Digital transformation has been on the rise for quite some time, hitting an all-time high during the COVID-19 pandemic. Companies and businesses have been forced to adjust at short notice, digitizing services and moving to remote work. In addition to the myriad obstacles and challenges organizations faced during this transformation, one less-talked-about issue has been cyber security – or, more specifically, cybercrime.
One type of cyberattack that has increased in particular is the distributed denial-of-service (DDoS) attack. These attacks broke records in 2020, with the most launched in a single month (929K) and the most DDoS attacks in a year (10+ million), according to the NetScout Threat Intelligence Report.
DDoS attacks work by bringing down important systems and causing as much disruption as possible, targeting industries such as manufacturing, finance, travel, education, and others. An often-used tactic is the reflection/amplification attack, a combination of two methods. In the reflection attack, the attacker targets a UDP- or TCP-based service and sends it a request for information while spoofing the target’s IP address as the source. The server then sends its response to the target’s IP address instead of to the attacker, hence “reflecting”. “Amplification” is then used to overwhelm the target website: a large volume of small requests is sent, each of which triggers a large reply. This type of DDoS attack lets attackers generate a large amount of harmful activity and unleash it on the target. Any ordinary DNS, NTP, SNMP, SSDP or other UDP/TCP-based service, when exposed to the internet, can become a medium for these attacks.
These attacks are relatively simple, hard to spot, and can cause a lot of damage with minimal effort.
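The two sides of the mechanism described above can both be checked from ordinary flow records: on the receiving end, replies from well-known reflector service ports that no protected host ever asked for are reflected traffic, and on the serving end, the byte ratio between a request to one of our own exposed services and our reply is the amplification an abuser would get. The script below is an added example, not code from the original article; it assumes a protected network of 203.0.113.0/24, restricts itself to the UDP services named in the text (DNS, NTP, SNMP, SSDP), and runs over a handful of constructed NetFlow-style records rather than a real capture.

```python
"""Classify UDP traffic on reflector service ports from simplified flow records.

Added example (not from the original article). PROTECTED, the port list and the
flow records below are constructed assumptions, not real data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PROTECTED = ip_network("203.0.113.0/24")                 # assumed protected network
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, udp_bytes)
FLOWS = [
    (0.0, "203.0.113.10", 40001, "198.51.100.5", 53, 64),     # our host queries a resolver
    (0.1, "198.51.100.5", 53, "203.0.113.10", 40001, 180),    # resolver answers: solicited
    (1.0, "192.0.2.7", 123, "203.0.113.20", 80, 482),         # NTP reply nobody here asked for
    (1.0, "192.0.2.8", 123, "203.0.113.20", 80, 482),
    (1.1, "192.0.2.9", 1900, "203.0.113.20", 80, 1200),       # SSDP reply nobody here asked for
    (1.2, "192.0.2.7", 123, "203.0.113.20", 80, 482),
    (2.0, "198.51.100.77", 5353, "203.0.113.53", 53, 60),     # external query to our DNS server
    (2.1, "203.0.113.53", 53, "198.51.100.77", 5353, 3400),   # our very large answer
    (5.0, "203.0.113.11", 40002, "198.51.100.9", 123, 48),    # our host syncs its clock
    (5.1, "198.51.100.9", 123, "203.0.113.11", 40002, 48),    # solicited NTP answer
]


def analyze(flows, window=2.0):
    """Return (reflected traffic per victim, worst reply/request ratio per exposed service).

    Victim view: an inbound reply from a reflector port is solicited only if a
    protected host sent a request to that remote (ip, port) from the same local
    (ip, port) within `window` seconds; anything else is counted as reflected.
    Operator view: for requests to our own services, the reply/request byte ratio
    is the amplification factor an attacker would obtain from that service.
    """
    pending_out, pending_in = {}, {}
    victims = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    exposed = defaultdict(list)
    for t, src, sport, dst, dport, size in sorted(flows):
        src_in = ip_address(src) in PROTECTED
        dst_in = ip_address(dst) in PROTECTED
        if src_in and dport in REFLECTOR_PORTS:            # our host asks an external service
            pending_out[(src, sport, dst, dport)] = t
        elif dst_in and sport in REFLECTOR_PORTS:          # an external service answers us
            t_req = pending_out.pop((dst, dport, src, sport), None)
            if t_req is None or t - t_req > window:        # no matching request: reflected
                v = victims[dst]
                v["bytes"] += size
                v["reflectors"].add(src)
                v["services"].add(REFLECTOR_PORTS[sport])
        elif dst_in and dport in REFLECTOR_PORTS:          # an external host asks our service
            pending_in[(dst, dport, src, sport)] = (t, size)
        elif src_in and sport in REFLECTOR_PORTS:          # our service answers
            req = pending_in.pop((src, sport, dst, dport), None)
            if req is not None:
                exposed[REFLECTOR_PORTS[sport]].append(size / req[1])
    return dict(victims), {svc: max(ratios) for svc, ratios in exposed.items()}


if __name__ == "__main__":
    victims, exposed = analyze(FLOWS)
    for host, info in victims.items():
        print(f"{host}: {info['bytes']} reflected bytes from {len(info['reflectors'])} "
              f"reflectors via {sorted(info['services'])}")
    for svc, ratio in exposed.items():
        print(f"exposed {svc} service amplifies {ratio:.1f}x")
```

On the constructed records the script reports 203.0.113.20 receiving 2,646 bytes of unsolicited NTP and SSDP replies from three reflectors, and the one DNS server we run answering a 60-byte query with 3,400 bytes, an amplification factor of about 57 that should be fixed (response-size limits, rate limiting, or not exposing the service) before someone else finds it. The matching is deliberately strict on the local port; with NAT in the path the request key would have to be built from the translated address instead.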
One way to prevent reflection/amplification attacks is to block the trigger packets that carry a spoofed source address. However, it is often difficult to determine which activity is legitimate and which is spoofed. When an attack is under way and service is disrupted, legitimate clients may retry their requests more often, which can mislead identification and cause their traffic to be falsely deemed part of the attack. Mitigations such as rate limiting, port blocking, and traffic-signature filters all have their benefits and drawbacks because of their impact on legitimate traffic. Threat intelligence services are the best bet for most businesses looking to pre-emptively identify vulnerabilities and counteract proactively.
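The trade-off between the three mitigations named above can be measured rather than argued about. The script below, an added example and not code from the original article, replays a constructed packet stream (legitimate DNS answers and NTP replies to two hosts, plus four seconds of reflected NTP traffic from twenty sources) through each policy and scores how much attack traffic it drops against how many legitimate packets it also drops. The packet format, the per-(victim, service port) token bucket and the 90-byte NTP size signature are all assumptions made for the example.

```python
"""Score DDoS mitigation policies on a constructed packet stream.

Added example (not from the original article). The stream, the policies and
their parameters are constructed for illustration.
"""


def make_stream():
    """Constructed packets: (time_s, src_ip, src_port, dst_ip, dst_port, udp_bytes, is_attack).

    is_attack is ground-truth labelling used only to score each policy."""
    pkts = []
    for i in range(10):   # legitimate DNS answers and NTP replies, one of each per second
        pkts.append((i + 0.2, "198.51.100.5", 53, "203.0.113.10", 40001, 220, False))
        pkts.append((i + 0.5, "198.51.100.9", 123, "203.0.113.11", 40002, 48, False))
    for s in range(4):    # 4 s of reflected NTP: 50 pkt/s, 482 bytes, 20 reflector sources
        for k in range(50):
            pkts.append((3 + s + k / 50, f"192.0.2.{k % 20 + 1}", 123,
                         "203.0.113.11", 80, 482, True))
    return sorted(pkts)


class TokenBucket:
    """Per-key token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = {}, {}

    def allow(self, key, now):
        elapsed = now - self.last.get(key, now)
        tokens = min(self.burst, self.tokens.get(key, self.burst) + elapsed * self.rate)
        self.last[key] = now
        if tokens >= 1:
            self.tokens[key] = tokens - 1
            return True
        self.tokens[key] = tokens
        return False


# Each policy answers "drop this packet?" (True means drop).
def port_block(pkt):
    """Port blocking: drop everything sourced from UDP/123, legitimate or not."""
    return pkt[2] == 123


def make_rate_limit(rate=5, burst=10):
    """Rate limiting: one bucket per (victim host, reflector service port)."""
    bucket = TokenBucket(rate, burst)

    def drop(pkt):
        t, _, sport, dst, *_ = pkt
        return not bucket.allow((dst, sport), t)
    return drop


def size_signature(pkt):
    """Traffic-signature filter: a normal NTP reply is 48 bytes, so drop oversized ones."""
    return pkt[2] == 123 and pkt[5] > 90


def score(stream, policy):
    """Count attack and legitimate packets dropped by a policy."""
    out = {"attack_total": 0, "attack_dropped": 0, "legit_total": 0, "legit_dropped": 0}
    for pkt in stream:
        kind = "attack" if pkt[6] else "legit"
        out[kind + "_total"] += 1
        if policy(pkt):
            out[kind + "_dropped"] += 1
    return out


if __name__ == "__main__":
    stream = make_stream()
    for name, policy in [("port block", port_block),
                         ("rate limit", make_rate_limit()),
                         ("size signature", size_signature)]:
        print(f"{name:15s} {score(stream, policy)}")
```

Port blocking stops all 200 attack packets but also every legitimate NTP reply; the rate limit lets roughly one attack packet in ten through once the bucket drains and, because attack and legitimate replies share the bucket, discards the four clock-sync replies that arrive while the flood lasts; the size signature drops exactly the attack traffic here, but only because the reflected replies are distinguishable by size, a property the next attack may not have. Re-running with your own thresholds and traffic mix is the point of the exercise.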