An ‘Alarming Escalation’ of Sophistication in DDoS Attacks, Cloudflare Says

Distributed denial-of-service (DDoS) attacks are becoming increasingly sophisticated and complex, making what is already an expanding threat landscape even more challenging for organizations to address, according to content delivery network provider Cloudflare.

From the growth in highly randomized HTTP attacks to the increasing number of botnets that comprise virtual machines rather than internet-of-things (IoT) devices, threat groups are targeting enterprises with DDoS campaigns that are more difficult to detect and mitigate, Cloudflare said in a report released this week about the DDoS environment in the second quarter.


“This level of sophistication has previously been associated with state-level and state-sponsored threat actors, and it seems these capabilities are now at the disposal of cyber criminals,” Omer Yoachimik, product manager at Cloudflare, and Jorge Pacheco, data analyst, wrote about recent HTTP attacks. “Their operations have already targeted prominent businesses such as a large VoIP [voice-over-IP] provider, a leading semiconductor company, and a major payment & credit card provider to name a few.”

Yoachimik and Pacheco also pointed to other trends they saw during the three months ending in June, including attacks by pro-Russian hacktivist groups like REvil, Killnet and Anonymous Sudan against Western companies, more targeted DNS DDoS attacks, a 532% jump in attacks exploiting a zero-day flaw in Mitel’s MiCollab business phone system, and a 600% increase in attacks on cryptocurrency companies.

“In recent months, there’s been an alarming escalation in the sophistication of DDoS attacks,” they wrote. “And even the largest and most sophisticated attacks that we’ve seen may only last a few minutes or even seconds — which doesn’t give a human sufficient time to respond. … Recovering from a DDoS attack can last much longer than the attack itself — just as a boxer might need a while to recover from a punch to the face that only lasts a fraction of a second.”

DDoS attacks are designed to overwhelm websites or networks with a flood of internet traffic, disrupting operations; at times the attackers also demand a ransom, which victims pay in the hope of avoiding a similar attack in the future.

A More Complex Foe

That rising level of sophistication can be seen in a number of areas, including a jump in the number of highly randomized HTTP DDoS attacks, which use a large number of IP addresses and target random URLs by using random referrers and user agents.

Cybercriminals behind these attacks are engineering them to get past mitigation tools “by adeptly imitating browser behavior very accurately, in some cases by introducing a high degree of randomization on various properties such as user agents and JA3 fingerprints,” the researchers wrote. The attackers also seem to keep their attacks’ per-second request rates fairly low so that the traffic hides among legitimate traffic and avoids detection.
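Because every attacking address sends only a trickle of requests with its own random User-Agent, JA3 fingerprint and URL, per-client heuristics miss this traffic by design; what the flood cannot hide is the aggregate shape of a time window. The following detector is an added example, not code from Cloudflare or from the report, and it assumes a constructed access-log format (`<ip> "<path>" "<user-agent>" <ja3-md5>`), a hypothetical site map `KNOWN_PATHS`, and illustrative thresholds; the JA3 values and sample requests are constructed inline.

```python
"""Window-level detector for highly randomized HTTP floods (added example).

Signals that survive per-request randomization, measured per window:
  - distinct JA3 fingerprints (and distinct IPs) per request, compared
    with the site's own baseline window;
  - share of requests for paths the site has never served (random URLs).
"""
import hashlib
import random
import shlex
from dataclasses import dataclass

# Hypothetical site map. In practice derive it from the origin's routing
# table or from a trailing window of 2xx responses.
KNOWN_PATHS = {"/", "/login", "/api/status", "/static/app.js"}


@dataclass(frozen=True)
class Request:
    ip: str
    path: str
    user_agent: str
    ja3: str


def parse_line(line: str) -> Request:
    """Parse one line of the constructed log format:
    <ip> "<path>" "<user-agent>" <ja3-md5>"""
    ip, path, user_agent, ja3 = shlex.split(line)
    return Request(ip, path, user_agent, ja3)


def window_signals(requests: list) -> dict:
    """Aggregate signals for one time window of requests."""
    n = len(requests)
    return {
        "requests": n,
        "ja3_per_request": len({r.ja3 for r in requests}) / n,
        "ip_per_request": len({r.ip for r in requests}) / n,
        "unknown_path_ratio": sum(r.path not in KNOWN_PATHS for r in requests) / n,
    }


def is_randomized_flood(signals: dict, baseline: dict,
                        factor: float = 5.0, min_unknown: float = 0.5) -> bool:
    """Flag a window when fingerprint diversity is `factor` times the
    baseline AND most requests ask for paths the site does not serve.
    Requiring both separates a randomized flood from a crawler walking
    real pages or a browser release that shifts the JA3 mix."""
    return (signals["ja3_per_request"] > factor * baseline["ja3_per_request"]
            and signals["unknown_path_ratio"] > min_unknown)


def constructed_legit_lines(rng=None, n: int = 200) -> list:
    """Constructed baseline: 20 clients, 4 browsers, 3 TLS stacks, real paths."""
    rng = rng or random.Random(7)
    ips = [f"198.51.100.{i}" for i in range(1, 21)]
    uas = ["Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0",
           "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15",
           "Mozilla/5.0 (X11; Linux x86_64) Chrome/114.0.0.0",
           "curl/8.1.2"]
    # Constructed JA3 values: md5 of a label, not fingerprints of real stacks.
    ja3s = [hashlib.md5(f"tls-stack-{k}".encode()).hexdigest() for k in range(3)]
    paths = sorted(KNOWN_PATHS)
    return [f'{rng.choice(ips)} "{rng.choice(paths)}" "{rng.choice(uas)}" {rng.choice(ja3s)}'
            for _ in range(n)]


def constructed_flood_lines(rng=None, n: int = 200) -> list:
    """Constructed flood: one request per bot, each with its own IP, UA, JA3 and URL."""
    rng = rng or random.Random(7)
    lines = []
    for i in range(n):
        ip = f"203.0.113.{i % 254 + 1}"
        ua = f"Mozilla/5.0 (compatible; rv:{rng.randint(80, 120)}.0) Gecko/{rng.randint(10**7, 10**8)}"
        ja3 = hashlib.md5(f"bot-{i}".encode()).hexdigest()  # constructed, unique per bot
        path = "/" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
        lines.append(f'{ip} "{path}" "{ua}" {ja3}')
    return lines


if __name__ == "__main__":
    baseline = window_signals([parse_line(l) for l in constructed_legit_lines()])
    flood = window_signals([parse_line(l) for l in constructed_flood_lines()])
    for name, sig in ("baseline", baseline), ("flood", flood):
        print(name, {k: round(v, 3) for k, v in sig.items()}, "->",
              "FLOOD" if is_randomized_flood(sig, baseline) else "ok")
```

The thresholds are illustrative and should be tuned against the site's own history; the practical point is that the response to a flagged window is an aggregate one (a challenge or a rate limit applied to the window's traffic) rather than a list of per-IP blocks, because no single address in this traffic looks abnormal.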

There also is an increasing number of DNS laundering attacks. Overall, DNS was the most common attack vector in Q2, representing a third of all DDoS attacks. DNS laundering attacks are a threat particularly to companies running their own authoritative DNS servers.

Such attacks are designed to make bad traffic look legitimate by “laundering” it through recursive DNS resolvers. The crime group queries random subdomains of a domain managed by the victim’s DNS server; because the names are random, the resolvers have no cached answer and must forward every query to the target’s authoritative DNS server, which receives so many queries that it cannot answer legitimate ones or simply crashes.
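Seen from the authoritative server, the laundered queries come from legitimate recursive resolvers, so blocking by source address punishes the wrong party, and every name is unique, so no cache absorbs them. The signal that survives laundering is in the names themselves. The detector below is an added example, not code from Cloudflare or the report; it assumes a constructed query-log format (`<ts> <resolver-ip> <qname> <qtype> <rcode>`), the hosted zones `example.com` and `example.org`, and illustrative thresholds, with all sample log lines constructed inline.

```python
"""Authoritative-side detector for DNS laundering (random-subdomain) floods
(added example).

Per hosted zone, over a window of queries, it measures:
  - unique_ratio: share of queries whose name was not seen before in the window;
  - mean_label_entropy: Shannon entropy of the leftmost labels (random strings score high);
  - nxdomain_ratio: share of queries answered NXDOMAIN;
  - resolvers: how many distinct recursive resolvers the queries arrived from.
A zone is flagged only when all four point the same way.
"""
import hashlib
import math
from collections import defaultdict


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a DNS label ('' scores 0)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str, zones: list):
    """Return (zone, leftmost labels) for the longest hosted zone matching
    qname, or (None, qname) if the name is not one we host."""
    best = None
    for z in zones:
        if (qname == z or qname.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    if best is None:
        return None, qname
    return best, qname[:-len(best)].rstrip(".")


def parse_line(line: str) -> tuple:
    """Constructed query-log format: <ts> <resolver-ip> <qname> <qtype> <rcode>"""
    ts, resolver, qname, qtype, rcode = line.split()
    return int(ts), resolver, qname.lower().rstrip("."), qtype, rcode


def zone_stats(lines: list, zones: list) -> dict:
    """Aggregate per-zone statistics for one window of query-log lines."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "resolvers": set(),
                               "nx": 0, "entropy": 0.0})
    for line in lines:
        _, resolver, qname, _, rcode = parse_line(line)
        zone, label = split_zone(qname, zones)
        if zone is None:
            continue  # not our zone; the server would refuse it anyway
        s = per[zone]
        s["queries"] += 1
        s["names"].add(qname)
        s["resolvers"].add(resolver)
        s["nx"] += rcode == "NXDOMAIN"
        s["entropy"] += label_entropy(label)
    return {z: {"queries": s["queries"],
                "unique_ratio": len(s["names"]) / s["queries"],
                "nxdomain_ratio": s["nx"] / s["queries"],
                "mean_label_entropy": s["entropy"] / s["queries"],
                "resolvers": len(s["resolvers"])}
            for z, s in per.items()}


def laundering_zones(stats: dict, min_queries: int = 50, min_unique: float = 0.8,
                     min_nx: float = 0.8, min_entropy: float = 3.0,
                     min_resolvers: int = 10) -> list:
    """Zones whose window looks laundered: many queries, nearly all for
    never-seen high-entropy names, nearly all NXDOMAIN, from many resolvers."""
    return sorted(z for z, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["unique_ratio"] >= min_unique
                  and s["nxdomain_ratio"] >= min_nx
                  and s["mean_label_entropy"] >= min_entropy
                  and s["resolvers"] >= min_resolvers)


def constructed_log(n_legit: int = 200, n_flood: int = 300) -> list:
    """Constructed window: normal lookups for example.com plus a laundered
    flood of random labels under example.org relayed by 60 resolvers."""
    lines = []
    legit_names = ["example.com", "www.example.com", "mail.example.com", "api.example.com"]
    legit_resolvers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for i in range(n_legit):
        lines.append(f"{i} {legit_resolvers[i % 3]} {legit_names[i % 4]} A NOERROR")
    for i in range(n_flood):
        label = hashlib.md5(f"laundered-{i}".encode()).hexdigest()[:20]  # constructed random label
        lines.append(f"{1000 + i} 198.51.100.{i % 60 + 1} {label}.example.org A NXDOMAIN")
    return lines


if __name__ == "__main__":
    stats = zone_stats(constructed_log(), ["example.com", "example.org"])
    for zone, s in stats.items():
        print(zone, {k: round(v, 3) if isinstance(v, float) else v for k, v in s.items()})
    print("laundering suspected for:", laundering_zones(stats))
```

Once a zone is flagged, the proportionate response is to rate-limit or drop the unique-name queries for that zone at the edge (or to answer them from a smaller, cheaper path) rather than to block the resolvers, which also carry the zone's legitimate lookups.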

Cloudflare also warned about the rise of VM-based botnets and their “hyper-volumetric” attacks.

“These botnets are comprised of virtual machines (VMs, or virtual private servers, VPS) rather than internet-of-things (IoT) devices which makes them so much more powerful, up to 5,000 times stronger,” Yoachimik and Pacheco wrote. “Because of the computational and bandwidth resources that are at the disposal of these VM-based botnets, they’re able to generate hyper-volumetric attacks with a much smaller fleet size compared to IoT-based botnets.”

That included a massive DDoS attack of 71 million requests per second in February, which the company at the time said was the largest HTTP-based attack on record.

The Politics of DDoS

Pointing to recent work by hacktivists, the Cloudflare researchers noted that Killnet, REvil and Anonymous Sudan – the group behind last month’s attack on Microsoft’s Outlook, OneDrive and cloud platforms – said they were joining forces to create a coalition known as “Darknet Parliament” to attack financial systems in the US, Europe, and elsewhere, in response to the SWIFT international banking system cutting off Russian banks last year following Russia’s illegal invasion of Ukraine.

While a DDoS attack on SWIFT could have global ramifications, “we haven’t observed any novel DDoS attacks or disruptions targeting our customers,” the researchers wrote, though in recent weeks they have mitigated some 10,000 Darknet Parliament attacks on websites Cloudflare protects.

More recently, Anonymous Sudan claimed successful attacks on PayPal and fan fiction website AO3 (Archive of Our Own).


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
