The threat of a distributed denial-of-service (DDoS) attack is not a new phenomenon, but the sophistication and severity of the attacks have grown dramatically in recent years. If you are wondering what denial of service is: it is an attack vector used by cybercriminals to take a website or internet-based service offline.
There are several reasons why hackers favor DDoS, and it’s clear these reasons have evolved over the last 25 years. The first known DDoS attack happened in the mid-1990s, back when the internet was in its infancy. The ISP Panix (based in NYC) was flooded with TCP handshake requests, preventing customers from getting online.
DDoS was popular in the 2000s and it fueled the “hacktivism” movement that spread online. Hacking groups like Anonymous and LulzSec were all over the media after taking some high-profile websites offline, including the CIA website and that of the British equivalent, the Serious Organized Crime Agency (SOCA).
It wasn’t long until money became the motive of the hacking community, as major businesses started to be targeted by DDoS followed by demands for ransom to stop the attack. This attack vector has certainly been exacerbated since the rise of cryptocurrency.
Fast forward to today, and we are experiencing some of the largest DDoS attacks in history: attacks lasting days or weeks, attacks against major service providers such as Azure and AWS, and, worryingly, recent DDoS attacks that appear to be a smokescreen for other illicit cybercriminal activity.
Recent Attack Rivals Top DDoS Attack
In October 2021, Microsoft revealed that it had managed to thwart one of the biggest DDoS attacks in history, with malicious traffic peaking at 2.4 Tbps (terabits per second). To understand how such a huge amount of traffic was created, it’s important to understand how a DDoS attack works.
The attackers use what is referred to as a “botnet”: a collection of tens of thousands of compromised computers, servers, IoT devices, and cloud instances. The botnet grows over the months and years prior to the attack, as malware spreads to poorly secured endpoints. The malware allows the attackers to execute code remotely on each victim’s device.
In the recent attack on an unnamed Azure client, a botnet of 70,000 endpoints was used to bombard the client with a UDP reflected amplification attack. This type of attack typically targets the UDP ports used by DNS, NTP, Simple Service Discovery Protocol (SSDP), Connectionless Lightweight Directory Access Protocol (CLDAP), and systems that use Memcached object caching.
The attack uses spoofed IP addresses and a reflector node (botnet node) to push a large response packet to the target. This tactic significantly magnifies the volume of traffic sent to the target, with the intention of overloading the victim’s infrastructure.
The Challenges of DDoS Mitigation
Unfortunately, not everyone has infrastructure at the size and scale of Microsoft Azure to absorb a DDoS attack, and since the threat of DDoS is very real for small and medium-sized businesses, it’s important to understand why DDoS mitigation is difficult. Unless you have a managed service from a DDoS specialist, it can be very difficult even to identify an attack.
Be on the lookout for slow or inaccessible parts of the network, websites going offline, or intermittent access to networked resources. Investing in network monitoring tools is an effective way to determine when an attack is happening and where it is coming from.
Even with these safeguards in place, it’s a significant challenge to stop a DDoS attack. If a botnet is being leveraged, each IP used in the attack is different, making it difficult to drop the packets as soon as they hit the firewall. The attackers look to imitate legitimate traffic on popular service ports such as DNS (53) or HTTP(S) (80/443). Most firewalls will accept these protocols by default, resulting in the firewall quickly becoming overloaded.
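The reflected-amplification traffic described above (replies from the DNS, NTP, SSDP, CLDAP and Memcached ports) and the many-sources problem in this paragraph can both be seen in flow data. The following detector is an added example, not code from the original article: it groups UDP reflector replies by destination and service rather than by source, which is why it catches what per-source firewall rules cannot. The NetFlow-like field names and the sample records are constructed.

```python
"""Flag UDP reflected-amplification traffic in flow records.

Added illustration, not from the original article. Flow records are constructed
here in a NetFlow-like shape; the field names (src, sport, dst, ...) are assumptions.
"""
from collections import defaultdict

# UDP source ports of the reflector services named in the article.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP", 11211: "Memcached"}


def flag_amplification(flows, min_sources=3, min_bytes_per_pkt=400):
    """Group reflector replies by (destination, service) and report groups that
    arrive from many distinct sources with large average packet sizes.

    Returns findings sorted by total bytes, largest first. Keying on the
    destination matters: in a reflected attack every source address differs,
    so per-source blocking at the firewall cannot keep up."""
    groups = defaultdict(lambda: {"sources": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue  # only UDP replies from reflector services are of interest
        g = groups[(f["dst"], REFLECTOR_PORTS[f["sport"]])]
        g["sources"].add(f["src"])
        g["pkts"] += f["pkts"]
        g["bytes"] += f["bytes"]
    findings = []
    for (dst, service), g in groups.items():
        avg = g["bytes"] / g["pkts"] if g["pkts"] else 0
        if len(g["sources"]) >= min_sources and avg >= min_bytes_per_pkt:
            findings.append({"dst": dst, "service": service,
                             "sources": len(g["sources"]), "bytes": g["bytes"],
                             "avg_pkt_bytes": round(avg)})
    return sorted(findings, key=lambda x: x["bytes"], reverse=True)


# Constructed sample (documentation-range addresses): 198.51.100.10 is the victim,
# receiving large unsolicited replies from 40 resolvers and 10 NTP servers, while
# 198.51.100.20 only gets ordinary small replies from the one resolver it queried.
SAMPLE_FLOWS = (
    [{"src": f"203.0.113.{i}", "sport": 53, "dst": "198.51.100.10", "dport": 40000 + i,
      "proto": "udp", "pkts": 20, "bytes": 20 * 3000} for i in range(1, 41)]
    + [{"src": f"192.0.2.{i}", "sport": 123, "dst": "198.51.100.10", "dport": 50000 + i,
        "proto": "udp", "pkts": 50, "bytes": 50 * 468} for i in range(1, 11)]
    + [{"src": "203.0.113.250", "sport": 53, "dst": "198.51.100.20", "dport": 41000,
        "proto": "udp", "pkts": 500, "bytes": 500 * 90}]
)

if __name__ == "__main__":
    for hit in flag_amplification(SAMPLE_FLOWS):
        print(hit)
```

On the sample, only the victim is reported, once per reflector service; the host doing normal lookups from a single resolver is left alone.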
Such attacks make it difficult to mount a defense from within the targeted network, because the infrastructure is under sustained attack and often overloaded: too much traffic is coming in for the local engineers to resolve the issue. This is why outsourcing to a DDoS protection provider is such a popular idea; the provider sits outside of the attack, making mitigation much easier.
Blocking the Largest DDoS Attacks
A concerning recent trend is a surge in DDoS-for-hire providers on the dark web. It is possible to lease access to a botnet for only a few dollars per month, which has lowered the barrier to launching a DDoS attack. Businesses need the capability to defend against application-layer attacks, protocol attacks, and volumetric attacks. They should also be open-minded to the possibility that a DDoS attack is only a distraction technique for some other illicit activity, perhaps data theft.
Most tactics used to thwart DDoS revolve around high levels of network security: frontend services are expected to be protected by high-end, clustered network firewalls, preferably with all network traffic routed via a DDoS service provider’s content delivery network. These providers have high-capacity networks that support Anycast (any host) and Unicast (single host), and best of all they come with an SLA under which the provider is contractually obliged to stop an attack within a specified time.
Investment in intrusion detection systems is valuable for detecting anomalies that can precede a DDoS attack. Enforcing AV, malware protection and system updates on all endpoints (laptops, PCs, tablets) should be mandatory, and monitoring dashboards that give a view of the infrastructure can give sysadmins the upper hand when facing DDoS attacks.