The world is becoming an increasingly digitally connected place, with Internet use soaring to new levels during the Covid-19 pandemic.
According to Statista, an estimated 15 billion connected or smart devices are currently in use across the planet, with the number of devices expected to double by the end of the decade.
However, this rise in internet usage and digital connectivity also increases the threat posed by cyberattacks. For instance, distributed denial-of-service (DDoS) attacks have increased tenfold between the first Worldwide Infrastructure Security Report (WISR) that NETSCOUT conducted in 2005 to its latest fifth Anniversary DDoS Threat Intelligence Report.
Although NETSCOUT researchers observed a decline in DDoS attacks during the first half of 2022 – which can largely be attributed to lockdowns being lifted as the Covid-19 pandemic came to an end – this didn’t last long. Threat actors didn’t suddenly start behaving themselves.
In fact, attack activity increased once more during the second half of the year, with attacks reaching nearly 13 million for 2022, representing a new high-water mark for attack frequency.
At the same time as this increase in attack activity, adversaries haven’t rested on their laurels when it comes to expanding and launching new attack methods and vectors to devastating effect. Attacks have developed from simple denial-of-service to dynamic distributed denial-of-service, evolving and adapting to counter network defenders.
Instead of simply being content with deploying the same, basic DDoS attacks, threat actors are utilising new, innovative types of DDoS attacks, creating a shifting paradigm, at the centre of which are direct-path attacks.
Motivations for innovative DDoS attack vectors and methodologies
Threat actors are motivated by a number of factors: money, politics, competition, or simply power within their specific community, leveraging DDoS attacks in an attempt to incite fear, cause havoc, and cash out.
Organisations experienced a collection of DDoS attack motivations in 2022, stemming from events in late February as websites were taken offline just prior to the Russia-Ukraine war. Those events created a cascade of attacks against numerous nations and industries, which continue to this day.
Manufacturing, wireless telecommunications, and even the optics industry experienced these diverse motivations in the DDoS threat landscape. Whatever objectives cybercriminals may have, they must continuously develop new DDoS attack vectors and methodologies in order to achieve them.
The findings from NETSCOUT’s latest Threat Intelligence Report demonstrate the extent of cybercriminals’ innovation when it comes to developing new DDoS attack vectors and successful methodologies.
These range from TCP direct-path attack vectors to carpet-bombing and application-layer attacks against DNS servers and websites. Threat actors have accelerated their adoption of attack targets and techniques, resulting in huge increases in attack activity during the second half of 2022.
Direct-path attacks
Direct-path attacks are growing at an alarming rate. These types of attacks surged in 2022, making up roughly half of all DDoS attacks. In fact, over the last three years, they have increased by 18% while, during the same period of time, traditional reflection/amplification attacks decreased by a similar amount, highlighting the need for organisations to implement a hybrid defence approach to weather fluctuating attack methodologies.
Additionally, with there now being over one billion websites worldwide, there has been a surge in DDoS attacks targeting websites – as evidenced by a 487% increase in HTTP/HTTPS application-layer attacks since 2019.
The most significant escalation came during the second half of 2022 when pro-Russian groups such as Killnet explicitly launched attacks targeting websites. Attacks of this nature have coincided with the war between Russia and Ukraine, forcing critical financial, government, and media sites offline.
Carpet-bombing attacks
In addition to these vectors, carpet-bombing attacks – a technique that targets entire IP address ranges as opposed to a single host – increased by 110% from the first to the second half of 2022. This type of attack has been designed to evade common DDoS detection systems.
Their usage started to become increasingly widespread in November 2021, before their prominence increased further in August 2022. Daily attacks using this method rose from an average of 670 in 2021 to an average of 1,134 in 2022, representing a 69% increase.
In terms of industries targeted using this method, the majority of these attacks have come against internet service provider (ISP) networks.
DNS query floods
Lastly, DNS query floods have more than tripled since they really became weaponised in 2019, with there being a 243% increase in the adoption of this attack technique since that year.
As a form of application-layer attack, the average daily attack count for 2022 was recorded at approximately 850 attacks, a 67% increase over the daily average of 522 seen in 2021.
Further sub-divided into regions, the following increases in this attack technique indicate adversaries are using it everywhere. For instance, both APAC and EMEA saw increases of over 100% in the daily average usage of this type of attack.
Typically speaking, most DNS query floods have tended to affect ISPs. However, in the second half of 2022, adversaries used this tactic to target both the national security and commercial banking sectors in North America and EMEA, respectively.
There is a high likelihood that these attacks are almost exclusively related to the ongoing conflict between Russia and Ukraine.
The fact that complex multi-vector attacks and more sophisticated adversary methodologies have become more complex further highlights the need for intensive scrutiny of the threat landscape and an ever-evolving defence-in-depth positioning to weather the onslaught of attacks.
DDoS attacks: Response plan
The evolving nature of DDoS attacks is forcing network managers to reconsider how efficient and effective their DDoS defence systems really are. They are making organisations question how they can prevent and stop these increasingly innovative and dangerous attacks.
If businesses are unable to withstand and effectively cope with a DDoS attack, there is the potential for an attack to result in loss of revenue, compliance failures, and considerable damage to brand reputation and public perception.
As such, organisations need to have a plan of action in place when a DDoS attack occurs. This plan, like any business continuity plan, will be a living document which is regularly tested and refined over an extended period of time.
As the old adage goes: “By failing to prepare, you are preparing to fail”. The methodology for dealing with a DDoS attack is made up of six phases: preparation, detection, classification, traceback, reaction, and post-mortem. These critical components should be a feature of every DDoS response plan. Each phase informs the next, and the cycle improves with each iteration.
Successfully handling a DDoS attack is entirely dependent on a company’s preparedness and the readiness of its plan. An organisation’s DDoS response plan will be the structure supporting all six phases outlined above. It will be a document which is continually edited and updated, tailored to the environment and refined through practice and potential real-world use.
What’s more, it’s imperative for this plan to encompass the entire scope of all the different elements, processes, and procedures necessary to ensure an organisation is able to execute its mission in the face of a DDoS attack.
However, the only way to know if the plan is accurate and thorough is by conducting periodic testing. This should include both internal-only and full attack simulations involving all stakeholders and external parties.
So long as adversaries continue to find effective ways to circumvent security measures, network managers and organisations are required to constantly develop new methods to effectively block and combat DDoS attacks. For organisations to successfully mitigate an attack, they must have a comprehensive, tested plan, executing it as practised.
