After the COVID-19 pandemic forced organizations to send employees and workers into remote offices, cybercriminals and fraudsters began adjusting their tactics to take advantage of vulnerable devices and home networks. This included reviving distributed denial-of-service (DDoS) attacks as a simple but effective way to cripple infrastructures with junk traffic—and force potential victims to pay to stop attacks from getting any worse.

DDoS had become an afterthought over the last several years as security teams focused more on an increasing number of ransomware attacks or other types of sophisticated malware. However, the abrupt changes brought by COVID-19 helped DDoS attacks return with a vengeance in 2020.

In a recent report published by NetScout's Atlas Security Engineering and Response Team, the number of DDoS launched in 2020 surpassed 10 million, a significant increase from the 8.5 million DDoS attacks recorded in 2019. Starting in March 2020 (about the same time COVID-19 started the work-from-home shift), the number of DDoS attacks exceeded 800,000 incidents each month.

At the same time, these types of attacks became more powerful. The largest DDoS attack of 2020, 1.12 TB of data per second, struck an unnamed organization in the EMEA region, according to NetScout. In February, one of the largest DDoS attacks ever recorded hit Amazon Web Services, the company noted in an incident report. AWS reported that its infrastructure was hit with a 2.3 TB per second (or 20.6 million requests per second) assault.

Another DDoS attack that targeted the New Zealand Stock Exchange in August 2020 disrupted trading for several days. 

These types of threats became so pervasive throughout 2020 that the FBI issued an alert in July to call attention to increases in DDoS incidents, as well as a warning about the services used by cybercriminals to amplify these attacks.

“As the global workforce shifted to remote work, devices that previously sat behind enterprise firewalls and secure environments were used at home, behind typical consumer-grade routers and network devices,” the NetScout researchers note in the report. “Attacks quickly exploited this by more than doubling the number of IoT-specific malware samples circulating in the wild, further contributing to the increase in DDoS attacks for 2020.”

Mark Moses, director of client engagement at security firm nVisium, noted that the shift to work-from-home gave attackers fresh means to use DDoS as a way to target multiple networks. These attackers intended to either bring down the infrastructure or squeeze money from a victim to stop further attacks from happening.

“Unfortunately, bad actors have taken advantage of the new reliance on online work; targeting service providers to bring a target down for economic or political reasons,” Moses told Dice. “Criminals select a target hoping for economic gain by demanding ransom or a perceived political gain by targeting a provider that has offended their political sensibilities in some way.”

Changing DDoS Tactics

Over the years, DDoS tactics changed, which made these types of attacks much more disruptive and potentially damaging to both networks and the bottom lines of organizations targeted by cybercriminals.

DDoS attacks can be carried out by almost anyone with the money to rent a botnet from darknet or underground cybercriminals forums. The increasing use of connected and Internet of Things (IoT) devices also makes launching a DDoS attack that much more effective, suggests Roy Horev, co-founder and CTO at Vulcan Cyber.

“As technology advances, and IoT keeps evolving and leaking into more parts of our lives, we keep introducing more targets that later become attackers. Smart TVs, Smart Light Bulbs, security cameras, fridges, you name it—all come with their internet connectivity built-in, their default passwords and their IPv6 addresses exposed, waiting to be picked up and joined to a mindless attack force,” Horev told Dice.

While DDoS attacks are available to anyone with some know-how and money, sophisticated threat groups are also using these tactics and adding their own twist. The NetScout report notes that a gang called the Lazarus Bear Armada was threatening not only financial services, but healthcare facilities and pharmaceutical firms last year with increasingly destructive DDoS attacks if victims didn’t pay.

Austin Merritt, a cyber threat intelligence analyst at security firm Digital Shadows, noted that the rise of DDoS attacks over the last year could be traced to three developments. The first is the increase and availability of botnets that can develop the malicious networks of vulnerable devices needed to carry out a DDoS attack.

The second is the shift to remote work, which is exposing many more vulnerable devices and services to attacks.

Finally, Merritt notes that ransomware gangs began adopting DDoS as an added tactic to get victims to pay ransoms. One of the first of these incidents happened in September 2020.

“The incident began with the ransomware attack, and shortly after, the victim found their site offline. This tactic, also known as double extortion, puts further pressure on an organization to pay a ransom,” Merritt told Dice. “These DDoS services are readily available for threat actors to rent through botnets on criminal sites, making it a relatively simple tactic to adopt. Other ransomware groups have since followed in SunCrypt's footsteps, employing the DDoS double extortion tactic. The trend will likely continue as ransomware teams look for promising avenues for extorting vulnerable companies.”

Countermeasures

Experts said that there are steps that both IT and security teams can take to counter these types of DDoS attacks, which can range from retraining employees to security teams looking for ways to harden vulnerable home networks against such incidents.

Merrit notes that organizations should invest in security professionals and leaders who know how to build in-depth defense strategies that can serve as a countermeasure to DDoS attacks.

“Defenders should use an approach that makes them a hardened target since threat actors will compromise the softest targets first. Also, organizations need to develop a DDoS response plan to restore order quickly in an attack,” Merrit said. “Employees need to be aware that threat actors could target them through phishing emails as an initial access vector for a subsequent attack. Security awareness training for all employees can help provide a line of defense in the growing threat landscape.”

Moses thinks that organizations should begin to think about how employees, whether technical or not, protect their home networks, especially as remote work will continue for many for the foreseeable future.

“In many cases, it could be worthwhile to have a standard recommended or required configuration for home router and firewall configurations to harden the environment,” Moses said. “These efforts don't directly guard against a DDoS attack; rather, they are steps which help to harden the overall environment, protecting assets from being used by threat actors for an attack. Reducing the number of vulnerable systems available for exploitation is the best way for us to defend against DDoS and many other threats to the connected world.”

Mark Kedgley, CTO at New Net Technologies, notes that protecting against DDoS attacks is tricky since employees need access to apps and services, which means keeping devices and networks open to the internet where these types of attacks originate.

“The problem is that this is a classic security versus function paradox—there is an irreconcilable gap between providing protections against DDoS attack while offering an accessible service, open to the internet,” Kedgley told Dice. “The only real defense is using a reverse proxy, content-distributed web infrastructure that multiplies your web presence and distributes access geographically while a mitigation process takes place to filter out the attack traffic.”