What makes it difficult to prevent a DDoS attack?

The Scale and Scope of DDoS Attacks

DDoS attacks have been increasing in size, frequency, and impact over the last decade. Major attacks have set new records for the amount of traffic generated, causing widespread outages and demonstrating the destructive potential of DDoS. In 2020, Google reported mitigating the largest-ever DDoS attack, peaking at 46 million requests per second (rps) (Google Cloud Blog). That record was shattered just two years later, when Google mitigated a colossal attack reaching a peak of 398 million rps using a novel “Rapid Reset” technique that exploited weaknesses in the HTTP/2 protocol (Google Cloud Blog). Major cloud providers like Google and Amazon Web Services have found themselves frequent targets of massive DDoS campaigns.

Other major attacks include the 2016 DDoS on DNS provider Dyn, which disrupted access to major sites like Twitter, Netflix, and PayPal by attacking Dyn’s DNS servers (Cloudflare). In 2018, DDoS extortion attacks caused outages at banks across the US. The increasing scale of DDoS attacks presents major challenges for defense and mitigation.

The Variety of DDoS Attack Vectors

DDoS attacks can happen in a variety of ways. The three main types of DDoS attack vectors are volumetric attacks, protocol attacks, and application layer attacks.

Volumetric attacks aim to overload network infrastructure by flooding it with huge amounts of bogus traffic. Common volumetric attack types include UDP floods, ICMP floods, and spoofed-packet floods.

Protocol attacks exploit weaknesses in the network protocols the victim relies on. Examples are SYN floods, ACK floods, and SYN-ACK reflection attacks, which consume server resources and bandwidth.

Application layer attacks focus on disrupting web applications and servers. Common methods are HTTP request flooding, SQL injection attacks, cross-site scripting, and abuse of APIs or page functionality.

Attackers often combine multiple volumetric, protocol, and application layer attack vectors into powerful multi-vector DDoS attacks.

The Internet of Things as a Source of Attacks

The rise of insecure Internet of Things (IoT) devices has provided new fodder for DDoS attacks. IoT devices like security cameras, routers, and digital video recorders often have poor security features such as default or hard-coded passwords. This allows them to be easily compromised and added to botnets.

Botnets are networks of devices infected with malware that allow them to be controlled remotely. The controllers, known as “bot herders,” can direct the botnet to flood targets with traffic to carry out DDoS attacks. Some of the largest DDoS attacks have been powered by IoT botnets.

One infamous example is the Mirai botnet, which caused widespread disruption in 2016 by infecting hundreds of thousands of IoT devices. Mirai and its variants have been used in record-breaking attacks exceeding 1 Tbps.

Other IoT botnets like Hajime have also assembled huge networks of compromised devices. Until IoT security is improved, these botnets will remain a potent vector for large-scale DDoS attacks.

The Ease of Renting DDoS Services

One major factor that makes DDoS attacks easier to execute is the availability of DDoS-for-hire services, also known as “booters” or “stressers.” These criminal providers enable anyone to easily rent access to a network of compromised devices that can launch DDoS attacks on demand (1). By paying a nominal fee, often just a few dollars, even unsophisticated attackers with no technical expertise can launch powerful volumetric DDoS attacks capable of taking down major websites and networks (2).

Some of the most prolific DDoS booter services engaged in criminal activity include BootStress, Nightmare Market, and VistaBooter (3). These underground providers typically rely on botnets comprised of hundreds of thousands or even millions of Internet of Things (IoT) devices infected with malware. The sheer scale of these botnets allows the DDoS services to overwhelm targets with massive amounts of junk traffic.

The convenience and low cost of these turnkey DDoS attack services significantly lower the barriers for conducting disruptive denial-of-service attacks. Without the need for technical skills or resources, even novice cybercriminals and bored teenagers can now easily rent DDoS attacks and cause major headaches for businesses and organizations.

The Asymmetry of Offense and Defense

One of the key challenges in defending against DDoS attacks is the inherent asymmetry between offensive and defensive capabilities. Launching a DDoS attack requires relatively little effort and few resources compared to what is required to mitigate one. Attackers can easily rent DDoS services and botnets to overwhelm targets with junk traffic, often for just a few dollars per hour. Defenders, on the other hand, need to invest in expensive mitigation services, extra bandwidth, and sophisticated monitoring and filtering systems to have a chance of withstanding large attacks.

This imbalance means that attackers have an advantage in agility and cost efficiency. A single attacker can take down even well-defended sites through sustained DDoS barrages. Defenders not only need to block current attacks but also stay ahead of new attack vectors. DDoS mitigation relies on advanced technologies like traffic profiling, scrubbing, and machine learning algorithms. Implementing and maintaining these systems requires significant expertise and resources.

According to Imperva, recent attacks exceeding 1 Tbps show that DDoS capabilities are growing faster than many organizations can keep up with through mitigation alone. Ultimately, the asymmetry means defenders have to work much harder and invest more to be resilient against attacks. Not all organizations have the scale and budget for state-of-the-art DDoS protection.

The Difficulty of Filtering Attack Traffic

One of the biggest challenges in mitigating DDoS attacks is separating legitimate user traffic from attack traffic. This is difficult because DDoS attacks often rely on spoofing techniques to mask the true source of the malicious traffic. Spoofing involves forging the source IP address of packets to make them appear to be coming from valid users rather than the botnet performing the attack [1].

Attackers can spoof IP addresses to match those of real users, making it seem as if the traffic is legitimate. This means that simply blocking traffic from specific IP addresses isn’t an effective defense. More advanced filtering techniques are required to analyze traffic patterns and identify anomalies indicative of an attack.

Attackers also frequently change and randomize the spoofed IP addresses, making it challenging for defenses to keep up. The scale of modern botnets with tens or hundreds of thousands of compromised devices allows attacks to mimic normal traffic patterns and evade detection.

As DDoS attacks continue to grow in size and sophistication, developing smarter filtering mechanisms capable of detecting anomalies and separating good traffic from bad with high accuracy remains an ongoing challenge.
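The point made above, that blocking individual source addresses fails once a SYN flood is spread across spoofed, never-repeating sources, is easier to see on data. The following is an added example, not code from the original article: it builds a constructed set of flow records (two seconds of normal clients, then one second of spoofed SYN flood) and scores each one-second window on aggregates a defender can trust even when source IPs cannot be. The traffic, the window size and every threshold are assumptions chosen for the demonstration.

```python
"""Window-level flood detector over constructed flow records (added example).
Per-IP blocking fails when sources are spoofed and randomized, so this scores
per-second aggregates instead; thresholds and sample traffic are assumptions."""
import random
from collections import defaultdict

def build_sample_flows():
    """Constructed sample: two seconds of four normal clients, then one second
    of SYN flood where each of 600 random spoofed sources sends a single SYN."""
    rng = random.Random(7)          # fixed seed keeps the sample deterministic
    flows = []                      # records are (second, src_ip, tcp_flag)
    for t in (0, 1):
        for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
            flows.append((t, client, "S"))                       # handshake SYN
            flows.extend((t, client, "A") for _ in range(rng.randint(4, 8)))
    for _ in range(600):            # flood second: one bare SYN per random source
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append((2, src, "S"))
    return flows

def window_metrics(flows):
    """Per-second aggregates: volume, bare-SYN share and source-address diversity."""
    acc = defaultdict(lambda: {"total": 0, "syn": 0, "per_src": defaultdict(int)})
    for t, src, flag in flows:
        w = acc[t]
        w["total"] += 1
        w["syn"] += flag == "S"     # bools add as 0/1
        w["per_src"][src] += 1
    return {t: {"total": w["total"],
                "syn_share": w["syn"] / w["total"],
                "pkts_per_source": w["total"] / len(w["per_src"]),
                "max_per_source": max(w["per_src"].values())}
            for t, w in acc.items()}

def detect_flood(flows, baseline_windows=2, volume_factor=5.0,
                 syn_share_limit=0.8, pkts_per_source_limit=1.5):
    """Flag windows whose volume jumps above the baseline mean AND that look like a
    spoofed flood: mostly bare SYNs, about one packet per (never repeating) source."""
    metrics = window_metrics(flows)
    keys = sorted(metrics)
    baseline = sum(metrics[k]["total"] for k in keys[:baseline_windows]) / baseline_windows
    return [k for k in keys[baseline_windows:]
            if metrics[k]["total"] > volume_factor * baseline
            and metrics[k]["syn_share"] > syn_share_limit
            and metrics[k]["pkts_per_source"] < pkts_per_source_limit]
```

Note that `max_per_source` in the flood window is 1, lower than any legitimate client's count in the quiet windows, so a per-IP rate limit tuned to tolerate normal users would never fire; the volume jump, the bare-SYN share and the one-packet-per-source pattern together are what give the flood away.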

The Costs of DDoS Mitigation

DDoS attacks can have a significant financial impact on businesses. According to a report from InfoSecurity Magazine, the average cost of a DDoS attack in the US is around $218,000 without mitigation strategies in place [1]. The costs come from business disruption, lost sales, downtime, and reputational damage. A DDoS attack that causes an ecommerce website to go down can result in staggering losses of revenue. One report estimates that the downtime cost of an application DDoS attack averages $6,130 per minute [2].

Implementing DDoS mitigation solutions does add costs, but they pale in comparison to the potential losses from an attack. DDoS mitigation services typically cost between $2,000 and $10,000 per month. While not insignificant, these costs allow businesses to avoid much larger losses from attacks. With the frequency and scale of DDoS attacks increasing, having mitigation solutions in place has become a necessity for organizations of all sizes.

DDoS Extortion

DDoS extortion, also known as ransom DDoS attacks, refers to cybercriminals threatening to launch DDoS attacks against organizations unless a ransom payment is made. This type of extortion scheme has become increasingly common, presenting a lucrative criminal business model. The attackers often first launch a short demonstration attack, then follow up with extortion demands promising worse attacks if the ransom isn’t paid.

Some examples of ransom DDoS attacks include the following:

  • In 2021, cybercriminals targeted banks, crypto exchanges, and online casinos in Russia, Turkey, and other countries demanding ransoms of 5-10 bitcoins (worth hundreds of thousands of dollars at the time) to call off threatened DDoS attacks (Cloudflare).
  • The e-commerce site Basecamp was hit by a ransom DDoS attack in 2021, receiving a Bitcoin ransom demand after an initial attack took the site offline. Basecamp refused to pay (Netscout).
  • In 2022, a threat actor named Fancy Lazarus launched DDoS extortion campaigns targeting organizations across sectors in the US and Europe, including banks, hotels, and hospitals. Ransom demands ranged from 10-100 bitcoins (Indusface).

These examples show how DDoS extortion has evolved into a criminal business model that can generate substantial payouts from targets desperate to avoid disruption of online operations.

Lack of Accountability and Enforcement

One major challenge in preventing DDoS attacks is the difficulty of holding attackers accountable and enforcing laws against them. DDoS attacks often utilize botnets composed of thousands of compromised devices across the globe, making the true source of the attack obscure and difficult to trace. According to the DHS, “Attribution is difficult, allowing adversaries to launch attacks with little fear of reprisal” (DHS). Even if the botnet is identified, the attacker themselves may be using VPNs or other anonymizing techniques to mask their identity and location.

Furthermore, many DDoS attacks originate from overseas jurisdictions where laws are lax or not enforced. A 2021 report found that over 90% of DDoS traffic came from only 20 internet service providers, many in developing nations (LinkedIn). International cooperation and extradition are required to prosecute foreign-based attackers, which can be challenging. Thus, attackers often act with impunity, knowing that they are unlikely to face consequences.

In summary, the distributed and anonymous nature of DDoS attacks, along with jurisdictional challenges, makes it extremely difficult to hold attackers accountable. This lack of enforcement reduces deterrence and allows DDoS attacks to remain a persistent threat.

The Need for Improved Mitigation

Given the evolving nature of DDoS attacks and the challenges of defending against them, organizations need to constantly enhance their DDoS resilience and prevention capabilities. Some key ways to improve mitigation include:

  • Conducting regular DDoS testing and simulations to find vulnerabilities before attackers do. Services like AWS Shield provide testing tools to help identify weak points.
  • Using CDN caching and services like Cloudflare to absorb and filter malicious traffic before it reaches origin servers.
  • Deploying advanced mitigation techniques like Anycast routing and blackhole filtering to quickly divert DDoS floods.
  • Building in redundancy across servers, networks, and ISPs to minimize single points of failure.
  • Working with ISPs and internet backbone providers to craft improved DDoS detection and cleaning capabilities.
  • Backing up critical data and processes offline or in the cloud to enable fast recovery after attacks.
  • Keeping software patched and firewalls updated to remove vulnerabilities attackers can exploit.
  • Creating in-house DDoS response teams and processes that can be rapidly activated during attacks.
  • Leveraging AI and machine learning to continuously tune DDoS defenses based on the evolving threat landscape.

By combining multiple layers of technology and processes, organizations can develop robust, resilient DDoS defenses capable of withstanding large-scale attacks.