Distributed Denial-of-Service (DDoS) Attacks: What You Need to Know

The Burgeoning of DDoS Attacks

Distributed Denial of Service (DDoS) attacks are growing quickly, not simply in the number of attacks but also in intensity. In mid-2022,  Cloudflare blocked a 26 million rps (requests per second) DDoS attempt. That Cloudflare event was the largest DDoS attempt known until mid-August 2022, when Google blocked the largest known Layer 7 DDoS attempt, clocking in at 46 million rps. Check here for more DDoS attacks (so far) in 2022.

For a fascinating visual of DDoS attacks, look at NETSCOUT’s live map. 

What Is a DDoS Attack?

A DDoS attempts to stop normal website traffic by making lots of fake website traffic. Most often, it’s malicious, like when angry shoppers block entry to a department store. Sometimes, it’s quite by accident, such as when several web developers stress-test an app and the app fails. But we’ll talk about the malicious kind here.

 With this simplified explanation, it doesn’t necessarily sound all that bad. What’s wrong with a site going down for a few minutes? That appears to happen every time my internet connection goes down, and I have to reboot my ISP’s router.

A DDoS is often more than just an attempt to stop traffic for a bit. An attack against a provider can end up taking down entire businesses for hours. Too much traffic and how the packets are crafted can cause servers to “tip over” by rebooting or failing.

There Are 3 Common Types of DDoS:

1. Volumetric attacks create network traffic that appears legitimate but is designed to inundate the network.
2. Protocol attacks are attempts to inundate edge devices (e.g., firewall) to disrupt connections.
3. Application attacks (Layer 7) impersonate legitimate user behavior to exhaust a web server's resources. An example is an HTTP Flood, where a bot sends an inordinate amount of GET requests to a webpage. The Cloudflare and Google attacks were of this kind, except they were HTTPS instead of HTTP.

The equipment used in the attacks is an interesting (and disturbing) change in DDoS. Historically, the strategy has been creating a botnet from a multitude of infected computers, then launching the attack from the zombies. These recent enormous HTTPS attacks have been launched by criminals using their own gear. That scale takes an enormous amount of computer power, which entails an enormous amount of money. While many DDoS attempts will continue relying on infected botnets, some attackers don’t have to rely on others, making it almost impossible to use something like the MITRE ATT&CK framework to anticipate such attacks. Application Security (AppSec) teams continue to have their jobs cut out for them!

This may sound technical and only relevant to those working in AppSec, but here are several business and concrete implications of a successful DDoS attack:

• Immediate financial loss due to lack of sales
• Reputation loss – often considered the greatest risk - and the ensuing loss of sales due to mistrust
• Data loss (it’s never easy or quick to restore)
• System restoration (data restore hard; system restore can be even harder)

On a larger scale, DDoS attacks that, even temporarily, take down critical infrastructure services can disrupt food supply, cause power outages, foul up water purification, and even cause loss of life. 

What Can Be Done?

There’s a quote attributed to Joseph Stalin that says, “Quantity has a quality all its own.” The onrush of a ton of simple bits and bytes involved in DDoS is enough to take down the best orgs or, in the cases mentioned above, enough to necessitate emergency response (snowstorms and sandstorms are apt analogies). What can be done before and when DDoS strikes? Here are some strategies:

Know your endpoints 

Inventory, inventory, inventory. If it’s public-facing, it’s a target that will be found and exploited.

Remember APIs 

Endpoints are more than sites, pages, and apps. “The average number of APIs per company increased by 221% in 12 months” - APIs are everywhere. And because of that, they can be easily overlooked and even forgotten.

Rate Limiting

Rate limiting and throttling are miracles of technology - use them generously and wisely. They take testing, but they are actually fun to test, enable, and see that they really work!

DDoS protection

Many providers offer DDoS protection; some include it in their services. As early as possible, get it in place. Even if there’s a cost to the protection, a DDoS will increase a company’s cost due to the increased traffic, and that cost will likely be greater than the cost of the protection (think insurance).

Schema Validation

Whatever tool or documentation is available, make the best effort to validate the schema. 100% schema validation is likely too costly, but anything is progress. 

Assessing a DDoS Protection Strategy

A picture is worth a thousand words; a good question is worth a thousand pictures. So here are some questions to help work through assessing a DDoS protection strategy.

• Can your vendor detect and remediate a DDoS attack?
• How quickly can your company detect, analyze, and mitigate the attack?
• If you were DDoSed, would your critical apps remain up?
• Would there be collateral damage?
• How many real users would be affected?

Make Security a Priority

Depending on the circumstance, securing applications can seem like a marathon, like Sisyphus eternally pushing a rock up the hill, like a maze, or like shifting sands. But one thing is for certain – security is always in season.