DDoS goes offline

A couple of years ago, research agencies and information security service providers began to report a decline in the number of DDoS attacks. But by Q1 2019 the same researchers were reporting a stunning 84% growth, and the numbers have kept rising ever since. Even the pandemic did nothing to calm things down; on the contrary, cybercriminals and spammers took it as an excellent signal to attack, and the volume of DDoS doubled.


We believe the era of simple, easy-to-detect DDoS attacks (and of the simple tools that could stop them) is over. Cybercriminals have learned to hide these attacks better and to carry them out with growing sophistication. The dark industry has moved from brute force to application-layer attacks. It takes serious orders to disrupt business processes, including entirely offline ones.

Breaking into reality

In 2017, a series of DDoS attacks on Swedish transport services caused lengthy train delays. In 2019, the sales systems of the Danish national railway operator Danske Statsbaner went down. As a result, ticket machines and automatic gates at the stations stopped working, and more than 15 passengers were left unable to go anywhere. In the same year, a powerful cyber attack caused a power outage in Venezuela.

The consequences of DDoS attacks are now felt not only by online users but also by people, as they say, IRL (in real life). While attackers have historically targeted only online services, they are now often tasked with disrupting any business operation. By our estimates, more than 60% of attacks today have such a goal, whether for extortion or unscrupulous competition. Transactions and logistics are especially vulnerable.

Smarter and more expensive

DDoS is still considered one of the most widespread and fastest-growing types of cybercrime. According to experts, from 2020 onward the number of attacks will only grow. This is attributed to several factors: an even greater shift of business online because of the pandemic, the development of the shadow cybercrime industry itself, and even the spread of 5G.

DDoS attacks once became “popular” because they were easy to deploy and cheap: a couple of years ago one could be launched for $50 per day. Today both the targets and the attack methods have changed, making attacks more complex and, as a result, more expensive. Prices starting at $5 per hour are still found in the price lists (yes, cybercriminals have price lists and tariff scales), but for a protected site they already demand from $400 per day, and the cost of “custom” orders against large companies reaches several thousand dollars.

There are currently two main types of DDoS attacks. The goal of the first is to make an online resource unavailable for a certain period of time. Attackers charge for these for the duration of the attack itself. In this case the DDoS operator is not concerned with any particular result; the client effectively pays up front for launching the attack. Such methods are quite cheap.

The second type is attacks that are paid for only when a certain result is achieved. These are more interesting. They are much harder to execute and therefore much more expensive, since the attackers have to choose the most effective methods to reach their goal. At Variti, we sometimes play entire chess games with cybercriminals, in which they instantly change tactics and tools and try to exploit several vulnerabilities at several levels at once. These are clearly team attacks, in which the attackers know perfectly well how to react to and counter the defenders' actions. Fighting them is not only difficult but also very costly for companies. For example, one of our clients, a large retail chain, kept a team of 30 people for almost three years whose sole task was to fight DDoS attacks.

According to Variti, simple DDoS attacks carried out purely out of boredom, for trolling, or out of dissatisfaction with a particular company currently account for less than 10% of all DDoS attacks (of course, unprotected resources may show different statistics; we look at our customers' data). Everything else is the work of professional teams. At the same time, three-quarters of all “bad” bots are sophisticated bots that most current market solutions find hard to detect. They mimic the behaviour of real users or browsers and introduce patterns that make it difficult to distinguish “good” requests from “bad” ones. This makes attacks less visible and therefore more effective.

Figure: data from GlobalDots

New DDoS targets

The Bad Bot Report from analysts at GlobalDots says that bots now generate 50% of all web traffic, and 17.5% of them are malicious bots.

Bots know how to make life difficult for companies in many ways. Besides taking sites down, they now also inflate advertising costs by clicking through ads, scrape prices in order to undercut them by a penny and lure buyers away, and steal content for all sorts of bad purposes (for example, we recently wrote about sites with stolen content that make users solve other people's captchas). Bots greatly distort business statistics, so decisions end up being made on incorrect data. A DDoS attack is often a smokescreen for even more serious crimes such as hacking and data theft. And now we see that a whole new class of cyber threats has appeared: the disruption of specific business processes of a company, often offline (insofar as anything can be completely “offline” nowadays). Especially often we see logistics processes and communications with customers break down.

"Not delivered"

Logistics business processes are key for most companies, which is why they are often attacked. Here are some of the attack scenarios possible in this case.

Not available

If you work in online commerce, you are probably already familiar with the problem of fake orders. During an attack, bots overload logistics resources and make goods unavailable to other buyers. To do this they place a huge number of fake orders, equal to the maximum quantity of the product in stock. These goods are then never paid for, and after a while they return to the site. But the damage is done: they were shown as "out of stock", and some of the buyers have already gone to competitors. This tactic is well known in the airline industry, where bots sometimes “sell out” all the tickets almost immediately after they go on sale. For example, one of our clients, a major airline, suffered such an attack organized by Chinese competitors. In just two hours, their bots booked 100% of the tickets for certain destinations.
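The fake-order scenario has a recognisable shape from the defender's side: a large share of a product's stock goes into unpaid holds within a short window, and those holds come from very few client sessions. The following is an added example (not Variti's code, and not from the article) that models that shape in two parts: holds that expire after a TTL, so "sold out" stock comes back automatically, and a sliding-window detector that alarms on concentrated unpaid holds while leaving a genuine rush from many distinct shoppers alone. The order model, SKU, stock level, session ids and thresholds are all constructed assumptions.

```python
"""Detecting inventory exhaustion by unpaid fake orders.

Added example, not Variti's code. Assumes a simple order model: every
order is either paid or holds stock until hold_ttl expires. All orders,
SKUs and session ids below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Order:
    ts: float        # seconds since an arbitrary epoch
    sku: str
    qty: int
    session: str     # client session id, deliberately not the IP
    paid: bool


STOCK = {"SKU-1": 100}   # constructed stock level


def available_stock(sku, orders, now, stock, hold_ttl=900.0):
    """Sellable quantity: stock minus paid orders minus unpaid holds younger than hold_ttl.

    Expiring holds is what limits the damage: stock "sold" by a bot that never pays
    comes back after hold_ttl instead of staying out of stock indefinitely.
    """
    held = 0
    for o in orders:
        if o.sku != sku:
            continue
        if o.paid or (now - o.ts) < hold_ttl:
            held += o.qty
    return max(stock[sku] - held, 0)


def detect_hold_exhaustion(orders, stock, window=120.0, share=0.5, max_sessions=5):
    """Alert when unpaid holds from few sessions consume a large share of a SKU.

    Returns a list of (sku, ts, share_held, sessions); at most one alert per SKU.
    A legitimate rush (many distinct sessions) does not trigger.
    """
    alerts = []
    unpaid = defaultdict(list)
    for o in orders:
        if not o.paid:
            unpaid[o.sku].append(o)
    for sku, evs in unpaid.items():
        evs.sort(key=lambda o: o.ts)
        start = 0
        for end, o in enumerate(evs):
            while evs[start].ts < o.ts - window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            held = sum(w.qty for w in win)
            sessions = {w.session for w in win}
            if held >= share * stock[sku] and len(sessions) <= max_sessions:
                alerts.append((sku, o.ts, round(held / stock[sku], 2), sorted(sessions)))
                break
    return alerts


# Constructed traffic: 20 ordinary orders over ten minutes, half of them paid ...
NORMAL = [Order(30.0 * i, "SKU-1", 1, f"user-{i}", paid=(i % 2 == 0)) for i in range(20)]
# ... followed by three sessions placing 60 unpaid orders within one minute.
BURST = [Order(1000.0 + i, "SKU-1", 1, ["bot-a", "bot-b", "bot-c"][i % 3], paid=False)
         for i in range(60)]
ORDERS = NORMAL + BURST
# A genuine flash sale: 60 unpaid holds in one minute, but from 60 different sessions.
FLASH_SALE = [Order(1000.0 + i, "SKU-1", 1, f"shopper-{i}", paid=False) for i in range(60)]

if __name__ == "__main__":
    print(detect_hold_exhaustion(ORDERS, STOCK))        # one alert, three bot sessions
    print(detect_hold_exhaustion(FLASH_SALE, STOCK))    # no alert
    print(available_stock("SKU-1", ORDERS, now=1100.0, stock=STOCK))   # during the burst
    print(available_stock("SKU-1", ORDERS, now=2000.0, stock=STOCK))   # after holds expire
```

The detector keys on sessions rather than source addresses for the reason the article gives later: the bots may well sit behind the same NAT as real customers. The hold TTL and the thresholds would be tuned to the real checkout flow.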

Sneaker bots

The next popular scenario: bots instantly buy up an entire product line, and their owners later resell it at an inflated price (an average markup of 200%). These bots are called sneaker bots, because the problem is well known in the fashion sneaker industry, especially for limited editions. Bots bought up new lines within minutes of their appearance while tying up the resource so that real users could not get through. This is a rare case of bots being written about in glossy fashion magazines. Resellers of tickets for popular events such as football matches use the same scenario.

Other scenarios

But that's not all. There is an even more complex version of attacks on logistics, one that threatens serious losses. It is possible when the service offers “payment on delivery”. Bots place fake orders for such goods, giving fake or even the real addresses of unsuspecting people. The company then incurs huge costs for delivery, storage and sorting out the details. Meanwhile the goods are unavailable to other customers and take up space in the warehouse.

What else? Bots leave fake bad reviews about products en masse, clog the “chargeback” function and block transactions, steal customer data, spam real buyers; there are many options. A good example is the recent attack on DHL, Hermes, AldiTalk, Freenet and Snipes.com. The attackers claimed that they were “testing DDoS protection systems”, and in the end they took down the company's business client portal and all of its APIs. As a result, there were major interruptions in the delivery of goods to customers.

Call tomorrow

Last year, the Federal Trade Commission (FTC) reported a doubling of complaints from businesses and users about spam and scam calls made by phone bots. By some estimates, they make up almost 50% of all calls.

As with DDoS, the goals of TDoS (mass bot attacks on phone lines) range from “pranks” to unscrupulous competition. Bots can overload contact centers and keep real customers from getting through. The method is effective not only against call centers with live agents, but also where AVR systems are used. Bots can also mass-attack other customer communication channels (chats, email), disrupt CRM systems, and even affect personnel management to some extent, since operators are overwhelmed trying to cope with the crisis. Such attacks can also be synchronized with a traditional DDoS attack on the victim's online resources.

Recently, a similar attack disrupted the 911 emergency service in the USA: ordinary people in dire need of help simply could not get through. Around the same time the Dublin Zoo suffered the same fate, with at least 5000 people receiving spam SMS messages urging them to call the zoo's phone number immediately and ask for a fictitious person.

There will be no Wi-Fi

Cybercriminals can also easily take down an entire corporate network. IP blocking is often used as a defense against DDoS attacks, but it is not only ineffective, it is also a very dangerous practice. An IP address is easy to discover (for example, through resource monitoring) and easy to replace (or spoof). Before joining Variti, some of our clients had cases where blocking a particular IP simply turned off the Wi-Fi in their own offices. In one case a client was “slipped” exactly the IP the attackers wanted him to block; he blocked it, cutting off access to his resource for users from an entire region, and did not notice for a long time because otherwise the resource worked perfectly.
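The two incidents above (an office losing its own Wi-Fi, a whole region cut off by one block) share a cause: an address was blocked on the strength of where the traffic appeared to come from, with no check on what else that address carries. As an added example, not Variti's code and not from the article, here is a guard that a block-list tool could call before accepting any IP block. It refuses addresses that overlap the organisation's own ranges, prefixes broad enough to cover a region, blocks with too little evidence, and addresses that also carry verified users' traffic (the signature of a shared NAT). The ranges, thresholds and request counts are constructed assumptions.

```python
"""A guard in front of an IP block list.

Added example, not Variti's code. Blocking by source IP can turn into
self-inflicted damage: the address an attacker lets you "discover" may be
your own office egress, or a carrier NAT shared by a whole region. The
ranges and thresholds here are constructed assumptions.
"""
import ipaddress

# Constructed: our own office/egress ranges (documentation prefixes). Never block these.
OWN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]
MIN_PREFIXLEN = {4: 24, 6: 64}   # refuse anything broader than a single /24 or /64
MIN_EVIDENCE = 50                # abusive requests needed before a block is even considered
MAX_GOOD_SHARE = 0.01            # above this, the address also serves real users (shared NAT)


def vet_block(candidate, bad_requests, good_requests):
    """Return (allowed, reason) for a proposed block of an IP address or prefix.

    bad_requests / good_requests are the counts observed from that address in the
    current window; "good" means requests by authenticated or otherwise verified users.
    """
    net = ipaddress.ip_network(candidate, strict=False)

    # 1. Never block ourselves (the "office Wi-Fi goes dark" failure).
    for own in OWN_RANGES:
        if net.version == own.version and (net.subnet_of(own) or own.subnet_of(net)):
            return False, f"refused: {net} overlaps own range {own}"

    # 2. Never block a prefix wide enough to cover a region.
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return False, f"refused: /{net.prefixlen} is broader than /{MIN_PREFIXLEN[net.version]}"

    # 3. Require real evidence; one planted address in a log is not enough.
    if bad_requests < MIN_EVIDENCE:
        return False, f"refused: only {bad_requests} abusive requests, need {MIN_EVIDENCE}"

    # 4. A shared address (NAT, proxy) carries legitimate users too; filter per request instead.
    total = bad_requests + good_requests
    if total and good_requests / total > MAX_GOOD_SHARE:
        return False, "refused: address also carries legitimate traffic; challenge per request instead"

    return True, f"ok: block {net}"


if __name__ == "__main__":
    for case in (("203.0.113.45", 1000, 0),        # our own egress
                 ("198.51.100.0/16", 1000, 0),     # a whole region
                 ("198.51.100.7", 10, 0),          # too little evidence
                 ("198.51.100.7", 900, 100),       # shared with real users
                 ("198.51.100.7", 500, 2)):        # the only case that passes
        print(case, "->", vet_block(*case))
```

The guard does not make IP blocking a good primary defence; it only keeps the obviously self-destructive blocks out of the list while the per-request filtering the article goes on to describe does the real work.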

What's new?

New threats require new security solutions. However, this new market niche is only beginning to take shape. There are many solutions that effectively repel simple bot attacks, but complex ones are not so simple. Many solutions still rely on IP-blocking techniques. Others need time to collect initial data before they can start, and those 10-15 minutes can become a vulnerability. There are machine-learning solutions that identify a bot by its behaviour. At the same time, teams on the “other” side boast that they already have bots whose patterns are indistinguishable from a real human's. Who is winning is unclear.

What do you do when you have to deal with professional teams of bot herders and complex, multi-stage attacks on several levels at once?

First, our experience shows that you need to focus on filtering illegitimate requests without blocking IP addresses. Complex DDoS attacks require filtering at several levels at once: the transport layer, the application layer and the APIs. This makes it possible to repel even low-frequency attacks, which are usually invisible and therefore often missed. And all real users must be let through even while the active phase of the attack is under way.

Secondly, companies need the ability to build their own multi-stage protection systems in which, alongside the DDoS-prevention tools, there are built-in systems against fraud and data theft, content protection, and so on.

Thirdly, these systems must work in real time from the very first request: the ability to respond instantly to security incidents greatly increases the chances of preventing an attack or reducing its destructive power.
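To make the first and third points concrete (per-request filtering at several layers, keyed on anything but the source IP, and decisions from the very first request with no warm-up period), here is an added example that is not Variti's code and not from the article. Each request is scored on a transport-level signal (whether the client keeps any session state), application-level signals (headers a real browser always sends) and an API-level signal (request rate per client, where the client is identified by its session token or, failing that, its TLS fingerprint). The outcome is allow, challenge or drop for that one request, so a NAT shared by a customer and a bot is never blocked as a whole, and sessions that have already passed a challenge are kept flowing during the attack. The request fields, thresholds and sample traffic are constructed assumptions.

```python
"""Per-request filtering at several layers, keyed on anything but the source IP.

Added example, not Variti's code. Field names, thresholds and the sample
traffic are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    ts: float
    session: str          # session cookie/token, "" if the client has none
    ip: str               # kept for logging only; never used for a decision
    path: str
    method: str
    headers: dict
    tls_fingerprint: str  # hash of the client's TLS handshake (constructed attribute)


class LayeredFilter:
    def __init__(self, window=60.0, api_limit=20, verified=()):
        self.window = window
        self.api_limit = api_limit             # API requests per client per window
        self.recent = defaultdict(deque)       # per-client request timestamps
        self.verified = set(verified)          # sessions that already passed a challenge

    def score(self, req):
        reasons = []
        # Transport layer: a client that keeps no session state at all.
        if not req.session:
            reasons.append(("no-session", 2))
        # Application layer: headers every real browser sends.
        for h in ("user-agent", "accept-language"):
            if h not in req.headers:
                reasons.append((f"missing-{h}", 1))
        # API layer: rate per client. The key is the session or the TLS fingerprint;
        # the IP never enters it, so a shared NAT is not penalised as a whole.
        key = req.session or f"fp:{req.tls_fingerprint}"
        q = self.recent[key]
        q.append(req.ts)
        while q[0] < req.ts - self.window:
            q.popleft()
        if req.path.startswith("/api/") and len(q) > self.api_limit:
            reasons.append(("api-rate", 3))
        total = sum(w for _, w in reasons)
        if req.session in self.verified:
            total -= 2   # real users keep flowing even during the attack's active phase
        return total, reasons

    def decide(self, req):
        """Decision for this single request; works from the first request, no warm-up."""
        total, _ = self.score(req)
        if total >= 4:
            return "drop"
        if total >= 2:
            return "challenge"
        return "allow"


def run(requests, verified=()):
    """Feed requests through one filter in time order and return the decisions."""
    f = LayeredFilter(verified=verified)
    return [f.decide(r) for r in sorted(requests, key=lambda r: r.ts)]


# Constructed traffic. A customer and a bot share one NAT address on purpose:
# IP blocking would have to choose between losing the customer and keeping the bot.
BROWSER = {"user-agent": "Mozilla/5.0 (constructed)", "accept-language": "en-GB,en;q=0.9"}
SHARED_IP = "198.51.100.10"
USER = [Request(float(t), "sess-user", SHARED_IP, "/api/cart", "POST", BROWSER, "fp-chrome")
        for t in range(5)]
BOT = [Request(10.0 + 0.2 * i, "", SHARED_IP, "/api/order", "POST",
               {"user-agent": "python-requests/2.x"}, "fp-script") for i in range(25)]
# An unverified but real-looking client that is simply very busy.
HEAVY_USER = [Request(float(t), "sess-heavy", SHARED_IP, "/api/cart", "POST", BROWSER, "fp-chrome")
              for t in range(25)]

if __name__ == "__main__":
    print(run(USER + BOT, verified={"sess-user"}))   # user allowed, bot challenged then dropped
    print(run(HEAVY_USER))                            # allowed, then challenged once over the limit
```

A busy but plausible client is challenged rather than dropped once it exceeds the API rate, which is the "let real users through" requirement in practice; a client with no session and no browser headers is challenged from its first request and dropped once it starts hammering the order API.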

Near future: reputation management and big data collection by bots

The history of DDoS has evolved from the simple to the complex. At first the attackers' goal was to stop a site from working. Now they find it more effective to target core business processes.

The complexity of attacks will keep growing; this is inevitable. In addition to what bad bots do now (data theft and falsification, extortion, spam), bots will collect data from a large number of sources (Big Data) and create “credible” fake accounts for influence operations, reputation management or mass phishing.

Currently, only large companies can afford to invest in DDoS and bot protection, and even they cannot always fully track and filter bot-generated traffic. The only positive side of bot attacks becoming more sophisticated is that it pushes the market to create smarter and better security solutions.

What do you think — how will the bot protection industry develop and what solutions are needed on the market right now?

Source: habr.com
