Corero's DDoS report exposes attacker behaviour during pandemic

Corero Network Security has published the latest edition of its annual DDoS Threat Intelligence Report that compiles the trends, observations, predictions, and recommendations based on DDoS attacks against Corero customers during 2021.

The report, now in its 7th year, highlights that DDoS threats continue to grow in sophistication, size, and frequency. Yet 2021 also reveals changes in attacker behaviour since the start of the pandemic including an increase of 297% in the use of OpenVPN reflections as a means of DDoS attack.

As the report co-author and Corero CTO, Ashley Stephenson explains, “OpenVPN as a reflection DDoS vector isn’t just bad news for the victim being attacked, it is also a risk for the organisation whose OpenVPN infrastructure is being used to launch the attack as their own users will become collateral damage, suffering from a degraded or unusable service that impacts business continuity.”

The report also finds 97% of DDoS attacks were under 10Gbps, as low packet rate attacks continued to grow during 2021. It suggests this may be the result of attackers sending packets to a victim at lower rates to avoid easy detection. Stephenson adds, “Combined with the 82% share of short duration DDoS attacks, the intention is that these stealthier transient attacks will appear as legitimate traffic, bypassing simple security measures and succeeding in choking access to important downstream services or connections.” Frequency of repeat attacks also grew with a 29% increase in organisations who experienced a second attack within a week.

The report also provides constructive recommendations regarding DDoS protection. “With the 82% increase in shorter duration DDoS attacks there is a growing requirement to detect-and-block in real time, rather than relying on time-consuming and expensive traffic redirection to cloud solutions,” says Stephenson, “The advantage here is that that most of these attacks can be addressed by on-premises solutions, avoiding the disruption, risk and cost of re-routing customer traffic across the Internet to third party scrubbing centres.”

Looking towards 2022, Stephenson believes that the data from the report confirms that DDoS attackers continue to innovate, devising new threats and altering attack strategies , “Our SOC (Security Operations Centre) reports a net increase in the number of unique DDoS attack vectors seen in the wild and in the level of year-over-year DDoS activity,” he says, adding “Significant new DDoS threat alerts resulting from the TP240PhoneHome test feature and Hikvision SADP demonstrate that continuous development of new attack vectors is inevitable. Our data shows that 2021 attacks consisted of multiple new attack vectors layered on top of many known vectors that have been operating for some time – including those highlighted in the FBI “4-pack” alert from July 2020. Clearly DDoS prevention is an impractical strategy; you have to be using a combination of DDoS detection and mitigation to put up an effective defence.”

As the trend towards shorter duration, attacks utilising multiple vectors continues, Stephenson advises that “…as organisations plan their strategy for effective DDoS protection, they need to consider the relationship between time-to-mitigation and potential downtime.  The typical time to swing traffic to cloud DDoS protection means the shorter attack is over and the damage may already be done. Corero real-time DDoS solutions are key to providing the necessary fast, accurate and automatic mitigation.”

Stephenson summed up the report’s findings, “Although the report highlights the alarming and continued threat from DDOS attacks, Corero’s unique understanding of the nature of these attacks means we can help our customers to remain a step ahead of the DDoS threat and ensure their businesses can thrive in this dangerous environment.”