Distributed denial of service (DDoS) attacks are increasing in size, frequency and duration.

Kaspersky Lab reported a doubling of DDoS attacks in the first quarter of 2020 compared with the fourth quarter of 2019, plus an 80% jump compared with the same quarter last year.

Kaspersky also found that DDoS cyberattacks are increasing in duration. Average attack duration increased 24% in the first quarter of 2020 compared with the year-ago quarter. Meanwhile, maximum attack duration more than doubled in the first quarter compared to the same quarter last year.

A recent DDoS attack against a large European bank clocked in at 809 million packets per second, more than double the previous record on the Akamai platform.

Akamai reported a 1.44 terabits per second attack against an internet service provider last month. The attack came from nine different vectors, lasted for more than an hour, and maintained an intensity of 1.3 terabits per second.

In February, Amazon Web Services (AWS) saw a record 2.3 terabits per second DDoS attack. This was 44% larger than any previous DDoS detected by AWS.

Types of DDoS Attacks

Akamai explained that bits-per-second (BPS) and packets-per-second (PPS) attacks take different approaches to targeting victims. With BPS attacks, the goal is to overwhelm the inbound internet pipeline by bombarding the circuit with more traffic than it can handle. With PPS attacks, the aim is to overwhelm network gear and applications in the victim’s data center or cloud environment, exhausting their resources. While taking different approaches, both types of DDoS attacks can have devastating effects on victims.
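To make the BPS/PPS distinction concrete from the defender's side, the following added example (not from Akamai or the original article) turns cumulative interface counters into per-interval rates and reports which resource is being saturated. The link capacity, device forwarding capacity, 90% threshold and counter samples are all constructed assumptions.

```python
from dataclasses import dataclass

LINK_BPS = 10_000_000_000   # assumed: 10 Gbit/s inbound circuit
DEVICE_PPS = 5_000_000      # assumed: edge device forwards 5 Mpps at most

# Constructed samples: (unix_time, cumulative_rx_bytes, cumulative_rx_packets)
SAMPLES = [
    (0, 0, 0),
    (10, 1_250_000_000, 1_500_000),     # baseline traffic
    (20, 13_250_000_000, 9_500_000),    # large packets fill the circuit
    (30, 16_322_000_000, 57_500_000),   # tiny packets, very high packet rate
    (40, 500_000_000, 600_000),         # counters reset (e.g. device reboot)
    (50, 1_750_000_000, 2_100_000),     # back to baseline
]

@dataclass
class Interval:
    start: float
    bps: float
    pps: float
    avg_pkt_bytes: float
    verdict: str

def classify_intervals(samples, link_bps, device_pps, threshold=0.9):
    """Label each interval by the resource that is near exhaustion."""
    out = []
    for (t0, b0, p0), (t1, b1, p1) in zip(samples, samples[1:]):
        dt, db, dp = t1 - t0, b1 - b0, p1 - p0
        if dt <= 0 or db < 0 or dp < 0:
            continue  # counter reset or out-of-order sample: rate is meaningless
        bps = db * 8 / dt
        pps = dp / dt
        link_hot = bps / link_bps >= threshold      # circuit is the bottleneck
        gear_hot = pps / device_pps >= threshold    # packet processing is the bottleneck
        if link_hot and gear_hot:
            verdict = "bps+pps"
        elif link_hot:
            verdict = "bps"
        elif gear_hot:
            verdict = "pps"
        else:
            verdict = "normal"
        out.append(Interval(t0, bps, pps, db / dp if dp else 0.0, verdict))
    return out

if __name__ == "__main__":
    for i in classify_intervals(SAMPLES, LINK_BPS, DEVICE_PPS):
        print(f"t={i.start:>3} {i.bps/1e9:5.2f} Gbit/s {i.pps/1e6:5.2f} Mpps "
              f"avg={i.avg_pkt_bytes:6.0f} B -> {i.verdict}")
```

In the PPS interval the circuit is under a quarter full while the device is at 96% of its packet budget, which is why bandwidth graphs alone can miss this class of attack.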

“Looking holistically at DDoS activity since the onset of 2020, it is clear that large, sophisticated DDoS attacks are still a significant attack vector,” says Tom Emmons, principal product architect at Akamai.

Most of the DDoS attacks involved SYN flooding, which is a protocol attack. This is one of three DDoS types, along with volumetric and application attacks.

DDoS Attackers Exploiting COVID-19

Many of these DDoS attacks are exploiting the COVID-19 pandemic by targeting healthcare organizations, educational platforms and government agencies.

For example, the number of DDoS attacks on educational and administrative web resources tripled in the first quarter of 2020 compared with the year-ago quarter. Kaspersky predicted that corporate infrastructure, such as VPN gateways, will receive more DDoS attacks as the shift to remote working becomes the ‘new normal.’

Imperva recently found that application DDoS attacks are lasting longer. Two attacks in June lasted five to six days and originated from up to 28,000 unique IP addresses. The most targeted industries were media, business and financial services.

Another development fueling DDoS attacks is botnet-for-hire services. Providers of these services are battling for control of home routers to use in their botnets, according to Trend Micro research.

Cybercriminals then sell access to these botnets for DDoS attacks or to anonymize click fraud, data theft and account takeover.

“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale,” explains Jon Clay, director of global threat communications at Trend Micro.

“For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks,” Clay says.

How to Prevent Attacks

The data is clear. By all measures, DDoS attacks are increasing. This is bad news for businesses that are in the attackers’ cross-hairs.

What distinguishes a DDoS attack from the run-of-the-mill denial of service attack? Malicious traffic comes from distributed sources around the world, such as a botnet made up of millions of devices, instead of a single source. This distribution renders regular firewalls and intrusion detection systems practically useless in thwarting the attack.

There are several things organizations can do to prevent attacks and mitigate their impact.

Rachel Kartch, a researcher at Carnegie Mellon University’s Software Engineering Institute, advises organizations to implement four best practices for DDoS attack mitigation.

  1. Make architecture as resilient as possible. Organizations should disperse assets to avoid presenting an attractive target to an attacker. They should locate servers in different data centers, ensure that data centers are located on different networks and have diverse paths, and make sure that data centers and networks have no bottlenecks or single points of failure.
  2. Deploy hardware that can handle DDoS attacks. Organizations should use settings in network and security hardware designed to protect network resources. Many next-generation network firewalls, web application firewalls, and load balancers can defend against protocol and application attacks. Specialty DDoS mitigation equipment can also be deployed.
  3. Scale up network bandwidth. If organizations can afford it, they should scale bandwidth to absorb volumetric attacks. This step might be difficult for smaller organizations that do not have the financial resources to invest in more bandwidth.
  4. Employ DDoS mitigation providers. Organizations can turn to large providers that specialize in responding to DDoS attacks. These providers’ cloud scrubbing services divert attack traffic to a mitigation center before it hits the organization’s network.

Paul Rubens, a security writer with eSecurity Planet, recommends organizations protect their DNS servers by putting them in various data centers behind load balancers or moving to a cloud-based DNS provider.

According to security experts consulted by Bank InfoSecurity, companies should use cloud-based web servers that can handle the high traffic volumes of a DDoS attack, conduct exercises that simulate real-world DDoS attacks, put in place outage mitigation and response strategies before a DDoS attack hits, and train staff on how to recognize and respond to a DDoS attack.

“While technical mitigation is a necessity, educating users within the enterprise that security is a mindset, not an exception, can also reduce these incidents,” says Bill Brenner, director of research at IANS and former senior program manager at Akamai.
