If someone wants to disrupt a website or online service—or take it down altogether—a popular method is to wallop it with a massive flood of junk traffic or bogus requests. These so-called distributed denial of service attacks have for years been a fact of life on the internet. But a recent spate of major campaigns has raised the specter of DDoS mercenaries increasingly targeting attacks at the behest of the highest bidder.
On Wednesday, the cybersecurity firm Trend Micro is releasing findings about escalating global turf wars between attacker groups vying to seize control of vulnerable routers and other devices. Their aim: to power botnets that can direct a firehose of malign traffic or requests for DDoS attacks. Such territory disputes are a hallmark of botnets, but attackers seem increasingly motivated grow their zombie armies not for their own purposes, but in service of more professionalized—and profitable—"DDoS for hire" schemes.
"Four or five years ago attackers were just compromising as many routers as they could," says Robert McArdle, director of forward-looking threat research at Trend Micro. "If they could get 1,000 they were happy, if they could get 10,000 they were happier. Now when you start thinking of it as a business those are growth numbers. They're thinking more corporate. It's a key change."
One challenge of DDoS research is getting insight into specific numbers of IoT devices infected with botnet malware. Unlike, says, Windows computers, most consumer-grade IoT devices like routers don't run any type of monitoring software that provide visibility. Even more kitted out enterprise networks don't always extend their protections to every IoT device, leaving some exposed to attack.
In general, though, DDoS activity appears to have been steady the first months of 2020. From November 11, 2019 to March 11 of this year, network performance company Netscout observed an average of about 735,000 DDoS attacks per month. But from March 11 to April 11th of 2020, the group observed more than 864,000 attacks, the largest number Netscout has ever seen in a 31-day period by 17 percent.
Those attacks are noteworthy not only for their frequency but their size, measured in terabits-per-second or packets-per-second. Amazon Web Services said in a recent report that it successfully thwarted an impressive three-day attack in mid-February against one of its customers that peaked at 2.3 terabits-per-second—44 percent larger than any similar DDoS attack previously detected on AWS's infrastructure. The internet infrastructure firms Akamai and Cloudflare both fended off attacks between June 18 and June 21 that peaked at 754 million packets-per-second for Cloudflare and a record 809 million packets-per-second for Akamai.
Though the motivation for these two attacks is unknown, both firms say that they didn't see evidence that the assaults were extortion attempts—a monetization strategy DDoSers sometimes tried during the 2010s. This could mean that the attacks were ideologically motivated, and even that they came from DDoS-for-hire services. Regardless of their origin, the TrendMicro researchers say that DDoS-for-hire more broadly is escalating, and that attackers are going to greater and greater lengths to break into consumer routers for more DDoS firepower.
"It's not so much that attackers have upgraded the botnet source code that's out there, it's that now they’ve figured out the way to monetize these attacks," says David Sancho, a senior threat researcher at Trend Micro. "And the price of entry is so, so low that it's driving more and more attacks."
In addition to happening within days of each other, both the Akamai and Cloudflare attack focused on overwhelming applications and networking hardware with a deluge of network communication data packets. This type of DDoS attack doesn't involve sending a huge amount of junk data; Cloudflare said the attack it dealt with hit 250 gigabits-per-second, far from a noteworthy attack in that respect. But the unusually high packet rate common across both attacks can be just as devastating—what Cloudflare calls "a swarm of millions of mosquitoes that you need to zap one by one."
"Over 50 percent of that 809 million packets-per-second was coming from enterprise-level DVRs," says Roger Barranco, Akamai's vice president of global security operations. "What’s new is the concept of campaigns. We go back a couple of years and 'attack' was the right word to use. There were many attacks every single day, but they weren’t in my opinion campaign-oriented. Some of our more recent ones are campaign-oriented where the attacker is working in a coordinated way over an extended period of time."
Enterprise DVRs, which are typically used to record security camera footage, are the type of device that could easily be ignored by corporate IT defenses more focused on critical components like high-end routers and firewalls. And the Trend Micro researchers say that while they are particularly focused on raising awareness about the long tail of dealing with unprotected consumer routers, DDoS groups that are more organized and professional than ever will capitalize on whatever vulnerable devices they can find.
"Right now they’re going for the very, very easy targets," Trend Micro's Sancho says. "What I think is most likely is that they’re going to develop more and better business plans to make money off of those infected routers and monetize those. Then we’ll see even more people trying to attack, which will exacerbate the whole problem."
As DDoS-for-hire becomes more and more profitable, particularly because of a surge of customers in the online gaming world, attackers will continue to feud over the finite number of vulnerable devices they can pull into their botnets. The key for potential targets is to prepare for any type of DDoS attack that comes along, and to avoid being lulled into complacency by the unrelenting patter.
"If you think about email spam it’s still out there, but we’re really not troubled by it as much, because it all goes into the spam folder," says John Graham-Cumming, Cloudflare's chief technology officer. "The same is true of DDoS. If you have a DDoS defense service, ours and others, we’ll filter out DDoSes that are happening all the time. Handling them, particularly attacks that are large in packets-per-second, is interesting from our perspective, but it's just another attack. There's never a lull."