Analysing the current state of the geopolitical DDoS threat landscape

“When it comes to DDoS attacks tied to politics and geopolitical conflicts, there has always been a link, historically speaking. But it wasn’t until recently that things changed in a major way. Hacktivists have always existed, but nowhere near the scale we’re dealing with today,” observes Richard Hummel, senior threat intelligence lead at NETSCOUT.

Over the years, groups such as Armada Collective, Operation Ababil and Lizard Squad have launched DDoS attacks targeting specific events and industries. For instance, Operation Ababil targeted financial services, while Lizard Squad targeted major sporting events including the Rio Summer Games.

However, a marked change took place when Russia invaded Ukraine. Although the invasion was not the catalyst for the worldwide increase in attacks, it did signal a shift: according to the data NETSCOUT observed, it gave threat actors a common interest and led to a concentrated agenda of attacks against countries based on which side they supported. This produced a significant spike in DDoS attacks against public resources.

In particular, media websites, financial services and service providers were attacked. These DDoS attacks were effective in some instances because the targeted organisations were not prepared to handle the threat of a DDoS attack, and that success proved to the attackers that their scare tactic of launching DDoS attacks against public resources worked.

During this period, other attacks were still being launched, but they were invisible to the end user. However, what was visible to the audience was the impact of the DDoS attacks. They appeared to be very powerful and widespread, capable of causing mayhem. From this, there was a domino effect of hundreds to thousands of individuals operating under this umbrella of what was then Killnet. The group has now started to splinter into other hacktivist cells such as Anonymous Sudan, NoName057(016) and Cyber Team Russia.

Can AI tools help stop DDoS attacks? 

AI can be very effective in helping to defend against DDoS attacks. When NETSCOUT studies the threat landscape, it looks at telemetry (the collection and analysis of data) built from everything it has gathered over time, together with data from the global honeypots it operates and manages. It also runs a global scanner that identifies devices an adversary can abuse.

However, preventing an attack is not a matter of scanning for and blocking hundreds of millions of IP addresses in an attempt to disable those used by bad actors. No device on the planet could load and block all of those IP addresses, and there is no need to block them all, because most of the time they are legitimate devices such as home computers and routers. The idea is to block only the malicious activity that emanates from these devices.

Once such devices are identified, NETSCOUT uses the telemetry it has built up over decades to check which connections and devices are active, and which ones adversaries are using to launch DDoS attacks. The first part of analysing a threat is therefore reactive: the team must observe an adversary using a given device to know it is being used maliciously. The second part is predictive, because once an adversary finds infrastructure they can use to launch an attack, they do not use it once and move on. In reality, they often use the same infrastructure over and over again.

Observing this infrastructure being used even once allows us to predict it will be used again. NETSCOUT has found that the infrastructure deployed to launch DDoS attacks is used repeatedly for up to a month and a half before it stops being used by attackers.

In fact, the vast majority of DDoS attacks are not sophisticated in any way. They are using the same methods that all attackers use repeatedly. The infrastructure remains the same, the tools remain the same, and the attack types remain the same. It is also incredibly accessible and easy to launch DDoS attacks now. Hackers only need to know the IP address of their target, put it in a tool, push a button, and the attack is launched.

Nonetheless, the global visibility NETSCOUT has from all of these different locations such as enterprises, service provider networks, application service providers (ASPs) and mobile and satellite, provides a truly comprehensive picture of the global threat landscape. Regardless of where the infrastructure is or who the target is, this information allows us to understand and know when attacks happen, enabling us to create this predictive intelligence.
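The reactive-then-predictive loop described above (observe a device being used in an attack once, then expect it to be reused for up to a month and a half, while blocking only attack-like traffic rather than the whole device) can be shown as a small reputation store. The code below is an added example, not NETSCOUT's code or product logic; the 45-day window is taken from the article's "month and a half", the port-based vector profiles and all observations and flow records are constructed for illustration.

```python
"""Added example: an aging reputation store for DDoS source infrastructure.

Not NETSCOUT code. Observations of infrastructure seen attacking are recorded
(reactive step); incoming flows are then checked against that store for the
reuse window (predictive step). Only traffic that matches the attack vector
a source was seen using is blocked, so a home router that also served as a DNS
reflector can still carry its owner's normal traffic.
"""
from datetime import datetime, timedelta

# Assumption from the article: infrastructure is reused for up to ~1.5 months.
REUSE_WINDOW = timedelta(days=45)

# Constructed vector profiles: a reflection/amplification source sends from
# the service port over UDP. Hypothetical mapping for illustration only.
VECTOR_PROFILES = {
    "dns-reflection": ("udp", 53),
    "ntp-reflection": ("udp", 123),
}

# Constructed observations: (source IP, ISO timestamp, attack vector seen).
CONSTRUCTED_OBSERVATIONS = [
    ("198.51.100.7", "2024-03-01T10:00:00", "dns-reflection"),
    ("203.0.113.9", "2024-03-20T08:30:00", "ntp-reflection"),
    ("198.51.100.7", "2024-04-02T12:00:00", "dns-reflection"),
]

# Constructed incoming flow records to evaluate.
CONSTRUCTED_FLOWS = [
    {"src": "198.51.100.7", "proto": "udp", "sport": 53},   # matches its vector
    {"src": "198.51.100.7", "proto": "tcp", "sport": 443},  # ordinary traffic
    {"src": "203.0.113.9", "proto": "udp", "sport": 123},   # matches its vector
    {"src": "192.0.2.44", "proto": "udp", "sport": 53},     # never observed
]
NOW = "2024-04-10T00:00:00"


def parse_ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


def build_reputation(observations):
    """Reactive step: fold observations into {ip: {last_seen, vectors}}."""
    rep = {}
    for ip, ts, vector in observations:
        seen = parse_ts(ts)
        entry = rep.setdefault(ip, {"last_seen": seen, "vectors": set()})
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["vectors"].add(vector)
    return rep


def prune_expired(rep, now_iso: str):
    """Drop sources not seen attacking within the reuse window."""
    now = parse_ts(now_iso)
    return {ip: e for ip, e in rep.items() if now - e["last_seen"] <= REUSE_WINDOW}


def classify_flow(rep, flow, now_iso: str) -> str:
    """Predictive step: 'block' only attack-like traffic from known sources."""
    entry = rep.get(flow["src"])
    if entry is None:
        return "allow"  # never observed attacking
    if parse_ts(now_iso) - entry["last_seen"] > REUSE_WINDOW:
        return "allow"  # prediction has aged out
    for vector in entry["vectors"]:
        if VECTOR_PROFILES.get(vector) == (flow["proto"], flow["sport"]):
            return "block"  # same vector this source was seen using
    return "allow"  # known source, but not attack-like traffic


def evaluate(observations, flows, now_iso: str):
    """Return (src, decision) for each flow against the current store."""
    rep = build_reputation(observations)
    return [(f["src"], classify_flow(rep, f, now_iso)) for f in flows]


if __name__ == "__main__":
    for src, decision in evaluate(CONSTRUCTED_OBSERVATIONS, CONSTRUCTED_FLOWS, NOW):
        print(f"{src:15} {decision}")
```

The design point is the asymmetry the article draws: a single sighting is enough to add a source, the entry expires on its own after the reuse window, and the decision is made per flow so that legitimate traffic from the same device is never swept up with the attack traffic.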

How can organisations defend themselves against DDoS attacks? 

The main thing for any organisation or business is to ensure they have proper protection in place. Across the board, there is rarely anything new in these attacks. Even the hacktivists, or at least a large portion of them, use common DDoS attack vectors that have been around for decades. They may have a lot of resources, but historically very few adversaries do anything completely novel, and if a business is targeted by something completely new, there are ways to handle those attacks as well. The vast majority of DDoS attacks, however, are known.

From NETSCOUT's perspective, preparation is the single biggest factor and will solve 80 to 90 percent of problems in the DDoS space. Enterprises that understand that everyone will be the target of one of these attacks at some point, and prepare accordingly, have already won most of the battle. That is the biggest piece of advice NETSCOUT would give any enterprise or service provider regarding DDoS attacks.