It's all quiet on the DDoS front, but don't get complacent: The lull is expected, said Kaspersky, and new attack vectors could spell a coming resurgence.
Kaspersky's quarterly DDoS attack report is one that its writers describe as "relatively calm," but don't let that statement fool you: There are still plenty of dangerous DDoS threats and new actors waiting for their moment to strike. Not only that, but the second-quarter lull is expected.
"There was a slight decrease in the total number of attacks compared to the previous quarter, which is typical for this period and is observed annually," said Kaspersky DDoS protection team business development manager Alexey Kiselev.
The expected calm doesn't mean there's time to take a break: Cybercriminals definitely aren't, with Kaspersky reporting two new potential DDoS attack vectors and a rise in DDoS attacks as a ransomware tool.
The first of the new attack vectors uses the Session Traversal Utilities for Network Address Translation (NAT), or STUN, protocol. Traditionally used to map internal IP addresses and ports from behind a NAT to external ones, STUN servers began to be abused early in 2021 as reflectors that amplify attack traffic. Kaspersky warned that more than 75,000 STUN servers across the globe are vulnerable to this type of DDoS attack and recommends that any organization using STUN take steps to protect itself before it is hit.
The second vector Kaspersky mentioned is a DNS bug called TsuNAME. It functions by exploiting errors in authoritative DNS server configuration that cause certain domains to point at each other, resulting in an endless request loop that floods the server and renders it useless.
While no attackers have exploited the TsuNAME vector yet, it could give a boost to DDoS attacks targeting DNS servers, like the one that took Microsoft services offline in April. Kaspersky provided remediation steps for TsuNAME as well: It said that authoritative DNS server owners should "regularly identify and fix such configuration errors in their domain zone, and owners of DNS resolvers to ensure detection and caching of looped requests."
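The configuration check Kaspersky recommends can be automated. The following is an added example (not Kaspersky's tooling or anything from the report) that reads a constructed table of zones and their NS hostnames, treats a nameserver as resolvable when it is in-bailiwick (assumed to have glue at the parent) or lies outside every zone the owner manages, and flags any zone whose nameservers all depend on each other in a loop of the kind the TsuNAME bug exploits.

```python
from typing import Dict, List, Optional, Set

# Constructed sample: zone -> its NS hostnames, as a zone owner might export
# them. example-a and example-b point at each other (every nameserver of
# one lives inside the other), which is the looping misconfiguration the
# article describes. example-c and provider are healthy.
SAMPLE_DELEGATIONS: Dict[str, List[str]] = {
    "example-a.test": ["ns1.example-b.test", "ns2.example-b.test"],
    "example-b.test": ["ns1.example-a.test"],
    "example-c.test": ["ns1.example-c.test", "ns.provider.test"],
    "provider.test": ["a.gtld-servers.test"],
}


def parent_zone(hostname: str, known_zones: Set[str]) -> Optional[str]:
    """Return the managed zone that contains `hostname`, or None when the
    name sits outside every managed zone (resolved via someone else)."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known_zones:
            return candidate
    return None


def unresolvable_zones(delegations: Dict[str, List[str]]) -> List[str]:
    """Return zones no resolver can reach because every NS hostname must be
    looked up through another zone that, directly or indirectly, depends
    on this one again. A single nameserver that escapes the loop (in-bailiwick
    with glue, or hosted under an unrelated zone) makes the zone resolvable,
    so the check is a fixed-point over that escape condition."""
    zones = set(delegations)
    resolvable: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for zone, ns_hosts in delegations.items():
            if zone in resolvable:
                continue
            for host in ns_hosts:
                dep = parent_zone(host, zones)
                # dep is None: external nameserver; dep == zone: in-bailiwick
                # (glue assumed); dep already resolvable: chain terminates.
                if dep is None or dep == zone or dep in resolvable:
                    resolvable.add(zone)
                    changed = True
                    break
    return sorted(zones - resolvable)


if __name__ == "__main__":
    for z in unresolvable_zones(SAMPLE_DELEGATIONS):
        print(f"looped delegation: {z} -> {SAMPLE_DELEGATIONS[z]}")
```

Adding one nameserver outside the loop to either zone (for instance a host under provider.test) clears both findings, which is the fix the report asks authoritative server owners to apply.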
DDoS attacks as a part of the ransomware arsenal have been gaining momentum as well, Kaspersky said. A cybercriminal group calling itself Fancy Lazarus (it is not believed to be a state-sponsored APT) launched multiple attacks against U.S.-based targets using DDoS attacks, and operators of the Avaddon ransomware used the threat of DDoS attacks along with file encryption to extort a ransom from Australian company Schepisi Communications.
DDoS attacks decreased by 38.8% compared to Q2 2020 and by 6.5% compared to Q1 2021, but, as mentioned above, those numbers are expected. Kiselev said that a key factor in predicting the third quarter and beyond is cryptocurrency prices, which he said have remained consistently high. With that in mind, Kiselev said, "in the third quarter of 2021, we also do not see any prerequisites for a sharp rise or fall in the DDoS attack market."