Why haven't DDoS attacks gone away?
Distributed denial-of-service attacks were once the subject of daily tech headlines, but in recent years, the hand-wringing over DDoS has died down. You could be forgiven for thinking they aren't a threat anymore, but you'd be wrong: Statistics show that the number of DDoS attacks continues to rise quarter after quarter, and security experts say these attempts continue because, well, they keep working.
The good news is that the services used to block and absorb DDoS traffic keep getting better, and big providers like Azure and Cloudflare often tout the efficacy of their DDoS protection services in blocking massive attacks measured in terabits per second.
The bad news is that DDoS attacks are getting more sophisticated as well. As these attacks grow increasingly intense, complex, and plentiful, defenders are running to stand still in the fight against them.
Understanding the basics of DDoS
A long-standing fixture in the repertoire of cyberattackers, DDoS attacks work on the basic premise of disrupting system communication and networks by overwhelming them with some form of "junk" traffic. The classic forms of DDoS attack are volumetric attacks where that junk consists of massive volumes of traffic that saturate bandwidth and clog up the network to the point where legitimate traffic can't get through. The junk traffic could consist of everything from UDP packets to ICMP echo requests.
The "distributed" nature of DDoS comes from the fact that all these packets and traffic patterns come from all over the internet via criminal botnets, the massive networks of compromised machines across the world that provide the muscle for attackers to power DDoS and a kaleidoscope of other cybercriminal activity. This distribution makes it difficult to plug in simple firewall rules to shut off the malicious traffic, because it is coming from so many sources.
The intended and actual results of DDoS vary, but the baseline is to sow chaos in the IT and business operations of an attacker's target. This could be to promote some form of political or personal activism, further nation-state goals, commit financially motivated sabotage, or support or supplement other concurrent or subsequent cyberattacks.
"The goal of the DDoS attack is to disrupt business operations and/or distract," explains Tim Ferrell, distinguished technologist in the security, risk, and compliance practice at HPE Pointnext Services. "Some of this is, 'Hey, look at that shiny ball over here while we walk out the front door with something else.' From a defender's perspective, if they suddenly see everything getting knocked offline by a DDoS attack, it does mean they start to focus on that problem. The initiation of a low and slow attack could then more easily be missed by a security team."
While the headlines around DDoS are most likely to revolve around massive internet, cloud, or application outages, sometimes all the attacker needs or wants to do is slow down traffic.
"It's not always a black and white case of DDoS taking something offline or leaving it online. If you start to see latency being increased because of the DDoS attack, that in some cases can have just as many negative effects as taking the whole application offline," explains Simon Leech, senior adviser in the security, risk, and compliance practice at HPE Pointnext Services. "Especially when you're talking about multi-region hyperscalers, where they've made promises to their customers about the latency that the network is going to support, and customers have built their multi-tiered application architectures to take advantage of those low-latency capabilities."
How DDoS techniques have evolved
Content delivery networks, which emerged more than two decades ago, were initially devised to accelerate the delivery of web content, but security pros found that the same distributed capacity could also soak up massive spikes in bandwidth caused by DDoS attempts. This principle forms the foundation of many modern DDoS mitigation efforts, which are typically focused on rerouting and absorbing the influx of malicious traffic doled out by DDoS attempts.
Over the years, attackers have continued to riff off these classic volumetric attacks with other malicious innovations to counter the DDoS protection and mitigation measures that organizations have scaled up to thwart them.
Sometimes an attacker can greatly magnify the severity of volumetric attacks by using what are called amplification and reflection techniques. Amplification comes from sending many small request packets to a verbose service that replies with far more data than it received. Reflection comes from spoofing the source address of those requests to be the victim's IP address: because UDP involves no handshake, the reflecting server takes the forged source at face value and sends its large reply to the victim rather than back to the attacker. The victim therefore sees a flood of unsolicited responses from many legitimate-looking servers, while the attacker's own address never appears in the traffic. For example, in a DNS amplification attack, a botnet repeatedly sends small look-up requests (typically for record types with large answers) to publicly accessible open resolvers with the victim's address as the source. Each response can be orders of magnitude larger than the request, and all of it lands on the victim.
Further complicating matters, even if an organization has massive amounts of bandwidth to absorb volumetric attacks, attackers constantly adapt to third-party mitigation services. Many, for example, turn to alternatives such as protocol or application attacks that do not depend on raw bandwidth at all.
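The mechanics above, as an added example in Python (not code from the article or from any vendor it mentions): a hand-encoded DNS query with an EDNS0 record so the request size is real, the bandwidth amplification factor for an answer size that is assumed, a model of the spoofing step in which every reply lands on the victim, and a simple check over flow records that flags responses the network never asked for. The resolver addresses, the 3,000-byte answer size and the flow records are constructed for illustration.

```python
"""Added example (not from the article): DNS reflection/amplification on the wire,
plus one check a defender can run over flow records. Fully offline; the resolver
IPs, response sizes and flow records below are constructed for illustration."""
import struct
from collections import defaultdict

IP_UDP_HEADERS = 20 + 8  # IPv4 + UDP header bytes carried by every datagram


def build_dns_query(name: str, qtype: int = 255, txid: int = 0x1234,
                    edns_bufsize: int = 4096) -> bytes:
    """Encode a minimal RFC 1035 query plus an EDNS0 OPT record.

    Amplification abuse picks query types with large answers (ANY=255, TXT,
    DNSKEY) and advertises a big EDNS0 UDP buffer so the resolver does not
    truncate the reply and push the client onto TCP, whose handshake a spoofed
    source cannot complete.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def amplification_factor(request_payload: int, response_payload: int) -> float:
    """Bandwidth amplification factor as seen on the wire (payload + IP/UDP headers)."""
    return (response_payload + IP_UDP_HEADERS) / (request_payload + IP_UDP_HEADERS)


def simulate_reflection(victim_ip: str, reflectors: dict, query: bytes,
                        queries_each: int) -> dict:
    """Model the spoofing step. The attacker writes the *victim's* address into the
    source field of every query, so each open resolver answers the victim; the
    attacker's own address never appears. `reflectors` maps resolver IP to the
    (assumed) response payload size it returns. Returns bytes received per host."""
    received = defaultdict(int)
    for resolver_ip, response_len in reflectors.items():
        for _ in range(queries_each):
            received[resolver_ip] += len(query) + IP_UDP_HEADERS   # the small request
            reply_to = victim_ip  # the resolver trusts the forged source address
            received[reply_to] += response_len + IP_UDP_HEADERS    # the large reply
    return dict(received)


def unsolicited_dns_responses(flows):
    """Flag inbound UDP/53 responses that no outbound query from this network
    explains. `flows` is a chronological list of
    (direction, src_ip, dst_ip, src_port, dst_port, bytes); a real implementation
    would match on the full 5-tuple and DNS transaction ID rather than IP pairs."""
    outstanding = set()   # (resolver_ip, our_ip) pairs that legitimately await a reply
    flagged = []
    for direction, src, dst, sport, dport, nbytes in flows:
        if direction == "out" and dport == 53:
            outstanding.add((dst, src))
        elif direction == "in" and sport == 53:
            if (src, dst) in outstanding:
                outstanding.discard((src, dst))
            else:
                flagged.append((src, dst, nbytes))
    return flagged


# Constructed flow records: one legitimate lookup and its answer, then two
# reflected responses arriving from resolvers this network never queried.
SAMPLE_FLOWS = [
    ("out", "203.0.113.5", "192.0.2.53", 40000, 53, 68),
    ("in",  "192.0.2.53", "203.0.113.5", 53, 40000, 150),
    ("in",  "192.0.2.10", "203.0.113.5", 53, 3344, 3028),
    ("in",  "192.0.2.11", "203.0.113.5", 53, 3344, 3028),
]

if __name__ == "__main__":
    q = build_dns_query("example.com")   # 40-byte payload, 68 bytes on the wire
    print("query bytes:", len(q))
    print("BAF for an assumed 3000-byte answer: %.1f" % amplification_factor(len(q), 3000))
    print(simulate_reflection("203.0.113.5", {"192.0.2.10": 3000, "192.0.2.11": 3000}, q, 10))
    print(unsolicited_dns_responses(SAMPLE_FLOWS))
```

Two things the numbers make plain: the 68-byte request turns into a reply roughly 45 times larger, and the victim's own flow data shows only well-formed DNS answers from real resolvers, which is why source-based blocking at the victim is so unhelpful and why anti-spoofing (BCP 38) at the networks hosting the bots is the only fix at the root.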
In protocol DDoS attacks, attackers go after Layer 3 and Layer 4 protocol communications. The junk in these cases consists of malicious connection requests, as in the common SYN flood that exploits the three-way handshake used to establish TCP connections between clients and servers. The botnet floods a server with SYN packets, usually with spoofed source addresses, and never completes any of the handshakes it initiated; the server's SYN-ACKs go unanswered, and each half-open connection occupies an entry in its backlog until it times out. Once that table is full, legitimate SYNs are dropped even though plenty of bandwidth remains. Rather than clogging the pipe, protocol attacks are devised to exhaust the connection state and processing capacity of servers and of the stateful devices in front of them, such as firewalls and load balancers.
Meantime, in application DDoS attacks, the criminals junk up Layer 7 application processes by opening connections and initiating requests and transactions en masse to strain the systems running the applications, eating up resources such as CPU time, memory, worker threads, and database connections. For example, HTTP floods are application DDoS attacks in which HTTP clients running on botnet systems (scripted clients or headless browsers, not real users' browsers) barrage the application with anything from GET requests for images or documents to POST requests that force the server to run database queries. Each individual request can look perfectly legitimate, which is why these attacks are harder to filter than volumetric ones, and the request that is cheapest for the attacker to send is often the most expensive for the server to process.
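An added example, written for this page rather than taken from the article or any product it names, that models the SYN flood described above and the SYN cookie defense that makes the listener stateless until a handshake actually completes. The listener, clock, backlog size and flood are a constructed model, not a real TCP stack, and the cookie layout is a simplified version of the Bernstein/Linux scheme (5 time bits plus 27 bits of keyed hash, with no MSS encoding).

```python
"""Added example (not from the article): why a SYN flood exhausts a listener's
half-open connection table, and how SYN cookies let the server keep no state
until a handshake completes. Constructed model; cookie layout is simplified
(5 clock bits + 27 HMAC bits, no MSS index)."""
import hashlib
import hmac
import secrets


class Listener:
    def __init__(self, backlog: int, syn_cookies: bool = False, secret: bytes = None):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret or secrets.token_bytes(16)
        self.half_open = {}       # (src_ip, src_port) -> ISN we sent in our SYN-ACK
        self.established = set()
        self.dropped_syns = 0
        self.now = 0              # coarse clock tick (real stacks use ~64 s units)

    def _cookie(self, src_ip: str, src_port: int, tick: int) -> int:
        """ISN that encodes the peer address and time under a server secret, so the
        later ACK can be verified without having stored anything for this SYN."""
        msg = f"{src_ip}:{src_port}:{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((tick & 0x1F) << 27) | (int.from_bytes(digest[:4], "big") & 0x07FFFFFF)

    def on_syn(self, src_ip: str, src_port: int):
        """Handle a SYN. Returns the ISN placed in our SYN-ACK, or None if dropped."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, self.now)   # no state allocated
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                            # table full: SYN lost
            return None
        isn = secrets.randbits(32)
        self.half_open[key] = isn   # lingers until the final ACK or a timeout
        return isn

    def on_ack(self, src_ip: str, src_port: int, ack_num: int) -> bool:
        """Handle the third handshake packet, whose ACK number is our ISN + 1."""
        key = (src_ip, src_port)
        isn = (ack_num - 1) & 0xFFFFFFFF
        if self.syn_cookies:
            tick_bits = isn >> 27
            # Accept cookies minted in this clock tick or the previous one.
            for tick in (self.now, self.now - 1):
                if (tick & 0x1F) == tick_bits and self._cookie(src_ip, src_port, tick) == isn:
                    self.established.add(key)
                    return True
            return False
        if self.half_open.get(key) == isn:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


def run_flood(syn_cookies: bool, backlog: int = 128, flood_size: int = 10_000) -> bool:
    """Constructed scenario: a botnet sends SYNs from spoofed sources and never
    completes a handshake, then one legitimate client connects. Returns whether
    the legitimate client's handshake succeeded."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(flood_size):
        spoofed_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        srv.on_syn(spoofed_ip, 1024 + (i % 60000))   # our SYN-ACK goes to a host that never answers
    isn = srv.on_syn("203.0.113.7", 40001)
    if isn is None:
        return False
    return srv.on_ack("203.0.113.7", 40001, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("legit client connects during flood, no cookies:", run_flood(False))
    print("legit client connects during flood, SYN cookies:", run_flood(True))
```

Without cookies the 128-entry backlog fills after the first 128 spoofed SYNs and every later SYN, including the legitimate one, is dropped; with cookies the server stores nothing per SYN, so the flood costs it only an HMAC per packet and the real client's ACK still verifies. The caveat real stacks carry over from this model is that cookies discard TCP options that were in the SYN, which is why Linux only switches them on once the backlog overflows.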
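Because each request in an HTTP flood is individually valid, the practical defense at Layer 7 is to budget what a source is allowed to make the server do, not how many bytes it sends. The following is an added example (not code from the article) of that idea in Python: it parses combined-format access log lines, charges each request a cost that reflects the server work it triggers, and flags a source that exceeds its budget inside a sliding window. The cost table, the addresses and the log lines are constructed for illustration, and a real deployment would tune the costs to its own endpoints.

```python
"""Added example (not from the article): spotting an HTTP flood in web server
access logs with a cost-weighted sliding-window rate limit. The log lines,
addresses and cost table are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed cost model: what a request makes the *server* do, not how many bytes it
# moves. A POST that reaches the database is far dearer than a cached static GET.
METHOD_COST = {"GET": 1, "HEAD": 1, "POST": 5}
PATH_WEIGHT = {"/search": 4, "/api/report": 8}   # prefixes that trigger DB/compute work


def request_cost(method: str, path: str) -> int:
    base = METHOD_COST.get(method, 3)
    for prefix, weight in PATH_WEIGHT.items():
        if path.startswith(prefix):
            return base * weight
    return base


def parse_line(line: str):
    """Return (ip, timestamp, method, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def flag_floods(lines, window_s: int = 10, budget: int = 100) -> dict:
    """Per-source sliding window: each request spends its cost, and spend older
    than `window_s` seconds is refunded. A source whose spend exceeds `budget`
    inside one window is flagged with the timestamp of the request that tipped
    it over. Lines must be chronological, as a live tail of the log would be."""
    windows = defaultdict(deque)   # ip -> deque of (timestamp, cost)
    spent = defaultdict(int)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # malformed line: skip it, never crash the detector
        ip, ts, method, path = parsed
        cost = request_cost(method, path)
        q = windows[ip]
        while q and (ts - q[0][0]) > timedelta(seconds=window_s):
            spent[ip] -= q.popleft()[1]
        q.append((ts, cost))
        spent[ip] += cost
        if spent[ip] > budget and ip not in flagged:
            flagged[ip] = ts
    return flagged


def constructed_log() -> list:
    """Build sample traffic: a browsing user fetching one image per second, and a
    bot hammering the search endpoint with POSTs three times per second."""
    t0 = datetime(2021, 11, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [(t0 + timedelta(seconds=i), "203.0.113.8", "GET", "/img/logo.png")
              for i in range(40)]
    events += [(t0 + timedelta(seconds=5 + i // 3), "198.51.100.23", "POST", "/search?q=%d" % i)
               for i in range(12)]
    events.sort(key=lambda e: e[0])
    fmt = '%s - - [%s] "%s %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    return [fmt % (ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), method, path)
            for ts, ip, method, path in events]


if __name__ == "__main__":
    for ip, ts in flag_floods(constructed_log()).items():
        print("flood from %s at %s" % (ip, ts.isoformat()))
```

In the constructed log the browsing user never spends more than about 11 cost units in any 10-second window, while the bot's sixth POST to /search (20 units each) pushes it past the 100-unit budget at 12:00:06 and it is flagged; a plain requests-per-second threshold would have rated the two sources as roughly comparable.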
"Sometimes pure volumetric-based DDoS attacks are relatively easy to identify and stop," says Jeff Enters, global chief technologist and strategist for networking at HPE Pointnext Services. "It's these more complicated ones that need intelligence to deal with them. Just as IPS vendors or antivirus vendors need signatures to conduct blocking efficiently, DNS mitigation technology depends on threat intelligence- and risk-driven logic that determines when and how potentially malicious DDoS traffic is rerouted, scrubbed, and/or blocked."
Even more difficult is the fact that attackers gum up the works by using multiple techniques at once or in quick succession. According to researchers at Link11, 78 percent of DDoS attacks in the third quarter of 2021 were multi-vector attacks, up 16 percent from the second quarter. Increasingly, attackers favor quick-hit, shorter-duration attacks over the sustained DDoS attacks of yesteryear that were meant to knock infrastructure completely offline.
"If I'm a bad guy, I'm going to make this thing as unpredictable and dynamic as possible," explains Ferrell. "So you can't figure out what I'm doing or when I'm doing it."
The state of DDoS activity today
The more advanced DDoS techniques described above are often at the root of the record-setting attacks that can overwhelm all but the largest hyperscalers and DDoS mitigation services, which are equipped to absorb multiple terabits per second flooding the network at once.
In October 2021, Microsoft disclosed one of the largest DDoS attacks ever recorded, against one of its European Azure customers. The 2.4 Tbps attack used UDP reflection and was 140 percent larger than the previous high-water mark of 1 Tbps that Microsoft logged in 2020, also a reflection attack. In November 2021, infrastructure provider Cloudflare reported an attack approaching 2 Tbps against one of its customers, a multi-vector attempt that combined DNS amplification with UDP floods.
Both Microsoft and Cloudflare fended off the attacks without impact on the targeted customers by using their DDoS mitigation capacity to scale up absorption of those massive influxes of malicious traffic. That is a proof point for why so many organizations are moving toward third-party mitigation services, which are frequently the only ones with the scalable bandwidth and routing logic to do the heavy work of absorbing and scrubbing attacks at this level.
"With the throughput capacity of DDoS attacks today, there's no way anyone's standard internet connection is going to be able to withhold or withstand that," says Enters. "You see a lot of customers now moving all of their DDoS capability to third-party providers."
However, third-party protections are far from universal. The 2021 Cyberthreat Defense Report shows DDoS protection as one of the fastest-growing network security segments, behind only next-generation firewalls, but as things stand, only half of organizations have any DDoS prevention or mitigation measures in place.
In spite of success stories like the Azure and Cloudflare mitigations, it's important to note that for every one of those cases in the news there are many others with far messier outcomes. For example, in November 2021, gaming company Activision Blizzard had its Battle.net service taken down by DDoS. And in recent months, there have been reports of DDoS taking down major financial institutions in New Zealand and causing multimillion-dollar damage from service disruption to major VoIP providers like Bandwidth.com.
The lesson here is that, in spite of technological advances on the DDoS mitigation front, DDoS attacks are still working, and they're increasing in frequency and severity. Enters says organizations must keep these trends in mind as they prepare their DDoS response.
"Even with a CDN in place to help distribute, redirect, or absorb, you need that operational aspect ready of how you respond in these situations, because they can very quickly get to a scenario that becomes 'all hands on deck,'" he says. "If you don't have that operational aspect in place to respond appropriately and understand what your options are to mitigate in that moment, you'll be much slower to respond."
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.