DDoS threats are back

As ransomware attacks continue to make front page news, Distributed Denial of Service (DDoS) attacks may have appeared to decrease. In reality, threat actors continue to engage in DDoS attacks, especially with continued geopolitical tensions, but many go unreported making it difficult to quantify the risk and impact. In fact, over the past three years, DDoS attacks accounted for 28% of cyber threats, but organizations were only moderately effective at detecting and responding to them.

Further, research from March 2022, notes:

While the financial services industry is a major target for threat actors, all industries face DDoS risks. During January 2022, a number of DDoS attacks impacted organizations across the financial services, IT software, IT infrastructure, government and telecommunications industries.

With rising numbers of attackers and evolving methodologies, the attacks became more complex, shifting in frequency and increasing in intensity. By understanding how DDoS attacks work and how they can impact business operations, organizations can more effectively mitigate risk.

What is a DDoS attack & how does it work?

In a distributed denial of service (DDoS) attack, threat actors use multiple machines to send high volumes of requests to networks or servers, ultimately overwhelming them with too much traffic and causing them to become overwhelmed. The malicious actors control the set of infected devices, known as a botnet, and the overloaded network is unable to respond to legitimate requests causing a "denial of service."

In the first step of a DDoS attack, the threat actors exploit a security vulnerability or device weakness in internet-connected devices. They then install malware on the device, usually a command and control software, that allows them to tell the devices what to do. The individual devices are called “zombies” or “bots,” and collectively they are known as botnets. Each device sends requests to the targeted network or server, ultimately overloading the resource and making it unable to respond to any requests.

Beware of new DDoS attack types

As organizations adopt new technologies, threat actors also evolve their methodologies, including the ones used for DDoS attacks.

Some examples of the evolution of DDoS attacks include:

• Blended attacks: incorporating DDoS as part of ransomware attacks to force companies to pay a ransom or distract from data exfiltration
• Black Storm attacks: sending spoofed User Datagram Protocol (UDP) which reduces the number of devices needed for the botnet
• Middlebox reflection: leveraging in-network middleboxes that monitor and filter packet streams to reflect IP traffic

How much a DDoS attack can cost your business

Since a DDoS attack disrupts networks and servers, they usually lead to business downtime and in turn, can cost companies hundreds of thousands of dollars, if not millions. This can include both internal or customer-facing resources and can lead to:

Customer churn

With more companies delivering digital customer experiences, a DDoS attack can prevent customers from accessing applications and data. For example, a DDoS attack against a Voice-over-Internet-Protocol (VoIP) company last autumn led to service disruption, preventing customers from sending or receiving calls. When reliability and security become a concern, customers will take their business elsewhere.

Service-Level agreement violations

Companies in the business-to-business space need to consider whether service downtime will lead to a contract violation. In this case, the organization may need to pay a penalty, or the customer may choose to terminate the contract. Companies must have a solution in place to mitigate these types of attacks.

Lost productivity

Business applications and organizational networks can also be impacted by a DDoS attack. This means that employees will be unable to access the resources they need to do their jobs, reducing productivity and impacting profits.

Response costs

Just like any other attack type, organizations need to respond to a DDoS attack promptly. They need to contain the malware and restore all devices, systems, and networks to their pre-attack state.

Legal and compliance costs

When DDoS attacks are used to mask data exfiltration, companies may find that the initial outage also leads to privacy violations and potential lawsuits. Not only are these increased costs, but they can take a long time to resolve.

How do you know you’ve suffered a DDoS attack?

DDoS attacks often begin with subtle changes in network traffic or resemble maintenance issues.

When trying to determine whether an organization has experienced a DDoS attack, security teams usually look for some of the following indicators:

• Slow network performance, like latency when opening files or accessing websites.
• Unavailable website domain
• Inability to access web resources
• Abnormal network traffic patterns from devices or an IP address
• Abnormal network traffic to a single endpoint or IP address