Blog · 23 Nov 2020

Don’t fall foul of evolving DDoS attacks

Since the Coronavirus pandemic, there’s been a steep rise in brute force attacks, email scams and distributed denial of service attacks.

Tim Haines, senior manager, intelligence production unit

The latest distributed denial of service (DDoS) threat

Because of the economic environment we’re in, organisations are hyper-dependent on digital communications to work, do business and stay connected to the supply chain they rely on. DDoS attacks, which target websites and online services and try to bring them down by flooding them with massive volumes of traffic, could, depending on where they hit, significantly impact your ability to do one or more of those things.

Companies in the retail and finance space are at a higher risk of experiencing these types of attacks and need to make sure they have the right security and mitigation solutions in place for such attacks.

Over the last three months, we’ve seen a big surge in the number of DDoS attacks. On occasion these DDoS attacks have come with ransom / extortion demands issued at the start of the attacks themselves. This has put DDoS firmly back in the spotlight for those affected and those at risk of being affected.

But even more disturbingly, in the last few days, we’ve seen an evolution in the kind of DDoS attack aimed at finance organisations across the globe.

These new DDoS attacks have taken the form of known amplification / reflection techniques:

  • Domain Name System (DNS) amplification – this kind of attack relies on publicly accessible open DNS resolvers, which answer small spoofed queries with much larger responses, to overwhelm a victim system with DNS response traffic
  • Network Time Protocol (NTP) amplification – this kind of attack is where publicly accessible NTP servers are exploited by the attacker to overwhelm the target with User Datagram Protocol (UDP) traffic
  • Connectionless Lightweight Directory Access Protocol (CLDAP) amplification – this kind of attack is where a CLDAP request is sent to an LDAP server with a spoofed sender IP address (the target’s IP). The server sends its bulked-up response to the target’s IP, reflecting the traffic onto the victim, whose systems can’t handle the huge amount of CLDAP data arriving at once.

The standout features of these new attacks, which differ from what we’ve seen before, include:

  • the simultaneous targeting of multiple known IP addresses of the target organisations
  • the size of the attack – with some of the attacks reaching over 150 Gbps and packet rates of over 1 million packets per second
  • the length of the attack – with attacks lasting much longer than usual.
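To make the traffic pattern described above concrete, here is an added detection example (not code from the post or from BT) that profiles constructed flow records, flags destinations receiving high-rate UDP traffic from the DNS, NTP and CLDAP reflector ports, and reports whether several addresses are being hit at the same time. The flow record format, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the post): "ts,src,sport,dst,dport,proto,packets,bytes".
SAMPLE_FLOWS = """\
1606089600,198.51.100.10,53,203.0.113.5,41234,udp,40000,180000000
1606089600,198.51.100.11,53,203.0.113.5,41234,udp,38000,171000000
1606089600,198.51.100.20,123,203.0.113.6,8080,udp,60000,30000000
1606089600,198.51.100.30,389,203.0.113.6,443,udp,25000,75000000
1606089600,192.0.2.7,443,203.0.113.5,51000,tcp,120,90000
1606089601,198.51.100.10,53,203.0.113.5,41234,udp,42000,189000000
"""

# UDP source ports of the reflection services named in the post.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP"}

def parse_flows(text):
    """Parse the CSV-style records into dicts with numeric fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "proto": proto, "pkts": int(pkts), "bytes": int(nbytes)})
    return flows

def reflection_profile(flows):
    """Per destination: peak pps/Gbps of UDP from reflector ports, services, reflectors."""
    per_sec = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # dst -> ts -> [pkts, bytes]
    meta = defaultdict(lambda: {"services": set(), "reflectors": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue  # ordinary traffic, e.g. the TCP/443 flow above
        bucket = per_sec[f["dst"]][f["ts"]]
        bucket[0] += f["pkts"]
        bucket[1] += f["bytes"]
        meta[f["dst"]]["services"].add(REFLECTOR_PORTS[f["sport"]])
        meta[f["dst"]]["reflectors"].add(f["src"])
    profile = {}
    for dst, buckets in per_sec.items():
        profile[dst] = {"peak_pps": max(p for p, _ in buckets.values()),
                        "peak_gbps": round(max(b * 8 / 1e9 for _, b in buckets.values()), 3),
                        "seconds": len(buckets), **meta[dst]}
    return profile

def flag_attack(profile, min_gbps=1.0, min_pps=50_000):
    """Destinations over either threshold, and whether several are hit at once."""
    targets = sorted(d for d, p in profile.items()
                     if p["peak_gbps"] >= min_gbps or p["peak_pps"] >= min_pps)
    return {"targets": targets, "multi_target": len(targets) > 1}
```

Thresholds are deliberately low for the sample data; in production they would be set relative to the link capacity and normal baseline, and the "seconds" count is what lets you spot the unusually long attacks the post mentions.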

The must dos of DDoS protection and mitigation

At BT, we have an unparalleled view of global security threats. This is because we not only get to see threats aimed at our own organisation, but also those aimed at our customers – who are based in every region and represent every sector. We also work collaboratively to share intelligence with agencies such as Interpol, Europol, the NCSC, etc. This gives us a real bird’s eye view of what is going on in the cyber threat world.

DDoS attacks are one of the most established threats from cybercriminals, but the fact that they’re getting more sophisticated whilst being cheaper to carry out is making them more attractive than ever, especially now that the Coronavirus pandemic has forced masses of employees to work remotely and most organisations weren’t prepared for this challenge.

Our recommendations include:

  • review your DDoS protection – be clear whether it’s always-on or activated on demand.
  • keep your software and hardware updated via a robust patch management process.
  • review your internal network so you have complete visibility and know what’s exposed to the internet.
  • frequently review and make sure your security appliances are configured properly.
  • segment your assets to limit widespread downtime and the number of affected services.

How we can help

We have a long-standing, tried and tested heritage in security. With over 70 years’ experience to share, we currently protect our networks from over 6,500 cyberattacks a day. Our data gathering and analysis means we see everything and learn from it. And our sophisticated pattern and behaviour recognition allows us to see what nobody else can.

How we protect our own organisation has benefited our many security customers and helped shape the portfolio of services we provide. And our relationships and partnerships give us unparalleled access to security intelligence and solutions. Our team of 3,000 security experts in 16 global centres use unique tools and insight to stay one step ahead of criminal entrepreneurs.

We have operations in more than 180 countries and have extensive experience in protecting critical national infrastructures as well as dealing with major incidents. We protect government agencies, nation states and large global corporations, including ourselves. That gives us a unique perspective on cybercrime.

We’re constantly watching, learning, predicting, and responding to the latest threats to provide the best possible protection for our customers, their organisations and what matters most to them. Sign up to our free daily security threat intelligence headlines to help stay one step ahead.

We’re experts at managing an ever-changing threat environment, so if you need help with your security – whether it’s practical help, brainstorming or reassurance – please let us know. We’re here to help.