Cybersecurity researchers have found cybercriminals using DDoS booters to abuse misconfigured or outdated Datagram Transport Layer Security (D/TLS) servers as reflectors for Distributed Denial of Service (DDoS) attacks. D/TLS is a communications protocol that secures datagram-based applications and services against eavesdropping, tampering, and message forgery.
What is a DDoS Booter?
A DDoS booter is a DDoS-for-hire service platform that gives threat actors the ability to attack any targeted online resource anonymously. Most threat actors build their DDoS capability on DDoS booter services rather than their own infrastructure, using them to launch disruptive attacks of varying scale.
In a DDoS attack, threat actors try to make a targeted system or service unavailable to its users by flooding it with unwanted incoming traffic from many different sources.
Risk of Amplification Attacks
According to a report from NETSCOUT Systems, misconfigured D/TLS servers that do not perform the “HelloClientVerify” anti-spoofing mechanism can be exploited to launch reflection/amplification DDoS attacks with an amplification ratio of 37.34:1. In an amplification attack, the attacker relies on the amplification factor to multiply the volume of traffic the attack generates: a comparatively small amount of attacker traffic is turned into a far larger flood at the targeted resource.
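To show why the missing anti-spoofing step matters, here is an added Python model (not code from NETSCOUT or from the article) of a DTLS 1.2 server's first round-trip with and without the stateless cookie exchange that RFC 6347 calls HelloVerifyRequest. The message sizes, addresses and cookie scheme are constructed for illustration, not measured from real servers.

```python
import hashlib
import hmac
import os

# Constructed message sizes in bytes (assumed, not measured); chosen so the
# unprotected case lands near the article's 37.34:1 order of magnitude.
CLIENT_HELLO_LEN = 60     # minimal ClientHello: 32-byte random, no cookie
SERVER_FLIGHT_LEN = 2240  # ServerHello + Certificate chain + ServerKeyExchange + ServerHelloDone
HELLO_VERIFY_LEN = 60     # HelloVerifyRequest carrying only the cookie


class DtlsServerModel:
    """First round-trip of a DTLS 1.2 server (RFC 6347, section 4.2.1).

    require_cookie=False models the misconfigured/outdated server: every ClientHello,
    even one from a spoofed source address, is answered with the full server flight.
    require_cookie=True models the stateless-cookie exchange: an address that has not
    yet echoed a valid cookie only gets a HelloVerifyRequest, no larger than its request.
    """

    def __init__(self, require_cookie: bool):
        self.require_cookie = require_cookie
        self.secret = os.urandom(32)  # a real server rotates this periodically

    def cookie_for(self, client_addr: str, client_random: bytes) -> bytes:
        # Stateless: the cookie is recomputed, so unverified peers consume no server memory.
        msg = client_addr.encode() + client_random
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def handle_client_hello(self, client_addr: str, client_random: bytes, cookie: bytes = b""):
        """Return (message name, response length in bytes) for one ClientHello."""
        if self.require_cookie:
            expected = self.cookie_for(client_addr, client_random)
            if not hmac.compare_digest(cookie, expected):
                # Source address not yet proven reachable: reply with the small message only.
                return "HelloVerifyRequest", HELLO_VERIFY_LEN
        return "ServerHello..ServerHelloDone", SERVER_FLIGHT_LEN


def amplification_ratio(server: DtlsServerModel, spoofed_addr: str = "198.51.100.7") -> float:
    """Bytes the spoofed victim address receives per byte sent in one cookie-less ClientHello."""
    _, reply_len = server.handle_client_hello(spoofed_addr, os.urandom(32))
    return reply_len / CLIENT_HELLO_LEN


def legitimate_handshake(server: DtlsServerModel, addr: str = "203.0.113.5") -> str:
    """A real client echoes the cookie it was given and receives the full server flight."""
    rnd = os.urandom(32)
    server.handle_client_hello(addr, rnd)                 # first attempt, no cookie yet
    msg, _ = server.handle_client_hello(addr, rnd, server.cookie_for(addr, rnd))
    return msg


if __name__ == "__main__":
    for flag in (False, True):
        print(f"require_cookie={flag}: {amplification_ratio(DtlsServerModel(flag)):.2f}:1")
```

The cookie-enforcing server bounds the reply to an unverified address at 1:1, which is why the fix is to upgrade or reconfigure the server rather than to filter at the network edge.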
The report identified over 4,283 abusable D/TLS servers so far. “The collateral impact of D/TLS reflection/amplification attacks is potentially quite high for organizations with D/TLS servers and/or load-balancers that are used as reflectors/amplifiers. Failure to upgrade or safely reconfigure abusable D/TLS servers so that they can no longer be leveraged by attackers may result in blockage of legitimate production services running on abusable D/TLS servers by network operators utilizing layer-3 or -4 mitigation techniques to defend themselves and/or their customers from D/TLS reflection/amplification DDoS attacks,” the report stated.
Rise in DDoS Attacks Concerns Organizations
The latest analysis from the German DDoS protection vendor Link11 revealed that DDoS attacks reached a record high as attackers exploited the rapid digital transformation during the pandemic.
- The number of DDoS attacks nearly doubled from February to September 2020. It is estimated that there were 50 million DDoS attacks worldwide in a year.
- Businesses with inadequate cybersecurity measures suffered from high-volume attacks of over 50Gbps.
- Nearly 59% of incidents used so-called multi-vector attacks, which are harder to prevent and defend against.
- Numerous new DDoS vectors were detected; in particular, DVR DHCPDiscovery, Plex Media Server, and Citrix Netscaler.
- The longest DDoS attack lasted 5,698 minutes, equating to four full days of continuous bombardment.
“We’ve seen a large increase in vulnerabilities that can be exploited by DDoS attacks. Attackers are constantly scanning the internet for new ports and protocols that can be used to overload companies’ IT infrastructures. Not all companies have adapted to this threat, and there have been many headline-grabbing outages as a result,” said Marc Wilczek, Managing Director of Link11.