Techdee

Lessons Learned About DDoS Protection from Major Attacks

The number of DDoS attacks in the first half of 2023 increased by over thirty percent year-on-year, with nearly eight million attacks recorded. DDoS is largely a straightforward attack aimed at exhausting the resources of a website or online service. However, it seems organizations are still unable to adequately defend themselves against such attacks, which makes DDoS a viable attack for cybercriminals.

This continued increase in the number and viability of DDoS attacks does not necessarily mean that organizations are doing nothing to address the problem. Certainly, there are serious efforts in building better defenses against distributed denial-of-service attacks. However, just like other cyber attacks, DDoS continues to evolve to elude existing detection and prevention solutions.

Here’s a list of examples of how DDoS solutions have improved in response to the growing sophistication of DDoS attacks. These show that lessons have been learned and organizations are not exactly helpless against this attack. They just need to update their defenses.

The Necessity of Scalable Solutions

In 2016, a DDoS attack pushed the limits of DDoS protection systems, as it employed a massive botnet that targeted the DNS infrastructure of Dyn, a DNS service provider. The extent of the attack was unprecedented at that time, exhausting the ability of protective systems to keep up. This incident highlighted the need for scalability in DDoS defense, something solutions back then lacked.

The perpetrator took advantage of various techniques to launch the attack. These include the Mirai malware, which infected small connected and smart devices (Internet of Things devices in particular) and turned them into a huge botnet capable of overwhelming defenses with enormous volumes of requests.

Today's DDoS protection solutions are built with this scalability concern in mind: they are designed to be cost-efficient and elastic, expanding protection according to what an incident requires. Multiple strategies are combined to respond effectively to massive distributed denial-of-service attacks. These usually include cloud-based protection, traffic scrubbing, automation, collaborative threat intelligence, and a global network of servers. Modern DDoS defenses anticipate the ever-expanding capabilities of attacks to maximize protection.

Multiple Layers of Protection are Necessary to Deal with Multiple Vectors

Modern DDoS attacks use various vectors to hit the different layers of a network at the same time. They can target network bandwidth through volumetric assault, which saturates links with immense amounts of traffic. There are also TCP SYN/ACK reflection attacks, which exploit the TCP handshake by transmitting a huge number of SYN or ACK packets to impair the target's ability to complete handshakes.

Additionally, modern DDoS attacks employ a number of amplification strategies. They can make use of UDP reflection, DNS amplification, and HTTP(S) application layer attacks. UDP reflection or amplification sends seemingly legitimate requests to third-party servers with the source address forged to be the target's, so that the servers' responses cause network congestion at the target. DNS amplification abuses DNS servers to overwhelm the target with massive DNS response traffic. HTTP(S) application layer attacks, on the other hand, send huge numbers of HTTP(S) requests that appear legitimate but are actually meant to exhaust application layer capacity.

Moreover, advanced DDoS attacks employ ICMP floods, SSL/TLS attacks, and layer 7 targeting. ICMP floods overwhelm the target with Internet Control Message Protocol echo request packets, which can saturate bandwidth and cause network disruptions. SSL/TLS attacks similarly disrupt services by abusing the SSL/TLS handshake process used to establish secure connections, which is computationally expensive for the server. Meanwhile, layer 7 DDoS attacks mimic legitimate user behavior to exhaust application resources and degrade functionality.

In response to these multi-vector attacks, DDoS solutions come with a host of new functions including traffic filtering, rate limiting, SYN/ACK filtering and limiting, and anti-spoofing and filtering for vulnerable UDP services. Firewalls have also evolved into web application firewalls (WAF) capable of distinguishing malicious from legitimate traffic. Additionally, advanced DDoS defense systems provide ICMP filtering, connection limits and timeout mechanisms, SSL/TLS offloading, and a combination of behavioral analysis and rate limiting to deliver application-layer protection.
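The defensive functions listed above (SYN limiting, ICMP filtering, reflection-port filtering, volumetric thresholds, and per-source layer-7 rate limiting) all reduce to per-second counting over the traffic an edge device sees. The following is an added example written for this article, not code from any DDoS product or from the article's author: it parses a constructed packet-summary log (the line format, the thresholds, and the traffic itself are all made up here) and reports which vectors fired in which second and which sources should be rate limited. It also recognises memcached reflection (inbound UDP from source port 11211), the vector discussed in the GitHub section below.

```python
"""Multi-vector DDoS triage over constructed packet-summary log lines.

Added example: the log format, thresholds and traffic below are made up for
this demonstration and are not taken from any product or from the article.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Source ports commonly abused for UDP reflection (DNS, NTP, SSDP, memcached).
REFLECTION_SPORTS = {53, 123, 1900, 11211}

# Illustrative per-second thresholds; a real deployment derives them from a
# measured baseline rather than fixed constants.
SYN_PER_SEC = 50                # SYNs per second before a SYN flood is declared
SYN_DISTINCT_SRC = 20           # ...and from at least this many distinct sources
ICMP_ECHO_PER_SEC = 100         # echo requests per second
UDP_REFLECT_PER_SEC = 20        # inbound UDP from a reflection port, per second
HTTP_PER_SRC_PER_SEC = 30       # layer-7 per-source rate limit
VOLUME_BYTES_PER_SEC = 200_000  # volumetric trip point (tiny, for the sample)


@dataclass(frozen=True)
class Pkt:
    ts: int       # whole seconds since capture start
    src: str
    proto: str    # "tcp", "udp" or "icmp"
    sport: int
    dport: int    # for ICMP this column carries the ICMP type (8 = echo request)
    flags: str    # TCP flags ("S", "SA", "PA", ...), "" when not applicable
    size: int     # bytes on the wire
    http: bool    # True when the packet carried an HTTP request


def parse(line: str) -> Pkt:
    """Parse one constructed summary line: ts src proto sport dport flags size http|-"""
    ts, src, proto, sport, dport, flags, size, http = line.split()
    return Pkt(int(ts), src, proto, int(sport), int(dport),
               "" if flags == "-" else flags, int(size), http == "http")


def triage(lines):
    """Classify traffic per second into the vectors described in the text.

    Returns (vectors, rate_limited): vectors maps a vector name to the sorted
    list of seconds in which it fired; rate_limited is the sorted list of
    sources that exceeded the layer-7 per-source limit.
    """
    syn, icmp, reflect, volume, http = Counter(), Counter(), Counter(), Counter(), Counter()
    syn_srcs = defaultdict(set)
    for line in lines:
        p = parse(line)
        volume[p.ts] += p.size
        if p.proto == "tcp" and p.flags == "S":          # bare SYN, no ACK
            syn[p.ts] += 1
            syn_srcs[p.ts].add(p.src)
        elif p.proto == "icmp" and p.dport == 8:          # echo request
            icmp[p.ts] += 1
        elif p.proto == "udp" and p.sport in REFLECTION_SPORTS:
            reflect[p.ts] += 1                            # likely reflected reply
        if p.http:
            http[(p.src, p.ts)] += 1

    vectors = defaultdict(set)
    for ts, n in syn.items():
        if n >= SYN_PER_SEC and len(syn_srcs[ts]) >= SYN_DISTINCT_SRC:
            vectors["syn_flood"].add(ts)
    for ts, n in icmp.items():
        if n >= ICMP_ECHO_PER_SEC:
            vectors["icmp_flood"].add(ts)
    for ts, n in reflect.items():
        if n >= UDP_REFLECT_PER_SEC:
            vectors["udp_reflection"].add(ts)
    for ts, nbytes in volume.items():
        if nbytes >= VOLUME_BYTES_PER_SEC:
            vectors["volumetric"].add(ts)
    rate_limited = set()
    for (src, ts), n in http.items():
        if n >= HTTP_PER_SRC_PER_SEC:
            vectors["l7_flood"].add(ts)
            rate_limited.add(src)
    return ({k: sorted(v) for k, v in vectors.items()}, sorted(rate_limited))


def sample_log():
    """Constructed traffic: second 0 is benign, second 1 carries four vectors."""
    lines = []
    for i in range(10):   # benign clients: SYN, then an HTTP request
        lines.append(f"0 10.0.0.{i} tcp 40000 443 S 60 -")
        lines.append(f"0 10.0.0.{i} tcp 40000 443 PA 300 http")
    for i in range(60):   # SYN flood from 60 spoofed sources that never complete
        lines.append(f"1 198.51.100.{i} tcp 1024 443 S 60 -")
    for i in range(120):  # ICMP echo-request flood
        lines.append(f"1 203.0.113.{i % 50} icmp 0 8 - 1500 -")
    for i in range(30):   # memcached reflection: inbound UDP from source port 11211
        lines.append(f"1 192.0.2.{i} udp 11211 40000 - 1400 -")
    for _ in range(40):   # layer-7 flood: one client hammering the application
        lines.append("1 203.0.113.250 tcp 50000 443 PA 300 http")
    return lines


if __name__ == "__main__":
    found, limited = triage(sample_log())
    for name, seconds in sorted(found.items()):
        print(f"{name:15s} fired in seconds {seconds}")
    print("rate-limited sources:", limited)
```

The SYN rule requires both a high SYN rate and many distinct sources, so a single busy but legitimate client does not trip it; the reflection rule keys on the source port of inbound UDP because a host that never sent a DNS, NTP, SSDP or memcached request has no reason to receive replies from those ports.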

The Need For Real-time Monitoring and Response

In 2018, GitHub, arguably the world's most popular code repository hosting service, suffered a major DDoS attack that peaked at 1.35 Tbps. This attack notably used the technique referred to as memcached reflection, which exploits misconfigured memcached servers to amplify traffic volume. No botnet was employed for this massive attack.

GitHub survived the attack by calling in its DDoS mitigation service provider; the call was made within 10 minutes. The provider routed all traffic going in and out of GitHub through its scrubbing centers to sort out and block anomalous packets, and the attack stopped after eight minutes. To be fair, this was not a bad response time, but the same could not be said had the target been critical infrastructure.

A few minutes of disruption nowadays already means a lot of lost time. Businesses would lose a lot of potential transactions and customers in such a span. Lives would be seriously affected if a disruption targeting utilities, online healthcare services, or critical facilities lasted for several minutes.

Real-time monitoring and response are vital for the better handling of DDoS attacks with never-before-seen request volumes and atypical or new vectors. These are features readily baked into many of the DDoS solutions at present. Also, after the exploitation of memcached server issues, DDoS solutions have been updated to automatically check for the possibility of memcached-related amplification. More novel attacks are expected to emerge in the future, so it is crucial to have real-time monitoring to ensure prompt response and reduce the potential damage of a DDoS attack.
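The point of real-time monitoring is to shrink the gap between attack onset and mitigation from the tens of minutes described above to seconds, without a human in the loop. The following added example (written for this article; it is not code from any DDoS product or from the author) keeps a streaming baseline of requests per second with an exponentially weighted mean and variance, declares an anomaly only after consecutive out-of-band samples, fires a mitigation hook, and measures time-to-mitigate. The per-second counter series, the thresholds and the `mitigation_on`/`mitigation_off` event names are constructed for the demonstration.

```python
"""Streaming rate anomaly detection with an automated mitigation hook.

Added example: the counter series, thresholds and event names are constructed
for this demonstration and do not describe any vendor's product.
"""
import math
from dataclasses import dataclass, field


@dataclass
class RateMonitor:
    alpha: float = 0.2        # EWMA smoothing factor for mean and variance
    k: float = 4.0            # anomalous when rate > mean + k * stddev ...
    min_floor: float = 2.0    # ... and rate > min_floor * mean (guards tiny variance)
    confirm: int = 2          # consecutive anomalous samples before acting
    warmup: int = 5           # samples used to seed the baseline
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0
    streak: int = 0
    mitigating: bool = False
    events: list = field(default_factory=list)   # (ts, event, rate) tuples

    def observe(self, ts: int, rate: float) -> bool:
        """Feed one per-second sample; returns True while mitigation is active."""
        if self.samples < self.warmup:
            self._update(rate)                  # learn the baseline first
            return self.mitigating
        std = math.sqrt(self.var)
        anomalous = rate > self.mean + self.k * std and rate > self.min_floor * self.mean
        if anomalous:
            self.streak += 1
            if self.streak >= self.confirm and not self.mitigating:
                self.mitigating = True          # e.g. divert to scrubbing
                self.events.append((ts, "mitigation_on", rate))
            # attack samples are deliberately not folded into the baseline
        else:
            self.streak = 0
            if self.mitigating:
                self.mitigating = False
                self.events.append((ts, "mitigation_off", rate))
            self._update(rate)
        return self.mitigating

    def _update(self, rate: float) -> None:
        """Welford-style EWMA update of mean and variance."""
        self.samples += 1
        if self.samples == 1:
            self.mean, self.var = rate, 0.0
            return
        diff = rate - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)


def time_to_mitigate(events, onset_ts: int):
    """Seconds from attack onset to the first mitigation_on event, or None."""
    for ts, kind, _ in events:
        if kind == "mitigation_on":
            return ts - onset_ts
    return None


def sample_rates():
    """Constructed per-second request counts: ~1000 rps baseline, attack at t=10..14."""
    series = []
    for ts in range(20):
        if 10 <= ts < 15:
            series.append((ts, 20000.0))
        else:
            series.append((ts, 1000.0 + (ts % 3) * 40.0))
    return series


def run(series, monitor=None):
    """Replay a (ts, rate) series through the monitor and return its event log."""
    m = monitor or RateMonitor()
    for ts, rate in series:
        m.observe(ts, rate)
    return m.events


if __name__ == "__main__":
    log = run(sample_rates())
    for ts, kind, rate in log:
        print(f"t={ts:2d} {kind:15s} rate={rate:.0f}")
    print("time to mitigate:", time_to_mitigate(log, onset_ts=10), "s")
```

Two design choices matter here. Attack samples are excluded from the baseline update, otherwise a sustained flood would raise the mean until the attack looked normal and mitigation switched itself off. And the `confirm` streak trades one or two seconds of latency for resistance to a single noisy sample, which is what keeps an automated diversion to scrubbing from flapping.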

The Importance of Collaboration and Threat Intelligence Sharing

The Operation Ababil campaign, a series of DDoS attacks spanning nearly two years from 2012 to 2013, was a major cyber attack that spotlighted the need for business organizations, cybersecurity institutions, and government agencies to work together to address the persistent DDoS problem. The attacks targeted multiple financial service companies over a relatively long period.

The attacks could have been arrested earlier if there had been a strong communication mechanism among organizations, the cybersecurity industry, and regulatory agencies. The attacks were characteristically persistent and multi-vectored, affecting organizations gradually so as to evade quick detection.

Information about the attack was shared among those affected and other related organizations. However, better collaboration and intelligence sharing would have reduced the adverse outcomes significantly. Modern DDoS solutions have improved since this attack happened. They have been designed to facilitate collaboration and threat information sharing. They also integrate with other cybersecurity solutions to make it easier to oversee DDoS defenses along with other cybersecurity functions.

In Summary

DDoS and other attacks are here to stay, but the corresponding security solutions are not going away. They continue to improve to effectively address the threats. This dynamic can be observed in how cybersecurity solutions have been progressing. Effective cybersecurity tools already exist, and it is up to organizations to choose the right tools and take advantage of related solutions and resources such as cybersecurity frameworks, threat intelligence sources, and real-time monitoring.