The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year — a phenomenon that appears to be directly correlated to the global coronavirus pandemic.
Neustar’s Security Operations Center (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks that Neustar has ever mitigated – that attack came in at 1.17 terabits-per-second (Tbps), and lasted five days and 18 hours.
“These figures are representative of the growing number, volume and intensity of network-type cyberattacks as organizations shifted to remote operations and workers’ reliance on the internet increased,” the company noted in its first-half status report, released on Wednesday.
DDoS attacks are getting bigger, with what Neustar said is a “noticeable spike” in volume: The number of attacks sized 100Gbps and above grew a whopping 275 percent. Emblematic of this is a 2.3Tbps attack targeting an Amazon Web Services client in February – the largest volumetric DDoS attack on record. And the aforementioned 1.17Tbps attack was 192 percent bigger than the largest attack the company mitigated during the first half of 2019.
That said, the increase in the total number of attacks was felt across all size categories, with even attacks sized 5Gbps increasing by more than 200 percent. Overall, small attacks sized 5Gbps and below represented 70 percent of all attacks mitigated by Neustar between January and June.
“While large volumetric attacks capture attention and headlines, bad actors increasingly recognize the value of striking at low enough volume to bypass the traffic thresholds that would trigger mitigation to degrade performance or precision target vulnerable infrastructure like a VPN,” said Michael Kaczmarek, Neustar vice president of security products, in a statement. “These shifts put every organization with an internet presence at risk of a DDoS attack.”
He added that the threat that is particularly critical with global workforces working remotely. The snowballing of growth across all DDoS metrics correlates with the COVID-19 pandemic and companies sending their employees home to work.
That workforce shift has contributed to higher than ever internet traffic: Neustar reported that internet use is up between 50 and 70 percent, while streaming video rose more than 12 percent in the first quarter alone.
“This has meant that attackers of all types, whether serious cybercriminals or bored teenagers stuck at home, have had more screen time to be disruptive,” according to the report.
The firm added that other aspects contribute to the rise in attacks as well, like the fact that firms are often heavily reliant on VPNs these days for secure remote access: “VPN servers are often left vulnerable, making it simple for cybercriminals to take an entire workforce offline with a targeted DDoS attack.”
Also, while the most-hit website segments are still the traditional quarry of e-commerce and gaming sites, DDoS-ers are now focused more on healthcare organizations that contain sensitive patient information and a growing number of insecure IoT devices; and, online video traffic for services like Zoom is booming – and unsurprisingly, attacks in this vertical has increased by 461 percent over the last six months, researchers said.
Meanwhile, attackers are also mounting more sophisticated attacks than ever before. Almost half (52 percent) of the threats leveraged three vectors or more, with the number of attacks featuring a single vector “essentially nonexistent,” according to the report.
Neustar also tracked new amplification methods, which are contributing to more intense attacks. An attack of more than 800 millions-of-packets-per-second (Mpps) was recorded during the analysis period – compared to the previous record of 500 Mpps.
These methods include an increase in burst and pulse DDoS attacks, broadening abuse of built-in network protocols such as ARMS, WS-DD, CoAP and Jenkins to launch DDoS amplification attacks that can be carried out with limited resources and cause significant disruptions, NXNS attacks targeting DNS servers, RangeAmp attacks targeting content delivery networks (CDNs), and a resurgence of Mirai-like malware capable of building large botnets through the exploitation of poorly secured IoT devices.
The attacks dovetail with similar findings by researchers in August.
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.