Complex Made Simple

Why DDoS attacks dropped in Q4 but increased in H2 2020 and how to stop them

DDoS, the most common cyber attacks, are becoming a real nuisance to people and businesses. What are the ways to ward them off?

As people began to spend more time online in 2020, it resulted in a boom of DDoS attacks DDoS attacks aim to simply overwhelm an organization’s defenses with a massive flood of service requests The SSDP protocol, with more than 2.5 million unique systems, led the list of amplification attack weapons in 2020

The number of DDoS attacks detected by Kaspersky DDoS Prevention in Q4 2020 increased slightly in comparison to the same period in 2019. However, it is 31% less compared to Q3 2020. This drop can be connected to the growing interest in cryptocurrency mining. 

As people began to spend more time online in 2020, it resulted in a boom of DDoS attacks. And in the fourth quarter, attacks on educational institutions continued and online gaming services also suffered DDoS attacks.

However, in Q4 2020 there were only 10% more attacks than in Q4 2019.  

Experts suggest that this can be caused by a surge in cryptocurrency costs. As a result, cybercriminals may have had to ‘re-profile’ some botnets so that C&C servers, which are typically used in DDoS attacks, could repurpose infected devices and use their computing power to mine cryptocurrencies instead. 

Throughout 2019, as well as in the beginning of 2020, the number of crypto miners was dropping. However, from August 2020 the trend changed, with the amount of this form of malware increasing slightly and reaching a plateau in Q4.

Read: DDoS attack landscapes on financial services over past 3 years

Read: Recent hack attacks, and 2020 stats for exposed data and paid ransomware

“The DDoS attack market is currently affected by two opposite trends. On the one hand, people still highly rely on stable work of online resources, which can make DDoS attacks a common choice for malefactors. However, with a spike in cryptocurrency prices, it may be more profitable for them to infect some devices.”  

To stay protected against DDoS attacks, Kaspersky experts recommend assigning specialists who understand how to respond to DDoS attacks and validating third-party agreements and contact information, including those made with internet service providers to quickly access agreements in case of an attack.

Kaspersky DDoS Protection combines Kaspersky’s extensive expertise in combating cyber threats and the company’s unique in-house developments.

Read the full report on Securelist.

Defending against increasing DDoS attacks 

Amr Alashaal, Regional Vice President – Middle East at A10 Networks said that tracking of DDoS attacks, DDoS attack methods, and malware activity, A10 Networks has observed a steady increase in the frequency, intensity, and sophistication of these threats, most recently in the State of DDoS Weapons Report for H2 2020, which covers the second half of the past year. 

“During this period, we saw an increase of over 12% in the number of potential DDoS weapons available on the internet, with a total of approximately 12.5 million weapons detected. The good news is that proven methods of protection continue to be effective even as threat levels rise,” Amr said.

Botnets drive DDoS attack levels to new heights

In June 2020, Amazon revealed a DDoS attack on its public cloud earlier that year that peaked at 2.3 Terabit per second (Tbps), almost twice the size of the previous largest recorded attack. 

Soon afterward, Google revealed details of an even larger DDoS attack that peaked at 2.5 Tbps.  

Unlike other types of cyberattacks that depend on concealment, DDoS attacks aim to simply overwhelm an organization’s defenses with a massive flood of service requests delivered from a large number of sources. The distributed nature of the attack makes it especially difficult to repel, as the victim can’t simply block requests from a single illicit source. 

In recent years, hackers have evolved their methods and broadened their base of attack by using malware to hijack vulnerable compute nodes such as computers, servers, routers, cameras, and other IoT devices and recruit them as bots. 

In the second half of 2020, the top locations where botnet agents were detected include India, Egypt, and China, which together accounted for approximately three-quarters of the total. 

Blocking botnet recruiters

The identification of IP addresses associated with DDoS attacks gives organizations a way to defend their systems against questionable activity and potential threats. To protect services, users, and customers from impending DDoS attacks, companies should block traffic from possibly compromised IP addresses unless it is essential for the business, or to rate-limit it until the issue is resolved. 

Automated traffic baselining, artificial intelligence (AI), and machine learning (ML) techniques can help security teams recognize and deal with zero-day attacks more quickly by recognizing anomalous behavior compared with historical norms. 

Another important step is to make sure that your organization’s own devices are not being recruited as bots. All IoT devices should be updated to the latest version to alleviate infection by malware. To detect any pre-existing infections, monitor for unrecognized outbound connections from these devices, and check whether BitTorrent has ever been seen sourced or destined to these devices. 

Outbound connections should be blocked as well. This will prevent the device from making the call required for the installation of malware such as mozi.m or mozi.a as part of the bot recruitment process. 

Amplification attacks and how to prevent them 

The scope of a DDoS attack can be vastly expanded through amplification, a technique that exploits the connectionless nature of the UDP protocol. 

The attacker spoofs the victim’s IP address and uses it to send numerous small requests to internet-exposed servers. Servers configured to answer unauthenticated requests, and running applications or protocols with amplification capabilities will then generate a response many times larger than the size of each request, generating an overwhelming volume of traffic that can devastate the victim’s systems. 

Amplification reflection attacks have resulted in record-breaking volumetric attacks and account for the majority of DDoS attacks.

The SSDP protocol, with more than 2.5 million unique systems, led the list of amplification attack weapons exposed to the internet in 2020. 

With an amplification factor of over 30x, SSDP is considered one of the most potent DDoS weapons. The most straightforward blanket protection against such attacks is to simply block port 1900 traffic sourced from the internet unless there is a specific use case for SSDP usage across the internet. 

As recent trends make clear, the DDoS threat will only continue to grow as rising online activity across sectors, a rapidly expanding universe of IoT devices, and increasingly sophisticated methods offer new opportunities for cybercriminals.