Expert Blog: Attackers Use Cloud for DDoS

Author: Mark Dehus, Director of Threat Intelligence at Black Lotus Labs (Lumen)

Lumen Technologies has repelled one of its largest-ever distributed denial of service (DDoS) attacks: a 1.06 terabits per second (Tbps) attack that was part of a wider campaign against a single victim. The target did not go offline despite the scale and sophistication of the planned DDoS attack.

The unsuccessful assault was not just huge; it was also part of a wider campaign in which the threat actor tried a variety of approaches. Our study highlights these DDoS strategies as emerging trends for the second quarter. In this article, I will describe some of the trends that were also noted in our recently published Q2 2022 DDoS Report.

Trend #1: Leveraging the Cloud

  • Attackers fraudulently obtain cloud-based services to greatly increase their attack capacity.
  • To carry out this sort of assault successfully, cybercriminals use compromised hosts or anonymizing services to conceal their acquisition and control of cloud-based services. The attacker then takes advantage of the cloud providers' capacity to perform volumetric assaults against the target victims.

Trend #2: Hit-and-Run

  • Black Lotus Labs analysis showed that the 1.06 Tbps assault was one component of a broader, 12-minute-long operation. The threat actor tried to use a number of ‘hit-and-run’ assaults as the starting point for the incident. With this method, victims are frequently the targets of a series of brief attacks that may be carried out concurrently or consecutively. Threat actors use these assaults to evaluate a potential victim’s defenses and ascertain which attack strategies, if any, will be effective.
  • In Q2, Lumen mitigated one campaign for a total of 21 days and 8 hours.
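As an added illustration of the pattern described above (example code, not Lumen's own tooling), the following Python detector separates a hit-and-run probing series (several short bursts, more than one vector, inside a 12-minute window) from a single sustained flood. The per-second telemetry format, the thresholds and the 203.0.113.x targets are constructed for the example.

```python
from collections import defaultdict

BURST_GBPS = 50.0          # volume treated as attack traffic (assumed threshold)
MAX_BURST_SECONDS = 120    # anything longer is a sustained flood, not a probe
WINDOW_SECONDS = 12 * 60   # campaign window, matching the 12-minute operation
MIN_BURSTS = 3             # how many short bursts make a probing series

def parse_samples(lines):
    """Group constructed '<epoch> <target> <vector> <gbps>' lines per target."""
    per_target = defaultdict(list)
    for line in lines:
        ts, target, vector, gbps = line.split()
        per_target[target].append((int(ts), vector, float(gbps)))
    for samples in per_target.values():
        samples.sort()
    return per_target

def find_bursts(samples):
    """Collapse consecutive above-threshold seconds into (start, end, vectors)."""
    bursts, current = [], None
    for ts, vector, gbps in samples:
        if gbps < BURST_GBPS:
            current = None            # a quiet second closes the running burst
            continue
        if current is None or ts - current[1] > 1:
            current = [ts, ts, set()]  # new burst: start, end, vectors seen
            bursts.append(current)
        current[1] = ts
        current[2].add(vector)
    return [(s, e, frozenset(v)) for s, e, v in bursts]

def classify(bursts):
    """'quiet', 'sustained' (one long flood) or 'hit-and-run' (probing series)."""
    if not bursts:
        return "quiet"
    short = [b for b in bursts if b[1] - b[0] + 1 <= MAX_BURST_SECONDS]
    if len(short) < MIN_BURSTS:
        return "sustained"
    vectors = set().union(*(b[2] for b in short))
    within_window = short[-1][1] - short[0][0] <= WINDOW_SECONDS
    return "hit-and-run" if len(vectors) > 1 and within_window else "sustained"

def constructed_samples():
    """Constructed telemetry: one probed target and one under a steady flood."""
    lines = []
    probes = [(0, 30, "tcp-syn"), (90, 40, "udp-ampl"), (300, 25, "sip")]
    for start, length, vector in probes:
        lines += [f"{start + i} 203.0.113.10 {vector} 120.0" for i in range(length)]
    lines += [f"{i} 203.0.113.20 udp-ampl 300.0" for i in range(300)]
    return lines
```

Running `classify(find_bursts(parse_samples(constructed_samples())[target]))` labels 203.0.113.10 as hit-and-run and 203.0.113.20 as sustained; a real deployment would feed it flow or scrubbing-center telemetry in place of the constructed lines.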

Trend #3: VoIP Targeting Continues

  • Many researchers, including Lumen, started releasing information about an increase in assaults on VoIP companies around the end of last year. Session Initiation Protocol (SIP) was one attack vector that stood out in the Q2 2022 statistics. SIP assaults accounted for 1.84 percent of all mitigations, which, although a tiny percentage, constituted a 315 percent rise over Q1 2022 and a 475 percent increase over Q3 2021.
  • SIP assaults are less frequent than tried-and-true techniques, but they are said to be more precise than brute-force DDoS techniques like TCP SYN flooding and UDP-based amplification in their ability to disrupt VoIP services.

Large DDoS attacks launched through cloud and hosting providers pose a particular challenge because they put both the provider and the victim at risk. To prevent misuse of their services, cloud providers must exercise caution. Additionally, they must have mitigation techniques in place to lessen the effects in the event that a threat actor acquires unapproved or fraudulent access to resources.
