Why Does DDoS Remain a Serious Cyber Threat?
The origins of DDoS can be traced to the late 1990s, when a number of online services were downed because their servers were overloaded. This was referred to as a “flood attack” back then. Superfluous requests were sent to servers to force them into quickly reaching their maximum capacity, depriving legitimate users of the resources necessary to access sites and web services.
DDoS attacks are essentially efforts to overload web servers to force a downtime or make the target websites and services unavailable. To most internet users, this sounds like a straightforward and simplistic form of cyberattack. To the untrained mind, the solution is simply to block the malicious requests. It is not as simple as that, though.
A complicated, simple problem
While it is true that DDoS is basically the overloading of servers to take down their availability, the ways in which this simple attack is carried out have many complex layers. From plain DoS (Denial of Service) to DDoS (Distributed Denial of Service), the attack has changed in many ways in order to remain a potent threat.
DDoS mitigation services remain relevant not only because the same old DDoS attacks keep pestering businesses and other potential victims, but because they evolve alongside the attacks themselves. Distributed Denial of Service attacks have morphed. Simply identifying potential malicious request sources by IP address no longer works, because DDoS is no longer limited to a few devices that can easily be blocked by their IP addresses.
Nowadays, DDoS perpetrators use malware to infect a wide variety of web-enabled devices and turn them into unwitting “accomplices” in attacks. The rise of the Internet of Things (IoT) has given cybercriminals a massive number of new devices that can be used in DDoS campaigns. From smart TVs to smart lights, speakers, thermostats, doorbells, and CCTVs, there are billions of devices that can become tools in undertaking concerted DDoS. Add to these the prevalence of various web-enabled wearables such as smartwatches and fitness trackers.
IoT and wearable devices are viewed as unique units whenever they access the internet. They have their respective IP addresses and other identifying attributes. When they are infected by some malicious software that turns them into DDoS agents, it becomes very difficult to distinguish them from legitimate traffic sources. The requests they send to servers tend to be treated as ordinary and legitimate.
Over time, DDoS protection systems learn to identify DDoS devices and block them. However, new ones emerge, and it becomes a vicious whack-a-mole cycle in which the attacks never end and the most organizations can do is address whatever new comes up after dealing with the previous attack.
Shifting to more sophisticated attacks
The majority of DDoS attacks are volumetric in nature, meaning they rely on large numbers of requests to exhaust bandwidth and overwhelm servers. Akamai says that volumetric attacks have been rising fast in 2021: more DDoS attacks of 50 Gbps or greater were observed in the first quarter of 2021 than in the whole of 2019.
However, volume is not the only notable approach DDoS perpetrators are utilizing. They are also turning to previously unused attack vectors, such as leveraging the Datagram Congestion Control Protocol, which is also known as Protocol 33. Bad actors have discovered that they can bypass security protections that focus on User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) when they abuse Protocol 33.
Many DDoS attacks are also multi-layered. They start with a deluge of SYN packets originating from several sources, with the goal of leaving sockets partially open while quickly eating into bandwidth. They then proceed to launch an application-layer DDoS attack to exhaust the resources of the network. This misdirection is usually successful, as the second stage is not often the focus of the defense strategies built into the anti-DDoS solutions many organizations use.
Moreover, there are DDoS attacks that specialize in TCP state exhaustion: they target a specific server or group of servers and rapidly max out the total number of connections those servers can handle. An application-level attack then follows, exploiting weaknesses in how the application guards its limited CPU cycles and processing power.
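The multi-layered attacks described above begin by filling a listener's half-open connection table from many sources, which is exactly why blocking by individual IP address, as discussed earlier, falls short. As an added example that is not from the original article, the Python below compares a per-source rule with an aggregate backlog rule over a constructed `ss -tan`-style connection table; the per-IP cap and the listen backlog size are assumed values.

```python
"""Spot a distributed SYN flood in a TCP connection table.

Added example, not code from the original article. Input is constructed
to look like `ss -tan` output (STATE LOCAL:PORT PEER:PORT); the per-IP
cap and listen backlog used as limits are illustrative assumptions.
"""
from collections import Counter

HALF_OPEN = "SYN-RECV"  # server received SYN, sent SYN-ACK, still waiting for the final ACK

def parse_table(text):
    """Return (state, local_port, peer_ip) tuples, skipping an `ss` header line if present."""
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("State", "Netid"):
            continue
        state, local, peer = parts[0], parts[1], parts[2]
        conns.append((state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]))
    return conns

def assess(conns, port, per_ip_limit=10, backlog=128, fill_threshold=0.5):
    """Compare a per-source rule with a per-listener (aggregate) rule for one port."""
    half_open = [c for c in conns if c[0] == HALF_OPEN and c[1] == port]
    established = sum(1 for c in conns if c[0] == "ESTAB" and c[1] == port)
    per_source = Counter(peer for _, _, peer in half_open)
    # Per-IP rule: flag a source only when it alone holds too many half-open sockets.
    noisy_sources = sorted(ip for ip, n in per_source.items() if n > per_ip_limit)
    # Aggregate rule: how much of the listen backlog is tied up in half-open entries.
    backlog_fill = len(half_open) / backlog
    return {
        "half_open": len(half_open),
        "established": established,
        "distinct_sources": len(per_source),
        "noisy_sources": noisy_sources,
        "backlog_fill": round(backlog_fill, 3),
        "flood_suspected": backlog_fill >= fill_threshold,
    }

# Constructed sample 1: 40 sources in 203.0.113.0/24, two half-open sockets each (80 total)
DISTRIBUTED = "\n".join(
    ["ESTAB    10.0.0.5:443  198.51.100.7:51022",
     "ESTAB    10.0.0.5:443  198.51.100.9:40110"]
    + [f"SYN-RECV 10.0.0.5:443  203.0.113.{i}:{4000 + i + 100 * k}"
       for i in range(10, 50) for k in range(2)]
)
# Constructed sample 2: a single source holding 30 half-open sockets
SINGLE_SOURCE = "\n".join(f"SYN-RECV 10.0.0.5:443  203.0.113.99:{5000 + i}" for i in range(30))

if __name__ == "__main__":
    for name, table in (("distributed", DISTRIBUTED), ("single source", SINGLE_SOURCE)):
        print(name, assess(parse_table(table), port=443))
```

In the distributed sample no source exceeds the per-IP cap yet the backlog is more than half full, while the single-source sample is caught by the per-IP rule but stays under the aggregate threshold; a defense needs both views.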
How organizations defend themselves
Many organizations use in-house and point security methods to deal with DDoS threats. These are typically the businesses that do not view DDoS as much of a threat, since they do not believe they are big or popular enough to be targeted by threat actors. This mindset makes them highly vulnerable to attacks.
The more cautious organizations, those that understand that their revenues and reputation greatly rely on their uptime and online reliability, use more advanced defenses. If they do not have the internal team to implement dependable DDoS defense, they use cloud services that come with integrated DDoS protection, or they turn to managed security service providers (MSSPs). They may also use hybrid solutions or combinations of on-premise and cloud solutions, usually supplied by security vendors.
Many of the third-party DDoS protection systems available at present are already good enough, so it is definitely not a bad idea to use them, especially when companies do not have the expertise or competence to operate their own DDoS defenses. According to a report by market intelligence and advisory service firm IDC, “DDoS vendors continue to improve their protection platforms, adding more features and lowering prices to address all segments of the market.”
Distributed Denial of Service attacks continue to be a serious threat because they keep evolving to attack weaknesses not covered by older defensive solutions. The basic concept of the attack may be the same (overwhelming servers), but the ways of doing it are continually tweaked to evade existing protections.
To counter the relentlessness, aggressiveness, and creative enhancements of DDoS attacks, organizations must also improve their defenses to plug security gaps or identify and patch new weaknesses in their security posture. If they do not have the expertise or resources to do this, they can use cloud solutions, MSSPs, or vendor-provided comprehensive DDoS defense systems, which are shown to be reliable enough. They just need to make sure they choose a genuinely reliable DDoS protection provider.
Some may be wondering why DDoS is still a serious threat when the protective solutions available are regarded as mostly good enough and information on the latest attack tactics and techniques is usually made publicly available. This is because many organizations still do not take the threat seriously, and many also refuse to put the corresponding cyber defenses in place.
When threat actors continue to get something as they launch their DDoS attacks, there is no reason for them to stop. What do DDoS perpetrators get? For hacktivists, they are able to draw attention towards their advocacies or causes. For enterprising cybercriminals, they get paid by businesses or governments to attack competitors or they can launch extortion schemes where they only stop the attacks if the victim pays them to do so.