Carpet bombing DDoS attacks spiralled in 2021

Neustar Security Services has released a report which details the ongoing rise in cyberattacks in 2021, with an unprecedented number of carpet bombing distributed denial of service (DDoS) attacks.

Carpet bombing, in which a DDoS attack targets multiple IP addresses of an organization within a very short time, accounted for 44% of total attacks last year, but the disparity between the first and second half of 2021 was stark. While carpet bombing represented 34% of total attacks mitigated in both Q1 and Q2, these attacks saw a big jump in the second half – representing 60% of all attacks in Q3, and 56% in Q4.

While the vast majority of attacks fell into the 25 gigabits per second (Gbps) and under size category, and the average attack was just 4.9 Gbps last year, 2021 saw many large-scale attacks as well. The largest measured 1.3 terabits per second (Tbps) and the most intense was 369 million packets per second (Mpps).

The longest-lasting attack clocked in at 9 days, 22 hours and 42 minutes although the majority of attacks were over in minutes. Nearly 40% of the unique attacks seen by the SOC in 2021 took place in the first three months of the year. The number dropped significantly in the second and third quarters before rebounding in the fourth quarter.

A mix of new vectors and old favorites

Attacks varied more widely in complexity than what has been observed in the past few years. Single vector attacks represented 54% of attacks in 2021 compared to 5% in 2020, showing an economy of effort from many attackers. At the same time, the number of highly complex attacks using four or more vectors increased, reaching a record 4% of total attacks, so when an attacker gets serious, they can make it much more difficult on defenders.

Botnets continued to play a key role in DDoS attacks in 2021, with security professionals uncovering new botnets and command and control (C2) servers every day. One of the year’s highest-profile new botnets was Meris, which uses HTTP pipelining to overwhelm web applications by bombarding websites and applications with massive numbers of requests per second. The SOC also saw a high level of reflection/amplification DDoS attacks, using both familiar vectors such as DNS and Remote Desktop Protocol (RDP) and a variety of new ones as well.

The report also details how web applications are under assault on a number of different fronts. Attacks against web services have risen in tandem with increased adoption of web applications, and web apps are by far the top hacking vector in breaches.

Ubiquitous DNS attacks

The domain name system (DNS) has long been a popular target for DDoS attacks, both as an amplification vector and as a direct target, as well as for other types of exploits. Common threats to DNS include attacks that deliver a bad answer to DNS queries (DNS hijacking, for example), attacks that prevent the DNS from answering queries (flood attacks or reflection/amplification attacks) and attacks that use DNS as a transport mechanism to convey information through firewalls (DNS tunneling). These attacks can be difficult to defend against without the appropriate technology and expertise, and rectifying problems can be time-consuming and costly.

According to a September 2021 Neustar International Security Council report, 72% of organizations surveyed had experienced at least one DNS attack in the previous 12 months, and the impact was significant in 58% of cases. The most common types of DNS attacks were DNS hijacking (experienced by 47% of organizations in the past 12 months), followed closely by DNS flood, reflection/amplification or other type of DDoS attack (46%), DNS tunneling (35%) and cache poisoning (33%).

Recommended deterrents

What can enterprises do to protect themselves in this continually evolving security environment? Four key measures are recommended, as Carlos Morales, SVP, Solutions at Neustar Security Services explains: “First, ensure that your DDoS defense is capable of managing the scale and complexity of the attack landscape and the protection includes your DNS infrastructure.

“Second, engage a vendor-neutral managed DNS service that can provide the deep expertise needed to ensure high performance and security. Third, with new vulnerabilities being discovered daily and limited resources to patch them all, you should consider virtual patching via your web application firewall (WAF), to prevent the exploitation of known vulnerabilities. Finally, consider a cloud-based WAF to augment your defenses against attacks on web apps, which remain the primary access point for data breaches.”