DDoS attacks in the time of pandemic-induced traffic surges
Expecting a letup in cybercriminal activity in the midst of a pandemic is wishful thinking. This is what the current COVID-19 pandemic proves. Attacks against government websites, businesses, and even individuals continue. Distributed Denial of Service (also known as “DDoS”) incidents, in particular, are increasing, and they even target hospitals and institutions involved in the fight against the coronavirus outbreak.
DDoS has been a problem for many years now. There was a decline in these attacks in 2018, but the downtrend was reversed in early 2019. Now that a pandemic is battering the world, perpetrators of DDoS attacks appear to be upping the ante to hit more victims as people and businesses become more reliant on the internet for their many needs.
Traffic surges and DDoS
According to cloud provider Fastly, COVID-19 has significantly reduced internet performance in most parts of the world. In Italy, web traffic shot up by 109.3%, causing a 35.4% degradation in download speed. In the United Kingdom, web traffic increased by 78.6% and download speed fell by 30.3%. France, Spain, Japan, and the United States similarly experienced traffic increases in the 30-40% range with reductions in download speed varying from 8% to 16%. Similar trends can be observed in other parts of the world.
The bulk of the web traffic increase is concentrated on social media, video streaming, and news websites. As expected, most people access the internet for entertainment while they are in quarantine. There may also be considerable increases in bandwidth use for remote work arrangements, but they don’t appear significant enough to affect overall internet health.
Fastly says that the overall health of the internet is still good. It has not yet come to a point where ISPs have to impose limits. Some websites may take more time to load and the quality of experience when streaming videos may degrade a little, but things are still working normally.
This state of relative normalcy, however, can rapidly drop into dysfunction with DDoS in the picture.
Common attack targets
Cyber crooks are exploiting the delicate situation many companies are in as they deal with traffic surges and the need to avoid downtime.
In the latter part of March, a DDoS attack hit the servers of German food delivery startup Lieferando, with the attackers demanding a ransom of 2 BTC (~$11,000) for them to stop. A similar attack was launched against popular Dutch food delivery service Thuisbezorgd, causing delays or failures in processing orders.
Gaming giant Blizzard also experienced a DDoS attack on April 13, with players complaining that they were unable to log in. The company managed to address the problem promptly, so the company’s operations went on unscathed. EA wasn’t as lucky, though, as its servers were taken down a day after the Blizzard incident. The attack resulted in issues in the games’ online functionality.
Hospitals and healthcare-related institutions have also become common high-profile targets. In early March, Brno University Hospital, a major medical facility that conducts COVID-19 tests in the Czech Republic, was surprised by a mysterious cyberattack. It was a serious incident that forced the hospital to shut its IT network down.
In Paris, a DDoS attack sought to disrupt hospital services by targeting the website of AP-HP, the Paris hospital authority. The attack was foiled, though, according to the French cybersecurity agency.
The United States also had its share of major DDoS incidents, with the US Health and Human Services Department’s website targeted in what authorities call a “campaign of interruption and disinformation.”
Several other healthcare facilities and institutions had to contend with attacks that aim to overwhelm their servers. The Champaign-Urbana Public Health District in Illinois, Hammersmith Medicines Research, as well as the World Health Organization encountered multiple denial of service attempts last March.
There’s an emerging trend in recent DDoS attacks which suggests that malicious players have been targeting establishments or organizations involved in the fight against the coronavirus pandemic. Hospitals, governments, food delivery services, as well as entertainment sites that have seen considerable traffic increases are now common targets. It appears that attackers are seeking more suffering for those who are already struggling to deal with the global health crisis.
Growing small attacks
Aside from headline-making DDoS attacks, small attacks have also become commonplace recently. Many cybercriminals seem to be switching from large to small targets. Based on data from a Neustar research report, there was a notably high 150% increase in DDoS attacks under 5 Gbps in the last quarter of 2019. These small attacks comprise 80% of all DDoS incidents.
Small attacks are mostly driven by DDoS-for-hire services, and the COVID-19 outbreak is seen to be responsible for accelerating the rise of these attacks. Attackers see more potential victims as more people entertain and work from home.
In gaming, bad actors (unscrupulous gamers) pay for DDoS-for-hire services to disadvantage their opponents during important matches. On the other hand, the increased number of remote work arrangements is expected to fuel increases in small attacks. Security experts say that DDoS attacks against VPNs will potentially increase during the pandemic.
Companies and governments that adopt telecommuting or remote work setups are expected to use VPNs to secure their networks. Attackers will have to break through the VPN architecture to achieve the disruption they seek. As such, many VPNs could be taken down in the process.
The rise of small attacks is seen as one of the reasons why mobile and IoT device malware infection is also surging. Security researchers say that attackers need these devices as part of their attack amplification schemes. Compromised smartphones, smartwatches, home assistants, and other web-enabled devices serve as intermediate services used to generate overwhelming traffic on servers.
The Takeaway
The coronavirus-induced traffic surges, so far, have not created debilitating effects on the internet. However, DDoS perpetrators and other cyber attackers see the increased online activity as opportunities to find more prey. Never expect cybercriminals to sympathize with the many who are suffering from the lockdowns and community quarantines brought about by COVID-19. They will remain an existential threat to online services for as long as the internet exists. Hopefully, the coronavirus pandemic will just be the same kind of threat to humanity: unceasing but unlikely to end or permanently impair society.