Severity
High
Analysis Summary
According to Cloudflare, the number of hyper-volumetric HTTP DDoS (distributed denial-of-service) attacks recorded in the third quarter of 2023 surpassed every preceding year, marking a new chapter in the threat landscape.
A DDoS attack is a type of cyberattack in which the servers hosting the targeted applications, websites, and online services are flooded with massive amounts of junk traffic or fake requests in an attempt to overwhelm them and make them inaccessible to genuine users.
According to the researchers, the company mitigated hundreds of hyper-volumetric HTTP DDoS attacks in Q3 2023.
Over 89 of these attacks exceeded 100 million requests per second (rps); the largest peaked at 201 million rps, three times the previous record set in February 2023.

By running on cloud computing platforms and abusing HTTP/2, the botnets used to launch these attacks were able to generate up to 5,000 times more force per botnet node. Because of this amplification factor, a small botnet of only 5,000 to 20,000 nodes is enough to carry out hyper-volumetric DDoS attacks.

After investigating the two-month-long DDoS campaign, the researchers state that Cloudflare's own infrastructure was the primary target: Cloudflare's websites and infrastructure received 19% of all attacks, followed by gaming organizations (18%) and well-known VoIP providers (10%).

The U.S., China, Brazil, Germany, and Indonesia are the main countries from which the attacks originate.
The primary targets of HTTP DDoS attacks are Singapore, China, Vietnam, the United States, and Canada.
The gaming and gambling sector and the cryptocurrency industry are the two industries most often targeted by HTTP DDoS attacks.
In addition to the prevalent attack vectors, we observed notable surges in less recognized attack vectors. These tend to be quite dynamic, as threat actors attempt to “reduce, reuse, and recycle” older attack methods. Specifically, these vectors often involve UDP-based protocols that can be leveraged for initiating amplification and reflection DDoS attacks.
Remediation
- Implement rate limiting for incoming requests to cap the number of requests accepted from a single source within a specified time frame. This helps mitigate the impact of HTTP/2 Rapid Reset (rapid request-and-reset) attacks.
- Implement thorough request validation to filter out malicious or unnecessary requests. This can help reduce the volume of requests that need to be processed and minimize the impact of the attack.
- Deploy IDPS solutions to detect and block abnormal traffic patterns associated with DDoS attacks. These systems can identify and respond to suspicious behavior in real-time.
- A WAF can filter and monitor incoming traffic to an application and block or allow traffic based on a defined set of security rules. Configure your WAF to detect and block suspicious HTTP/2 Rapid Reset attack patterns.
- Keep all software, including web servers and application frameworks, up to date with the latest security patches.
- Continuously monitor network traffic and establish baselines for normal activity.
- Use load balancers to distribute incoming traffic across multiple servers. Load balancers can help prevent a single server from being overwhelmed by an attack.
- Implement multi-factor authentication (MFA) for administrative access to critical systems and infrastructure to prevent unauthorized access during attacks.
- Implement robust monitoring and logging solutions to capture detailed data on network and application activity. This information can be invaluable for post-attack analysis and forensics.
- Thoroughly assess the external connections of your own network and of partner networks. This assessment helps identify Internet-facing systems that may be vulnerable; implement the necessary mitigations promptly.
- Evaluate your existing security measures and capabilities designed to protect, detect, and respond to attacks. Ensure that these defenses are up to date and address any identified issues in your network promptly.
- Place your DDoS protection measures outside your data center. This strategic placement is essential because, once malicious traffic reaches your data center, mitigating a DDoS attack becomes more challenging.
- Employ comprehensive DDoS protection strategies, including protection at the application (Layer 7) level. Implement Web Application Firewalls (WAFs) to safeguard against application-specific attacks.
- Regularly update and maintain the security of your web servers and operating systems, especially those facing the Internet. Additionally, ensure that all automation processes, such as Terraform builds and image deployments, are fully patched to prevent the accidental use of outdated and vulnerable versions.
- Consider Protocol Downgrades: As a last resort, consider temporarily disabling HTTP/2 and HTTP/3 protocols. This is a drastic step because it may significantly impact performance. Use this measure if all other defenses prove insufficient.
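As an added illustration of the rate-limiting and Rapid Reset detection advice above (example code written for this advisory, not from Rewterz or Cloudflare), the following Python script scans constructed HTTP/2 frame events and flags a source that exceeds a per-window request limit or cancels most of its own streams with RST_STREAM. The thresholds, connection identifiers and sample addresses are assumptions; tune them to your own traffic baseline.

```python
"""Flag HTTP/2 Rapid Reset style behaviour from per-frame event logs.

The events, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0      # sliding window for the per-source request rate limit
MAX_REQ_PER_WINDOW = 100  # hypothetical per-source limit on new streams (HEADERS frames)
MIN_STREAMS = 50          # ignore connections with too few streams to judge fairly
RESET_RATIO_LIMIT = 0.8   # fraction of streams a client cancelled with RST_STREAM


def build_sample_events():
    """Constructed events: (time_s, client_ip, conn_id, frame_type)."""
    events = []
    # Abusive client: opens a stream and cancels it ~1 ms later, 400 times in one second.
    for i in range(400):
        t = i * 0.0025
        events.append((t, "203.0.113.7", "c-abuse", "HEADERS"))
        events.append((t + 0.001, "203.0.113.7", "c-abuse", "RST_STREAM"))
    # Benign client: 20 ordinary requests over one second, none cancelled.
    for i in range(20):
        events.append((i * 0.05, "198.51.100.5", "c-ok", "HEADERS"))
    events.sort()
    return events


def analyse(events):
    """Return {client_ip: set(reasons)} for clients that trip either heuristic."""
    recent = defaultdict(deque)   # client_ip -> HEADERS timestamps inside the window
    streams = defaultdict(int)    # conn_id -> streams opened (HEADERS frames)
    resets = defaultdict(int)     # conn_id -> streams cancelled (RST_STREAM frames)
    conn_owner = {}               # conn_id -> client_ip
    flagged = defaultdict(set)
    for t, ip, conn, frame in events:
        conn_owner[conn] = ip
        if frame == "HEADERS":
            q = recent[ip]
            q.append(t)
            while q and t - q[0] > WINDOW_SECONDS:   # drop timestamps outside the window
                q.popleft()
            if len(q) > MAX_REQ_PER_WINDOW:
                flagged[ip].add("rate_limit")
            streams[conn] += 1
        elif frame == "RST_STREAM":
            resets[conn] += 1
    # A connection that cancels nearly every stream it opens is the Rapid Reset signature.
    for conn, n in streams.items():
        if n >= MIN_STREAMS and resets[conn] / n > RESET_RATIO_LIMIT:
            flagged[conn_owner[conn]].add("rapid_reset")
    return dict(flagged)


if __name__ == "__main__":
    for ip, reasons in analyse(build_sample_events()).items():
        print(ip, sorted(reasons))
```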