Distributed Denial of Service (DDoS) attacks are a significant threat to any organization. The Internet has become a core part of how we conduct business in the modern world, and an organization’s website is often the primary means by which customers interact with the business. Denial of Service attacks threaten that direct link with the customer by deliberately overwhelming web resources with spam traffic, forcing them offline. This can have a significant impact on an organization’s ability to do business and on its bottom line.

The threat of DDoS attacks is a growing one. New technologies like cloud computing and the Internet of Things (IoT) make DDoS attacks easier to perform since computational resources can be leased at affordable prices or collected into botnets by exploiting poor IoT security.

DDoS attacks are also an important threat to businesses since anyone can be the target of an attack. The nature of the attack and the volume of traffic that these services produce mean that DDoS protection solutions are the only way to ensure that a business’s critical web services will remain available to customers.

The Traditional DDoS Attack

Distributed Denial of Service (DDoS), even massive ones are nothing new. Cloud computing, vulnerable IoT devices, and other factors make it possible for attackers to create large botnets of attackers. As a result, it’s possible for attackers to create massive DDoS attacks designed to overwhelm target systems.

In a DDoS attack, the goal of the attack is to exhaust the target’s resources by sending it more data than it can handle. This is typically accomplished by sending a large number of extremely large packets to the target. Since the overall volume is what matters to an unprotected system, even a low number of packets can do the job.

Traditional attacks also commonly make use of amplifiers. These are protocols or systems that allow the attacker to send a small request and have a much larger response sent to the target. Common amplifiers include DNS and Memcached. In a DNS amplification attack, the attacker makes a DNS request and spoofs their address to that of the target. The response from the DNS server (which is then sent to the target) is larger than the request, amplifying the impact of the attack.

An important aspect of amplifiers is that they use a certain protocol, meaning that the attack traffic generally comes from a set port. This factor makes this type of attack easier to detect and prevent.

How DDoS is Changing

Already in 2019, the shape of the DDoS threat landscape is changing. Attackers know how common DDoS protections work and how to bypass them. As a result, the sources and the consistency of DDoS attack traffic is changing.

In 2019, an increased amount of “bit and piece” DDoS attack traffic was detected. In these types of attacks, the hacker uses a large variety of attacking computers to perform the DDoS, each of which provides a smaller chunk of the attack traffic. Since each computer has its own IP address, it’s more difficult to block this type of attack using IP-based blocking rules and other standard protections. These attacks also demonstrated a growing level of sophistication and automation with regard to coordination of the various attacking computers.

Another trend detected in 2019 is a change in the consistency of DDoS attack traffic. In the past, attacks commonly consisted of a smaller (but still large) number of extremely large packets originating from similar ports (due to use of an amplifier). These packets are easier to detect and block (i.e. by filtering the port used by the amplifier).

In 2019, several large-scale DDoS attacks were detected that flipped the packet size/number relationship. These attacks used massive amounts of smaller packets that originated from a variety of different source ports (since an amplifier wasn’t needed to create those large packet sizes). This type of attack is much harder to detect and block than the traditional one since the attacking traffic looks much more like legitimate traffic.

Impacts on DDoS Protection

These new tactics in DDoS attacks make detecting and protecting against this type of attack much more difficult. Many of the traditional DDoS protection systems are designed to detect the features of the “old” style of DDoS attacks. Attackers that use a variety of different IP addresses and focus on packet rate rather than packet size may be capable of slipping past the majority of these DDoS protection systems. When shopping for a DDoS prevention system, it’s important to ensure that the product you choose has the ability to detect and protect against this new class of DDoS attacks.

The importance of including DDoS protections as part of your cyber defense strategy cannot be overstated. DDoS attacks are becoming increasingly easy to launch and are publicly available via DDoS for hire services (which doubled in number between Q4 2018 and Q1 2019). Distributed Denial of Service attacks can be affordably launched by anyone and can have a significant impact on an organization’s ability to operate, meaning that a single disgruntled employee or customer can bring a business to its knees. 

With the growing importance of the Internet in the modern age of business, investing in a modern DDoS protection system is a vital part of any business’s cyber defense strategy.