You may be thinking: Why do we even still have distributed denial of service (DDoS) attacks in 2022? Two reasons:
- Modern DDoS attacks have become more profitable and commoditized
- Defenders haven’t found a way to make DDoS more trouble than it’s worth
Trends show the gap may be widening, but emerging best practices could put time back on defenders’ side . . .
For only $500, anyone can pay for a DDoS subscription service to launch a DDoS attack.
Microsoft
What do DDoS Attacks Look Like in 2022
DDoS attacks have wreaked havoc for nearly 40 years since a high school kid launched the first one back in 1974 (before SecOps was even a thing). The fundamental goal of Denial of Service (DoS) hasn’t changed:
To shut down normal business operations by overwhelming a website, service, or underlying network infrastructure with a flood of simultaneous requests.
POPULAR DDOS ATTACKS
| Type of Attack | Layers Attacked | How it Works |
| Application (includes HTTP floods) | L7 | Floods sites with HTTP requests, Exhaust application resources Consumes memory, CPU, etc |
| Protocol (SYN, ACK floods) | L3-L4 | Destroy processing capabilities/exhausts resources of server/network equipment resources (switches, firewalls, etc.) |
| Volumetric | L2 | Sends large amounts of data to exhaust available bandwidth |
Sort of like a Starbucks drive-thru at 8AM on Monday morning, only with devastating consequences and no cranberry scones. While the basic principle remains the same, DDoS attacks have evolved into a massive and time-tested industry.
Same Goals, More Targets
Malice, greed, and political pressure still top the list of motives driving DDoS attacks. Virtually any company—or any virtual company—may now be targeted, from cloud providers and e-commerce portals to financial brokerages and the Ubers of the world.
Doing More Damage
In commoditizing DDoS, threat actors made a formidable weapon available to just about everyone through marketplaces on the Clearnet and Darknet. The process became more efficient such that, even as slightly fewer attacks succeed, the cost to businesses targeted continues to rise. Today’s campaigns cost businesses $22K per minute (Ponemon) and more than $200K per attack in 2021 (Radware).
Modern attacks also appear to succeed more often. In 2022, the YoY DDoS growth is 109%. Research from Nexusguard shows that in FH ’22, DDoS attacks increased by 75.6% compared to the second half of 2021, application attacks increased a whopping 330% compared to the second half of 2021, and amplification attacks increased by 106.7%
DDoS attacks increased steadily in the third quarter of 2022, particularly those conducted by professionals. The number of sophisticated attacks doubled, compared to the same period last year, while the number of attacks by hacktivists almost vanished in the third quarter, following a notable rise in the previous two quarters.
Kaspersky quarterly DDoS report
New Levels of Sophistication
Today’s highly orchestrated and commoditized attacks bear little resemblance to their early ancestors in that they:
- Use botnets: Floods of valid requests come from large global networks of compromised PCs and IoT devices (temperature/water/occupancy sensors, CCTV cameras, CPE, etc.) infected with malware that turns them into bots (linked together via “botnets”)
- Occur in stages: Attacks can last minutes, hours, even days, and may be repeated at regular intervals
- Come in multiple flavors: Application, protocol, and volumetric attacks target every layer of the stack
Complexity Confuses Defenses
DDoS attacks initially resemble spikes in legitimate traffic which makes them harder to spot, and defenders slower to respond or even recognize the telltale signs:
- Excess of traffic coming from a single IP address or range
- Atypical traffic from one region or browser type
- Abnormal or off-house spikes in traffic
DDoS may now furnish one element of multi-vector “triple extortion ransomware” attacks aimed at squeezing higher payouts from ransomware victims. Cybercriminals might also use it as a smoke screen to divert resources away from more sophisticated campaigns like malware insertion or data exfiltration.
Campaigns that cycle attack vectors or target multiple layers of the stack make it harder to flag anomalies. Threat actors might also combine bursty attacks on DNS servers with attacks rooted in encrypted (SSL/TLS) to make it harder for defenders to detect and understand when and where they’re under attack.
Above All: Size Matters
Research shows the game-changing aspect of today’s DDoS attacks isn’t the frequency, technique, success rate, or even the complexity, but rather, the sheer speeds involved. According to NIST:
The rapidly growing threat can be characterized by the orders of magnitude increases in the bandwidth of such attacks (from 100s of millions bits per second, to 100s of billions bits per second) and the growing range of targets (from ecommerce sites, to financial institutions, to components of critical infrastructure).
F5’s 2022 Application Protection Report: DDoS Attack Trends Report shows DDoS attacks larger than 250 Gbps grew by 1,300%. Radware reported that the largest known DDoS attack occurred in Q2 2022 topping out at 1.46 Tbps (and larger ones may have occurred since then). Radware also reports clients blocking 3.39 TB attack volumes per month.
DDoS Mitigation Aims to Keep Pace
During any attack, the defenders’ goal is the same: to maintain business operations while quickly detecting and shutting down incoming threats. As DDoS attacks matured into a lucrative industry, the DDoS mitigation industry grew up around stopping attacks. DDoS mitigation refers to the process of protecting targeted networks and servers using dedicated equipment or cloud-based protection services.
Experts project the DDoS Protection and Mitigation Security Market to reach $8B in 2027 as emerging best practices put time back on defenders’ side.
DDoS mitigation involves monitoring, detection, and increasingly, automated response. Many enterprises already operate firewalls, load balancers, and other devices to create resilient, rock-solid perimeters with no single point of failure.
Modern DDoS mitigation solutions and strategies also include deploying specialized Web Application Firewalls (WAFs) between your servers and the Internet to filter requests and detect DoS techniques. WAFs intercede by applying custom rules set by IT in response to attacks.
Along with service providers and manufacturers of network equipment (routers, switches, servers, firewalls), eCommerce providers and enterprises with a large web presence rely on DDoS mitigation to maintain business continuity and reputation. The trick is to make sure it all works as advertised.
Putting DDoS Mitigation to the Test
If you can easily tell the good guys from the bad, thwarting DDoS becomes a race against time. When you can’t, you need greater agility, more practice, and a wider range of proven responses to minimize downtime, avoid financial losses and aggravate as few customers as possible. For example, simply throttling back on bandwidth or rate-limiting the volume of requests a server will accept won’t make anybody happy (even if it slows an attacker’s roll temporarily).
To be as ready as you can, you need to test existing and prospective DDoS mitigation solutions and procedures before you invest, while evaluating third-party risk, and during day-to-day operations. Proof that mitigation works as promised may also impact compliance and cyber insurance premiums.
Start with Visibility
The first step in giving defenders more time is understanding the normal behavior of your applications and recognizing anomalies. These might include service degradation, user complaints, and deviant usage patterns. Visibility should entail user-configured alerts that signal analysts when traffic exceeds predefined thresholds and real-time telemetry to speed investigation.
Simulating Attacks
The next step is to simulate attacks that might resemble your normal traffic to evaluate the ability of monitoring tools and mitigation teams to respond. Validating your ability to detect and disrupt today’s massive-scale DDoS/ransomware campaigns requires four vital simulation capabilities:
- Realism: The ability to create and experiment with attacks originating from various mixes of countries, using a range of preset and custom attacks to target multiple layers and components of your mitigation process. Traditional testing typically includes flooding targets with traffic that appears to come from a single device. More advanced traffic generation must be used to simulate multiple devices with unique IP or MAC address originating from a custom mix of countries.
- Scale: Simulators must generate multi-terabit per second attacks that either launch all at once or ramp slowly to avoid detection.
- Repeatability: The most critical aspect of any worthwhile test process, admins must repeat tests as they compare solutions and tweak configurations to see how far changes move the needle.
- Ease of use: Or people won’t do it. Period.
With these criteria in mind, Apposite developed DDoS Storm for expanded cybersecurity testing using Netropy traffic generators. DDoS Storm lets manufacturers, providers, and enterprise IT teams simulate and evaluate monitoring, detection, and DDoS mitigation—within minutes—using a fast, five-step process:
STEP 1: Configure an Attack and Target
Users configure DDoS Storm to act as the attacker (using one port) or both the attacker and target (two ports). One or multiple targets can include firewalls, routers, DNS or web servers, or DDoS mitigation services and features related to eCommerce portals.
STEP 2: Configure the Bot
Thorough testing requires generating traffic from specific regions. Administrators can use DDoS Storm’s interactive world map to specify the makeup of an attack, defining when, where, and how many devices will be contained in the bot used to launch the campaign.
STEP 3: Configure Load Profile
Attack profiles specify the percentages of traffic coming from each region and whether the attack loads all at once or ramps slowly over time. Attacks can be launched against actual devices (simply type in the real target IP address) or DDoS Storm can simulate target devices to avoid disrupting production defenses—or, in evaluating prospective new solutions prior to purchase.
STEP 4: Configure your Attack
Last but not least, select which layers to target. Testers can drag and drop to select one layer or a mix of Layer 2, 3, and 4-7 traffic. The Apposite test library features 128 pre-defined attack variations.
Typical Attack Summary
STEP 5: Evaluate your Results
Here, you’ll see how many packets were sent and received by targets with graphs illustrating packets per second (PPS), throughput, and latency for each attack stream. If all the simulated DDoS packets were identified and dropped, defenses are working effectively. If too many packets reach the target, devices or configurations may be updated and tested again.
Don’t Transform without Testing your DDoS Mitigation
Today’s hybrid infrastructures weather constant change. Moving services to and from the cloud creates new availability zones, new geographic target locations, and often exposes infrastructure temporarily without adding sufficient protection. Accelerated digital transformation continues to make cybersecurity—and flagging old standbys like DDoS in particular—everyone’s job.
DDoS Storm makes the job easy.
