GLOSSARY

What is DDoS and What are DDoS Attacks?

A tool favored by many threat actors, Distributed Denial-of-Service (DDoS) attacks seek to make a targeted machine or network resource unavailable to its users to substantially slow the system, or force it to crash

What is distributed denial of service and what are DDoS attacks?

A tool favored by many threat actors, distributed denial-of-service (DDoS) attacks seek to make a targeted machine or network resource unavailable to its users—using overwhelming amounts of traffic, such as incoming messages, connections requests, and malformed packets—to substantially slow the system, or force it to crash.

In this article, we explore how DDoS attacks work, types of DDoS attacks, and their damaging impact. Also we provide tips on how to prepare for, prevent, and respond to a DDoS attack.

How distributed denial of service attacks work

To accomplish this, a distributed denial-of-service attack uses a botnet. A botnet is a network of computers controlled by malware that sends requests to the target’s IP address. The use of botnets distinguishes DDoS attacks from DoS (Denial-of-Service) attacks. In a DoS attack, overloading traffic is sent from only one attacking machine. Botnets make attacks appear to come from multiple devices and locations which makes it difficult to defend against.

DDoS activity is seeing a major uptick, with sources stating that over six million attacks were observed in 2022 H1. Organizations should also be aware that this trend will likely continue since botnets are becoming more publicly available via crimeware. This allows an individual to rent DDoS capabilities via illicit marketplaces, enabling low-skilled individuals or groups to perform more complex attacks. Threat actors can also leverage vulnerability exploits to conduct DDoS attacks.

Types of DDoS attacks

In general, there are three types of DDoS attacks: application layer attacks, network layer attacks, and volumetric attacks. However, organizations should be aware that DDoS attacks can also be achieved by exploiting the vulnerabilities affecting their IT resources. Modern attacks use a variety of DDoS tools, like booters or stressors, and tactics can be used alone, or combined for more complex, multi-vector attacks.

Application layer attacks

The application layer of a network connection is where a server creates a response to a request. For example, loading a webpage in response to a user entering a HTTP request in their browser. Application layer attacks make repeated requests to overwhelm the server. These attacks are categorized as “layer 7.”

Network layer attacks

Network layer attacks focus on an earlier stage in a network connection, exhausting server resources like firewalls or routing engines. For example, an attacker may overwhelm a target server with SYN packets, which are used to initiate a secure connection between two computers. These attacks are categorized as “layer 4,” which denote attacks at the transport layer such as TCP.

Volumetric attack

Volumetric attacks overwhelm the target server’s bandwidth. Usually by making repeated queries to an open domain name system (DNS) resolver using the target’s own IP address. In other words, the attacker makes multiple requests to DNS resolvers making it look like they’re coming from the target server.

The impact of DDoS attacks

Any business or industry can be at-risk of a DDoS attack since most organizations have internet-facing websites or assets. Furthermore, DDoS attacks can cause lengthy shutdowns and downtime, which can result in major financial losses, customer dissatisfaction, and reputational loss. According to Imperva, the average attack can cost victims around $500,000 total or $40,000 per hour of downtime.

DDoS attacks can also cause data loss and mask other cybercriminal activities that could breach the target’s security. More serious attacks, like those leveraged by advanced persistent threat (APT) groups, can prompt civil unrest or be considered a type of warfare—an example being the Russian-Ukraine War, where Russian hackers DDoS’d Ukrainian government portals and banking websites days before the invasion. According to Kaspersky, DDoS attack volumes have increased 4.5 times since the conflict first began.

“In Q1 2022 we witnessed an all-time high number of DDoS attacks. The upward trend was largely affected by the geopolitical situation…Some of the attacks we observed lasted for days and even weeks, suggesting that they might have been conducted by ideologically motivated cyberactivists. We’ve also seen that many organizations were not prepared to combat such threats.”ALEXANDER GUTNIKOV, KASPERSKY

In addition, it is reported that the sophisticated and powerful DDoS tools developed for the war are being adopted by other threat actors worldwide.

DDoS attack targets

In 2023, analysts observed a large uptick in DDoS attacks on various industries. Major tech companies have reported on mitigating the largest DDoS attacks in 2023. Cloudflare reported that automatically identified and mitigated DDoS attacks have increased by 65 percent in Q3. Computers and servers were the top targets for DDoS attacks, accounting for 92 percent of attacks carried out. While attack length and frequency decreased by 55 percent, attack size grew exceptionality by 233 percent.

In August 2023, a major search engine detected and successfully mitigated a DDoS attack that peaked at 398 million requests per second. This attack has been one of the largest DDoS attacks conducted thus far. Another large tech company also reported an unusual increase in HTTP/2 requests, peaking at 155 million requests per second in late August.

Steps to prevent DDoS attacks

One out of five companies with over 50 employees have been a victim of at least one DDoS attack. The proliferation of DDoS means that attempts against your organization may occur—but there are still some strategies you can use to proactively identify, or prevent and minimize damage from an attack:

  1. Monitor network traffic for abnormal activities. This includes unexpected traffic influxes, traffic originating from suspicious locations, slow servers, or even an increase in spam emails—signs that an attack could be imminent.
  2. Plan an attack response proactively. This could involve simulation testing or establishing procedures for IT personnel and other impacted stakeholders in the event of an attack.
  3. Filter legitimate traffic from DDoS traffic by using mitigation strategies like black hole routing, rate limiting, or a web application firewall.
  4. Identify exploitable vulnerabilities using tools like Flashpoint’s VulnDB. In addition to disrupting traffic, attacks may also leverage vulnerabilities within an organization’s applications. Having comprehensive vulnerability intelligence allows organizations to patch vulnerabilities before they’re exploited.
  5. Track publicly-available websites, like paste bins, social media, or forums, for conversations that may indicate a potential attack. Specialized open source intelligence tools like Echosec allows users to uncover hidden threats on a variety of sources, like the dark web.
  6. Stay informed on the latest malware trends. Threat actors are constantly finding new ways to compromise their victims. Staying up-to-date on malware strains such as Mirai, Meris, and Androxgh0st is critical. Therefore, using a comprehensive source of threat intelligence is vital.

Stay prepared with Flashpoint

Industry research shows that DDoS attacks are not only on the rise, but their approaches are becoming more sophisticated. While the Russia-Ukraine war is primarily responsible for this, nevertheless, these types of attacks will continue to plague organizations. However, organizations do have tools and strategies that can help them mitigate the risk that DDoS attacks can introduce. Sign up for a free trial to gain visibility into threat actor channels and activity.

Get the latest news and insights delivered to your inbox.

Interested to see top news from Flashpoint hit your inbox directly? Subscribe to our newsletter to receive curated content on a regular basis.