The DDoS Ring of Fire maps vertical markets based on the likelihood that organizations in those markets will experience DDoS attacks. As sectors move closer to the center, organizations within these sectors are more likely to experience DoS attacks, DDoS attacks and other cyber-attacks.
This resource is designed to keep industries aware of their current cyber-attack risk level. Organizations in verticals marked with a red arrow are wise to take swift action – adjusting DDoS mitigation strategies and DDoS protection solutions to reflect the increased threat. In 2015, new risk levels applied to different industries: both Education and Hosting moved from "Medium" to "High", while ISPs, gaming companies and government remain squarely in hackers' crosshairs.
Currently five verticals – ISP, Hosting, Gaming, Government, and Education – face a high likelihood of attack.
ISP: Following last year's trends, DDoS attacks have hit an increasing number of Internet Service Providers (ISPs) as both primary and secondary targets. When an ISP is a secondary target, it is attacked solely because it provides services to the attackers' primary target. Some DDoS attacks and DDoS threats are financially motivated with groups such as The Armada Collective blackmailing large ISPs with threats of DDoS attacks unless ransom is paid via Bitcoin. For ISP targets, attack vectors are mostly amplified UDP NTP/SSDP reflected floods and UDP fragmented floods.
Hosting: This year brought an increase in DDoS threats and DDoS attacks against large hosting companies, some targeting end customers (website owners) and some targeting the hosting companies themselves. Motivations for these DDoS attacks vary. As with ISPs, some companies are threatened with a DDoS attack unless a ransom is paid through Bitcoin; in other cases, the attackers' objective is simply to damage services whose outage affects far more than the company itself, for example an attack on the DNS services of a DNS hosting company. Attack vectors for these targets include HTTP/HTTPS floods, UDP fragmented floods, ICMP floods and various TCP floods, such as SYN-ACK, PUSH-ACK and TCP-RST floods.
Gaming: Gaming services continue to experience repeated DDoS attacks and DDoS threats by hacktivist groups launching organized campaigns. In some cases, gaming companies are among a diverse group of targets; in others, campaigns are dedicated to specific gaming entities. Part of the appeal of targeting gaming services is that mandatory constant connectivity and availability of a centralized gaming platform creates a single point of failure. That makes for "efficient" DDoS attacks - with attackers able to cause more damage using fewer resources.
Attack vectors for these targets are usually SYN floods to specific ports that provide gaming services. However, attackers also used Tsunami SYN floods (SYN packet with data) several times, along with ICMP and UDP fragmented floods.
Government: Government services were targeted and threatened through various campaigns by both hacktivists and terror groups responding to the political climate. DDoS threats and attacks on government sites are not always politically motivated; many DDoS attacks are launched so that attackers gain notoriety and/or publicly shame government sites for lacking "adequate security." Attack vectors include UDP/TCP floods launched from tools distributed online, as well as brute-force attempts on specific servers and websites.
Education: DDoS attacks on school and other educational websites increased, as those who execute attacks on educational sites can gain notoriety and fame. Common DDoS threats and DDoS attacks include hitting the mail server and targeting sites and services for submitting work and managing the admission process.
A growing number of "Help me DDoS my school" requests are popping up in dark corners of the Internet, making it easy for non-hackers to attack and inflict damage on school resources. In some cases, DDoS threats and DDoS attacks targeting educational facilities represent student retaliation against the school and its policies. Attack vectors for these targets include UDP amplified reflected floods, DNS query floods and web crawlers.
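The five high-likelihood verticals above are described mainly by their attack vectors (amplified NTP/SSDP reflection, UDP fragmented floods, plain and "Tsunami" SYN floods, DNS query floods). The following is an added example, not code from the report or its publisher, showing how a defender can tag those vectors in summarized flow records before the traffic reaches a mitigation decision. The Flow record layout, every threshold, and the sample traffic window are constructed assumptions; real deployments would tune the thresholds to their own baseline.

```python
"""Added example (not from the report): a small flow-record classifier that
tags the DDoS vectors named for the high-likelihood verticals.  The Flow
layout, thresholds and the sample window are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service ports of the protocols commonly abused as UDP reflectors.
REFLECTION_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}
AMP_MIN_AVG_BYTES = 400      # replies this large from a reflector port look amplified
FRAGMENT_RATIO = 0.5         # more than half the flow's packets are IP fragments
TSUNAMI_MIN_AVG_BYTES = 100  # a SYN carrying this much data is a "Tsunami SYN"
SYN_FLOOD_THRESHOLD = 500    # SYN-only packets per target within the window
QUERY_FLOOD_THRESHOLD = 500  # DNS queries per target within the window


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str = ""     # TCP flags seen on the flow: "S" = SYN only, "SA", "PA", ...
    fragments: int = 0  # IP fragments counted within the flow


def tag_flow(flow: Flow) -> Optional[str]:
    """Label a single flow whose shape alone is suspicious; None otherwise."""
    avg = flow.bytes / flow.packets
    if flow.proto == "udp":
        if flow.sport in REFLECTION_PORTS and avg >= AMP_MIN_AVG_BYTES:
            # Large replies arriving from a reflector's service port, far bigger
            # than any request the victim could have sent.
            return f"{REFLECTION_PORTS[flow.sport]} amplified reflection"
        if flow.fragments / flow.packets > FRAGMENT_RATIO:
            return "UDP fragmented flood"
    elif flow.proto == "tcp" and flow.flags == "S":
        # A handshake SYN carries no application data; a SYN with a payload
        # is the "Tsunami SYN" variant.
        if avg >= TSUNAMI_MIN_AVG_BYTES:
            return "Tsunami SYN flood (SYN with data)"
    return None


def detect(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return per-destination alerts, combining per-flow tags with volume checks."""
    alerts: Dict[str, set] = defaultdict(set)
    syn_packets: Dict[str, int] = defaultdict(int)
    dns_queries: Dict[str, int] = defaultdict(int)
    for f in flows:
        tag = tag_flow(f)
        if tag:
            alerts[f.dst].add(tag)
        if f.proto == "tcp" and f.flags == "S":
            syn_packets[f.dst] += f.packets   # volume check: plain SYN flood
        if f.dport == 53:
            dns_queries[f.dst] += f.packets   # volume check: DNS query flood
    for dst, n in syn_packets.items():
        if n >= SYN_FLOOD_THRESHOLD:
            alerts[dst].add(f"SYN flood ({n} SYN-only packets)")
    for dst, n in dns_queries.items():
        if n >= QUERY_FLOOD_THRESHOLD:
            alerts[dst].add(f"DNS query flood ({n} queries)")
    return {dst: sorted(tags) for dst, tags in alerts.items()}


# Constructed sample window: 203.0.113.10 is a game server under attack,
# 203.0.113.53 a school's DNS resolver, 203.0.113.80 a quiet web server.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "203.0.113.10", "udp", 123, 40001, 200, 96000),
    Flow("198.51.100.2", "203.0.113.10", "udp", 1900, 40002, 50, 30000),
    Flow("198.51.100.3", "203.0.113.10", "udp", 40003, 27015, 100, 140000, fragments=90),
    Flow("198.51.100.4", "203.0.113.10", "tcp", 40004, 27015, 300, 18000, flags="S"),
    Flow("198.51.100.5", "203.0.113.10", "tcp", 40005, 27015, 300, 18000, flags="S"),
    Flow("198.51.100.6", "203.0.113.10", "tcp", 40006, 27015, 100, 100000, flags="S"),
    Flow("198.51.100.7", "203.0.113.53", "udp", 40007, 53, 400, 28000),
    Flow("198.51.100.8", "203.0.113.53", "udp", 40008, 53, 300, 21000),
    Flow("198.51.100.9", "203.0.113.80", "tcp", 40009, 443, 40, 26000, flags="PA"),
    Flow("203.0.113.80", "198.51.100.9", "udp", 123, 123, 2, 180),  # ordinary NTP sync
]

if __name__ == "__main__":
    for dst, tags in detect(SAMPLE_FLOWS).items():
        print(dst, "->", "; ".join(tags))
```

The per-flow tags catch vectors that are recognizable from packet shape alone (a reply from port 123 averaging 480 bytes, a SYN with a payload), while SYN and DNS query floods only show up once packets are summed per target, which is why `detect` keeps both views. The ordinary NTP exchange in the last sample flow stays unflagged because its packets are small.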
Four verticals have a medium likelihood of DDoS attacks: financial services, healthcare, retail, and mobile.
Financial: As symbols of wealth and capitalism, financial institutions are frequently the target of hacktivist campaigns. Typically, these groups demand Bitcoin or other forms of crypto-currency to stop the attack. 2015 brought an increase in both the average ransom amount and the number of hacktivist groups attacking financial targets.
Financial services are also targeted to gain access to sensitive data to be leveraged for extortion. In December 2015, hackers leaked customer data after a United Arab Emirates bank failed to pay the $3 million ransom. The stolen information is often sold in black markets, leaving the banks with the task of managing the crisis of customer data retrieval and fraudulent transactions. Attack vectors for these targets include very high-bandwidth UDP/TCP floods and connection floods, usually with several botnets exhausting link and service resources.
Mobile: New smart-phone features create new vulnerabilities - giving individual hackers and hacktivists new ways to exploit mobile devices. This increases the risk of DDoS threats and DDoS attacks for both mobile users and mobile networks. In addition, hacktivists targeted media companies because of objections to policies, and nation state-funded groups targeted media companies because of objections to content. Common attack vectors for this vertical include connection floods, SYN/empty connection floods and HTTP/S floods.
Health: In 2014, Boston Children's Hospital became the first healthcare organization targeted by a hacktivist group. Following this, other hospitals and healthcare centers were targeted with extortion schemes, data theft, and HTTP floods against healthcare organizations' email servers. A Bitglass study discovered that sensitive information stolen from healthcare providers was up to fifty times more valuable than credit card data - yielding another motivation for intrusion attacks, sometimes masked with DDoS attacks.
Health insurance companies are another target in this segment, as they store large volumes of client information, even more than banks. Attack vectors observed included mostly UDP fragmented/NTP-Monlist floods, intrusion attempts and HTTP floods.
Retail: Retail businesses were the target of cyber-attacks all over the world in 2015. The result: huge financial damage associated with the losses that even a small service outage can create. Some of these attacks were launched with high bandwidth, reaching 40 Gbps. Cyber-attacks against retailers are often used as a smokescreen for more sinister acts, such as ransom notices or large-scale data breaches.
For retailers, one of the vulnerabilities is the use of CDNs, which attackers can abuse to launch a large-scale attack whose origin is masked behind the CDN's identity: the retailer's servers see only the CDN's addresses, not the real clients. Attack vectors for these targets include HTTP/HTTPS/Triple-Headers floods, TCP floods, SYN floods and connection floods.
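Because a retailer's origin servers see only the CDN's edge addresses, a per-source rate limit keyed on the connecting peer either blocks the whole CDN (and every legitimate shopper behind it) or blocks nothing. The following is an added example, not code from the report or any CDN vendor, of the usual defensive fix: attribute each request to the client address the CDN edge forwards, but trust that forwarded header only when the connecting peer really is a known CDN edge, since anyone else could simply write the header themselves. The CDN address range, the window and limit, and the sample request log are constructed assumptions, and the code assumes a single trusted CDN hop (the edge appends the real client as the rightmost X-Forwarded-For entry).

```python
"""Added example (not from the report): per-client rate limiting behind a CDN.
CDN ranges, limits and the sample log are constructed assumptions."""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional, Tuple

# Hypothetical edge ranges of the CDN in use; replace with the provider's list.
CDN_EDGE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 20


def is_cdn_edge(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CDN_EDGE_RANGES)


def client_ip(peer_ip: str, x_forwarded_for: Optional[str], trust_cdn: bool = True) -> str:
    """Pick the address to rate-limit on.

    With a single trusted CDN hop, the rightmost X-Forwarded-For entry is the
    one the edge itself appended; anything left of it was supplied by the
    client and may be forged.  The header is honoured only when the peer is a
    known edge, otherwise the peer address is used as-is."""
    if trust_cdn and x_forwarded_for and is_cdn_edge(peer_ip):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            try:
                ipaddress.ip_address(hops[-1])  # reject garbage in the header
                return hops[-1]
            except ValueError:
                pass
    return peer_ip


class RateLimiter:
    """Sliding-window counter per attributed client."""

    def __init__(self, window: float = WINDOW_SECONDS, limit: int = MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()                      # drop hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process(requests: Iterable[Tuple[float, str, Optional[str]]],
            trust_cdn: bool = True) -> Dict[str, int]:
    """Replay a (timestamp, peer_ip, x_forwarded_for) log through the limiter
    and return the number of blocked requests per attributed client."""
    limiter = RateLimiter()
    blocked: Dict[str, int] = defaultdict(int)
    for ts, peer, xff in sorted(requests, key=lambda r: r[0]):
        who = client_ip(peer, xff, trust_cdn)
        if not limiter.allow(who, ts):
            blocked[who] += 1
    return dict(blocked)


# Constructed sample log: one abusive client and one ordinary shopper both
# arrive through the same CDN edge, plus a direct peer forging the header.
SAMPLE_REQUESTS = (
    [(i * 0.1, "192.0.2.10", "198.51.100.7") for i in range(60)]        # abusive
    + [(i * 0.5, "192.0.2.10", "198.51.100.8") for i in range(10)]      # ordinary
    + [(i * 0.2, "203.0.113.5", "10.9.9.9, 10.9.9.10") for i in range(25)]  # forged XFF
)

if __name__ == "__main__":
    print("trusting CDN header:", process(SAMPLE_REQUESTS))
    print("keyed on peer only: ", process(SAMPLE_REQUESTS, trust_cdn=False))
```

With the header trusted from the edge, only the abusive client and the direct forger are throttled and the ordinary shopper sharing the edge address is untouched; keyed on the peer alone, the shared edge address is throttled as one client and the shopper loses service along with the attacker. The forged header from the non-CDN peer is ignored, so that peer is limited under its own address.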
Only energy and utilities companies have a low likelihood of attack.
Energy and Utility: For energy and utility companies, the DDoS threat landscape remains stable due to segregation of these companies' networks. Even so, the industry remains a valid target for DDoS attacks, particularly because of the damage a successful attack can cause.
In recent years, the industry has faced advanced state-sponsored campaigns, including BlackEnergy, Energetic Bear, Mirage and Night Dragon, as well as numerous ongoing campaigns by China's PLA Unit 61398, Russia, and Ukraine. For example, in early 2016 the Federal Bureau of Investigation (FBI) warned the United States to be on the alert for a sophisticated Iranian hacking operation whose targets include energy firms. The operation is the same as the one flagged in December 2015 as targeting critical infrastructure organizations worldwide.