Today, malware-infected bots are used for everything from stealing passwords to launching some of the most disruptive network-based attacks in history. A case in point is the direct-path attacks from DDoS-capable botnets such as Mirai, which are frequently leveraged by groups like Killnet. Unfortunately, as threat remediation technology has improved over time, threat actors have improved as well, scaling botnets in terms of both size and capability. Killnet has carried out attacks in numerous sectors over the past year, including European governments, airports and the health sector, with more than a dozen DDoS attacks hitting U.S. hospital networks such as Cedars-Sinai and Duke University Hospital. The bottom line is that no sector or governmental entity is immune from an attack, so what can be done to remediate the damage before it occurs?
This article will explore how to mitigate direct-path attacks in light of DDoS threat actors changing their attack methods over the past weeks and months. The piece will also explore recent data points on DDoS-capable botnets and how to take down this emerging threat effectively and swiftly on a global scale.
Although botnets have been around since the 1990s, they’ve grown staggeringly fast, especially over the past year. In 2022 alone, more than 1.35 million bots were observed from malware families like Mirai, Meris and Dvinis that targeted approximately 93 countries per day — effectively half of the world.
Just as major software providers continue to innovate by delivering solutions that are faster, more sophisticated and easier to use, innovation is also driving botnet security threats. For example, new DDoS-for-hire services make it easier than ever for anyone to launch coordinated and complex attacks on target companies, organizations or industries. The goal of these activities is often to distract security teams with DDoS attacks while bad actors actively work to exfiltrate data and also use ransomware to lock it up and make it inaccessible.
Unfortunately, botnet threats will continue to grow and evolve over time, and so will the motivations of bad actors. Generally, attacks can be motivated by financial considerations, revenge, geopolitical goals, ransom opportunities or just malicious intent. Everyone from gamers to financial corporations to geopolitically vulnerable nations is at greater risk from increasingly sophisticated botnet attacks. As a result, all types of organizations must be more proactive in defending themselves against these types of attacks or risk possible disruptions to their business, services, reputations and their bottom lines.
When examining recent statistical data on network bandwidth, throughput and attack frequency, there is the disturbingly prevalent theme of increased direct-path, botnet-sourced attacks. Attacks of this nature continue to be a top concern for IT organizations worldwide. In fact, these types of attacks increased by 18% over the past three years, while traditional reflection/amplification attacks decreased by nearly the same amount, highlighting the need for a hybrid defense approach to weather the fluctuating attack methodology.
With direct-path attacks, threat actors target individual organizations rather than indiscriminately targeting customers of internet service providers (ISPs) and wireless carriers. Increases in these kinds of attacks using mechanisms such as SYN, ACK, RST, and GRE floods result in significant disruptions that are increasingly challenging to mitigate.
The increase in direct-path DDoS attacks is directly tied to two factors: anti-spoofing, or source-address validation (SAV), and server-class botnets. To put it simply, a traditional reflection/amplification DDoS attack requires a spoofed IP address. But SAV makes it impossible for spoofed attack traffic to traverse intelligently engineered networks. That is not an issue for a successful TCP-based direct-path DDoS attack, as its packets do not have to be spoofed to cause serious damage. Additionally, server-class botnets, such as Mirai, can launch multiple direct-path DDoS attacks simultaneously, while retaining the ability to direct high amounts of attack traffic toward targets on demand.
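To make the SAV point concrete, here is an added example (not code from the article or any vendor product) that runs a BCP 38 style source-address check over a constructed set of flow records and then counts SYN-only packets per destination. The interface prefix table, addresses and threshold are hypothetical; the point it shows is that SAV drops the spoofed reflection traffic but passes the direct-path SYN flood, which only the flag analysis catches.

```python
import ipaddress
from collections import Counter

# Hypothetical prefix table: the source prefixes legitimately behind each ingress interface.
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}

def sav_permits(iface, src):
    """BCP 38 style SAV: admit a packet only if its source address lies in a
    prefix assigned to the interface it arrived on."""
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in INGRESS_PREFIXES.get(iface, []))

# Constructed sample records: (ingress iface, src, dst, proto, TCP flags).
SAMPLE_FLOWS = (
    # Reflection/amplification setup: spoofed victim source (192.0.2.10) sent
    # from customer A's link toward an open resolver; SAV should drop these.
    [("cust-a", "192.0.2.10", "198.51.100.53", "udp", "")] * 4
    # Direct-path SYN flood: real bot addresses inside customer A's own prefix,
    # so SAV passes them and only the flag analysis below can catch them.
    + [("cust-a", f"203.0.113.{i}", "192.0.2.10", "tcp", "S") for i in range(1, 21)]
    # Legitimate handshake traffic from customer B.
    + [("cust-b", "198.51.100.7", "192.0.2.10", "tcp", "S"),
       ("cust-b", "198.51.100.7", "192.0.2.10", "tcp", "A")]
)

def analyze(flows, syn_threshold=10):
    """Return (spoofed_dropped, flagged_targets). flagged_targets maps a
    destination to its SYN-only packet count when that count exceeds
    syn_threshold, i.e. a direct-path SYN flood candidate."""
    spoofed_dropped = 0
    syn_only = Counter()
    for iface, src, dst, proto, flags in flows:
        if not sav_permits(iface, src):
            spoofed_dropped += 1      # spoofed source: would never leave this network
            continue
        if proto == "tcp" and flags == "S":
            syn_only[dst] += 1        # non-spoofed SYN: SAV cannot help here
    flagged = {dst: n for dst, n in syn_only.items() if n > syn_threshold}
    return spoofed_dropped, flagged

if __name__ == "__main__":
    dropped, flagged = analyze(SAMPLE_FLOWS)
    print(f"spoofed packets dropped by SAV: {dropped}")
    print(f"direct-path SYN flood candidates: {flagged}")
```

In a real deployment the per-destination SYN count would be a rate over a time window and would be compared against the SYN/ACK ratio seen for that destination, but the separation of concerns is the same: SAV at the network edge, flag-based detection on the traffic that SAV legitimately admits.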
As attackers’ methodologies continue to evolve and evade traditional defenses, an adaptive, hybrid approach to DDoS defense is more critical than ever before. In a modern DDoS defense strategy, organizations should combine purpose-built, adaptive and intelligent on-premises detection and mitigation systems with on-demand cloud-based mitigation capabilities at the edge. When taking this hybrid approach, organizations can more clearly and automatically identify and stop all types of DDoS attacks before bad actors, in this case using direct-path attacks from DDoS-capable botnets, impact business-critical services.
Ultimately, attackers will persist in finding new ways to carry out attacks and will continue to become harder to detect. Therefore, the onus is on organizations to employ a more comprehensive, hybrid defense strategy to secure their network edges. Taking this approach will stop direct-path DDoS attacks and will also improve an organization’s overall security posture to prevent new attacks and DDoS-capable botnets from causing serious damage to networks now and in the future.