Distributed denial-of-service (DDoS) attacks continue to grow in size, frequency, and complexity, threatening businesses and service providers around the world. A warning was recently issued about a steep uptick of DDoS attack threats demanding bitcoin ransom with thousands of organizations across industries and around the world targeted. In June, AWS disclosed a record-setting 2.3 Tbps DDoS attack, breaking the previous record, a 1.3 Tbps attack mitigated by Akamai back in 2018.
Denial-of-service (DoS) attacks are nothing new -- they have been around since the early days of the web. In 1996, a New York City ISP experienced the first widely publicized DoS attack, which knocked out the provider's mail and web servers for a week. The first documented DDoS attack occurred in 1999 when a hacker took down systems at the University of Minnesota for more than two days using a tool called Trin00. Primitive by today's standards, Trin00 hijacked 114 different computers to overwhelm a target with User Datagram Protocol (UDP) traffic.
Over the years, bad actors have grown more and more savvy, launching increasingly sophisticated DDoS attacks to disrupt businesses, obfuscate other types of attacks, or extort ransom payments. Akamai recommends not making ransom payments as there is no indication it will change the outcome. Not surprisingly, cybercriminals most often aim DDoS attacks at businesses with deep pockets. The 2019 Akamai State of the Internet report revealed that more than 40% of all DDoS attacks thwarted by Akamai were aimed at financial services customers.
DDoS Attacks Overwhelm Critical Infrastructure
While DDoS attacks can take many forms, the basic premise behind most is the same -- bombard a target with traffic generated from multiple compromised devices. Perpetrators often use botnets to mount DDoS attacks, infecting vast numbers of internet-connected devices -- such as PCs, servers, and Internet of Things (IoT) endpoints -- with malware to orchestrate large-scale assaults.
An infamous 2016 attack against DNS service provider Dyn used 50,000+ compromised IoT endpoints to disrupt major sites like Amazon, Netflix, Twitter, and Visa. The "attackers" were said to be smart refrigerators, televisions, webcams, and other IoT devices that are often poorly secured. These days, criminals can even rent botnet services on the dark web to carry out massive attacks.
DDoS attacks are typically measured in bits per seconds. While the largest attacks exceed a terabit per second, Akamai research shows the majority of DDoS attacks average about 50 Gbps -- sufficient to rattle a small ISP.
DDoS Attacks Come in Many Flavors
DDoS attacks come in a variety of forms, including volumetric bandwidth, resource exhaustion, and application-layer attacks.
Volumetric bandwidth attacks are the oldest and simplest type of DDoS attack. Just like a traffic jam clogs up a highway and delays drivers, a volumetric bandwidth attack clogs up a network, preventing legitimate traffic from reaching its destination in a timely fashion. These attacks can be difficult to isolate and mitigate because the nefarious traffic appears to originate from legitimate sources. Examples of volumetric bandwidth attacks include UDP flood attacks like the original 1999 attack against the University of Minnesota, as well as Internet Control Message Protocol (ICMP) and Packet Internet Groper (PING) flood attacks.
Resource exhaustion attacks target servers, routers, firewalls, load-balancers, intrusion detection/ prevention system (IDS/IPS) devices, or other IT infrastructure. Unlike volumetric bandwidth attacks that flood a network with traffic, resource exhaustion attacks flood servers and network elements with requests to consume memory, state tables, or other resources. A SYN attack, for example, overwhelms a server by repeatedly sending it TCP SYNchronization messages.
Application-layer attacks target Layer 7 of the Open Systems Interconnection (OSI) model, exploiting common messages like HTTP GET and HTTP POST requests. Unlike flood attacks, application-layer attacks typically employ "low and slow" tactics, using a small, slow stream of traffic to gradually tie up every server thread and prevent legitimate requests. Application-layer attacks are difficult to detect because they generate legitimate-looking traffic. In addition, DDoS defense mechanisms designed to identify suspicious traffic surges often won't detect these stealthier attacks.
Worse still, unlike other types of DDoS attacks, low and slow attacks don't require a lot of resources, and can be easily mounted from a single computer using open-source tools. Examples of common low and slow application-layer attacks include Slowloris, which slowly sends partial HTTP headers to a web server, and R.U.D.Y. (RU-Dead-Yet?), which slowly injects one byte of information at a time into an application POST field.
Defending Against DDoS Attacks
Identifying and mitigating DDoS attacks can be a real challenge in today's world. Cybercriminals are continuously honing their skills and improving their techniques. Many use a combination of different attacks to foil security teams, evade detection, and maximize results. In fact, about one-third of the DDoS attacks mitigated by Akamai this year have involved three or more attack vectors, including an impressive 1.44 Tbps attack that employed nine different attack vectors.
Whether your applications are deployed in the cloud or in your own data center, DDoS attacks can disrupt your online business and tarnish your company's reputation. Here are 10 concrete actions you can take to strengthen your company's security posture and protect your business against DDoS attacks:
- Know your traffic. Use network and application monitoring tools to identify traffic trends and tendencies. By understanding your company's typical traffic patterns and characteristics, you can establish a baseline to more easily identify unusual activity symptomatic of a DDoS attack.
- Build your defensive posture during peacetime, steered by your executive team's risk assessment guidelines. Be sure to analyze risk and prioritize DDoS mitigation and service recovery efforts in meaningful business terms like lost revenue in accordance with your company's strategic information risk management models.
- Have a restrictive Plan B defensive posture ready to go. Be in a position to rapidly restore core geographies and business-critical services in the face of a DDoS attack.
- Eliminate political obstacles and organizational barriers that might impair SecOps agility. Time is of the essence when responding to a DDoS attack. Empower your security team to quickly enact defenses without a peer chain of approvers.
- Include cybersecurity in business continuity, disaster recovery, and emergency response planning. DDoS attacks can be as devastating to the business as a natural disaster and should be an integral part of your company's incident preparedness plans. Be proactive -- create run books and carry out desktop exercises to improve readiness.
- Practice good cyber hygiene. At the risk of stating the obvious, a strong DDoS defense strategy begins with sound online hygiene practices. Foster a security-oriented corporate culture and be sure developers and system administrators follow industry best practices for cybersecurity.
- Use a combination of automated and human mitigation. Attackers continually evolve their tactics to avoid detection and outflank security solutions. You'll need the right combination of people, automation, and processes to stay one step ahead of the bad guys and defend against increasingly sophisticated, continuously evolving attacks.
- Consider implementing a Zero Trust security model. A Zero Trust framework can help protect against DDoS attacks by enforcing least-privileged access and ensuring only authorized users gain access to critical applications and services.
- Engage your upstream providers to prepare and address risks. Work proactively with your upstream service providers to evaluate DDoS risks and develop readiness and recovery plans.
- Test, re-test, document, and measure. Incorporate DDoS attacks into penetration testing to simulate complex attacks, identify vulnerabilities, and shore up defenses.
DDoS attacks can disrupt your online presence, impair productivity, and impact the bottom line. By taking a proactive approach -- aligning people, processes, and automation -- you can defend against DDoS attacks and minimize service disruptions. Following these 10 recommendations will strengthen your company's security posture and reduce risks.