The protracted arms race between criminals who wage distributed denial-of-service attacks and the defenders who attempt to stop them continues, as the former embraces “alarming” new methods to make their online offensives more powerful and destructive, researchers from content-delivery network Cloudflare reported Wednesday.
With a global network spanning more than 300 cities in more than 100 countries around the world, Cloudflare has visibility into these types of attacks that’s shared by only a handful of other companies. The company said it delivers more than 63 million network requests per second and more than 2 trillion domain lookups per day during peak times. Among the services that Cloudflare provides is mitigation for the attacks, which are typically referred to by the abbreviation DDoS.
“In recent months, there’s been an alarming escalation in the sophistication of DDoS attacks,” Cloudflare researchers Omer Yoachimik and Jorge Pacheco wrote Wednesday in a threat report that recaps highlights during the second quarter of this year. “And even the largest and most sophisticated attacks that we’ve seen may only last a few minutes or even seconds—which doesn’t give a human sufficient time to respond.”
DDoSes work by pummeling a web server or other online property with more traffic than their infrastructure can handle. The goal is to cause the service to buckle and, as a result, deny service to legitimate users attempting to access the property. DDoSing is akin to a large group of teenagers who call a pizza shop phone number all at once. The flood of junk calls uses up all available phone lines and exhausts the personnel available to answer. People trying to place legitimate orders are then unable to get through.
Traditionally, DDoSes haven’t been particularly sophisticated. In many respects, they’re not much different from a Neanderthal wielding a giant club against enemies. The caveman with the biggest club will generally win. More recently, that has begun to change. As Cloudflare, Microsoft, and other large companies devise new measures to curb the effects of DDoS attacks, threat actors, some aligned with the Russian government, are pioneering new ways to counter those defenses.
The newer methods attempt to do two things: (1) conceal the maliciousness of the traffic so defenders don’t block it and (2) deliver ever-larger traffic floods that can overwhelm targets even when they have DDoS mitigations in place.
These methods include:
HTTP DDoS attacks. These attacks use the plain-vanilla hypertext transfer protocol to flood websites and HTTP-based API gateways with enough requests to exhaust their computing resources. DDoS mitigation services traditionally block such attacks by singling out the attacker requests from the legitimate ones. Now, the attackers are fighting back using methods that make it harder to distinguish between malicious and benign traffic. As the researchers explained:
We’ve observed an alarming uptick in highly-randomized and sophisticated HTTP DDoS attacks over the past few months. It appears as though the threat actors behind these attacks have deliberately engineered the attacks to try and overcome mitigation systems by adeptly imitating browser behavior very accurately, in some cases, by introducing a high degree of randomization on various properties such as user agents and JA3 fingerprints to name a few. An example of such an attack is provided below. Each different color represents a different randomization feature.
Furthermore, in many of these attacks, it seems that the threat actors try to keep their attack rates-per-second relatively low to try and avoid detection and hide amongst the legitimate traffic.
This level of sophistication has previously been associated with state-level and state-sponsored threat actors, and it seems these capabilities are now at the disposal of cyber criminals. Their operations have already targeted prominent businesses such as a large VoIP provider, a leading semiconductor company, and a major payment & credit card provider to name a few.
Exploitation of servers running unpatched software. Another method on the rise is the exploitation of servers running unpatched software for the Mitel MiCollab and MiVoice Business Express collaboration systems, which act as a gateway for transferring PBX phone communications to the Internet and vice versa. A vulnerability tracked as CVE-2022-26143 stems from an unauthenticated UDP port the unpatched software exposes to the public Internet. When an attacker floods a vulnerable system with requests spoofed to appear to come from the victim, the system in turn pummels the victim with a payload that can be 4 billion times bigger. This amplification method works by issuing what’s called a “startblast” debugging command, which simulates a flurry of calls to test systems.
“As a result, for each test call, two UDP packets are sent to the issuer, enabling an attacker to direct this traffic to any IP and port number to amplify a DDoS attack,” the Cloudflare researchers wrote. “Despite the vulnerability, only a few thousand of these devices are exposed, limiting the potential scale of attack, and attacks must run serially, meaning each device can only launch one attack at a time.”
DNS Laundering attacks. These were the third DDoS technique in vogue last quarter. As the resource that translates domain names into IP addresses, the domain name system is crucial for data to get from one place to another. By flooding a target’s DNS infrastructure with more lookup requests than it has the resources to handle, attackers have long been able to make targeted services unavailable.
This type of attack can have devastating consequences for the entire Internet, as the world learned in 2016, when a relatively small network of infected routers and other devices exhausted the resources of DNS provider Dyn. As a result, Twitter, GitHub, the PlayStation network, and hundreds of other properties that relied on Dyn came to a standstill.
Now that defenders are better at filtering out malicious DNS requests, attackers have begun leveraging DNS Laundering attacks. The Cloudflare researchers explained:
In a DNS Laundering attack, the threat actor will query subdomains of a domain that is managed by the victim’s DNS server. The prefix that defines the subdomain is randomized and is never used more than once or twice in such an attack. Due to the randomization element, recursive DNS servers will never have a cached response and will need to forward the query to the victim’s authoritative DNS server. The authoritative DNS server is then bombarded with so many queries that it cannot serve legitimate queries or even crashes altogether.
From the protection point of view, the DNS administrators can’t block the attack source because the source includes reputable recursive DNS servers like Google’s 220.127.116.11 and Cloudflare’s 18.104.22.168. The administrators also cannot block all queries to the attacked domain because it is a valid domain to which they want to preserve access for legitimate queries.
The above factors make it very challenging to distinguish legitimate queries from malicious ones. A large Asian financial institution and a North American DNS provider are amongst recent victims of such attacks. An example of such an attack is provided below.
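A defender-side heuristic for the random-prefix pattern the quote describes, as an added example that is not Cloudflare's code: it scans constructed authoritative-server query logs (assumed format `<source IP> <qname>`, zone `example.com`) and flags resolvers whose queries are dominated by one-off, high-entropy labels, so the zone can be rate limited without blocking the resolvers themselves.

```python
"""Heuristic detection of a DNS laundering flood at the authoritative server.
Added example; log format and zone name are assumptions, not from the report."""
import math
from collections import Counter, defaultdict

# Constructed sample log: a few normal lookups plus a random-prefix flood
# that arrives through two recursive resolvers (198.51.100.5 and .6).
SAMPLE_LOG = """\
192.0.2.10 www.example.com
192.0.2.11 mail.example.com
192.0.2.10 www.example.com
198.51.100.5 x7q2k9fz.example.com
198.51.100.5 ab3m1pqz.example.com
198.51.100.6 q9z8x7c6.example.com
198.51.100.6 m2n3b4v5.example.com
198.51.100.5 l0k9j8h7.example.com
198.51.100.6 www.example.com
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random prefixes score high, 'www' scores 0."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def leftmost_label(qname: str, zone: str) -> str:
    """Strip the zone suffix and return the leftmost label of what remains."""
    suffix = "." + zone
    prefix = qname[: -len(suffix)] if qname.endswith(suffix) else ""
    return prefix.split(".")[0] if prefix else ""

def analyse(log: str, zone: str, known_labels: set, entropy_threshold: float = 2.5):
    """Per source resolver: total queries, distinct unknown labels, random-looking ones."""
    stats = defaultdict(lambda: {"queries": 0, "unknown": set(), "random": 0})
    for line in log.splitlines():
        src, qname = line.split()
        label = leftmost_label(qname, zone)
        s = stats[src]
        s["queries"] += 1
        if label and label not in known_labels:
            s["unknown"].add(label)
            if shannon_entropy(label) >= entropy_threshold:
                s["random"] += 1
    return stats

def suspicious_sources(stats, min_unknown_ratio: float = 0.5):
    """Flag resolvers whose queries are mostly one-off, random-looking labels.
    The resolver is not blocked; the flag feeds per-zone rate limiting instead."""
    return sorted(src for src, s in stats.items()
                  if s["queries"] and len(s["unknown"]) / s["queries"] >= min_unknown_ratio
                  and s["random"] == len(s["unknown"]))
```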
Virtual-machine botnets. The last technique the researchers identified as on the rise was the use of virtual-machine botnets. Rather than relying on infected routers and other Internet-connected devices, attackers use VMs or virtual private servers. The computational and bandwidth resources of these botnets dwarf those of more traditional botnets, allowing them to deliver “hyper-volumetric” DDoSes.
Wednesday’s report said that such a botnet was responsible for delivering an attack of 71 million requests earlier this year, making it one of the biggest DDoSes ever.
Last quarter, cryptocurrency websites were the biggest DDoS target, followed by gaming and gambling sites, and marketing and advertising sites. The US was the biggest source of DDoSes, followed by China and Germany. Given the larger market sizes of these countries, it follows that they would account for more DDoSes as well. When removing such bias, the researchers said, the biggest sources were Mozambique, Egypt, and Finland. Close to a fifth of all HTTP traffic originating from Mozambique IP addresses was part of DDoS attacks.