the whole internet.
Microsoft is a good example. Its Azure DDoS protection team has just announced that last November it repelled what industry experts consider the largest DDoS attack ever reported: a torrent of unwanted data that peaked at 3.47 terabits per second. The attack came from roughly 10,000 sources in at least ten countries. Redmond said it targeted a large Asian company and lasted two minutes.
In December, the company detected two more massive attacks against some of its customers. The first, which arrived in four « waves », reached 3.25 Tbps and lasted fifteen minutes. The second, in the same month, peaked at 2.54 Tbps and lasted five minutes.
As the American multinational explains, these attacks are already 35% larger than those recorded in 2018, which points to a trend that, far from disappearing, will keep growing, especially for the packet-rate attacks seen most recently. It should be borne in mind that packet-per-second DDoS attacks work by exhausting the processing capacity of the target (and of the firewalls and load balancers in front of it), which must handle every packet regardless of its size, while the more traditional volumetric attacks consume available bandwidth, either within the targeted network or service, or between the target and the rest of the internet. In the new record last November, the attackers delivered approximately 340 million packets per second.
The logic of a super DDoS attack
How are such massive DDoS attacks carried out? As Ars Technica explains, one of the « traditional » methods is simply to increase the number of computers, routers and other internet-connected devices that have been compromised and « recruited » into the botnet. This category also includes compromised servers, which bring far more bandwidth to the attack than a home device does.
Another way is to use amplification vectors. In this type of attack, the criminals send small requests, with the victim's address forged as the source, to misconfigured internet-exposed services; those services then send their much larger replies to the final target, which never asked for them. This second method is behind the recent « arms race » in the world of DDoS attacks.
Attackers using this method are constantly looking for new amplification vectors. In 2014, NTP (Network Time Protocol) reflection became fashionable, bringing down the servers of companies such as Steam, Origin and EA. The method multiplied the attack by a factor of 206, meaning that each gigabyte the attacker sent to the vulnerable devices reached the final target as 206 gigabytes.
In 2018, attackers began abusing memcached, a caching system used to speed up websites and networks, which amplified the initial traffic up to 51,000 times. A year later, DDoS attacks were boosted by devices running WS-Discovery, a protocol found in a wide range of network-connected cameras, DVRs and other Internet of Things devices.
More recently, DDoS attacks have abused Microsoft's RDP (Remote Desktop Protocol), misconfigured servers running CLDAP (short for Connectionless Lightweight Directory Access Protocol), and Plex Media Server installations exposing the Simple Service Discovery Protocol (SSDP).
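The two distinctions the article draws, packet-rate versus volumetric floods and reflection off misconfigured services, are what a responder looks for first in flow data. The following script is an added example written for this article, not code from Microsoft or Azure: it triages simplified flow records (constructed here, not real captures) by computing aggregate packets per second and bits per second, labels which resource the traffic exhausts, and flags inbound UDP traffic whose *source* port belongs to one of the reflection vectors named above (NTP, CLDAP, SSDP, WS-Discovery, memcached). The thresholds and the flow-record format are assumptions for the demonstration; the port-to-service mapping is the standard one, but in practice the vector would be confirmed by payload inspection.

```python
"""Triage of DDoS flow records: packet-rate vs volumetric, and UDP reflection sources.

Added example for this article (not Microsoft's code). Records are constructed.
Format, one per line, '#' starts a comment:
    ts src_ip src_port dst_ip dst_port proto packets bytes
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard UDP service ports of the reflection vectors the article names.
REFLECTOR_PORTS = {123: "NTP", 389: "CLDAP", 1900: "SSDP",
                   3702: "WS-Discovery", 11211: "memcached"}

# Assumed thresholds; a real mitigation tier tunes these per customer.
PPS_THRESHOLD = 100_000        # packets per second
BPS_THRESHOLD = 50_000_000     # bits per second
SMALL_PACKET_BYTES = 128       # average size typical of SYN/ACK-style pps floods


@dataclass
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse the simplified flow-record format into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, sip, sport, dip, dport, proto, pk, by = line.split()
        flows.append(Flow(int(ts), sip, int(sport), dip, int(dport),
                          proto.lower(), int(pk), int(by)))
    return flows


def classify_flood(flows, window_seconds):
    """Aggregate rates over the window and label which resource is exhausted:
    per-packet processing (high pps, small packets) or bandwidth (high bps)."""
    packets = sum(f.packets for f in flows)
    byts = sum(f.bytes for f in flows)
    pps = packets / window_seconds
    bps = byts * 8 / window_seconds
    avg = byts / packets if packets else 0.0
    if pps >= PPS_THRESHOLD and avg < SMALL_PACKET_BYTES:
        label = "packet-rate"
    elif bps >= BPS_THRESHOLD:
        label = "volumetric"
    else:
        label = "below-threshold"
    return {"pps": pps, "bps": bps, "avg_packet_bytes": avg, "label": label}


def reflection_sources(flows):
    """Group inbound UDP flows by reflector service (keyed on *source* port).
    Replies from many hosts on a service port, to a victim that never sent
    the requests, are the signature of a reflection/amplification attack."""
    acc = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            v = acc[REFLECTOR_PORTS[f.src_port]]
            v["reflectors"].add(f.src_ip)
            v["packets"] += f.packets
            v["bytes"] += f.bytes
    return {name: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"],
                   "avg_packet_bytes": v["bytes"] / v["packets"]}
            for name, v in acc.items()}


def bandwidth_amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker spent on the spoofed request."""
    return response_bytes / request_bytes


# Constructed sample: two NTP reflectors and one memcached reflector hitting
# 198.51.100.10, plus one legitimate HTTPS flow. Two-second window.
REFLECTION_SAMPLE = """
1700000000 203.0.113.5 123 198.51.100.10 40001 udp 20000 9680000   # 484-byte replies
1700000000 203.0.113.6 123 198.51.100.10 40002 udp 18000 8712000
1700000001 203.0.113.7 11211 198.51.100.10 40003 udp 5000 7000000  # 1400-byte replies
1700000001 192.0.2.44 443 198.51.100.10 51022 tcp 120 90000        # legitimate
"""

# Constructed sample: tiny 60-byte packets at high rate, the packet-rate pattern.
PPS_SAMPLE = """
1700000000 198.18.0.1 40000 198.51.100.10 80 tcp 150000 9000000
1700000001 198.18.0.2 40001 198.51.100.10 80 tcp 150000 9000000
"""

if __name__ == "__main__":
    flows = parse_flows(REFLECTION_SAMPLE)
    print(classify_flood(flows, 2))          # volumetric, ~102 Mbps
    print(reflection_sources(flows))         # NTP: 2 reflectors, memcached: 1
    print(classify_flood(parse_flows(PPS_SAMPLE), 2))  # packet-rate, 150k pps
```

The order of the checks in `classify_flood` matters: a packet-rate flood of 60-byte packets can also exceed the bandwidth threshold, but the resource it exhausts first is per-packet processing, so that label wins when the average packet size is small. The reflection view keys on the source port precisely because the victim's own outbound requests are absent from the picture; seeing only replies is what distinguishes reflection from a direct flood.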
Unfortunately, millions of misconfigured devices remain connected to the internet. We will therefore continue to see these attacks in the months and years to come, and they will occupy an increasingly prominent place in acts of sabotage and cyberwarfare.