Insights on the DDoS threat landscape

Tony Lam, Senior Business Manager

Preparing your customers for surging DDoS attacks

Distributed denial-of-service (DDoS) attacks remain one of the most effective cyberattack methods. By flooding organizations’ servers, services, or networks with traffic from compromised devices or networks, attackers can cause significant financial, operational, and reputational damage. 

Unfortunately, as overall Internet traffic has surged, so have DDoS attacks. In 2021, the Australian Bureau of Statistics endured close to a billion cyberattacks against its census website. More recently, in March 2023, the pro-Russian hacker group Killnet and its affiliate AnonymousSudan targeted university websites in Australia. The hackers also called for attacks against multiple airport and hospital websites.

Below, we explore some key trends (including insights from Dicker Data partner Cloudflare’s Q1 2023 DDoS threat report) — and ways you can help customers modernize their approach to DDoS protection. 


Who and what are being targeted? 

At a high level, a DDoS attack is like a traffic jam clogging up motorways, preventing drivers from arriving at their destination. Threat actors launch DDoS attacks (via compromised devices) to disrupt the normal traffic of a particular Internet server, service, or network. As our partner Microsoft explains in more detail here, DDoS attacks fall into three primary types: volumetric attacks, protocol attacks, and resource (or application) layer attacks.

Regardless of type, a successful DDoS attack will make your customers’ websites or servers unavailable to legitimate users. As noted in Cloudflare’s Q1 2023 DDoS threat report, threat actors “kicked off” this year with a series of hacktivist campaigns — including the Killnet and AnonymousSudan attack mentioned earlier. That particular attack focused on the application layer (layer 7), where common Internet requests (such as HTTP visits to a website) are made. 

Another example of an application layer DDoS attack is a “hyper-volumetric” attack, which consumes all available bandwidth between the intended victim and the larger Internet. Quarter over quarter, Cloudflare detected and mitigated more hyper-volumetric DDoS attacks globally — including the largest-ever reported HTTP DDoS attack. Some of the attacked websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. 

Your customers should be aware that modern “hyper-volumetric” DDoS attacks use a new generation of botnets (networks of computers infected by malware) composed of virtual private servers (VPS). Botnet attacks using VPS infrastructure are more dangerous because they can be as much as 5,000x stronger than botnets built from IoT devices.

That said, the majority of attacks are short and small; according to Cloudflare, 86% of network-layer DDoS attacks end within 10 minutes, and 91% of attacks never exceed 500 Mbps. 

But even a “smaller” attack can hurt your customers. According to the Azure Network Security Team’s “2022 in review: DDoS attack trends and insights”, attacks that are shorter “require less resources and are more challenging to mitigate for legacy DDoS defenses. Attackers often use multiple short attacks over the span of multiple hours to make the most impact while using the fewest number of resources.”

As far as who is being attacked, threat actors will target organizations of all sizes and industries: any IP infrastructure connected to the Internet is vulnerable. However, according to Cloudflare’s data for Q1 2023:


  • Israel was the No. 1 country targeted by HTTP DDoS attack traffic — followed by the United States, Canada, and Turkey.
  • Globally, Internet companies saw the largest amount of HTTP DDoS attack traffic. After that, the marketing/advertising industry, computer software industry, gaming/gambling, and telecommunications were also highly targeted.
  • In the Oceania region specifically, the health and wellness industry was the most-attacked. (This just shows attackers keep track of business trends — Australia is ranked as the world’s 10th largest wellness market).


(Image source: Cloudflare)


As far as where attacks originated, in the first quarter of 2023, the most HTTP DDoS attack traffic (by overall volume) came from IP addresses in the United States. China came in second, followed by Germany, Indonesia, Brazil, and Finland. 

Layer 3 / layer 4 DDoS attacks, which target network equipment and infrastructure — as opposed to applications — originated closer to our side of the world. Vietnam was the largest source of L3/L4 attacks last quarter (followed by Paraguay, Moldova, and Jamaica). 


Core DDoS protection capabilities 

Because of the increasing complexity and volume of DDoS attacks (as well as evolving attack methods, which are explored more in Cloudflare’s report), your customers need specially designed network equipment or cloud-based DDoS protection. 

Generally speaking, these are the core DDoS mitigation service capabilities:

  • The ability to differentiate between attack traffic and legitimate traffic: Your customers need to be able to tell the difference between an attack and a high volume of normal traffic (for example, during peak holiday online shopping seasons). They shouldn’t block service for legitimate visitors.
  • The ability to detect bad bots and block malicious bot traffic without interrupting legitimate user traffic: Some bots, like those used for customer chatbots and digital assistants on websites, are “good.” But other bots — like those used to launch DDoS attacks — are malicious. Your customers need a way to proactively stop malicious bots before they ever reach their website.
  • The ability to analyze traffic to find malicious patterns that can aid in improving defenses: An effective DDoS mitigation solution will look for patterns across the Internet, like particular attacks coming from certain countries, repeating offending IP blocks, and more.
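As an added illustration of the first and third capabilities above (this is example code written for this page, not Cloudflare’s, Microsoft’s or Dicker Data’s), the Python heuristic below separates a legitimate traffic peak from a short, single-endpoint flood using two signals per time window: how concentrated requests are among client addresses, and how repetitive the requested paths are. The window size, thresholds and sample traffic are constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 10          # bucket size; short floods still stand out at this granularity
MIN_REQUESTS = 100           # below this volume a window is never flagged
MAX_TOP_SOURCE_SHARE = 0.20  # one client sending >20% of a busy window is abnormal
MIN_PATH_DIVERSITY = 0.05    # distinct paths / requests; floods hammer one endpoint


def summarize_windows(events):
    """Group (epoch_seconds, client_ip, path) tuples into fixed-size windows."""
    windows = defaultdict(list)
    for ts, ip, path in events:
        windows[ts // WINDOW_SECONDS].append((ip, path))
    return windows


def classify_window(requests):
    """Return 'quiet', 'flash_crowd' or 'suspected_flood' for one window."""
    n = len(requests)
    if n < MIN_REQUESTS:
        return "quiet"
    ips = Counter(ip for ip, _ in requests)
    top_share = ips.most_common(1)[0][1] / n           # share of the busiest client
    path_diversity = len({p for _, p in requests}) / n  # how varied the requests are
    if top_share > MAX_TOP_SOURCE_SHARE or path_diversity < MIN_PATH_DIVERSITY:
        return "suspected_flood"
    return "flash_crowd"  # busy, but spread across many clients and pages


def detect(events):
    """Map each window index to its classification."""
    return {w: classify_window(r) for w, r in sorted(summarize_windows(events).items())}


def constructed_events():
    """Constructed sample traffic (documentation IP ranges), not a real capture."""
    events = []
    # window 0: a legitimate sale-day peak, 150 shoppers browsing 20 product pages
    for i in range(200):
        events.append((i % 10, f"198.51.100.{i % 150}", f"/product/{i % 20}"))
    # window 1: a short flood, 4 hosts sending the same request over and over
    for i in range(200):
        events.append((10 + i % 10, f"203.0.113.{i % 4}", "/login"))
    # window 2: ordinary quiet traffic
    for i in range(10):
        events.append((20 + i, f"192.0.2.{i}", "/"))
    return events


if __name__ == "__main__":
    print(detect(constructed_events()))  # {0: 'flash_crowd', 1: 'suspected_flood', 2: 'quiet'}
```

Both peaks carry the same request volume; only the per-source and per-path distribution tells them apart, which is why a pure rate limit would have blocked the legitimate shoppers too.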


Four questions to ask customers seeking DDoS protection

Selecting the right DDoS mitigation service requires a comprehensive approach to protecting networks and users. Here are four questions to consider when helping your customers create the strongest possible security posture:

  1. Are they migrating to cloud-native services? Cloud-native DDoS mitigation can scale seamlessly with their business needs without imposing artificial performance bottlenecks, while cloud-hosted virtual appliances may come with more management complexity.
  2. How much network capacity do they need? Network bandwidth can vary greatly depending on an organization’s size and the applications they use. Some organizations can be easily knocked offline by relatively small attacks if their provider has insufficient network capacity to absorb DDoS traffic. Help them combat attacks by selecting a provider that offers enough network capacity to withstand attacks without causing downtime or degraded performance.
  3. What is their tolerance for business risk and latency? If your customer acknowledges that anything longer than a few seconds of downtime is unacceptable, then they should use a service with the lowest possible time-to-mitigation (TTM), and with DDoS capabilities across every data center.
  4. How and when do they want to automate DDoS protection? As DDoS attacks are typically carried out by bots, automated detection and mitigation are crucial for effective defense. Certain DDoS mitigation services offer automation and self-serviceability from a dashboard or API, enabling customers to quickly turn on and manage their threat protection.

Contact sales@dickerdata.com.au for all your technology needs.
