This is the first installment in a two-part series about DDoS attacks and mitigation on cloud.

In the digital age, the security of applications and networks is of paramount importance. Networks are under increasing threat from a growing number of cybercriminals, both individual actors and organized groups, around the world. The demand for qualified security professionals is escalating by the day as organizations become more aware of the consequences of these threats.

Attacks can take various forms and target many different parts of your environment, such as the network, transport and application layers. Application-layer vulnerabilities can arise from insecure coding or the use of vulnerable third-party components. Actors can exploit these vulnerabilities to deface applications, steal, modify or delete customer data, or bring down applications and systems altogether.

One way to disrupt services is to flood networks and applications with overwhelming volumes of traffic. We’ll focus on two of the most common methods cybercriminals use to inflict this type of damage: denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

DoS Attacks: Malicious Traffic Originating From a Single Source

Attacks that make a system unavailable to its legitimate users are called DoS attacks. DoS attacks can occur at various layers of the Open Systems Interconnection (OSI) model. Campaigns that flood the network or consume resources to deny genuine traffic are best handled at the network or infrastructure level, using firewall rules together with an intrusion detection or prevention system (IDS/IPS).

Application-level (Layer 7) DoS attacks are hard to detect because they look like normal traffic: each request rides on a complete Transmission Control Protocol (TCP) connection and follows the protocol rules. Because the traffic arrives on ports the firewall must leave open, such as 80 and 443, it passes straight through perimeter filtering to the application. The most common Layer 7 DoS attacks involve HTTP traffic aimed at the web server and the application behind it. Other forms target services such as the Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) and Secure Shell (SSH).

DoS attacks usually originate from one source. System administrators put in place myriad methods and filters to detect such incidents. Once a DoS is detected, an IDS can raise the alert and an IPS or firewall rule can stop the attack by blocking traffic from the single offending address.

DDoS Attacks: An Onslaught of Traffic From Multiple, Disparate Sources

Cybercriminals have discovered that they can circumvent DoS defenses by employing a technique known as distributed denial-of-service. In this type of attack, malicious traffic originates from multiple sources scattered across the globe and converges upon one system or network. There is no single address to block, and each source can stay below the per-host thresholds a defender would normally set. As a result, IDS solutions and firewalls have difficulty detecting and blocking DDoS incidents.

Attackers can use their own systems or exploit other vulnerable devices to route the attack. Increasingly, DDoS-wielding cybercriminals use botnets made up of devices they commandeer from unsuspecting victims using social engineering tactics, such as phishing, or by exploiting vulnerabilities within those systems. The DDoS threat vector has grown in size and sophistication over the past few years.

DDoS Variants

Cybercriminals use DDoS attacks to flood networks, systems or applications with more traffic than the target can handle, causing it to crash or go out of service. Let’s take a closer look at some DDoS variants and determine how organizations can assess the risk and mitigate the threat.

Volume-Based Attacks

A volume-based DDoS attack aims to exhaust network bandwidth, which is limited for companies of all sizes, by leveraging botnets. Due to the increasing proliferation of connected devices, botnets of hundreds of thousands to more than 1 million nodes exist and are readily accessible, often rented as a service. Such a botnet can easily choke the network of a midsized company, thereby blocking all legitimate traffic. Because the saturated link sits in front of the target, filtering at the target itself does nothing; the excess traffic has to be dropped upstream.

Protocol Attacks

This type of DDoS attack is designed to exploit weaknesses in Layer 3 and Layer 4 protocols. Unlike volume-based attacks, which aim to saturate the target's internet connection, protocol attacks cause disruption with relatively small amounts of network traffic, typically by exhausting the connection state tables of servers, firewalls and load balancers.

Take TCP, a well-known Layer 4 protocol. For a connection to be established, the two ends must complete a three-way handshake: the client sends a SYN, the server replies with a SYN-ACK and reserves state for the connection, and the client completes the handshake with an ACK. Attackers exploit this by sending a stream of SYN packets, often with spoofed source addresses, and never sending the final ACK. Each half-open connection stays in the server's backlog until it times out. This is known as a SYN flood attack, and it exhausts the number of connections available to legitimate traffic.
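The check described above, as an added example that is not code from the original article: a small offline model of the half-open connection tracking a stateful firewall or IDS performs to spot a SYN flood. The packet records are constructed for the example, and the backlog limit and handshake timeout are illustrative assumptions rather than measured values.

```python
"""Half-open TCP connection tracking, the check a stateful firewall or IDS
performs to spot a SYN flood.

Added example, not code from the original post. Packet records are
constructed; backlog_limit and handshake_timeout are assumed values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source address (a flooder can spoof this freely)
    sport: int
    dst: str    # destination address
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


class HalfOpenTracker:
    """Counts connections that received a SYN but never the final ACK."""

    def __init__(self, backlog_limit: int = 64, handshake_timeout: float = 3.0):
        self.backlog_limit = backlog_limit   # assumed listen backlog size
        self.timeout = handshake_timeout     # assumed SYN-RECV retention time
        self.pending = {}                    # (src, sport, dst, dport) -> SYN time
        self.alerted = set()                 # listeners already reported

    def _expire(self, now: float) -> None:
        """Drop half-open entries older than the handshake timeout."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def observe(self, pkt: Packet) -> Optional[str]:
        """Feed one packet; return an alert the first time a listener's
        half-open count exceeds its backlog limit, otherwise None."""
        self._expire(pkt.ts)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.pending.setdefault(key, pkt.ts)   # handshake started
        elif pkt.flags in ("A", "R"):
            self.pending.pop(key, None)            # completed or aborted
        # Server-to-client SYN-ACKs carry the reversed 4-tuple and change nothing.
        listener = (pkt.dst, pkt.dport)
        half_open = [k for k in self.pending if (k[2], k[3]) == listener]
        if len(half_open) > self.backlog_limit and listener not in self.alerted:
            self.alerted.add(listener)
            sources = len({k[0] for k in half_open})
            return (f"SYN flood suspected on {pkt.dst}:{pkt.dport}: "
                    f"{len(half_open)} half-open connections from {sources} sources")
        return None


def constructed_traffic():
    """Constructed sample: three normal handshakes, then 100 bare SYNs from
    100 different (spoofed) sources within half a second, none completed."""
    server = "10.0.0.5"
    pkts = []
    t = 0.0
    for i, client in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        sport = 40000 + i
        pkts.append(Packet(t, client, sport, server, 443, "S"))
        pkts.append(Packet(t + 0.01, server, 443, client, sport, "SA"))
        pkts.append(Packet(t + 0.02, client, sport, server, 443, "A"))
        t += 0.1
    for i in range(100):
        pkts.append(Packet(t + i * 0.005, f"203.0.113.{i + 1}", 50000 + i, server, 443, "S"))
    return pkts


def detect_syn_flood(packets, backlog_limit=64, handshake_timeout=3.0):
    """Run the tracker over a packet list and return the alerts raised."""
    tracker = HalfOpenTracker(backlog_limit, handshake_timeout)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alert = tracker.observe(pkt)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in detect_syn_flood(constructed_traffic()):
        print(line)
```

The legitimate handshakes are removed from the table as soon as their ACK arrives, so only the flood accumulates; the alert fires on the 65th unanswered SYN and reports that the half-open entries come from as many distinct sources as there are entries, the signature of spoofed addresses. A real SYN-cookie or backlog-tuning response belongs to the mitigation discussion in the second installment.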

Application-Layer Attack

An application-layer DDoS attack is designed to disrupt service by exploiting weaknesses within applications, or simply by issuing large numbers of expensive but perfectly valid requests such as searches, logins or report generation. The malicious traffic is in protocol, meaning every request is well-formed and legitimate with regard to HTTP, DNS or whichever protocol is targeted. Signature-based tools therefore have nothing to match on, and detection has to rely on behaviour: request rate per client, the aggregate rate per endpoint and the mix of resources requested.
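Behavioural detection of the kind the Layer 7 sections above call for, as an added example that is not code from the original article. Every request in the sample is well-formed HTTP, so the detector cannot rely on protocol violations; it keeps sliding-window request counts per client IP and per endpoint. The per-IP check catches a single-source flood, and the per-endpoint aggregate catches a distributed flood whose sources each stay under the per-IP limit. The access log lines are constructed for the example, and the window and thresholds are illustrative assumptions.

```python
"""Behavioural detection of Layer 7 (HTTP) floods in web server access logs.

Added example, not code from the original post. Log lines are constructed;
the window and threshold values are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT).timestamp(),
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect_l7_flood(lines, window=10, max_per_ip=50, max_per_path=100):
    """Sliding-window request counts per client IP and per endpoint.

    Returns (offending IPs, offending endpoints). A single-source flood trips
    the per-IP limit; a distributed flood keeps every source under it, so the
    per-endpoint aggregate is checked as well.
    """
    per_ip = defaultdict(deque)
    per_path = defaultdict(deque)
    ip_offenders, path_offenders = set(), set()
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    for rec in records:
        for key, table, limit, offenders in (
            (rec["ip"], per_ip, max_per_ip, ip_offenders),
            (rec["path"], per_path, max_per_path, path_offenders),
        ):
            times = table[key]
            times.append(rec["ts"])
            while times and rec["ts"] - times[0] > window:
                times.popleft()              # slide the window forward
            if len(times) > limit:
                offenders.add(key)
    return ip_offenders, path_offenders


def _line(ip, when, path, status=200):
    """Format one constructed combined-format log line."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def constructed_log():
    """Constructed sample traffic: normal browsing, one single-source flood,
    and one distributed flood whose sources each stay under the per-IP limit."""
    base = datetime(2023, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    pages = ["/", "/static/app.js", "/products", "/static/logo.png", "/cart", "/checkout"]
    for i in range(5):                       # five ordinary clients, a page every 10 s
        for j, page in enumerate(pages):
            lines.append(_line(f"198.51.100.{i + 1}", base + timedelta(seconds=j * 10 + i), page))
    for k in range(200):                     # one host: 200 searches in 10 s
        lines.append(_line("203.0.113.7", base + timedelta(seconds=k // 20), "/search?q=x"))
    for s in range(60):                      # sixty hosts: four report requests each, all in 10 s
        for k in range(4):
            n = s * 4 + k
            lines.append(_line(f"192.0.2.{s + 1}", base + timedelta(seconds=n // 24), "/api/report"))
    return lines


if __name__ == "__main__":
    ips, paths = detect_l7_flood(constructed_log())
    print("per-IP offenders:", sorted(ips))
    print("per-endpoint offenders:", sorted(paths))
```

Run against the constructed log, the per-IP check names only 203.0.113.7, while the per-endpoint check names both /search and /api/report; the sixty 192.0.2.x hosts never appear as individual offenders, which is exactly why a distributed flood defeats a per-source block list. In production the thresholds would come from a baseline of normal traffic for each endpoint, and the response would be rate limiting at the edge rather than a blanket block.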

Risk Assessment and Potential Consequences for CSPs

DDoS attacks pose significant risks to both cloud service providers (CSPs) and their clients. Cybercriminals might launch DDoS campaigns to bring down enterprise applications or simply for personal satisfaction. Malicious actors have even used this method to extort money from victims.

These attacks can last anywhere from a few hours to a few weeks. For CSPs, DDoS incidents can lead to negative publicity, and it might take years to repair the reputational damage. Long service outages can result in revenue loss for both the cloud provider and its clients. Finally, DDoS attacks against banking and financial institutions have been used as a smokescreen for intrusions that expose sensitive customer data, including credit card information, while the security team is occupied with the outage.

In the second installment of this series, we’ll look at examples of simulated DDoS attacks, and discuss mitigation strategies and techniques cloud security teams can employ to protect their networks from this threat.
