Analysts Warn: DDoS Attacks Likely to SurgeThreat Actors Will Use Extortion Methods, Cloud Services and Scare Tactics
Distributed denial-of-service attacks have not garnered much attention this year. But analysts say such attacks could surge in the months ahead, and they have the potential to be just as damaging as ransomware and other types of cyberthreats.
DDoS-style attackers who demand a ransom to stop their attacks are finding that model profitable, says Roger Barranco, vice president of global security operations at Akamai.
"The simple fact that they are making profits indicates this could be a very real threat to continue into 2021, incentivizing other threat actors who also want a piece of the lucrative action via the model of 'RDDoS'," Barranco tells Information Security Media Group.
Researchers at the security firm Digital Shadows point out that the largest DDoS attack on record occurred this year, when several businesses were taken down by a 2.3 terabyte per second attack using hijacked Connection-less Lightweight Directory Access Protocol web servers.
Meanwhile, DDoS threat actors are adding to their arsenals.
Imperva's Research Labs has seen new tactics, such as launching low-volume attacks to distract security teams and then hitting targets with a more damaging high-volume effort.
And the use of DDoS-as-a-Service tools is spreading. These allow unskilled attackers to wage powerful attacks, attempt extortion and take advantage of the massive number of 5G IoT devices that are coming online (see: Analysis: The Security of 5G Devices, Networks).
Stefano De Blasi, threat researcher at Digital Shadows, says toolkits that are readily available for sale, rent or lease will likely bring in new DDoS players.
"Throughout this year, we have not attributed any major attacks to unskilled or inexperienced cybercriminals; however, low-level threat actors may be carrying out these attacks due to a lower barrier of entry and an increased likelihood of monetary gain," De Blasi says.
Although it was never expensive to invest in a DDoS-as-a-Service operation, costs have dropped over the last few years, with a typical kit now available for lease for about $7, down from $25 in 2017, he notes.
"The number of online searches of 'stresser DDoS' - legitimate services used to test the strength of a website - increased significantly in 2020. This suggests there's growing interest in DDoS toolkits by first-time and unskilled attackers," says Johnathan Azaria, a data scientist at Imperva.
The success of ransomware gangs' extortion efforts, forcing victims to pay or run the risk of having their data released, is leading to similar tactics by DDoS players. De Blasi expects DDoS-related extortion could become far more common in the months ahead.
"We may eventually see the DDoS extortion landscape populated by heavy-hitting names, similar to the increase of ransomware operations beginning in late 2019," he says.
A group attacking the New Zealand Stock Exchange in August posed as the Armada Collective and Fancy Bear to strike fear into their victims (see: New Zealand Stock Exchange Trades Again After DDoS).
"We have already observed threat actors impersonating famous APT groups to establish credibility and instill fear in the victim; if an established DDoS extortion actor emerges, extortion attempts will likely become more successful and increase in frequency," De Blasi says.
Azaria expects increased use of cloud services for malicious purposes - enabling attackers to conduct longer, low-volume DDoS attacks.
"As tools readily available online are becoming more sophisticated, expect attack infrastructure to expand in the next year as attackers leverage cloud services to scale their operations," he says. "This will contribute to more DDoS attack activity and a larger volume of low-intensity attacks that can obstruct a website's performance and can result in some loss profits."
The Impact of IoT
IoT devices have become a preferred tool for waging DDoS attacks because many are easy to take over and control due to poor security features.
As a commoditized industry, IoT product developers are rewarded for speed to market - not for building secure products, Azaria notes. "That's the reason IoT devices continue to be vulnerable and have become a global threat to privacy. While some advances have been made, security remains an afterthought."
Akamai's Barranco says that, although IoT devices are now built better, security is not improving.
"When it comes to IoT, security isn't something that is usually built-in, and that is intentional," he says. "Security has a cost, and components and firmware require testing and development. IoT devices are cheap and plentiful. ... A lot of development and component manufacturing is kept at as low a cost as possible. Security would add to the costs, so a lot of manufacturers just don't do as much as they can do."