DDoS attacks have always been a concern, but only recently have they grown into the downtime threat they represent today. The humble denial of service attack has undergone several key evolutions, first into rapidly scaling Internet of Things (IoT)-based botnets, and more recently into smaller botnets that pack a far heavier punch. Recent CISA guidance has the US Government issuing major warnings about DDoS attacks, and mitigation is now considered a necessity by industry leaders. To come to grips with the true threat of today's DDoS attacks, let's analyze the evolution of DDoS and see how DDoS protection works.
DDoS: The Dark Side of the Cloud
The cloud revolutionized almost every industry, in all its forms. Whether clothing eCommerce shops or underground hacking groups, the cloud offers cost-effective compute and storage that any industry can leverage for its own gain. The rapid expansion of enterprise networks that cloud computing enables has opened major holes in preexisting, perimeter-focused security. Along the same lines, the growing number of internet-connected devices represents a key opportunity for the malicious-minded.
Botnets live and die by their size and power. A cybercriminal-controlled botnet begins with a security oversight: the goal is to harness an individual's device, preferably without the owner's knowledge. The CPU in even a basic smartphone is more than enough to carry out DDoS commands, so any internet-connected device is a target. These botnets seek to infect devices stealthily with malware that causes no immediate or noticeable damage; the completely unnoticed compromise turns the device into a bot, or 'zombie'. Once one device is compromised, most DDoS malware also scans for further victims, on the same network and, in the case of worms such as Mirai, across the wider internet.
DDoS attacks are highly public, making them popular with politically motivated attackers. A DDoS attack, in essence, floods a website or service with more requests than it can handle in a very short time. A successful attack demands too many resources from the site, overwhelming the hosting server and causing it to deny requests from legitimate users. The 'distributed' aspect is that these malicious requests arrive simultaneously from many locations and IP addresses. A site under DDoS attack sees a sudden onslaught of thousands, or millions, of requests within minutes. This may be sustained indefinitely; sometimes attackers demand a ransom to stop, and other times they simply aim to keep you offline for a while.
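The paragraph above describes the signature a defender can actually look for: request volume that jumps by orders of magnitude while being spread across many source addresses. The following is an added example, not code from the original article: it parses Common Log Format access-log lines, buckets them into fixed time windows, and flags windows where both the request count and the number of distinct source IPs exceed thresholds. The sample log is constructed inline from RFC 5737 documentation addresses, and the thresholds are illustrative assumptions to be tuned per site.

```python
"""Flag request floods in web-server access logs (Common Log Format)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
CLF_TIME = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, client_ip, request_line), or None for lines that do not parse."""
    m = CLF.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("time"), CLF_TIME), m.group("ip"), m.group("req")


def detect_floods(lines, window_seconds=5, request_threshold=100, min_distinct_ips=20):
    """Count requests and distinct sources per fixed window and report the windows
    that exceed both thresholds (illustrative defaults, not recommended values).

    A single noisy client is a rate-limiting problem; a spike spread across many
    sources is the 'distributed' signature. top_source_share helps tell them apart.
    """
    buckets = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing on garbage
        ts, ip, _ = parsed
        key = int(ts.timestamp()) // window_seconds
        buckets.setdefault(key, Counter())[ip] += 1

    alerts = []
    for key in sorted(buckets):
        per_ip = buckets[key]
        total = sum(per_ip.values())
        if total >= request_threshold and len(per_ip) >= min_distinct_ips:
            top_ip, top_n = per_ip.most_common(1)[0]
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_seconds, tz=timezone.utc),
                "requests": total,
                "distinct_ips": len(per_ip),
                "top_source": top_ip,
                "top_source_share": round(top_n / total, 3),
            })
    return alerts


def build_sample_log():
    """Constructed sample, not real traffic: three normal requests spread over a
    minute, then 300 requests in two seconds from 150 distinct addresses."""
    fmt = '{ip} - - [{t}] "GET {path} HTTP/1.1" 200 512'
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        t = (base + timedelta(seconds=20 * i)).strftime(CLF_TIME)
        lines.append(fmt.format(ip=ip, t=t, path="/index.html"))
    burst = base + timedelta(minutes=2)
    for i in range(300):
        t = (burst + timedelta(seconds=i // 150)).strftime(CLF_TIME)
        lines.append(fmt.format(ip=f"203.0.113.{i % 150}", t=t, path="/"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

In production the same logic runs over a tail of the live log (or the load balancer's metrics) rather than a file, and the thresholds should come from a baseline of normal traffic; a window that trips the request threshold with a single dominant source is better handled by a per-client rate limit than by flood response.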
The scale of these botnets can be truly intimidating. Mirai was one of the first to prioritize scale over all else. Breaking onto the scene in 2016, Mirai's operators first launched a widespread attack on the website of a well-known security journalist (KrebsOnSecurity). Exploiting the poor built-in security of early IoT devices, above all factory-default telnet credentials, Mirai's victim count swiftly grew to hundreds of thousands of devices. Mirai's source code was released publicly shortly afterwards. Several variants have since appeared, one recent example being known as IoTroop or Reaper. This strain can infect IoT devices far faster than the original Mirai code: rather than guessing default passwords, Reaper exploits known vulnerabilities in devices from many manufacturers, and it has a far deeper degree of control over the infected bots. Even more recent botnets such as Mantis have switched tactics: with only around 5,000 bots under its control, it can still launch extremely heavy attacks, clocking in at over 15 million requests per second. With attackers now compromising powerful servers and virtual machines rather than only low-powered IoT devices, the DDoS attack is entering its heyday.
CISA Issues Guidance
The growth of the cloud has shifted the ground in favor of DDoS attackers. Post-pandemic interconnectivity is here to stay, meaning externally facing resources are now essential to business operations. Maintaining these remote connectivity networks is challenging even for mature IT teams, and no amount of hardening makes it possible to avoid a DDoS attack completely.
This is one reason the Cybersecurity and Infrastructure Security Agency (CISA) recently published official guidance. Working in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the three government bodies have analyzed the growing threat DDoS attacks present to national security. The guidance recommends three key defense tactics, focusing on when, not if.
The first is to understand your critical assets and services. Identifying which core services you own allows you to analyze each one's exposure to the public internet. Keep an eye out for common vulnerabilities within these key components, too. Prioritize assets based on their mission criticality and how important it is that each one remain available. Good cyber hygiene, such as server hardening and prompt patching, must be maintained throughout the entire tech stack, as this lowers the risk of a successful attack.
Once you've thoroughly examined each critical asset, turn that attention to your users. Realistically map the disparate ways each user connects to the organization's network, whether onsite or via company-wide virtual private networks (VPNs); this will be even more scattershot if you offer hybrid or remote working. Mapping these paths lets you identify network chokepoints, such as a single VPN concentrator, and plan how to maintain connectivity for your existing user base if one of them is flooded.
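The first step above, knowing which critical services are reachable from the public internet, is usually where an inventory effort stalls. The following is an added example, not part of the CISA guidance or the original article: it parses the listening-socket table that `ss -tlnp` prints on Linux, classifies each bind address (wildcard, loopback, private, public) with the standard library's ipaddress module, joins it with a criticality rating, and orders the result so that internet-reachable, mission-critical services come first. The `ss` output and the CRITICALITY table are constructed for the example; a real inventory would supply both.

```python
"""Triage listening services by internet exposure and business criticality."""
import ipaddress
import re

# One line of `ss -tlnp` output: state, queues, local addr:port, peer, process.
SS_LISTEN = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

# Constructed sample output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511      0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1204,fd=6))
LISTEN  0       128      127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128      10.0.4.12:8080       0.0.0.0:*          users:(("java",pid=2001,fd=12))
LISTEN  0       128      [::]:3306            [::]:*             users:(("mysqld",pid=1500,fd=20))
"""

# Hypothetical criticality ratings (3 = mission critical) keyed by process name.
# In practice these come from the asset inventory, not a hard-coded table.
CRITICALITY = {"nginx": 3, "mysqld": 3, "postgres": 3, "sshd": 2, "java": 2}

# A wildcard bind is reachable on every interface the host has, including any public one.
EXPOSURE_RANK = {"public": 3, "all-interfaces": 3, "private": 1, "loopback": 0}


def classify_bind(local):
    """Split 'addr:port' (IPv6 in brackets) and name the scope of the bind address."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]")
    if addr in ("*", ""):
        return "all-interfaces", int(port)
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:        # 0.0.0.0 or ::
        scope = "all-interfaces"
    elif ip.is_loopback:
        scope = "loopback"
    elif ip.is_private:          # RFC 1918, ULA and other non-routable ranges
        scope = "private"
    else:
        scope = "public"
    return scope, int(port)


def triage(ss_output, criticality=CRITICALITY):
    """Return listeners ordered by internet reachability, then criticality, then port."""
    rows = []
    for line in ss_output.splitlines():
        m = SS_LISTEN.match(line)
        if not m:
            continue                      # header line or non-LISTEN socket
        scope, port = classify_bind(m.group("local"))
        proc = m.group("proc")
        rows.append({
            "process": proc,
            "port": port,
            "bind": scope,
            "criticality": criticality.get(proc, 1),   # unknown services default to low
            "internet_reachable": EXPOSURE_RANK[scope] >= 3,
        })
    rows.sort(key=lambda r: (-int(r["internet_reachable"]), -r["criticality"], r["port"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_SS):
        print(row)
```

The socket table is only half the picture: a wildcard bind behind a cloud security group or an upstream firewall may not be reachable at all, and a private bind can be reachable through a misconfigured NAT rule, so the output should be reconciled with firewall and load-balancer configuration before the priority list is trusted.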
The Third and Final Step: Comprehensive Mitigation
The final piece of advice in the CISA report is to engage a dedicated DDoS mitigation provider. A DDoS attack can take a service down in moments, but full recovery often takes hours or even days. For that entire time the organization is spiraling as critical communications and public-facing resources are wiped off the internet, so every second counts in successful attack mitigation.
Two common ways to route traffic through a mitigation provider are DNS-based reverse proxying, where the provider fronts your apps or site and your origin servers stay hidden behind it, and Border Gateway Protocol (BGP) diversion, where the provider announces your IP prefixes and forwards clean traffic back to you over a tunnel. In both cases all connections pass through the provider's scrubbing centers, where incoming traffic is analyzed using deep packet inspection. Comparing sources against known-bad IP reputation lists and request patterns against common malicious behavior (rates and patterns no human user generates) makes it possible to scrub the malicious requests out of the barrage. This cuts off the attacker's main ammunition: attackers are powerless if only legitimate users can reach your site. DDoS mitigation solutions let you prioritize genuine users even while actively under attack. One caveat applies to the reverse-proxy model: it only works while the origin's real address stays hidden, so the origin should accept connections only from the provider's published IP ranges, otherwise an attacker who discovers it can bypass the scrubbing layer entirely.