Sporting events are irresistible targets for DDoS attacks
Global sporting events have always been a world stage, showcasing not only athletic brilliance but also the vision and appeal of the host country. Just putting on a modern, successful global sporting event now costs hundreds of billions in investment – and with that high cost and notoriety inevitably comes unwanted attention from cybercriminals.
For nearly two decades, threat actors have increasingly used Distributed Denial-of-Service (DDoS) attacks to target events such as the FIFA World Cup games that will be hosted in Qatar later this year. Although not a new phenomenon, DDoS attacks can cause major disruption to fans, athletes and companies invested in their results by attacking the digital infrastructure necessary to reach global viewing audiences, from telecommunications to digital scoring and video streaming.
London’s 2012 Summer Games saw repeated DDoS attacks, including a 40-minute attack on the central venue’s power systems likely meant to disrupt the opening ceremony. Football’s biggest global event in 2014 was attacked by the notorious hacker group Anonymous, and the 2016 Summer Games in Rio de Janeiro were targeted by a large-scale attack by a DDoS-for-hire service known as LizardStresser, which started just before the opening of the games and escalated significantly after the games started. Finally, the last Summer Games in Tokyo in 2020 were heavily targeted with reports of more than 450 million attacks.
Geopolitical unrest plays a major role in bad actor activity, and the Cyber Threat Alliance (CTA) notes that nation-state actors pose the greatest threat to international sporting events. From the host country to the Games Committee, sponsors and even individual competing nations and athletes, it is important to have a strong position for cyber security. Information sharing and collaboration with commercial providers, such as telecommunications companies and internet providers, is particularly important, because these organizations are often on the front lines of experiencing and stopping cyber attacks, which are increasing in frequency and severity.
The current state of DDoS attacks
Just as the emergence of COVID-19 led to changes in how threat actors launched attacks, the return to work and school that began in the second half of 2021 resulted in more changes on the part of malicious actors.
Threat actors launched two direct-path packet flood attacks of more than 2.5 terabits per second using server-based botnets in the second half of 2021. These are the first terabit-class, direct-path DDoS attacks that have been identified, and they signal that changes are underway in the attacker’s strategy.
At one time, attackers were limited in their ability to carry out attacks with limited bandwidth and the tools they used. But that is far from the case today. In fact, attackers can use DDoS-for-hire services to completely bypass the technical knowledge needed to launch a massive DDoS attack. Moreover, they continue to use established direct-path DDoS attack mechanisms, such as SYN, ACK, RST, and GRE floods, using high-powered servers with high-speed network connections.
In terms of flood attacks, SYN flood was the most popular DDoS attack vector from 1996 to 2018, when it was overtaken by DNS reflection/amplification. This changed again in 2021 when direct DDoS attacks became the leader. We can see this through the sharp increase in ACK flood attacks against online credit card processors and other financial services organizations as reported in the first half of the 2021 NETSCOUT Threat Intelligence Report. Similarly, the 2H 2021 Threat Intelligence Report shows that SYN floods and ACK floods are the top two vectors for the second half of 2021. Although these attacks often target servers and applications, they can often reach their target by overwhelming stateful devices such as firewalls and load balancers.
One of the most important and far-reaching trends in the security landscape over the past decade has been the industry-wide push to implement strong encryption for websites, web applications, communications services, and just about anything else used online.
This wholesale move towards encryption for anything and everything has also been noted by attackers. The additional overhead required to process encrypted communications at scale often means that launching successful DDoS attacks against encrypted applications and services requires relatively fewer resources on the part of the attackers. Conversely, DDoS defense for encrypted applications and services also requires more resources from the defenders.
High-volume attacks on application layers launched over HTTP/S were prominent in this period. Attacks launched via Meris and Dvinis router-based botnets were reported, either originating directly from the bots themselves or being relayed through them using the SOCKS5 proxy functionality of the bots. Attacks of up to 17.2 million requests per second (Mrps) were reported, representing a significant new metric for application layer HTTP/S encrypted DDoS attacks.
Looking at a two-year snapshot of bandwidth and throughput in attacks targeting applications and services on TCP Port 443, we see significant trends toward more potent attacks.
Many organizations are affected when these attacks occur because they don’t just target a single victim. Certainly, Internet Service Providers (ISPs) need to prepare, but others, including sponsors, partners, transaction processors and more, could also be targeted.
Although traditional cloud-based DDoS protection solutions, including those offered by ISPs or CDNs, are designed to stop large volumetric DDoS attacks, they struggle to eliminate other types of DDoS attacks designed to evade their efforts. But in addition, due to the dynamic, multi-vector nature of the average modern DDoS attack, security teams must use both on-premises and a cloud solution with an intelligent and automated integration that offers the most comprehensive protection. Cloud-based mitigation therefore serves as an extension of local protection, which has capabilities intended to identify and mitigate attacks designed to bypass cloud-based solutions.
Industry analysts now understand that due to today’s increasing frequency and complexity of DDoS attacks, the need for a multi-layered hybrid defense strategy has become a requirement. New techniques such as adaptive DDoS that change vectors based on the defenses presented reinforce the need for local protection with its inherent agility and effectiveness for attack management.
Gary Sockrider, Director, Security Solutions, NETSCOUT