
What Is a Distributed Denial of Service (DDoS) Attack?

Shireen Stephenson, Published July 11, 2024

As geopolitical tensions rise, threat actors are weaponizing Distributed Denial of Service (DDoS) attacks to disrupt ecommerce and critical services. 

DDoS attacks spiked in Q1 2024, prompting 78% of SMBs to worry that an attack could shut down their business. 

According to the 2023 Comcast Business Cybersecurity Threat report, SMBs are predominant targets because few have in-house DDoS mitigation capabilities.  

Below, we’re going to reveal exactly how you can protect your business against the devastating losses and reputational damage from a DDoS attack. 

Understanding DDoS Attacks 

Definition of DDoS attack 

First, what is a distributed denial of service (DDoS) attack?

In a nutshell, it’s a large-scale, coordinated attack by an army of compromised computers against a single target system or server. 

Collectively, these compromised computers are called a botnet: a collection of malware-infected IoT (Internet of Things) devices.

Hackers control them remotely to overwhelm the target system’s bandwidth or memory with a massive amount of traffic. 

The goal is to create chaos and disrupt normal operations.  

How DDoS attacks work 

As mentioned, DDoS attacks are playing an increasing role in geopolitical conflicts. 

Hacktivist groups acting on behalf of warring nations are weaponizing DDoS attacks to achieve military objectives. For example, Crimea — a point of tension between Russia and Ukraine — continues to grapple with DDoS-related internet disruptions.

Meanwhile, both pro-Palestinian and pro-Israeli hacktivist groups continue to perpetrate DDoS attacks against each other’s critical infrastructure.

DDoS attacks differ in methodology:

  • Bit-intensive DDoS attacks target network bandwidth. The goal is to exhaust the available bandwidth, making it impossible for legitimate users to access services. 
  • Packet-intensive DDoS attacks overwhelm the processing capacity of network devices like routers, firewalls, and switches. A large number of packets are sent, causing the devices to become unresponsive. 
  • HTTP-request intensive DDoS attacks target web servers and applications. A large volume of HTTP requests is sent within a short time, exhausting server capacity and making applications unavailable to legitimate users.

Common types of DDoS attacks 

The above attacks are three of the most common types of denial-of-service attacks. They can be further categorized based on which layer of the network stack they target. 

Volumetric attacks 

Volumetric attacks are primarily measured in bits per second (bps). However, they can also be quantified in packets per second (pps). During a volumetric attack, data packets overwhelm the available network bandwidth. 

In 2023, Akamai Technologies mitigated the largest volumetric attack ever launched in the Asia-Pacific region, with attack traffic peaking at 900.1 gigabits per second and 158.2 million packets per second. 

Examples of volumetric attacks include: 

  • UDP (User Datagram Protocol) floods. This occurs when attackers send an avalanche of UDP packets to random ports on the target system. If no listening applications are accepting packets, an ICMP “destination unreachable” packet must be sent back. The target system is overwhelmed when it must check the port of each incoming packet before issuing a response. 
  • ICMP (Internet Control Message Protocol) Ping floods. Server resources are overwhelmed when attackers send a large volume of ICMP Echo requests.
  • DNS amplification attacks. In this attack, attackers send DNS queries to public DNS servers with the spoofed IP address of the target. The DNS servers then send large DNS responses to the target, overwhelming it. DNS amplification attacks are a type of DRDoS (Distributed Reflection Denial of Service) attack.  

A DRDoS attack occurs when an attacker sends requests to multiple intermediate servers with the source IP address spoofed to the target’s address. The servers then direct their responses at the target, overwhelming its bandwidth or resources.

But, what’s the difference between DDoS and DRDoS? 

DRDoS attacks are indirect, involving intermediate servers that reflect and amplify the attack traffic. Meanwhile, DDoS attacks leverage botnets to directly overwhelm a target's bandwidth or resources. 

Protocol Attacks 

Protocol attacks are generally measured in packets per second (pps). 

Examples of protocol attacks include: 

  • SYN floods. A SYN flood is a TCP attack. It exploits the TCP handshake that establishes a connection between devices: a high volume of SYN requests is sent without ever completing the handshake, leaving half-open connections that tie up the server’s connection resources.
  • Ping of Death. Here, attackers send malformed or oversized ICMP packets to a server, causing it to crash. 
  • Smurf attacks. This occurs when attackers send a large volume of ICMP Echo reply packets to the target system.  
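One defender-side way to confirm the SYN flood described above is to look for a pile-up of half-open connections: sockets stuck in SYN-RECV that never progress to ESTAB. The Python script below is an added example, not code from the original post; it parses constructed `ss -tan`-style output (the sample rows, the port and the thresholds are made up for illustration) and flags local ports where half-open sockets dwarf established ones.

```python
import re
from collections import Counter

# Constructed `ss -tan`-style output (made up for this example, not from a
# real host): hundreds of half-open sockets on port 443 from scattered peers,
# next to a handful of healthy established sessions.
SAMPLE_SS = """State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB    0      0      10.0.0.5:443        203.0.113.9:40000
ESTAB    0      0      10.0.0.5:443        198.51.100.4:51122
ESTAB    0      0      10.0.0.5:22         198.51.100.4:51130
""" + "".join(
    f"SYN-RECV 0      0      10.0.0.5:443        192.0.2.{i % 250 + 1}:{20000 + i}\n"
    for i in range(400)
)

ROW_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")

def parse_ss(text):
    """Yield (state, local_port, peer_ip) per socket row; the header does not match."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        local_port = m.group("local").rsplit(":", 1)[1]
        peer_ip = m.group("peer").rsplit(":", 1)[0]
        yield m.group("state"), local_port, peer_ip

def half_open_report(text, max_half_open=200, max_ratio=5.0):
    """Flag local ports where SYN-RECV (half-open) sockets swamp ESTAB ones.

    A port is reported when half-open sockets exceed max_half_open and also
    outnumber established ones by more than max_ratio (assumed thresholds);
    SYNs that never finish the handshake are what a SYN flood leaves behind.
    Returns {port: {"half_open": n, "established": m, "distinct_peers": k}}.
    """
    half_open, established, peers = Counter(), Counter(), {}
    for state, port, peer in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers.setdefault(port, set()).add(peer)
        elif state == "ESTAB":
            established[port] += 1
    flagged = {}
    for port, n in half_open.items():
        est = established[port]
        if n > max_half_open and n > max_ratio * max(est, 1):
            flagged[port] = {"half_open": n, "established": est,
                             "distinct_peers": len(peers[port])}
    return flagged

if __name__ == "__main__":
    for port, s in half_open_report(SAMPLE_SS).items():
        print(f"port {port}: {s['half_open']} half-open vs {s['established']} "
              f"established, from {s['distinct_peers']} distinct peers")
```

On a live host, feed it the real output of `ss -tan` and compare the half-open count against your normal baseline rather than the sample thresholds.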

Application Layer Attacks 

HTTP request-intensive attacks disrupt services by sending a high volume of requests to web applications. They are notoriously difficult to detect because they simulate legitimate traffic.  

Application layer attacks are measured in requests per second (rps). 

Examples of application layer attacks include: 

  • HTTP floods or GET/POST floods, where a high volume of GET/POST requests is sent to the targeted web server. GET requests are requests for resources like images or files. Meanwhile, POST requests occur when forms are submitted on a website. 
  • HTTP/2 floods — also known as HTTP/2 CONTINUATION floods — which target the HTTP/2 protocol and involve the mishandling of CONTINUATION frames.  

When an HTTP/2 request is sent with a message that’s too long to fit within the initial headers frame, continuation frames are used until the entire message is sent. During an HTTP/2 CONTINUATION flood, the attacker sends a deluge of continuation frames in rapid succession. This quickly overwhelms the server’s resources. 

HTTP/2 CONTINUATION floods surpass anything we’ve seen in terms of HTTP/2 attacks. In 2023, Google’s DDoS Response Team stopped the HTTP/2 Rapid Reset attack from disrupting internet services. But, HTTP/2 CONTINUATION floods pose an even greater threat, with just one TCP connection or a single machine able to cause significant disruptions to critical services like banking and medical care.

  • Slowloris attacks exploit a weakness in how web servers handle HTTP GET requests. A massive number of HTTP requests are opened but deliberately left incomplete, so the server keeps each connection waiting. Slowloris attacks are difficult to detect because they use very little bandwidth to send these incomplete HTTP requests. 

Preventing and Protecting Against DDoS Attacks 

Methods for DDoS attack prevention 

There are several methods to prevent a distributed denial of service (DDoS) attack. These include: 

Importance of DDoS protection 

DDoS protection is essential for maintaining the availability of services you offer.  

Unprotected systems are vulnerable to prolonged downtimes, which can lead to significant revenue losses and damaged reputations.  

Best practices to defend against DDoS attacks 

Maintaining consumer access to your applications is a top priority. Below, we reveal the top four best practices for defending your business assets: 

  • Implementing a SIEM-SOAR-XDR solution: This helps you with incident detection, incident response, and extended threat detection across endpoints and cloud security platforms. 
  • Building secure cloud infrastructures: The AWS Well-Architected Framework helps you design secure, efficient, and sustainable systems. 
  • Combining patching and isolation: Patching protects your business against known vulnerabilities while isolating protects against Zero Day and unpatched vulnerabilities. 
  • Prioritizing assets based on mission criticality and developing an incident response plan: Preparing a comprehensive plan helps you respond swiftly to DDoS attacks. This includes implementing an SASE security framework connected to Zero Trust architecture. The latter provides continuous authentication via identity and access management (IAM) and privileged access management (PAM).

DDoS Attack Mitigation 

Signs and symptoms of a DDoS attack 

Recognizing the signs of a DDoS attack is crucial for timely mitigation.  

Common symptoms include unusually slow network performance, unexplained timeouts, “too many connections” error notices, and an increased use of server memory. 

Additionally, an increase in traffic from a single IP address can indicate a potential attack. 
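A simple way to check the “increase in traffic from a single IP address” sign described above is to count requests per source over a sliding time window in the web server access log. The following Python script is an added example, not code from the original post: it parses combined-format log lines (a constructed sample is embedded) and flags any source whose request count inside a 10-second window exceeds a threshold (the window length and threshold are assumed values to tune for your own traffic).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined log format; we key on the source IP and timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not from any real server): one source hammering the
# login endpoint within three seconds, beside a few ordinary clients.
SAMPLE_LOG = (
    ['203.0.113.10 - - [11/Jul/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
     '198.51.100.20 - - [11/Jul/2024:10:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 9000']
    + [f'192.0.2.77 - - [11/Jul/2024:10:00:0{i % 3} +0000] "POST /login HTTP/1.1" 200 300'
       for i in range(120)]
    + ['203.0.113.10 - - [11/Jul/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 800']
)

def parse_line(line):
    """Return (ip, datetime, request) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")

def flag_flood_sources(lines, window=timedelta(seconds=10), max_requests=50):
    """Return {ip: peak requests in any sliding window} for sources over the limit.

    The window length and threshold are assumed values to tune per site.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until every stamp fits inside it
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in flag_flood_sources(SAMPLE_LOG).items():
        print(f"possible HTTP flood from {ip}: {n} requests inside a 10s window")
```

A distributed flood will not trip a per-source threshold, so pair this with the aggregate requests-per-second view your monitoring already provides.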

Steps to detect and confirm a DDoS attack 

There are several ways to identify whether your network is under a DDoS attack. 

Tools like network traffic analyzers, behavior-based anomaly detection, and DDoS simulation tests are key to protecting your business. 

Network traffic analyzers: With threat actors intensifying their efforts against businesses, continuous monitoring should be part of your arsenal of tools. For example, Cloudflare’s Magic Network Monitoring tool provides end-to-end network traffic visibility and volumetric traffic alerts. 

DDoS simulation testing: This is a process where a controlled DDoS attack is performed on a system to assess its resilience. The goal is to gauge how the system performs under stress and whether it can maintain functionality during an attack.  

DDoS simulation testing can also help you identify gaps in your incident response procedures. If you’re an AWS customer, for instance, Red Button (an AWS partner) can perform a DDoS simulation test on your behalf.  

Meanwhile, Azure customers have access to self-service or guided DDoS simulation testing with providers like BreakingPoint Cloud, Red Button, MazeBolt, and RedWolf.  

Behavior-based anomaly detection: Here, machine-learning algorithms are used to detect polymorphic malware that adapts and mutates to bypass traditional intrusion detection systems and CDNs. Meanwhile, AI-driven CDN platforms are providing real-time anomaly detection and continuous adaptation to evolving attack vectors. 

Effective response strategies 

How can I protect my network from DDoS attacks? 

  • Cloud DDoS scrubbing: Redirects malicious traffic to DDoS scrubbing facilities to achieve high availability and resiliency. Scrubbing is more effective than either sinkholing or blackholing, as it redirects all incoming traffic through a “cleaning” center. There, malicious DDoS packets are blocked, while benign traffic is routed to its original destination. 
  • IP Blacklisting: Blocks traffic from known malicious IP addresses. 
  • Elastic load balancing: With AWS, you can deploy three types of load balancers. They are Application Load Balancers (ALB), Network Load Balancers (NLB) and Classic Load Balancers (CLB). ALBs, for instance, can block DDoS attacks such as SYN floods and UDP reflection attacks. 
  • DDoS security services: Tools like Akamai’s Kona DDoS Defender guarantee continuous operations, even during an attack. Thus, your customers will enjoy a seamless experience. This will lead them to view your business as more reliable and trustworthy than other brands.

Impacts and Consequences of DDoS Attacks 

Effects of DDoS attacks on businesses and organizations 

DDoS attacks can have a devastating effect on your business. These effects can include: 

Trust is the new business currency. According to PwC research, consumers are more likely to buy from businesses they trust (91%), recommend the business to others (88%), and defend the business to others (83%). 

And, consumers overwhelmingly say that trust is earned through: 

  • The affordability of products/services 
  • The reliability of the experience — nothing short of 100% uptime and DNS availability 
  • Quick responses to consumer concerns 
  • The ability of the leadership team to admit to mistakes quickly and honestly

Financial and reputational implications 

The financial implications of a DDoS attack can be significant, including: 

  • Billions of dollars in lost sales 
  • Costs associated with compensating customers for service disruptions 
  • Costs associated with DDoS mitigation efforts

Reputational damage can be equally severe, as customers may lose confidence in your ability to protect their data and maintain service availability. 

Long-term consequences 

Long-term consequences of DDoS attacks include: 

  • potential loss of market share 
  • decreased consumer loyalty 
  • increased scrutiny from regulatory bodies

Motivations and Tactics Behind DDoS Attacks 

Common motives for launching DDoS attacks 

DDoS attacks can be motivated by various factors: 

  • Financial gain. North Korean APT (advanced persistent threat) groups are increasingly targeting SMBs for financial gain. In 2022, the North Korea-aligned TA444 group infected a medium-sized American digital bank’s IT systems with CageyChameleon malware. APT groups often use social engineering to inject malware into target systems while simultaneously launching DDoS attacks to distract IT personnel. 
  • Political activism. Increasingly, DDoS attacks are being perpetrated by a small group of politically motivated hacktivists. The largest, NoName057, appears to have Russian connections and has targeted 780 websites across 35 countries. NoName’s focus seems to be countries that express support for Ukraine. 
  • Personal vendettas. Sometimes, hackers perpetrate attacks as an ego trip. For example, Julius “Zeekill” Kivimäki (a Finnish hacker who was arrested in France in 2023) uses the pseudonym “Untouchable Hacker God” on his Twitter profile. Kivimäki achieved initial notoriety as a member of Lizard Squad, a low-level hacker group specializing in DDoS attacks.

Role of botnets and attack techniques 

Botnets play a crucial role in DDoS attacks by providing the computational power to generate an avalanche of traffic.  

Common attack techniques include reflection and amplification attacks, where public IoT devices are recruited as botnets to amplify DDoS attacks.  

Another technique is bad bots inundating mobile and residential ISPs with server requests, thus overwhelming their resources and disrupting services. According to Imperva’s 2024 Bad Bot report, ISPs experienced a 1.6% increase in bad bot traffic in 2023 (from 47.7% to 49.3%). 

Understanding attacker motivations 

Understanding the motivations behind DDoS attacks is the key to developing effective defense strategies.  

Some attackers are focused on monetary gain. They perpetrate DDoS attacks to extort ransom payments from victims. In 2023, Cloudflare reported a 60% increase in ransom DDoS attacks.

Effective strategies for these types of attackers may include enterprise-grade DDoS protection for SMBs, intrusion detection systems (IDS), and network load balancers that reroute traffic to available servers if one or more servers fail. This ensures the high availability and reliability of services. 

Meanwhile, politically motivated attackers use DDoS to protest a religious, social, or political agenda. Their main targets are ecommerce, government, banking, and social organizations. Anonymous Sudan, Mysterious Team, and Team Insane PK are responsible for most of the religiously-driven DDoS attacks across the world. 

These types of attackers may require a more nuanced approach. This can mean training religious and community leaders to perform prevention and intervention activities in collaboration with law enforcement. 

DDoS Attacks and Cybersecurity 

Relationship between DDoS attacks and cybersecurity 

DDoS attacks are a critical aspect in the global conversation on cybersecurity. Their role in geopolitical tensions highlights the importance of robust security measures.  

Thus, effective cybersecurity strategies must include measures to prevent, detect, and mitigate DDoS attacks. 

Importance of proactive defense strategies 

Proactive defense strategies are essential in mitigating the risk of DDoS attacks.  

This includes regular security audits, continuous network traffic monitoring, and the adoption of dynamic, more powerful DDoS protections.  

Here’s why a proactive defense is critical: 

  • What worked before is no longer sufficient — threat actors continue to deploy more sophisticated attacks against SMBs. If apps are the lifeblood of your business, traditional web application firewall rules can leave your business vulnerable. Instead, implementing a defense-in-depth approach which includes a mature Zero Trust framework and range of DDoS tools will be critical to business continuity. 
  • DDoS attacks come with a high price tag for you. The average cost per DDoS incident for SMBs is $52,000 USD.  

Collaborative efforts to combat DDoS attacks 

Combating DDoS attacks requires a robust partnership between SMBs, cybersecurity experts, and law enforcement agencies around the world.  

Here are three resources that can help you protect your business from DDoS attacks: 

As can be seen, the DDoS threat landscape is evolving and becoming ever more treacherous. 

At LastPass, your security is our top priority. Protect your assets by combining the above DDoS strategies with LastPass Business. Start your free trial today.  

FAQ

How can I protect my network from DDoS attacks?

There are four important ways to protect your network from DDoS attacks:

· Implementing a SIEM-SOAR-XDR solution for detection and incident response across endpoints and cloud platforms

· Using a framework like the AWS Well-Architected Framework to improve DDoS resiliency for cloud applications and workloads

· Combining patch management and network segmentation to isolate critical assets

· Preparing a comprehensive incident response plan and implementing an SASE security framework connected to Zero Trust architecture

How can I identify if my network is under a DDoS attack?

If your network is under a DDoS attack, you may see unusually slow network performance, unexplained timeouts, “too many connections” error notices, and an unusual increase in server memory use.

What are the types of DoS attacks?

The types of DDoS attacks are:

· Volumetric attacks like UDP floods, ICMP ping floods, and DNS amplification attacks

· Protocol attacks like SYN floods, Smurf attacks, and Ping of Death

· Application layer attacks like HTTP floods, HTTP/2 floods, and Slowloris attacks