DDoS Attacks: Detection and Defense Mechanisms
Distributed denial of service, or DDoS, is a well-known attack within the cybersecurity world. However, despite being around for a long time, it does not show any signs of slowing down.
According to Symantec, Distributed denial-of-service (DDoS) attacks, as the name implies, attempt to deny service to legitimate users by overwhelming the target with activity. The most common method is a network traffic flood DDoS attack against Web servers, where distributed means that multiple sources attack the same target at the same time. These attacks are often conducted through botnets.
According to research by SurfWatch Labs in 2016, service interruptions from DDoS attacks rose by an astonishing 162 percent that year. The question is why this form of attack is so prevalent if all it does is disrupt computer systems. Here are four reasons why DDoS attacks have increased over the years.
- Extortion and Profit - One of the easiest motivations for DDoS attacks to understand is the desire to profit through extortion. In this kind of scam, attackers blackmail victims by email, demanding that they pay a fee or have their online presence knocked offline for hours by a DDoS attack. Sometimes the extortion demand is accompanied by a short DDoS burst to demonstrate the attacker's capabilities and to amplify the significance of the looming threat. According to Symantec, the targets are often companies that rely heavily on their Web presence, such as online shops, online gambling or betting sites, and media and gaming services. Surprisingly, the attackers often demand quite a small amount of money; for example, during an attack against a US company in April 2014, the attacker demanded US$300.
- Diversion - DDoS attacks can also be used in targeted attacks to distract the victim from the real attack or to keep the victim's resources busy. A 2012 case reported by KrebsOnSecurity illustrates this: a DDoS attack on a bank hid a US$900,000 cyberheist. The idea is to keep the local CERT team busy with the DDoS attack while a targeted attack is conducted. According to Symantec, researchers have long speculated about this tactic, as it can serve multiple purposes. A DDoS attack can also be used to prevent users, for example online banking customers, from logging into the service and discovering that their funds are missing. Servers may get restarted, which can destroy forensic evidence that existed only in memory.
A DDoS attack may also cause log files to grow much larger, making it difficult for the firm's security team to find the relevant entries. Of the companies that experienced a DDoS attack in 2013, 55 percent were also victims of data theft or another attack at the same time, according to a survey by Neustar. Such diversionary DDoS attacks are usually smaller in volume and last only a short time, as the attackers do not want to destroy the target.
- Hacktivism - When discussing hacktivist collectives, one of the first groups that comes to mind is Anonymous. While this loosely associated network of individuals and groups is still making its mark, its campaigns are failing to create the impact that they once did. While attacks under the Anonymous banner still pose a major risk, other hacktivist groups have somewhat taken the limelight in recent times. The al-Qassam Cyber Fighters, Cyber Berkut, and #OpHackingCup groups are good examples of the use of DDoS attacks to protest in favor of ideologies and generate media attention. DDoS is often used to show support or opposition regarding a certain topic. It could be political, but also for or against businesses or banks, or driven by ethical concerns.
- Revenge - Revenge is a widespread reason for DDoS attacks and can apply to businesses, individuals, and governments alike. In an article by CSO Online, the commonality is that the individual behind the attack wishes to inflict damage, swiftly and completely, on the entity being attacked. No prior experience is necessary: DDoS services can be rented, by subscription no less, with a few clicks and an anonymous bitcoin payment. As reported by Infosecurity Magazine in 2018, a New Mexico man was handed a 15-year prison sentence for launching DDoS attacks against former employers, business competitors, and public services. Between July 2015 and March 2017, he is said to have launched attacks from his own computer and via multiple DDoS-as-a-service offerings against roughly three dozen target websites.
Here are some detection and defense mechanisms organizations could employ to combat the effects of DDoS attacks and the attack itself.
- Leverage the Cloud - Outsourcing DDoS prevention to cloud-based service providers offers several advantages. First, the cloud has far more bandwidth and resources than a private network likely does. With the increasing magnitude of DDoS attacks, relying solely on on-premises hardware is likely to fail.
- Monitor for Unusual Activity - Early threat detection is one of the most efficient ways to prevent the attack. Organizations should establish a baseline of normal network operation and configure alerting so that the security team is notified as soon as the network deviates from that baseline.
- Secure Network Infrastructure - Mitigating network security threats can only be achieved with multi-level protection strategies in place. This includes advanced intrusion prevention and threat management systems, which combine firewalls, VPN, anti-spam, content filtering, load balancing, and other layers of DDoS defense techniques. Together they enable constant and consistent network protection to prevent a DDoS attack from succeeding. This ranges from identifying possible traffic inconsistencies to blocking the attack with the highest level of precision.
- Properly Configured Access Control Lists - ACLs provide a flexible option against a variety of security threats and exploits, including DDoS. ACLs provide day-zero or reactive mitigation for DDoS attacks, as well as a first-level mitigation for application-level attacks. An ACL is an ordered set of rules that filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. Firewalls, routers, and even switches support ACLs. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of the rules in order. The first match determines whether the packet is permitted or denied. If there is no match, the device applies the applicable default rule (generally an implicit "deny all"). The device continues processing packets that are permitted and drops packets that are denied.
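The baseline-and-alert approach from the "Monitor for Unusual Activity" item above, as an added example that is not part of the original article: it derives an alert threshold from a constructed baseline of requests per second, buckets constructed access-log lines by second, and reports any second over the threshold together with the sources that dominate it. The log format, the baseline values and the RFC 5737 documentation addresses are assumptions made for this example.

```python
import statistics
from collections import Counter, defaultdict

# Constructed baseline: requests per second seen during normal operation
# (hypothetical values, not measurements from any real network).
BASELINE_RPS = [120, 135, 128, 140, 132, 125, 138, 130, 127, 134]

# Constructed access-log lines, "epoch_second src_ip" per request. Two normal
# seconds from ~50 clients, then one second where three sources send 900
# requests on top of the usual load (RFC 5737 documentation addresses).
SAMPLE_LOG = (
    [f"1700000000 192.0.2.{i % 50}" for i in range(130)]
    + [f"1700000001 192.0.2.{i % 50}" for i in range(125)]
    + [f"1700000002 192.0.2.{i % 50}" for i in range(70)]
    + [f"1700000002 198.51.100.{i % 3}" for i in range(900)]
)

def build_threshold(samples, k=3.0):
    """Alert threshold from the baseline: mean plus k standard deviations."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)

def bucket_by_second(lines):
    """Group source addresses by the second in which they made a request."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src = line.split()
        buckets[int(ts)].append(src)
    return buckets

def detect_floods(lines, threshold, top_n=3):
    """Return one alert per second whose request rate exceeds the threshold,
    with the sources that dominate that second and their share of traffic."""
    alerts = []
    for second, srcs in sorted(bucket_by_second(lines).items()):
        rps = len(srcs)
        if rps <= threshold:
            continue
        top = Counter(srcs).most_common(top_n)
        alerts.append({"second": second, "rps": rps,
                       "top_sources": [(ip, round(n / rps, 2)) for ip, n in top]})
    return alerts

if __name__ == "__main__":
    limit = build_threshold(BASELINE_RPS)
    for alert in detect_floods(SAMPLE_LOG, limit):
        print(f"ALERT t={alert['second']} rps={alert['rps']} "
              f"(threshold {limit:.0f}) top={alert['top_sources']}")
```

The per-source share in each alert is what distinguishes a flood concentrated on a few addresses (a candidate for a reactive block) from a legitimate traffic spike spread across many clients.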
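The first-match ACL evaluation described in the "Properly Configured Access Control Lists" item, as an added example rather than code from the article or from any vendor's device: an ordered rule list is walked until the first rule whose every condition matches, and a packet matching no rule falls through to the implicit deny. It also shows why rule order matters, since placing the reactive block below the general web permit lets the flood source through. The rule fields, the packet representation and the RFC 5737 prefixes are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # source prefix in CIDR form; "0.0.0.0/0" is any
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        """All conditions of a rule must hold for the packet to match it."""
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dst_port")

def evaluate(acl, pkt: dict, default: str = "deny"):
    """Walk the ordered rule list; the first match decides. No match falls
    through to the implicit default (deny all on most devices)."""
    for idx, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, idx
    return default, None

# Constructed edge ACL (hypothetical prefixes from RFC 5737 documentation space):
# a reactive block for a flooding /24 sits ABOVE the general web permits so it
# is hit first; everything not listed hits the implicit deny.
EDGE_ACL = [
    Rule("deny",   "any", "198.51.100.0/24", None),
    Rule("permit", "tcp", "0.0.0.0/0",       443),
    Rule("permit", "tcp", "0.0.0.0/0",       80),
]

# Same rules with the block placed after the web permit: the flood source now
# matches the permit first and the deny is never reached.
MISORDERED_ACL = [EDGE_ACL[1], EDGE_ACL[0], EDGE_ACL[2]]

FLOOD_PKT = {"proto": "tcp", "src": "198.51.100.7", "dst_port": 443}
CLIENT_PKT = {"proto": "tcp", "src": "203.0.113.5", "dst_port": 443}
NTP_PKT = {"proto": "udp", "src": "203.0.113.5", "dst_port": 123}

if __name__ == "__main__":
    for name, pkt in [("flood", FLOOD_PKT), ("client", CLIENT_PKT), ("ntp", NTP_PKT)]:
        print(name, evaluate(EDGE_ACL, pkt), "misordered:", evaluate(MISORDERED_ACL, pkt))
```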
With the number of DDoS attacks increasing over the past year, it is important that network engineers, designers, and operators build services and monitor networks with defending against and preventing DDoS attacks in mind.