Cloudflare sign outside company headquarters in San Francisco, California.
© Michael Vi/Shutterstock.com

Cloudflare warns that cybercriminals are now launching sophisticated DDoS attacks that were previously thought to be exclusively in the wheelhouse of state-level or state-sponsored actors. The company’s observation is part of its DDoS threat report for 2023 Q2, which it published on Tuesday.

DDoS, or distributed denial of service, is a type of cyberattack in which traffic from many sources overwhelms a target's servers or network capacity, rendering the service inaccessible to its users. Attackers generally target government or private websites that provide services to the public.

They rely on botnets, networks of compromised devices, to flood the target with requests simultaneously. Because the flood arrives from many sources at once, the target exhausts its capacity and becomes unavailable to everyone, legitimate visitors included.

Cybercriminals Using Specialized Techniques to Avoid Detection

A key takeaway from Cloudflare's report is the rise in highly randomized and sophisticated HTTP DDoS attacks. Cybercriminals are deliberately engineering their attacks to overcome mitigation systems by closely mimicking browser behavior.

These actors rely on randomization techniques and deliberately keep their per-second attack rates low, which lets them stay under the thresholds that detection systems trigger on.

“This level of sophistication has previously been associated with state-level and state-sponsored threat actors, and it seems these capabilities are now at the disposal of cyber criminals,” the report states.

“Their operations have already targeted prominent businesses such as a large VoIP provider, a leading semiconductor company, and a major payment & credit card provider to name a few.”

Cloudflare saw a 15% quarter-over-quarter increase in HTTP DDoS attacks, even though such attacks were down 35% year over year.
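The evasion described above works against defenses that rate-limit each client address on its own: if every bot sends only a couple of requests, no single source crosses a per-IP threshold, while the sum of all of them still saturates the target. The following added example (not Cloudflare's code; the traffic, addresses, thresholds and User-Agent strings are constructed for illustration) shows a per-source rate check missing such a flood and a per-target aggregate exposing it.

```python
import random
from collections import defaultdict

# Constructed sample traffic, not real data. Each event is
# (timestamp_seconds, client_ip, path, user_agent).
_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Version/16.5 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
]


def build_sample_traffic(seed=7, bots=60, requests_per_bot=2, window_s=10):
    """Build a low-and-slow, randomized flood mixed with a little legitimate browsing."""
    rng = random.Random(seed)
    events = []
    # Each bot sends only a couple of requests per window, with a different
    # browser User-Agent each time, all aimed at the same expensive endpoint.
    for i in range(bots):
        ip = f"203.0.113.{i}"  # TEST-NET-3 documentation range (constructed)
        for _ in range(requests_per_bot):
            events.append((rng.random() * window_s, ip, "/login", rng.choice(_UAS)))
    # Legitimate clients: a few addresses, a handful of requests each, spread over pages.
    for j in range(3):
        ip = f"198.51.100.{j}"  # TEST-NET-2 documentation range (constructed)
        for path in ("/", "/products", "/login"):
            events.append((rng.random() * window_s, ip, path, _UAS[j]))
    return sorted(events)


def per_source_offenders(events, window_s=10, max_per_source=5):
    """Classic per-IP rate limit: flag any address exceeding max_per_source in a window."""
    counts = defaultdict(int)
    for ts, ip, _path, _ua in events:
        counts[(int(ts // window_s), ip)] += 1
    return {ip for (_bucket, ip), n in counts.items() if n > max_per_source}


def per_target_anomalies(events, window_s=10, baseline_rps=2.0):
    """Aggregate by target path instead: many quiet sources add up to a loud signal.

    Returns {path: {"rps": ..., "distinct_sources": ...}} for every window in which the
    path's request rate exceeds its expected baseline.
    """
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, ip, path, _ua in events:
        key = (int(ts // window_s), path)
        counts[key] += 1
        sources[key].add(ip)
    return {
        path: {"rps": n / window_s, "distinct_sources": len(sources[(bucket, path)])}
        for (bucket, path), n in counts.items()
        if n / window_s > baseline_rps
    }


if __name__ == "__main__":
    sample = build_sample_traffic()
    print("per-source offenders:", per_source_offenders(sample))   # nothing crosses the line
    print("per-target anomalies:", per_target_anomalies(sample))   # /login stands out
```

The per-target view also records how many distinct sources contributed, which is the signal that separates a distributed flood from a single noisy client; in production the baseline would come from historical traffic for each endpoint rather than a fixed constant.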

DNS Laundering Attacks: A Serious Challenge for Organizations

Another trend Cloudflare points out is the increase in DNS laundering attacks. In such an attack, the attacker makes bad traffic appear legitimate by laundering it through reputable recursive DNS resolvers: queries for randomized subdomain prefixes of the victim's domain, which are rarely if ever reused, are sent to these resolvers, which cannot answer them from cache and so forward each one to the victim's authoritative nameservers. This makes it very difficult for organizations to distinguish legitimate queries from malicious ones, because both arrive from the same trusted resolver addresses.

“From the protection point of view, the DNS administrators can’t block the attack source because the source includes reputable recursive DNS servers like Google’s 8.8.8.8 and Cloudflare’s 1.1.1.1.”

“The administrators also cannot block all queries to the attacked domain because it is a valid domain for which they want to preserve access to legitimate queries.”

The company said a large Asian financial institution and a North American DNS provider recently fell victim to this type of attack.
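Since neither the source addresses nor the domain can be blocked, the remaining handle is the query name itself. The following added example (not Cloudflare's code; the zone, resolver addresses and query log are constructed) classifies queries as they would be seen by an authoritative server, using two properties of laundered names, a random-looking leftmost label and the fact that the exact name is never asked again, and then shows that no resolver can be blocked without collateral damage.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed zone and resolver list for illustration. The resolvers stand in for the
# "reputable recursive DNS servers" that the report says cannot be blocked.
ZONE = "example.com."
PUBLIC_RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]


def build_sample_queries(seed=3, legit=60, attack=200):
    """Constructed query log as seen by the authoritative server: (resolver_ip, qname)."""
    rng = random.Random(seed)
    legit_labels = ["www", "mail", "api", "cdn", "login"]
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    queries = []
    for _ in range(legit):
        queries.append((rng.choice(PUBLIC_RESOLVERS), f"{rng.choice(legit_labels)}.{ZONE}"))
    for _ in range(attack):
        # Random prefix: uncacheable, so every query reaches the authoritative server.
        label = "".join(rng.choice(alphabet) for _ in range(14))
        queries.append((rng.choice(PUBLIC_RESOLVERS), f"{label}.{ZONE}"))
    rng.shuffle(queries)
    return queries


def label_entropy(label):
    """Shannon entropy of a DNS label in bits per character."""
    counts = Counter(label)
    total = len(label)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify_queries(queries, entropy_threshold=2.5):
    """Split queries into legitimate and laundered.

    A laundered query has a high-entropy leftmost label and its exact name appears only
    once in the log; real hostnames are short, low-entropy and asked for repeatedly.
    """
    seen = Counter(qname for _, qname in queries)
    per_resolver = defaultdict(Counter)
    laundered = []
    for resolver, qname in queries:
        label = qname[: -(len(ZONE) + 1)]  # strip ".example.com."
        is_laundered = seen[qname] == 1 and label_entropy(label) >= entropy_threshold
        per_resolver[resolver]["laundered" if is_laundered else "legit"] += 1
        if is_laundered:
            laundered.append(qname)
    return {
        "laundered": laundered,
        "per_resolver": {r: dict(c) for r, c in per_resolver.items()},
    }


def blockable_resolvers(report):
    """Sources that carry no legitimate queries and could be blocked outright.

    In a laundering attack every resolver carries both kinds of traffic, so this is
    empty: the defender must act on query names, not on source addresses.
    """
    return sorted(r for r, c in report["per_resolver"].items() if c.get("legit", 0) == 0)


if __name__ == "__main__":
    rep = classify_queries(build_sample_queries())
    print(len(rep["laundered"]), "laundered queries")
    print("per resolver:", rep["per_resolver"])
    print("blockable resolvers:", blockable_resolvers(rep))
```

The "seen exactly once" rule needs state and a tolerance for prefixes reused a few times, and the entropy threshold must be tuned against the zone's real hostnames; the point of the example is the shape of the decision, which has to be made per query name because the source address carries no useful signal.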

‘Darknet Parliament’ Targets Western Banks and SWIFT

Cloudflare stated that the pro-Russian groups Killnet, REvil, and Anonymous Sudan have joined forces to attack several Western-interest websites. Anonymous Sudan was behind the recent DDoS attack that temporarily shut down Archive of Our Own (AO3), a popular fanfiction platform.

In particular, the collective, which calls itself the “Darknet Parliament,” aims to disrupt the SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking network.

Much of the global financial system relies on the SWIFT messaging network to exchange payment instructions and settlement messages between banks.

“Over the past weeks, as many as 10,000 of these DDoS attacks were launched by the Darknet Parliament against Cloudflare-protected websites.”

However, the banking and financial services industry was only the ninth most targeted sector last quarter. Cloudflare said the computer software, gambling and casinos, and gaming industries were the Darknet Parliament's three biggest targets.

Cryptocurrency, Management Consulting, and Non-Profits Heavily Targeted

Overall, the cryptocurrency industry faced the largest volume of HTTP DDoS traffic last quarter. Cloudflare did not give an exact attack count but said the malicious traffic increased 600% over the previous quarter, and that it accounted for 0.063% of all traffic that cryptocurrency websites behind Cloudflare received.

By contrast, management consulting and non-profits had the highest share of attack traffic relative to their total traffic.

“Overall, the amount of DDoS attacks on Non-profits increased by 46% bringing the percentage of attack traffic to 17.6%. However, despite this growth, the Management Consulting industry jumped to the first place with 18.4% of its traffic being DDoS attacks.”

Cloudflare Report Overview

Cloudflare's network, which serves an average of 63 million HTTP requests per second and answers over 2 billion DNS queries every day, gives the company a large volume of data on, and visibility into, DDoS attacks. The company also defused the largest-ever DDoS attack on record in 2022.

“The second quarter of 2023 was characterized by thought-out, tailored and persistent waves of DDoS attack campaigns on various fronts,” Cloudflare stated.

“Despite general figures indicating an increase in overall attack durations, most of the attacks are short-lived and so was this one. This attack lasted only two minutes. However, more broadly, we’ve seen that attacks exceeding 3 hours have increased by 103% QoQ,” it added.
