Author: Ashley Stephenson, CTO, for Corero Network Security.
What business can now exist if they are offline? It might seem like an obvious point but the entire world now runs on connectivity. In the last few decades, the Internet has become the very lifeblood of the global economy.
Digital connection has become even more central to our daily lives over the course of the global pandemic. As offices have emptied, business has moved deeper online. They’ve moved further into the cloud and towards remote working while everyday users have leaned on connected services to pass the time, entertain themselves and stay connected to their dispersed social circles. McKinsey has even noted that technology adoption rates have sped up, advancing by years over the course of the pandemic.
Hackers have sensed an opportunity. Going offline can have crippling effects on a business. In 2019, one report showed, the cost of downtime for the average organisation was between $301,000 and $400,000 per hour. It’s this threat of downtime (and associated lost revenue) that makes ransomware an enduring success for hackers. It’s simply cheaper to pay a few bitcoin than it is to lose a few hours of productivity.
As a result, average ransomware payments have risen by 33% since the third quarter of 2019. In 2021, CNA Financial reportedly paid one of the largest ransoms ever, handing over $40 million to attackers. In fact, some have predicted that in 2021, there would be a ransomware attack every 11 seconds. Businesses are terrified of downtime and hackers are reaping profits from that fear.
It’s through this lens that we can understand much about the commonly overlooked threat of DDoS attacks.
DDoS attackers are increasingly choosing their targets based on that sensitivity to downtime. DDoS gangs are taking aim at Internet Service Providers (ISPs), telecom companies, online games, cloud hosts and Voice over Internet Protocol (VoIP) services. These kinds of industries not only rely on connectivity but also provide connectivity to their customers. Their ability to offer connectivity is linked to their primary sources of revenue and their very reason for being. A DDoS that can strike at that soft underbelly, denying service to them and their customers, is devastating.
Online gaming has always been rife with DDoS threats. Many of the top online games, including Apex Legends, Rainbow Six and Call of Duty Online, have suffered from sustained DDoS attacks. Most recently the developers of online shooter Escape from Tarkov, and Blizzard, the makers of World of Warcraft, have both suffered sustained attacks resulting in service outages. Late last year, DDoS attacks rendered Titanfall 2, another popular online game, unplayable for many users.
The nature of online gaming makes latency a particularly pressing issue. Esports are becoming a billion-dollar industry and games can be won and lost in a second, so slowing a rival’s connection speed can be a winning, if illicit, move. This is more common, and easier, than many might think.
While mainstream game services do not reveal the IP address of individual players, many gamers use private servers which do. That can open up an opportunity for a malicious player to hobble a rival. Furthermore, many DDoS attackers take advantage of DDoS services that are designed to feed off this competitive rivalry and can be rented for only a few dollars.
The problem has gotten so widespread that gaming companies have banned thousands of players for employing this illicit tactic and even attempted to sue DDoS services for allowing the behaviour.
The scope of DDoS in gaming extends further than inter-player rivalry to the servers and game companies themselves.
DDoS attacks can be devastating for a gaming site operator. Given that reliable network uptime is a core part of online gaming, operators that suffer DDoS attacks, and the latency those attacks introduce, will likely lose customers and revenue.
Internet Service Providers, Cloud hosts and Telecoms
In early May 2021, chaos spread across Belgium. Government bodies, healthcare organisations, academic institutions and even the Belgian parliament suffered severe disruptions. The source of this disarray was traced back to a DDoS attack on Belnet, the national ISP which upheld much of the country’s online administrative infrastructure.
While the country’s emergency cyber-defence team was activated and service eventually returned to the myriad organisations which had suffered at the hands of this single DDoS, this case shows just how disruptive a well-aimed DDoS attack can be.
Amazon Web Services, one of the world’s leading cloud hosts, was hit with a 2.3 terabit-per-second DDoS attack in 2020, the largest ever recorded. While the hosting giant managed to mitigate the attack, it’s not hard to see why it was chosen as a target.
In April 2021, AWS reported that their business accounted for 32% of the global cloud market in the first quarter of the year. Their clients include NASA, Netflix and much of the international defence and intelligence community. Much like the institutions that depended on Belnet, millions of people depend on AWS to uphold the cloud infrastructures that drive global business. Had those attackers been successful, the consequences could have been much worse and spread much further than they did.
Voice over Internet Protocol (VoIP) services are yet another core component of modern business. They provide internet-based voice call services to businesses as well as to institutions and emergency services.
Attackers have not ignored that fact. The last quarter of 2021 saw a rash of DDoS attacks against VoIP operators. VoIP.ms, Voip Unlimited, Voipfone and US-based Bandwidth all suffered sustained DDoS attacks of between 100 and 450 gigabits per second. These attacks left many customers without the fundamental voice capability of their business. From that point of view, we can see the value of attacking a VoIP operator. They provide downstream communication services, and an attack here can shut down voice services for potentially hundreds of thousands of clients.
These examples all have something in common. They sell reliable connections to keep hundreds, thousands or even millions of different customers online. If they get taken offline, their customers are paralysed. Downtime for the target means downtime for all of their customers – thus piling on the pressure to restore availability. It’s all about hitting with minimum effort and maximum impact.
Hemmed in on one side by attackers and on the other by unhappy customers, victims like these are in a particularly sensitive position. Increasingly, it’s at that moment that their attackers offer them a lifeline – a ransom.
The attacks can also take the form of a combined assault of both DDoS and ransomware. Often ransomware gangs will bolster their attacks with the added threat of a DDoS attack. The Avaddon ransomware gang have been notable users of this tactic. Once they’ve attacked a victim with ransomware, they’ll follow up with a DDoS attack as a coup de grâce to force them to the negotiating table.
Ransom DDoS has returned with a vengeance in recent years. A cybercriminal will issue a warning, launch an attack against a target, cripple their operations, and then demand a payment – usually in bitcoin – to halt the attacks.
These tactics are seeing increasing use against the aforementioned industries. In late 2020, a 400 gigabit-per-second DDoS attack was launched at Norwegian telecom company and ISP Telenor. The attackers demanded a 20 bitcoin ransom (roughly €200,000) to stop the attack. Fortunately, Telenor managed to mitigate the attack without paying the ransom.
In 2021, Ireland’s major ISPs were hit with a series of DDoS attacks and asked to pay bitcoin ransoms to stop them.
The providers of VoIP services that were paralysed with DDoS attacks late last year were also extorted with “colossal ransom demands”, according to one victim. Meanwhile, ransom DDoS has been used against gaming services for years.
These are just a few of the examples that have been publicly revealed, and there are certainly many more such cases that have not yet been reported.
Defending from Downtime
Downtime can crush an online business. Ransomware gangs know that, DDoSers know that, businesses know that and organisations that provide connectivity to customers need to take it seriously.
Given our ever-increasing reliance on connectivity, pressure will likely mount to maintain that “essential” service. Service Level Agreements (SLAs) will contain stricter guarantees, and for many critical services – such as telecoms – governments may legislate to reinforce those guarantees. One report by Omdia, entitled Connecting the Dots: Key Strategic Opportunities in a Post-COVID-19 World, predicts that “Governments will continue to reluctantly step in to further democratise spectrum and to guarantee access and minimum SLAs for citizens and businesses.”
These challenges can be met with a judicious consideration of available DDoS protection approaches. Some strategies offer cloud-based mitigation. This solution diverts the flood of traffic caused by a DDoS attack into a cloud scrubbing resource, taking pressure off the victim network and allowing it to maintain uptime. Cloud mitigation is well suited to less frequent, larger attacks that seek to overwhelm the victim’s internet bandwidth.
On-premises mitigation offers a more bread-and-butter solution. It provides effective local protection against the kinds of DDoS attacks that an organisation is likely to experience from day to day, attacks that fit within the organisation’s bandwidth but still pose significant risks to individual parts of its network and to its customers.
A best-of-both-worlds, always-on solution that combines cloud and on-premises protection is perhaps the ideal option for organisations that need to ensure real-time availability, connectivity and uptime for their customers.
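To make the hybrid model concrete, here is an added illustration of the decision logic a defender might run at the edge of such a deployment. It is example code written for this article, not Corero’s product logic or any vendor’s API, and everything in it is an assumption: the comma-separated flow-record format, the 10 Gbit/s link, the capacity of the hypothetical on-premises appliance, the per-source packet-rate limit and the 90% diversion trigger are all constructed values. The logic is simply the one the text describes: day-to-day attacks that fit within the link are filtered locally by blocking abusive sources, while a volumetric flood that threatens to saturate the upstream link cannot be fixed on-premises (the pipe fills before the appliance sees the packets), so the only useful action is to swing traffic to cloud scrubbing.

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# Hypothetical capacities, constructed for this example (not measured values)
LINK_CAPACITY_BPS = 10_000_000_000   # 10 Gbit/s upstream link
PER_SOURCE_PPS_LIMIT = 20_000        # one source above this packet rate is treated as abusive
DIVERT_FRACTION = 0.9                # signal cloud diversion at 90% of link capacity


@dataclass
class Flow:
    """One aggregated flow record for a measurement window: source, packets/s, bits/s."""
    src: str
    pps: int
    bps: int


@dataclass
class Decision:
    mode: str                                  # "normal", "on_prem" or "cloud_divert"
    blocked_sources: List[str] = field(default_factory=list)
    inbound_bps: int = 0                       # total offered load in this window
    residual_bps: int = 0                      # load that still reaches the network after local filtering


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse constructed 'src,pps,bps' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, pps, bps = (part.strip() for part in line.split(","))
        flows.append(Flow(src, int(pps), int(bps)))
    return flows


def decide(flows: List[Flow]) -> Decision:
    """Choose the mitigation tier for one window of flow records.

    Volumetric case: if offered load approaches link capacity, local filtering cannot help
    because the upstream link saturates before the appliance can drop anything, so the
    window is marked for cloud diversion. Otherwise abusive sources are dropped locally.
    """
    inbound = sum(f.bps for f in flows)
    if inbound >= DIVERT_FRACTION * LINK_CAPACITY_BPS:
        # Residual is unknown until the cloud scrubber reports; report the offered load as-is.
        return Decision("cloud_divert", [], inbound, inbound)

    blocked = sorted({f.src for f in flows if f.pps > PER_SOURCE_PPS_LIMIT})
    residual = sum(f.bps for f in flows if f.src not in blocked)
    mode = "on_prem" if blocked else "normal"
    return Decision(mode, blocked, inbound, residual)


# Constructed sample windows using documentation address ranges (RFC 5737), not real traffic.
WINDOW_NORMAL = [
    "# src, packets/s, bits/s",
    "192.0.2.1, 500, 4000000",
    "192.0.2.2, 800, 6000000",
]
WINDOW_DAILY_ATTACK = WINDOW_NORMAL + [
    "198.51.100.7, 150000, 1200000000",   # high packet rate, fits inside the link: local drop
]
WINDOW_VOLUMETRIC = WINDOW_NORMAL + [
    "203.0.113.5, 900000, 9500000000",    # 9.5 Gbit/s against a 10 Gbit/s link: divert to cloud
]


def summarise(lines: Iterable[str]) -> str:
    d = decide(parse_flows(lines))
    return (f"mode={d.mode} inbound={d.inbound_bps / 1e9:.2f} Gbit/s "
            f"residual={d.residual_bps / 1e9:.3f} Gbit/s blocked={d.blocked_sources}")


if __name__ == "__main__":
    for name, window in (("normal", WINDOW_NORMAL),
                         ("daily attack", WINDOW_DAILY_ATTACK),
                         ("volumetric", WINDOW_VOLUMETRIC)):
        print(f"{name:13s}: {summarise(window)}")
```

The point of the split is visible in the two attack windows: the high packet-rate flood is only 1.2 Gbit/s, so the on-premises tier can discard it and the remaining 10 Mbit/s of legitimate traffic passes untouched, whereas the 9.5 Gbit/s flood would saturate the link regardless of what the appliance drops, which is exactly the case the text reserves for cloud diversion. In a real deployment the thresholds would come from the measured link and appliance capacity, and the diversion signal would be whatever the scrubbing provider uses, rather than the constants here.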