Attackers enlist cloud providers in large HTTPS DDoS hit

A recent large-scale DDoS incident shows how cyber criminals are switching up their tactics to conduct more sophisticated attacks

A massive HTTPS distributed denial of service (DDoS) attack against an undisclosed organisation has highlighted a new trend among attackers of exploiting large-scale cloud computing services to build their botnets, rather than compromising consumer endpoints and devices.

The attack against an unnamed Cloudflare customer, a cryptocurrency launchpad operator specialising in surfacing decentralised finance projects to potential investors, was thwarted earlier in April 2022. Although it lasted less than 15 seconds, it generated approximately 15.3 million requests per second (rps), making it one of the largest HTTPS DDoS attacks ever seen.

HTTPS DDoS attacks differ from other application-layer DDoS attacks because they require significantly more computational resources to establish a Transport Layer Security (TLS) encrypted connection.

Cloudflare’s Omer Yoachimik and Julien Desgats said it was noteworthy that the attack originated mostly from within datacentres, and that they were increasingly seeing a “big move” from residential network internet service providers (ISPs) to cloud compute ISPs.

In this instance, the top originating networks were those of Germany’s Hetzner Online, Colombia’s Azteca Comunicaciones and France’s OVH. The botnet comprised about 6,000 unique bots located in 112 countries, with 15% of the traffic originating from Indonesia, followed by Russia, Brazil, India, Colombia and the US.

Nasser Fattah, who chairs risk management firm Shared Assessments’ North American steering committee, said: “What makes this attack concerning is that the traffic is coming from datacentres, which are equipped with very large network bandwidth pipes, unlike residential homes.

“This enables DDoS attacks to scale to very large sizes, and the larger the attack the more difficult it is to protect against, which is good to know if these datacentres are looking at network consumption that is considerably spiking and deviating from the normal baseline.”

Rajiv Pimplasker, CEO of Dispersive Holdings, a multipath virtual private network (VPN) specialist, added: “The shift of the DDoS attack vector from ISPs to the datacentre and CSP environment is noteworthy, and indicative of the growing sophistication and organisation of such bad actors. While this mitigation approach can be effective, a more elegant strategy can be employed that shifts the protection to avoidance, which is far superior; a secure virtualised network fabric can deliver smart services from behind private firewalls and essentially be non-routable. This fundamentally avoids such attacks in the first place.”

While such an approach still leaves publicly routable transport nodes vulnerable to some types of DDoS, said Pimplasker, these resources can be obfuscated using managed attribution, with traffic dynamically rolled away from impacted resources. He said this would also make the target environment effectively self-healing even without active management or monitoring and avoidance – not just for HTTPS DDoS attacks but for other types, too.

Though correctly regarded as a relatively primitive tool in the cyber criminal arsenal, DDoS attacks continue to prove highly popular, likely because they are simple to carry out and require little expertise – indeed, DDoS botnets-for-rent can be obtained for very small sums of money.

A recent report from Kaspersky found that DDoS attacks hit an all-time high during the first three months of 2022, up 46% on the previous peak in the last three months of 2021. The use of advanced, targeted attacks also showed notable growth, as did the duration of DDoS sessions – the average attack now lasts 80 times longer.

“The upward trend was largely affected by the geopolitical situation [but] what is quite unusual is the long duration of the DDoS attacks, which are usually executed for immediate profit,” said Kaspersky security expert Alexander Gutnikov. “Some of the attacks we observed lasted for days and even weeks, suggesting they might have been conducted by ideologically motivated cyber activists.

“We’ve also seen that many organisations were not prepared to combat such threats. All these factors have caused us to be more aware of how extensive and dangerous DDoS attacks can be. They also remind us that organisations need to be prepared against such attacks.”