Protecting against DDoS attacks requires more than just deploying mitigation products

By: Sergei Penchuk

DDoS attacks are on the rise. The COVID-19 pandemic forced our school, work, and social lives to go online. As a result, DDoS attacks grew significantly in 2020 compared to 2019. In fact, there were almost twice as many DDoS attacks in Q1 2020 as there were in Q1 2019. And Cisco predicts that the total number of DDoS attacks will double from the 7.9 million seen in 2018 to over 15 million by 2023. In addition, RDDoS (Ransom DDoS) is correlated with the rise in the Bitcoin price that occurred at the end of 2020 and the beginning of 2021. A large number of organizations received an extortion note and were then attacked with DDoS for not paying.

The size and length of attacks are evolving

But it’s not just the number of DDoS attacks that matters. The type of attacks and the size of the botnets are also evolving. A Distributed Denial of Service attack of one gigabit per second is enough to knock most organizations off the internet, but we’re now seeing peak attack sizes in excess of one terabit per second, generated by hundreds of thousands or even millions of suborned devices.
The average attack now lasts 24% longer.
The maximum attack length has jumped by 264%.
The number of DDoS attacks over 100 GB/s in volume increased by 776%.

Modern DDoS attacks are smart, using multi-vector attacks more frequently

A growing number of attackers are using multi-vector DDoS attacks, combining different DDoS attack methods into one repetitive attack.
An attacker may start with NTP, then switch to a DNS reflection attack, then switch to a SYN Flood for good measure. Sometimes they layer different vector types, and sometimes they just vary the attack vector itself in an attempt to evade detection. Multi-vector attack rates are often additive in terms of bandwidth and packet rate. By dynamically and automatically changing parameters and vectors in response to the cyber-defenses they encounter, cybercriminals make it much more difficult to mitigate, or even detect, their attacks in the first place.
According to Kaspersky Lab’s statistics, the share of smart attacks is growing from quarter to quarter.
In Q1 2020, only 37.5% of attacks were smart.
In Q4 2020, 44.29% of attacks were smart.
In Q1 2021, 46.6% of attacks were smart.
It is also clear from the data that smart attacks last longer than regular DDoS attacks.

DDoS attack categories

DDoS attacks are classified into the following categories:
Volumetric attacks – this is the least sophisticated type of attack. Essentially, it uses high traffic volume to flood the network bandwidth. These attacks typically include UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and its magnitude is measured in bits per second (bps). This type of attack is usually handled at the ISP, CDN, or Cloud Service provider level.
Protocol (or infrastructure) attacks – this type of attack focuses on exhausting server or network component resources. The attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and its magnitude is measured in packets per second (PPS). These attacks are also handled by the ISP, CDN, or Cloud Service provider, but also with on-premise appliances. The level of sophistication is much higher than for Volumetric attacks.
Application attacks – these attacks focus on web applications and are considered the most sophisticated and serious type of attack. They include low-and-slow attacks, GET/POST floods, and more. Application attacks use the logic of the application to saturate one of the main resources (CPU, RAM, storage, or network) of any component in the chain. Consisting of seemingly legitimate and innocent requests, the goal of these attacks is to crash a component such as the database, and their magnitude is measured in requests per second (RPS). These are the most sophisticated attacks, requiring off-the-shelf products such as on-premise appliances and WAFs, but also relying heavily on the expertise of the implementation team.
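The following is an added illustration, not code from the article or from any product it mentions: it scores constructed per-second traffic records against the three metrics the categories above are measured in (bps, PPS, RPS) and reports both which category each second falls into and how often the dominant vector switches, which is how the layered, vector-hopping behaviour described earlier shows up in telemetry. The thresholds and sample records are assumptions chosen for the example; in practice they come from a site's own baseline.

```python
"""Categorise per-second traffic samples by the metric each DDoS category is measured in.

Volumetric  -> bits per second (bps)
Protocol    -> packets per second (PPS)
Application -> HTTP requests per second (RPS)
"""

# Assumed per-deployment thresholds (not from the article): what "abnormal" means here.
THRESHOLDS = {
    "volumetric_bps": 2_000_000_000,   # 2 Gbps
    "protocol_pps": 1_000_000,         # 1 Mpps
    "application_rps": 50_000,         # 50k HTTP req/s
}

# Constructed sample: one record per second, as a flow collector or web-log aggregator
# might export it. 'vector' is the dominant traffic type observed in that second.
SAMPLE = [
    {"t": 0, "vector": "NTP",  "packets":   600_000, "bytes":   400_000_000, "http_requests":    200},
    {"t": 1, "vector": "NTP",  "packets": 1_100_000, "bytes":   520_000_000, "http_requests":    210},
    {"t": 2, "vector": "DNS",  "packets":   700_000, "bytes": 2_100_000_000, "http_requests":    190},
    {"t": 3, "vector": "DNS",  "packets":   650_000, "bytes": 2_000_000_000, "http_requests":    205},
    {"t": 4, "vector": "SYN",  "packets": 3_500_000, "bytes":   210_000_000, "http_requests":    198},
    {"t": 5, "vector": "HTTP", "packets":   400_000, "bytes":   120_000_000, "http_requests": 90_000},
]


def metrics(rec):
    """Derive the three per-second metrics from one record."""
    return {
        "volumetric_bps": rec["bytes"] * 8,
        "protocol_pps": rec["packets"],
        "application_rps": rec["http_requests"],
    }


def classify(rec, thresholds=THRESHOLDS):
    """Categories whose metric exceeds its threshold in this second (several = layered vectors)."""
    m = metrics(rec)
    return sorted(key.split("_")[0] for key in thresholds if m[key] > thresholds[key])


def timeline(records, thresholds=THRESHOLDS):
    """Per-second (time, vector, categories) so vector hopping is visible at a glance."""
    return [(r["t"], r["vector"], classify(r, thresholds)) for r in records]


def vector_switches(records):
    """Count how often the dominant vector changes between consecutive seconds."""
    return sum(1 for prev, cur in zip(records, records[1:]) if cur["vector"] != prev["vector"])


if __name__ == "__main__":
    for t, vector, cats in timeline(SAMPLE):
        print(f"t={t}s vector={vector:<4} categories={cats}")
    print("vector switches:", vector_switches(SAMPLE))
```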

DDoS mitigation solutions require more than just a set and forget approach

Although Volumetric attacks can be mitigated by simply buying and enabling a mitigation solution, Protocol/Infrastructure and Application attacks depend far more on how the solutions are configured, how the network is set up, and other such factors. This means that the expertise of the security team implementing these solutions plays a larger role in the effectiveness of the solution. It is therefore not a “boolean” on/off matter of enabling a mitigation solution or not, but rather a “resiliency spectrum”. This also means that to stay protected, you will constantly need to check your current resiliency to DDoS attacks by simulating these attacks through a DDoS Simulation Platform.

How the DDoS simulation works

D.Storm, for example, offers a broad range of DDoS attack types that can be conducted in an automated and controlled manner. Using over 20,000 attack bots distributed across different countries and continents, the system simulates an attack using over 20 out-of-the-box attack types, including Volumetric, Protocol/Infrastructure, and Application attacks. The bots are able to fully simulate real browsers, which means that they are practically indistinguishable from legitimate users. Following the simulation, the system collects attack information from the bots and presents it to the user for in-depth analysis.
The objective is to identify the weak points and vulnerabilities in the client’s infrastructure through hacking methods. This approach allows the client to mitigate its cyber risk exposure and take corrective action to be able to withstand potential DDoS attacks against its sensitive and strategic assets.

Ongoing testing is required

Network and application environments are always changing. A change in a component may cause degradation in the DDoS resiliency of the entire environment. For this reason, it is important to run periodical DDoS attack simulations, to check that you are protected at all times, even after changes have been introduced.

Summary

As we’ve seen, protecting against DDoS attacks is not as simple as “plugging in” a solution and then forgetting about it. DDoS protection combines solutions and expertise, which means that DDoS resiliency testing through a DDoS simulation platform becomes a crucial component.
