In its quarterly report on Distributed Denial of Service (DDoS) attacks, Lumen Technologies (NYSE: LUMN) revealed the company mitigated one of its largest ever – a 1.06 terabits per second (Tbps) attack that was part of a larger campaign targeting a single victim. Despite the size and complexity of the attempted attack, the target experienced no downtime.
Size was not the only notable element of the failed attack; it was also part of a larger campaign in which the threat actor attempted to leverage multiple techniques. These techniques are called out in the report as emerging trends in the second quarter.
Trend #1: Leveraging the cloud
Attackers leverage cloud-based services in a fraudulent way to significantly boost their attack capability.
To be successful at this type of attack, cybercriminals mask their acquisition and control of cloud-based services through compromised hosts or anonymizing services. The attacker then abuses the cloud providers' resources to launch volumetric attacks against their intended victims.
To learn how to avoid being a victim of compromised cloud services, read the full Q2 DDoS report.
"Using cloud and hosting providers to launch large DDoS attacks creates a unique challenge because it puts both the victim and the provider at risk," said Mark Dehus, director of threat intelligence for Black Lotus Labs, the threat research team at Lumen. "Cloud providers must be vigilant to ensure their services are not being abused. They should also have mitigation methodologies to limit the impact if a threat actor gains unauthorized or fraudulent access to resources."
Trend #2: Hit-and-run
Analysis from Black Lotus Labs revealed the 1.06 Tbps attack was part of a larger campaign that lasted 12 minutes. It began when the threat actor attempted to deploy a series of "hit-and-run" attacks. With this technique, victims are typically targeted with a series of consecutive or concurrent attacks that are relatively small in size and duration. Threat actors deploy these attacks to assess a potential victim's defenses and determine which attack methods – if any – will be successful.
The longest campaign Lumen mitigated in Q2 lasted 21 days, 8 hours.
Learn how to protect against hit-and-run attacks with Lumen DDoS Mitigation services.
Trend #3: VoIP targeting continues
Late last year, several researchers (including Lumen) began reporting on a rise in attacks targeting VoIP providers. In Q2 2022, one attack vector – Session Initiation Protocol (SIP) – stood out in the data. Although the number of SIP attacks that Lumen mitigated was relatively small – just 1.84% of all mitigations – they represented a 315% increase over Q1 2022, and a 475% increase over Q3 2021.
While the number of SIP attacks is low compared to tried-and-true methods, attacking SIP is considered a more surgical approach to disrupting VoIP services compared to DDoS brute-force methods like TCP-SYN flooding and UDP-based amplification. For more information about Lumen's previous research into VoIP attacks, read our Q4 2021 DDoS report.
"Organisations of all types can be victimized by DDoS attacks," said Dehus. "Using the intelligence and visibility from the Lumen Platform, Black Lotus Labs can protect Lumen DDoS customers with better insights from the ever-growing list of threats to business-critical systems and data."