Sporting events are irresistible targets for DDoS attacks

Global sporting events have always been a world stage, showcasing not only athletic brilliance, but also the vision and appeal of the host country. Only pulling off a modern, successful global sporting event now costs hundreds of billions in investment – and with that high cost and notoriety inevitably comes unwanted attention from cybercriminals.

For nearly two decades, threat actors have increasingly used Distributed Denial-of-Service (DDoS) attacks to target events like the FIFA World Cup games that will be hosted in Qatar later this year. While not a new phenomenon, DDoS attacks can cause major disruptions for fans, athletes, and companies invested in their outcome by assaulting the digital infrastructure necessary to reach global viewing audiences, ranging from telecommunications to digital scoring and video streaming.

London’s 2012 summer games sustained repeated DDoS attacks, including a 40-minute attack on the central venue's power systems likely intended to disrupt the opening ceremony. Soccer’s biggest global event in 2014 was attacked by the infamous hacking group Anonymous, and the 2016 summer games in Rio de Janeiro were targeted by a large-scale attack from a DDoS-for-hire service known as LizardStresser, which began just prior to the opening of the games and increased significantly after the games started. Finally, the most recent 2020 summer games in Tokyo were heavily targeted with reports of more than 450 million attacks.

Geopolitical unrest plays a major role in bad actor activity, and the Cyber Threat Alliance (CTA) notes that nation-state actors pose the highest threat to international sporting events. From the host country to the games committee, sponsors, and even individual competing nations and athletes, it’s vital to keep a strong cybersecurity posture. Information sharing and collaboration with commercial providers, such as telecommunications companies and internet service providers is particularly important, because these organizations often are on the front line when it comes to experiencing and stopping cyberattacks, which are increasing in frequency and severity.

Today’s state of DDoS attacks

Just as the emergence of COVID-19 led to changes in how threat actors launched attacks, the return to work and school that began in the second half of 2021 resulted in several changes on the part of malicious actors.

Threat actors launched two direct-path packet-flooding attacks of more than 2.5 terabits-per-second using server-based botnets in the second half of 2021. These are the first terabit-class, direct-path DDoS attacks that have been identified, and they signal that changes are afoot in attacker strategy.

At one time, attackers were limited in their ability to carry out attacks by limited bandwidth and the tools they used. But that’s far from the case today. In fact, attackers can use DDoS-for-hire services to completely bypass the technical knowledge needed to launch a massive DDoS attack. Moreover, they continue to make use of established direct-path DDoS attack mechanisms, such as SYN, ACK, RST, and GRE floods, using high-powered servers with high-speed network connections.

In terms of flooding attacks, SYN-flood was the most popular DDoS attack vector from 1996 to 2018, when it was overtaken by DNS reflection/amplification. This changed again in 2021 when direct-path DDoS attacks became the leader. We can see this through the sharp increase in ACK flood attacks against online credit card processors and other financial services organizations as reported in the first half of 2021 NETSCOUT Threat Intelligence Report. Likewise, the 2H 2021 Threat Intelligence Report shows that SYN floods and ACK floods are the top two vectors for the second half of 2021. While these attacks often target servers and applications, they can often achieve their goal by overwhelming stateful devices such as firewalls and load balancers.

One of the most important and wide-reaching trends in the security landscape over the past decade has been the industrywide push to implement strong encryption for websites, online applications, communications services, and just about everything else used online.

This wholesale move toward encryption for anything and everything also has been noted by attackers. The additional overhead required to process encrypted communications at large scale often means that launching successful DDoS attacks against encrypted applications and services requires comparatively fewer resources on the part of the attackers. Conversely, DDoS defense for encrypted applications and services also requires more resources on the part of defenders.

High-volume, application-layer attacks launched over HTTP/S were prominent during this period. Attacks launched via the Meris and Dvinis router-based botnets were reported, either originating directly from the bots themselves or being relayed through them by way of the SOCKS5 proxy functionality of the bots. Attacks of up to 17.2 million requests per second (Mrps) were reported, representing a significant new metric for HTTP/S-encrypted application-layer DDoS attacks.

Looking at a two-year snapshot for bandwidth and throughput in attacks targeting applications and services on TCP Port 443, we see significant trends toward more potent attacks.

Many organizations are affected when these attacks occur because they don’t just target a single victim. Certainly, internet service providers (ISPs) will need to prepare, but others including sponsors, partners, transaction processors, and more could also get targeted.

Although traditional cloud-based DDoS protection solutions, including those provided by ISPs or CDNs, are designed to stop large volumetric DDoS attacks, they struggle to eliminate other types of DDoS attacks designed to evade their efforts. But what’s more, because of the dynamic, multi-vector nature of the average modern-day DDoS attack, security teams need to employ both on-premises and a cloud solution with an intelligent and automated integration that offers the most comprehensive protection. Cloud-based mitigation therefore serves an augmentation of on-premises protection, which has capabilities intended to identify and mitigate attacks designed to circumvent cloud-based solutions.   

Industry analysts now understand that because of today’s growing frequency and complexity of DDoS attacks, the need for a multilayer hybrid defense strategy has become a requirement. New techniques such as adaptive DDoS which changes vectors based on the defense that’s presented, reinforce the need for on-premises protection with its inherent attack management agility and efficiency.

Gary Sockrider, director, security solutions, NETSCOUT