Cloudflare Sees Surge in Hyper-volumetric HTTP DDoS Attacks

Cyber Security Threat Summary:
"Cloudflare says the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter" (Bleeping Computer, 2023). A DDoS attack is a type of cyber attack that directs large amounts of traffic at hosted apps, websites, and online services in an attempt to overwhelm them and make them unavailable to legitimate visitors. In the third quarter of 2023, Cloudflare says it mitigated thousands of hyper-volumetric HTTP DDoS attacks. These are DDoS attacks that exceed 100 million requests per second (rps); the largest of them was three times larger than Cloudflare's previous record.

These attacks are made possible by exploiting a new technique named 'HTTP/2 Rapid Reset,' which threat actors have leveraged as a zero-day since August 2023. The company says HTTP/2 Rapid Reset attacks have been using VM-based botnets of 5,000-20,000 nodes instead of millions of weak IoT devices, with each node able to deliver a much more significant punch. Overall, Cloudflare reports a 65% rise in the aggregated volume of HTTP DDoS attack traffic in the last quarter and a 14% increase in L3/L4 DDoS attacks.
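The summary names HTTP/2 Rapid Reset but not what makes it cheap for the attacker: an HTTP/2 client may open a stream with a HEADERS frame and cancel it immediately with RST_STREAM, so the server's per-connection concurrent-stream limit never fills while the server still pays the cost of starting each request. The usual server-side mitigation is therefore to count client-initiated resets per connection and close connections that exceed a budget. The detector below is an added illustration of that idea, not Cloudflare's or any vendor's code; the frame events, connection names, window size and thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameEvent:
    """One client-sent HTTP/2 frame on a connection (constructed sample record)."""
    conn_id: str
    ts: float        # seconds since the connection was accepted
    frame_type: str  # "HEADERS" opens a stream; "RST_STREAM" cancels one


def count_resets_per_window(events, window=1.0):
    """Bucket frames per connection into fixed windows.

    Returns {conn_id: {bucket_index: [headers_count, reset_count]}}.
    """
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ev in events:
        bucket = int(ev.ts // window)
        if ev.frame_type == "HEADERS":
            buckets[ev.conn_id][bucket][0] += 1
        elif ev.frame_type == "RST_STREAM":
            buckets[ev.conn_id][bucket][1] += 1
    return buckets


def flag_rapid_reset(events, window=1.0, max_resets=100, min_ratio=0.8):
    """Return the set of connections showing the Rapid Reset pattern.

    A connection is flagged when, inside a single window, the client cancelled
    at least `max_resets` streams and those cancellations are at least
    `min_ratio` of the streams it opened in that window. An ordinary browser
    cancels a few streams now and then; it never cancels nearly everything
    it opens, hundreds of times per second. Thresholds are assumptions.
    """
    flagged = set()
    for conn_id, per_bucket in count_resets_per_window(events, window).items():
        for headers, resets in per_bucket.values():
            if resets >= max_resets and headers > 0 and resets / headers >= min_ratio:
                flagged.add(conn_id)
                break
    return flagged


def sample_events():
    """Constructed traffic: one browser-like connection and one abusive one."""
    events = []
    # Browser: 12 requests spread over 3 s, one cancelled (user navigated away).
    for i in range(12):
        events.append(FrameEvent("browser-1", i * 0.25, "HEADERS"))
    events.append(FrameEvent("browser-1", 2.9, "RST_STREAM"))
    # Abusive client: 600 streams opened and cancelled at once within 0.5 s.
    for i in range(600):
        t = i * (0.5 / 600)
        events.append(FrameEvent("bot-7", t, "HEADERS"))
        events.append(FrameEvent("bot-7", t + 0.0001, "RST_STREAM"))
    return events


if __name__ == "__main__":
    offenders = flag_rapid_reset(sample_events())
    for conn in sorted(offenders):
        # A real server would send GOAWAY and close the connection here.
        print(f"close connection {conn}: reset budget exceeded")
```

The per-window ratio matters as much as the raw count: a busy but honest proxy connection can open many streams per second, so resets alone would produce false positives, which is the same tuning problem the IDS bullet further down raises.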

Security Officer Comments:
While gaming and gambling entities were the most targeted by HTTP DDoS attacks, IT and internet services, cryptocurrency, software, and telecommunications were also heavily impacted. DDoS attacks have also been used by hacktivist groups and ransomware operators. While Cloudflare did not point to attacks against critical infrastructure, hacktivists known to leverage DDoS and web defacement attacks could begin using the new HTTP/2 Rapid Reset technique to carry out more impactful attacks against global adversaries. This is a concern as the U.S. navigates hacktivist activity coming from Russia, Palestine, and other adversaries.

Suggested Correction(s):
DDoS attacks constantly evolve as threat actors adapt and explore new techniques to circumvent modern defenses. Furthermore, hacktivist groups have increasingly used DDoS attacks to target political entities or a country's organizations that they are protesting.

The most effective defense strategy is a comprehensive, multi-layered approach that improves DDoS resilience. However, as new techniques emerge, organizations and security vendors will need to evolve their defense strategies.

DDoS attacks are difficult to defend against because it is hard to distinguish legitimate packets from malicious ones. Typically, DDoS attacks exploit either bandwidth limits or application vulnerabilities.

There are several methods to counter DDoS attacks:

Sinkholing: In this strategy, all incoming traffic is redirected to a "sinkhole" where it's discarded. However, this approach has a drawback as it eliminates both legitimate and malicious traffic, resulting in a loss of actual customers for the business.

Routers and Firewalls: Routers can help by filtering out nonessential protocols and invalid IP addresses, but they become less effective when a botnet employs spoofed IP addresses. Firewalls face similar challenges when dealing with IP address spoofing.

Intrusion-Detection Systems (IDS): These solutions employ machine learning to identify patterns and automatically block traffic through a firewall. While powerful, they may require manual adjustments to avoid false positives.

DDoS Mitigation Appliances: Various vendors offer devices designed to sanitize traffic through techniques like load balancing and firewall blocking. However, their effectiveness varies, as they may block legitimate traffic and allow some malicious traffic to pass through.

Over-provisioning: Some organizations opt for extra bandwidth to manage sudden traffic spikes during DDoS attacks. Often, this additional bandwidth is outsourced to a service provider who can scale up during an attack. However, as attacks grow in scale, this mitigation approach may become less cost-effective.

These methods represent different strategies organizations employ to defend against DDoS attacks, each with its advantages and limitations.
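The "Routers and Firewalls" method above, and its limitation, can be shown concretely. The filter below is an added example, not code from the original article or from any router vendor: it applies the two router-style checks the text describes, dropping packets whose source address could never legitimately arrive from the Internet and dropping protocols the edge does not serve. The bogon list is an illustrative subset, the allowed-service set is an assumption, and the packets are constructed from RFC 5737 documentation addresses. The last sample packet deliberately carries a spoofed but routable-looking source, which passes both checks; that is exactly why the text says these filters lose effectiveness against spoofing botnets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound packet (constructed sample record)."""
    src: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: Optional[int]  # None for protocols without ports


# Illustrative subset of source ranges that must never appear on the WAN side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network / unspecified
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # carrier-grade NAT
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Services this edge actually exposes (assumption); anything else is nonessential here.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def is_invalid_source(src: str) -> bool:
    """True when the source is unparsable or falls inside a bogon range."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return any(ip in net for net in BOGON_NETS)


def filter_packets(packets):
    """Apply the two router-style checks. Returns (accepted, dropped_with_reason)."""
    accepted, dropped = [], []
    for p in packets:
        if is_invalid_source(p.src):
            dropped.append((p, "invalid-source"))
        elif (p.proto, p.dport) not in ALLOWED_SERVICES:
            dropped.append((p, "nonessential-protocol"))
        else:
            accepted.append(p)
    return accepted, dropped


def sample_packets():
    """Constructed traffic mix using documentation address ranges."""
    return [
        Packet("203.0.113.10", "tcp", 443),    # ordinary client
        Packet("10.0.0.5", "tcp", 443),        # private source on the WAN side: spoofed or misrouted
        Packet("224.0.0.1", "udp", 53),        # multicast can never be a legitimate source
        Packet("198.51.100.7", "udp", 1900),   # SSDP: not a service this edge offers
        Packet("0.0.0.0", "tcp", 80),          # unspecified address
        Packet("not-an-ip", "tcp", 80),        # malformed source field
        Packet("198.51.100.42", "tcp", 80),    # spoofed but routable-looking: passes both checks
    ]


if __name__ == "__main__":
    accepted, dropped = filter_packets(sample_packets())
    for p, reason in dropped:
        print(f"drop {p.src} {p.proto}/{p.dport}: {reason}")
    for p in accepted:
        print(f"pass {p.src} {p.proto}/{p.dport}")
```

The accepted list shows the gap the text warns about: a router can reject what is provably invalid, but a spoofed address inside a legitimate public range looks like any other customer, so this layer removes only the crude part of a flood and has to be combined with the rate-based and upstream-scrubbing methods listed above.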