Raising the Alarm on DDoS Attacks
By Ivan Shefrin, Executive Director for Managed Security Services at Comcast Business
Many organizations underappreciate the risk of distributed denial-of-service (DDoS) attacks, which remain a significant threat to the availability of networks, systems, and application infrastructure. Recent events have shown just how costly DDoS attacks can be.
DDoS attacks compromise the availability of network, server, and application resources to render them unavailable for legitimate users. Criminals and nation states can launch severe DDoS attacks using millions of compromised botnet computers simultaneously. Botnets help ensure attacker anonymity because malicious traffic originates from what would otherwise be a legitimate IP address. DDoS attacks are hard to defend against because they often look like legitimate traffic and firewalls can run out of capacity. Defending against DDoS attacks upstream of your perimeter is a best practice to maintain Internet availability.
Threat actors constantly innovate to exploit new attack vectors, to avoid detection, and to hide their tracks. Defenders must continually evolve their countermeasures to stay safe from financial and reputational damage. With good reason, business and public sector stakeholders currently focus on defending against malware and zero-day vulnerabilities. However, because DDoS attacks are much less expensive and easier to launch than ransomware but can still cause a complete outage lasting for days, they are a significant residual risk. With the right partner, defending yourself against DDoS attacks is relatively straightforward. The first step is to determine if your organization is at risk and how much a complete outage would cost you.
The state of DDoS attacks
2021 was a record year for global DDoS attacks – at 9.84 million, it represents a 14% increase from two years prior. But this number is likely much higher, as some corporations have extensive internal resources to withstand attacks without noticeable disruption, and most typically don’t report publicly on attacks against their networks, applications, and infrastructure. This trend may change with new cybersecurity regulations.
Buoyed by the COVID-19 pandemic and the quick transition to remote work environments, Comcast Business threat research shows DDoS attacks have evolved into a lucrative business and, unfortunately, are here to stay.
Why are DDoS attacks so prevalent?
While threats like ransomware can take months to develop, DDoS attacks are very sudden. A large one can result in a complete business outage just as effectively as ransomware. That’s why we’ve seen them increase by over 125% in the last couple of years.
There are several reasons why DDoS attacks have greatly increased in popularity. For one, these attacks are incredibly cheap and easy to create, and the attacker does not need to have any technical knowledge. All the attacker needs to know is the target IP address or range of IP addresses they want to attack.
Secondly, it is more difficult to defend against DDoS attacks that target multiple layers. In fact, multi-vector attacks involving layers 3, 4, and 7 combined rose 47% in 2021.
Multi-vector DDoS attacks aren’t new, but our research shows criminals are increasingly using repeated short-duration vectors, often as part of multi-vector attacks, as a misdirection tactic to distract IT teams while exploiting other network vulnerabilities to steal data, activate malware, or install viruses. Short-duration attacks are more difficult to detect, and you have less time to respond.
For instance, DDoS attacks using L7 application services are designed to masquerade as legitimate traffic to avoid detection. This makes multi-vector DDoS attacks harder for victims to defend against.
Lastly, the volume of DDoS attacks is driven by the economics of botnets. These large networks of compromised computers and IoT devices across the internet can be used for a variety of malicious cyber activities, including DDoS attacks, e-commerce click fraud, ransomware, and crypto mining to name a few. Additionally, it is very easy to repurpose botnets across different types of attack vectors.
This has led to the creation of a botnet black marketplace across the criminal underground. Essentially, botnets have become a fungible asset for organized crime. As the price of cryptocurrencies drops, we expect to see a corresponding drop in botnet crypto mining.
Finding weak spots in your cybersecurity plan
With threat actors constantly changing tactics, techniques, and procedures (TTPs), organizations must stay equally vigilant to protect their infrastructure from bad actors determined to cause financial or reputational damage. This includes assessing your risks and assets to find DDoS vulnerabilities.
Bad actors often combine strategies for maximum impact against easy, unprotected targets. They may launch repeated short burst attacks to distract or consume the resources of an IT organization. And, while the organization is at capacity defending itself, aggressors may use several small-volume attacks to map out network vulnerabilities for follow-up data breaches. We increasingly see ransomware attacks launched against business customers in combination with DDoS. After all, attackers can leverage the same botnets for both purposes.
Even if you are a small business and think you are at a lower risk, you could be in the supply chain for a larger organization that’s a target. Before ignoring the risk of a DDoS attack, ask yourself if your organization can shoulder the costs of reputational damage or lost opportunity and if you’ll be able to recover from the financial damage.
Considerations for mitigating DDoS attacks
DDoS attacks can bring even large enterprise networks to their knees, prevent businesses from reaching customers, cause financial and reputational damage, and even force businesses to close their doors. Yet, they can also be difficult to recognize. Often, business owners may just assume that their network is down, when in reality the server is under attack. Lengthy dwell times to determine the root cause mean organizations lose even more revenue during a DDoS-related outage.
The best way organizations can effectively protect themselves against DDoS attacks is by using a fully managed DDoS mitigation service provider that can block malicious traffic at the provider’s network edge before it ever reaches the target. These services provide real-time detection to minimize damage and typically mitigate attacks within seconds.
Regardless of whether an organization wants to mitigate the residual risk of DDoS attacks, there are steps everyone should take to assist with detection. Implementing an advanced firewall rate-limiting policy at least gives IT an early warning and better log details about whether a DDoS attack is underway. In addition, many DDoS mitigation service providers also offer emergency options that IT organizations can use in a pinch after an attack takes place.
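The early-warning idea above (a per-destination rate threshold that turns firewall log lines into a signal that an attack is underway) can be illustrated with a small detector. This is an added example, not code from the article or from Comcast Business; it assumes a simplified, constructed log format of "epoch_second src_ip dst_ip proto dst_port" and an assumed threshold of 100 packets per second, and it groups over-threshold seconds into bursts so the repeated short bursts and mixed L3/L4/L7 vectors described earlier stand out.

```python
"""Early-warning burst detector over firewall log lines (added example).

Assumed log format per line: "<epoch_sec> <src_ip> <dst_ip> <proto> <dst_port>".
"""
from collections import defaultdict

PPS_THRESHOLD = 100  # assumed per-destination packets/second rate limit


def per_second_counts(lines):
    """Return {dst: {second: [packet_count, {"proto/port", ...}]}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        ts, _src, dst, proto, port = line.split()
        bucket = counts[dst][int(ts)]
        bucket[0] += 1
        bucket[1].add(f"{proto}/{port}")
    return counts


def find_bursts(lines, threshold=PPS_THRESHOLD):
    """Group consecutive over-threshold seconds per destination into bursts.

    Returns {dst: [(start_sec, end_sec, peak_pps, vectors), ...]}: several
    tuples mean repeated short bursts, several vectors mean a multi-vector flood.
    """
    result = {}
    for dst, secs in per_second_counts(lines).items():
        bursts, current = [], None
        for sec in sorted(secs):
            pps, vectors = secs[sec]
            if pps < threshold:
                continue
            if current is not None and sec == current[1] + 1:
                current[1], current[2] = sec, max(current[2], pps)
                current[3] |= vectors
            else:
                if current is not None:
                    bursts.append(tuple(current))
                current = [sec, sec, pps, set(vectors)]
        if current is not None:
            bursts.append(tuple(current))
        if bursts:
            result[dst] = bursts
    return result


def constructed_log():
    """Constructed sample: steady baseline plus two short UDP/53 + TCP/443 bursts."""
    lines = []
    for sec in range(30):
        lines += [f"{sec} 198.51.100.{i} 203.0.113.10 tcp 443" for i in range(5)]
        if sec in (3, 4, 20, 21, 22):  # attack seconds: two bursts, two vectors
            lines += [f"{sec} 10.0.0.{i} 203.0.113.10 udp 53" for i in range(150)]
            lines += [f"{sec} 10.1.0.{i} 203.0.113.10 tcp 443" for i in range(60)]
    return lines


if __name__ == "__main__":
    for dst, bursts in find_bursts(constructed_log()).items():
        for start, end, peak, vectors in bursts:
            print(f"{dst}: burst {start}-{end}s, peak {peak} pps, vectors {sorted(vectors)}")
```

On the constructed log the detector reports two separate bursts against 203.0.113.10, each mixing udp/53 and tcp/443, which is the pattern of repeated short multi-vector probes that a single aggregate bandwidth alarm would miss.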
It is vital that businesses of all sizes take active steps in DDoS attack prevention and mitigation to help maintain network availability. Investing in the right security tools and services can provide an extra layer of defense to prevent DDoS attacks from taking over your business.
About the Author
Ivan Shefrin is the executive director of Managed Security Services for Comcast Business. He is a hands-on cybersecurity leader with 25 years of experience partnering with enterprise and communication service providers to anticipate and capitalize on disruptive technology trends, transform IT architectures, and generate security value using data analytics, machine learning, and automated threat response. He is responsible for Comcast Business DDoS mitigation, managed detection and response, and endpoint protection services.
Ivan can be reached online at business.comcast.com/enterprise.