
Global DDoS attacks: What they are, how they work, and how to defend against them

03 Sep 2020

As many organisations around the world are being plagued by distributed denial of service (DDoS) attacks, some security firms and analysts are doing their best to untangle the attack web to find out who is behind the attacks.

In a bulletin that went out overnight from security firm Radware, those behind the attacks appear to be posing as well-known advanced persistent threat (APT) groups such as Fancy Bear, the Armada Collective, and the Lazarus Group. 

This backs up initial research from Akamai, which states that Fancy Bear and the Armada Collective may be behind the campaign. However, it is not totally clear if the groups are responsible for the attacks and it may be another threat group imitating well-known threat groups in order to make their attacks seem more threatening.

The global DDoS campaign is targeting thousands of organisations including internet service providers, finance companies, travel agencies, and companies in ecommerce. 

The attackers contact target organisations by email, naming the specific IP addresses or autonomous system numbers (ASNs) they will hit if the victim does not cooperate.

The attackers then demand a ransom of 10 Bitcoin (NZ$16,792); some demands have reached 20 Bitcoin (NZ$335,839).

If a targeted organisation does not pay, the attackers threaten DDoS attacks of up to 2 terabits per second (2Tbps), though most attacks so far have ranged between 50Gbps and 200Gbps. The ransom demand also increases by 10 Bitcoin each time a deadline passes without payment.

Radware says that it has seen evidence that the attackers will follow up on their initial ransom demand. They often cite examples of other attacks so that targets can search for other recent disruptions. The attackers then ask, "You don't want to be like them, do you?"

If targets refuse to pay, the attackers often launch DDoS attacks using a variety of methods, including UDP and UDP fragment floods, WS-Discovery amplification, TCP SYN floods, TCP out-of-state floods, and ICMP floods.

Akamai notes that the campaign is similar to one conducted in 2019 by a threat group appearing to imitate the APT Group called Cozy Bear.

Radware states that it is important that any organisation that receives a ransom demand should take the matter seriously, as attackers will more than likely follow through with DDoS attacks.

However, organisations should not pay the ransom demand and the DDoS attacks can be mitigated if the right protection is in place.

“These attacks are not at a level of complexity/amplitude that prevent mitigation if the right protection is in place. Radware has seen faster and better mitigation by leveraging hybrid always-on protection compared to asymmetric routed cloud protections,” the company states.

Akamai also urges targeted firms not to pay the ransom.

“We still believe that the actors conducting these extortion attacks are looking for a quick payout, with as little effort as possible on their part,” Akamai states.

Organisations should ensure they have:

  • Hybrid DDoS protection for on-premises and cloud environments. This protection must be able to defend against high-volume attacks and pipe saturation.
  • Behaviour-based detection. This blocks anomalous traffic while letting genuine traffic through.
  • Real-time signature creation to protect against known and unknown threats, including zero-day attacks.
  • A security emergency response plan. This helps the organisation deal with security incidents.
  • An intelligence feed that details threats. This data can help to protect against active and known attackers.
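The attack vectors listed earlier (UDP and UDP fragment floods, WS-Discovery amplification, TCP SYN, TCP out-of-state and ICMP floods) and the "behaviour-based detection" recommendation above can be illustrated together with a small detector. The code below is an added example, not code from the article, Radware or Akamai: it buckets flow records by vector, tracks TCP handshakes so that ACKs with no handshake behind them can be told apart from established traffic, and alerts when a bucket's per-second rate leaves a baseline learned from a quiet window. The flow-record format, the sample traffic (built from RFC 5737 documentation addresses) and the thresholds are constructed assumptions.

```python
"""Added example (not Radware's or Akamai's code): bucket flow records by the
DDoS vectors named in the article and alert when a bucket's per-second packet
rate leaves its behavioural baseline. Record format, sample traffic and
thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

WSD_PORT = 3702              # WS-Discovery (SOAP-over-UDP) port abused for amplification
WSD_AMPLIFIED_BYTES = 1000   # assumption: a reply this large from 3702 is an amplified one

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Flow:
    ts: int          # observation second
    src: str
    dst: str
    proto: str       # "tcp" | "udp" | "icmp"
    sport: int
    dport: int
    flags: str       # TCP flag letters ("S", "SA", "A", "PA", "R"); "" for non-TCP
    fragment: bool   # non-first IP fragment: no transport header present
    size: int        # bytes on the wire


def bucket(flow: Flow, handshaking: Set[FourTuple], established: Set[FourTuple]) -> str:
    """Map one flow record to one of the vectors named in the article."""
    if flow.proto == "icmp":
        return "icmp"
    if flow.fragment:
        return "udp_frag"
    if flow.proto == "udp":
        if flow.sport == WSD_PORT and flow.size >= WSD_AMPLIFIED_BYTES:
            return "wsd_amplification"
        return "udp"
    if flow.proto == "tcp":
        if flow.flags == "S":
            return "tcp_syn"
        tup = (flow.src, flow.sport, flow.dst, flow.dport)
        if tup in established:
            return "tcp_established"
        if tup in handshaking:
            return "tcp_handshake"
        return "tcp_out_of_state"    # ACK/RST/FIN with no handshake ever seen
    return "other"


def rates_by_bucket(flows: List[Flow]) -> Dict[str, Counter]:
    """Walk flows in time order, learning handshakes, and count packets per bucket per second."""
    handshaking: Set[FourTuple] = set()   # SYN seen; both directions stored
    established: Set[FourTuple] = set()   # client ACK completed the handshake
    rates: Dict[str, Counter] = defaultdict(Counter)
    for f in sorted(flows, key=lambda x: x.ts):
        fwd = (f.src, f.sport, f.dst, f.dport)
        rev = (f.dst, f.dport, f.src, f.sport)
        if f.proto == "tcp":
            if f.flags == "S":
                # A real sensor would expire these; spoofed SYNs never complete.
                handshaking.update((fwd, rev))
            elif f.flags == "A" and fwd in handshaking:
                handshaking.difference_update((fwd, rev))
                established.update((fwd, rev))
        rates[bucket(f, handshaking, established)][f.ts] += 1
    return rates


def detect(flows: List[Flow], quiet: range, watch: range,
           k: float = 3.0, floor: int = 5) -> Dict[str, List[int]]:
    """Per bucket, return seconds in `watch` whose rate exceeds max(mean + k*stdev over `quiet`, floor)."""
    alerts: Dict[str, List[int]] = {}
    for name, per_sec in rates_by_bucket(flows).items():
        base = [per_sec.get(s, 0) for s in quiet]
        threshold = max(mean(base) + k * pstdev(base), floor)
        hot = [s for s in watch if per_sec.get(s, 0) > threshold]
        if hot:
            alerts[name] = hot
    return alerts


def constructed_sample() -> List[Flow]:
    """Constructed traffic: 10 quiet seconds, then 3 seconds mixing the article's vectors."""
    target, flows = "192.0.2.10", []
    for s in range(13):   # legitimate background: one HTTPS session, a DNS reply, a ping
        c, p = "198.51.100.7", 40000 + s
        flows += [Flow(s, c, target, "tcp", p, 443, "S", False, 60),
                  Flow(s, target, c, "tcp", 443, p, "SA", False, 60),
                  Flow(s, c, target, "tcp", p, 443, "A", False, 52),
                  Flow(s, c, target, "tcp", p, 443, "PA", False, 500),
                  Flow(s, "198.51.100.53", target, "udp", 53, 51000, "", False, 120),
                  Flow(s, "198.51.100.9", target, "icmp", 0, 0, "", False, 84)]
    for s in range(10, 13):
        for i in range(50):   # SYN flood from many sources
            flows.append(Flow(s, f"203.0.113.{i}", target, "tcp", 1024 + i, 443, "S", False, 60))
        for i in range(30):   # ACKs with no handshake behind them (out-of-state)
            flows.append(Flow(s, f"203.0.113.{100 + i}", target, "tcp", 2000 + i, 443, "A", False, 60))
        for i in range(20):   # oversized replies arriving from the WS-Discovery port
            flows.append(Flow(s, f"203.0.113.{150 + i}", target, "udp", WSD_PORT, 33000 + i, "", False, 1400))
        for i in range(25):   # UDP fragment flood
            flows.append(Flow(s, f"203.0.113.{200 + i}", target, "udp", 0, 0, "", True, 1480))
    return flows


if __name__ == "__main__":
    for name, seconds in detect(constructed_sample(), range(0, 10), range(10, 13)).items():
        print(f"ALERT {name}: rate above baseline in seconds {seconds}")
```

The baseline is the behavioural part: each bucket's quiet-window mean plus three standard deviations (with a floor so that a bucket seen zero times in the quiet window does not alert on a single packet). On the constructed sample the SYN, out-of-state, WS-Discovery and fragment buckets alert in seconds 10 to 12, while the steady DNS, ICMP and established HTTPS traffic stays below threshold, which is the "block anomalies, let genuine traffic through" behaviour the recommendation describes. In production the per-second counters would come from NetFlow/IPFIX or packet capture, and the handshake table would need expiry to survive a SYN flood itself.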