DDoS protection service provider Radware says threat actors are employing more types of amplification attacks to bring down networks, while also targeting the application layer to cause enterprises more harm.
Radware recently published research that showed how DDoS attack types are evolving and increasing. For example HTTPS floods, which generate seemingly authentic HTTPS requests at servers and web applications, grew 20% in 2018. DNS amplification attacks, which abuse DNS resolvers and so-called burst attacks that feature massive volumes at short intervals both grew 15%, the report found.
Daniel Smith, head of security research at Radware's emergency response team, sees DDoS attacks becoming more targeted over time, with attackers using fewer resources and causing more damage.
"The threats from DDoS attacks are evolving in a very interesting way," Smith said." When I first got into this industry it was simple DoS attacks and [attack tools like] Low Orbit Ion Cannon. Now we're looking at huge botnets and massive amplification attacks."
Smith spoke with us at the recent SecureWorld Boston conference about the evolving threats of amplification attacks and what makes them effective. He also offers pointers on mitigating DDoS attacks, includes measures like network auditing and the use of machine learning and AI.
Editor's note: This interview was edited for clarity and length.
What are some of the current DDoS attack trends?
Daniel Smith: The big trends at the moment are the obvious ones -- we are seeing several IoT botnets such as Mirai and Qbot that are being leveraged across multiple platforms and multiple devices. You have botnets that contain up to 29 exploits; it's basically opening up the horizon that they can attack.
Daniel SmithHead of security research, Radware
One of the bigger attack trends outside of IoT botnets would be amplification attacks. In 2018, we saw several new amplification vectors. An amplification attack is a little different than an IoT botnet attack in the sense that an IoT botnet has 100,000 compromised routers. They are all launching a single message, at a single target. An amplification attack is basically a single person that's querying information from a service -- say DNS or NTP -- and that request will be spoofed, so the information request will actually go to the target.
The problem with that is you can get high into bandwidth volume. The world record attack was an amplification attack directed at GitHub [recorded at 1.35 Tbps].
The ultimate problem is that with IoT devices these botnets are very loud and obnoxious and very obvious when they go around a network, while an amplification attack is very quiet. You don't know what's coming because there's not a lot of preparation for the build-out. It's just an attacker that's scanning and finding microservices such as memcached and they're requesting that information and having it directed back to the targets.
How can companies defend themselves against amplification attacks?
Smith: The same thing as any other type of denial-of-service attack: It's coming down to mitigation as far as on premise and cloud devices.
A lot of times when the attack traffic comes in, we're looking to create a signature base of that traffic. We're looking for specific patterns. We're also flagging IP addresses through our deception network. We do have a list of IP addresses that we know they're actively launching attacks or IP addresses for servers and microservices that are actively being abused. That way what we can do would be a simple blacklist saying 'Don't receive any traffic from this actual known IP.' But when those blacklists aren't there, that's where we're actually have to go in and analyze the traffic, create a signature and block it from there.
In general, DDoS attacks are very painful to deal with: [Losing] service availability and having your application not be available is a huge problem. The best practice in dealing with DDoS attacks is you want to audit your network and understand your weak points; you also want to be able to do a little forecasting and understand what your risks are.
For example, if you're in the e-commerce industry, your main risks from bots in general are going to be in the summertime when traffic is slow. Everybody is competing for price, so there's going to be a lot of bots out there scraping, trying to get credentials. But when you look at the holidays like Black Friday and Cyber Monday, these are two days in which you see mainly DDoS attacks on applications and service availability where people can't make purchases.
Once an industry understands what the threat is, they can forecast what kinds of threats are coming; it gives the network operators a chance to prepare. You do need hardware, but you also need threat intelligence, and with that combination, you'll definitely be able to solve a lot of problems out there.
Can AI and machine learning help stop these attacks?
Smith: I believe machine learning and AI is a double-edged sword: With everything that we do that's positive, there's also a negative to go with it. You can use AI and machine learning to stop attacks and it's very much a necessary thing right now considering the power and the people that are needed to stop these attacks. There is an incredible overhead.
If you can have AI and machine learning come in, of course it's a great thing, but at the same time for me, as a security researcher, you are losing that human oversight.
At the end of the day you're still going to have to have AI and machine learning with a human looking over it. An alert, report or notification of a threat can say, 'this person is a bad actor,' and everybody might think that person is a bad actor. But when someone like me with threat intelligence specialty comes in, I might be able to tell you that actually that account's a troll and that this whole thing has been set up to make you think there's a threat when there's not.
In the long run we do need AI and machine learning to catch these advanced attacks. But it is just a tool in our monitoring toolkit.