In the past few weeks, DRDoS and RDoS attacks on German companies and government agencies have become more and more frequent. Cybercriminals are using the power of volumetric reflection attacks to extort large ransoms.
Technically speaking, a Distributed Reflected Denial of Service (DRDoS) attack is a special form of DDoS. In this case, malicious requests do not originate from the attacker themselves or from a botnet set up for this, but from normal Internet services. Cybercriminals weaponize them by exploiting a variety of Internet protocols. For example, attackers can use IP spoofing (the sending of IP packets with falsified IP sender addresses) to manipulate Internet services into redirecting traffic to a specific destination. Using this method, attackers are able to conceal the actual origin of the DDoS attack while at the same time massively increasing the bandwidth being fired off.
DRDoS attacks are usually carried out via highly amplified reflectors such as DNS services, which respond to the attackers’ short queries with large packets of data. As a result, reflection attacks increase the power of the attacks many times over. Other common types of reflectors include the NTP, TFTP, and Memcached protocols – the latter can be used to amplify the bandwidth of attacks to a factor of up to 51,000.
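The reflection pattern described above shows up in flow data as large UDP responses arriving from well-known reflector ports (DNS 53, NTP 123, TFTP 69, Memcached 11211) at a single destination. The following is an added example, not code from Myra Security, that groups constructed NetFlow-style records by destination and reflector service and flags combinations with many distinct reflectors or high inbound bandwidth; the thresholds and the record layout are assumptions.

```python
"""Flag UDP reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict

# UDP source ports of the reflector services named in the text.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 69: "TFTP", 11211: "Memcached"}

# Constructed sample flows for a one-second window:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 4444, 120, 420000),      # large DNS answers
    ("198.51.100.11", 53, "203.0.113.5", 4444, 110, 390000),      # second DNS reflector
    ("198.51.100.12", 123, "203.0.113.5", 4444, 300, 140000),     # a little NTP
    ("198.51.100.13", 11211, "203.0.113.5", 4444, 42000, 60000000),  # Memcached flood
    ("198.51.100.20", 53, "203.0.113.9", 5353, 2, 300),           # ordinary DNS reply
    ("198.51.100.21", 443, "203.0.113.5", 51000, 80, 90000),      # not a reflector port
]


def reflection_alerts(flows, window_s=1.0, min_sources=2, min_mbps=100.0):
    """Return per-(destination, service) alerts for suspected reflection traffic.

    A destination is flagged when, within the window, it receives traffic from
    at least `min_sources` distinct reflectors of one service, or when the
    inbound rate from that service reaches `min_mbps`. Thresholds are assumed
    values for the constructed sample, not recommendations.
    """
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        service = REFLECTOR_PORTS.get(src_port)
        if service is None:          # only responses from reflector ports count
            continue
        entry = stats[(dst_ip, service)]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
        entry["packets"] += packets

    alerts = []
    for (dst_ip, service), entry in stats.items():
        mbps = entry["bytes"] * 8 / window_s / 1e6
        if len(entry["sources"]) >= min_sources or mbps >= min_mbps:
            alerts.append({
                "dst": dst_ip,
                "service": service,
                "sources": len(entry["sources"]),
                "mbps": round(mbps, 1),
                # large average packets are the amplification signature
                "avg_pkt_bytes": entry["bytes"] // entry["packets"],
            })
    return sorted(alerts, key=lambda a: -a["mbps"])


if __name__ == "__main__":
    for alert in reflection_alerts(SAMPLE_FLOWS):
        print(alert)
```

The ordinary DNS reply and the HTTPS flow are not reported, while the Memcached flood and the multi-source DNS traffic to 203.0.113.5 are.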
Mitigation on Multiple Layers Required
In most cases, however, cybercriminals are not limited to one attack vector, continuing the DDoS trend towards multi-vector attacks. An offensive carried out concurrently on different network layers exposes the vulnerabilities in a company's web infrastructure all the more clearly. Attacks on the network and transport layers are typically TCP SYN floods or UDP-based reflection attacks, characterized either by very high bandwidth or by enormous packet rates. Meanwhile, attacks on layer 7 are often carried out via HTTP GET floods or low-and-slow attacks. Successful defense requires a correspondingly comprehensive protection concept that addresses all relevant attack vectors; otherwise, expensive outages may occur.
Blackmail as a Business Model: Ransom Denial of Service
In cybersecurity, once a DDoS attack has been linked to a demand for ransom, it is referred to as a Ransom Denial of Service (RDoS) attack. The impacted companies first receive a blackmail letter demanding payment of a ransom in the cryptocurrency Bitcoin. At the same time, an initial DDoS attack is launched to show that the cyber extortionists should be taken seriously. If the affected company fails to pay the ransom within the specified time, the actual attack occurs. In the blackmail letters sent by email, attackers often pretend to be members of well-known hacker groups such as Fancy Bear, Armada Collective, and Lazarus Group in order to make their demands more forceful. The extent to which there are actually connections to these internationally operating groups is unknown.
In the recent RDoS campaigns on German companies, cybercriminals used reflection attacks of approx. 200 GBit/s in the first wave of attacks. When victims were unwilling to comply with the ransom demands, a second, much stronger attack followed at speeds of up to 2 TBit/s – while at the same time the amount of ransom being demanded rose continuously from an initial 100,000 euros in Bitcoin to up to 400,000 euros. The attacks continued until the affected company had transferred the requested amount.
Successfully Fending Off DDoS Extortionists
The modus operandi of the attacks described here is by no means new. In the past few years, Myra Security has repeatedly encountered similar attacks and successfully mitigated them. Nevertheless, even today many companies are still not adequately prepared for an emergency. Unprotected systems will inevitably collapse under the load of a volumetric DRDoS attack.
Fortunately, because the demonstration attack and the ransom deadline precede the main attack, the scenario gives affected companies enough time to act. Companies under threat therefore have the opportunity to retrofit the necessary protection systems at short notice. As a cloud-based solution, Myra DDoS Protection can be deployed quickly in the event of an attack, with no additional software or hardware required.
Protective Solutions with a Deterrent Effect
Once adequately protected, companies’ digital processes can even endure volumetric attacks with no significant downtime. In such situations, cybercriminals often lose interest in the target following the initial attack. The risk is too high that the underlying attack construct of botnets and corrupted servers could be compromised by a failed attack. Tech companies and investigating authorities are constantly on the lookout for cybercriminals and their digital attack tools.
Competent DDoS Protection from Germany
Myra DDoS Website Protection protects web applications on layer 7 fully automatically. With full traffic visibility, Myra enables intelligent load balancing and site failover with high reliability and minimal response times.
Myra DDoS BGP Protection automatically protects against volumetric attacks on layers 3 and 4. The protective solution is easy to implement and requires no additional hardware or software. Detailed traffic analyses (NetFlow and sFlow) are provided by automatic flow monitoring. The failover of affected networks in case of attack is also fully automated.