Distributed Denial of Service (DDoS) is rising, with figures showing a surge in attacks using the technique. DDoS initially sparked the recent Microsoft outage, and in August, tech mogul Elon Musk (wrongly) said the attack method impacted his Trump interview.
The latest figures show a steep rise in DDoS over the last couple of years. DDoS attacks rose 112% from 2022 to 2023, according to F5 Labs’ latest DDoS Attack Trends Report.
“Over the last six months, they’ve been using the framework Build Your Own Botnet to compromise webservers” Michael Smith
Another report, NETSCOUT’s DDoS Threat Intelligence Report, observed more than seven million DDoS attacks in the second half of 2023, a 15% increase from the first half of the year.
More recently, adversaries are moving away from large-scale HTTP attacks on the application layer towards network layer attacks. According to CloudFlare, there was a 117% increase in network-layer DDoS in Q4 2023, with a rise in attacks targeting retail, shipment and public relations websites around Black Friday and the holiday season.
DDoS attacks see an adversary flood a service with traffic from multiple sources to bring it to a standstill. The resulting loss of service can cause extensive damage to businesses, including prolonged downtime, loss of revenue and reputational harm.
Adding to the threat, DDoS is becoming increasingly sophisticated, making attacks challenging to mitigate. “Despite advancements in cybersecurity, current DDoS protections often struggle to keep up with the scale and complexity of these attacks,” says Kennet Harpsoe, lead security researcher at Logpoint.
So why are adversaries using DDoS, and what can businesses do to protect themselves against this prevailing threat?
DDoS has been around since the 1990s, and since then, elements of attacks have evolved, such as their size, speed, perpetrators, and target. Yet, at the same time, some trends have remained or reappeared over the last few years.
For example, some of the early DDoS attacks used “booter” software on a web server to control a handful of machines together and knock targets offline, says Vercara CTO Michael Smith.
Today, hacktivists are using a variant of that technique, he says. “Over the last six months, they’ve been using the framework Build Your Own Botnet to compromise webservers. They then install a more modern booter tool and connect it to the group’s command and control servers.”
Over the last few years, attacks have continued to grow in size. In late 2023, adversaries used a new technique known as ‘Rapid Reset’ that exploits the HTTP/2 request transfer system to hit Amazon, Google, and Cloudflare in what they say is the largest-ever application layer DDoS attack. The firms report mitigating attacks reaching 155 million requests per second (Amazon), 201 million rps (Cloudflare), and a record-breaking 398 million rps (Google).
Before that, the most significant DDoS was recorded in 2017, with the attack targeting Google services reaching 2.54 Terabits per second (tbps), according to Cloudflare.
In 2020, AWS withstood a similarly large DDoS attack, with traffic peaking at 2.3 tbps.
Another attack on GitHub in 2018 reached 1.35 tbps.
While the largest recorded attacks are growing, the majority are still relatively small, says Smith: 500 to 1,000 Megabits per second and five to 10 minutes in duration is typical for DDoS.
This is because adversaries launch small test attacks across many targets to check defences. If criminals find an easy victim, they will pile on additional attacks in an extended campaign.
“Modern DDoS attacks often use botnets comprising up to millions of compromised IoT devicesKennet Harpsoe
“This means monitoring, and response times matter a lot: You could have five minutes to detect and mitigate an attack,” Smith says.
However, on rare occasions, DDoS attacks can last longer than 12 hours. The longest persisted for over a week, according to Richard Hummel, threat intelligence lead at NETSCOUT.
DDoS attacks are often achieved using botnets of compromised internet of things (IoT) devices. Take, for example, the now infamous Mirai botnet used against DNS provider Dyn in 2016, which took down websites including Twitter, Netflix, Reddit and CNN.
The rise of botnets is significant in the evolution of DDoS. “Modern DDoS attacks often use botnets comprising up to millions of compromised IoT devices,” says Harpsoe.
At the same time, a new trend is seeing attackers use DDoS as a form of extortion, threatening companies with service disruptions unless a ransom is paid.
And in the future, things could get even more complex as artificial intelligence (AI) is used to super-charge DDoS attacks. For example, adversaries could deploy AI-based systems able to optimise attacks based on reconnaissance scans and real-time performance test results, says Hummel. “This would ensure attacks have the highest impact and can overcome defences as they react.”
DDoS is a prevailing threat, but preventing attacks isn’t always straightforward. Current DDoS protections are often limited when pitted against the sophistication and scale of recent attacks, says Professor Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.
“Modern DDoS strategies involve multi-vector tactics that target various network layers simultaneously, making them difficult to detect and mitigate with traditional tools. The massive volume of traffic can surpass the handling capacity of many organisations’ infrastructures.”
Protections can also be costly and complex, requiring continual updates to combat evolving DDoS methods, says Curran.
To mitigate DDoS attacks effectively, businesses should develop a robust and redundant network infrastructure that absorbs and dissipates excessive traffic, says Curran. This involves utilising cloud services for scalability, employing advanced DDoS protection solutions such as specialised hardware or services for traffic filtering, and establishing a well-defined response plan, he says.
DDoS scrubbing services can help mitigate attacks, says George Glass, EMEA threat intel lead in the cyber risk business at consultancy Kroll. However, he advises that organisations ensure their applications and services are architected so that there are “no single points of failure vulnerabilities that might lead to denial of service”.
After an attack, firms should update their systems, continue monitoring and learn from the experience to prevent future attacks, Curran says. “This way, organisations can strengthen their defences against DDoS attacks, ensuring faster recovery and minimal impact.”
Harpsoe recommends “proactive strategies, regular security updates, and a robust incident response plan”, which he says are “crucial to minimising the impact of DDoS attacks”.
DDoS attacks are an increasingly common and complex threat, but they don’t have to have a major impact. Take the time to build up your defences against DDoS and make sure you can stay up and running if and when this increasingly common attack vector does hit your business.