Starting on the afternoon of June 15, a wide outage appeared to be affecting ISPs, social media platforms and mobile carriers. A Twitter account associated with Anonymous announced that the US was currently under “a major DDoS attack.” It included a map showing the US being bombarded by internet traffic from all over the globe.
— Anonymous (@YourAnonCentral) June 15, 2020
The internet was soon abuzz with speculations about “the world’s largest ever DDoS attack”. But was it?
Matthew Prince, CEO at DDoS protection company Cloudflare, answered with his own tweet, stating that the outage wasn’t the result of a massive-scale DDoS attack. It was, rather, “far more boring,” Prince said, resulting from US carrier T-Mobile making network configuration changes that “went badly,” affecting both its voice and data networks.
It starts with T-Mobile. They were making some changes to their network configurations today. Unfortunately, it went badly. The result has been for around the last 6 hours a series of cascading failures for their users, impacting both their voice and data networks. 2/X
— Matthew Prince 🌥 (@eastdakota) June 15, 2020
Later that day, T-Mobile CEO Mike Sievert issued a statement confirming the voice and text issues, blaming “an IP traffic related issue that has created significant capacity issues in the network core throughout the day.” The issue was eventually resolved in the early hours of June 16.
While the incident seems to be a case of crying wolf, denial of service attacks are, in fact, making something of a comeback. Those branding themselves as Anonymous hacktivists are partly to blame.
Riots and Denial of Service
During the recent waves of riots sweeping the US, members of the hacktivist group launched several DDoS attacks against law enforcement agencies and municipalities. Minneapolis website was hit by a DDoS attack, followed by an attack on the Minneapolis Police Department.
On the law enforcement side, the latest victim is the Atlanta Police Department’s website.
This isn’t surprising. In the past, DDoS was the weapon of choice for this group. What is surprising is that this time around, the attacks weren’t limited to anarchists fighting the establishment. Subsequent attacks were launched from the opposite end of the political spectrum, targeting advocacy groups that fight for Black rights.
Cloudflare saw 1120 times as many attacks in May as it did in April.
“In fact, those groups went from having almost no attacks at all in April, to attacks peaking at 20,000 requests per second on a single site,” the company said. Others may have also been victimized after taking a side in the Black Lives Matter debate, including government and military websites, Cloudflare said.
Cybercrime and DDoS
But DDoS isn’t just used to punish political opponents. It can also be a formidable tool in the hands of cyber criminals. The method is crude, but effective: Cybercriminals demand a ransom, threatening to unleash an attack that will knock a targeted victim offline for a considerable amount of time, costing it in terms of both traffic and associated revenue if it refuses to pay. A slightly more sophisticated business model was employed by vDOS—a now-defunct DDoS as a Service shop run by two young criminals from Israel. Arrested nearly four years ago, the pair was sentenced last week, having been given a mere 6 months of community service plus a meager fine and probation. While it’s extremely rare that DDoS enablers get caught and sentenced, the actual sentence is disappointing, given the scope of their crimes: they facilitated the launch of 2 million attacks and netted about USD $600,000.
But money isn’t the only criminal motive for launching DDoS attacks. Shame can also be a reason.
Naturalized US citizen Andrew Rakhshan, previously convicted in Canada for fraud in 2013, was sentenced last week to a maximum of five years in prison and ordered to pay over $500,000 after being found guilty of launching DDoS attacks against several websites. When one target—the website Leagle.com—refused to pay, Rakhshan next tried to bribe its operators. Finally, he threatened to DDoS the site—a threat he carried out by using a DDoS for hire service in January 2015.
A Global Decline in DDoS Attacks, But a Surge During Covid-19 Months
While DDoS attacks seem to be fewer in number, they’re getting bigger and more complicated. A new report suggests that DDoS attacks are bigger on average, longer and more sophisticated, with some combining up to 30 attack methods in one assault.
And while the overall trend is a decline in DDoS, Covid-19 has brought with it a surge of denial-related activities. There’s been a significant increase in DDOS attack volumes during March, April and May, with the aggregate volume of DDoS traffic now at 40% to 50% above pre-pandemic levels from February, according to telecom operator Nokia Deepfield.
New Techniques, Targets and Records
Traditional DDoS methods have been around for decades, and most attacks can be successfully mitigated by DDoS protection solutions.
But that may not be the case for much longer.
Researchers from Tel Aviv University and the Interdisciplinary Center of Herzliya in Israel discovered a new technique that could allow a relatively small number of computers to carry out DDoS attacks on a massive scale. The new technique, which the researchers called NXNSAttack, takes advantage of vulnerabilities in common DNS software. The NXNSAttack technique can cause a DNS server to perform hundreds of thousands of requests every time a hacker’s machine sends just one, effectively amplifying the attacker’s firepower tenfold. This means an attacker has to compromise a relatively small number of machines to achieve massive impact: something that up until now has required the creation of a huge botnet.
At this point, the race to the DDoS championship is wide open. The most prominent DDoS attack against a specific website—a large hosting provider used by a number of political and social sites—happened in early June, topping a bandwidth of 1.44 terabits per second and 385 million packets-per-second. Akamai, which repelled the attack, wouldn’t name the victim site, but it did mention that the provider was targeted for “social” reasons, which might indicate the motive was similar to the political attacks associated with the Black Lives Matter debate, as described above.
That attack was impressive, but it was topped by a record, three-day DDoS attack of 2.3 Tbps aimed at AWS servers in February. Amazon published the findings in its recent AWS Shield Threat Landscape Report – Q1 2020, stating that the massive attack was caused by a version of UDP reflection vector called CLDAP reflection. It was observed with a previously unseen volume of 2.3 Tbps. This is approximately 44% larger than any network volumetric event previously detected on AWS.
Recruiting IoT Devices and Cloud to the Ranks
Last but not least, it’s not just computers taking part in DDoS attacks. Connected devices (also known as “IoT devices” or “smart devices”) are aggressively targeted and recruited into botnets for hire, later to be used for DDoS attacks. A newly discovered vulnerability in UPnP (Universal Plug and Play) can exacerbate this process. The vulnerability—CVE-2020-12695, aka “CallStranger”—allows attackers to subscribe to devices so they can force them to send traffic to any IP address. This enables attackers to launch large-scale, amplified TCP DDoS reflection attacks, by using a spoofed IP address to send a request to a third-party server. The response is much larger in size and is returned to the spoofed IP address of the unwitting victim, creating powerful DDoS attacks.
DDoS is one of the most established cyber threats. It’s been around for ages. Hence, there’s a general tendency to downplay its severity. It’s true that the overall number of attacks are decreasing, and that modern web infrastructure is more resilient to primitive DDoS attacks than ever before. But given the massive adoption of connected devices by consumers and enterprises, it wouldn’t surprise us to see this attack vector gaining in popularity. Another scenario worth keeping in mind is that DDoS attacks are a perfect smokescreen: they can be used by sophisticated attackers to divert the attention of security teams while the intruders infiltrate the organization in another way.