Cloud Services, Used as Hosts for DDoS Attacks

DDoS (Distributed Denial of Service Attack) continues to wreak havoc in various companies, services, and systems worldwide. It becomes more intense as the botnet creation, maintenance becomes cheaper through the years, thanks to infected smart devices and Internet-of-Things. Link11’s Security Operation Center revealed that public cloud server-using botnets increased by 35% from July 2017 to June 2018.

Microsoft’s Azure has been the most used cloud service for use with DDoS attacks, 38.7% of all detected DDoS attacks originated from an Azure server. Amazon Web Services comes in second place with 32.7% of attacks. Alibaba cloud servers are in distant third at 17.9%, while Google cloud services were the least used with 10.7%.

“The people behind DDoS attacks are embracing the use of public cloud services for the same reasons as legitimate organizations: the services provide flexible, on-demand capacity and resources, and can be provisioned in just a few minutes. For threat actors, the benefits are even more compelling because they will often use stolen credit card details and false identities to pay for the services. This makes the perpetrators almost impossible to trace, even though providers such as Amazon are taking strong action against misuse, and asking users to report any suspected abuse of their services,” explained Aatish Pattni, Link11’s Regional UK & Ireland Director.

DoS attacks are a class of attacks initiated by an individual or group of individuals exploiting aspects of the Internet Protocol to deny other users from legitimate access to systems and information. In the past DoS attacks has been associated with SMURF attacks, which were targeted at routers. If an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disconnected. Recently though more forms of attacks are crafted to attack web servers, mail servers and other services.

DDOS is a combination of DoS attacks staged or carried out in concert from various hosts to penalize the target host from further serving its function. DDoS is a term coined when the source of the attack is not coming from a single source but from multiple sources. DDoS cannot be eliminated by merely filtering the source IPs since it is often launched from multiple points installed with agents.

Network administrators must adapt to the new normal, the BYOD (Bring Your Own Devices) and IoT (Internet-of-Things) while maintaining the current systems. BYOD is pushed by the workers, as their personal devices are mostly the most convenient device to work with instead of company-issued machines. And with their BYOD device, they bypass the strict security policy implemented by the IT team, mostly through the use of Access Control List brought about by the Windows Active Directory or Linux Samba.

Monitoring network traffic is highly needed, as abnormal longterm high traffic means something is very active on the nodes. Companies need to acquire a credible and granular network monitoring equipment, use it for 24/7 coverage in order to detect unexpected spikes in the network. Abnormal high traffic for an extended period against a network is questionable, the first aid against DDoS is to take the service offline.