Posted: 3 Min ReadExpert Perspectives

Multi-Vector DOS Attacks Turning into the New Normal

Attackers hammer the front door, while sneaking more surreptitious denial-of-service attacks through the mail slot

The attacks often start with an oldie but goodie: A flood of SYN packets requesting access to a particular server.

Magnified by bouncing traffic from intermediate systems—in what is known as an amplification attack—the flood of data's bandwidth climbs, quickly exceeding 10Mbps in about 10 percent of cases. Such an obvious threat gets the attention of the incident response team, who scrambles to shut down the attack and filter out the bad packets.

Yet, in all the noise, a few packets sneak by the defenses: Requests to the web server are often used. These application-layer attacks are aimed at hitting the web servers, causing them to crash.

Welcome to the current state of denial-of-service attacks: The use of multiple techniques of DDoS attacks to get around current defenses. These sorts of multi-vector attacks have become a common strategy among attackers.

The attacks end as they begin: Quickly. Within a few minutes, for the average attack, the flood slows, and then stops. The operations team reboots the server, causing minutes of downtime, if not longer. Soon after, another attack will target the system, repeating the cycle.

The overall strategy is to keep incident responders off balance. Companies that protect the edge of their network with a DDoS mitigation service will find application-layer attacks sneaking in to crash certain servers. Companies that focus on filtering out malicious packets will find themselves overwhelmed by amplification attacks.

Attackers are often changing methods mid-step, using several different types of packets simultaneously. So even if you do adapt, that expends more labor as an organization’s incident response time takes more time.

A common combination of attacks is using some mix of amplification and more traditional attacks. The single, large, one-off attack is quickly becoming extinct with companies suffering multiple network-layer attacks and, increasingly, more than one application-layer attack. Meanwhile, the challenge becomes that much more fraught as victims also have to deal with legitimate answers from legitimate services, which causes even more confusion.

The Mirai botnet is fueled by a program that has more than 10 different types of denial-of-service attacks, which attackers can chain together to confuse defenders. With the source code in the public domain, anyone with the wherewithal can quickly compromise thousand or tens of thousands of Internet-of-Things devices and send a custom flood of data at their target, said Eric Chien, technical director with Symantec.

Gamers, a big source of denial-of-service attacks, are combining attacks using off-the-Internet software or services to take down their online rivals. While the attacks are fairly simple, combining them is more effective.

"These attacks are not necessarily tailored in the sense of reverse engineering the game protocol," Chien said. "They are tailored in the sense that they are hitting a particular, known game server."

There are a variety of common mixes of attacks, according to Nexusguard.

Creating a blended UDP flood and using amplification by sending requests to Network Time Protocol (NTP) servers, results in large bandwidth responses sent to the targeted IP address.

Other attacks may use internet-of-things devices to send large bandwidth floods at specific targets and then use a subtler attack to accomplish the primary goal—whether interrupting service or some other form of attack.

"Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected," according to the Symantec advisory following last year's massive Mirai attacks. It noted that, "attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords."

Defending against multi-vector attacks will require a multi-threaded approach that can handle both application-layer and network-layer attacks. In addition, companies will need to have a well-trained DDoS incident response team, or such a team on call. Increasingly, this is becoming the new normal.


If you found this information useful, you may also enjoy:

Mirai: What You Need to Know

Combat Advanced Malware With Security and Threat Protection Designed for the Cloud Generation


About the Author

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for two decades. He has covered cybercrime and security technology for almost two dozen publications.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.