Distributed denial-of-service (DDoS) attacks have become more common, more powerful, and more useful to attackers. Here's how to fight back.
On the flip side of the proliferation of Internet of Things (IoT) devices, the quest for increased connectivity and bandwidth (think 5G) and skyrocketing cloud adoption, IT is increasingly being weaponized to unleash cyberattacks in an unprecedented order of magnitude. Coupled with the emergence and anonymous nature of both the Dark Web and cryptocurrencies, illicit transactions have never been easier or more convenient. Distributed denial-of-service (DDoS) attacks have become more common, more powerful, and more useful to attackers. They have advanced from mere botnet-based approaches to artificial intelligence (AI) and data-driven models.
Scholars at the University of Cambridge last year published a research note describing how they used data science to shed light on criminal pathways and ferret out the key players linked to illegality in one of the biggest and oldest underground forums. Perhaps surprisingly, they found that most cybercrime is committed by people who aren't technical geniuses. Many of them offer so-called "booter" services — basically, they're hired DDoS guns — and they have become so widespread that they even include school-age children.
While not all of these attacks are spotlighted in the media, they cause significant financial blowback for companies in the form of paid-out ransoms, business downtime, lost revenue, and reputational losses, among other costs. This havoc is perpetrated by the members of a busy underground economy where cyberattack services are traded and monetized.
Attacks on the Rise
Europol's "Internet Organised Crime Threat Assessment 2019" report outlines how DDoS attacks are among the biggest threats reported in the business world. The favorite DDoS targets of criminals in 2019 were banks and other financial institutions, along with public organizations such as police departments and local governments. Travel agents, Internet infrastructure, and online gaming services were also in the cybercriminals' crosshairs. Some arrests were made, but they had no noticeable impact on the growth rate of DDoS attacks or on the Dark Web infrastructure that makes them possible, according to Europol.
While many DDoS attacks go unreported and unnoticed, some are making the news. In October, a major DDoS attack roughly eight hours long struck Amazon Web Services (AWS), making it impossible for users to connect because AWS miscategorized their legitimate customer queries as malicious. Google Cloud Platform experienced a range of problems at about the same time, but the company says the incident was unrelated to DDoS. A few weeks earlier, a number of DDoS attacks crippled an ISP in South Africa for an entire day.
Everybody Is Vulnerable
Interestingly, it's not just legitimate organizations that are plagued with DDoS attacks. Anyone familiar with Dark Web market listing service will know that markets are usually listed with an "uptime," with the main reason for any downtime being DDoS attacks.
These hidden services are open to DDoS attacks because of certain characteristics of the Tor browser, which is commonly used to access the Dark Web. Earlier this year, the three biggest Dark Web markets all suffered serious and extended DDoS attacks. The operators of Dream Market were reportedly taken for $400,000, which illustrates that even the criminals are vulnerable to attacks by DDoS extortionists.
APIs Move into the Spotlight
But the DDoS problem is moving beyond infrastructure. As part of their digital strategy, many organizations are turning to cloud-native applications, and — as part of the Fourth Industrial Revolution — manufacturing, logistics, and utility companies are equipping their production lines, warehouses, factories, and other facilities with wireless connectivity and sensors. Each of these require an API in order to work.
However, while APIs simplify architecture and delivery, they can also become bottlenecks that open up companies to a spectrum of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations related to the business and initiates a chain reaction. Thus, simply protecting OSI layers 3/4 is no longer sufficient; layer-7 attacks create more damage with less total bandwidth.
Job #1: Building Cyber Resilience
In digital business, there is no room for outages. That's why organizations of all sizes must do everything they can to safeguard the resilience, integrity, and uptime of their digital platforms and services. As network bandwidth and computing power multiply, they enable black hats to leverage the increased resources to launch more powerful attacks. DDoS against national infrastructure networks can wreak major real-life havoc and shut down access to the services that grease the wheels of our economy and society. The US Department of Homeland Security (DHS) reports that in the past five years the size of attacks has increased by a factor of 10, and that "it is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale."
Upgrading the Arsenal
The increase in attack frequency, added risk of APIs, and cost of downtime have combined to create a threat greater than the sum of its parts. This evolution of the threat landscape necessitates a similar evolution in defense methods. An organization would be naive to think that the preparedness posture that worked a decade ago can still work unchanged against modern threats.
"To address the increased frequency of attack, a modern defense must be efficient," says Andrew Shoemaker, a DDoS veteran and founder of NimbusDDoS, a pen-testing provider that vets DDoS mitigation solutions. "This means embracing automated mitigation approaches, and moving away from slow manual processes," he adds. "Manual approaches may have been effective in the past when an organization was only attacked a few times per year, but the administrative burden of manual mitigation becomes overwhelming when attacks are happening monthly or weekly."