According to the 2021 DDoS Threat Landscape Report, Ransom DDoS (RDoS) threats are on the rise. Imperva researchers have been monitoring threats against several of our customers in which extortionists demanded payment in Bitcoin to call off a DDoS attack. The attack patterns this year closely resemble those seen in 2020.
As security teams prepare cyber-attack mitigation strategies for 2022, data collected by Imperva strongly suggests that evaluating and improving RDoS detection and response capabilities should be a priority. In this post, we’ll explain what an RDoS attack is, how it plays out, and what you need to do to prevent it.
RDoS attacks are DDoS attacks – malicious attempts to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server – with an extortion component. Today they are remarkably easy to carry out. The technical skill required is minimal, and the tools for reconnaissance against your organization's network are publicly available. DDoS "stressers", a.k.a. "DDoSers" or "booters", are ostensibly sold for load-testing your own network, but in practice they let anyone rent attack capacity against yours. Search engines, WHOIS and DNS make it simple for attackers to enumerate your network ranges and network services; that information is what keeps your IT systems reachable, and it is also what makes them easy to target.
RDoS attackers start by making contact via email, chats with sales reps, or social media messages. They threaten a brief demonstration attack, one that shows familiarity with your network infrastructure. They present an ultimatum with a grace period: long enough for you to acquire Bitcoin, but not long enough to mount a defense. Finally, they warn that the ransom increases for each day it isn't paid.
The cautionary tale: New Zealand Stock Exchange
In August 2020, trading at the New Zealand Stock Exchange (NZX) was halted over four days, leaving users with only a small fraction of the availability needed to conduct business. The attackers first overwhelmed the NZX with a flood of offshore traffic, and when the exchange moved its servers to the cloud, the attackers began targeting the exchange's individually listed companies. The cause was a DDoS attack accompanied by a ransom note. The negative impact on NZX's customers and reputation was enormous, and attackers now cite the incident as an example of what to expect from an RDoS attack.
Dispel the RDoS management folklore
Myths abound when it comes to managing an RDoS attack. You could pay the ransom, but there is no guarantee the attacker will go away, and more often than not, others will return expecting an easy payday. You could rely on your ISP, but bear in mind that it must protect its other customers and may blackhole traffic to your site until the attack subsides, which completes the attacker's job for them. Cloud service providers (CSPs) can scale up to absorb load, but that only works against smaller attacks, you pay overage fees for the excess traffic, and scaling does nothing to prevent the next attack. On-prem solutions are limited by the capacity of your upstream links, require manual management and upgrades, and often fail against sophisticated attacks. If you think the attackers don't know your infrastructure, think again: your network ranges and DNS records are public by necessity, because your services could not be reached otherwise.
What you can really do
Before you search for a solution, you must truly evaluate the risks and understand your organization’s exposure due to downtime related to an RDoS attack. Take the time to learn the different mitigation strategies and choose a partner with whom you can build a response plan that ensures your organization’s resilience while taking your priorities into account.
The time it takes to mitigate an attack can have a critical impact on your business. Mitigation must also be accurate: too often, RDoS mitigation drops or rate-limits legitimate traffic along with the attack, which has the same business impact as the attack itself. You need visibility, so that when an attack occurs your response team knows about it and can adjust the defense as needed. Finally, cybercriminals don't wait for your business hours to launch an attack, so your solution must be always on.
Imperva detects and mitigates RDoS attacks in real time and manages responses to all DDoS attack types across your organization's infrastructure from a single security console. For DNS, the Imperva solution combines reputation and rate-based heuristics to inspect incoming queries and filter out malicious packets without affecting legitimate visitors. It also improves DNS performance by caching legitimate responses for a set period and resolving subsequent queries directly from the nearest location on the Imperva network, which accelerates resolution and reduces the load on your own DNS servers. DNS protection works in sync with website DDoS and network services protection; together they shield your organization from RDoS and other DDoS attacks. Imperva is ready to help any new or existing customer who finds themselves under threat or attack.
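To make the "reputation and rate-based heuristics" idea concrete, here is an added example (written for this article, not Imperva's code) of a minimal DNS query filter: sources on a blocklist are dropped on reputation, sources on an allowlist (e.g. your own monitoring) are never rate-limited, and everyone else gets a per-source sliding-window query budget so that a flooding source is throttled while a normal resolver behind the same filter keeps getting answers. The query tuples, IP ranges and thresholds are all constructed for the example.

```python
"""Per-source DNS query filter: reputation lists plus a sliding-window rate limit.

Added example, not the page's or Imperva's code. Queries are modelled as
(timestamp_seconds, source_ip, qname, qtype) tuples, as you would get from a
parsed resolver log or a packet capture. All thresholds below are illustrative.
"""
from collections import Counter, deque
import ipaddress


class DnsQueryFilter:
    def __init__(self, window=1.0, max_per_window=20, blocklist=(), allowlist=()):
        self.window = window                    # seconds
        self.max_per_window = max_per_window    # accepted queries per source per window
        self.blocklist = [ipaddress.ip_network(n) for n in blocklist]
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self._accepted = {}                     # source_ip -> deque of accepted timestamps
        self.stats = Counter()

    @staticmethod
    def _matches(addr, nets):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    def decide(self, ts, src, qname, qtype):
        """Return 'allow' or 'drop' for one query; timestamps per source must not go backwards."""
        # 1. Reputation first: known-bad networks never reach the rate limiter.
        if self._matches(src, self.blocklist):
            self.stats["drop:reputation"] += 1
            return "drop"
        # 2. Trusted sources (own monitoring, partner resolvers) are exempt from rate limits,
        #    so a noisy legitimate client is not mistaken for an attacker.
        if self._matches(src, self.allowlist):
            self.stats["allow:allowlist"] += 1
            return "allow"
        # 3. Sliding window over this source's *accepted* queries.
        hist = self._accepted.setdefault(src, deque())
        while hist and ts - hist[0] >= self.window:
            hist.popleft()                      # age out queries older than the window
        if len(hist) >= self.max_per_window:
            self.stats["drop:rate"] += 1
            return "drop"
        hist.append(ts)
        self.stats["allow"] += 1
        return "allow"


def constructed_queries():
    """Constructed sample traffic (not real data) covering each code path."""
    q = []
    # A legitimate client: 5 queries per second for three seconds.
    for s in range(3):
        for i in range(5):
            q.append((s + i * 0.2, "10.0.0.5", "www.example.com", "A"))
    # A flooding source: 60 queries for random-looking labels inside 0.6 s.
    for i in range(60):
        q.append((1.0 + i * 0.01, "203.0.113.7", f"x{i}.example.com", "ANY"))
    # A source inside a known-bad range.
    for i in range(5):
        q.append((1.5 + i * 0.1, "198.51.100.9", "example.com", "A"))
    # An allowlisted monitoring host querying at 50 qps.
    for i in range(50):
        q.append((2.0 + i * 0.02, "192.0.2.10", "example.com", "A"))
    return sorted(q, key=lambda r: r[0])     # process in time order


def run_filter(queries=None):
    """Run the filter over the sample (or supplied) queries and return the decision counts."""
    f = DnsQueryFilter(window=1.0, max_per_window=20,
                       blocklist=["198.51.100.0/24"], allowlist=["192.0.2.0/24"])
    for ts, src, qname, qtype in (queries or constructed_queries()):
        f.decide(ts, src, qname, qtype)
    return dict(f.stats)


if __name__ == "__main__":
    for k, v in sorted(run_filter().items()):
        print(f"{k:18} {v}")
```

On the constructed sample the legitimate client's 15 queries all pass, the flood source gets exactly 20 through and has the remaining 40 dropped, the blocklisted source is dropped on reputation, and the allowlisted host is untouched despite its high rate. The caveat a practitioner should keep in mind is that DNS floods ride on UDP, so per-source accounting only helps against sources that do not spoof their address; spoofed and reflected floods need upstream capacity and anycast scrubbing in addition to this kind of filter.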
For RDoS attackers, the risks are so low and the rewards so high that we expect these attacks to keep growing in frequency and complexity. Make sure you can stop one before it impacts your organization.