Understanding Distributed Denial of Service Attacks (DDoS) - A Guide

Written by Marketing | Nov 28, 2023 3:31:04 PM

EXECUTIVE SUMMARY

In the ever-evolving landscape of cyber threats, Distributed Denial-of-Service (DDoS) attacks stand out as one of the most challenging threats. These attacks involve flooding a server with internet traffic, rendering connected online services and sites inaccessible.

Motivations behind DDoS attacks range from making a statement or expressing disapproval to financially motivated disruption or extortion. Even major global corporations such as Amazon Web Services (AWS) are not immune to the rising tide of DDoS attacks, with what was then the largest attack on record occurring in February 2020.

As the Internet of Things (IoT) expands and remote workforces grow, the number of devices connected to networks keeps increasing. Every additional device widens the attack surface, which makes robust DDoS protection and mitigation strategies more important than ever. Let’s dive into what DDoS attacks are and how organizations can protect themselves.

WHAT IS A DDOS ATTACK?

DDoS attacks are powerful and typically use both compromised and uncompromised computer systems, including PCs and IoT devices, to inundate a designated target with fake Internet traffic. The malware-infected, Internet-connected devices used to generate the traffic are referred to as bots; organized under an attacker's control, they form a botnet. The attacker remotely instructs each bot to carry out malicious activities such as sending spam, stealing credentials, espionage and, notably, DDoS attacks.

Once a victim's server or network is pinpointed, bots utilize diverse methods to dispatch substantial traffic to the targeted IP addresses. This massive influx overwhelms the server or network, leading to a denial-of-service for normal traffic. The challenge lies in discerning and segregating attack traffic from regular traffic, given that each bot appears as a legitimate Internet device.

Unlike many cyberattacks that aim to steal sensitive information, a DDoS attack is primarily geared towards rendering websites inaccessible to their users. However, some DDoS attacks act as a smokescreen for additional malicious activity. For instance, once the servers are successfully brought down, attackers may operate in the background to take down the site's firewalls or weaken other security controls in preparation for future attacks.

Additionally, a DDoS attack can serve as a digital supply chain attack. If cyber attackers encounter difficulty breaching the security systems of various target websites, they may identify a vulnerable link common to all the targets and direct their attack towards that link. Compromising this link results in automatic, indirect repercussions for the primary targets.

TYPES OF DDOS ATTACKS

DDoS attacks target different network layers and are categorized based on the layers they exploit.

  • Volume-Based Attacks: Aim to saturate the target's available bandwidth, exemplified by DNS amplification attacks.
  • Protocol Attacks: Exploit weaknesses in Layers 3 and 4 of the OSI protocol stack, with SYN floods as a notable example.
  • Application-Layer Attacks: Target Layer 7 of the OSI model, overwhelming servers by forcing them to handle more than usual, as seen in HTTP floods.

RECENT ATTACKS

GOOGLE, CLOUDFLARE, AWS

In October 2023, Cloudflare, Amazon Web Services (AWS) and Google Cloud reported the largest DDoS attacks ever. On October 10, the cloud service providers reported a series of DDoS attacks, initiated in August and still ongoing. Google labeled it the largest DDoS attack to date, peaking at over 398 million requests per second (rps), a record seven and a half times larger than the previous one.

The attackers used a novel HTTP/2 "Rapid Reset" technique, impacting various internet infrastructure companies. This method involves immediately canceling each request stream, allowing indefinite requests in flight without exceeding the limit on concurrent open streams. Notably, the attack utilized a modestly-sized botnet of approximately 20,000 machines.

The exploitation of a zero-day vulnerability provided attackers with a powerful tool, prompting affected companies to implement DDoS mitigation techniques, including load balancing. To collectively mitigate the impact, multiple internet infrastructure companies affected by the attacks formed a partnership, averting widespread outages.
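As an added example (constructed for this report, not code from any of the providers named above), the following Python models one common server-side defense against the stream-cancellation pattern just described: count how often a connection opens a stream and immediately cancels it, and close the connection once cancellations dominate. The thresholds, connection names and frame traces are illustrative assumptions.

```python
"""Per-connection HTTP/2 Rapid Reset detector (constructed example).
A Rapid Reset client opens a stream (HEADERS) and cancels it at once (RST_STREAM),
so the concurrent-stream limit never fills; counting resets against streams opened
over a short window separates that pattern from a browser that cancels now and then."""
from collections import defaultdict, deque

RESET_RATIO = 0.5   # resets / streams opened before a connection is suspect (illustrative)
MIN_STREAMS = 20    # do not judge a connection before it has opened this many
WINDOW = 1.0        # seconds of frame history kept per connection


class ConnectionState:
    def __init__(self):
        self.events = deque()          # (timestamp, frame_type)

    def observe(self, ts, frame):
        self.events.append((ts, frame))
        while self.events and ts - self.events[0][0] > WINDOW:
            self.events.popleft()      # forget frames older than the window

    def counts(self):
        opened = sum(1 for _, f in self.events if f == "HEADERS")
        reset = sum(1 for _, f in self.events if f == "RST_STREAM")
        return opened, reset

    def is_rapid_reset(self):
        opened, reset = self.counts()
        return opened >= MIN_STREAMS and reset / opened >= RESET_RATIO


def classify(frames):
    """frames: (timestamp, conn_id, frame_type, stream_id) in time order; returns conn ids to close."""
    conns = defaultdict(ConnectionState)
    flagged = set()
    for ts, conn, frame, _stream in frames:
        conns[conn].observe(ts, frame)
        if conns[conn].is_rapid_reset():
            flagged.add(conn)
    return flagged


def sample_frames():
    """Constructed trace: a browser that cancels two image streams, and an attacker cancelling every stream."""
    frames = []
    for i in range(30):                                            # browser: 30 streams in one second
        frames.append((i / 30, "browser", "HEADERS", 2 * i + 1))
        if i in (5, 17):                                           # user scrolled past two images
            frames.append((i / 30 + 0.01, "browser", "RST_STREAM", 2 * i + 1))
    for i in range(200):                                           # attacker: open and cancel together
        frames.append((i / 200, "attacker", "HEADERS", 2 * i + 1))
        frames.append((i / 200, "attacker", "RST_STREAM", 2 * i + 1))
    return sorted(frames)
```

Because the browser's two cancellations stay far below the ratio threshold, only the attack connection is flagged; in production the thresholds would be tuned against observed client behaviour.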

HEALTHCARE ORGANIZATIONS IN SINGAPORE

In early November 2023, it was reported that several public healthcare organizations in Singapore were impacted by a DDoS attack. The attacks are still occurring, as reported by the national healthtech agency Synapxe, tasked with overseeing the IT operations supporting the public healthcare network in the country. This network comprises 46 public healthcare institutions, including hospitals and polyclinics, along with 1,400 community partners encompassing nursing homes and general practitioners.

The attackers behind the DDoS incident bombarded targeted servers with requests, keeping legitimate users from accessing websites of various hospitals. The impacted institutions include Tan Tock Seng Hospital, Singapore General Hospital, and National University Hospital, alongside three local public healthcare clusters, which consist of SingHealth (Singapore Health Services) and National Healthcare Group.

Fortunately, Synapxe’s networks were protected by a layered defense designed to detect and respond to online threats. However, the attack traffic still overwhelmed the firewall sitting behind the company’s upstream blocks. This triggered the firewall to filter out traffic, which made services that depended on online connectivity inaccessible.

DEFENSE

The above examples show that DDoS remains a tried-and-true attack vector for cybercriminals. Identifying a DDoS attack is difficult because its symptoms mimic routine network issues: slow performance, website unavailability, dropped internet connections, unusual media or content, and an influx of spam. The duration and intensity of attacks also vary, adding complexity to detection.

Preventing DDoS attacks outright is challenging given their evolving sophistication. However, organizations can plan effective responses:

  • Risk Assessment: Regularly assess vulnerabilities and strengths in devices, servers, and networks.
  • Traffic Differentiation: Use Anycast networks to scatter attack traffic, making it more manageable.
  • Black Hole Routing: Redirect all traffic, good and bad, to a null route to mitigate the impact, albeit with potential business loss.
  • Rate Limiting: Restrict the number of requests a server can accept within a specific timeframe.
  • Firewalls and WAFs: Employ Web Application Firewalls to filter requests and create rules to identify and block DDoS patterns.
  • Implement MFA: Multi-Factor Authentication (MFA) can enhance security during DDoS attacks by adding an additional layer of authentication, reducing the risk of unauthorized access to critical systems and services.
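As an added example (not part of the report), the following Python replays constructed web-server access-log lines through a per-source sliding-window limiter, the kind of control the Rate Limiting and WAF items above describe, and reports how many requests each source had rejected. The limit, window and addresses are illustrative assumptions.

```python
"""Sliding-window request rate limiter driven by access logs (constructed example).
Per source address it reports how many requests exceeded the allowed rate, which is
the figure a WAF or rate-limit rule would act on. Sample addresses use RFC 5737 ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime

LIMIT = 100     # requests allowed per source within WINDOW (illustrative)
WINDOW = 10.0   # seconds
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Parse one common-log-format line into (ip, epoch_seconds, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, when, method, path, int(status)


class SlidingWindowLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)     # ip -> request timestamps inside the window

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                    # forget requests that left the window
        if len(q) >= self.limit:
            return False                   # over budget: reject and do not record
        q.append(now)
        return True


def evaluate(lines, limiter=None):
    """Replay log lines (in time order per source) through the limiter; return {ip: rejected}."""
    limiter = limiter or SlidingWindowLimiter()
    rejected = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec and not limiter.allow(rec[0], rec[1]):
            rejected[rec[0]] += 1
    return dict(rejected)


def sample_log():
    """Constructed log: one visitor at a normal pace, one source sending 150 requests in 5 s."""
    fmt = '{ip} - - [28/Nov/2023:15:31:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", sec=s, path="/index.html") for s in (0, 4, 9, 15)]
    lines += [fmt.format(ip="203.0.113.9", sec=s // 30, path="/search?q=%d" % s) for s in range(150)]
    return lines
```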

How Avertium is Protecting Our Customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from DDoS attacks:

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have dissolved the traditional perimeter into an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
    • Risk Assessments
    • Pen Testing and Social Engineering
    • Infrastructure Architecture and Integration
    • Zero Trust Network Architecture
    • Vulnerability Management
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
    • Threat Mapping - Leverage Avertium’s Cyber Threat Intelligence to get a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.