StormWall records the evolution of botnets

In late 2021 and early 2022, we faced very strong DDoS attacks, the strength of which reached 1.2 Tbit/s at times. These attacks suddenly stopped on January 11, 2022, shortly after the Internet in Kazakhstan was shut down by local authorities in connection with mass protests in the republic. However, after the Internet started working again in Kazakhstan, the attacks resumed.

Although the strength of the attacks has decreased at the same time, their effectiveness has generally increased, as the strength of filtering points available to most anti-DDoS providers in certain regions is clearly insufficient to defend against serious, targeted attacks carried out using today's botnets.

We have analyzed the characteristics of the attacks observed at the end of last year and in the first half of this year and have come to the following conclusions.

1. Botnets are being grouped in clusters

As mentioned earlier, attacks during New Year's holidays were carried out using a new botnet that appears to consist of many powerful heterogeneous botnets grouped into a cluster. These botnets covered a wide range of devices - from user PCs, servers and routers running different versions of operating systems to various devices of the domestic and industrial Internet of Things: Webcams, smart TVs, etc. Most likely, the botnets were created by different teams of hackers who used different methods and tools to gain control over the devices - infection, penetration and other techniques could be used. Later, the attackers were able to create a single management system on top of these botnets, which allowed them to launch targeted DDoS attacks of colossal strength.

2. DDoS attacks based on botnets move closer to their intended targets

However, the attackers did not limit themselves to increasing the attack strength, but also began to change the methods of attack execution. In particular, the hackers redistributed the concentration of attack power in different regions. Previously, most of the attacks were carried out from devices in Asia, but recently we notice that more and more attacks are carried out through botnets that include devices in Europe. It is likely that attackers have realized the low effectiveness of attacks from Asia (as illicit traffic is easily cut off at local filtering points) and are currently trying to attack from devices closer to their targets - and these are now mainly located in Europe and Russia. Accordingly, the load on European filtering nodes is noticeably increasing.

This leads to the conclusion: in order to successfully protect their customers from current DDoS attacks, anti-DDoS providers must not only maintain a distributed filtering network, but also ensure high performance of each of their nodes, sufficient to defend against attacks with a capacity of 1 Tbit/s or more.

3. Filtering networks with a small number of powerful nodes are most effective at stopping attacks from powerful botnets.

DDoS protection service providers typically take one of two approaches to building their filtering networks. The first approach shares many similarities with CDN network architectures: Dozens and hundreds of points of presence are created, each with a small capacity. In particular, such an architecture is built by one well-known cloud security vendor. The advantage of this approach is that it minimizes traffic delays during periods when there are no attacks or when they are weak - for some customers, this factor is one of the most important when choosing an anti-DDoS provider. However, it can be very difficult to defend against a serious, narrowly targeted attack that aims to take out nodes or sites in a particular region using low-powered filters: Some users will almost inevitably face the unavailability of the Internet resource protected in this way if their traffic to it passes through filtering points that devote all their productivity to defending against the attack.

The second architectural approach is to set up a small number of filter points around the world, but at the same time concentrate very high performance on these points. This architecture makes it easy to defend against a DDoS attack of almost any strength, even if its entire force falls on one of the nodes. However, during periods when there are no attacks, the delay of traffic is somewhat larger than with the first type architecture. However, this problem can be easily solved by placing a special DDoS sensor at the customer's site: It analyzes traffic for signs of an attack and, if detected, immediately forwards it to filtering nodes.

This is the scheme of the StormWall filtering network architecture, in which there are only five nodes: in Frankfurt am Main, Washington, Hong Kong, Moscow and Almaty. We believe that concentrating computational and network resources at multiple points of traffic processing is much more effective in stopping strong DDoS attacks than a highly distributed network of filtering nodes, each of which has rather low performance.

Given that we can expect a rapid increase in the strength of DDoS attacks in the foreseeable future (due in part to botnet coverage of an increasing number of Internet of Things devices and the use of 5G channels and technologies), such an architectural solution seems most promising to us. Low delays in data traffic are far less critical than the problems associated with the unavailability of Internet resources, the protection of which has proven ineffective.

Why stress tests and other DDoS protection checks are so important

When an attacker knows your infrastructure better than you do, or the most trivial mistakes in connecting DDoS protection