A New Era of Digital Warfare: Understanding and Mitigating Modern DDoS and RDoS Attacks
The era of simple Distributed Denial-of-Service (DDoS) attacks is over.
Abstract
As information systems become more sophisticated, so do the methods used by attackers. Criminal and nation-state actors have long recognized the value of denial-of-service attacks, which can cause serious business interruptions for any organization connected to the internet. Denial-of-service attacks have increased in magnitude as more devices come online and organizations expand remote access for their staff. This paper covers the motivations behind Distributed Denial-of-Service (DDoS) attacks, provides several historical examples, and details strategic and tactical recommendations that IT and information security professionals can implement in their organizations to limit the impact of these disruptive attacks.
Executive Summary
As information technology systems become more sophisticated, so do the tactics, techniques and procedures (TTPs) used by threat actors. While financially motivated DDoS attacks have been a tactic since the late 1990s, ransom denial-of-service attacks have been widely adopted by cybercriminals since 2015. Ransom Denial-of-Service attacks, or RDoS, usually begin with an extortion letter sent by email to recipients in varying positions within the organization. The letter threatens to flood the victim's network with unsolicited traffic within a certain number of days and announces a relatively small demonstration attack intended to prove that the threat is credible. If the victim does not pay the ransom, normally in Bitcoin, the fee demanded to stop the attack increases with each day that passes without payment. In cases where the threat actor receives no communication from the victim, they often execute follow-on RDoS attacks weeks to months after the initial attack.
Denial-of-service attacks have increased in magnitude as more devices come online through the Internet of Things (IoT) and organizations reinforce remote connectivity systems to supplement pre-existing infrastructure. Threat actors sought to capitalize on the threat landscape in 2020 as telework increased in response to the novel coronavirus and efforts to encourage social distancing. Regardless of size, organizations often fail to follow asset and inventory management best practices, and so lack a thorough understanding of their attack surface. In addition, IoT devices often retain default passwords and lack a sound security posture, making them vulnerable to compromise and exploitation. Infection of IoT devices often goes unnoticed by their users, and an attacker could easily compromise hundreds of thousands of such devices to conduct a large-scale attack.