CISO DDoS Handbook - The DDoS Threat to Digital Transformation

This blog was originally published by MazeBolt here.

Written by Yotam Alon, MazeBolt.

As the global economy and its reliance on technology continue to evolve, so do cyberattackers’ strategies and techniques - working on launching debilitating DDoS attacks with the intent to cause downtime and havoc. Staying ahead of these attackers requires precise and real-time information/insights into the threat landscape and new forms of attacks. Also, an understanding of ongoing DDoS network vulnerabilities, the existing mitigation solution’s capabilities, and ensuring that both works in harmony to close all DDoS system vulnerabilities before a damaging attack is launched. Any gap left open can be taken advantage of by an attacker often leaving it too late to mitigate without downtime.

The New DDoS Attack

1. WS-Discovery Attacks - Attackers use a protocol called WS-Discovery (WSD) which allows unauthenticated traffic to flow through and amplify attacks. Amplification as a method is not new and has been used in the past under the names of Simple Network Management Protocol and Simple Service Delivery Protocol.

2. Multi-modal DDoS Attacks - Instead of just one single form of attack, multi-modal involve the launch of several different types of attacks at one point in time. For example, an attacker will launch one attack, and as the mitigation solution tries to mitigate it, another vector is launched, one which could penetrate the network.

3. Ransom DDoS Attacks – or RDDoS as they are known are attacks that are launched with ransom demands as the underlying motive. Attackers launch small attacks with the promise of a larger attack on their web applications unless their demands are met.

4. Zero-Day Attacks - These are attacks that involve vectors that haven't been previously used by attackers. As they are new and unknown, mitigation solutions are unaware of them, and therefore, blocking them is not possible. In parallel, they target unknown vulnerabilities in the network.

5. IoT DDoS Attacks - IoT devices are constantly increasing; there are thousands of them out there. As IoT devices are created to serve an array of purposes their manufacturers are not primarily concerned with ensuring security within these new devices. DDoS attackers are not interested in corrupting a single device. They on the other hand look to penetrate the network using the vulnerabilities in the IoT devices to launch DDoS attacks.

6. Low-rate attacks – Most enterprises struggle to distinguish between the low-rate attacks and the legitimate traffic, and at the same time, find it difficult to maintain a low false-negative rate. Like the big attacks, small size attacks can bring down the services rapidly and can create an equivalent impact on the businesses; urging companies to be prepared and review their web security arrangements.

7. Small Sized Attacks - Research confirms that large attacks of 100Gbps and above have fallen by 64% in 2019. However, there has been a startling 158% increase in attacks sized 5Gbps. or less. Enterprises struggle to distinguish between the low-rate attacks and the legitimate traffic, and at the same time, find it difficult to maintain a low false-negative rate. Similar to the big attacks, small size attacks can bring down the services rapidly and can create an equivalent impact on the businesses; urging companies to be prepared and review their web security arrangements.

Recurrent DDoS Attacks Despite Mitigation

DDoS Testing and Mitigation are the available solutions that digital enterprises rely on to ensure DDoS protection. However, even with the most sophisticated DDoS mitigation and testing solutions deployed, most companies are left with major DDoS vulnerabilities. This is because DDoS Mitigation security policies don't adapt to dynamic changes happening in the network, leaving around 50% of DDoS vulnerabilities undetected and therefore unprotected. Furthermore, mitigation solutions & infrequent Red Team DDoS testing are reactive, rather than automatically and continuously detecting and closing vulnerabilities. This is the reason why attacks continue to occur on a regular basis. Our monthly list of `Worldwide DDoS Attacks’ shares the latest updates on DDoS attacks. But this list only captures publicly reported attacks and there are many more that go unreported. For example, just in Q1’ 21, there were 2.9 million DDoS attacks with the longest attack lasting over 24 hours.

Learn more about how to stop DDoS attacks in our CloudBytes webinar.

About the Author

Yotam is Head - R&D at MazeBolt and is in charge of all R&D activities, infrastructure and security. With five years in the security industry, Yotam brings fresh perspectives and insights into current technologies and development flows. He holds a BSc. in mathematics and philosophy and enjoys hitting the archery range in his spare time.