Anatomy of a DDoS attack: Extortion and mitigation
By: Ali Sleiman, Technical Director MEA at Infoblox
A distributed denial-of-service (DDoS) attack floods a target's network, servers or applications with traffic from many sources so that legitimate users cannot reach them. From 1996 (when the first reports of DDoS attacks emerged) to 2010, threat actors used DDoS mainly to promote themselves or political agendas and to encourage social change; in recent years the financial motive has become dominant, and extortion is now a central part of many DDoS campaigns. Before 2020, DDoS extortionists usually issued empty threats and did not follow up with attacks; since the second half of 2020, however, actors have made good on their threats far more often.
Although threat actors have monetized DDoS threats and attacks in the past, we believe that the popularization of cryptocurrency, the willingness of some organizations to meet extortion demands (as seen in the ransomware attack on Colonial Pipeline) and the affordability of DDoS as a service (DDoSaaS) have encouraged threat actors to pursue these activities.
Attack Chains
DDoS extortion campaigns typically follow one of two attack chains:
- Demonstration first. The actors open with a DDoS demonstration: a show of force meant to convince the targeted organization that the threat is real. They hit a specific resource in the organization's web service or network infrastructure with enough traffic to slow services down but not enough to knock them offline. During or after the demonstration, the actors send an extortion email threatening a larger attack unless the organization pays a specified bitcoin amount to the actors' cryptocurrency wallet. If the deadline passes without payment, the actors launch the main DDoS attack and raise the demand every day after the due date until they receive the full payment.
- Email first. The actors send the extortion email before any attack. It contains the demand, the bitcoin wallet address, the deadline, the claimed attack capacity and other details, and the group may boast of being able to generate several terabits per second of traffic. In most cases these threats are not bluffs and are followed by full-scale attacks.
Mitigation
When planning for DDoS mitigation, organizations should consider not only their business obligation to keep services running but also how much service disruption they and their customers can tolerate. The Australian Cyber Security Centre (ACSC) publishes basic guidance on reducing the likelihood and impact of a DDoS attack:
- Determine which functionality is truly critical to the operations of an organization. Create all backups necessary to keep it running despite the attack, and allocate enough resources (if necessary, by moving them from non-critical functionality) to maintain it during the attack and, ultimately, to restore it once the attack has been managed.
- With service providers, discuss the details of DDoS prevention and mitigation strategies, namely:
- the capacity to withstand DDoS attacks
- any costs likely to be incurred by customers
- thresholds for notifying customers or for turning off their online services during DDoS attacks
- pre-approved actions that can be taken during DDoS attacks
- arrangements made with upstream (for example, Tier 2) service providers to block malicious traffic as far upstream as possible
- Protect an organization’s domain names by using registrar locking and by confirming that the domain registration details are correct.
- Ensure that customers maintain details of their service providers’ 24×7 contacts and that service providers maintain details of their customers’ 24×7 contacts.
- Establish additional out-of-band contact details—for example, mobile phone numbers and non-organizational email addresses—that service providers would use if normal communication channels were to fail.
- To detect DDoS attacks and measure their impact, implement availability monitoring with real-time alerting.
- Prepare a static version of the company’s website. Ensure that it not only facilitates continuity of service during a DDoS attack but also requires minimal processing and bandwidth.
- Use cloud-based hosting from a major cloud service provider (preferably several, for redundancy) with high-bandwidth content delivery networks that cache static content. When using a CDN, do not disclose the IP address of the web server under the organization's control (the origin web server), and use a firewall to ensure that only the CDN's address ranges can reach it; an attacker who learns the origin address can bypass the CDN entirely.
- Use a DDoS mitigation service; such services offer a range of defense-in-depth controls at the infrastructure and application layers.
An effective DDoS mitigation posture takes into account all of a business's requirements and constraints and implements controls focused on cloud infrastructure, on-premises systems, or a hybrid of the two. As a general rule, the more complex the mitigation system, the more likely it is to fail because of misconfiguration or broken integration points. Organizations considering DDoS protection for the first time should start with simple systems that can be monitored and refined. DDoS attacks, like other cyber security threats, are constantly evolving in complexity and effectiveness, so defenders must never stop improving their detection and defenses. DDoS mitigations in particular require careful planning to ensure adequate maintenance and up-to-date protection.
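The availability-monitoring item above says little about what to alert on. The demonstration attack described in the first chain is designed to slow a service without taking it offline, so a monitor that only counts failed probes will miss it. The following is an added example, written for this page and not code from Infoblox or the ACSC: a small monitor fed with constructed probe results (timestamp, success flag, latency) that learns a latency baseline from healthy probes and raises an alert on a state change to DEGRADED (latency well above baseline) or OUTAGE (error rate over a threshold). The window sizes, thresholds and the `AvailabilityMonitor` class name are assumptions chosen for the example.

```python
"""Hypothetical availability monitor with real-time alerting (added example).

Alerts on latency degradation against a learned baseline as well as on
outright failures, so a DDoS "demonstration" that only slows the site is
still detected.
"""
from collections import deque
from statistics import median

# CONSTRUCTED probe results: (timestamp_s, ok, latency_ms) from a synthetic
# probe hitting the site every 30 s: 20 healthy, then 10 slow (demonstration),
# then 10 failed (main attack).
PROBES = (
    [(t, True, 120 + (t // 30) % 7) for t in range(0, 600, 30)]
    + [(t, True, 900 + (t // 30) % 50) for t in range(600, 900, 30)]
    + [(t, False, 0) for t in range(900, 1200, 30)]
)


class AvailabilityMonitor:
    def __init__(self, window=6, min_baseline=10, latency_factor=3.0,
                 error_threshold=0.5):
        self.window = deque(maxlen=window)   # most recent probes
        self.baseline = []                   # latencies seen while healthy
        self.min_baseline = min_baseline     # samples needed before latency alerts
        self.latency_factor = latency_factor # DEGRADED when median > factor * baseline
        self.error_threshold = error_threshold
        self.state = "OK"

    def _evaluate(self):
        """Classify the current window as OK, DEGRADED or OUTAGE."""
        if len(self.window) < self.window.maxlen:
            return "OK"  # not enough data yet
        failures = sum(1 for _, ok, _ in self.window if not ok)
        if failures / len(self.window) >= self.error_threshold:
            return "OUTAGE"
        if len(self.baseline) >= self.min_baseline:
            ok_latencies = [lat for _, ok, lat in self.window if ok]
            if ok_latencies and median(ok_latencies) > self.latency_factor * median(self.baseline):
                return "DEGRADED"
        return "OK"

    def observe(self, ts, ok, latency_ms):
        """Feed one probe; return an alert string on a state change, else None."""
        self.window.append((ts, ok, latency_ms))
        new_state = self._evaluate()
        # Learn the baseline only from probes taken while the service is healthy,
        # otherwise a slow attack would quietly raise the reference level.
        if ok and new_state == "OK":
            self.baseline.append(latency_ms)
        alert = None
        if new_state != self.state:
            alert = f"{ts}s: {self.state} -> {new_state}"
            self.state = new_state
        return alert


def run(probes=PROBES):
    """Replay probe results and collect the alerts that would be raised."""
    mon = AvailabilityMonitor()
    return [a for a in (mon.observe(*p) for p in probes) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Replaying the constructed data raises two alerts: one when the window's median latency crosses three times the baseline during the demonstration, and a second when half the probes in the window fail. In production the probe loop would hit the public hostname from outside the organization's network so that it measures what customers experience, not what the origin sees.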
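Hiding the origin web server behind a CDN only works if two things hold: the firewall in front of the origin admits only the CDN's address ranges, and nothing in the organization's own DNS still points at the origin address. The following is an added example, not code from Infoblox, the ACSC or any CDN vendor: it renders an nftables ruleset that drops all web-port traffic except from the CDN ranges, emulates that firewall decision for a given source address, and scans exported zone records (A/AAAA records and SPF `ip4:`/`ip6:` tokens) for records that leak the origin address. The CDN ranges, origin addresses and DNS records are constructed sample values; in practice they come from the CDN provider's published range list and the authoritative zone.

```python
"""Hypothetical origin-server lockdown helper (added example, not page code)."""
import ipaddress
from typing import Iterable

# CONSTRUCTED sample data; substitute the CDN's published ranges, the real
# origin addresses and a zone export.
CDN_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:cd::/48"]
ORIGIN_IPS = ["192.0.2.10", "2001:db8:1::10"]
DNS_RECORDS = [  # (name, type, data)
    ("www.example.com.", "A", "203.0.113.7"),               # CDN edge: fine
    ("example.com.", "A", "203.0.113.7"),
    ("mail.example.com.", "A", "192.0.2.10"),               # leaks origin
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 ip4:192.0.2.10 -all"),  # leaks origin
    ("dev.example.com.", "AAAA", "2001:db8:1::10"),         # leaks origin
]


def parse_networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip: str, cdn_ranges: Iterable[str] = CDN_RANGES) -> bool:
    """Emulate the firewall decision: only CDN source addresses may reach the origin."""
    addr = ipaddress.ip_address(src_ip)
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa
    return any(addr in net for net in parse_networks(cdn_ranges))


def render_nftables(cdn_ranges: Iterable[str] = CDN_RANGES, ports=(80, 443)) -> str:
    """Render an nftables ruleset: accept web ports from CDN sets, drop the rest.

    The chain policy stays 'accept' so that management traffic (SSH etc.) is
    unaffected; only the web ports are locked down.
    """
    nets = parse_networks(cdn_ranges)
    port_set = ", ".join(str(p) for p in ports)
    lines = ["table inet origin_guard {"]
    accept_rules = []
    for ver, saddr in ((4, "ip saddr"), (6, "ip6 saddr")):
        members = [str(n) for n in nets if n.version == ver]
        if not members:
            continue  # nftables rejects an empty element list
        lines.append(f"  set cdn_v{ver} {{ type ipv{ver}_addr; flags interval; "
                     f"elements = {{ {', '.join(members)} }} }}")
        accept_rules.append(f"    tcp dport {{ {port_set} }} {saddr} @cdn_v{ver} accept")
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
        *accept_rules,
        f"    tcp dport {{ {port_set} }} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def find_origin_leaks(records=DNS_RECORDS, origin_ips=ORIGIN_IPS):
    """Return zone records whose address data covers an origin address."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    leaks = []
    for name, rtype, data in records:
        candidates = []
        if rtype in ("A", "AAAA"):
            candidates.append(data)
        elif rtype == "TXT" and data.startswith("v=spf1"):
            # SPF mechanisms such as ip4:192.0.2.10 or ip6:2001:db8::/48
            candidates += [tok.split(":", 1)[1] for tok in data.split()
                           if tok.startswith(("ip4:", "ip6:"))]
        for cand in candidates:
            try:
                net = ipaddress.ip_network(cand, strict=False)
            except ValueError:
                continue
            if any(o in net for o in origins):
                leaks.append((name, rtype, data))
                break
    return leaks


if __name__ == "__main__":
    print(render_nftables())
    for rec in find_origin_leaks():
        print("origin leak:", rec)
```

The leak scan is the step most often skipped: a mail server or a staging host sharing the origin address, or an SPF record listing it, gives an attacker a direct path around the CDN, and in that case the firewall allowlist is the only remaining control. Published CDN ranges change, so regenerate and reload the ruleset on a schedule rather than editing it by hand.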