The first documented widespread distributed denial-of-service (DDoS) attack occurred in 1996 when New York City-based internet provider, Panix, was attacked. The New York Times described it:
Beginning Sept. 6 and continuing through at least last Tuesday, a hacker intent on shutting Panix down successfully did just that, by bombarding the service provider’s servers with a flood of phony connection requests that prevented real requests by legitimate customers from getting through.
DDoS attacks spike again in 2021
The full article is an eye-opening account because it shows just how little DDoS attacks have changed in 25 years and how security experts still struggle to contain them. In fact, the past year has seen a resurgence in DDoS attacks, which, beyond being an inconvenience, are often used as a cover for cybercriminals to cause even greater damage to a system. Think of a DDoS attack as a decoy explosion to attract the attention of law enforcement while a bank is being robbed simultaneously elsewhere.
Cybersecurity firm Netscout recently released a report citing a 20 percent increase in DDoS attacks in 2020, with a spike in the latter part of the year.
The report describes hackers emboldened by newer, easier tools to work with, and plenty of COVID-19 chaos to use as cover. The report, in part, says:
“Armed with an ever-improving set of tools that lowered the bar to entry for launching more-complex, higher-throughput attacks, cybercriminals eagerly leveraged new weaknesses, setting the stage for a banner year for DDoS activity.”
Q&A with Dr. Greg Moody
Smarter MSP caught up with Dr. Greg Moody, Associate Professor, Lee Professor of Information Systems, Program Director of the MS in Cybersecurity Program at the University of Las Vegas. We asked Dr. Moody whether he thinks COVID-19 contributed to the rise in DDoS attacks and what MSPs and others can do to prevent these attacks.
Q: How did the COVID-19 pandemic help spur an increase in DDoS attacks?
Overall, DDoS, like phishing, increased during the pandemic. Why? Without a survey of attackers, we can only really guess. But the most likely rationale is that attackers saw a golden opportunity.
Organizations had abandoned their routines to respond to novelties in their environment. Most companies sent workers home, and this required IT to focus a lot more resources on support, VPNs, and other at-home issues that simply weren’t around before.
Q: So COVID-19 put a lot of strain on traditional IT resources that created conditions ripe for DDoS attacks?
The past year strained network resources as work was being done outside of the firewall, so the boundary was being hit more, which it was supposed to do. Most IT departments had to increase the ability of outsiders to enter the perimeter of the organization.
Thus, attackers, witnessing a busier IT staff preoccupied with supporting all the changes to the business and distracted by changes in their own lives, would experience an increase in their ability to successfully launch an attack that breaches a company. Granted, most DDoS attacks are not about creating a breach, but are more annoyances to make a website slow or inaccessible. But they are good red capes to wave at a bull and distract the cyber staff while the real attack occurs.
Q: Does an attacker need deep pockets to launch a DDoS?
Most attackers have limited resources, so their ability to run a DDoS depends on either 1) harvesting a bunch of machines to do the attack, or 2) renting a lot of machines from the dark web to run an attack. Given that more people were distracted, working from home and nervous, the ability to breach devices (both personal and work) went up, and thus I presume the cost of obtaining a zombie (a machine that could be controlled by a remote user) would have decreased. Either 1 or 2 above would therefore have been easier and cheaper to do, resulting in more DDoS attacks.
Also, I am sure some hacker groups that are motivated not by profit but by some other values, i.e., opposition to increased profits for corporations that were allowed to amass more wealth during quarantine periods, would have driven more DDoS attacks that are heavily targeted based on that ideology.
Q: What can MSPs, CISOs, and other security stakeholders do to defend themselves against DDoS attacks?
From my knowledge, there are two real types of defenses. The first is good perimeter defensive design and tools that identify such blatant attacks and then instruct the perimeter to simply ignore such attacks. There are several ways for this to happen, including whitelists, blacklists, smart network devices, firewalls, etc.
Secondly, there are arrangements, per the SLAs, with an ISP to identify and automatically remove such types of attacks.
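As an added illustration of the first kind of defense Dr. Moody describes (a tool that recognises a blatant flood at the perimeter and tells it to drop the source), here is a small rate-based detector. It is example code written for this article, not a tool from the article or from Dr. Moody. The log format (integer milliseconds, source address, destination port, SYN or ACK event), the addresses, the allowlisted monitoring range and the ten-requests-per-second threshold are all constructed assumptions, and the drop directives it emits use a generic syntax rather than any particular firewall's.

```python
"""Per-source connection-request flood detection over a sample log.

Example code added for this article; not from the article or from Dr. Moody.
The log format, addresses, thresholds and allowlist are constructed assumptions.
Each log line: "<ms> <src_ip> <dst_port> <event>", event is SYN (connection
request) or ACK (handshake completed), lines in chronological order.
"""
import ipaddress
from collections import defaultdict, deque


def _build_sample_log():
    """Constructed sample traffic (not real captures)."""
    lines = []
    # Two ordinary clients: a few connection requests, each completed.
    for i, src in enumerate(("203.0.113.7", "203.0.113.8")):
        for k in range(3):
            t = i * 1000 + k * 500
            lines.append(f"{t} {src} 443 SYN")
            lines.append(f"{t + 50} {src} 443 ACK")
    # A monitoring host on an allowlisted range: many requests, all completed.
    for k in range(20):
        t = k * 50
        lines.append(f"{t} 192.0.2.10 443 SYN")
        lines.append(f"{t + 10} 192.0.2.10 443 ACK")
    # One source firing 40 requests in 1.6 s and never completing a handshake.
    for k in range(40):
        lines.append(f"{1000 + k * 40} 198.51.100.9 443 SYN")
    lines.sort(key=lambda line: int(line.split()[0]))
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, src, port, event = line.split()
    return int(ts), src, int(port), event


def detect_floods(lines, window_ms=1000, max_syn=10, allowlist=("192.0.2.0/24",)):
    """Return {src: peak SYN count within any window_ms} for sources whose
    peak exceeds max_syn and that are not on the allowlist.

    max_syn=10 per second is an assumed threshold; a real deployment would
    baseline it against normal traffic rather than hard-code it.
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # src -> timestamps of SYNs inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, src, _port, event = parse_line(line)
        if event != "SYN":
            continue
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # slide the window forward
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > max_syn}


def half_open_ratio(lines, src):
    """Fraction of a source's connection requests that never completed.
    Near 1.0 is the signature of phony requests; near 0.0 is a busy but
    legitimate client."""
    syn = ack = 0
    for line in lines:
        _ts, s, _port, event = parse_line(line)
        if s != src:
            continue
        if event == "SYN":
            syn += 1
        elif event == "ACK":
            ack += 1
    return 0.0 if syn == 0 else (syn - ack) / syn


def render_drop_rules(offenders):
    """Turn flagged sources into perimeter drop directives (generic syntax)."""
    return [f"deny from {src}" for src in sorted(offenders)]


if __name__ == "__main__":
    flagged = detect_floods(SAMPLE_LOG)
    for src, n in flagged.items():
        print(f"{src}: peak {n} SYN/s, half-open ratio "
              f"{half_open_ratio(SAMPLE_LOG, src):.2f}")
    print("\n".join(render_drop_rules(flagged)))
```

The allowlist matters in practice: a monitoring host or load-tester opens connections at a rate that would trip a naive counter, which is why the detector combines the rate with the half-open ratio and exempts known ranges before it produces any drop rule.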
Q: We saw an increase in DDoS attacks in 2020. Do you think the trend will continue?
I think the trajectory will continue as it has been. DDoS attacks are easy to do, so they will continue. And as we develop ways to automatically block them, attackers will identify options for getting around those.
Twenty-five years ago, the New York Times article predicted much the same. An expert quoted in the article said of the Panix attack: “Filtering is not a panacea, rather, it’s an attempt to saw off the top half of 1 percent of an iceberg. There’s always more.” And in 2020, there was 20 percent more.