Redefining the DDoS Attack, and Navigating the Threat Landscape

When most people think of a cyberattack, they think of a highly skilled attacker breaking through an organization’s defenses in order to steal sensitive data or plant malware on a device. However, these types of attacks aren’t the only way for a hacker to make money or hurt a target. DDoS attacks require a much lower level of sophistication on the part of the hacker. By hammering a target device with more traffic than it can withstand, even an unskilled hacker can have an impact on an organization. These attackers can also monetize their attacks by offering DDoS attacks as a service or extorting a ransom from the target to cease the attack.
The growth of the Internet of Things (IoT) and cloud computing has made it cheaper and easier to launch larger DDoS attacks. Poorly secured IoT devices and cheap rented cloud processing power give an attacker all of the resources that they need to launch a massive-scale DDoS attack. As a result, organizations need to deploy DDoS protection solutions and Content Delivery Network (CDN) nodes to increase their resiliency against these types of attacks.
However, the DDoS attack is evolving. In the past, DDoS attacks were defined by high-volume packet floods designed to saturate an organization’s bandwidth. More recent DDoS attacks have branched out to accomplish their goals in other ways.
“Traditional” DDoS Attacks
The traditional DDoS attacked a target at the network level. Any network connection or computer has a certain maximum amount of data that it can process (bits per second, packets per second, or connection state) before things start to fail. Traditional DDoS attacks are designed to push systems past these limits with sheer volume: large numbers of packets from large numbers of sources.
While this type of attack is effective, it can also be detected and blocked relatively easily. Detection of a traditional DDoS attack only requires basic monitoring of a network connection and/or a webserver’s accessibility. When a network is receiving volumes of traffic far in excess of normal or a webserver is not responding, then the organization may be under attack and needs to implement scrubbing to allow legitimate traffic in while blocking attack traffic.
Implementing protections for these types of attacks is relatively easy as well. In order to achieve the traffic volumes used in the attack, attackers often use DDoS amplifiers. An amplifier is a service whose response is larger than the request and which runs over a connectionless protocol such as UDP (or ICMP), so the attacker can spoof the source address of the request without completing a handshake. An example of such a service is DNS, which is used to translate domain names (like example.com) into IP addresses (like 192.0.2.1). A DNS response includes the question section of the corresponding request and then some (the answer records), so an attacker who sends a DNS request with the target’s address as the spoofed source “amplifies” their attack: the reflector sends the larger response to the target, which receives more traffic than the attacker sent.
Attacks using amplifiers are relatively easy to detect since the reflected traffic shares a fixed source port (all DNS-amplified traffic arrives from UDP source port 53) and comes from a relatively small set of reflector IP addresses. Simple DDoS protection systems rely on these signatures to identify DDoS attacks.
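The two points above, why a DNS reply amplifies and why the reflected traffic is easy to spot, as an added example that is not part of the original article. The first half builds a minimal DNS ANY query and a constructed TXT-heavy response in RFC 1035 wire format and measures bytes received per byte sent; the second half is a hypothetical detector that sums inbound UDP bytes by well-known reflector source port over constructed flow records (RFC 5737 documentation addresses, assumed sizes). The byte threshold is a placeholder; in practice it would be derived from the organization’s own traffic baseline.

```python
import struct
from collections import defaultdict


def build_dns_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Minimal DNS query in RFC 1035 wire format; QTYPE 255 (ANY) is a classic amplifier."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: standard query, RD=1; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def build_dns_response(query: bytes, txt_strings) -> bytes:
    """Constructed response: same ID, echoes the question section, then one TXT RR per string."""
    txid = query[:2]
    question = query[12:]  # the question section exactly as the client sent it
    header = txid + struct.pack("!HHHHH", 0x8400, 1, len(txt_strings), 0, 0)  # QR=1, AA=1
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode()  # TXT RDATA: <length><text>, text <= 255 bytes
        answers += (b"\xc0\x0c"  # compression pointer to the name at offset 12
                    + struct.pack("!HHIH", 16, 1, 300, len(rdata))  # TYPE TXT, CLASS IN, TTL, RDLENGTH
                    + rdata)
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the target receives per byte the attacker spends; > 1 means amplification."""
    return len(response) / len(query)


# Source ports of well-known UDP reflectors: DNS as in the article, NTP added as a second common case.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


def detect_reflection(flows, byte_threshold: int):
    """Sum inbound UDP bytes per reflector source port and report ports over the threshold
    together with the reflector IPs seen. Flow records are constructed tuples:
    (src_ip, src_port, dst_port, proto, bytes)."""
    by_port = defaultdict(lambda: [0, set()])
    for src_ip, src_port, _dst_port, proto, nbytes in flows:
        if proto == "udp" and src_port in REFLECTOR_PORTS:
            by_port[src_port][0] += nbytes
            by_port[src_port][1].add(src_ip)
    return {port: (total, sorted(ips))
            for port, (total, ips) in by_port.items() if total >= byte_threshold}


# Constructed flow records for a one-second interval (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, 40321, "udp", 600_000),  # open resolver answering spoofed queries
    ("198.51.100.11", 53, 40322, "udp", 550_000),
    ("198.51.100.12", 123, 40323, "udp", 20_000),  # a little NTP, stays under the threshold
    ("203.0.113.5", 443, 51000, "tcp", 900_000),   # ordinary HTTPS, not a reflector
]

if __name__ == "__main__":
    q = build_dns_query("example.com")
    r = build_dns_response(q, ["A" * 200] * 3)
    print(f"query {len(q)} B -> response {len(r)} B, factor {amplification_factor(q, r):.1f}x")
    print(detect_reflection(SAMPLE_FLOWS, byte_threshold=1_000_000))
```

A 29-byte ANY query that draws three 200-byte TXT records comes back as 668 bytes, a factor of about 23; real open resolvers with large zones do considerably better for the attacker, which is why the source port and reflector set are the cheap detection handle.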
The New Normal in DDoS
Unfortunately, DDoS attackers have diversified their attacks. In recent years, a variety of different types of DDoS attacks have been detected. In general, these tend to lack the distinguishing features that make the “traditional” DDoS easier to detect and prevent.
- Degrading Rather Than Denying Service
One recent trend is the use of smaller-scale DDoS attacks designed to degrade but not deny an organization’s ability to provide its services to customers. These smaller-scale DDoS attacks may not trigger threshold-based DDoS detection systems, allowing them to continue on to the target system. Even a small-scale attack can have an impact on the target system, and attackers also use these attacks to probe how the target responds under load, setting themselves up for future attacks.
- Application-Level Attacks
DDoS attacks have also moved from attacking at the network level to attacking at the application level. To be effective, all a DDoS attack needs to do is identify a bottleneck in an application and exploit it.
By operating at the application level (Layer 7 of the OSI model), attackers no longer need to send enough traffic to exceed a network’s bandwidth. Instead, they send more requests to a webserver than it is capable of handling, preferably to the endpoints that cost the server the most to answer. The amount of attack traffic needed can be much lower, low enough that an attack can be sustained for days; one reported application-layer attack ran for 13 days.
These attacks can also be much more difficult for a DDoS protection system to defend against. Since the attacker’s traffic is “valid” and can come from a variety of IP addresses and ports, it is not as easy to differentiate between “legitimate” and “attack” traffic. As a result, some DDoS prevention systems struggle with protecting against these types of attacks.
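An added example, not code from the original article, covering both the “degrade rather than deny” point and the application-level point above: a constructed ten-second window of Common Log Format web-server lines in which a single client sends only three requests per second, far below any volumetric threshold, but aims them at a hypothetical expensive `/search` endpoint. The per-endpoint costs (`ENDPOINT_COST_MS`), the client addresses and the thresholds are all assumptions for illustration; a real deployment would measure endpoint cost from application metrics.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format as written by Apache/nginx; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical backend cost per endpoint in milliseconds (assumed, not measured).
ENDPOINT_COST_MS = {"/search": 250, "/export": 400}
DEFAULT_COST_MS = 5


def _line(ip, sec, path):
    """Build one constructed CLF line at 13:55:<sec> UTC on 10/Oct/2023."""
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 1234'


# Constructed window: two ordinary visitors at 1 req/s, one client hitting /search at 3 req/s.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.21", s, "/") for s in range(10)]
    + [_line("203.0.113.22", s, "/about") for s in range(10)]
    + [_line("198.51.100.7", s, f"/search?q=term{i}") for s in range(10) for i in range(3)]
)


def parse_log(text):
    """Parse CLF lines into dicts; malformed lines are skipped rather than crashing the detector."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["path"] = d["path"].split("?", 1)[0]  # cost is per endpoint, not per query string
        entries.append(d)
    return entries


def window_seconds(entries):
    """Logs have one-second resolution, so a span from :00 to :09 covers ten seconds."""
    ts = [e["ts"] for e in entries]
    return (max(ts) - min(ts)).total_seconds() + 1


def total_rps(entries):
    """Volumetric view: requests per second across all clients."""
    return len(entries) / window_seconds(entries)


def per_client_load(entries):
    """Application view: fraction of one backend-second each client consumes per second."""
    cost_ms = defaultdict(float)
    for e in entries:
        cost_ms[e["ip"]] += ENDPOINT_COST_MS.get(e["path"], DEFAULT_COST_MS)
    win = window_seconds(entries)
    return {ip: ms / 1000.0 / win for ip, ms in cost_ms.items()}


def flag_clients(entries, rps_threshold=1000.0, load_threshold=0.5):
    """Return (volumetric alarm fired?, clients whose backend load exceeds the threshold)."""
    volumetric = total_rps(entries) >= rps_threshold
    load = per_client_load(entries)
    return volumetric, sorted(ip for ip, l in load.items() if l >= load_threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{total_rps(entries):.1f} req/s total")
    for ip, load in sorted(per_client_load(entries).items()):
        print(f"{ip:15} {load:.3f} backend-seconds per second")
    print(flag_clients(entries))
```

At five requests per second in total the rate-based alarm never fires, yet the one client that chose the expensive endpoint is consuming three quarters of the backend’s capacity. Detecting this needs per-client, per-endpoint cost accounting rather than a packet or request count, which is exactly the signal many volumetric protection systems lack.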
Navigating the DDoS Threat Landscape
The evolving DDoS threat landscape has made it much more difficult for organizations to effectively detect and protect against DDoS attacks. The algorithms used in many DDoS protection systems are designed to look for large volumes of traffic, typically arriving from amplification protocols. New DDoS attacks don’t always use these methods, making them more difficult to detect and mitigate.
As DDoS attacks become cheaper and easier to perform, organizations run a growing risk of being targeted by one. Deploying a state-of-the-art DDoS protection solution is essential to keeping up with the rapid pace of DDoS innovation.