Wednesday, October 1, 2025

    Move Over, DDoS: It’s the Era of Distributed Denial of Defense (DDoD)

    There is a real divergence happening in the distributed denial-of-service (DDoS) attack landscape. On one hand, some vendors are regularly reporting headline-grabbing DDoS attacks that are often simple, single-vector, easy-to-mitigate attacks like UDP floods. Are these attacks high in volumetric terms? Yes, of course!

    On the other hand, well-resourced cyberthreat actors are using botnets powered by artificial intelligence (AI) and the internet of things (IoT) to orchestrate highly sophisticated DDoS attacks. Note the key word: “sophisticated.” 

    That has been the flavor of modern DDoS attacks. These are often multi-vector, multidestination (multiple IP addresses) DDoS attacks, and they use AI-enabled tools to probe your defenses, identify weak spots, and launch an attack that often disables the DDoS protection solution itself, before taking your digital infrastructure offline. We have entered the era of distributed denial of defense (DDoD). 

    Can your current DDoS solution actually protect you from modern DDoS attacks?

    Simple, easy-to-mitigate vectors like UDP floods can be blocked by any rudimentary DDoS protection solution, no matter how many terabits per second (Tbps) of attack traffic an attacker generates. In many cases, even a simple access control list (ACL) can do the job. These types of simple tactics, techniques, and procedures (TTPs) are hardly new or noteworthy to network security practitioners.

    AI-enabled, sophisticated DDoS attacks are an entirely different story: they intelligently probe your defenses, identify weaker points in your security posture, and then launch a moderate-volume but complex mix of attack vectors. These attacks take your DDoS defenses down first and then take your network offline.

    Sophisticated DDoS attacks do not need to rely on volume

    Sophisticated DDoS attacks are almost never high in volumetric terms. That’s because the attacker doesn’t have to generate a lot of traffic if it can overwhelm your defenses with a relatively moderate amount of carefully crafted malicious traffic.

    Think of it this way: If someone were trying to break into your house, they could either use brute force to break through the front door, trigger the home alarm system, and be prepared to confront the police, or they could work out how to disable your security system and then break in with a moderate level of effort. Some modern DDoS attacks use the second technique: They disable your security system and then break into your network. Customer networks often have different levels of redundant capacity or technology built in to absorb or shunt the initial blow of an attack. Unfortunately, that’s not enough.

    Controls or devices such as stateless firewalls, for example, can help initially but often have finite capacity to absorb protocol misuse and/or to distribute load equally while also concentrating on servicing legitimate hosts or users. Sometimes all an attacker needs is just enough attack capacity to bring down infrastructure and bypass automated controls.

    The new era: Distributed denial of defense (DDoD)

    Over the past few years, an emerging trend has been observed where cybercriminals are pivoting from the old game of distributed denial of service to the new sport of distributed denial of defense. The attacks in the Asia-Pacific region cemented this transition.

    Once your automated DDoS defense system is down, the attacker does not need a high volume of malicious traffic to disrupt your network.

    In the Asia-Pacific example, this approach allowed the attacker to successfully attack and disrupt multiple companies at the same time and over weeks. They used the “firing power” of their botnets in an economically efficient way, rather than exhausting their resources with conventional massive-size attacks.

    How to protect your organization in the current DDoS landscape

    As a network security professional, what recourse do you have? You can start with these five steps.

    • Develop a robust network security posture that is underpinned by proactive detection, behavior-based analysis, and an intelligent combination of automation and human intervention. Relying solely on automated defenses puts the consistency and quality of mitigation at risk. 
    • Understand attacker behavior and build a baseline for rapid mitigation. Are attackers probing for API vulnerabilities or bypassing application-layer defenses? Is there unusual and irregular request activity from spoofed or untrusted sources? These might be leading indicators of a sophisticated DDoS campaign.
    • Adopt a DDoS defense platform that has dedicated defense capacity, not shared capacity, and that does not have a track record of becoming repeatedly unavailable. 
    • Ensure that your incident response plan is up-to-date. This plan should include a crisis response team with clearly defined roles, communication channels, and predefined strategies for mitigating a DDoS attack. 
    • Benchmark your current network security posture against the DDoS defense maturity model developed by FS-ISAC and Akamai, and identify improvement areas to mature your security. 
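    The second step asks you to baseline attacker behavior and watch for leading indicators rather than raw volume. The following added example (not from the article or from Akamai) shows that idea over constructed flow records: it profiles each source by how many distinct destinations and vectors it touches and how often the edge rejects it, so a quiet multi-vector, multi-destination prober surfaces even though a busier benign source sends far more requests. The vector label is assumed to come from a hypothetical upstream classifier; the thresholds are illustrative.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): (src, dst, vector, status).
# Status 0 marks a transport-level probe with no HTTP response; 403 marks a
# request the edge rejected. The vector label is an assumed field produced by
# a hypothetical upstream classifier, not something the article specifies.
SAMPLE = (
    [("203.0.113.5", "198.51.100.10", "http-get", 200)] * 40   # busy but benign
    + [("203.0.113.9", "198.51.100.10", "http-get", 200)] * 5
    + [("192.0.2.7", "198.51.100.10", "syn", 0),               # low-volume prober
       ("192.0.2.7", "198.51.100.11", "udp", 0),
       ("192.0.2.7", "198.51.100.12", "http-post", 403),
       ("192.0.2.7", "198.51.100.12", "http-get", 403),
       ("192.0.2.7", "198.51.100.13", "dns", 0),
       ("192.0.2.7", "198.51.100.10", "http-get", 403)]
)

def profile_sources(records):
    """Per-source counts: requests, distinct destinations, distinct vectors,
    and the share of requests that were rejected or never completed."""
    stats = defaultdict(lambda: {"requests": 0, "dsts": set(), "vectors": set(), "bad": 0})
    for src, dst, vector, status in records:
        s = stats[src]
        s["requests"] += 1
        s["dsts"].add(dst)
        s["vectors"].add(vector)
        if status == 0 or status >= 400:
            s["bad"] += 1
    return {src: {"requests": s["requests"],
                  "destinations": len(s["dsts"]),
                  "vectors": len(s["vectors"]),
                  "reject_ratio": s["bad"] / s["requests"]}
            for src, s in stats.items()}

def top_by_volume(records):
    """What a purely volumetric view would surface first."""
    prof = profile_sources(records)
    return max(prof, key=lambda src: prof[src]["requests"])

def flag_probers(records, min_destinations=3, min_vectors=2, min_reject_ratio=0.5):
    """Sources that spread few requests over many targets and vectors and are
    mostly rejected: the reconnaissance-style leading indicator from the text.
    Thresholds are illustrative; derive real ones from your own baseline."""
    prof = profile_sources(records)
    return sorted(src for src, p in prof.items()
                  if p["destinations"] >= min_destinations
                  and p["vectors"] >= min_vectors
                  and p["reject_ratio"] >= min_reject_ratio)

if __name__ == "__main__":
    print("loudest source:", top_by_volume(SAMPLE))   # 203.0.113.5
    print("probing sources:", flag_probers(SAMPLE))   # ['192.0.2.7']
```

In a real deployment the per-source baseline would be learned over time from your own edge or flow logs, and the flagged sources would feed the human review the first step calls for rather than an automatic block.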

    During a DDoS attack, it is crucial to follow a structured response to minimize damage and maintain service availability. Start by assessing your current risk exposure and the effectiveness of your existing defenses, engaging with your mitigation provider to address vulnerabilities in real time. Ensure that your critical IP spaces and subnets are secured with proper controls to prevent attackers from compromising essential infrastructure. Always-on DDoS security controls should be activated to provide a proactive first layer of defense, easing the burden on your response teams. 

    Strengthen protection further by implementing an edge-based cloud firewall that blocks malicious traffic before it reaches internal systems. Safeguarding your DNS infrastructure is equally important, as DNS attacks are a common tactic. In parallel, activate your incident response plan to ensure a calm, coordinated reaction during the crisis. Finally, extend defenses to the application and API layers, since many modern DDoS attacks exploit them.

    This article was written by Sven H. Dummer, Global Director of Product Marketing; Sandeep Rath, Senior Product Marketing Executive at Akamai; and Dennis Birchard, Akamai.
