Report: Cybercriminals Use Cloud for DDoS Attacks

This syndicated post originally appeared at Zeus Kerravala, Author at eWEEK.

DDoS attacks continue to increase in frequency and size, creating risk for businesses and cloud providers.

Over the past couple of years there has been a significant focus on phishing, ransomware and other threats that attack online users. While this focus is certainly prudent given the rise in those types of activities, it’s important to not take your eye off more “traditional” type attacks, such as distributed denial of service (DDoS).

DDoS attacks have created havoc for security professionals for decades and show no sign of abating. In fact, the number of DDoS attacks and the size of them continue to rise.

In an effort to help quantify the threat, service provider Lumen recently published its most recent DDoS report. The quarterly study focused on the security landscape in the 2nd quarter of 2022, specifically distributed denial of service (DDoS) attacks, where cybercriminals attempt to disrupt users from accessing the internet.

Given the cloud first, mobile and hybrid work environment most businesses find themselves in, losing access to the Internet can cost companies millions, if not billions, of dollars.

Top targets: tech, telco and gaming

The data is collected from Lumen’s DDoS team and Black Lotus Labs threat research team and analyzed for key findings. In Q2 2022, Lumen mitigated 4,572 attacks. On average, the multinational tech company was mitigating 50 attacks daily, with April 8 and April 13 experiencing the highest number of attacks—111 and 108, respectively.

Attacks most frequently occurred on Tuesdays and Thursdays, and least frequently on Sundays. The top three targeted verticals in the 500 largest attacks included telecom, software and technology, and gaming.

During the quarter, Lumen mitigated one of its largest ever bandwidth attacks at 1.06 terabits per second (Tbps). The attack was part of a larger campaign targeting a gaming service hosted by a telco, which is a Lumen DDoS Mitigation Service customer. According to Lumen, the gaming service experienced no downtime, despite the attack’s size and complexity.

Hit and run attacks can fly under the radar

All activity occurred a week prior to 1 Tbps attack, which means the threat actor was testing various methods to determine the gaming service’s network defenses. These techniques are called out in the report as emerging “hit-and-run” attacks.

With this technique, victims are targeted with a series of consecutive or concurrent attacks that are small in both size and duration. Threat actors use the results of these early attacks to assess a company’s defenses and determine the attack method that will most likely lead to success.

Cloud services are now used to launch large scale attacks

Another interesting trend Lumen uncovered is an increase in attacks exploiting the cloud. Threat actors are using cloud-based services in a fraudulent way, either through compromised hosts or anonymizing services. Cloud providers’ resources are then leveraged to launch volumetric attacks against intended victims.

This creates an interesting scenario as it creates risk for both the cloud provider and the victim. While business need to be diligent in protecting against DDoS attacks, cloud providers must also ensure their services are not being abused.

In the report, Lumen offers tips to organizations that want to avoid cloud-related attacks, such as ensuring that accounts are protected by multifactor authentication. Services that are hosted in the cloud should also be kept up to date. If suspicious activity is detected, organizations should take steps to mitigate a potential attack, such as changing credentials and quarantining impacted hosts.

VoIP providers in the DDoS crosshairs

One trend that has continued from last year is a rise in attacks targeting VoIP providers. Lumen observed a 315 percent increase in session initiation protocol (SIP) attacks over Q1 2022, and a 475% increase over Q3 2021. SIP attacks affect VoIP infrastructure by overwhelming them with high traffic volume.

Overall, however, SIP attacks remain low compared to proven methods used to disrupt VoIP services like TCP-SYN flooding and UDP-based amplification.

Most organizations today use cloud applications to interact with customers and employees. Lumen recommends that organizations have DDoS mitigation in place to prevent threat actors from launching large-scale attacks. For example, monitoring network traffic not only helps detect an attack, but it can also show if the organization is being used as a proxy in an attack against someone else. Attack tactics are becoming more invasive and discreet; therefore, holistic protection is a must to ensure that business functions continue uninterrupted.

Beyond Corporate Infrastructure

DDoS attacks are not new, but they are changing. It’s not just the internal network that businesses must protect. The Lumen report highlights how threat actors are now moving beyond corporate infrastructure and extending their reach into cloud services, which businesses trust as being secure.

While cloud providers do an excellent job of thwarting attacks, they aren’t perfect and businesses need to have their own mechanisms to protect against this growing attack vector.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long term strategic advice.