A distributed denial-of-service (DDoS) cyberattack occurs when a cybercriminal attempts to disrupt an online service by flooding it with fake traffic. This attack can be achieved by overwhelming various aspects of an organization’s systems, such as servers, devices, networks and applications. During a DDoS attack, cybercriminals send a barrage of requests to the victim’s server, with the intention of exceeding the capacity limits of their websites, servers and networks, resulting in a stoppage of services. The effects of these attacks can range from minor annoyances to taking entire websites, networks or businesses offline and these attacks are on the rise!
DDoS attacks rely on multiple machines working together to target a single victim organization. To increase the size of these attacks, DDoS attackers often hijack a group of interconnected devices to carry out the attack. These groups of hijacked computers are called botnets. Botnets consist of millions of computers that can be anywhere and belong to anyone. The devices that make up botnets may be infected with malware or rented out for the attack. In both cases, the hijacked computers are used to flood victim organizations with more connection requests than they can handle.
This article describes how DDoS attacks work, explains why these cyberattacks are on the rise, and outlines preventative measures for businesses to consider.
How DDoS attacks work
DDoS cyberattacks can come from a variety of sources, including disgruntled employees, business competitors, or nation-state actors. Attackers may seek revenge, wreak havoc, or gain a competitive advantage. The purpose of these attacks is to cause server downtime and financial loss to businesses. These cyberattacks can also involve extortion, where the perpetrators install ransomware on servers and demand payment to restore the damages.
Identify DDoS attacks
DDoS attacks are designed to mimic legitimate traffic from real users, which can make them difficult to identify. Often, DDoS attacks can be mistaken for common technical problems. Therefore, it is important for organizations to be aware of the warning signs that may indicate a DDoS attack. One or more of the following symptoms should be cause for concern:
- An increase in traffic caused by similar devices from the same geographic location or browser
- One or more specific IP addresses make several consecutive requests over a short period of time
- The server times out when pinged
- The server responds with an HTTP 503 error, indicating that it is overloaded or down for maintenance
- A traffic analysis shows a strong and consistent peak in traffic
- Traffic logs show peaks at unusual times or in unusual sequences
- Traffic logs show unusually high spikes in traffic to a single endpoint or website
Identifying the symptoms of these attacks can also help determine what type of DDoS attack is taking place.
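Several of the symptoms above (one IP issuing many requests in a short window, traffic concentrated on a single endpoint, the server answering HTTP 503) can be checked directly against a web server's access log. The script below is an added example, not part of the article: it parses a constructed Apache-style log (timestamps, IPs and thresholds are illustrative assumptions) and returns the indicators it finds.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (Apache common log format); not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 503 0
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 503 0
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /login HTTP/1.1" 503 0
198.51.100.4 - - [10/Mar/2024:12:01:30 +0000] "GET /about HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_ddos_indicators(log_text, window_s=10, per_ip_threshold=4, endpoint_share=0.7, error_threshold=3):
    """Flag the log-based symptoms from the checklist; thresholds are illustrative assumptions."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    # Symptom: one IP issuing many requests within a short sliding time window.
    by_ip = defaultdict(list)
    for ip, when, _, _ in events:
        by_ip[ip].append(when)
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= per_ip_threshold:
                alerts.append(("burst_ip", ip))
                break
    # Symptom: traffic concentrated on a single endpoint.
    top = Counter(p for _, _, p, _ in events).most_common(1)
    if top and top[0][1] / len(events) >= endpoint_share:
        alerts.append(("endpoint_spike", top[0][0]))
    # Symptom: server answering HTTP 503 (overloaded).
    n503 = sum(1 for *_, s in events if s == 503)
    if n503 >= error_threshold:
        alerts.append(("http_503", n503))
    return alerts
```

Real logs will need thresholds tuned to normal traffic levels, since a burst from one address can also be a misbehaving monitor or a NAT gateway.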
Types of DDoS attacks
There are three main types of DDoS attacks. These attacks are characterized primarily by the type of traffic sent to a victim organization's system.
- Volumetric attacks—The goal of volumetric attacks is to saturate the bandwidth of victim sites through a flood of illegal requests. Attack methods include UDP, ICMP and other types of spoofed packet floods. Volumetric attacks are measured in bits per second.
- Protocol Attacks – These attacks target the network layer of victim systems with the goal of overwhelming firewalls, core network state tables, or load balancers. In these attacks, hackers can use SYN floods, fragmented packet attacks, Ping of Death and Smurf DDoS. Protocol attacks are measured in packets per second.
- Application Attacks – This type of DDoS attack is designed to exploit the vulnerabilities of specific applications. Such attacks may include low-and-slow attacks, GET/POST floods, and attacks targeting vulnerabilities in Apache, Windows, OpenBSD, or other applications. The size of these attacks is measured in requests per second.
Why DDoS attacks are on the rise
Researchers reported 5.4 million DDoS attacks in the first half of 2021 – an 11% increase from the first half of 2020. Some factors contributing to this increase include:
- Internet of Things (IoT) devices – IoT devices are particularly vulnerable because they rarely ship with built-in security controls. The number of IoT devices is increasing rapidly. By 2021, the number of active endpoints globally increased by 8% to 12.2 billion. By 2030, this number is expected to exceed 25.4 billion. But as the number of connected devices increases, so does the number of devices available for hackers to turn into botnets. The increasing number of IoT devices will allow hackers to create more extensive networks of computers, amplifying the scale of attacks they can subject their victims to.
- Application Programming Interface (API) – APIs are small pieces of code that allow systems to share data publicly. Public APIs can have a number of vulnerabilities, including weak authentication controls, lack of robust encryption, and faulty business logic. In a DDoS attack, APIs can be attacked at both ends of the service. This means that an API can be attacked from the server and from the API server at the same time, which significantly increases the strength of an attack.
- Cyber warfare—War and international tensions can lead to an increase in hacktivist-driven cyber attacks. The term “hacktivist” is used to describe cybercriminals who are ethically, politically or socially motivated. Hacktivists may use DDoS attacks for reasons such as making a statement or retaliating against people, governments or organizations they disagree with.
- Ransomware/Extortion – Cybercriminals are increasingly combining DDoS attacks with ransomware and extortion demands. DDoS attacks can increase the pressure on victim companies and bring them back to the bargaining table after a refusal to pay a ransom: the attackers cripple the victim's network and promise to stop for the right price.
To protect critical network functions from DDoS attacks, it is important for all organizations to have a prevention plan in place before a DDoS attack is suspected.
Actions that companies can take
Organizations should consider the following steps to avoid and mitigate DDoS attacks:
- Use a virtual private network (VPN). VPNs mask and encrypt IP addresses and other identifiable network elements.
- Install antivirus software. Antivirus software can identify and block the types of malware used by DDoS attackers. Once installed, make sure the antivirus software is well maintained.
- Enroll in a denial-of-service (DoS) protection service. DoS protection services are designed to identify abnormal traffic and route it away from the corporate network. These services filter out DoS traffic while allowing clean traffic to continue to the correct destination.
- Evaluate security practices. Maintain good security procedures. Such practices include limiting the number of people with access to important information and managing unsolicited traffic. Educate employees on improving password security, choosing secure networks, keeping electronic device software up-to-date, and being suspicious of unexpected emails.
- Create a recovery plan. Plan ahead to ensure an organization is ready for successful and effective communication, mitigation and recovery in the event of a cyber attack.
- Secure insurance coverage. It is important to explore the available cyber insurance options and determine how they can help an organization respond and recover from a DDoS attack. Consult a trusted insurance specialist to discuss specific coverage needs.
We can help with Cyber insurance.
DDoS attacks are a growing threat to organizations. By understanding these attacks and implementing appropriate prevention strategies, businesses can protect themselves against this cyberthreat. If you would like additional information and resources, we are here to help you analyze your needs and make the right coverage decisions to protect your business from unnecessary risk. You can download a free copy of our eBook, or if you’re ready to make Cyber Liability Insurance part of your insurance portfolio, request a quote or download and get started with our Cyber & Data Breach Insurance Application and we will work for you.