Distributed Denial of Service (DDoS) attacks can be a significant threat to any organization. Most organizations have become increasingly reliant upon the Internet as part of their customer service and engagement strategy.
An organization’s website has become a one stop shop for the company’s goods and services, provides frequently asked questions for issues that can be resolved without the help of a support agent, and contact information or live chat functionality for those that can’t.
A DDoS attack is designed to make these services inaccessible to legitimate users by overwhelming the system with bogus requests from a variety of attacking machines. With the growth of cloud computing and the Internet of Things (IoT), these attacks have become easier and cheaper to perform as attackers can affordably rent the necessary processing power and network connections or hack into and use poorly secured IoT devices for the purpose.
As a result, implementing a strong DDoS protection solution is an important priority for any organization that can be damaged by a DDoS attack. A recent attack against the Telegram messaging application demonstrated further-reaching implications of a DDoS attack.
While many DDoS attacks are designed to hurt a particular company and its users, the Telegram attack was intended to implement censorship and help to achieve political goals.
The Telegram DDoS Attack
On June 12, 2019, the government of Hong Kong was voting on a controversial legislation. The proposed bill would have set up an extradition relationship with mainland China, allowing suspected criminals to be sent to China for trial.
This bill was unpopular, and groups began organizing protests for that day outside the Hong Kong Legislative Council Complex, where the bill was being voted upon. These protests were organized on Telegram, an encrypted messaging app that allows users to have groups of up to 20,000 members or channels that broadcast messages from the owner to an unlimited number of recipients. Due to the security and privacy of the Telegram app, it’s a common choice for organizing protests.
The day of the protests, Telegram suffered a massive DDoS attack. The malicious traffic loads experienced by the platform exceeded 200 gigabytes per second. As a result, legitimate users of the platform (including the protest organizers and members) would have a difficult time accessing the platform and information about the protest.
The Telegram team announced that the majority of the attack traffic originated from Chinese IP addresses, meaning that it was likely an attempt to stop the protests against the legislation.
This isn’t the first time that Telegram has experienced “state-level” DDoS attacks (200-400 Gbps). When discussing the attack, the Telegram CEO, Pavel Durov, said that massive DDoS attacks commonly coincide with protests in Hong Kong.
A Distributed Denial of Service attack can be a simple yet effective way for an organization or hacker with sufficient resources to deny access to resources that they would prefer to be unavailable to users.
The Evolving DDoS Attack Landscape
Distributed Denial of Service (DDoS) attacks are nothing new. Hackers with access to large botnets have used them in the past to attack organizations or pursue political goals. However, as technology changes and evolves, so does the DDoS threat landscape.
One of the biggest changes in the DDoS threat landscape is the increase in size of DDoS attacks. One indicator of this is the amount of traffic that attackers can throw at their target. In 2016, a record DDoS attack was 665 Gbps; in 2018, it was 1.3 Tbps. As DDoS attacks grow, the need for DDoS protection with massive scrubbing capabilities becomes more and more important.
However, the number of bytes per second sent to a target isn’t even what makes it difficult to protect against. In many cases, massive attacks are performed using amplification. In an amplified DDoS attack, an attacker uses some protocol where the request size is much smaller than that of a response. By sending a spoofed request from the target to the service, the attacker ensures that they can send a small amount of data, but the target is hit with a much larger amount.
However, these attacks commonly must use the same ports for all attack traffic (the one of the service used as an amplifier), making them easier to detect and block. Recent data has shown that attackers are increasingly focusing on attacks with a massive number of smaller packets rather than a small number of larger ones.
This type of DDoS attack is much more difficult to detect and protect against since it allows attackers to use a wide variety of IP addresses and ports. DDoS protection systems that focus on packet size or knowledge of amplification ports as an indicator of an attack may be incapable of detecting and blocking this type of attack traffic.
Protecting Yourself from DDoS
Despite its size, the Telegram Distributed Denial of Service (DDoS) attack is nothing special. Attackers with the resources necessary to launch large-scale DDoS attacks exist and are often willing to rent out their services for extremely low rates (less than $20/hr). As a result, massive DDoS attacks have become a feasible attack vector against any organization.
The threat of DDoS makes deployment of an effective DDoS protection system a vital component of any organization’s cyber defense strategy. With the evolving DDoS threat landscape, it’s also important to choose a provider capable of defending against modern attacks that rely on more than just volume to get the job done.
