Cybersecurity Awareness Month: DDoS
Due to their technical complexity and often ambiguous motives, DDoS attacks can be described as unpredictable and volatile, even lawless. Since the principal objective of these attacks is to create disorder, it is difficult to predict who the potential victims will be. One thing is certain: they are no longer the mere low-level annoyance we once considered them to be.
An 865% increase in attack magnitude within little more than a year is, by itself, a clear indication of how grave the issue has become.
DDoS (Distributed Denial of Service): The disruption of the regular functioning of a network, service, or website by overwhelming it with a flood of traffic, rendering it inaccessible.
Over August 28th and 29th of this year, Amazon Web Services, Cloudflare, and Google Cloud independently observed a powerful HTTP/2-based distributed denial of service attack, known as a Rapid Reset attack, whose magnitude was larger than that of any attack ever recorded. An Internet-wide security vulnerability, namely a bug[1] in the HTTP/2 protocol, was exploited by the perpetrators to flood cloud and Internet infrastructure providers with waves of traffic peaking at 201 million rps (requests per second) as observed by Cloudflare, and an astonishing 398 million rps as observed by Google, each wave lasting only a few minutes. The source of the attack is unknown, as is any tangible motivation or impact.
February 2023 marked the previous record, with dozens of attacks detected and mitigated by Cloudflare, the majority of which peaked in the ballpark of 50-70 million rps. That came not long after the hitherto largest attack on record, in June 2022, at 46 million rps.
The motives behind DDoS attacks can seem unclear. Considering the countless incidents lacking any specific objective, the assumption can easily be made that attackers arbitrarily select their targets (often large enterprises) “just because they can.” This can lead to confusion as to how to approach the issue, which, after all, is of a relatively complex nature.
Nevertheless, these attacks are seldom carried out without any agenda whatsoever. They are often used as:
A diversion technique: Distributed Denial of Service may be used to distract from a more serious cyberattack. With the victim using its efforts and resources in the attempt to mitigate the initial attack, the threat actor hopes to gain sufficient time to infiltrate its network and carry out other malicious activity.
A way to gain competitive advantage: By disabling a rival’s services, a competing organisation is able to gain significant advantage such as market share, when attacking e-commerce during peak seasons, for instance. Other effects include negative SEO, loss of business and revenue, market uncertainty, for example shortly before a product launch, and disruption of online advertising.
A political or ideological statement: DDoS attacks are increasingly motivated by political agenda, ideological convictions, and activist movements. This is known as Hacktivism, and is exploited by individuals and organisations to convey a message, by disrupting government, corporate, and other operations on a large scale.
A method for extortion: The attacker may use this type of threat as an attempt to extort money from their victim, in exchange for stopping the attack, or not launching it in the first place.
This is becoming increasingly evident as a motive, as the number of Ransom DDoS attacks is rising. Unlike Ransomware attacks, Ransom DDoS attacks bypass the need for system intrusion and deceptive strategies such as phishing, making them easier and cheaper to execute.
Regardless of the motive, these attacks can cause severe disruption and damage to networks, services, or websites, often leading to significant financial losses (such as lost revenue), reputational damage due to user inconvenience, infrastructure damage, hardware failures, and performance degradation. In addition, it is often impossible to identify the source of the attack, making it unlikely that the responsible parties will be brought to justice.
How do they work?
Let us take the example of the Rapid Reset attack. In this incident, the threat actors exploited a zero-day vulnerability in the HTTP/2 protocol, which is essential to the efficient operation of the Internet and most websites. The protocol dictates how browsers interact with a website, for example by allowing a user to make multiple different requests at once, such as viewing images, text and videos on any website, no matter how complex, without delay. In other words, it reduces page loading times, improving user experience and enhancing the overall efficiency of web communication.
In a Rapid Reset attack, the perpetrator will automate the process of making hundreds of thousands, if not millions of requests at once, then immediately cancelling them. This “request, cancel, request, cancel” pattern on such a large scale overwhelms websites with false traffic, and is capable of disabling services of anything that uses HTTP/2, which is about 60% of all web applications.
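The mitigation that HTTP/2 server vendors converged on after Rapid Reset is to treat the "request, cancel" pattern itself as the signal: count how many streams a client opens and then immediately resets on a single connection, and close that connection once the count exceeds a budget within a short window. The following detector is an added example, not code from any vendor or from the original post. The frame events, the 100-resets-per-second budget and the stream lifecycle model are constructed for illustration; real servers apply the same idea inside their HTTP/2 frame handling.

```python
"""Added example: per-connection detector for the HTTP/2 'request, cancel' pattern.

A connection is modelled as a sequence of (timestamp, stream_id, frame) events.
The client opens a stream with HEADERS, cancels it with RST_STREAM, and the
server closes it normally with a frame carrying END_STREAM (abbreviated here).
The detector counts client-initiated resets of still-open streams inside a
sliding window and flags the connection once the budget is exceeded.
Thresholds are assumed values, not taken from any vendor's implementation.
"""
from collections import deque
from dataclasses import dataclass, field

HEADERS = "HEADERS"        # client opens a stream (one request)
RST_STREAM = "RST_STREAM"  # client cancels the stream
END_STREAM = "END_STREAM"  # stand-in for the server's final frame; stream closes normally


@dataclass
class ConnectionState:
    """Tracks open streams and recent client-initiated resets on one connection."""
    window_s: float = 1.0    # sliding window length in seconds (assumed)
    max_resets: int = 100    # resets tolerated per window (assumed)
    open_streams: dict = field(default_factory=dict)   # stream_id -> open time
    reset_times: deque = field(default_factory=deque)  # timestamps of counted resets
    reset_count: int = 0
    abusive: bool = False

    def on_frame(self, t: float, stream_id: int, frame: str) -> bool:
        """Feed one frame; returns True once the connection should be closed."""
        if self.abusive:
            return True
        if frame == HEADERS:
            self.open_streams[stream_id] = t
        elif frame == END_STREAM:
            self.open_streams.pop(stream_id, None)
        elif frame == RST_STREAM:
            # Only resets of streams the client opened and then abandoned count:
            # that is the work the server started and was never paid back for.
            if stream_id in self.open_streams:
                del self.open_streams[stream_id]
                self.reset_count += 1
                self.reset_times.append(t)
        # Slide the window forward: forget resets older than window_s
        while self.reset_times and t - self.reset_times[0] > self.window_s:
            self.reset_times.popleft()
        if len(self.reset_times) > self.max_resets:
            self.abusive = True
        return self.abusive


def replay(events, window_s=1.0, max_resets=100):
    """Run (t, stream_id, frame) tuples through a fresh ConnectionState.

    Returns the final state and the timestamp at which the connection was
    first flagged, or None if it never was.
    """
    conn = ConnectionState(window_s=window_s, max_resets=max_resets)
    flagged_at = None
    for t, sid, frame in events:
        if conn.on_frame(t, sid, frame) and flagged_at is None:
            flagged_at = t
    return conn, flagged_at


def normal_client(n=50):
    """Constructed sample: n requests, 20 ms apart, each answered normally."""
    events = []
    for i in range(n):
        sid, t = 2 * i + 1, i * 0.02
        events.append((t, sid, HEADERS))
        events.append((t + 0.01, sid, END_STREAM))
    return events


def rapid_reset_client(n=500):
    """Constructed sample: n requests, 1 ms apart, each cancelled 0.1 ms after opening."""
    events = []
    for i in range(n):
        sid, t = 2 * i + 1, i * 0.001
        events.append((t, sid, HEADERS))
        events.append((t + 0.0001, sid, RST_STREAM))
    return events


if __name__ == "__main__":
    for name, events in (("normal", normal_client()), ("rapid-reset", rapid_reset_client())):
        conn, when = replay(events)
        print(f"{name}: counted resets={conn.reset_count} abusive={conn.abusive} flagged_at={when}")
```

Note that the budget is per connection, not per IP: a Rapid Reset flood works precisely because one connection can carry hundreds of thousands of cheap cancellations, so an aggregate rate limit on connections or on completed requests never sees it. A short window also matters, since the attacks described above last minutes or less.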
A more commonly known way of executing a DDoS attack is with the help of a botnet. A large number of devices, be it individual computers or servers, often referred to as “bots” or “zombies,” are infected with malware, allowing the perpetrator to gain control over them. This network of compromised devices is referred to as a “botnet.” The attacker can now remotely control the collective power of said botnet to send a vast volume of requests or data to the target server or network, overwhelming its resources with a flood of traffic. The victim’s services become slow or unresponsive, resulting in legitimate users being unable to access them.
A botnet can also consist of the interconnected devices in the possession of an individual, which we collectively call the Internet of Things (IoT). This may include your home computer, smartphone, smartwatch, smart TV, digital personal assistants like Alexa and Siri, and connected home appliances such as your speakers, thermostat, and even your refrigerator. These devices are regularly used to launch DDoS attacks, a practice that has even expanded into cyber warfare.
What makes these attacks particularly difficult to combat is that they often last only a few minutes or even seconds, which, as Cloudflare states in its DDoS Threat Report for Q2 2023, “does not give a human sufficient time to respond. Before the PagerDuty alert is even sent, the attack may be over and the damage done. Recovering from a DDoS attack can last much longer than the attack itself, just as a boxer might need a while to recover from a punch to the face that only lasts a fraction of a second.”
The number of DDoS attacks is rising steadily, with nearly 7.9 million incidents recorded in H1 2023, a 31% year-over-year increase, according to Netscout’s DDoS Threat Intelligence Report. To prevent and mitigate them, numerous tactics can be adopted together, namely investing in cloud-based DDoS protection, developing a mitigation strategy, implementing rate limiting for incoming traffic, using firewalls, and many more. First and foremost, however: staying informed, training employees, and developing an incident response plan.
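Of the tactics listed above, rate limiting for incoming traffic is the one most easily shown in code. The block below is an added example (not code from the original post or from any named product) of a per-source token bucket replayed over a constructed access log: each source gets a bucket that refills at a steady rate, a request is admitted only when a token is available, and the sources that keep being refused are reported so an operator can escalate. The log format, the IP addresses, and the bucket size and refill rate are all constructed assumptions.

```python
"""Added example: per-source token-bucket rate limiting over a constructed log.

Each source address gets a bucket holding at most `capacity` tokens that
refills at `refill_rate` tokens per second. Admitting a request costs one
token; a source that sends faster than the refill rate is throttled to it
after its initial burst. Values and log lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float     # maximum burst a source may send at once
    refill_rate: float  # tokens added per second
    tokens: float       # tokens currently available
    last: float         # timestamp of the last update

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then consume one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per source; counts admitted and dropped requests per source."""

    def __init__(self, capacity: int = 10, refill_rate: float = 5.0):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets: dict[str, TokenBucket] = {}
        self.admitted: dict[str, int] = defaultdict(int)
        self.dropped: dict[str, int] = defaultdict(int)

    def check(self, src: str, now: float) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:  # a new source starts with a full bucket
            bucket = TokenBucket(self.capacity, self.refill_rate, float(self.capacity), now)
            self.buckets[src] = bucket
        if bucket.allow(now):
            self.admitted[src] += 1
            return True
        self.dropped[src] += 1
        return False


def parse_line(line: str):
    """Parse the constructed log format: '<timestamp> <src_ip> <METHOD> <path>'."""
    ts, src, method, path = line.split()
    return float(ts), src, method, path


def apply_limits(lines, capacity: int = 10, refill_rate: float = 5.0):
    """Replay log lines through the limiter; returns (admitted, dropped) per source."""
    limiter = RateLimiter(capacity, refill_rate)
    for line in lines:
        t, src, _, _ = parse_line(line)
        limiter.check(src, t)
    return dict(limiter.admitted), dict(limiter.dropped)


def offenders(dropped: dict, min_drops: int = 100):
    """Sources whose dropped-request count is high enough to escalate (assumed threshold)."""
    return sorted(src for src, n in dropped.items() if n >= min_drops)


# Constructed sample traffic: a well-behaved client at 2 req/s and a flooding
# source at 100 req/s, both for 10 seconds. Timestamps are whole or half seconds
# so the arithmetic below is exact.
SAMPLE_LOG = sorted(
    [f"{i * 0.5:.3f} 203.0.113.7 GET /index.html" for i in range(20)]
    + [f"{i // 100:.3f} 198.51.100.9 GET /search?q=x" for i in range(1000)],
    key=lambda line: float(line.split()[0]),
)

if __name__ == "__main__":
    admitted, dropped = apply_limits(SAMPLE_LOG)
    print("admitted:", admitted)
    print("dropped:", dropped)
    print("escalate:", offenders(dropped))
```

With a bucket of 10 and a refill of 5 per second, the flooding source gets its initial burst of 10 and then 5 requests per second (55 admitted out of 1,000), while the 2 req/s client is never touched. The caveat a practitioner should keep in mind is that per-source limits only help against sources that individually exceed the rate: a botnet of the kind described above spreads the load over thousands of devices that each stay under the limit, which is why the list above pairs rate limiting with upstream, cloud-based protection rather than relying on it alone.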
[1] Referring to the vulnerability identifier CVE-2023-44487