Distributed denial of service (DDOS) attacks - when an attacker attempts to make it impossible for a service to be deliverable - are increasing in size, frequency and duration. Kaspersky Lab reported a doubling of DDoS attacks in the first quarter of 2020 compared with the fourth quarter of 2019, plus an 80% jump compared with the same quarter last year. To learn more about how these attacks have evolved over the years, we talk to Roy Horev, Co-Founder and CTO at Vulcan Cyber, a vulnerability remediation orchestration provider.

Security: What is your background and current role? (keep it vendor neutral please)

Horev: I’ve been working in the cybersecurity field since 2007. I started off doing mostly implementation and support for “of-the-shelf” products – focusing on firewalls, NAC systems and endpoint security.

A couple of years later, I found a gap in the market which I set my mind to fill. This gap was around backup and automation for the security devices. I started a company doing exactly that, taking the product manager role, and shifted slowly but surely into R&D. Towards the end of that “era” I was managing the entire tech side, including R&D, QA, professional services, as well at the product and sales engineering.

For the past 3 years, I’ve been a co-founder and the CTO of Vulcan Cyber – a vulnerability remediation platform.

Security: What is a DDoS attack? What are the different types of DDoS attacks?

Horev: To understand DDoS attack, we must cover background on a Denial-of-Service (DoS) attack first.

A DoS attacks’ goal is to prevent some kind of service from providing its intent. i.e. – If I were to stand all day in front of the ATM in my block, it would cause the ATM to not provide service to any of the customers. The additional “D” in DDoS, stands for distributed – meaning utilizing many sources to help with the DoS attack. Revisiting the example before – I can twit that the ATM at my block spits money out if 8888 code is typed, and instead of blocking the machine myself, I’d be generating a line of endless people trying the code – and blocking the ATM.

Diving in technically a bit more, the DDoS attacker most of the times would use attacking hosts that have been hacked and are not even aware that they are part of the attack. Usually, the attacks are separated into Volume Based Attacks which exhaust the bandwidth of the service, Application Level Attacks  (L7) – which exhaust the request handling abilities of the service, and Protocol Attacks (L3,4) – which usually focus on the infrastructure around the service (load balancers, routers, web application firewalls, etc.).

Security: How have DDoS attacks evolved over the years?

Horev: Since many of the attacks rely on an “army of bots” – which are basically hacked machines, we see an increase of possible “recruitment verticals”. SMART appliances are flooding the markets and prove to be good candidates in hacking scenarios. Many vendors that are not security focused are producing internet connected appliances - from vacuum robots, through smart fridges, security cameras and even vehicles. These devices are joining the botnets and really power-up the ability to produce DDoS attacks.

Security: Have the number of attacks increased since the pandemic? What are some of the current trends around DDoS?

Horev: Q1 2020 showed 2.5 times increase to Q1 of the previous year, and an almost 4.5 times increase compared to Q4 2019 (Nexus Guard). As a part of a more general “covid raises cybercrime volume” – DDoS attacks were no different. Specifically, UDP flooding is the latest hype in DDoS, which we see a rapid increase.  

Security: What are 3-5 essential tips on how enterprise security can protect against these attacks?

Horev:

• Preparation is your friend. Before taking any actual measures, create a plan – “what do we do when we are DDoS”. This will allow you to understand the weak points, the control mechanisms that you need, and you’ll be more at ease on your day to day. Sometimes softer coping mechanisms such as – “If we are under attack, can we block certain geographic locations without losing business”, can be low hanging fruits in mitigating DDoS attacks.
• “Outsource” DDoS protection – there are a lot of cloud providers such as Incapsula, or cloudfront that help protect against DDoS, worth adding that layer of protection.
• Kind of obvious – but always make sure you have proper monitoring and alerting for you services
• Make sure that you have the support numbers for your ISP handy, they might be very helpful and have countermeasures of their own which they can apply