Ransomware has been dominating cybersecurity headlines for a while now, so it’s completely understandable if you haven’t been keeping up with the latest news about distributed denial-of-service (DDoS) attacks. But there have been some startling recent developments.
Here’s a breakdown of some important developments you should be tracking if you want to understand how today’s DDoS attackers are operating — and what you need to do to protect your organization.
New targets for DDoS attacks
Several recent DDoS attacks have targeted VoIP service providers, including Bandwidth, VoIP.ms, Voip Unlimited, and Voipfone. In some cases, this resulted in significant degradations of service for the companies’ clients.
Another industry enduring a barrage of DDoS attacks is healthcare, especially hospitals. This trend began around the same time as the Covid-19 pandemic, as organizations adopted remote-work arrangements and began relying on online services to schedule and track virus testing and vaccinations. That dependence on online services made healthcare organizations tempting prey, as did the widespread use of IoT medical devices, which in many cases are not adequately protected against malware. If these devices are not isolated from the rest of the network, they can be caught up in an attack, with potentially severe consequences for patient care.
Blended DDoS attacks
DDoS attacks in the past have primarily been malicious in intent — the attackers mainly wanted to harm the targeted organizations by disrupting their ability to operate. Now, however, it is increasingly common for attackers to demand a ransom in exchange for ending the attack. This was part of the attack on Voip Unlimited.
It’s also widely reported that some DDoS attacks are meant to create a distraction, keeping IT personnel occupied while ransomware, data theft, or another type of attack is launched simultaneously.
Nasty new kinds of attacks
So-called “Black Storm” attacks are especially hazardous for communications service provider (CSP) networks. This type of attack does not require a large botnet to initiate and is generally easier to pull off than traditional amplification attacks. In a Black Storm attack, the attacker sends User Datagram Protocol (UDP) requests to closed ports on many different devices and servers within the network, with the source addresses spoofed to look like the requests are coming from other devices in the same network.
These errant requests trigger a standard ICMP response from each receiving device, which creates a kind of “pinball effect” that can quickly overwhelm the CSP network with a storm of internal traffic. As of this writing, Black Storm attacks have only been theorized, but CSPs are strongly advised to plan for them to appear in the wild.
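Detecting the symptom of the pinball effect described above, as an added example that is not from the original post: it scans constructed flow records for time windows in which many distinct internal devices send ICMP port-unreachable replies to internal destinations, which is what spoofed UDP probes to closed ports produce. The INTERNAL range, the flow-record layout and the thresholds are assumptions to be tuned to a network's own baseline.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the provider's internal range


def make_flows():
    """Constructed flow records: (ts, src, dst, proto, icmp_type, icmp_code).
    Seconds 0-9: normal traffic with one genuine port-unreachable reply per second.
    Seconds 10-19: 400 internal devices each answer a spoofed UDP probe with
    ICMP type 3 / code 3 (port unreachable) aimed at four internal 'victims'."""
    flows = []
    for t in range(10):
        flows.append((t, "10.1.0.5", "10.2.0.7", "udp", None, None))
        flows.append((t, "10.2.0.7", "10.1.0.5", "icmp", 3, 3))
    for i in range(400):
        replier = f"10.3.{i // 200}.{i % 200 + 1}"   # 400 distinct internal devices
        victim = f"10.9.0.{i % 4 + 1}"              # the spoofed source addresses
        flows.append((10 + i % 10, replier, victim, "icmp", 3, 3))
    return flows


def detect_pinball(flows, window=10, min_replies=100, min_repliers=50):
    """Bucket internal-to-internal ICMP port-unreachable replies by time window
    and return (window_start, replies, distinct_repliers, distinct_targets) for
    every window where both the reply count and the number of distinct replying
    devices exceed the thresholds. A single chatty host is ignored by design;
    the Black Storm signature is many devices replying at once."""
    buckets = defaultdict(lambda: {"replies": 0, "repliers": set(), "targets": set()})
    for ts, src, dst, proto, itype, icode in flows:
        if proto != "icmp" or (itype, icode) != (3, 3):
            continue
        if ip_address(src) not in INTERNAL or ip_address(dst) not in INTERNAL:
            continue  # replies leaving the network are a different problem
        b = buckets[ts // window * window]
        b["replies"] += 1
        b["repliers"].add(src)
        b["targets"].add(dst)
    alerts = []
    for start in sorted(buckets):
        b = buckets[start]
        if b["replies"] >= min_replies and len(b["repliers"]) >= min_repliers:
            alerts.append((start, b["replies"], len(b["repliers"]), len(b["targets"])))
    return alerts


if __name__ == "__main__":
    for start, replies, repliers, targets in detect_pinball(make_flows()):
        print(f"window {start}s: {replies} port-unreachable replies from "
              f"{repliers} internal devices toward {targets} spoofed sources")
```

The small number of distinct targets relative to repliers is the tell: real scanning or misconfiguration spreads replies across many destinations, while spoofing concentrates them on the few addresses the attacker chose.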
A new botnet is breaking records
Known as “Meris,” the newly discovered botnet consists of some 250,000 compromised devices. The majority of these devices are not computers per se but rather network routers, switches, Wi-Fi access points, and other devices built and sold by a single Latvian vendor, MikroTik.
That’s important because the company discovered and patched a vulnerability back in 2018, but because of the nature of these devices, their owners are not typically in contact with MikroTik and in many cases have never applied the 2018 patch. It seems likely that someone learned about the still-present vulnerability and exploited it to take control of these devices.
Meris has been used to launch record-breaking application-layer attacks. Unlike traditional bandwidth attacks that clog the target’s bandwidth with fake traffic, these attacks overwhelm computing resources with a storm of process and transaction requests. This summer, Meris launched two consecutive record-breaking application attacks. The first, targeting a U.S. financial organization, hit a high of 17.2 million requests per second (RPS). The second, apparently targeting a Russian bank via its cloud-hosting provider, achieved 21.8 million RPS.
How to defend against these attacks
So, what’s the good news? Well, if you’ve got a robust application and network security infrastructure with the right capabilities, then you’re likely to have strong protection against DDoS attacks. In particular, Barracuda Cloud Application Protection and Barracuda Web Application Firewall with active DDoS protection deliver excellent security against both volumetric (bandwidth) and application-layer DDoS attacks.
For more information about Barracuda DDoS-protection capabilities, please contact your Barracuda reseller or request a free trial of Barracuda Web Application Firewall.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.
You can connect with Tony on LinkedIn here.