Distributed Denial of Service (DDoS) attacks have long been a favorite tool for online extortionists and troublemakers.
In a DDoS attack, a botnet (a network of private computers being remotely controlled by malicious software and without their owners’ knowledge) is used to overwhelm a server or other online target with bogus requests, which either greatly slows down site performance or completely shuts down the target’s ability to service the requests.
In other words, bad guys can take control of your security cam, internet-connected refrigerator, and other connected devices, and tell them to send data requests to a targeted server (belonging to Amazon, for example), overwhelming it. (Think of rush hour in Los Angeles. Everyone tries to drive on the 5 freeway at once, leading to an overall traffic jam.)
In the past, DDoS attacks have targeted corporate sites to force the victim to pay a ransom to obtain relief from the attack. However, in this year of the U.S. presidential election and the COVID-19 coronavirus pandemic, the targets of, and the intent behind, the attacks have changed somewhat.
In this article, we’ll take a look at the current status of DDoS attacks on the web, how they’ve grown, and how they have changed during the last year or so. We’ll take a look at the how, why, and when of such attacks, as well as the costs and damages.
1. Q1 2020 DDoS Attacks Change Target Focus
2020 is an election year, and it has also been the year of the COVID-19 pandemic. This has led to a change in the focus of DDoS attacks during the first half of the year.
New election year-related attack targets have included a U.S. voter registration and information website that was hit in early February. Luckily, the website was well protected against DDoS attacks, and this attack failed.
Since the beginning of 2020, when the COVID-19 pandemic began, much of the world’s day-to-day activities have shifted to the internet. This includes work, shopping, food delivery, school work, recreation like streaming video and playing games, and much more.
Another reason for the increased use of the internet is that people are searching for information about the COVID-19 coronavirus. This has made government and health-related websites an attractive target for DDoS attackers.
In mid-March, attackers attempted to overrun the official website of the U.S. Department of Health and Human Services (HHS). The attempt was apparently designed to take down a source of official data about the pandemic, while other bad actors spread misinformation about COVID-19 via text messages, email, and social networks.
However, the fine IT folks responsible for the HHS website were ready for such an attack, and it failed.
Similar attacks hit health-related organizations in other parts of the world. For example, the Paris-based hospital group Assistance Publique-Hôpitaux de Paris was hit by a DDoS attack designed to take down the organization's infrastructure.
While remote workers were unable to use corporate apps and email for a while, the attack failed to take down the entire organization.
DDoS attacks hit at least two food delivery services (Lieferando in Germany and Thuisbezorgd in the Netherlands). Both companies were still able to take orders, but were unable to process the orders and had to return their customers’ money. The cybercriminals responsible for the Lieferando attack demanded 2 BTC to put a halt to the attack.
Cybersecurity researchers are also becoming targets of DDoS attacks. In 2016, prominent security researcher Brian Krebs was the target of a tremendous DDoS attack, which came close to disrupting his website's ability to service requests. Only a valiant effort by his web provider, Akamai, was able to fend off the nearly overwhelming attack. More about that later.
2. Financial Services Continue to Be Popular DDoS Victims
Financial services have continued to be popular targets for DDoS threats during 2020. Late February saw several Australian financial institutions receiving emails that threatened attacks unless ransom was paid in cryptocurrency. Institutions in Singapore, South Africa and other countries received similar emailed threats.
3. DDoS Attacks Expected to Double by 2022
Cisco estimates that the total number of Distributed Denial of Service attacks will double from the 7.9 million attacks experienced in 2018 to 15.4 million attacks in 2022.
This is despite a series of 2018 FBI crackdowns on DDoS-for-hire services, which closed down 15 such services and resulted in a substantial drop in attacks. However, much like Marvel's fictional group of bad guys called Hydra, when you cut the head off a DDoS group, two seem to take its place.
4. DDoS Attacks Can Eat Up Bandwidth – a Lot of Bandwidth
This may seem like a fact to be filed under “D” for “DUH!”, but you may not realize exactly how much internet traffic a DDoS attack can generate. Such attacks are a massive threat to a country’s internet infrastructure, and they continue to grow.
DDoS attacks can represent up to 25% of a country’s total internet traffic when they are in progress. For example, the largest DDoS attack in Q1 2019 was 587 GB in volume, compared to the largest Q1 2018 attack that amounted to 387 GB in volume. Please note, these numbers are for a single DDoS attack.
5. DDoS Attacks Benefit From the Increasing Number of Internet of Things Devices
Gartner estimates that this year we’ll see the number of Internet of Things (IoT) devices hit 20.4 billion.
Why is this important? Because IoT devices (such as security cams, smart thermostats, refrigerators, baby monitors and more) are notoriously insecure.
Users often fail to change the default administrator password, or flaws in the firmware of such devices leave them open to hackers who enroll the devices into botnets that are used to overwhelm DDoS attack targets.
A10 Networks claims it has tracked over 20.3 million DDoS-weaponized devices, which include infected IoT devices as well as infected computers and servers.
6. China and the United States Were the Most Popular DDoS Attack Targets
During the second quarter of 2019, China and the United States were the two top targets for DDoS attacks, being targeted 63.8% and 17.5% of the time, respectively. Hong Kong was a distant third with 4.61% of all attacks.
Two new countries made an appearance on the target list, with the Netherlands coming in at 4th with 1.54% of all targets and Taiwan snagging 7th place with 1.15%.
7. China and the United States Are Also the Most Popular DDoS Launchpads
China and the United States might have been the two top attack targets, but they were also the top two sources of DDoS attacks.
A10 Networks says that in 2018, over 4.5 million DDoS attacks originated from China, while the U.S. was home base for 2.7 million during that same year. Russia was also a popular DDoS launch site, with 1.5 million. Italy and South Korea rounded out the top 5 with 940,000 and 840,000, respectively.
8. India and China Are Most Popular Botnet Hubs
The Spamhaus Project says its research shows that the country with the most botnets is India, with more than 2.3 million bots, while China ranks in at second with over 1.4 million bots.
Numerous autonomous system number (ASN) operators – mostly Internet Service Providers – showed large numbers of infected IP addresses due to extensive botnet malware. The top 5 infected ASN operators were located in China, India, Egypt, and Vietnam.
9. DDoS Attack Expenses for Victims Continue to Mount
DDoS attack victims continue to face rising costs associated with the attacks. A recent survey by web analytics firm Neustar of 1,000 executives from enterprise firms revealed that DDoS attacks are on the rise, and businesses are forced to pay more to repair the damage, even as they are losing increasing amounts of money due to online service disruptions.
84% of survey respondents say they have experienced at least one DDoS attack in the 12 months preceding the survey. That’s an 11% increase over the previous year.
86% of participants say they had been the victim of multiple DDoS attacks in the previous 12-month period. 63% said the loss of revenue caused by DDoS attacks can be more than $100,000 an hour.
Over 45% of businesses that responded in a separate survey by Corero say they believe the loss of consumer confidence is the worst result from DDoS. The loss of confidence can cause customers to move to competitors, making it difficult to determine the overall financial impact of such attacks.
10. Bad Actors Are Using New Techniques to Perform Attacks
The bad guys are making use of numerous new techniques to disrupt businesses. These new approaches include Generic Routing Encapsulation (GRE)-based flood attacks, as well as Connectionless Lightweight Directory Access Protocol (CLDAP) reflection techniques.
Things are aggravated by the increased use of Internet of Things (IoT) devices in the enterprise. These are sometimes left unsecured, allowing them to be used as entry points that bypass business network defenses. The compromised IoT devices become nodes in the botnet that generates the DDoS traffic stream.
Multi-vector DDoS attacks are becoming more popular. These attacks combine different methods of attack into one quick attack, then repeat the attack shortly after. Approximately 77% of attacks in Q1 2019 used two or more attack vectors.
11. Tools Are Available to Ward Off DDoS Attacks
Earlier I told you about how cybersecurity researcher Brian Krebs saw his website become the target of a DDoS attack. While his web hosting service (Akamai) was able to turn back the attackers, the sheer size of the attack and the costs related to defending against it led to Akamai telling Krebs that it could not defend against another attack of that size.
Luckily, there are services available to enable websites to ward off DDoS attacks. For example, Google offers Project Shield, a free DDoS protection service designed to protect websites against such attacks. This is the service Krebs turned to for future protection against attacks.
Project Shield availability is limited to certain types of websites, including:
- News or journalism
- Human rights
- Elections monitoring or information
- Political organizations of certain countries (access is subject to local law)
Google does not accept applications from other types of websites, such as gaming, commercial or personal sites.
In Closing
As we’ve discovered, Distributed Denial of Service attacks are a problem that won’t be going away any time soon. As a matter of fact, the problem continues to grow with each passing year. Corporate IT providers will continue to face mounting pressure to prevent and resolve such attacks.
DDoS Attacks FAQ
Can a Firewall Stop a DDoS Attack?
While a firewall cannot stop a DDoS attack on its own, it can be a valuable tool in your DDoS prevention arsenal. Firewalls on their own cannot distinguish between malicious and legitimate traffic. DDoS attacks sometimes use HTTP floods, which are composed of legitimate HTTP sessions.
You should make use of other protections such as appliances that sit in front of firewalls, like those offered by Arbor, Fortinet, Check Point, Cisco and other vendors.
That said, you can configure your firewall to drop incoming ICMP packets or block UDP port 53 to block DNS responses from outside your network. This can help prevent some ping-based and DNS attacks.
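As an added illustration (not from the original article), the nftables ruleset below applies the ICMP and UDP/53 advice above to an internet-facing host, with the caveat a practitioner would want: connection tracking lets the host's own DNS lookups and their answers through, and ICMP is rate-limited rather than dropped wholesale so path-MTU discovery and error reporting keep working. The interface name "eth0" and the offered services (HTTP/HTTPS) are assumptions.

```nftables
# Added example; "eth0" and the HTTP/HTTPS services are assumed, not taken from the article.
table inet edge_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened pass through. This includes
        # DNS answers to the host's own queries, so the UDP/53 rules further
        # down do not break name resolution for the server itself.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP: keep the error types that IP relies on, and cap echo requests
        # instead of dropping them, so a ping flood is bounded but the host
        # stays diagnosable. Excess packets fall through to the drop policy.
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp icmp type echo-request limit rate 10/second burst 20 packets accept
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second burst 20 packets accept

        # Unsolicited UDP/53 from the outside (anything conntrack did not
        # already match as a reply) is counted and dropped. That covers
        # reflected DNS responses aimed at this host. A host that is itself
        # an authoritative nameserver would instead need "udp dport 53 accept".
        iif "eth0" udp sport 53 counter drop
        iif "eth0" udp dport 53 counter drop

        # The services this host actually offers (assumed: web only).
        tcp dport { 80, 443 } ct state new accept
    }
}
```

Load it with `nft -f <file>` and watch the `counter` values on the two UDP/53 rules: a sudden jump there, with the server's own lookups still resolving, is the signature of reflected DNS traffic being absorbed at the edge.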
Can a DDoS Attack Create a Data Breach?
While a DDoS attack is not a data breach on its own, it can serve as cover for one. A DDoS attack should act as an alarm for IT professionals, not only because of its ability to hamper network performance but also because it can lower a system’s ability to defend itself.
Many times, bad actors will launch a DDoS attack to mask a more serious security breach. This is like a magician’s trick that draws attention to his left hand while his right one performs the sleight of hand the trick requires.
If a DDoS attack can down an intrusion prevention system or a firewall for only a few moments, that could be all the time needed for a bad guy’s data breach trick.
Can a DDoS Attack Be Traced?
DDoS attacks have become tougher to trace because the layers of bot armies disguise the original source, particularly through their use of encrypted and peer-to-peer connections.
That said, if a DDoS attacker has not properly masked their IP address, it could be possible to trace the attack back to them, but only in the time during or immediately following the attack. The longer an investigation takes to be initiated, the lower the chances of finding the originator of a DDoS attack.
How Long Can a DDoS Last?
A DDoS attack can last from minutes to weeks.
TechRepublic reported that during the last quarter of 2018, one DDoS attack lasted 329 hours. (That’s almost 2 weeks.) During 2018, the average length of a DDoS attack more than doubled from the start of the year to its end (95 minutes to 218 minutes). Attacks are increasing in length due to the fact that they are becoming more complex and tougher to mitigate.
Does Changing Your IP Address Stop DDoS?
Changing your IP address can end a DDoS attack (at least temporarily). When requesting a new IP address from your provider, make sure you also send a DHCP release or renew request as part of the process. Otherwise, you may receive the same IP address you had before.
Also, if you use a dynamic DNS service and the attack is directed at your hostname instead of the IP address, you may find that you are still under attack, as the hostname follows you to your new IP address.