DDoS attacks: Stronger than ever and increasingly used for extortion

Ransomware has taken center stage in the cybercrime ecosystem, causing over $1 billion in losses last year around the world and earning criminals hundreds of millions of dollars in profits. At the same time, distributed denial-of-service (DDoS) attacks, which have also traditionally been used to extort businesses, returned in force. Ransomware groups are even using them to put additional pressure on their victims.

According to recent annual reports from different content delivery networks and DDoS mitigation providers, 2020 was a record-breaking year for DDoS attacks, both in number of attacks as well as size of attacks and the number of attack vectors used. This resurgence in DDoS extortion was likely driven by the COVID-19 pandemic, which forced companies to enable remote working capabilities for most of their employees, making them more vulnerable to disruptions of business operations and probably, in the eyes of the attackers, more willing to pay extortion fees.

The trend continued in 2021 with Akamai seeing three of the six biggest volumetric DDoS attacks in history during February and more attacks that exceeded 50Gbps in the first three months of 2021 than the whole of 2019. The company estimates that attacks over 50 Gbps can take offline most online services that don’t have anti-DDoS mitigation due to bandwidth saturation.

The return of DDoS extortion

The motives behind DDoS attacks are varied, ranging from unscrupulous business owners wanting to disrupt the competition’s services to hacktivists wanting to send a message to organizations they disagree with to simple vandalism caused by rivalries between different groups. However, extortion has long been one of the biggest factors driving this type of illegal activity, and arguably the most profitable one because launching DDoS attacks does not require a huge investment. DDoS-for-hire services cost as little as $7 per attack, making them affordable to virtually anyone.

In fact, according to application and network performance monitoring firm Netscout Systems, cybercriminals demonstrating their DDoS capabilities to potential customers is the top motivation for such attacks, followed by motives related to online gaming—a popular pastime during the pandemic—and extortion. Attackers also often use DDoS attacks as cover to distract the IT and security teams of organizations from detecting other malicious activities on their networks, such as infrastructure compromises and data exfiltration.

The cases of ransom DDoS (RDDoS) incidents have spiked beginning in August 2020, due to several ransomware groups adopting DDoS as an additional extortion technique but also due to campaigns launched by one particular gang that impersonates other threat actors including state-sponsored groups such as Fancy Bear (Russia) or Lazarus Group (North Korea). The group, which has been dubbed the Lazarus Bear Armada (LBA), first launches demonstration DDoS attacks that range between 50 to 300 Gbps against selected targets. It then follows up with an extortion email claiming to have 2 Tbps of DDoS capability and demanding payment in Bitcoin. In these emails the attackers claim to be affiliated with groups whose names often show up in media reports to boost their own credibility. In many cases the group doesn’t follow up with additional attacks if the ransom is not paid, but sometimes they do. After a while they target the previous victims again.

The group predominantly targets organizations from the financial, retail, travel, and e-commerce sectors from around the world and seems to do reconnaissance and planning. They identify non-generic email addresses that the victim organizations are likely to monitor and they target critical yet non-obvious applications and services as well as VPN concentrators, indicating an advanced level of planning. The group’s activities have prompted alerts by multiple security vendors and the FBI.

Unlike groups like LBA that rely only on RDDoS to extort money from organizations, ransomware gangs use DDoS as an additional leverage to convince victims to pay the original ransom, much in the same way they use data leak threats. In other words, some ransomware attacks are now a triple threat that combine file-encryption, data theft, and DDoS attacks. Some of the ransomware gangs known to use or claim to use DDoS attacks in this way include Avaddon, SunCrypt, Ragnar Locker and REvil.

Just like with ransomware, it’s hard to say how many victims of RDDoS actually pay the ransom, but the fact that the number, size, and frequency of these attacks is on the rise suggests the activity is profitable enough. This might be because it has a lower barrier to entry than ransomware itself due to the widespread availability of DDoS-for-hire services whose use doesn’t require a lot of technical knowledge. “In 2021 Q1, 13% of surveyed Cloudflare customers that were hit by a DDoS attack reported they were either extorted by an RDDoS attack or received a threat in advance,” Cloudflare said in a recent report.

Akamai observed a 57% increase in the number of unique organizations being attacked year over year and Netscout reported that the number of DDoS attacks per year exceeded the 10 million threshold for the first time.

“Clinging to the hope of a major Bitcoin payout, criminal actors have started to ramp up their efforts and their attack bandwidth, which puts to rest any notion that DDoS extortion was old news,” Akamai researchers said last month in a report. “The most recent extortion attack—peaking at more than 800 Gbps and targeting a European gambling company—was the biggest and most complex we’ve seen since the widespread return of extortion attacks that kicked off in mid-August 2020. Since the start of the campaign, show-of-force attacks have grown from 200+ Gbps in August to 500+ Gbps by mid-September, then ballooned to 800+ Gbps by February 2021.”

Attack complexity increases as new attack vectors added

According to Akamai, almost two-thirds of DDoS attacks observed last year included multiple vectors, with some including as many as 14. Netscout reported a sharp rise in multivector attacks, too, especially toward the end of 2020 and across attacks that exceeded 15 different vectors. The company saw attacks that combined up to 25 different vectors.

DDoS reflection and amplification that is achieved by abusing multiple UDP-based protocols remains very popular. This technique involves attackers sending packets to poorly protected servers on the internet with a spoofed source IP address to force those servers to send their responses to the intended victim instead of back to the attackers. This achieves two goals: reflection, because the victim doesn’t see the traffic coming from legitimate servers instead of the attacker’s bots, and amplification, because some protocols can be abused to generate larger responses to short queries, amplifying the size or frequency of the packets the attackers can trigger. The size of DDoS attacks is calculated in traffic volume per second, which can saturate bandwidth, and packets per second, which can saturate a server’s processing power.

The most popular DDoS vector in 2020 and for the past several years has been DNS amplification. Other protocols that are often abused for amplification include Network Time Protocol (NTP), Connection-less Lightweight Directory Access Protocol (CLDAP), Simple Service Discovery Protocol (SSDP) and Web Services Discovery (WSD or WS-DD), Remote Desktop Protocol (RDP) over UDP and Datagram Transport Layer Security (DTLS).

Attackers are constantly looking for new attack vectors and protocols to abuse that could bypass existing defenses and mitigation strategies. In March, Akamai started seeing a new attack vector that relied on the Datagram Congestion Control Protocol (DCCP), also known as protocol 33. This is a network data transmission protocol similar to UDP, but with additional congestion and flow control capabilities that UDP doesn’t have. The attacks seen so far by Akamai were typical floods intended to bypass UDP and TCP-based mitigations. The protocol could also technically be used in a reflection and amplification scenario, but not enough servers are on the internet using this protocol that could be abused to reflect traffic through.

“Abusable open-source and commercial applications and services based on UDP remained a valuable asset for attackers, who mined them to discover new reflection/amplification DDoS attack vectors to power a new wave of attacks,” Netscout researchers concluded. Some examples of that include the SSDP implementation of Plex Media Server and the UDP-based network discovery protocol used by the Jenkins software development automation server.

Other DDoS vectors that were common last year according to Netscout were TCP ACK, TCP SYN, ICMP, TCP reset, TCP ACK/SYN amplification and DNS floods.

DDoS botnets ensnare IoT and mobile devices

Botnets made up of compromised devices and servers are the driving force behind DDoS attacks. Variants of the Mirai malware that infects IoT devices continued to feature prominently in the top of DDoS botnets in 2020. These devices are often compromised using weak or default credentials and Netscout observed a 42% increase in Telnet and Secure Shell (SSH ) brute-force attacks last year compared to 2019.

Additionally, compromised Android mobile devices are also used to launch DDoS attacks. In February, researchers from Netlab, the network security division of Chinese firm Qihoo 360, reported a new botnet dubbed Matryosh that was compromising Android devices with their ADB (Android Debug Bridge) interface exposed to the internet. In an annual Netscout survey of cloud and internet service providers, nearly a quarter of respondents reported seeing mobile devices being used to launch DDoS attacks.