Study: YoY Increase of 400% in OpenVPN Reflections as an Attack Vector

DDoS threats are growing in sophistication, size, and frequency, according to Corero Network Security’s latest annual DDoS research. Yet 2020 also reveals changes in attacker behavior during the pandemic, including a year-over-year increase of nearly 400% in the use of OpenVPN reflections as an attack vector.

“OpenVPN as a reflection DDoS vector is bad news for the victim being attacked but also for the organization whose OpenVPN infrastructure is being used to launch the attack,” said report co-author Ashley Stephenson, Chief Technology Officer (CTO) at Corero. “For their remote workers will suffer from a degraded, or possibly unusable, service, impacting productivity and, potentially, business continuity.”

The report also finds a 70% growth in DDoS attacks over 10Gbps, as high packet rate attacks grew overall during 2020, compared to slight declines in 2019. The report suggests this is due to the increasing shift to 100Gbps Internet connectivity, and it is accompanied by a trend toward more everyday DDoS attacks larger than 10Gbps. The frequency of repeat attacks also grew, with a 68% increase in organizations experiencing a second attack within a week.

FBI Alert: Built-in Network Protocols DDoS attacks

The report does have some constructive recommendations regarding DDoS protection. “With a 2020 estimate that 99% of observed attacks are coming in below link saturation there is a real opportunity to detect and block many DDoS attacks in real time without requiring expensive and time-consuming traffic redirection to cloud solutions,” said Ashley Stephenson. “This means that most DDoS attacks can be addressed by on-premises solutions without the disruption, risk or cost of re-routing customer traffic across the Internet to third party scrubbing centers.”

Looking towards 2021, Mr. Ashley believes the data from the report shows that DDoS attacks and threats are not going away anytime soon.

“Once again we are reporting a net increase in the number of unique DDoS attack vectors seen in the wild and in the level of year-over-year DDoS activity,” added Mr. Stephenson. “The specific example of the mid-year FBI alert regarding the malicious use of built-in network protocols for DDoS attacks demonstrates that development of new vectors is inevitable. Yet our data shows that these exploits were already being used in attacks before the FBI alert and their use continues to grow to this day. Prevention is an impractical strategy; detection and mitigation continue to be the only defense.”

As the trend towards short duration, high intensity attacks using multiple vectors continues, Mr. Ashley advises that “…as organizations plan their strategy for effective DDoS protection, the relationship between time-to-mitigation and potential downtime is a vital consideration. Organizations must consider that the typical time to swing traffic to cloud DDoS protection means the attack is often already over and the damage may be done.”

Automatic DDoS Protection Solutions

Corero Network Security is a global provider of real-time, high-performance, automatic DDoS protection solutions. Service and hosting providers, alongside digital enterprises across the globe, rely on Corero’s cybersecurity technology to eliminate the threat of Distributed Denial of Service (DDoS) attacks. Corero provides automatic attack detection and mitigation, coupled with network visibility, analytics and reporting.

Headquartered in Amersham, UK, the company’s key operational centers are located in Marlborough, Massachusetts, USA and Edinburgh, UK. Corero is also listed on the London Stock Exchange’s AIM market under the ticker CNS.
