Thirteen Days or One Hour: The Threat of Large-Scale DDoS Attacks

This opinion piece was contributed by Benjamin Campbell

Unfortunately, the threat of a distributed denial-of-service (DDoS) attack is an ever-growing one for any organisation. The growth of the Internet of Things (IoT) and cloud computing has made access to the computational resources necessary to perform these attacks cheaper and more easily available to attackers.

As a result, DDoS attacks lasting hours and even days have become a reality for some organisations. These attacks have the scale and volume necessary to completely deny legitimate users access to the service, causing a significant impact on an organisation’s ability to engage with and retain customers. As a result, the need to deploy a comprehensive DDoS mitigation solution has become a vital component of any organisation’s cybersecurity strategy.

Introduction to DDoS

A DoS attack is designed to deny users access to a particular website or service. This is typically accomplished by overwhelming a web server with more malicious connection requests than it has the capability to process. As a result, the server is incapable of keeping up and processing legitimate requests, causing a degradation or loss of service for legitimate users. The limitation of a DoS attack is that it may be difficult for a single attacker to overwhelm a web server, especially if multiple servers are performing load balancing. 

As a result, DDoS attacks use multiple attacking machines in order to make overwhelming the target easier for each individual attacker. By collecting large numbers of compromised machines, attackers have been able to launch massive DDoS attacks. These attacks have the ability to render an organisation’s website completely inaccessible to legitimate users.

A 13 Day DDoS Attack

A recent DDoS attack in July 2019 against an internet-based streaming service was notable for several different reasons. These included the duration of the attack, the type and volume of the attack, and the response of the targeted organisation. The DDoS attack in question would be considered exceptional for the duration of the attack alone. The attack, which lasted 13 days, was much longer than the typical attack. This demonstrated that the attacker was extremely committed to taking down their target.

The attack was also unique for its composition and scale. This was a Layer 7 DDoS attack, meaning that it targeted the application layer of the target machines rather than the network level. Instead of trying to exhaust the target’s network bandwidth, the attacker tried to overwhelm the web server’s ability to process GET and POST requests.

This type of attack is much more difficult to detect and defend against than a ‘traditional’ network-level DDoS attack. The fake traffic in this type of attack mimics legitimate user traffic to make it harder for an organisation to differentiate and block it. This particular attacker also tailored the requests to look as believable as possible in order to further complicate detection.

Finally, this attack was noteworthy for the fact that the target organisation was able to remain online and available to customers throughout the entire attack. This was the largest Layer 7 DDoS attack ever seen by the organisation’s DDoS protection provider, with over 400,000 unique IP addresses participating. Despite this, the organisation was able to filter out the attack traffic and maintain availability of the streaming service through all 13 days of the attack.

The Growing Threat of DDoS

This 13-day DDoS attack is just one example of a trend towards larger, more frequent DDoS attacks. Analysis of the attack revealed that the attacking machines were largely comprised of IoT devices collected into a botnet by an attacker. These IoT botnets have become increasingly common in recent years for a number of reasons. One reason is the insecurity of these IoT devices. Many devices have serious vulnerabilities, making them easy for a hacker to compromise and take over.

The problem is exacerbated by the easy availability of source code for creating malware to build IoT DDoS botnets. The source code of Mirai, a famous IoT botnet, was publicly released, lowering the bar for would-be botnet herders to enter the field.

As a result, IoT-drive DDoS attacks are becoming increasingly common. The easy availability of computational power for DDoS attacks due to the growth of IoT and cloud computing has driven down the price of a DDoS attack to as low as $7 per hour. This allows hackers to offer DDoS attacks for hire at affordable prices, making any organisation a potential target of a disgruntled employee or dissatisfied customer.

Protecting Your Network

As the threat of large-scale DDoS attacks grows, so does the need for organisations to deploy the appropriate security solutions to protect their networks. An organisation’s web presence has become a critical point of contact between the organisation and the consumer. Losing access to this resource, whether for 13 days or a mere hour, could have a significant impact on a business’s customer base and bottom line.

This DDoS attack against the streaming service demonstrates the value of a strong DDoS protection solution for an organisation. Despite the duration and volume of the attack, the service was able to remain online and functional throughout. As the threat of DDoS grows, every organisation should seriously consider investing in such a solution to be a critical component of their cybersecurity strategy.

Like this piece? Why not check out our CxO of the Week?