(Photo credit to Unsplash)

By Andrew Cockburn, Principal Consulting Engineer, NETSCOUT, and Rich Compton, DDoS Special Interest Group Chair, M3AAWG; Principal Network Security Engineer III, Charter Communications

This is the first installment of M3AAWG’s “State of the Union” series, where members provide updates on prominent, evolving issues and events in the industry. 

Distributed Denial of Service (DDoS) attacks are used by cybercriminals to shut down networks and websites, and targets can range from a single website to major services. Today, we’re seeing an increase in the sheer amount of DDoS attacks, part of a continuous upward trajectory over the past 30+ years.  Further, tactics are rapidly evolving, yet range in sophistication. In turn, experts are constantly working to pinpoint new techniques and mitigate attacks. Generally, once professionals notice or identify a new type of channel or vector, it's a race to patch, resolve, and add mitigations for the new attack vector before its usage becomes widespread. 

Some of the newest DDoS attack techniques we’re seeing today include: 

• UDP Reflection Attacks Using Apple Remote Desktop: Apple Remote Desktop (ARD) is used to manage Apple computers, allowing users to screen share, log-in remotely, and perform mass updates. If Apple’s Remote Management Service (ARMS) is enabled when using ARD and the UDP port 3283 is exposed to the public Internet, some Apple computers could be utilized by attackers to launch DDoS attacks to any IP on the Internet. 
• Carpet Bombing: Rather than attacking a particular target, carpet bombing attacks are designed to hit multiple destinations within a victim’s network, causing upstream network outages and making it more difficult for administrators to first identify, detect, and mitigate the attack. 

Not only are professionals combatting these new tactics, we’ve also seen a recent uptick in DDoS attacks due to the COVID-19 crisis. As small businesses and international corporations transition to working from home, employees are accessing resources on the company’s network from their work laptops using a virtual private network (VPN). And cybercriminals are noticing, implementing attacks that target VPN gateways, instead of public facing web services.

However, as quickly as these new vectors arise, experts are also developing technology and tactics to thwart attacks, such as how internet service providers (ISPs) and hosting companies are working to prevent IP spoofing. IP spoofing allows cybercriminals to hide their source IP address when launching a DDoS attack, and preventing it makes it harder for attackers to execute amplification. 

At M3AAWG, our coalition of member companies and experts have developed the DDoS Info Sharing Project, which collects information about DDoS attacks from various service providers, records the source IP addresses and types of attacks, and inputs this information into a central database. This database acts as a hub for anti-abuse groups and cybersecurity professionals to use to identify frequent attacks and host, streamlining mitigation processes across internet service providers, enterprises and more. 

Interested in learning more about the current state of DDoS and digging deeper into the techniques professionals can use to mitigate these attacks? Join our DDoS virtual session during M3AAWG’s 49th General Meeting Tuesday, June 9 at 12:30-1:30 pm ET. Sign up here.