Getty Images
DDoS attacks surging behind new techniques, geopolitical goals
A rise in massive DDoS attacks, some of which target the application layer and cause significant disruptions, might require new defense strategies from cybersecurity vendors.
A new wave of powerful DDoS attacks has emerged across the threat landscape, and cybersecurity vendors say previous mitigation efforts are becoming increasingly ineffective.
Recent attacks over the past year against prominent vendors such as Microsoft and Google represent a shift to application layer, or Layer 7, DDoS attacks, but it doesn't stop there. The rapidly evolving threat is affecting organizations of all sizes as attackers leverage new techniques that take advantage of internet architecture protocols such as HTTP and DNS to launch highly disruptive attacks.
The adoption of new techniques, the growth of DDoS as a service, expanding attack vectors and access to more powerful botnets have led to record-breaking DDoS attacks within the past few months alone. However, vendors observed an uptick in frequency, speed and complexity over the past few years.
Last week, Akamai Technologies published a blog titled "The Relentless Evolution of DDoS Attacks." Craig Sparling and Max Gebhardt, product managers at Akamai, emphasized how quickly the DDoS threat is evolving. The pair warned that "attack vectors that deliver the maximum impact for the smallest cost will invariably rise in popularity."
"The top five vectors in 2010 represented 90% of all attacks, whereas today's top five only accounted for 55% of all attacks," Sparling and Gebhardt wrote in the blog. "This shift underscores not only the increasing sophistication of the modern DDoS toolkit, but also the immense pressure on security teams to defend against a booming library of threats."
An attack against Microsoft earlier this month highlighted the threat DDoS poses to organizations regardless of size and resources. The tech giant confirmed that widespread disruptions to services such as Microsoft 365 and Azure were caused by DDoS attacks and attributed it to a threat actor it tracks as "Storm-1359." The group, also known as Anonymous Sudan, used techniques to circumvent previous mitigation strategies, including Slowloris and cache bypass attacks.
In February, Cloudflare disclosed that it had mitigated a "record-breaking" 71 million requests per second (rps) DDoS attack. The attack was one of many highlighted in a blog post that revealed the company "detected and mitigated dozens of hyper-volumetric DDoS attacks" in just one weekend. The majority peaked between 50 and 70 rps, but one stood out.
"This is the largest reported HTTP DDoS attack on record, more than 54% higher than the previous reported record of 46M rps in June 2022," Cloudflare wrote.
The February blog post emphasized how attacks had been increasing in "size, sophistication, and frequency" over the past few months. In addition, Cloudflare's DDoS threat report for the fourth quarter of 2022 determined that the amount of HTTP DDoS attacks increased by 79% year over year.
Another significant HTTP DDoS attack from 2022 targeted a Google Cloud Armor customer, but was unsuccessful. In a blog post from August of last year, Google confirmed that it had blocked a Layer 7 DDoS attack on June 1 that peaked at 46 million rps. Like Cloudflare, the vendor also observed that DDoS attacks over the past few years have increased in frequency and grown "exponentially."
As more organizations have shifted workloads and applications to the cloud in recent years, threat actors have jumped on the trend by targeting the broadened attack surface. And until recently, much of the DDoS activity was mitigated, producing minimal disruptions. But experts say the threat landscape has changed, thanks to several factors.
Geopolitical goals advance DDoS attacks
In addition to the growth in attack surface, vendors identified an array of factors that contributed to the increasing DDoS danger. Steve Winterfeld, advisory CISO at Akamai, narrowed it down to three primary sources, including more systems being compromised to become part of botnet armies, which he said mainly comprise IoT and connected devices.
Secondly, he told TechTarget Editorial that cybercriminals are offering more DDoS tools and IaaS, which lowers the skill set necessary to conduct an attack. Thirdly, more nation-state threat groups are leveraging DDoS attacks to attain political goals.
"Furthermore, the attacks follow the money, so they launch attacks on the most critical assets -- websites and APIs. As we transition to greater employee and customer engagement online, these protections are more critical than ever," Winterfeld said.
Eyal Arazi, senior security solutions lead at Radware, agreed that geopolitical motives have played a significant role in the uptick in DDoS attacks. Radware observed a 150% increase in the number of DDoS attacks between 2021 and 2022. The cybersecurity vendor mitigated one attack that occurred between February and April that generated 15 billion requests in aggregate.
The new wave of powerful attacks traces its origins to the Russian invasion of Ukraine in February 2022, he said, particularly linked to Russian state-sponsored groups such as Killnet and NoName. Backed by the state, the groups, including Anonymous Sudan, have the resources to build bigger and more powerful botnets, and now that knowledge is spilling over.
Arazi said there's been a wave of politically motivated DDoS attacks against Israel, India, Australia and other countries. Radware's threat intelligence discovered more than 1,800 DDoS attacks claimed by hacktivists between mid-February to mid-April.
One significant concern he presented is how the new attacks masquerade as legitimate traffic because they're encrypted with HTTPS, which makes it harder for mitigation services to detect malicious requests.
"One of the biggest changes in these new attacks is the shift to Layer 7 DDoS attacks, and particularly to HTTP/S DDoS attacks," Arazi said. "This shift has introduced a new level of complexity and enabled attackers to launch far more devastating attacks than ever before. These attacks are high in requests per second and sophisticated in behavior, masquerading as legit traffic and going unnoticed upon decryption."
DDoS attacks are particularly popular among politically motivated cybercriminals where disruption is the goal. Mike Parkin, senior technical engineer at risk management vendor Vulcan Cyber, said that given the current geopolitical situation, he's not surprised to see sophisticated and highly disruptive attacks. "That said, cybercriminals will still sometimes use a DDoS and demand payment to turn it off, while state-level threats may use ransomware to conceal their motives," Parkin told TechTarget Editorial.
Current mitigations were designed to defend against volume attacks, but Parkin noted how threat actors have moved past simple flooding to more sophisticated techniques. One more advanced method involves the attacker using the web server's behavior against it.
"Rather than 100,000 bots sending a flood, I have 50 of them sending simple queries in rapid succession that hammer the target's resources. It's even worse when the attacker finds their way past a content distribution network and hits the source servers directly," Parkin said.
Revamp mitigation strategies
The DDoS attacks against Microsoft this month highlighted holes in current mitigation efforts. In an effort to curb the attacks, Microsoft recommended customers configure their Azure web application firewall to enable bot protection and block malicious IP addresses. Some security experts questioned why customers needed to take action when the tech giant was the organization under attack.
But Arazi said the problem is not with Microsoft itself, but the entire traditional approach to DDoS protection. While most DDoS mitigations rely on static signatures of known attacks and apply brute-force mitigation techniques, the new generation of attack tools uses evasion techniques such as randomized header parameters, dynamic request arguments, IP spoofing and more.
"Traditionally, DDoS mitigation solutions concentrated on Layer 3 and 4 to protect against volumetric network layer attacks. However, when you launch attacks in the application layer, it is very difficult to distinguish between a legitimate request and a malicious request," Arazi said. "Moreover, most web traffic today is encrypted under HTTPS, which means by default that the payload of the packet is encrypted to an outside observer. This makes it even harder for traditional mitigation tools to identify malicious requests."
John Grady, senior analyst at TechTarget's Enterprise Strategy Group, said Layer 7 DDoS attacks are typically less powerful but harder to mitigate because they specifically target legitimate application processes. And given the amount of computing resources, tools and techniques available to threat actors, they can use multiple approaches -- as Storm-1359 did against Microsoft -- to cause prolonged disruptions.
"These horizontal or carpet-bombing attacks force security teams to assess a wider set of resources to understand what's going on and determine how to remediate," Grady said.
Because attack patterns are constantly changing, Arazi said the new approach should be based on dynamic behavioral detection and mitigation.
Emerging DDoS threats were highlighted in Akamai's June blog post. One attack vector, which the vendor dubbed "PhoneHome," is a new reflection DDoS vector with a "record-breaking potential amplification ratio." Akamai observed PhoneHome deployed in the wild to launch multiple DDoS attacks. The second, named "TCP Middlebox Reflection," Akamai classified as an amplification vector. It exploits corporate and national firewalls to reflect traffic against a victim.
To protect against emerging vectors, Akamai recommended reviewing critical subnet and IP spaces, ensuring DDoS security controls are in an "always-on" mitigation posture, and having a crisis response team with an incident response plan ready.
"Bottom line: It is important to test your DDoS protections and validate your playbooks before you are hit," Winterfeld said.
Arielle Waldman is a Boston-based reporter covering enterprise security news.