UDP-protocol attacks, often used in ransom-driven assaults, surged 2,680%
Distributed Denial-of-Service (DDoS) attacks directed at networks became more numerous but less powerful on average in the third quarter of this year, according to new data from Cloudflare.
However, the DDoS protection provider pointed out that even sub-500 Mbps assaults – accounting for nearly 85% of attacks – can disrupt poorly protected web-facing assets.
“Smaller attacks can indicate that amateur attackers may be behind the attacks” or may “serve as a smokescreen to distract security teams from other kinds of cyber-attacks that might be taking place simultaneously”, said Cloudflare’s Omer Yoachimik and Vivek Ganti in a blog post.
Accounting for 56% of this year’s attacks so far, the number of DDoS attacks in the third quarter climbed each month and were double the total observed in the second quarter.
Follow the money
John Graham-Cumming, CTO at Cloudflare, believes Covid-19 may have played a role in the fourfold increase since the first quarter.
“Willie Sutton famously said he robbed banks because that’s where the money was. The same is true for cyber-attacks,” he told The Daily Swig.
“2020 saw a huge increase in online working, learning, and shopping, and so the bad guys and the DDoS attacks followed.”
Analysis of traffic at 200 Cloudflare data centers around the world also revealed an explosion of CDP-protocol attacks as well as a rise in ransom-driven (RDDoS) and distributed botnet attacks.
Peaking at 654 Gbps, the fierce assault originated from 18,705 unique IP addresses associated with Moobot-infected devices.
The campaign lasted nearly 10 days, although Cloudflare says its customer observed “no downtime or service degradation”.
Size isn’t everything
Some 87% of attacks were under 1 Gbps, down from around 52% the quarter before.
However, the many organizations using ISP-provided uplinks well below 1 Gbps could still suffer considerable disruption from such incidents, noted Cloudflare.
The average packet rates also shrank, with 47% of third-quarter attacks under 50 Kpps compared to just 19% in the second.
Like previous quarters, most attacks were fairly short-lived too, with around 88% finishing within an hour.
‘Short-burst attacks’ can evade detection until after they’ve finished by DDoS services that rely on manual analysis and mitigation, and help attackers “understand the security posture of their targets before they decide to potentially launch larger attacks at larger rates and longer durations – which come at a cost”, said Yoachimik and Ganti.
Your money or there’ll be strife
The short average duration may have been partly fueled by the growing popularity of RDDoS attacks, where UDP reflection attacks lasting 30 minutes or less sometimes accompany a ransom note threatening large-scale attacks if the target declines to pay up.
The RDDoS phenomenon is associated with cybercrime groups such as Fancy Bear, Cozy Bear, and Lazarus.
“Some of those attacks are sophisticated with criminals doing reconnaissance on a company to know exactly where to hit them with an attack,” said Graham-Cumming. “Others are copycats that send out threats hoping to make some easy money.”
TCP-based attacks remained the most widely used DDoS techniques, with SYN floods accounting for by far the greatest proportion at nearly 65%, followed by RST floods (less than 10%).