DDoS attacks have always been cause for concern, but only recently have they grown into the downtime giant they represent today. The humble denial of service attack has undergone a number of key evolutions: first into rapidly scaling Internet of Things (IoT)-based attacks, and now into smaller botnets that pack a mighty punch. Recent CISA guidance has seen the US Government issue major warnings about DDoS attacks, and mitigation is now considered a necessity by industry leaders. To come to grips with the true threat of today's DDoS attacks, let's analyze the evolution of DDoS and see how DDoS protection works.
DDoS: The Dark Side of the Cloud
The cloud revolutionized almost every industry, in all its forms. Whether clothing eCommerce shops or underground hacking groups, the cloud offers cost-effective storage and compute that every industry can leverage to its gain. The rapid expansion of enterprise networks that cloud computing empowers has opened major holes in pre-existing, perimeter-focused security. Along the same lines, the expansion in the number of connected devices represents a key opportunity for the malicious-minded.
Botnets live and die by their size and power. Cybercriminal-controlled botnets begin with a security oversight. The goal is to harness the power of an individual's computer, preferably without the owner's knowledge. The CPUs and hardware on offer in even basic smartphones today are more than enough to carry out DDoS commands; with any wifi-compatible device a target, these botnets seek to stealthily infect devices with a virus that causes no immediate or noticeable damage. The completely unnoticed infection turns the computer into a bot, or 'zombie' device. Once one computer is compromised, most DDoS viruses now also begin to seek out other machines connected to the same network.
A DDoS attack, in essence, is a website being flooded with requests in an incredibly short period of time. A successful attack demands too many resources from the site, overwhelming the hosting server and causing it to deny requests from legitimate users. The 'distributed' aspect refers to the fact that these malicious requests come from multiple locations and IP addresses at the same time. A site on the receiving end of a DDoS attack sees a sudden onslaught of thousands, or millions, of requests over a period of minutes. This may be sustained indefinitely; sometimes attackers will demand a ransom, other times their aim is simply to take you offline for a while. DDoS attacks are highly public, making them a firm favorite for politically motivated attackers.
The scale of these botnets can be truly intimidating. Mirai was one of the first to prioritize scale over all else. Breaking onto the scene in 2016, Mirai was first used by its creators to launch a widespread attack on the website of a well-known security professional. Piggybacking off the atrocious inbuilt security of early IoT devices, the number of Mirai botnet victims swiftly grew to millions. Mirai's source code was shortly thereafter leaked online, and it has since seen a number of evolutions, one recent example being variously nicknamed IoTrooper and Reaper. This strain is able to infect IoT devices at a far faster rate than the original Mirai code. Reaper counts devices from a larger number of manufacturers among its victims, and has a far deeper degree of control over the infected bots. Even more recent botnets such as Mantis have switched tactics: with only 5,000 bots under its control, it can still launch extremely heavy attacks, clocking in at over 15 million requests per second. With attackers able to take their pick of highly powerful server machinery, the DDoS attack is entering its heyday.
CISA Issues Guidance
The growth of the cloud has seen industry standards shift in favor of DDoS attackers. Post-pandemic interconnectivity is here to stay, meaning externally facing resources are now essential to business operation. Keeping and maintaining these remote connectivity networks is a challenging demand even for mature IT teams; it also makes it nigh impossible to completely avoid a DDoS attack.
This is one reason for the Cybersecurity and Infrastructure Security Agency (CISA)'s recent publication of official guidance. Working in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the three government bodies have analyzed the growing threat that DDoS attacks present to national security. Treating an attack as a matter of when, not if, the guidance recommends three key defense tactics.
The first is to understand your critical assets and services. By first identifying what core services you own, it then becomes possible to analyze each one's exposure to the public internet. Keep an eye out for common vulnerabilities within these key components, too. Prioritize assets based on their mission criticality and how necessary it is that each asset remains available. Good cyber hygiene, such as server hardening and prompt patching, needs to be maintained throughout the entire tech stack, as this helps lower the risk of an attack.
Once you've taken a thorough look at each critical asset, it's time to turn that attention to your users. Take a real-time look at the many different ways each user connects to the organization's network. If you offer hybrid or remote working, these paths will be even more scattered. Whether users connect onsite or via company-wide virtual private networks (VPNs), this process allows you to identify any network chokepoints, while helping you maintain connectivity for your actual user base.
The Third and Final Step: Comprehensive Mitigation
The final piece of advice presented by the CISA report recommends a dedicated DDoS mitigation provider. In the realm of DDoS attacks, it can often take just moments to go down, but hours or even days to fully recover. During this entire time, the organization is spiraling as critical communications and public-facing resources are apparently wiped off the internet. Every second counts when it comes to successful attack mitigation.
Border Gateway Protocol (BGP) routing represents one of the most reliable forms of DDoS prevention. With this mitigation solution in place, the third-party provider acts as a proxy for your own apps or site. All connections pass through the provider's servers, allowing your origin servers to remain hidden and the provider's scrubbing process to kick in. By rerouting traffic via the security provider, it becomes possible to analyze the incoming traffic with deep packet inspection. By checking sources against known troublesome IP addresses and looking for common malicious browsing habits, it becomes possible to scrub the malicious requests out of the barrage. This cuts off the attacker's main ammunition: if only legitimate users are allowed to request your site, attackers are left powerless. DDoS mitigation solutions allow you to prioritize genuine users, even when actively under attack.
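To make the scrubbing step concrete, here is an added example (not code from the article or from any mitigation provider) of the kind of per-request filter a scrubbing proxy applies: a reputation check against a blocklist, a simplified behavioural check, and a sliding-window rate limit per source. The blocklist ranges and the traffic mix are constructed from RFC 5737 documentation addresses, and the empty User-Agent heuristic stands in for the richer behavioural analysis a real provider would run.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed blocklist of "known troublesome" source ranges. These are
# RFC 5737 documentation addresses, used here as placeholders, not real IoCs.
BLOCKLIST = [ip_network("203.0.113.0/24")]
WINDOW_SECONDS = 10      # sliding window length per source
MAX_PER_WINDOW = 20      # requests a single source may make inside the window


def scrub(events, blocklist=BLOCKLIST, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Decide, request by request, what reaches the origin.

    events: iterable of (timestamp_seconds, source_ip, user_agent) tuples,
    in time order, as a scrubbing proxy would see them.
    Returns (allowed_events, dropped_counts_by_reason).
    """
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    allowed, dropped = [], defaultdict(int)
    for ts, src, user_agent in events:
        # Reputation check: sources on the blocklist are dropped outright.
        if any(ip_address(src) in net for net in blocklist):
            dropped["blocklist"] += 1
            continue
        # Behavioural check (simplified stand-in): real browsers send a
        # User-Agent, so an empty one is treated as a bot signal.
        if not user_agent:
            dropped["no_user_agent"] += 1
            continue
        # Rate check: count this source's requests in the sliding window.
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            dropped["rate_limit"] += 1
            continue
        allowed.append((ts, src, user_agent))
    return allowed, dict(dropped)


def sample_events():
    """Constructed traffic mix: one legitimate user, three bot-like sources."""
    ua = "Mozilla/5.0"
    legit = [(float(t), "198.51.100.7", ua) for t in range(0, 10, 2)]
    listed = [(float(t), "203.0.113.5", ua) for t in range(3)]
    flood = [(1.0 + i * 0.05, "192.0.2.9", ua) for i in range(30)]
    headless = [(4.0, "198.51.100.8", "")]
    return sorted(legit + listed + flood + headless)
```

Note that the rate limit only bites after a source has already exceeded the window budget, so the first requests of a flood still reach the origin; that is why providers combine it with reputation data rather than relying on rate alone.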