The list of recent DDoS attacks makes grim reading.
Poland’s tax office, German airports and Danish hospitals have all been hit this year, while the US Super Bowl weekend saw the most intense DDoS attack ever recorded, at a heart-jolting 71 million requests per second.
These attacks are also hitting close to home, with Asia-Pacific one of the most heavily targeted regions. Singapore is second only to the US in attack numbers, while the Australian census had to deal with a billion malicious connections in 2022. New Zealand also suffered disruptions to ISPs, banks and its post office.
DDoS is about maximum disruption and zombie hosts
While phishing and ransomware attacks see criminals try to access and exploit organisations’ data, Distributed Denial-of-Service attacks rely on sheer force of numbers to overwhelm their targets. Attackers aim to overload services with dummy web traffic, hoping that repeated fake requests, combined with genuine traffic, will be enough to slow or crash their victim’s website.
Attacks generally rely on a zombie host of malware-infected computers, servers and Internet of Things (IoT) devices known as a botnet. These attacks may be as short as a few minutes, typically causing only minor disruption, or last many weeks, which may cause significant damage to your revenue or your customers' trust, or may even bring down vital national infrastructure. This disruption may be an end in itself, or may be part of a more sophisticated assault, in which hackers strike again while the victim rushes to get vital services back online.
Mercenaries and state-linked groups are raising havoc
So why are DDoS attacks a problem today? Whereas once you needed some level of technical skill (and therefore cost) to launch a DDoS attack, over the years, the whole process has become much more user-friendly and affordable. The result is the rise in DDoS-as-a-Service, which sees hacker groups offer DDoS tools and expertise to clients, typically on dark web forums. In recent years, they’ve flooded the market, driving costs down to the floor. Between 2017 and 2020, the cost of an average DDoS attack dropped from $25 to $7. In 2022 one estimate suggested you could buy a lifetime supply of DDoS attacks for $100.
With such bargain-basement prices, it’s no surprise to see some groups, and even nation states, turning to DDoS attacks to harm their rivals. The war in Ukraine saw attack numbers rocket, with the conflict viewed as the prime driver in a threefold rise in attacks in early 2022. When US congresswoman Nancy Pelosi visited Taiwan later that year, the Taiwanese president’s website was hit with 8 million traffic requests in a single minute, with most IP addresses being traced back to China. With geopolitics in APAC heating up, and attacks spreading to sectors such as energy, transport and media, all organisations should be on their guard.
DDoS isn’t just a big, dumb blitz: attacks can be cunning too
Today’s DDoS attacks aren’t just about size: they’re getting smarter too. We’re increasingly seeing criminals:
Avoiding the classic focused assault and instead targeting a larger number of IP addresses or devices. This attack type aims to overwhelm multiple services but stay below the thresholds that prompt protective responses when a single IP address is bombarded.
Using “water torture” attacks, in which large numbers of randomly generated bogus subdomain requests are sent to overwhelm application-layer services.
Building bigger botnets, a tactic made easier by the proliferation of IoT devices and the rise in vulnerable devices thanks to increased remote working.
Using generative adversarial networks (GANs), machine learning techniques that make attacks appear to come from a real user, making it harder for firewalls and detection tools to identify attacks.
The diversification into Ransom-Denial-of-Service (RDDoS), in which further attacks are threatened unless the victim pays up.
Audit, monitor and respond – but don’t jump to conclusions
You must investigate before jumping to conclusions about possible DDoS attacks. Maintenance work, in-house problems, a sudden surge in legitimate traffic or even natural disasters can also cause service outages. And even if a DDoS attack is the cause, it may not have targeted your organisation – instead, your ISP may have been hit.
If you are under attack, an incident response plan that maps out DDoS responses will be a big help. By analysing data from security monitoring you can assess web server log entries, identify if particular IP addresses are being targeted, and discover whether a particular aspect of your service is affected. Normal monitoring should be continued in case the DDoS attack is only part of a wider assault on your defences.
Your ISP or CDN (Content Delivery Network) may be able to offer assistance, while optimising firewall rules and application mitigations (such as disabling some functions) may limit the damage. It’s vital to log your actions to ensure you can return to a known state after the attack.
How CISOs can harden their security against DDoS attacks
With damaging DDoS attacks becoming increasingly common, the best protection is prevention. The Australian Cyber Security Centre (ACSC) offers guidance and threat updates. You can manage your risk by:
Using DDoS or CDN mitigation provider or cloud-based hosting providers.
Keeping your “origin servers” safe through network filtering.
Using web-application firewalls (WAFs).
Employing IP stresser services to test your bandwidth.
Patching regularly, and ensuring systems are up-to-date.
While spotlight-stealing threats such as ransomware often loom larger on CISO radars, DDoS attacks are not dying out. Indeed, the rise of cyberwar, hackers for hire and diversifying attack types mean DDoS threats are quietly on the rise. The right plan can help CISOs respond quickly and effectively in the moment, but risk mitigation is a must if your organisation is to avoid downtime – or in a worse-case secnario, full-on disruption and damage.