Distributed Denial of Service (DDoS) attacks are on the rise, with the second half of 2021 showing a 43% increase in attacks since the first half of the same year. The Microsoft Digital Defence Report for 2022 shows that so far in 2022 Microsoft have mitigated nearly 2000 DDoS attacks each day. This report also shows the trends in DDoS attack frequency from March 2021 to May 2022. Large peaks are seen over the summer holidays in August, and in the October to December holiday period, with a smaller peak seen around springtime holidays in March. In previous years the October to December holiday period has shown an even greater increase in DDoS attacks. This is likely due to the increase in legitimate traffic in holiday times that can help mask attackers while the attack is in progress.
There are three main types of DDoS attack; volumetric attacks, protocol attacks, and resource layer attacks.
- Volumetric attacks use a high traffic volume to take down target websites, an example of this is domain name server (DNS) amplification attacks. This uses open DNS servers to flood their target with DNS response traffic. These kinds of attack work because the DNS query sent by the attacker is small while the DNS response sent to the victim’s network is much larger.
- Protocol attacks instead cause a service disruption through exploitation of weaknesses in the layer 3 and layer 4 protocol stack. This can consume all of a server’s resources, leaving it unavailable to perform regular tasks, such as through a SYN attack. A SYN attack works by initiating many TCP/IP connection requests but never completing the three-way handshake used to establish a normal TCP/IP session. As a result, the server allocates more and more resources to listen for responses which never arrive until it eventually runs out of memory or hits other limits.
- A resource layer attack, also called an application attack, doesn’t target the site or the server, and instead targets the web application packets to disrupt the transmission of data between hosts. This is often performed through layer 7 attacks such as HTTP protocol violations, SQL injections, and cross-site scripting (XSS).These three types of DDoS attack can be performed in isolation, however attackers often combine them in order to have a greater impact on their target.
Financially motivated DDoS attacks are not uncommon, with attackers demanding payment from their victims, essentially holding the functionality of their service for ransom rather than exfiltrated data. However, DDoS attacks can also be used as a distraction tactic for other attacks such as malware insertion or data exfiltration, which can be combined to demand a higher pay out from their victims. The combination of DDoS attacks and other cyber crimes such as ransomware are also being seen, which are referred to as triple extortion ransomware attacks. Recently vulnerabilities have been exploited on some ecommerce platforms in order to inject trojan malware onto the target site. The prevalence of all cyber crime is increasing with the introduction of many as-a-service models, where less sophisticated criminals can pay to use pre-designed cyber attacks that would be otherwise out of their technical skill set. DDoS attacks can be conducted in this way with DDoS subscription services being found in cybercriminal communities, and more advanced techniques emerging such as AI-based attacks.
In November last year, Microsoft’s Azure DDoS Protection Team mitigated one of the largest DDoS attacks ever recorded, spanning multiple countries and performed by a botnet with approximately 10,000 source devices. This attack also showed an increased bandwidth compared to other large DDoS attacks, with a throughput of 3.4 Tbps (terabits per second), whereas other attacks are considered high volume at 2 Tbps. The peak traffic recorded by Microsoft when mitigating DDoS attacks this past year was 16.3 million requests per second, and 9.89 Tbps. Attackers like to perform DDoS attacks in the holiday season due to the already increasing traffic to their target websites, which makes detecting DDoS bots a harder task as they are hidden by the increase in legitimate traffic.
Planning and preparation is needed in advance in order to best protect yourself from a DDoS attack and developing a denial-of-service defence strategy is key part of this. Once an attack is underway, it is too late to prepare. The NCSC (National Cyber Security Centre), a branch of GCHQ in the UK, offer an example response plan to help strategize your response in the event of an attack. It is also important to test these defences running attack simulation. This can give you a good picture of how your business will respond in the event of a real attack by testing the roles assigned to staff as well as any mitigation software you have in place, helping you to identify any gaps in your defences. In response to testing it is important to fix any identified weaknesses that could put you at risk in the event of an attack as soon as possible.
Monitoring the normal traffic of your sites, servers, and applications can make DDoS attacks easier to identify, even in peak times such as the holiday period. A DDoS protection service can aid with this, through monitoring of web traffic based on expected thresholds. These services can also be configured to send alerts and can mitigate suspected attacks in real time. As is always the case when mitigating the risk of cyber attacks, keeping all software up to date prevents attackers from exploiting unpatched vulnerabilities. This is especially important for known exploited vulnerabilities, which can be kept track of by using CISA’s (Cybersecurity and Infrastructure Security Agency, a branch of the US Government) Known Exploited Vulnerabilities Catalogue, or by setting up system alerts such as the Microsoft 365 Defender Vulnerability Notification service. The NCSC advise that updates including security patches are applied regularly, and that even when automatic updates are turned on that you continue to monitor the software to determine if any additional updates need to be applied manually.