Global DDoS attacks: What they are, how they work, and how to defend against them

03 Sep 2020

As many organisations around the world are being plagued by distributed denial of service (DDoS) attacks, some security firms and analysts are doing their best to untangle the attack web to find out who is behind the attacks.

In a bulletin that went out overnight from security firm Radware, those behind the attacks appear to be posing as well-known advanced persistent threat (APT) groups such as Fancy Bear, the Armada Collective, and the Lazarus Group. 

This backs up initial research from Akamai, which states that Fancy Bear and the Armada Collective may be behind the campaign. However, it is not clear that these groups are actually responsible; another threat group may be imitating well-known names in order to make its attacks seem more threatening.

The global DDoS campaign is targeting thousands of organisations including internet service providers, finance companies, travel agencies, and companies in ecommerce. 

The attackers target organisations by sending emails that name the specific IP addresses or autonomous system numbers (ASNs) they will hit if the victims don't cooperate.

The attackers then demand a ransom of 10 Bitcoin (NZ$16,792); however, some ransom demands have reached 20 Bitcoin (NZ$335,839).

If targeted organisations do not make the payment, the attackers threaten to conduct DDoS attacks of up to 2 terabits per second (2Tbps), though most attacks so far have ranged between 50Gbps and 200Gbps. The ransom demand also increases by 10 Bitcoin each time a deadline passes without payment.

Radware says that it has seen evidence that the attackers will follow up on their initial ransom demand. They often cite examples of other attacks so that targets can search for other recent disruptions. The attackers then ask, "You don't want to be like them, do you?"

If targets refuse to pay, the attackers will often launch DDoS attacks using a variety of methods, including UDP and UDP-Frag floods, WS-Discovery amplification, TCP SYN floods, TCP out-of-state floods, and ICMP floods.

Akamai notes that the campaign is similar to one conducted in 2019 by a threat group appearing to imitate the APT Group called Cozy Bear.

Radware states that any organisation that receives a ransom demand should take the matter seriously, as the attackers will more than likely follow through with DDoS attacks.

However, organisations should not pay the ransom, and the DDoS attacks can be mitigated if the right protection is in place.

“These attacks are not at a level of complexity/amplitude that prevent mitigation if the right protection is in place. Radware has seen faster and better mitigation by leveraging hybrid always-on protection compared to asymmetric routed cloud protections,” the company states.

Akamai also urges targeted firms not to pay the ransom.

“We still believe that the actors conducting these extortion attacks are looking for a quick payout, with as little effort as possible on their part,” Akamai states.

Organisations should ensure they have:

  • Hybrid DDoS protection for on-premise and cloud environments. This protection must be able to defend against high-volume attacks and pipe saturation.
  • Behaviour-based detection. This blocks anomalies while letting genuine traffic through.
  • Real-time signature creation to protect against known and unknown threats, including zero-day attacks.
  • A security emergency response plan. This helps to deal with security incidents.
  • An intelligence feed that details threats. This data can help to protect against active and known attackers.
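As an added example (not code from Radware, Akamai or the article), the behaviour-based and signature checks in the list above applied to constructed flow-style records covering the vectors the article names: a WS-Discovery amplification burst, then a SYN flood whose volume alone would look normal. The victim address, the baseline rate and the thresholds are assumptions.

```python
"""Added example: behavioural and signature checks for the DDoS vectors the
article names (UDP/WS-Discovery amplification, TCP SYN floods), run over
constructed flow-style records. Not Radware's or Akamai's code."""
from collections import defaultdict

DST = "203.0.113.10"           # constructed victim address (TEST-NET-3 range)
BASELINE_BPS = {DST: 500_000}  # assumed normal inbound bytes/s for DST

# Constructed flow records: (second, proto, src_port, dst_ip, dst_port,
# tcp_flags, bytes). WS-Discovery replies are sourced from UDP port 3702.
FLOWS = (
    # second 0: ordinary established TCP sessions, well under baseline
    [(0, "tcp", 51_000 + i, DST, 443, "A", 10_000) for i in range(40)]
    # second 1: WS-Discovery amplification, 3000 x 1400-byte UDP replies
    + [(1, "udp", 3702, DST, 80, "", 1_400) for _ in range(3_000)]
    # second 2: SYN flood of small packets, so volume alone looks normal
    + [(2, "tcp", 40_000 + i, DST, 443, "S", 60) for i in range(5_000)]
)


def detect(flows, baseline_bps, factor=5, wsd_share=0.25, syn_ratio=0.8,
           min_tcp=100):
    """Return sorted (second, dst, kind) alerts.

    volumetric: bytes/s above factor x the destination's baseline
    wsd-amplification: UDP src port 3702 carries > wsd_share of the bytes
    syn-flood: >= min_tcp TCP packets and > syn_ratio of them are bare SYNs
    """
    per_sec = defaultdict(lambda: {"bytes": 0, "tcp": 0, "syn": 0, "wsd": 0})
    for sec, proto, sport, dst, _dport, flags, nbytes in flows:
        bucket = per_sec[(sec, dst)]
        bucket["bytes"] += nbytes
        if proto == "tcp":
            bucket["tcp"] += 1
            if flags == "S":
                bucket["syn"] += 1
        elif proto == "udp" and sport == 3702:
            bucket["wsd"] += nbytes

    alerts = []
    for (sec, dst), b in sorted(per_sec.items()):
        base = baseline_bps.get(dst)
        if base is not None and b["bytes"] > factor * base:
            alerts.append((sec, dst, "volumetric"))
        if b["bytes"] and b["wsd"] / b["bytes"] > wsd_share:
            alerts.append((sec, dst, "wsd-amplification"))
        if b["tcp"] >= min_tcp and b["syn"] / b["tcp"] > syn_ratio:
            alerts.append((sec, dst, "syn-flood"))
    return alerts
```

Calling `detect(FLOWS, BASELINE_BPS)` flags second 1 as both volumetric and WS-Discovery amplification and second 2 as a SYN flood, while the ordinary traffic in second 0 passes; the second 2 case is the one a pure bytes-per-second threshold would miss.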