In the first quarter of 2023, hyper-volumetric DDoS (distributed denial of service) attacks shifted from using compromised IoT devices to using compromised Virtual Private Servers (VPS). Internet security firm Cloudflare reports that the newest generation of botnets has steadily moved away from assembling massive swarms of weakly configured IoT devices and is instead exploiting unprotected and misconfigured VPS servers.
“The new generation of botnets uses a fraction of the amount of devices, but each device is substantially stronger,” Cloudflare explains in the report. “Cloud computing providers offer virtual private servers to allow start-ups and businesses to create performant applications. The downside is that it also allows attackers to create high-performance botnets that can be as much as 5,000x stronger.”
This approach makes it simpler, and often faster, for threat actors to build high-performance botnets that can be up to 5,000 times more powerful than IoT-based ones. To counter these VPS-based threats, Cloudflare has been working with major cloud computing providers and partners, and says it has successfully taken down sizable portions of these newer botnets.
Regarding overall DDoS activity, Cloudflare reports that attack volume was stable in the first quarter of the year, with a notable 60% year-over-year rise in ransom DDoS attacks, which accounted for 16% of all reported DDoS attacks. These extortion-based attacks flood the target with junk traffic to disrupt service and continue until the victim meets the attacker’s demands.
Israel was the most-attacked country in Q1 2023 overall, followed by the US, Canada, and Turkey. The most targeted industries were internet services, marketing, software, and gaming/gambling. The largest attack Cloudflare encountered this quarter exceeded 71 million requests per second. Another notable event was a 1.3 terabit-per-second DDoS attack directed at a South American telecom company. Most attacks (86.6%) lasted under 10 minutes, and 91% did not exceed 500 Mbps.
The frequency of larger attacks is still increasing, though: attacks exceeding 100 Gbps rose by roughly 6.5% over the previous quarter. DDoS attacks take many forms. As defenses advance to counter them, attackers develop new techniques or revert to old ones that current protection systems no longer prioritize. Cloudflare observed the following trends during the quarter:
- A 1,565% QoQ increase in SPSS (Statistical Product and Service Solutions) based DDoS attacks. These are made possible by two vulnerabilities (CVE-2021-22731 and CVE-2021-38153) in the Sentinel RMS License Manager service, which are exploited to conduct reflection DDoS attacks.
- A 958% QoQ rise in DNS amplification DDoS attacks, in which attackers generate large volumes of traffic by abusing weaknesses in DNS infrastructure.
- An 835% QoQ increase in GRE (Generic Routing Encapsulation) based DDoS attacks, in which attackers abuse the GRE protocol to saturate the victim’s network with erroneous queries.
DDoS attacks in Q1 2023 are growing larger and lasting longer while targeting a wide range of sectors. As a result, automated detection and mitigation are necessary for an effective defense.
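As an added illustration of the automated detection the article calls for (example code written for this page, not from Cloudflare's report or tooling), the script below classifies sampled flow records by destination and flags the three vectors listed above: DNS amplification answers arriving from many resolvers, reflection traffic from the Sentinel RMS License Manager port, and GRE (IP protocol 47) floods. The flow-record fields, the thresholds, and the sample records are all constructed for the example; the Sentinel RMS port (UDP 5093) is an assumption and should be checked against your own environment.

```python
"""Flag DNS amplification, Sentinel RMS reflection and GRE floods in flow logs.

Added example for this article; not Cloudflare's code. Field layout,
thresholds and sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (constructed field layout)
    src: str
    dst: str
    proto: int     # IP protocol number: 6 = TCP, 17 = UDP, 47 = GRE
    sport: int
    dport: int
    bytes: int
    packets: int


# Source ports of the reflection services named in the report. UDP 53 is
# DNS; 5093 is assumed here to be the Sentinel RMS License Manager port.
DNS_PORT = 53
SENTINEL_RMS_PORT = 5093
GRE_PROTO = 47

# Detection thresholds: constructed for this example, tune to your baseline.
MIN_REFLECTORS = 3            # distinct hosts answering one victim
MIN_AMP_BYTES_PER_PKT = 512   # large answers are the hallmark of amplification
MIN_GRE_PPS = 1000.0          # GRE packets per second toward one destination


def classify_flows(flows: Iterable[Flow], window_s: float = 10.0) -> Dict[str, List[str]]:
    """Group sampled flows by destination and return the attack vectors seen.

    Only traffic *toward* each destination is examined, so a verdict means
    that destination is receiving the vector, not sending it.
    """
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    verdicts: Dict[str, List[str]] = {}
    for dst, fl in by_dst.items():
        found: List[str] = []
        # Reflection/amplification: answers from a service port on many
        # distinct hosts, with an average packet size typical of big answers.
        for port, label in ((DNS_PORT, "dns_amplification"),
                            (SENTINEL_RMS_PORT, "sentinel_rms_reflection")):
            refl = [f for f in fl if f.proto == 17 and f.sport == port]
            if len({f.src for f in refl}) >= MIN_REFLECTORS:
                bpp = sum(f.bytes for f in refl) / max(1, sum(f.packets for f in refl))
                if bpp >= MIN_AMP_BYTES_PER_PKT:
                    found.append(label)
        # GRE flood: protocol-47 packet rate over the sampling window.
        gre_pkts = sum(f.packets for f in fl if f.proto == GRE_PROTO)
        if gre_pkts / window_s >= MIN_GRE_PPS:
            found.append("gre_flood")
        if found:
            verdicts[dst] = found
    return verdicts


# Constructed sample records (not real telemetry): three DNS reflectors
# returning large answers to 203.0.113.10, a GRE flood at 203.0.113.20, and
# ordinary HTTPS traffic to 203.0.113.30 that must not be flagged.
SAMPLE_FLOWS = [
    Flow(0.0, "198.51.100.1", "203.0.113.10", 17, 53, 40000, 3_000_000, 2000),
    Flow(0.5, "198.51.100.2", "203.0.113.10", 17, 53, 40001, 3_100_000, 2100),
    Flow(1.0, "198.51.100.3", "203.0.113.10", 17, 53, 40002, 2_900_000, 1950),
    Flow(0.0, "198.51.100.7", "203.0.113.20", 47, 0, 0, 9_000_000, 15000),
    Flow(0.2, "192.0.2.5", "203.0.113.30", 6, 52000, 443, 120_000, 150),
]

if __name__ == "__main__":
    for dst, vectors in classify_flows(SAMPLE_FLOWS).items():
        print(f"{dst}: {', '.join(vectors)}")
```

The reflector and bytes-per-packet checks are what separate amplification from a victim that simply makes many DNS queries: legitimate answers come from the resolvers the victim actually asked, at modest sizes, while amplified answers come from many unrelated hosts and are large. Feeding real flow exports (NetFlow, sFlow, VPC flow logs) into `Flow` records is the only adaptation needed.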