Features 12.09.2024

DDoS Evolution: What You Need to Know

DDoS attacks rose 112% from 2022 to 2023

DDoS attacks are growing in size and number. Kate O’Flaherty questions why adversaries are using the technique and what businesses can do to protect themselves against this prevailing threat

Distributed Denial of Service (DDoS) is rising, with figures showing a surge in attacks using the technique. A DDoS attack was the initial trigger of the recent Microsoft outage, and in August, tech mogul Elon Musk (wrongly) said the attack method had disrupted his Trump interview.

The latest figures show a steep rise in DDoS over the last couple of years. DDoS attacks rose 112% from 2022 to 2023, according to F5 Labs’ latest DDoS Attack Trends Report.


Another report, NETSCOUT’s DDoS Threat Intelligence Report, observed more than seven million DDoS attacks in the second half of 2023, a 15% increase from the first half of the year.

More recently, adversaries have been shifting away from large-scale HTTP attacks on the application layer towards network-layer attacks. According to Cloudflare, network-layer DDoS attacks rose 117% year-on-year in Q4 2023, with a rise in attacks targeting retail, shipment and public relations websites around Black Friday and the holiday season.

DDoS attacks see an adversary flood a service with traffic from multiple sources to bring it to a standstill. The resulting loss of service can cause extensive damage to businesses, including prolonged downtime, loss of revenue and reputational harm.

Adding to the threat, DDoS is becoming increasingly sophisticated, making attacks challenging to mitigate. “Despite advancements in cybersecurity, current DDoS protections often struggle to keep up with the scale and complexity of these attacks,” says Kennet Harpsoe, lead security researcher at Logpoint.

So why are adversaries using DDoS, and what can businesses do to protect themselves against this prevailing threat?

Evolution of DDoS

DDoS has been around since the 1990s, and since then, elements of attacks have evolved, such as their size, speed, perpetrators, and target. Yet, at the same time, some trends have remained or reappeared over the last few years.

For example, some of the early DDoS attacks used “booter” software on a web server to control a handful of machines together and knock targets offline, says Vercara CTO Michael Smith.

Today, hacktivists are using a variant of that technique, he says. “Over the last six months, they’ve been using the framework Build Your Own Botnet to compromise webservers. They then install a more modern booter tool and connect it to the group’s command and control servers.”

Over the last few years, attacks have also continued to grow in size. In late 2023, adversaries used a new technique known as ‘Rapid Reset’ (CVE-2023-44487), which abuses HTTP/2 stream cancellation: a client opens a request stream and immediately cancels it with an RST_STREAM frame, so the server does the work of handling each request while the cancelled streams never count against its concurrency limit. The technique was used to hit Amazon, Google, and Cloudflare in what they describe as the largest-ever application-layer DDoS attacks. The three report mitigating attacks peaking at 155 million requests per second (Amazon), 201 million rps (Cloudflare), and a record 398 million rps (Google).
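To make the Rapid Reset mechanism concrete, here is an added example (my own code, not from the article or from any of the providers it names) of the per-connection cancellation budget that HTTP/2 server implementations adopted as a mitigation. The frame events, the two connection names and the budget of 100 resets per second are constructed assumptions; the point it shows is that the attacker's peak concurrency stays at one stream, so SETTINGS_MAX_CONCURRENT_STREAMS never trips and only the reset rate gives the attack away.

```python
"""Per-connection guard against HTTP/2 Rapid Reset abuse.

Added example (not code from the article or from the vendors it quotes).
Rapid Reset works because a client may open a stream with HEADERS and
cancel it with RST_STREAM immediately: the server has already paid to
parse and route the request, but the stream no longer counts against
SETTINGS_MAX_CONCURRENT_STREAMS, so that limit never trips. The guard
below applies the mitigation the HTTP/2 implementations shipped in 2023:
count cancellations per connection in a sliding window and send GOAWAY
once they exceed a budget. Frame events, the 100-resets-per-second
budget and the connection names are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnState:
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)  # RST_STREAM timestamps in window
    peak_open: int = 0      # highest concurrent stream count seen
    resets: int = 0         # RST_STREAM frames counted before any GOAWAY
    closed: bool = False    # True once the guard decided to send GOAWAY


class RapidResetGuard:
    def __init__(self, max_resets=100, window_s=1.0):
        self.max_resets = max_resets
        self.window_s = window_s
        self.conns = {}

    def handle(self, conn, t, frame, stream_id):
        """Process one client frame; return True if the connection should be closed."""
        st = self.conns.setdefault(conn, ConnState())
        if st.closed:
            return True
        if frame == "HEADERS":
            st.open_streams.add(stream_id)
            st.peak_open = max(st.peak_open, len(st.open_streams))
        elif frame == "END_STREAM":            # request completed normally
            st.open_streams.discard(stream_id)
        elif frame == "RST_STREAM":
            st.open_streams.discard(stream_id)
            st.resets += 1
            st.reset_times.append(t)
            while st.reset_times and t - st.reset_times[0] > self.window_s:
                st.reset_times.popleft()
            if len(st.reset_times) > self.max_resets:
                st.closed = True
                return True
        return False


def constructed_events():
    """Two clients on one server: a browser and a Rapid Reset attacker (constructed)."""
    events = []
    # Browser: 60 requests over 12 s, three cancelled (user navigated away).
    for i in range(60):
        sid, t = 2 * i + 1, i * 0.2            # client streams use odd IDs
        events.append(("browser", t, "HEADERS", sid))
        done = "RST_STREAM" if i in (7, 23, 41) else "END_STREAM"
        events.append(("browser", t + 0.1, done, sid))
    # Attacker: open and immediately cancel 500 streams within 0.1 s.
    for i in range(500):
        sid, t = 2 * i + 1, i * 0.0002
        events.append(("attacker", t, "HEADERS", sid))
        events.append(("attacker", t + 0.0001, "RST_STREAM", sid))
    events.sort(key=lambda e: e[1])             # interleave as the server would see them
    return events


def run(events, max_resets=100, window_s=1.0):
    """Feed events through the guard; return per-connection outcome."""
    guard = RapidResetGuard(max_resets, window_s)
    for conn, t, frame, sid in events:
        guard.handle(conn, t, frame, sid)
    return {c: {"closed": s.closed, "peak_open": s.peak_open, "resets": s.resets}
            for c, s in guard.conns.items()}


if __name__ == "__main__":
    for conn, info in run(constructed_events()).items():
        print(conn, info)
```

Both connections report a peak of one open stream, which is why a concurrency cap alone did not stop the 2023 attacks; the attacker is cut off at its 101st cancellation inside the one-second window, while the browser's three cancellations are nowhere near the budget.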

Those figures are for application-layer attacks and are measured in requests per second. The largest network-layer (volumetric) attacks are measured in bandwidth instead: the record there was set in 2017, when an attack on Google services peaked at 2.54 terabits per second (Tbps), according to Cloudflare (Google only disclosed it in 2020).

In 2020, AWS withstood a similarly large attack, a CLDAP reflection flood peaking at 2.3 Tbps.

An earlier attack on GitHub in 2018 reached 1.35 Tbps using memcached amplification.

Small attacks, less time

While the largest recorded attacks are growing, the majority are still relatively small, says Smith: 500 to 1,000 megabits per second (Mbps) and five to 10 minutes in duration is typical for DDoS.

This is because adversaries launch small test attacks across many targets to check defences. If criminals find an easy victim, they will pile on additional attacks in an extended campaign.


“This means monitoring, and response times matter a lot: You could have five minutes to detect and mitigate an attack,” Smith says.
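As an added example of the minute-scale detection Smith's five-minute window demands (and of the "early indicators" Hummel's tip calls for further down), here is my own detector over constructed flow records, not code from the article or from any vendor it quotes. It keeps an exponentially weighted baseline of throughput and distinct sources per minute and alerts when a minute exceeds a multiple of the baseline or an absolute floor; the 200 Mbps floor, the 3x multiplier, the smoothing factor and the sample addresses are assumptions.

```python
"""Minute-scale volumetric DDoS detector over flow records.

Added example (not code from the article or from the vendors it quotes).
Typical attacks are short (5 to 10 minutes) and modest (500 to 1,000
Mbps), so the detection window must be minutes, not hours. The flow
records are constructed for this example; the EWMA smoothing factor, the
3x multiplier, the 200 Mbps floor and the source-count multiplier are
assumptions a deployment would tune to its own baseline.
"""
from collections import defaultdict

TARGET = "203.0.113.10"   # constructed victim address (documentation range)


def aggregate_per_minute(flows, target):
    """{minute: (mbps, distinct_sources)} for flow records (minute, src, dst, bytes)."""
    bytes_by_min = defaultdict(int)
    srcs_by_min = defaultdict(set)
    for minute, src, dst, nbytes in flows:
        if dst != target:
            continue
        bytes_by_min[minute] += nbytes
        srcs_by_min[minute].add(src)
    return {m: (bytes_by_min[m] * 8 / 60 / 1e6, len(srcs_by_min[m]))
            for m in sorted(bytes_by_min)}


def detect(per_minute, alpha=0.2, multiplier=3.0, floor_mbps=200.0, src_multiplier=5.0):
    """Alert when a minute's throughput exceeds max(floor, multiplier x EWMA baseline).

    The baseline is frozen during an alert so the flood is not learned as
    the new normal, which would otherwise silence the alert on the next
    minute of a six-minute attack. The distinct-source ratio tags the
    alert as distributed rather than a single noisy client.
    """
    alerts = []
    base_mbps = base_srcs = None
    for minute, (mbps, nsrc) in per_minute.items():
        if base_mbps is None:                  # first minute seeds the baseline
            base_mbps, base_srcs = mbps, nsrc
            continue
        if mbps > max(floor_mbps, multiplier * base_mbps):
            alerts.append({"minute": minute, "mbps": round(mbps), "sources": nsrc,
                           "distributed": nsrc > src_multiplier * base_srcs})
            continue                           # do not update the baseline
        base_mbps = alpha * mbps + (1 - alpha) * base_mbps
        base_srcs = alpha * nsrc + (1 - alpha) * base_srcs
    return alerts


def constructed_flows(target=TARGET, attack_start=30, attack_minutes=6):
    """45 minutes of traffic: ~50 Mbps from 20 clients, plus a 6-minute 800 Mbps flood."""
    flows = []
    for minute in range(45):
        rate_mbps = 55 if minute % 2 else 45   # benign jitter around 50 Mbps
        per_src = int(rate_mbps * 1e6 / 8 * 60 / 20)
        for i in range(20):
            flows.append((minute, f"192.0.2.{i + 1}", target, per_src))
        if attack_start <= minute < attack_start + attack_minutes:
            per_src = int(800e6 / 8 * 60 / 500)
            for i in range(500):               # 500 sources, e.g. a rented botnet slice
                flows.append((minute, f"10.{i // 256}.{i % 256}.1", target, per_src))
    return flows


if __name__ == "__main__":
    for alert in detect(aggregate_per_minute(constructed_flows(), TARGET)):
        print(alert)
```

Run against the constructed records, it raises an alert in the first minute of the flood and on each of the five that follow, tagged as distributed because the source count jumps from 20 to 520; with the baseline frozen, the same detector would also catch the second and third minutes, which a naively updated baseline would absorb.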

However, on rare occasions, DDoS attacks can last longer than 12 hours. The longest persisted for over a week, according to Richard Hummel, threat intelligence lead at NETSCOUT.

DDoS attacks are often achieved using botnets of compromised internet of things (IoT) devices. Take, for example, the now infamous Mirai botnet used against DNS provider Dyn in 2016, which took down websites including Twitter, Netflix, Reddit and CNN.

The rise of botnets is significant in the evolution of DDoS. “Modern DDoS attacks often use botnets comprising up to millions of compromised IoT devices,” says Harpsoe.

At the same time, a growing trend sees attackers use DDoS as a form of extortion, sometimes called ransom DDoS (RDDoS), threatening companies with service disruptions unless a ransom is paid.

And in the future, things could get even more complex as artificial intelligence (AI) is used to super-charge DDoS attacks. For example, adversaries could deploy AI-based systems able to optimise attacks based on reconnaissance scans and real-time performance test results, says Hummel. “This would ensure attacks have the highest impact and can overcome defences as they react.”

DDoS prevention

DDoS is a prevailing threat, but preventing attacks isn’t always straightforward. Current DDoS protections are often limited when pitted against the sophistication and scale of recent attacks, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.

“Modern DDoS strategies involve multi-vector tactics that target various network layers simultaneously, making them difficult to detect and mitigate with traditional tools. The massive volume of traffic can surpass the handling capacity of many organisations’ infrastructures.”

Protections can also be costly and complex, requiring continual updates to combat evolving DDoS methods, says Curran.

To mitigate DDoS attacks effectively, businesses should develop a robust and redundant network infrastructure that absorbs and dissipates excessive traffic, says Curran. This involves utilising cloud services for scalability, employing advanced DDoS protection solutions such as specialised hardware or services for traffic filtering, and establishing a well-defined response plan, he says.

DDoS scrubbing services can help mitigate attacks, says George Glass, EMEA threat intel lead in the cyber risk business at consultancy Kroll. However, he advises that organisations ensure their applications and services are architected so that there are “no single points of failure vulnerabilities that might lead to denial of service”.

After an attack, firms should update their systems, continue monitoring and learn from the experience to prevent future attacks, Curran says. “This way, organisations can strengthen their defences against DDoS attacks, ensuring faster recovery and minimal impact.”

Harpsoe recommends “proactive strategies, regular security updates, and a robust incident response plan”, which he says are “crucial to minimising the impact of DDoS attacks”.

DDoS attacks are an increasingly common and complex threat, but they don’t have to have a major impact. Take the time to build up your defences against DDoS and make sure you can stay up and running if and when this increasingly common attack vector does hit your business.

Five tips for managing DDoS

  1. Implement redundancy and load balancing: Distribute resources across multiple servers and data centres to prevent a single point of failure and reduce the impact of an attack, says Harpsoe.
  2. Visibility into network activities is vital: “By detecting the early indicators of an attack, businesses can better predict and prevent being hit,” says Hummel.
  3. Conduct regular security audits: Regularly review and update security protocols to identify and address potential vulnerabilities, says Harpsoe.
  4. Consider cloud: For network-level attacks, increasing boundary processing resources in real-time can combat attempts to drown out the target system. “As an attacker sends a growing number of messages to flood the system, more cloud resource is allocated to process those requests. This allows the genuine requests through while immediately dropping the illicit ones before they hit the target system,” says Andy Grayland, CISO at Silobreaker.
  5. Make sure you have an incident response plan: Prepare for DDoS attacks with a detailed incident response plan that outlines steps for minimising downtime and communicating effectively.
