In the middle of April, NSFOCUS held a seminar on “Are You Ready for the Evolving DDoS Landscape?”. In the seminar, David Gao, Principal Security Solution Architect of NSFOCUS summarized the findings of the Global DDoS Attack Landscape in 2022 and gave his insights on the trends to help customers protect against the evolving DDoS attacks.
Some topics attracted widespread attention during and after the seminar. So we’d like to pick them out and share them with you in this post.
1. As stated in the 2022 Global DDoS Attack Landscape report, high-volume traffic attacks are mainly based on UDP. What are the characteristics of those attacks?
David: UDP is a connectionless network protocol. Compared to TCP, UDP traffic does not require three handshakes to establish a connection, so the cost is little. This feature makes it very suitable for transmitting scenarios that require more transmission speed than integrity, such as voice calls, videos, etc. However, its connectionless and low-cost characteristics are also easily exploited by attackers to execute attacks with limited resources. Attackers can send large traffic attacks to victims and instantly reach a high peak in UDP flooding attacks. In addition to directly sending attack traffic to victims, UDP is also easily used as a reflection amplification attack, as many application protocols are also based on UDP protocols, such as DNS, NTP, etc. In 2022, 1/3 of TB-level attacks were initiated based on UDP reflection, and the remaining 2/3 were direct UDP large packet attacks. This also indicates that DDoS attackers now have abundant attack resources and can directly launch TB-level attacks without amplifying traffic through UDP reflection.
Figure 1. UDP-based attacks were favored by hackers to launch massive DDoS attacks
Defense against UDP attacks is challenging. DDoS traffic scrubbing devices should be deployed locally as much as possible to screen for UDP traffic. When traffic abnormalities are observed, network devices can also be protected through speed limits and other tactics. If the attack traffic is too large, although local scrubbing devices can alleviate the attack, congestion may still occur in the upstream link. In this situation, BGP Anycast can be used for near-source scrubbing to prevent attack traffic from reaching the victim’s network and causing network congestion. It is also necessary to pay attention to the local DNS server, NTP server, etc., and optimize the protection strategy of the local server to prevent UDP attacks from being launched from within the network. Given that UDP is the most commonly used method for high-traffic attacks, it is recommended that users adopt a hybrid DDoS protection which is the combination of cloud and on-premises service. Because local bandwidth and server resources are limited, it is difficult to resist UDP flood DDoS attacks without cloud scrubbing services.
2. What are the differences between application-layer DDoS and network-layer DDoS attacks?
David: In application layer DDoS attacks, attackers use more sophisticated mechanisms. Application layer attacks do not flood the network with traffic or sessions, but instead, slowly exhaust the resources of specific applications or services at the application layer. These attacks can be effective even at low traffic rates, and from a protocol perspective, the traffic involved in the attack may appear legitimate. This makes application layer attacks more difficult to detect than other types of DDoS attacks. Examples of application layer attacks include HTTP floods and Slowloris attacks.
To defend against application layer attacks, NSFOCUS ADS has developed customized defense algorithms based on the traffic characteristics of different application layers. For example, in the case of an HTTP Flood, if a botnet uses tools to launch an attack with a real TCP/IP protocol stack, TCP/IP source authentication alone cannot recognize it as an attack. Therefore, we need to enable application-layer source authentication, such as using HTTP 302 to redirect requests and verify whether the “browser” sending the request is trustworthy. Only real browsers have a complete HTTP protocol stack verification mechanism, and through this authentication, it can be determined whether the traffic at that time is legitimate or an attack.
Figure 2. Fine-grained application-layer DDoS protection
3. DDoS attack methods are constantly evolving. Although DDoS protection technology is relatively mature, responding to DDoS attacks still poses challenges. How is NSFOCUS keeping up with the changing threat landscape and how to provide clients with the best possible protection against DDoS attacks?
David: NSFOCUS has developed a global threat hunting system that can monitor major DDoS attack activities worldwide and identify key attack events. This system plays an important role in the development of threat mitigation capabilities and the exploration of new threats.
Figure 3. DDoS threat hunting
By combining global monitoring and traceability capabilities, NSFOCUS can analyze attack events, botnet organizations, malicious files, domain names/IPs, etc. through correlation analysis. This allows for the profiling of DDoS attack organizations such as botnet groups or reflector control groups, which enables the launch of defensive actions before a DDoS attack occurs.
One example of NSFOCUS’s advanced defense capabilities is the MagicFlow platform, which integrates network traffic analysis, bidirectional traffic anomaly monitoring, DDoS global situation monitoring, attack tracing, attack group identification, and attack IP intelligence extraction capabilities. This platform helps customers to defend against DDoS attacks in advance.
Figure 4. NSFOCUS MagicFlow
4. The 2022 Global DDoS Attack Landscape report highlights that DDoS attacks are now lasting longer against individual targets, indicating that attackers are more persistent in their attempts to disrupt the target’s services. What does it mean for enterprises? Do you have any suggestions?
David: The targets of DDoS attacks are becoming clearer and the attacks are becoming longer in duration. Based on the frequency of attacks on affected targets, there has been a significant increase in the number of IP addresses that are repeatedly attacked in 2022 compared to 2021. Moreover, the DDoS attack cycle against a single target is becoming increasingly persistent. In 2021, 57% of victims only experienced one DDoS attack, but victims in 2022 were more likely to experience multiple DDoS attacks once they were identified as a target. This trend undoubtedly poses greater challenges to DDoS protection.
Figure 5. Targets were repeatedly attacked
For enterprises, a persistent DDoS attack can lead to prolonged service interruptions, resource depletion, reputational damage, and business losses. Additionally, attackers may use DDoS attacks as a diversionary tactic to carry out other malicious activities such as exploiting vulnerabilities or stealing data. To address this trend, NSFOCUS provides an all-in-one DDoS protection solution that uses intelligent learning to identify network traffic trends and multi-dimensional monitoring to efficiently mitigate various types of DDoS attacks, thereby ensuring business availability. Additionally, it’s crucial to have the capability to monitor attacks globally and trace their origins, detect major global activities, explore new threats, identify the true attack controllers, and thoroughly profile the attacking organization to form a deterrent force and tackle the DDoS attack problem at its root.
David: With the abundance of DDoS attack resources and methods, and the growth of industries such as DDoS as a service, the technical difficulty and cost for attackers to launch large-scale attacks has decreased. Currently, it is common to see attacks with peaks of 100 to 500 Gbps.
Figure 6. High-volume DDoS attacks were on the rise
Service Providers with sufficient bandwidth resources generally adopt a hybrid protection solution, combining cloud and on-premises protection. On-premises protection can respond to daily small and medium-sized attacks, providing greater flexibility and manageability. Cloud protection focuses on large-scale attacks, allowing for more flexible and cost-effective protection.
However, for most enterprises, governments, and NGOs, their limited local bandwidth has become a bottleneck in preventing large-scale attacks. The best industry practice is to use cloud-based DDoS scrubbing and WAAP services. The typical Cloud WAAP service should include web application protection, API protection, Bot protection, and DDoS protection. It is important to confirm with the vendor that the Cloud WAAP service can provide high-capacity DDoS protection for 100G or higher levels in addition to the basic application layer DDoS.
NSFOCUS’s Cloud DPS service can provide volumetric DDoS protection for service providers, enterprises, governments, and NGOs. We also provide Cloud WAAP service. Customers can flexibly choose multiple levels of DDoS protection capacity.
NSFOCUS releases the global DDoS landscape report every year to help customers protect against ever-evolving DDoS attacks. NSFOCUS also has a world-class security research team engaging in the research of cutting-edge security technologies. If you have any questions or need assistance with your network security, please feel free to contact us at any time.