Neustar DDoS SOC Report

The latest cyberthreats and trends report commissioned by Neustar identifies significant shifts in distributed denial-of-service (DDoS) attack patterns in the first half of 2020. Neustar’s Security Operations Centre (SOC) saw a 151% increase in the number of DDoS attacks compared to the same period in 2019.

These included the largest and longest attacks that Neustar has ever mitigated at 1.17 Terabits-per-second (Tbps) and 5 days and 18 hours respectively. The company stated that these figures are representative of the growing number, volume and intensity of network-type cyberattacks. It’s the result of organizations shifting to remote operations and the fact that workers’ reliance on the Internet has increased.

Neustar’s role in providing navigation for internet requests (via its global UltraDNS network) and in detecting and mitigating threats (through its UltraDDoS Protect service) has given the company a front-row seat from which to observe macro cyberattack trends.

DDoS Attacks: Increasingly Intense and Sophisticated

Large DDoS attacks are bigger, more intense, and happening in greater numbers than ever before. There has been a noticeable spike in large attacks across the industry, most notably the 2.3 Tbit/s attack targeting an Amazon Web Services (AWS) client in February this year – the largest volumetric DDoS attack on record.

Neustar saw the total number of attacks increase by over two and a half times during January through June of 2020 compared to the same period in 2019. The increase was felt across all size categories, with the biggest growth happening at opposite ends of the scale. The number of DDoS attacks sized 100 Gbps and above grew a whopping 275%. The number of very small attacks, sized 5 Gbps and below, increased by more than 200%. Overall, small attacks sized 5 Gbps and below represented 70% of all attacks mitigated by Neustar between January and June of 2020.

“While large volumetric attacks capture attention and headlines, bad actors increasingly recognize the value of striking at low enough volume to bypass the traffic thresholds that would trigger mitigation to degrade performance or precision target vulnerable infrastructure like a VPN,” said Michael Kaczmarek, Neustar Vice President of Security Products. “These shifts put every organization with an internet presence at risk of a DDoS attack – a threat that is particularly critical with global workforces reliant on VPNs for remote login. VPN servers are often left vulnerable, making it simple for cybercriminals to take an entire workforce offline with a targeted DDoS attack.”

Rise in Smaller DDoS Attacks

The rise in smaller DDoS attacks has been matched by increases in attack sophistication and intensity. 52% of threats mitigated by Neustar leveraged three vectors or more, with the number of attacks featuring a single vector essentially nonexistent. Neustar also tracked new amplification methods and attacks of higher intensity targeted at critical pieces of web infrastructure. The previous high-water mark of 500 millions-of-packets-per-second (Mpps) was topped this year, with an attack of over 800 Mpps recorded.

“The dependency and growth in online communications since COVID-19 has fundamentally changed what organizations must do to succeed,” said Brian McCann, President, Neustar Security Solutions. “There is no one-size-fits-all solution for cybersecurity, but having a reliable cloud service that ensures availability and security for all services and users has proven to be a critical difference between barely surviving and thriving in this rapidly changing environment.”

Impact of COVID-19 on Cyberthreats

The precipitous rise in DDoS attacks mirrors the growth in Internet traffic seen during the pandemic, stated Neustar. Internet use is up between 50% and 70% and streaming media rose more than 12% in the first quarter of 2020. This has meant that attackers of all types, whether serious cybercriminals or bored teenagers stuck at home, have had more screen time to be disruptive.

In a study of one of the largest cybercrime sites by Cambridge University’s Cybercrime Centre, they found that the number of attacks enacted by the website went up sharply at the start of the pandemic and associated lockdown. They also found that instead of existing cybercriminals staging more attacks, it was new attackers driving the increase in DDoS attacks.

The corresponding attacks, like Internet traffic, have not been evenly spread across all websites. It’s well known that ecommerce and gaming websites have received a lot of negative attention from hackers, but there are other industries that have been hit hard by cybercriminals over the last six months.

Healthcare organizations contain sensitive patient information and a growing number of IoT devices that are easily exploited. Combined with the additional pressure of the pandemic, hospitals have become some of the most desirable targets for cybercriminals.

Michael Kaczmarek
“VPN servers are often left vulnerable, making it simple for cybercriminals to take an entire workforce offline with a targeted DDoS attack,” said Michael Kaczmarek, Vice President of Security Products, Neustar.

Industries that have seen a lot of growth during the pandemic, like online gambling, have also been ripe for cyberthreats. Most notably, online video has seen an incredible rise in both usage and DDoS attacks. Omdia has reported an additional 200 billion hours of Netflix viewing or Zoom video calls over initial 2020 forecasts. Where traffic rises, so too do DDoS attacks. Neustar attack mitigations for this vertical increased by 461% over the last six months.

“While 2020 has brought radical changes in behavior to consumers and criminals alike, it is naïve to assume that actions of either audience will revert completely to pre-pandemic norms after this crisis passes,” added Michael Kaczmarek. “Mitigating these increasingly sophisticated DDoS attacks will continue to be a necessary part of doing business online. At a time when many organizations could do with less worry, fully managed services can take the pressure off and ensure critical digital assets are safe and secure.”

The report commissioned by Neustar highlights several emerging attacker tactics seen across the industry. This includes an increase in burst and pulse DDoS attacks and a broadening abuse of built-in network protocols such as ARMS, WS-DD, CoAP and Jenkins to launch DDoS amplification attacks. These can be carried out with limited resources and cause significant disruptions. With NXNS attacks targeting DNS servers and RangeAmp attacks targeting Content Delivery Networks (CDNs). Ad also a resurgence of Marai-like malware capable of building large botnets through the exploitation of poorly secured IoT devices.

A complimentary copy of Neustar’s CyberThreats and Trends Report 1H 2020 is available here.