Four years ago, we published a blog on the ways a Distributed Denial of Service (DDoS) attack could disrupt the U.S. Presidential election. Unfortunately, the same risk persists in 2020. In fact, given the historic influx of mail-in ballot voting for the November 3 election, a targeted DDoS attack could disrupt the supply chain in ways you likely cannot imagine, and lead to unprecedented delays.
While headlines focus on Nation State activities pertaining to stolen voter data, targeted misinformation campaigns or intrusions to election networks, it would be remiss to underestimate the potential for chaos triggered by an overwhelming flood of traffic, or volumetric attack. The sheer quantity of seemingly legitimate traffic generated by this type of attack consumes an excessive amount of bandwidth that can block legitimate access to a website, service, server or network, rendering it nonfunctional.
Here are a few hypothetical scenarios to be mindful of as election day nears:
A DDoS could limit access to information
A September 30 public service announcement from the FBI and CISA confirmed that, although a DDoS attack would not physically prevent anyone from voting, it “could hinder access to voting information.”
Access to information is critical for the population of swing voters making their decision in the days leading up to, and on, election day. Citizens will be searching the internet to understand the numerous down ballot candidates, where the nearest polling place is located, what protocols to expect in 2020, and what hours they can vote. A DDoS attack could limit access to these resources, or even tamper with the information. In both scenarios, an attack would disrupt voters’ research and might even prevent someone from casting their ballot.
In states where voters need information about a ballot proposition, many will seek outside information across the internet to help inform their opinion. A motivated attacker group could target the resources of a proposition that runs against its interests as a way to tamper with information, spread misinformation and bias a citizen’s vote.
A DDoS could disrupt the tabulation of votes
In the United States, voting is orchestrated at the state and, in many cases, county level. It results in a patchwork supply chain where voting operations are controlled by counties and municipalities that historically lack security funding and resources. As many local towns’ voting operations are conducted over internet connections, we could see a Layer 3 (network) or Layer 4 (transport) DDoS attack that delays or slows down vote tabulation.
In counties that rely on internet-connected voting machines, don’t discount the possibility of a Layer 7 (application) attack. Attackers could exploit the business logic of the application, or attack a vulnerability within the code of the application. The result could be machines that freeze or stop working, triggering backup processes untested for such scenarios.
If a DDoS attack disrupts voters and causes delays, the situation could be seized by a political candidate to create fear, uncertainty and doubt over the legitimacy of the outcome.
How big is the threat?
Over the past 10 months, Imperva Research Labs has noticed the number of DDoS attacks against our customers increasing significantly — both in volume and level of intensity.
In fact, the frequency and strength of global DDoS attacks has eclipsed the levels of November 2019, a peak holiday shopping period. One sophisticated attack, thwarted by Imperva, peaked at nearly 1Tbps. Its initial burst was so powerful that it reached 674Gbps and 148Mpps in under five seconds, emphasising how important it is to start mitigation within seconds. This type of attack would be impossible to mitigate with an on-premises or hybrid DDoS approach, because the upstream connectivity itself would be overwhelmed.
If a DDoS attack is launched on, or leading up to, November 3, it might delay the process and incite chaos. However, it’s important to remember that this type of cyber attack cannot cause a ballot to be physically lost, or to generate fake votes.
While these scenarios are bleak, they aren’t unprecedented. The most notable example of a DDoS attack wreaking havoc on a democratic vote was the 2011 South Korean by-election. The attacks were launched in the morning, as citizens — particularly young voters — were trying to cast a ballot before going to work. It’s believed the attacks were conducted as a way to suppress voter turnout.
Defending against a DDoS attack
The best defense is a good offense, and it’s no different for mitigating the threat of a DDoS attack.
For starters, conduct security assessments at all layers — internal, external, edge — to gain a better understanding of what prevention systems are already in place and where gaps may be located.
Next, select and implement a DDoS protection solution that enables four critical needs:
- Efficiency: Offering fast end-to-end mitigation time and a large capacity to absorb escalating attack volume
- Accuracy: Delivering no false positives and ensuring zero-day attack prevention
- Performance: Providing optimal latency without being intrusive for end users
- Coverage: Preventing volumetric and applicative attacks across all infrastructure asset types
In the unfortunate situation where your website is the target of a DDoS attack, mitigation should happen quickly in four steps:
- Detect: Identify traffic flow deviations that may signal the buildup of a DDoS assault. Your effectiveness will be measured by the ability to recognize the attack as early as possible. Instantaneous detection is the ultimate goal.
- Divert: Traffic should be rerouted away from the attack target via DNS (Domain Name System) or BGP (Border Gateway Protocol) routing, and a decision should be made whether to filter it or discard it altogether. DNS routing is always-on, so it can respond to attacks quickly, and is effective against both application-layer and network-layer attacks. BGP routing is either always-on or on-demand.
- Filter: DDoS traffic is weeded out, usually by identifying patterns that instantly distinguish between legitimate traffic (i.e., humans, API calls and search engine bots) and malicious visitors. Responsiveness is a function of being able to block an attack without interfering with legitimate users’ experience. The solution should be completely transparent to site visitors.
- Analyze: System logs and analytics can help gather information about the attack, both to identify the offender(s) and to improve future resilience. Logging is a legacy approach: it can provide insights, but not in real time, and it can require detailed manual analysis. Advanced security analytics techniques can offer granular visibility into the attack traffic and instant understanding of attack details.
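The four-step loop above is easier to reason about with a concrete, if simplified, implementation. The following Python script is an added example written for this page; it is not Imperva's code and does not represent any product. It builds a constructed request log (60 seconds of steady traffic from many sources, then a 20-second flood from three sources), runs the Detect step as a rolling-baseline deviation check on requests per second, runs the Filter step as a per-source rate limit inside the flagged window, and runs the Analyze step by summarising the offending sources. The Divert step (DNS or BGP rerouting) is a network-level action and is deliberately left out. The thresholds (a 30-second baseline, a 4-sigma plus 3x ratio guard, 50 requests per second per source) are hypothetical and would need tuning against real traffic.

```python
"""Baseline-deviation DDoS detection, per-source filtering and attack summary
over constructed web-server request records.

Assumed record format (an assumption for this example): (unix_seconds, source_ip, path).
All thresholds are hypothetical starting points, not recommended values."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_sample_requests():
    """Constructed sample log: 10 req/s spread across 70 legitimate sources for
    60 s, then 20 s during which three sources each add 200 req/s on top."""
    records = []
    for t in range(0, 80):
        for i in range(10):                      # legitimate background traffic
            records.append((t, f"10.0.{i}.{t % 7}", "/polling-places"))
        if t >= 60:                              # flood begins at t = 60
            for j in range(3):
                for _ in range(200):
                    records.append((t, f"203.0.113.{j}", "/polling-places"))
    return records


def requests_per_second(records):
    """Aggregate records into a list of request counts, one entry per second."""
    counts = Counter(t for t, _, _ in records)
    return [counts.get(t, 0) for t in range(min(counts), max(counts) + 1)]


def detect_anomaly(rates, baseline_window=30, sigma=4.0, min_ratio=3.0):
    """Detect step: compare each second against a rolling baseline of the
    preceding `baseline_window` seconds. Return the first index whose rate
    exceeds both mean + sigma*stdev and min_ratio*mean; the ratio guard stops
    a perfectly flat baseline (stdev 0) from alerting on a one-request blip."""
    for idx in range(baseline_window, len(rates)):
        window = rates[idx - baseline_window:idx]
        mu, sd = mean(window), pstdev(window)
        if rates[idx] > mu + sigma * sd and rates[idx] > min_ratio * mu:
            return idx
    return None


def filter_sources(records, start, per_source_limit=50):
    """Filter step: from `start` onwards, block any source that exceeds
    `per_source_limit` requests in a single second. Sources under the limit
    (the legitimate 1 req/s visitors here) are never touched."""
    per_second = defaultdict(Counter)
    for t, src, _ in records:
        if t >= start:
            per_second[t][src] += 1
    return {src for counts in per_second.values()
            for src, n in counts.items() if n > per_source_limit}


def summarise_attack(records, start, blocked):
    """Analyze step: total requests per blocked source during the attack window,
    highest first, for the after-action report."""
    totals = Counter(src for t, src, _ in records if t >= start and src in blocked)
    return totals.most_common()


def mitigate(records):
    """Run detect -> filter -> analyze and report the post-filter request rate."""
    rates = requests_per_second(records)
    start = detect_anomaly(rates)
    if start is None:
        return {"attack_start": None, "blocked": set(), "summary": [], "residual_rate": rates}
    blocked = filter_sources(records, start)
    clean = [r for r in records if r[1] not in blocked]
    return {
        "attack_start": start,
        "blocked": blocked,
        "summary": summarise_attack(records, start, blocked),
        "residual_rate": requests_per_second(clean),
    }


if __name__ == "__main__":
    result = mitigate(build_sample_requests())
    print("attack detected at second:", result["attack_start"])
    print("blocked sources:", sorted(result["blocked"]))
    print("top offenders:", result["summary"])
    print("peak residual req/s after filtering:", max(result["residual_rate"]))
```

The point a practitioner should take from this is the interplay between the steps: the Detect threshold is set on aggregate volume so it fires within one second of the flood starting, while the Filter threshold is set per source so that legitimate visitors sending a request a second survive the block. A real deployment would also have to handle attacks spread thinly across thousands of sources, where per-source limits alone are not enough and pattern- or challenge-based filtering takes over.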