Defence in an ever-changing threat landscape

by Mark Rowe

Adversaries are becoming smarter and more dangerous, says Richard Hummel, threat intelligence lead for the cyber firm NETSCOUT.

The damage caused by a distributed denial-of-service (DDoS) attack is significant. With the ability to take down websites and business critical applications for extended periods, this can lead to disgruntled customers, lost revenue, and irreparable brand damage – and the threat posed by DDoS attacks is continuing to grow. Findings from NETSCOUT’s latest Threat Intelligence Report show that there has been an increase in DDoS attack activity, with nearly 13 million attacks taking place in 2022 – a new high-water mark for attack frequency. At the same time, threat actors have been getting smarter and better at what they do, allowing them to launch increasingly dangerous attacks and evade traditional defence techniques more effectively than ever before.

Primary attack vectors and methodologies

From 2006 to 2021, volumetric attacks dominated the cyberthreat landscape, with DNS amplification attacks at the forefront of this. However, in early 2021 a tectonic shift in cybercriminals’ attack preferences was detected, with a transition to TCP-based attacks. This continued for the remainder of the year and well into 2022. For example, in 2022, four of the top five vectors used were TCP-based attacks, with the only volumetric DDoS attack vector to make the list being DNS amplification. This clearly shows a preference among threat actors. Inside these vectors, there are different types of attacks.

HTTP/HTTPS application-layer

With more than a billion websites on the internet, these have become one of the favourite targets for attackers. In fact, NETSCOUT data points to a 487 per cent increase in HTTP/HTTPS application-layer attacks since 2019. The events preceding the ongoing war between Russia and Ukraine showcased the true impact of these attacks. Government, financial, and media sites across Ukraine were knocked offline just prior to Russia’s invasion. In addition, the National Cyber Security Centre (NCSC) discovered that Russian threat actors attacked ISP Viasat, which had a Europe-wide impact, around one hour before the invasion began.

Carpet-bombing

What’s more, there has been a surge in carpet-bombing attacks. As the name suggests, rather than targeting a single host, these types of attack seek out entire IP address ranges. This uptick began in November 2021 and really accelerated in August 2022, with daily attacks using this method rising from an average of 670 in 2021 to an average of 1,134 in 2022 – representing a 69 per cent increase. When comparing the first half of 2022 with the second, this provides an even greater illustration of the increasing popularity of this attack technique. There was an increase of 110 per cent in carpet-bombing attacks during this period.
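Because carpet-bombing spreads the load across an address range, a detector that only watches per-host rates can miss it entirely. The added Python example below is not from the article or from NETSCOUT: it aggregates constructed flow records by /24 prefix so that a flood split over many hosts still surfaces, while a single-host flood is caught by the usual threshold. The sample rates and thresholds are assumed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (destination IP, packets per second); not real data.
# Eight hosts in 203.0.113.0/24 each see a modest rate (the carpet-bombing pattern),
# 198.51.100.5 sees a classic single-host flood, and 192.0.2.7 is background traffic.
SAMPLE_FLOWS = [(f"203.0.113.{i}", 900) for i in range(10, 18)] + [
    ("198.51.100.5", 5000),
    ("192.0.2.7", 100),
]


def aggregate_by_prefix(flows, prefix_len=24):
    """Sum per-host rates into their enclosing prefix and count distinct targets."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for dst, pps in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += pps
        hosts[net].add(dst)
    return {net: (totals[net], len(hosts[net])) for net in totals}


def detect(flows, per_host_pps=1000, per_prefix_pps=5000, min_hosts=4, prefix_len=24):
    """Return alerts as (kind, target, rate) tuples.

    'host' alerts come from the usual per-destination threshold. 'prefix' alerts
    fire when a prefix aggregate is large and spread over many hosts even though
    no single host crossed the per-host line, which is the carpet-bombing case.
    Thresholds are assumed values, not recommendations.
    """
    alerts = [("host", dst, pps) for dst, pps in flows if pps > per_host_pps]
    flagged_hosts = {dst for _, dst, _ in alerts}
    for net, (total, n_hosts) in aggregate_by_prefix(flows, prefix_len).items():
        spread = n_hosts >= min_hosts
        already = any(ip_address(h) in net for h in flagged_hosts)
        if total > per_prefix_pps and spread and not already:
            alerts.append(("prefix", str(net), total))
    return alerts


if __name__ == "__main__":
    for kind, target, rate in detect(SAMPLE_FLOWS):
        print(f"{kind:6s} {target:18s} {rate} pps")
```

Running the block prints one host alert for 198.51.100.5 and one prefix alert for 203.0.113.0/24; no host in that prefix exceeds the per-host threshold on its own.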

DNS query flood

A form of application-layer attack, DNS query flood attacks have more than tripled since they initially became weaponised in 2019, marking a 243 per cent increase in adoption of this attack technique. These attacks tend to be against internet service providers (ISPs). However, during the second half of 2022, threat actors used this tactic to attack national security and commercial banking sectors around the world, particularly in the Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA) regions, with both seeing a daily increase of more than 100 per cent in this attack technique. This substantial rise is most likely related to the Russo-Ukrainian war, particularly in EMEA.

In recent years, adversaries have refined their techniques, creating a tsunami of different types of attacks. They are also conducting more pre-attack reconnaissance, probing before they strike to see what does and doesn’t get through. From this, cybercriminals will craft their methodology based on what they discover, so as to ensure weak spots in network defences are targeted. They will also monitor the attack in real-time, to see what’s successful and what isn’t. As such, it’s more important than ever for ISPs and enterprises to fully protect their critical infrastructure such as networks and stateful devices, as well as downstream customers. This has led to organisations looking for increasingly strong and effective DDoS defence systems.

Effective defence

With DDoS attacks in the modern world evolving on a continuous basis, the stakes are higher than ever. Failure to adapt and defend against new DDoS attack techniques will significantly damage businesses. This has resulted in there being a rapid shift in traditional DDoS defensive strategies, tactics, and thinking, as organisations need to implement the most up-to-date DDoS protection solution and utilise proven best practices. Experts have come to the realisation that, due to the growing frequency and complexity of DDoS attacks, there is the need for a solution which features a number of different components. Firstly, the mitigation system must automatically identify and stop all types of DDoS attacks before they affect the availability of business-critical services.

Further to this, the foundation for a comprehensive DDoS attack mitigation posture starts with an on-premises, purpose-made DDoS protection solution. With its inherent attack management agility, this solution is intended to identify and mitigate those attacks designed to bypass cloud-based solutions.
Nevertheless, cloud components are still a necessary part of any DDoS defence tool, due to their effectiveness in stopping large volumetric DDoS attacks. For instance, cloud-based products mitigate high-volume flood attacks which target internet connectivity before they’re able to overwhelm local protection. In fact, cloud-based mitigation solutions strengthen the protection of on-premises options.

As such, the most comprehensive protection is one which combines these features – a multilayer, hybrid defence strategy. The increasingly complex nature of attacks does not only reinforce the need for this type of solution, but it makes it a requirement. With a hybrid approach, the different types and targets of DDoS attacks are all recognised, enabling businesses to more effectively block DDoS attacks – both now and in the future.
Enterprises will also be adequately prepared to defend their online infrastructure should they become the target of nefarious activity, providing they act in accordance with best current practice (BCP) measures. For example, it is imperative for organisations to adhere to situationally specific network access policies that permit internet traffic only over the protocols and ports that are actually required.

What’s more, the rapidly changing nature of the cyberthreat landscape means that it’s critical for businesses to regularly test their online infrastructure. By doing this, organisations will be in a stronger position to protect themselves should a new DDoS vector or methodology emerge. As well as this, periodic testing ensures that if any adjustments are made to applications or servers, these will be incorporated into the DDoS defence solution. This makes sure vital online business infrastructural components are protected.

To reflect the constantly evolving threat landscape, organisations must modernise and adapt their thinking and defensive approaches to DDoS attacks. As threat actors increase in sophistication, it is no longer adequate to just use the same mitigation practices which were in place last year, last month, or even yesterday. Now, they are required to take proactive steps, installing the most modern DDoS protection solution available and adhering to BCP procedures to sufficiently protect themselves from cybercriminals.

© 2024 Professional Security Magazine. All rights reserved.