Why is DDoS mitigation and detection still relevant?

The latest data from Verizon's Data Breach Investigations Report (DBIR) reveals that denial-of-service (DoS) attacks accounted for nearly half (46%) of all recorded cyber incidents last year, the most of any "action" type. At the same time, many cybercriminals are demanding a ransom payment to stop their distributed-denial-of-service (DDoS) attacks, taking inspiration from the success of recent high-profile ransomware attacks.

If you haven't already, it's time to put DDoS mitigation and detection higher on your organization's IT security priority list.

At its most basic, a DoS attack is designed to render a target organization's online services inaccessible by overloading them. DDoS attacks differ from DoS attacks by typically enlisting the help of multiple endpoints to achieve this goal. Today's DDoS detection landscape is increasingly complex due to the ingenuity of attackers, the availability of DDoS tooling and increased device bandwidth. Digital transformation is also to blame. By expanding the corporate attack surface, it has provided threat actors with a greater opportunity to hijack computing resources for use in DDoS attacks.

DDoS can be divided into three main categories—but, within each there are a growing number of variations, indicating the continuous R&D work taking place in the cyber underground. The three umbrella categories are:

1. Application-layer attacks: These target web app servers and could include HTTP floods, BGP hijacking, Slowloris, Slow post, mimicked user browsing and more.

2. Protocol attacks: These work by exhausting the resources of servers, firewalls, load balancers and other network equipment. They include SYN floods, ping of death, smurf DDoS and more.

3. Volumetric attacks: These attacks are designed to consume the bandwidth of a targeted asset. They include DNS amplification, UDP floods, IPSec floods and ICMP floods.

Although some attacks in recent years have exceeded 1 or even 2 Tbps, this is not the norm. According to the DBIR, the median now stands at 1.3 Gbps. Moreover, attacks have become more "tightly clustered" around this figure over recent years, indicating that attack infrastructure has become "more formalized and repeatable," the report argues.

Modern-day DDoS mitigation and detection is increasingly complicated because organizations are arguably more at risk today than ever, thanks to the low cost and ready availability of DDoS-as-a-service offerings on the dark web. Malicious actors are motivated by a variety of factors, such as:

• Business extortion: This blends ransomware techniques with DDoS threats.

• Cover for data breaches: Cyber spies may fire DDoS attacks at a target to distract its IT team whilst they get to work on the real goal—exfiltrating sensitive data.

• To force ransom payments: According to the FBI, DDoS attacks are also being used by ransomware groups as an additional threat to encourage payment, alongside the prospect of data leakage.

• Revenge: Some bad actors seek to disrupt former employers or other parties they've fallen out with.

• Bragging rights: Many DDoS attackers are young adults or even children. Some are motivated financially, but many do it just for the thrill. British investigators claim that children as young as nine have launched attacks in the past.

• Cyber warfare: The more infrastructure organizations have accessible via the internet, the greater the opportunity to attack. Ukraine claims DDoS attacks against "vital information infrastructure" have been a component of Russia's cyber warfare.

Ideology: Popularized by the Anonymous collective, loose groups of like-minded individuals or lone hacktivists might use DDoS to punish organizations they disagree with.

Whatever the motivation, the business impact can be severe, highlighting the growing need for DDoS mitigation. The DBIR notes that companies in a wide variety of sectors are at risk—including information services, manufacturing, government and professional services. While most experience fewer than 10 attacks per year, it could have a significant impact when one does strike, including:

• Lost sales

• Customer churn

• Long-term reputational damage

• Loss of competitive advantage

• Productivity loss

The associated costs will vary dramatically depending on the type of business, the duration of the attack and the services affected. But any kind of DDoS-related outage is a business risk that all boardrooms should be working to mitigate. That's where DDoS detection services come in.

There are several possible causes of an online service slowing or becoming unavailable. However, follow-on traffic analysis can illuminate some tell-tale signs that DDoS actors are to blame. These include:

• Large volumes of traffic coming from a single device type, location, etc.

• Unusual traffic patterns including spikes at apparently random times of the day