Adaptive DDoS Attacks Get More Sophisticated: How to Beat Attackers’ New Ground Game
By Gary Sockrider, Director, Security Solutions, NETSCOUT
The rapid expansion of Internet of Things (IoT) devices, which now number in the billions, not to mention upgrades to network infrastructure and the acceleration of 5G deployments, means that network operators and IT managers have to become even more nimble at identifying and remediating security vulnerabilities. One increasing vulnerability that remains relatively elusive is DDoS attacks.
What is not often considered is that modern DDoS attacks are not what they once were several years ago. Now, such attacks are carefully orchestrated in campaigns involving reconnaissance. These campaigns identify weaknesses, tailor attacks, and monitor in real-time for efficacy, followed by adjustments in attack vectors. We call these “adaptive DDoS” attacks. And while attack methods of this nature have been perpetrated by nation-states, now they are increasing in prevalence in other sectors, such as healthcare and business.
In this article, we will explore how to prepare for these attacks so organizations don’t become the unintended victims of an adaptive DDoS campaign. We will also explore how organizations can defend against these highly organized adaptive DDoS attacks by implementing edge-based detection and mitigation methods.
DDoS Attacker Evolution: From Rogue Agents to Sophisticated Operators
Today, DDoS attacks are getting more advanced by the day and are no longer the domain of rogue threat actors. This phenomenon has been observed with botnets launching attacks against Ukraine and other nation-states. Increasingly, attackers are shrewder and more brazen, performing extensive pre-attack scouting, exploiting weaknesses, and making use of botnet nodes and reflectors/amplifiers that are topologically adjacent to the target. This, in turn, minimizes the number of administrative boundaries that DDoS attack traffic must traverse, thus avoiding multiple network protection layers and making attack traffic more difficult to detect and mitigate.
While nation-state attacks are one example of the ways in which DDoS attacks are getting more organized at the ground level, businesses and other organizations are not at all immune. For example, this year, the U.S. Department of Health and Human Services (HHS) warned about DDoS attacks on the country’s healthcare industry by Russian hacktivists with the goal of targeting ventilators. Killnet, a group of Russian hacktivists, already has claimed responsibility for more than a dozen DDoS attacks on U.S. healthcare organizations to date, including major hospital networks such as Cedars-Sinai and Duke University Hospital.
This is just another example of the lengths that nefarious actors go to planning, executing, and sustaining DDoS attacks. What may seem mundane is actually incredibly complex. DDoS attacks can span countries, networks, and techniques like water finding a path through any available means. Ultimately, organizations must adopt new strategies, including dynamic defenses that are just as adaptive to input as modern attacks, to combat the growing complexity.
Edge-Based Detection and Mitigation to Thwart Savvier Attackers
Because of the damage that can be done by short-duration attacks on an organization’s critical business applications and services, as well as the requirement for near real-time mitigation to stop these attacks, a packet-level, stateless mitigation solution is a key consideration. This always-on technology sits on the edge of the network, and it is the foundation for a multilayered comprehensive DDoS defense against savvy attackers. Further, any edge-based solution must also be fully integrated with upstream mitigation to handle volumetric attacks exceeding the bandwidth available at the network edge.
Any DDoS protection solution must automatically identify and stop all types of DDoS attacks before they impact the availability of business-critical services. Unlike solutions that employ hard-coded logic, an adaptative DDoS defensive approach combines intelligent machine learning algorithms with dynamically updated actionable DDoS threat intelligence, which includes historical and real-time data tracing the methodologies and patterns of attackers.
DDoS attacks are indeed challenging, but focusing on static mitigations and upstream defenses will miss attacks that are deliberately designed to evade these defenses. Ultimately, defeating these attacks requires a solution designed to adapt defense strategies to changing tactics. Only then can organizations ensure effective, comprehensive DDoS protection as bad actors become more organized and exploit more attack vectors — and in a more methodical way — than ever before.
About the Author
Gary is an industry veteran bringing over 20 years of broad technology experience including routing and switching, wireless, mobility, collaboration and cloud but always with a focus on security. His previous roles include solutions architect, security SME, sales engineering, consultancy, product management, IT and customer support. Gary seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address the challenges they present. Prior to joining Netscout in 2012, he spent 12 years at Cisco Systems and held previous positions with Avaya and Cable & Wireless. Gary can be reached on LinkedIn and at www.netscout.com.