July 30, 2020
In the first six months of 2020, rather than relying on the traditional tactics of the criminal underworld to carry out DDoS attacks, attackers have employed more complex and cunning tactics designed to hamper the detection and mitigation of attacks on the infrastructure of enterprises, Internet Service Providers (ISPs), Communications Service Providers (CSPs), and the like. In our research, we came across techniques that are specifically designed to bypass most DDoS detection technologies.
Traditional DDoS attacks are costly and resource-hungry for the attacker as well as the victim, so attackers have been seeking ways to execute attacks using the minimum amount of resources and at the lowest cost. Volumetric attacks are easy to generate by reflecting traffic off public resolvers towards a target network, but sustaining a large attack still takes considerable effort and money. Moreover, given the successful mitigation of recent high-profile DDoS attacks, and the ramped-up precautions taken to stop future attacks in their tracks, large-scale attacks are usually resolved in a relatively short period of time.
In light of the above, attackers have changed tactics, opting for a stealthier, more methodical and more economical approach to flooding a victim network's bandwidth, by combining three attack techniques tailor-made to bypass the detection and mitigation mechanisms of DDoS protection schemes. The three increasingly common techniques used in unison by attackers to produce bypass attacks are detailed below.
The first technique is short-duration, high-frequency bursts of attack packets sent to a network intermittently. Each burst creates a brief period of genuine congestion, seriously degrading the quality of the connection between client and server, which prevents the server from providing normal service to legitimate users and results in a significant decline in service quality. Because these bursts are short and are blended into the normal data stream, the average traffic rate stays low for long stretches, so detection methods that alert on averaged rates or sustained volume have low detection rates and long incubation periods, and struggle to distinguish the bursts from normal traffic.
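The following is an added example, not code from the Nexusguard post, showing why an averaged rate threshold misses intermittent short bursts while a short-window detector that counts individual over-threshold samples catches them. The packets-per-second series, the burst pattern (2-second bursts every 30 seconds) and the thresholds are all constructed for illustration.

```python
"""Added example (not from the original post): averaged-rate detection vs. short-window
burst detection on a constructed packets-per-second (pps) time series."""
from statistics import mean


def make_series(seconds: int, baseline_pps: int, burst_pps: int,
                burst_len: int, period: int) -> list[int]:
    """Constructed pps series: a steady baseline with a burst of `burst_len` seconds
    every `period` seconds (hypothetical pulse pattern, one sample per second)."""
    series = []
    for t in range(seconds):
        in_burst = (t % period) < burst_len
        series.append(burst_pps if in_burst else baseline_pps)
    return series


def average_detector(series: list[int], window: int, threshold_pps: int) -> list[int]:
    """Classic detector: alert when the mean pps over a `window`-second block exceeds
    the threshold. Returns the start offsets of the blocks that alerted."""
    alerts = []
    for start in range(0, len(series) - window + 1, window):
        if mean(series[start:start + window]) > threshold_pps:
            alerts.append(start)
    return alerts


def burst_detector(series: list[int], window: int, threshold_pps: int,
                   min_hits: int) -> list[int]:
    """Short-window detector: alert when at least `min_hits` one-second samples in a
    `window`-second block exceed the threshold, regardless of the block's mean."""
    alerts = []
    for start in range(0, len(series) - window + 1, window):
        hits = sum(1 for v in series[start:start + window] if v > threshold_pps)
        if hits >= min_hits:
            alerts.append(start)
    return alerts


def demo() -> dict:
    """Five minutes of traffic: 1,000 pps baseline, 50,000 pps bursts lasting 2 s every 30 s.
    Each 60-second block averages 4,267 pps, so a 10,000 pps average threshold never fires,
    while every 10-second block containing a burst is flagged by the short-window detector."""
    series = make_series(seconds=300, baseline_pps=1_000, burst_pps=50_000,
                         burst_len=2, period=30)
    return {
        "avg_alerts": average_detector(series, window=60, threshold_pps=10_000),
        "burst_alerts": burst_detector(series, window=10, threshold_pps=10_000, min_hits=1),
        "share_of_time_in_burst": sum(1 for v in series if v > 10_000) / len(series),
    }


if __name__ == "__main__":
    print(demo())
```

The point is that the attacker pays for only a few percent of the interval (here 6.7% of the samples) yet triggers packet loss during every burst; any detector that smooths over a minute or more sees a benign average. Shortening the sampling window, or keying off per-sample peaks and their recurrence, is what exposes the pattern.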
The second technique targets the way attacks are scoped. The easiest and most practical way to mitigate a DDoS attack is to scrub unwanted traffic and let clean traffic pass: an iBGP route announcement for the destination IP under attack steers traffic for that address to the mitigation devices. Detection is typically scoped the same way, with a volume threshold per destination IP, and if attackers aim at a single IP this is hugely effective. Nowadays, however, attackers spread the traffic across many IPs in the same prefix, so that no single destination crosses its threshold while the aggregate still congests the entire network. Small volumes of attack traffic per host, each designed to stay under the threshold's radar, add up to overwhelm the shared prefix and have a lasting impact on the whole /24 (legacy class C) network; the accumulated attack traffic also crowds out normal traffic and can overload other security devices in the path.
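As an added example, not code from the original post, the block below runs a per-destination threshold and a per-prefix threshold over a constructed set of flow records. The addresses (from the 203.0.113.0/24 and 192.0.2.0/24 documentation ranges), the per-host rates and both thresholds are assumptions chosen to illustrate the spread-out attack described above.

```python
"""Added example (not from the original post): per-destination-IP thresholds miss an attack
spread over a /24, per-prefix aggregation catches it. All flow data is constructed."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (destination IP, megabits per second seen over one interval).
# 50 hosts in 203.0.113.0/24 each receive 200 Mbps of attack traffic; a legitimate
# 300 Mbps flow to 192.0.2.10 and a quiet 50 Mbps host in the victim prefix are mixed in.
FLOWS = (
    [(f"203.0.113.{h}", 200) for h in range(1, 51)]
    + [("192.0.2.10", 300), ("203.0.113.200", 50)]
)


def per_ip_totals(flows: list[tuple[str, int]]) -> dict[str, int]:
    """Sum Mbps per destination address."""
    totals: dict[str, int] = defaultdict(int)
    for dst, mbps in flows:
        totals[dst] += mbps
    return dict(totals)


def per_prefix_totals(flows: list[tuple[str, int]], prefix_len: int) -> dict[str, int]:
    """Sum Mbps per enclosing prefix of the given length (e.g. 24 for a /24)."""
    totals: dict[str, int] = defaultdict(int)
    for dst, mbps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += mbps
    return dict(totals)


def per_ip_alerts(flows: list[tuple[str, int]], threshold_mbps: int) -> set[str]:
    """Destinations whose individual volume exceeds the per-IP threshold."""
    return {ip for ip, t in per_ip_totals(flows).items() if t > threshold_mbps}


def per_prefix_alerts(flows: list[tuple[str, int]], prefix_len: int,
                      threshold_mbps: int) -> set[str]:
    """Prefixes whose aggregate volume exceeds the per-prefix threshold; each returned
    prefix is the route a scrubbing redirect would need to cover, not a single /32."""
    return {net for net, t in per_prefix_totals(flows, prefix_len).items()
            if t > threshold_mbps}


def demo() -> dict:
    """A 1 Gbps per-IP threshold never fires (every host is at or below 300 Mbps), while the
    victim /24 carries 10,050 Mbps in aggregate and crosses a 5 Gbps per-prefix threshold."""
    return {
        "per_ip": per_ip_alerts(FLOWS, threshold_mbps=1_000),
        "per_prefix": per_prefix_alerts(FLOWS, prefix_len=24, threshold_mbps=5_000),
        "victim_prefix_mbps": per_prefix_totals(FLOWS, 24)["203.0.113.0/24"],
    }


if __name__ == "__main__":
    print(demo())
```

Aggregating at the prefix level is what lets the detector see the congestion the uplink actually experiences; the trade-off is that the mitigation announcement must then cover the whole prefix, so the scrubbing capacity and the redirect policy have to be sized for that rather than for individual hosts.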
The third technique exploits the fact that differentiating attack traffic from normal traffic is not as easy as it seems. Rather than saturating bandwidth with abnormally large packets, attackers shape their Layer 3 and Layer 7 traffic so that packet sizes, protocols and request patterns resemble those of normal traffic, and still wreak havoc on the target network. To minimize the risk of this type of threat, detection and mitigation methods, as well as other defence mechanisms, must be fortified to keep pace with the myriad traffic patterns attackers can imitate.
DDoS attacks skyrocketed quarter on quarter by 542.46% in Q1 and 60.04% in Q2 according to Nexusguard's 2020 Q1 DDoS Threat Report. Our analysis of DDoS botnets and malware also revealed that, among the many attack types the botnets offer, at least one was advertised as a bypass attack. CSPs' shortcomings in delivering effective and full-fledged DDoS mitigation services have inadvertently contributed to the surge in attacks over the last two quarters, further spurred by the emergence of bypass attacks.
As strategies combining these three attack techniques become more widely employed, DDoS detection and mitigation is no longer an issue that can be resolved by a single on-premise device, a hybrid solution or even a cloud-based solution alone. To solve this conundrum, CSPs need to step up and take an integrated approach to defence in depth and breadth, putting together best-of-breed solutions so that they can offer comprehensive and effective protection, especially considering that bypass attacks may become the new normal.