The DDoS threat landscapes in 2023 – tackling high-performance botnets
By Omer Yoachimik, Senior Product Manager, DDoS Protection Service at Cloudflare
Distributed denial-of-service (DDoS) attacks are a constant of the Internet landscape, and they are already on the rise in 2023. A DDoS attack aims to overwhelm an Internet service such as a website with so much traffic that it is significantly disrupted and ultimately inaccessible to the legitimate users who depend on it. Such attacks can cause serious problems for organisations, costing them money, damaging their reputations or, worse, disrupting a critical public service.
Today’s DDoS threat landscape is characterised by increasingly larger and more sophisticated attacks, often with a ransom demand attached. Newer breeds of high-performance botnets make these attacks larger than ever and more disruptive to companies that aren’t adequately prepared. To prevent and address DDoS attacks, organisations need to know how they work, what the current threat landscape looks like, and what can be done to stop these increasingly common attacks.
The rise of ransom DDoS attacks
This year is off to an eventful start for threat actors. So far, 2023 has seen several ‘hacktivist’ campaigns by groups such as Killnet and Anonymous Sudan targeting Western organisations including universities, healthcare centres, banks and airports.
DDoS attacks are often conducted to extort ransom payments from an unprepared victim, and the proportion of DDoS attacks with a ransom demand attached has been steadily rising over the last year or so. While they may seem similar, these ransom DDoS attacks are different from ransomware attacks – and they’re easier for attackers to execute.
In a ransomware attack, the victim is tricked into clicking an email link or downloading a file that encrypts their data and makes it inaccessible until the ransom is paid; classic ransomware attacks of this kind can be headed off with Zero Trust email protection services such as Cloudflare Area 1. In a ransom DDoS attack the victim doesn’t need to take any action at all, and the attacker doesn’t need to gain a foothold in the corporate network or access to the victim’s computers. Instead, the attacker bombards the victim’s websites and other Internet-facing property, such as DNS servers, with enough traffic that they either become unavailable or perform so poorly that they are unusable.
To stop the attack, or sometimes to prevent future ones, the attacker demands that the victim pay a ransom, usually in cryptocurrency. So far in 2023, 16% of surveyed customers who were hit by DDoS attacks reported having been threatened with or targeted by a ransom DDoS attack. With such activity on the rise, organisations should be on guard for these demands and prepared for such an event, so that attackers are stopped in their tracks and the Internet keeps running smoothly.
When it comes to DDoS attacks, bad actors seem to have concluded that bigger is better. Volumetric DDoS attacks are designed to overwhelm a network’s capacity, and any DDoS mitigation an organisation has in place, with a sheer volume of malicious traffic. They are typically launched against a single target, often a critical service provider or a large corporation. Volumetric attacks are also often used as cover for more targeted and damaging application-layer attacks, which abuse specific services such as DNS to disrupt the network infrastructure that depends on them.
‘Hyper-volumetric’ attacks sit at the upper end of the volumetric scale in the sheer amount of traffic they produce. Their number has increased so far this year; the largest peaked above 71 million requests per second (rps), well beyond the previous world record of 46 million rps reported by Google. Attacks on this scale can cause extended downtime for websites, which costs a company money and is often a significant drain on staff time, quite apart from the damage to the organisation’s reputation.
It’s not only large corporations and governments that are targets for DDoS attacks. By percentage of attack traffic out of total traffic to an industry, the most targeted industry for attacks in the first quarter of 2023 was actually non-profits, followed by accounting firms. This goes to show that organisations of all sizes and industries can be targeted – each and every type of business should have a strategy in place to manage such an attack.
Overall, DDoS attackers are executing larger attacks and are increasingly attaching ransom notes for their targets. In light of the current threat landscape, which is growing increasingly treacherous and sophisticated, organisations should be paying attention to what’s behind these attacks and how they can shore up their protections.
Tackling high-performance botnets
We’ve seen how DDoS attacks are becoming larger and more likely to include a ransom payment, but what’s behind these hyper-volumetric attacks, and how can companies put a stop to them?
Hyper-volumetric DDoS attacks are becoming larger and more common because of a new generation of botnets that use virtual private servers (VPS) instead of Internet of Things (IoT) devices. A botnet is a network of computers infected with malicious software that can be controlled remotely to launch an attack. DDoS botnet malware takes different forms and serves different purposes: some is designed to take complete control of a device, while some runs as a background process designed to go undetected until the attacker issues instructions. Botnets such as the infamous Mirai can even be self-propagating, recruiting additional bots through various channels, including exploiting website vulnerabilities or compromising other devices on the network around an infected device.
Traditionally, botnets such as Mirai and its variants relied on a relatively large number of IoT devices working together to generate enough traffic to disrupt the target. The new generation of botnets needs far fewer devices to do the same work. By commandeering virtual private servers from cloud computing providers, attackers can build botnets that are up to 5,000 times stronger than traditional ones. They get in by exploiting unpatched servers and by using leaked API credentials to log into management consoles, then use the hijacked VPS capacity to generate enormous amounts of malicious traffic.
Making the Internet a better and safer place is a team effort and collaboration is key to taking down the botnets that are responsible for large-scale DDoS attacks. Fortunately, Cloudflare and cloud computing providers are working together to crack down on these botnets. Companies such as cloud computing providers, general service providers, and hosting providers should be looking to have continuous visibility into attacks launching from within their networks using proven, dedicated tools from reliable brands. By working together, the cybersecurity community can tackle these botnets and make sure we’re staying one step ahead of attackers.
Staying on top of DDoS attacks
Understanding what a DDoS attack looks like is essential for organisations looking to fend one off. If your website is offline or slow to respond to requests, and no maintenance is planned, that could be a sign you’re under attack. Other signs are unusual requests in your origin web server logs that don’t match typical visitor behaviour, and unexpected spikes in request volume or bandwidth.
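The indicators above can be checked mechanically against origin logs. The script below is an added example written for this article, not Cloudflare’s code: it assumes the common combined access-log format, flags any second whose request rate is several times the site’s normal baseline, and reports which secondary indicators (traffic concentrated on one source, requests with no User-Agent, a surge of origin 5xx errors) accompany the spike. The log lines it runs on are constructed.

```python
"""Scan origin access logs for the DDoS indicators described above: a
request-rate spike far above the site's baseline, traffic concentrated on a
few sources, non-browser request patterns and a surge of origin errors.
Added example for this article, not Cloudflare's code; the log format is
assumed to be the combined format and the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip - - [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, baseline_rps, spike_factor=5.0, share_threshold=0.5):
    """Flag every second whose request rate is spike_factor x the baseline and
    report which secondary indicators accompany it."""
    per_second = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_second[rec["ts"]].append(rec)   # timestamps have one-second resolution

    findings = []
    for second, recs in sorted(per_second.items()):
        n = len(recs)
        if n < baseline_rps * spike_factor:
            continue  # a normal second: nothing to report
        top_ip, top_n = Counter(r["ip"] for r in recs).most_common(1)[0]
        top_share = top_n / n
        error_share = sum(r["status"] >= 500 for r in recs) / n
        blank_ua_share = sum(not r["ua"] for r in recs) / n
        reasons = [f"{n} rps against a baseline of {baseline_rps} rps"]
        if top_share >= share_threshold:
            reasons.append(f"{top_ip} alone sent {top_share:.0%} of requests")
        if error_share >= share_threshold:
            reasons.append(f"{error_share:.0%} of requests produced origin 5xx errors")
        if blank_ua_share >= share_threshold:
            reasons.append(f"{blank_ua_share:.0%} of requests carried no User-Agent")
        findings.append({
            "second": second.isoformat(), "rps": n, "top_ip": top_ip,
            "top_share": top_share, "error_share": error_share,
            "blank_ua_share": blank_ua_share, "reasons": reasons,
        })
    return findings


def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
# Constructed sample: one quiet second with three visitors, then one second in
# which two hosts fire 40 cache-busting requests with no User-Agent and the
# origin answers 503.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", "01/May/2023:10:00:00 +0000", "/", 200, BROWSER_UA)
     for i in range(1, 4)]
    + [_line(f"198.51.100.{1 + i % 2}", "01/May/2023:10:00:05 +0000", f"/?x={i}", 503, "")
       for i in range(40)]
)

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, baseline_rps=3):
        print(f["second"], "; ".join(f["reasons"]))
```

The baseline is the one input you have to supply from your own traffic history; a threshold of five times normal is an illustrative starting point, not a rule. Note that a single source sending half the traffic is a strong signal for a small site but is unremarkable behind a large NAT or proxy, which is why the script reports the secondary indicators separately rather than folding them into one score.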
No matter how big or small your organisation, ensuring your tech stack is constantly being monitored and kept updated with the latest botnet protection is key to making sure you’re prepared for the next generation of DDoS attacks. There are several ways to stay on top of DDoS protection without accidentally blocking out legitimate traffic. DDoS protection tools may use a set of pre-configured rules to identify known attack patterns and tools, as well as suspicious patterns, excessive traffic hitting the origin/cache, protocol violations, requests causing large amounts of origin errors, and additional attack vectors in the application layer. Other more sophisticated systems may leverage traffic profiling, stateful inspection, dynamic real-time fingerprinting and Machine Learning models to classify and mitigate suspicious traffic.
It is also worth taking the time to customise your DDoS protection settings to avoid false positives, where legitimate traffic is incorrectly flagged as attack traffic and blocked. This can happen when legitimate traffic spikes beyond what is normal for your site, or when traffic to your Internet property contains patterns that look suspicious. If you know about such traffic ahead of time, you can tell your DDoS tools so that they recognise it as legitimate.
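To make the false-positive problem concrete, here is an added example (written for this article, not Cloudflare’s product logic) of a per-client rate limiter with the two kinds of tuning the paragraph describes: an allowlist of known-good sources, and time windows in which a higher threshold applies because a traffic spike is expected. The token-bucket design, the addresses, the policy values and the three bursts are all assumptions for illustration. The same 60-request bursts are replayed against an untuned policy and a tuned one so you can see which traffic each policy refuses.

```python
"""Per-client rate limiting that can be tuned so legitimate traffic is not
blocked by mistake: an allowlist for known-good sources and time windows in
which a higher threshold applies (a planned launch, say). Added example for
this article, not Cloudflare's product logic; the policy values, addresses
and the token-bucket design are assumptions for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Policy:
    rate: float                 # sustained requests per second allowed per client
    burst: int                  # bucket capacity: how large a short burst is tolerated
    allowlist: list = field(default_factory=list)        # CIDRs that are never limited
    expected_spikes: list = field(default_factory=list)  # (start, end, multiplier) windows


class RateLimiter:
    """Token bucket per client IP; `now` is a float timestamp in seconds."""

    def __init__(self, policy):
        self.policy = policy
        self.allow_nets = [ipaddress.ip_network(c) for c in policy.allowlist]
        self.buckets = {}           # ip -> (tokens, last_seen)
        self.blocked = Counter()    # ip -> requests refused

    def _multiplier(self, now):
        for start, end, mult in self.policy.expected_spikes:
            if start <= now < end:
                return mult
        return 1.0

    def allow(self, ip, now):
        if any(ipaddress.ip_address(ip) in net for net in self.allow_nets):
            return True                      # known-good source: never limited
        mult = self._multiplier(now)
        rate, cap = self.policy.rate * mult, self.policy.burst * mult
        tokens, last = self.buckets.get(ip, (cap, now))
        tokens = min(cap, tokens + (now - last) * rate)   # refill since last request
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)
        self.blocked[ip] += 1
        return False


def simulate(policy, bursts):
    """Replay bursts of (label, ip, time, count) against a fresh limiter and
    return how many requests of each burst were refused."""
    limiter = RateLimiter(policy)
    refused = {}
    for label, ip, t, count in bursts:
        refused[label] = sum(not limiter.allow(ip, t) for _ in range(count))
    return refused


# Constructed scenario: three 60-request bursts, each arriving in a single instant.
BURSTS = [
    ("attacker", "198.51.100.7", 0.0, 60),        # unknown source, no reason to expect it
    ("partner_crawler", "203.0.113.9", 0.0, 60),  # a partner's crawler you know about
    ("launch_traffic", "192.0.2.33", 120.0, 60),  # a customer inside the announced launch window
]
DEFAULT_POLICY = Policy(rate=5, burst=10)
TUNED_POLICY = Policy(rate=5, burst=10,
                      allowlist=["203.0.113.0/24"],
                      expected_spikes=[(100.0, 160.0, 10.0)])

if __name__ == "__main__":
    print("default:", simulate(DEFAULT_POLICY, BURSTS))   # all three bursts partly refused
    print("tuned:  ", simulate(TUNED_POLICY, BURSTS))     # only the attacker is refused
```

Under the untuned policy the partner’s crawler and the launch-day customer are treated exactly like the attacker, which is the false positive the paragraph warns about; the tuned policy refuses the same 50 attacker requests and nothing else. The two knobs are deliberately narrow: an allowlist is only safe for sources whose addresses you control or trust, and a spike window should be bounded in time so that an attack timed to coincide with your launch is not waved through indefinitely.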
If you are targeted with a ransom DDoS attack, the recommendation is not to pay. Attackers try to instil a sense of urgency, but any delay gives the victim time to consider and put in place mitigations that lower the chances of the attack succeeding. An attacker who receives payment may also return for another, knowing they have found a valuable target. Don’t be fooled: ransom attackers often pose as security researchers who have found a vulnerability in your website, which raises the response rate from website owners because it isn’t obvious that a ransom DDoS attack is under way.
With the right tools in place, your organisation can block even large DDoS attacks automatically, without noticing any slowdown in your website or key services. In an environment where users expect speed and efficiency from every touchpoint with a company, remaining online and performant is vital to keeping a company’s website open for business as and when it’s needed.
Armed with an understanding of the current DDoS threat landscape and what an attack might look like, you can stay one step ahead of bad actors and keep the right tools in place to stop attackers in their tracks.