Popular DDoS tactics

by Mark Rowe

Richard Hummel, threat intelligence lead for the network and cloud security product company NETSCOUT, offers DDoS attack trends organisations should look out for.

Over time, the distributed-denial-of-service (DDoS) threat landscape has become a playground for bad actors to flaunt the latest innovations in powerful attack tactics, dodging their targets’ traditional cybersecurity measures. Organisations can’t afford to fall behind on threat detection and mitigation, and should aim to stay one step ahead of cybercriminals. Indeed, DDoS attacks can inflict significant damage on targeted businesses and, in the most severe cases, endanger business continuity. To prevent these risks and the damage that follows, companies must stay up to date with key DDoS trends, changes in attack tactics, and effective DDoS mitigation tools to thwart emerging threats.

DDoS attacks and geopolitical unrest

Findings from NETSCOUT’s latest DDoS Threat Intelligence Report show that DDoS attacks and geopolitical conflicts are intrinsically linked. As DDoS attacks have steadily increased in volume and sophistication over the past two decades, cybercriminals and nation-state actors are able to target internet infrastructure to hinder critical online services which rely on internet connectivity to operate. For example, just days before the start of the Russian-Ukrainian war, there was a significant rise in DDoS attack activity aimed at internet service providers (ISPs) in the EMEA region.

Following the start of the war, Ukrainian internet properties were relocated to other nations to ensure that their infrastructure was protected. However, DDoS attacks were then launched against countries supporting and offering help to Ukraine. Ireland, for example, faced a 200 per cent rise in DDoS attacks following the relocation of Ukrainian cloud-based systems to the country. Although these attacks can be successfully blocked, doing so consumes valuable resources on the targeted network.

As the year carries on, global geopolitical tensions are likely to continue and DDoS attackers will likely take advantage. As a pre-emptive measure, organisations, such as government departments and private companies, must stay aware of emerging DDoS-related tactics and reinforce their cybersecurity accordingly. As a result of DDoS mitigation systems becoming more effective, cybercriminals are innovating their tactics to evade modern solutions. There are several types of DDoS attack vectors that have gained popularity amongst threat actors.

These include adaptive DDoS attacks, in which attackers thoroughly investigate the service delivery chain before launching an attack, to find the components they will later target. To reduce the number of boundaries DDoS attack traffic needs to pass through, attackers are using botnet nodes and amplifiers that are nearer to the target. This activity was observed with botnets targeting Ukraine, and it often leaves fewer chances to spot and stop an attack before it progresses. Greater available bandwidth and the large number of vulnerable devices, combined with adaptive DDoS methods, will amplify the threat to network operators and severely disrupt the services they provide to customers.

The most popular vectors are TCP-based flood attacks, which make up nearly 46 per cent of all global DDoS attacks observed. Their popularity among bad actors owes much to their effectiveness. These attacks are launched from powerful sources with considerable bandwidth and computing resources, such as cloud-based infrastructure. Along with this, adversaries are striking from hosts far closer to the target, allowing them to evade layers of transit, potential discovery, and mitigation systems.

Speaking of attacking at closer proximity, the rate of DDoS attack traffic originating from within the same network it is attempting to target is increasing, which allows that traffic to bypass the transit and ingress points where it might otherwise be caught. Previously, DDoS defence systems prioritised protection of internet networks and properties by integrating detection and mitigation tools for inbound network traffic at multiple convergence points. This approach initially worked well in protecting targeted organisations and their networks from inbound DDoS attacks. However, it does little against cross-bound and outbound DDoS attacks, which can be just as damaging as inbound attacks.

Triple extortion attacks have been widely adopted by professional adversaries, and future campaigns are expected to become increasingly destructive and sophisticated. Powered by the speed and bandwidth of 5G networks, triple extortion attacks combine DDoS attacks, file encryption, and data theft against their targets. Because they are so effective, causing major disruption to day-to-day business operations, these high-profile attacks let cybercriminals increase their extortion pay-out potential.

Given this, current DDoS mitigation solutions should match or even exceed the level of sophistication demonstrated by modern threats. Companies should therefore consider upgrading their DDoS mitigation systems to incorporate DDoS suppression capabilities that can effectively mitigate these threats.

Mitigation and suppression

Placing adaptive DDoS defences at every edge of the network is the best step companies can take to block DDoS attacks. Attacks are then suppressed at the many points where they enter the network edge, before they can combine into a larger attack. With intelligent DDoS mitigation, network-infrastructure-based mitigation techniques, and edge-based attack detection placed at all network access points, network operators can deploy adaptive suppression systems at the scale needed to prevent DDoS attacks and other emerging threats.

An enterprise DDoS suppression solution should be able to predefine which IP addresses could be used to launch an attack. Once an attack from identified infrastructure begins, systems with this capability can quickly block it before it causes any major damage. The attack is neutralised before any manual analysis or further routing decision is necessary, leaving the organisation unscathed.
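The two defensive ideas in this section, blocking predefined attack sources before any analysis and detecting TCP SYN floods regardless of whether they arrive inbound, cross-bound or outbound, are illustrated below in an added example. It is written for this article and is not NETSCOUT code or a description of any product's logic; the flow records, the operator-owned prefixes, the threat-intelligence prefix list and the SYN threshold are all constructed or hypothetical values.

```python
"""Direction-aware SYN-flood detection with a predefined source blocklist.

Added illustration for this article, not NETSCOUT code. Flow records,
prefix lists and the threshold below are constructed/hypothetical.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical: prefixes the network operator owns. Used to classify direction.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical: predefined attack infrastructure (e.g. a threat-intel feed).
# Traffic from these sources is dropped before any rate analysis.
KNOWN_ATTACK_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed threshold: SYN packets per (destination, port) per window.
SYN_THRESHOLD = 1000


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record for a measurement window."""
    src: str
    dst: str
    dport: int
    syn: bool      # True if the flow consists of SYN packets
    packets: int


def _in_any(ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)


def classify_direction(flow: Flow) -> str:
    """Inbound, outbound, cross-bound (both ends on-net) or transit."""
    src_local = _in_any(flow.src, LOCAL_PREFIXES)
    dst_local = _in_any(flow.dst, LOCAL_PREFIXES)
    if src_local and dst_local:
        return "cross-bound"
    if dst_local:
        return "inbound"
    if src_local:
        return "outbound"
    return "transit"


def suppress(flows):
    """Return (blocked_sources, alerts).

    Step 1: drop flows from predefined attack sources (no analysis needed).
    Step 2: sum SYN packets per (dst, dport) across *all* directions and
    alert when the window total crosses the threshold.
    """
    blocked, kept = set(), []
    for f in flows:
        if _in_any(f.src, KNOWN_ATTACK_SOURCES):
            blocked.add(f.src)
        else:
            kept.append(f)

    syn_by_target = defaultdict(int)
    directions = defaultdict(set)
    for f in kept:
        if f.syn:
            key = (f.dst, f.dport)
            syn_by_target[key] += f.packets
            directions[key].add(classify_direction(f))

    alerts = [
        {"dst": dst, "dport": dport, "syn_packets": n,
         "directions": sorted(directions[(dst, dport)])}
        for (dst, dport), n in syn_by_target.items() if n >= SYN_THRESHOLD
    ]
    return sorted(blocked), sorted(alerts, key=lambda a: (a["dst"], a["dport"]))


def missed_by_inbound_only(alerts):
    """Alerts that an inbound-only detector at the ingress would never see."""
    return [a for a in alerts if "inbound" not in a["directions"]]


# Constructed sample window: one predefined-source flood, one cross-bound
# flood with a small inbound component, one outbound flood from an
# on-net host, and a little benign inbound traffic.
SAMPLE_FLOWS = [
    Flow("192.0.2.10",   "203.0.113.5",  443, True, 5000),  # blocklisted source
    Flow("198.51.100.7", "203.0.113.5",  443, True,  700),  # cross-bound
    Flow("198.51.100.8", "203.0.113.5",  443, True,  600),  # cross-bound
    Flow("100.64.9.9",   "203.0.113.5",  443, True,  200),  # inbound
    Flow("203.0.113.9",  "100.64.1.1",    80, True, 1200),  # outbound
    Flow("100.64.2.2",   "203.0.113.20",  80, True,   20),  # benign inbound
]

if __name__ == "__main__":
    blocked, alerts = suppress(SAMPLE_FLOWS)
    print("blocked sources:", blocked)
    for a in alerts:
        print("ALERT", a)
    print("missed by inbound-only detection:", missed_by_inbound_only(alerts))
```

Run on the constructed window, the blocklisted source is dropped outright, the cross-bound flood against 203.0.113.5 is caught even though only a small part of it crosses the ingress, and the outbound flood from the on-net host 203.0.113.9 shows up as an alert that an inbound-only detector would have missed entirely.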

Organisations must keep abreast of new and evolving threats that may emerge. In doing so, they can prepare far in advance and adapt their cybersecurity measures to keep up with the rise of new tactics. Only with an understanding of the cyberthreat landscape, awareness of changes to current attack methodologies, and effective mitigation tools can organisations successfully mitigate DDoS threats and ensure business continuity.

© 2024 Professional Security Magazine. All rights reserved.