DDoS Extortion and Mitigation

By Christopher Kim

Distributed Denial-of-Service (DDoS) is a cyber attack that causes mass disruption of services. To perform a DDoS attack with enough power to disrupt enterprise-level services, threat actors must use large botnets, which they can rent or develop. In addition, many actors combine multiple attack vectors in one large assault; this makes mitigation difficult because no single DDoS protection system can handle every type of attack method. Over the past several years, actors who have successfully monetized DDoS campaigns via extortion have used the following DDoS attack vectors most often: DNS flood, DNS amplification, ARMS amplification, SNMP reflection, SYN flood, GRE flood, WS-Discovery amplification, CLDAP reflection, TFTP amplification, NTP amplification, WordPress XML-RPC amplification, Simple Service Discovery Protocol (SSDP) amplification, and portmapper amplification.

So far in 2021, DDoS extortion attacks have been almost evenly distributed across various industries: energy, financial, insurance, manufacturing, public utilities, retail sectors, travel and hospitality, retail and e-commerce, high-tech and software, consumer packaged goods, and internet service providers.[3] DDoS is one of the costliest cyber threats to mitigate, because it directly affects the availability of services crucial to business operations. Bulletproof’s 2019 annual cybersecurity report indicated that a DoS or DDoS attack could cost a small company up to $120,000 and an enterprise up to $2 million in damages.

Categories of DDoS attacks
At a high level, DDoS attacks can be categorized as volumetric, application-layer, and protocol-based, and they typically target layers 3, 4, and 7 in the Open Systems Interconnection (OSI) model.

  • Volumetric DDoS attacks abuse mostly layer 7 protocols of the OSI model, especially DNS and network time protocol (NTP), and they attempt to reduce a network’s bandwidth capacity by flooding the network with high amounts of traffic or with request packets. Some volumetric DDoS attacks are large enough to max out the bandwidth capacity of upstream internet service providers (ISP) or datacenters, and this prevents legitimate traffic from connecting to websites. Because generating a high number of requests is relatively easy, volumetric attacks are popular among DDoS actors. The requests are small, but they command a large response to the victim’s server, such as a DNS resolver.
  • Like volumetric attacks, application-layer DDoS attacks target mostly layer 7 of the OSI model. Unlike volumetric attacks, they try to exhaust server resources by attacking applications’ backend processes that are computationally expensive. In addition, they generate less traffic and use less total bandwidth but can inflict at least as much damage. The two most common web server requests in an application-layer DDoS attack are HTTP GET and HTTP POST. To direct their requests effectively, the attackers who operate an application-layer attack must have deep knowledge of the application and its supporting endpoints. Application-layer attacks are effective because the server expends considerably more resources in responding to requests than the client does in generating them. If the conditions are right—for example, if the target application is not optimized or cannot manage CPU- and RAM-intensive operations due to low resource capacity—some attacks can disable web applications by using just one machine.
  • Protocol-based DDoS attacks target weaknesses in protocols in layers 3 and 4. These kinds of attacks are difficult to mitigate because the majority of online devices use internet communication protocols. Some protocols are complex and difficult to reengineer to resolve new vulnerabilities. Additionally, even if vendors release security patches relatively quickly, businesses might take a long time to deploy them, because the patches are often incompatible with existing systems. One of the oldest (first detected in 2014) and most common types of protocol-based DDoS attacks is a TCP synchronization (SYN) flood. This attack occurs when a DDoS actor sends a large number of SYN packets to the victim’s server; these packets often contain a spoofed source address, to hide the sender’s identity. The victim’s server responds to each connection request and keeps a half-open connection waiting for the final ACK packet. However, the actors never send the ACK packet and instead continue to send additional SYN packets until the server exhausts its connection capacity. This prevents the server from functioning normally or even processing legitimate requests.
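The SYN flood described above leaves a visible footprint on the target: a pile of half-open (SYN-RECV) connections that never reach ESTAB, each from a different forged source. The following detection script is an added example, not code from the original article; the connection-table lines are constructed sample output in the format of `ss -tan`, and the threshold of 5 is deliberately tiny so the sample trips it.

```python
"""Flag SYN flood conditions from a connection-table snapshot (ss -tan style)."""
from collections import Counter

# Constructed sample in the format of `ss -tan`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:443       198.51.100.7:51234
ESTAB    0      0      10.0.0.5:443       198.51.100.9:40211
SYN-RECV 0      0      10.0.0.5:443       203.0.113.10:1025
SYN-RECV 0      0      10.0.0.5:443       203.0.113.11:1026
SYN-RECV 0      0      10.0.0.5:443       203.0.113.12:1027
SYN-RECV 0      0      10.0.0.5:443       203.0.113.13:1028
SYN-RECV 0      0      10.0.0.5:443       203.0.113.14:1029
SYN-RECV 0      0      10.0.0.5:443       203.0.113.15:1030
SYN-RECV 0      0      10.0.0.5:80        203.0.113.16:1031
LISTEN   0      128    0.0.0.0:22         0.0.0.0:*
"""

def parse_ss(text):
    """Yield (state, local_port, peer_ip) per connection line; the header is skipped."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]

def syn_flood_report(text, half_open_threshold=5):
    """Per local port: half-open vs established counts and distinct SYN sources.

    A spoofed SYN flood appears as many SYN-RECV entries that never reach ESTAB,
    each from a different forged source.  A port is flagged when its half-open
    count reaches the threshold (tiny here so the sample trips it; tune to backlog).
    """
    half_open, established, sources = Counter(), Counter(), {}
    for state, port, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            sources.setdefault(port, set()).add(peer_ip)
        elif state == "ESTAB":
            established[port] += 1
    return {
        port: {
            "half_open": n,
            "established": established[port],
            "distinct_sources": len(sources[port]),
            "flagged": n >= half_open_threshold,
        }
        for port, n in half_open.items()
    }
```

On a real host, feed it the output of `ss -tan` on a timer and alert when a port stays flagged across several snapshots; a high distinct-source count with few established connections is the signature of spoofed SYNs rather than a legitimate traffic spike.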

Attack chains
DDoS extortion campaigns typically follow one of two kinds of attack chains (the Appendix includes attack chain diagrams):

  • The actors start with a DDoS demonstration: a show of force and an attempt to prove that the threat is real. They target a specific resource that belongs to the organization’s web service or network infrastructure. The demonstration is large enough to slow down the organization’s services but not large enough to knock them offline. After or during the demonstration, the actors send an extortion email, where they threaten to launch a larger DDoS attack if the organization does not make the specified bitcoin payment to the group’s cryptocurrency wallet. If the organization does not make the payment by the deadline, the actors follow up with the main DDoS attack and increase the extortion amount every day after the due date, until they receive the full payment.
  • The actors send the extortion email before the attack. The email contains the extortion demand, bitcoin wallet address, deadline, the attack’s capacity, and other details. The group might also use the email to boast about their ability to send several terabytes’ worth of traffic packets per second. However, in some cases, organizations reported that the threats were bluffs and that follow-up attacks never occurred.

Mitigation
When planning for DDoS mitigation, organizations should understand not only the details of their business obligations to keep services up and available, but also the amount of temporary service disruption they and their customers can tolerate. The Australian Cyber Security Centre provides some basic steps that organizations can take to reduce the likelihood and potential impact of a DDoS attack:

  • Determine which functionality is truly critical to the operations of an organization. Create all backups necessary to keep it running despite the attack, and allocate enough resources (if necessary, by moving them from non-critical functionality) to maintain it during the attack and, ultimately, to restore it once the attack has been managed.
  • With service providers, discuss the details of DDoS prevention and mitigation strategies, namely:
    • the capacity to withstand DDoS attacks
    • any costs likely to be incurred by customers
    • thresholds for notifying customers or for turning off their online services during DDoS attacks
    • pre-approved actions that can be taken during DDoS attacks
    • arrangements made with upstream (for example, Tier 2) service providers to block malicious traffic as far upstream as possible
  • Protect the organization’s domain names by using registrar locking and by confirming that the domain registration details are correct.
  • Ensure that customers maintain details of their service providers’ 24×7 contacts and that service providers maintain details of their customers’ 24×7 contacts.
  • Establish additional out-of-band contact details—for example, mobile phone numbers and non-organizational email addresses—that service providers would use when normal communication channels fail.
  • Implement availability monitoring with real-time alerting, to detect DDoS attacks and measure their impact.
  • Prepare a static version of a website that requires minimal processing and bandwidth to facilitate continuity of service during DDoS attacks.
  • Use cloud-based hosting from a major cloud service provider—preferably from several major cloud service providers, to ensure redundancy—with high-bandwidth content-delivery networks that cache non-dynamic websites. If using a content-delivery network, avoid disclosing the IP address of the web server that is under the organization’s control (referred to as the origin web server), and use a firewall to ensure that only the content-delivery network can access this web server.
  • Use a DDoS mitigation service, because it offers a variety of in-depth defense approaches that can be implemented in the infrastructure and application layers.
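The CDN guidance above hinges on one firewall decision: the origin web server accepts web traffic only from the CDN's published address ranges, so a direct hit on a leaked origin IP is dropped. The script below is an added example, not the article's or any provider's code; the CDN and management prefixes are placeholders (RFC 5737 documentation ranges), and the SSH-from-management rule is an assumed operational need, not something the article specifies.

```python
"""Render an nftables ruleset that admits web traffic to the origin only from the CDN."""
import ipaddress

# Placeholder prefixes (RFC 5737 documentation ranges), not any real CDN's list:
# substitute the CDN's current published egress ranges and refresh on a schedule.
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]
ADMIN_RANGE = "192.0.2.0/24"   # assumed management network for SSH
WEB_PORTS = (80, 443)

def build_nft_ruleset(cdn_ranges=CDN_RANGES, admin_range=ADMIN_RANGE, ports=WEB_PORTS):
    """Default-drop input chain: web ports only from the CDN set, SSH only from admin."""
    cidrs = ", ".join(str(ipaddress.ip_network(c)) for c in cdn_ranges)
    port_set = ", ".join(str(p) for p in ports)
    return f"""table inet origin_guard {{
  set cdn_edges {{ type ipv4_addr; flags interval; elements = {{ {cidrs} }} }}
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr {admin_range} tcp dport 22 accept
    ip saddr @cdn_edges tcp dport {{ {port_set} }} accept
  }}
}}
"""

def is_allowed(src_ip, dport, cdn_ranges=CDN_RANGES, admin_range=ADMIN_RANGE):
    """Mirror the ruleset's verdict for a new inbound TCP connection (True = accept)."""
    src = ipaddress.ip_address(src_ip)
    if dport == 22:
        return src in ipaddress.ip_network(admin_range)
    if dport in WEB_PORTS:
        return any(src in ipaddress.ip_network(c) for c in cdn_ranges)
    return False

if __name__ == "__main__":
    print(build_nft_ruleset())
```

Load the rendered text with `nft -f`; `is_allowed` exists so the policy can be unit-tested before it reaches a host, for example when the CDN range list is refreshed.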