Every DDoS (Distributed Denial of Service) attack is a contest between the resources the attacker can bring to bear and the resources the victim must spend absorbing or mitigating it. The effectiveness of an attack lies in that disparity: even after the attackers wind down the barrage of traffic, the victim is left to pick up the pieces of bloated cloud bills, disrupted online services, and dissatisfied customers.
Different DDoS attacks exploit different mechanisms. This article assesses the various approaches seen in the wild and explains why DDoS attacks remain a very real cybersecurity threat in 2024.
This year has seen DDoS attacks come back from the dead: long removed from top-10 threat lists, some industry players are now calling for them to be returned to the spotlight. America, France, and the UK have all seen significant increases in the ferocity and number of attacks, largely as a result of wider geopolitical tensions.
Rather than being a mere symptom of wider conflict, researchers have pointed out that DDoS attacks are now an integral weapon within the international conflicts roiling across the globe. This fertile ground sees attacks launched across borders at any service reachable from the public internet. It is within this wider context that the European Union Agency for Cybersecurity (ENISA) found that 66% of all DoS attacks are politically motivated, and that attacks directed at Swedish organizations rose fourfold after the country's acceptance of NATO membership.
Fuelling this is the emergence and evolution of botnets, which allow largely unskilled but highly politically motivated threat actors to achieve large-scale disruption.
Understanding how to counter an ongoing DDoS attack demands a deeper understanding of the different forms that attacks can take.
In the standard form of a DDoS attack, the attacker denies service by overwhelming the target's network resources with legitimate-seeming HTTP requests. This is achieved using a botnet, in which every bot is simultaneously commanded to start sending traffic to the victim's servers.
Mitigation is fairly achievable here, however: a simple CAPTCHA challenge sent to the requesting device can sometimes be enough to stop a low-skilled attacker from causing a service outage. Similar preventative measures, such as a JavaScript computational challenge, can stop these bots at the edge.
Further inside your own network security controls, a web application firewall can manage and filter the volume of traffic using an IP reputation database, helping to prevent illegitimate devices from consuming server resources.
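The two controls described above, reputation-based blocking and rate-based challenging of a source, can be combined in a single pass over a web server's access log. The following is an added example written for this article, not code from the original; the log format, the IP addresses and the reputation list are all constructed, and the thresholds are illustrative.

```python
from collections import defaultdict, deque

# Hypothetical reputation list, constructed for this example (not a real threat feed).
BAD_REPUTATION = {"198.51.100.9"}

def parse_line(line):
    """Constructed log format: '<epoch seconds> <client ip> <method> <path>'."""
    ts, ip, _method, _path = line.split()
    return int(ts), ip

def flag_sources(lines, window_s=10, threshold=50):
    """Walk chronologically ordered log lines and return {ip: action}.

    'block'     - the source is on the reputation list (WAF-style IP filtering)
    'challenge' - the source exceeded `threshold` requests inside any sliding
                  window of `window_s` seconds (hand it a CAPTCHA/JS challenge)
    """
    actions = {}
    recent = defaultdict(deque)            # ip -> timestamps inside the window
    for line in lines:
        ts, ip = parse_line(line)
        if ip in BAD_REPUTATION:
            actions[ip] = "block"
            continue
        window = recent[ip]
        window.append(ts)
        while window[0] <= ts - window_s:  # evict timestamps that fell out
            window.popleft()
        if len(window) > threshold:
            actions[ip] = "challenge"
    return actions

def constructed_log():
    """Constructed traffic: one bot at 20 req/s, one normal visitor, one listed IP."""
    lines = [f"{1000 + i // 20} 203.0.113.7 GET /" for i in range(200)]
    lines += [f"{1000 + i * 2} 192.0.2.44 GET /about" for i in range(5)]
    lines.append("1003 198.51.100.9 GET /")
    return sorted(lines, key=lambda ln: int(ln.split()[0]))

if __name__ == "__main__":
    for ip, action in flag_sources(constructed_log()).items():
        print(f"{ip}: {action}")
```

The normal visitor never appears in the result, which is the point of challenging rather than blocking on rate alone: a legitimate client that trips the threshold only loses a few seconds to a CAPTCHA.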
Layer 3 attacks abuse the protocols and technologies that make interconnected networks possible. Take GRE, a form of tunneling that lets a network carry protocols it does not natively support by wrapping the original packets inside packets of a protocol it does support.
It is how companies can send data across networks running different IP protocols, for instance.
However, GRE was used in the now-infamous 2016 Mirai attack: its encapsulation let an already huge payload do even more damage, because the victim had to spend additional processing reassembling the fragmented packets.
Layer 3 attacks can be mitigated by accepting inbound traffic only on the HTTP and HTTPS ports.
Volumetric attacks rely on amplification techniques, such as a botnet or protocols that multiply the number of requests per second.
A typical example is an SSDP attack. Here the attacker sends a spoofed UDP packet to a device such as a printer; the packet carries the IP address of the target victim as its source. Using a botnet, such a spoofed packet is sent to every plug-and-play device possible, each requesting as much data as it can. The 'response' to the victim can be up to 30 times the size of the initial request.
Thanks to this amplification, the target’s servers can become inaccessible to genuine traffic.
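Two things make the SSDP mechanism above concrete from a defender's seat: how large the response to a single discovery request is, and how reflected traffic looks at the victim's edge (replies arriving from UDP port 1900 that answer a request the victim never sent). The following is an added example written for this article, not code from the original; the discovery request, the device reply, the IP addresses and the flow records are all constructed.

```python
from collections import defaultdict

# Constructed SSDP discovery request (94 bytes); a spoofed copy carries the victim's address.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()

def constructed_responses(n_services=8):
    """Constructed reply to 'ST: ssdp:all': one datagram per advertised service, so a
    device exposing eight services answers a 94-byte request with roughly 2 KB."""
    one = (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        "LOCATION: http://192.0.2.10:49152/description.xml\r\n"
        "SERVER: ExampleOS/1.0 UPnP/1.1 example-printer/1.0\r\n"
        "ST: urn:schemas-upnp-org:service:Printer:1\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000000::"
        "urn:schemas-upnp-org:service:Printer:1\r\n\r\n"
    ).encode()
    return [one] * n_services

def amplification_factor(request=M_SEARCH, responses=None):
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    responses = constructed_responses() if responses is None else responses
    return sum(len(r) for r in responses) / len(request)

# Constructed flow records seen at the victim's edge (198.51.100.5). The host really
# queried 192.0.2.77; the replies from .10 and .11 answer a request it never sent.
FLOWS = [
    {"dir": "out", "src": "198.51.100.5", "sport": 49001, "dst": "192.0.2.77", "dport": 1900, "bytes": 94},
    {"dir": "in", "src": "192.0.2.77", "sport": 1900, "dst": "198.51.100.5", "dport": 49001, "bytes": 289},
    {"dir": "in", "src": "192.0.2.10", "sport": 1900, "dst": "198.51.100.5", "dport": 80, "bytes": 2312},
    {"dir": "in", "src": "192.0.2.11", "sport": 1900, "dst": "198.51.100.5", "dport": 80, "bytes": 2312},
]

def unsolicited_ssdp(flows):
    """Return {reflector_ip: bytes} for inbound port-1900 replies with no matching
    outbound discovery request in the same records: the signature of reflection."""
    queried = {f["dst"] for f in flows if f["dir"] == "out" and f["dport"] == 1900}
    hits = defaultdict(int)
    for f in flows:
        if f["dir"] == "in" and f["sport"] == 1900 and f["src"] not in queried:
            hits[f["src"]] += f["bytes"]
    return dict(hits)
```

A public-facing host that has no business speaking SSDP can simply drop inbound UDP from source port 1900 at the edge; the detection above is for the case where some discovery traffic is legitimate and must be told apart from reflected replies.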
In practice, highly skilled attackers commonly combine all three of these mechanisms, especially as botnets become increasingly available for hire via the dark web. A proactive approach is the only way to genuinely address the threat of DDoS attacks.
Here are the best practices for preventing DDoS attacks.
Web Application Firewalls (WAFs) are integral pieces of network security for a reason. Their ability to inspect incoming traffic and stop recognizable malicious requests from slipping through provides heavy-handed protection against opportunistic attacks.
However, static WAFs often rely on rules that are manually updated and changed.
Next-gen WAFs address this by applying machine learning techniques to adapt rules automatically and assess the legitimacy of each device making requests.
Protecting the servers that keep your services up and running can also take the form of building resilient infrastructure around them. Core to this are load balancers, which direct incoming traffic to multiple servers depending on each one's capacity and status. Similar to these are Content Delivery Networks (CDNs), which store copies of website content on third-party servers across the world.
If malicious traffic targets one server, content can still be served to the end-user, just from a different location.
Perimeter 81 provides superior network protection by ensuring each user has access only to the resources they need, based on their identity and context. Through the platform's dashboard, administrators can segment users into groups and create policies defining access to connected resources, whether they are on-premises servers or public cloud applications.
Regular security audits are conducted to identify and resolve vulnerabilities, enhancing overall network protection. Explore how Perimeter 81 can enhance your overall network resilience with a demo today.