According to the latest figures from Cloudflare, extortion denial-of-service activity, also known as RDDoS (ransom distributed denial-of-service) attacks, has decreased in the first quarter of this year. During RDDoS attacks, threat actors strike a target firm with massive volumes of data to disrupt service. The perpetrator then wants payment to end the incident.
Threat actors have realized that triggering an outage can be a powerful incentive for many enterprises to pay a high price to get back online, especially those facing severe financial consequences from downtime. RDDoS attacks are carried out by threat actors distinct from ransomware gangs; the latter employ DDoS as an additional form of pressure on the target, on top of file encryption and the threat of publishing stolen data.
According to Cloudflare, ransom DDoS attacks have decreased dramatically in 2022, with just 17% of its DDoS-targeted clients reporting extortion in January, 6% in February, and 3% in March. That is a 28% drop year over year and a 52% drop compared to the fourth quarter of 2021, in which ransom DDoS attacks had peaked at 28% in the preceding month. The cause of the decline is unknown at this time.
Cloudflare predicts a 164% YoY increase in application-layer DDoS attacks based on emerging patterns in Q1 2022 data. The most notable trends in this category include a 5,086% QoQ rise in application-layer DDoS attacks on the consumer electronics industry and a 2,131% QoQ increase in attacks against online media companies.
Another disturbing new trend is the reflection-amplification approach, which we recently described as having moved beyond theory into active use. As described there, reflection attacks begin with a small packet that bounces around inside a closed network, growing with each bounce; once the practical upper limit is reached, the resulting volume of traffic is directed at the target.
The Lantronix Discovery Protocol, which is employed in many IoT devices, is an intriguing in-the-wild exploitation instance highlighted in Cloudflare’s report. Attackers send 4-byte queries to Lantronix devices that are publicly accessible, receiving a 30-byte response, resulting in a 7.5x amplification ratio. While this isn’t the most spectacular ratio we’ve seen recently, it still has the potential to be quite effective if massive swarms of devices are used in these attacks.
By spoofing the victim’s IP address as the source of their queries, attackers can direct the many resulting replies at the target, overwhelming it indirectly and without warning. Finally, Cloudflare reported a tremendous increase in volumetric DDoS attacks, with attacks above 100 Gbps increasing by 645% QoQ and attacks over 10 Mpps rising by over 300% QoQ.
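To make the two ideas above concrete from the defender’s side, here is an added example (not Cloudflare’s code or anything from its report) that computes the amplification factor from the request and reply sizes the article gives (4 and 30 bytes) and then runs a simple reflection check over constructed NetFlow-style records: a UDP source port from which many distinct hosts reply to a protected address that never sent them a request is the signature of replies triggered by spoofed queries. The flow records and the IP addresses are constructed for the example; the UDP port 30718 is not stated in the article and is assumed here to be the Lantronix discovery port, so treat it as a configurable value.

```python
from collections import defaultdict

# Request/reply sizes for Lantronix discovery as reported in the article.
# The port number is NOT in the article: 30718 is assumed to be the port
# Lantronix discovery answers on, and is kept as a single configurable value.
LANTRONIX_DISCOVERY_PORT = 30718
LANTRONIX_QUERY_BYTES = 4
LANTRONIX_REPLY_BYTES = 30

# Known reflector ports -> (name, query size in bytes) used to label findings.
KNOWN_REFLECTORS = {
    LANTRONIX_DISCOVERY_PORT: ("lantronix-discovery", LANTRONIX_QUERY_BYTES),
}

VICTIM_IP = "203.0.113.10"  # constructed TEST-NET-3 address for the protected host


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker must send.
    For the article's Lantronix figures this is 30 / 4 = 7.5."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def build_sample_flows():
    """Constructed flow records (not real traffic) in a NetFlow-like shape.
    'out' flows leave the protected host, 'in' flows arrive at it."""
    flows = [
        # Legitimate exchange: the host queried a resolver and got one answer back.
        {"dir": "out", "src": VICTIM_IP, "sport": 51515, "dst": "198.51.100.1",
         "dport": 53, "proto": "udp", "bytes": 60, "pkts": 1},
        {"dir": "in", "src": "198.51.100.1", "sport": 53, "dst": VICTIM_IP,
         "dport": 51515, "proto": "udp", "bytes": 120, "pkts": 1},
    ]
    # Reflected traffic: 20 devices answer discovery queries the host never sent.
    for i in range(1, 21):
        flows.append({"dir": "in", "src": f"192.0.2.{i}",
                      "sport": LANTRONIX_DISCOVERY_PORT, "dst": VICTIM_IP,
                      "dport": 40000 + i, "proto": "udp",
                      "bytes": LANTRONIX_REPLY_BYTES, "pkts": 1})
    return flows


SAMPLE_FLOWS = build_sample_flows()


def detect_reflection(flows, host_ip, min_sources=10):
    """Flag inbound UDP source ports where at least `min_sources` distinct
    hosts reply and none of those replies matches an outbound request from
    host_ip. Unsolicited replies from many hosts on one service port are the
    mark of requests that spoofed host_ip as their source address."""
    # Every (peer, peer_port) the protected host actually sent a UDP request to.
    requested = {(f["dst"], f["dport"]) for f in flows
                 if f["dir"] == "out" and f["src"] == host_ip and f["proto"] == "udp"}

    by_port = defaultdict(lambda: {"sources": set(), "bytes": 0, "pkts": 0,
                                   "flows": 0, "unsolicited": 0})
    for f in flows:
        if f["dir"] != "in" or f["dst"] != host_ip or f["proto"] != "udp":
            continue
        b = by_port[f["sport"]]
        b["sources"].add(f["src"])
        b["bytes"] += f["bytes"]
        b["pkts"] += f["pkts"]
        b["flows"] += 1
        if (f["src"], f["sport"]) not in requested:
            b["unsolicited"] += 1

    findings = {}
    for port, b in by_port.items():
        if len(b["sources"]) < min_sources or b["unsolicited"] != b["flows"]:
            continue  # either few peers, or the host really did ask them
        avg_reply = b["bytes"] / b["pkts"]
        name, query_bytes = KNOWN_REFLECTORS.get(port, ("unknown-udp-service", None))
        findings[port] = {
            "service": name,
            "sources": len(b["sources"]),
            "bytes": b["bytes"],
            "avg_reply_bytes": avg_reply,
            # Observed factor relative to the known query size, if we have one.
            "observed_factor": (amplification_factor(query_bytes, avg_reply)
                                if query_bytes else None),
        }
    return findings


if __name__ == "__main__":
    print("Lantronix amplification factor:",
          amplification_factor(LANTRONIX_QUERY_BYTES, LANTRONIX_REPLY_BYTES))
    for port, info in detect_reflection(SAMPLE_FLOWS, VICTIM_IP).items():
        print(f"reflected traffic on udp/{port}: {info}")
```

The check deliberately keys on the absence of a matching outbound request rather than on volume alone, because a legitimate burst of replies (the DNS exchange in the sample) still has an outbound flow explaining it; in production the same logic would read flow exports from a collector instead of the constructed list, and the known-reflector table would be extended with the other services the organisation sees.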
DDoS attacks aren’t starting to disappear; instead, they’re changing their forms, techniques, and traffic mixing gimmicks and returning to knock on the doors of vulnerable, poorly defended, and weak servers, as they have for many years.