A distributed denial of service (DDoS) attack can take down a company’s infrastructure, communications, applications, or other services. It costs money to recover from such an attack, but the revenue losses due to outages can be even higher. In 2021, the scale of these attacks hit record highs, and they are expected to continue to increase in number as botnets and DDoS-as-a-service platforms proliferate.
Cyber criminals have also begun demanding ransom payments for stopping the attacks — or not launching them in the first place.
As companies get better at defending against encryption-based ransomware, some experts expect denial-of-service extortion to grow this year.
Denial of service attacks aren’t always top of mind for organizations dealing with cyber threats. Often, they’re seen as nuisance threats, said Kayne McGladrey, IEEE senior member and cybersecurity strategist at Ascent Solutions. When hit, companies can often just hire a mitigation vendor and block the attack traffic.
“And our politicians aren’t really talking about this,” he said. “They haven’t personally been affected by it.”
These kinds of attacks also don’t have the same kind of compliance implications as other types of cybersecurity incidents, he added. Data breaches, for example, have to be reported and remediated, both of which can be costly.
But denial of service attacks may finally be getting their moment in the spotlight.
In October, Bandwidth, a global cloud communications company, reported losses of between $9 and $12 million due to a DDoS attack.
This was just one of several attacks against communication companies last fall, some of which included multi-million-dollar ransom demands.
And communications companies weren’t the only ones hit last year. In the fourth quarter, manufacturing saw a 641% increase in application-layer DDoS attacks compared to the previous quarter, according to a report by Cloudflare.
According to Vidisha Suman, partner in the digital transformation practice at Kearney, a global strategy and management consultancy, typical targets of DDoS attacks include, but are not limited to, financial services companies, gaming companies, security-sensitive military entities, global chemical, utilities, telco companies, heavy industrial firms, and government bodies.
Having plans in place for business continuity and recovery will be key in 2022, she said.
“If it’s not on your board agenda now, it really ought to be,” she told Data Center Knowledge. “In 2022, cybersecurity will become a competitive differentiator.”
With the scale and complexity of attacks going up, and adversaries increasingly using denial of service to extort money or to disguise other types of attacks, preventing and mitigating these assaults should be a foundational piece of cybersecurity hygiene for data center managers in 2022.
5G, IoT, and DDoS-as-a-service
The growth in unsecured connected devices, the switch to high-speed 5G networks, and the continued expansion of the DDoS-as-a-service industry have helped fuel some of the largest attacks on record over the past year.
In January, Microsoft reported the largest DDoS attack it has ever recorded, at 3.47 terabits per second and a rate of 340 million packets per second.
Meanwhile, Cloudflare reported a record-breaking HTTP attack last summer, peaking at 17 million requests per second, almost three times larger than any HTTP attack the company had seen before. Attacks of that kind are measured in requests per second because they aim to exhaust the application behind the web server rather than the network link; volumetric attacks, by contrast, are measured in bits or packets per second and attempt to swamp networks with sheer traffic volume.
In November, Cloudflare saw a multi-vector attack that peaked at just below 2 terabits per second, the largest attack of this type the company had ever seen. It combined DNS amplification, in which the attacker sends small queries to open DNS resolvers with the victim's address spoofed as the source so that the resolvers deliver much larger responses to the victim, with a UDP flood, which sprays datagrams at random ports so that the target wastes resources checking for listeners and answering with ICMP errors.
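What those two vectors look like from the target's side, as an added example that is not Cloudflare's or any vendor's code: a short Python detector run over constructed UDP flow records. The record format, the assumed 64-byte query size, the 10x amplification threshold, the 50-port flood threshold and every address (drawn from the TEST-NET documentation ranges) are assumptions made here for illustration.

```python
from collections import defaultdict, namedtuple

# One UDP flow record as a monitoring tool might export it (constructed format):
# ts src sport dst dport bytes pkts
Flow = namedtuple("Flow", "ts src sport dst dport nbytes pkts")


def parse_flows(lines):
    """Parse whitespace-separated flow lines into Flow tuples."""
    flows = []
    for line in lines:
        ts, src, sport, dst, dport, nbytes, pkts = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), int(nbytes), int(pkts)))
    return flows


def detect_dns_amplification(flows, victim, query_bytes=64, min_ratio=10.0):
    """Return {resolver_ip: amplification_ratio} for suspect reflectors.

    The attacker sends small queries to open resolvers with the victim's
    address spoofed as the source; the resolvers answer the victim with
    responses many times larger. Seen from the victim, that is UDP from
    port 53 of hosts the victim never queried, with a bytes-per-packet figure
    far above the size of a query (query_bytes is an assumed typical size).
    """
    queried = {f.dst for f in flows if f.src == victim and f.dport == 53}
    suspects = {}
    for f in flows:
        if f.dst == victim and f.sport == 53 and f.src not in queried:
            ratio = (f.nbytes / f.pkts) / query_bytes
            if ratio >= min_ratio:
                suspects[f.src] = ratio
    return suspects


def detect_udp_flood(flows, victim, window=10, min_ports=50):
    """Return sources hitting >= min_ports distinct UDP ports within a window.

    A UDP flood sprays datagrams across random ports; each one makes the host
    look for a listener and send back an ICMP port-unreachable, so the spread
    of destination ports from one source is the tell-tale signal. Busy
    legitimate peers (a heavily used resolver) may need an allowlist.
    """
    ports = defaultdict(set)
    for f in flows:
        if f.dst == victim:
            ports[(f.src, f.ts // window)].add(f.dport)
    return sorted({src for (src, _), seen in ports.items() if len(seen) >= min_ports})


VICTIM = "198.51.100.10"  # constructed victim address (TEST-NET-2)

# Constructed sample traffic around the victim.
SAMPLE_LINES = (
    # victim queries its real resolver and gets a normal-sized answer back
    ["100 198.51.100.10 40001 192.0.2.53 53 64 1",
     "100 192.0.2.53 53 198.51.100.10 40001 120 1"]
    # three open resolvers answer queries the victim never sent: reflection
    + [f"101 203.0.113.{i} 53 198.51.100.10 40001 3000 1" for i in (1, 2, 3)]
    # a small stray response: unsolicited, but no amplification, so ignored
    + ["101 203.0.113.9 53 198.51.100.10 40001 80 1"]
    # one source sprays 60 distinct ports within five seconds: UDP flood
    + [f"{100 + i % 5} 203.0.113.200 5555 198.51.100.10 {1024 + i} 60 1" for i in range(60)]
    # a benign peer touching a handful of ports stays below the threshold
    + [f"102 192.0.2.77 6000 198.51.100.10 {5000 + i} 60 1" for i in range(3)]
)
SAMPLE = parse_flows(SAMPLE_LINES)

if __name__ == "__main__":
    print("amplification reflectors:", detect_dns_amplification(SAMPLE, VICTIM))
    print("udp flood sources:", detect_udp_flood(SAMPLE, VICTIM))
```

The amplification check keys on responses the victim never asked for rather than on volume alone, because a single reflected response is already proof of spoofing; the size ratio only filters out stray late answers. In production the same two functions would read exported flow records from the collector instead of the constructed sample.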
The barriers to entry for launching a DDoS attack fell dramatically last year as well, due to the growth of DDoS-as-a-service platforms.
According to Akamai, the cost of launching a DDoS attack from dark web toolkits recently dropped by half, from $10 to $5.
Botnets are used to launch the biggest DDoS attacks, and the number of botnets also went up last year.
According to Carl Wearn, head of risk and resilience for e-crime and cyber investigation at Mimecast, part of the reason for the growth in botnets is the explosion in connected devices which can be hijacked by botnet operators and used to send out malicious traffic.
“Your lightbulb feels a strange compulsion to connect to the Internet,” he told Data Center Knowledge. “And security is not an underlying premise that people take in connection with these devices.”
The firmware that comes installed in these devices is not only rife with vulnerabilities but also difficult to upgrade, he said. And even when it can be upgraded and patched, manufacturers often stop supporting it after a year or two.
Despite some high-profile takedowns by global authorities, research firm Spamhaus reported more than 3,200 botnet command and control servers in the fourth quarter of 2021 — up from under 1,400 in the fourth quarter of 2020.
And that’s not counting the botnets that use DNS over HTTPS for their command-and-control lookups instead of cleartext DNS, the company said. DoH was designed to protect users by encrypting DNS queries, but the same encryption hides a bot's resolver lookups from security researchers and defenders who rely on inspecting DNS traffic.
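One way defenders can still surface DoH-based command and control without decrypting anything, as an added example that is not Spamhaus's code or from the article: flow-level heuristics over connection logs. The log format, the thresholds and the sample hosts are constructed for this example; the resolver list holds well-known public DoH resolvers and is assumed to be maintained by the operator, including any in-house DoH endpoints.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Well-known public resolvers that answer DoH on TCP/443. Assumption: the
# operator keeps this list current and adds any in-house DoH endpoints.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def find_doh_suspects(conns, min_doh=3, max_cv=0.2):
    """Return {host: [reasons]} for hosts showing DoH-related C2 signals.

    conns: iterable of (ts_seconds, src_host, dst_ip, dst_port, proto).
    Without decrypting TLS you cannot read the names a bot resolves over DoH,
    but flow metadata still shows two things: (1) a host talking HTTPS to a
    known DoH resolver while sending no cleartext DNS at all, and (2) resolver
    contacts spaced at suspiciously regular intervals, the clockwork beaconing
    of C2 check-ins rather than of a user browsing. Regularity is measured as
    the coefficient of variation (stddev / mean) of the gaps between contacts.
    """
    doh_ts = defaultdict(list)
    dns_count = defaultdict(int)
    hosts = set()
    for ts, host, dst, dport, proto in conns:
        hosts.add(host)
        if proto == "udp" and dport == 53:
            dns_count[host] += 1
        elif proto == "tcp" and dport == 443 and dst in DOH_RESOLVERS:
            doh_ts[host].append(ts)

    suspects = {}
    for host in hosts:
        ts_list = sorted(doh_ts.get(host, []))
        if len(ts_list) < min_doh:
            continue
        reasons = []
        if dns_count[host] == 0:
            reasons.append("https to DoH resolver with no cleartext DNS")
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            reasons.append(f"regular beacon interval (~{avg:.0f}s, cv={cv:.2f})")
        if reasons:
            suspects[host] = reasons
    return suspects


# Constructed sample log: three workstations over about ten minutes.
SAMPLE_CONNS = (
    # ws-1: normal client, resolves via the internal DNS server, browses over 443
    [(t, "ws-1", "10.0.0.2", 53, "udp") for t in (5, 9, 60, 130, 300)]
    + [(t, "ws-1", "203.0.113.40", 443, "tcp") for t in (6, 61, 131)]
    # ws-2: no cleartext DNS; contacts 1.1.1.1:443 every 60 s exactly
    + [(t, "ws-2", "1.1.1.1", 443, "tcp") for t in range(0, 600, 60)]
    + [(t + 1, "ws-2", "203.0.113.41", 443, "tcp") for t in range(0, 600, 60)]
    # ws-3: browser with DoH enabled: no cleartext DNS, but irregular timing
    + [(t, "ws-3", "9.9.9.9", 443, "tcp") for t in (3, 8, 55, 175, 178, 378)]
    + [(t, "ws-3", "203.0.113.42", 443, "tcp") for t in (4, 9, 56)]
)

if __name__ == "__main__":
    for host, why in sorted(find_doh_suspects(SAMPLE_CONNS).items()):
        print(host, "->", "; ".join(why))
```

The caveat shows in the sample: a browser with DoH switched on (ws-3) trips the "no cleartext DNS" signal just as a bot does, so that signal alone is a lead, not a verdict. The interval regularity is what separates ws-2's machine-driven check-ins from a human's bursty browsing, and it is the reason to keep the two signals separate in the output.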
Criminal groups looking to DDoS for new ransom revenues
According to a January report by Cloudflare, ransom-focused DDoS attacks increased 29% in the fourth quarter of 2021, compared to the fourth quarter of 2020.
In December alone, a third of all companies hit by DDoS attacks received a ransom demand, the company said.
Steve Winterfeld, advisory CISO for Akamai, said that his company has been seeing a new wave of extortion activity, including new Bitcoin demands, new groups of attackers, and new attacker tactics, techniques, and procedures.
“We continue to see active extortion campaigns against all verticals,” he told Data Center Knowledge.
For example, in September, UK-based Voip Unlimited told The Register that it had been slapped with a "colossal ransom demand” after a DDoS attack.
Also that month, Canadian VoIP provider VOIP.MS was hit with a $4.2 million DDoS ransom demand, according to a report by cybersecurity vendor Avast. It took the company almost two weeks to update its infrastructure and restore service to customers.
According to Kiel Murray, managed detection and response solution owner at Crowe, a public accounting, consulting, and technology firm, enterprises have been learning how to defend against traditional ransomware for the past few years, and have been getting better at it.
“This may be why attackers move to denial of service,” he told Data Center Knowledge. “It really doesn’t require any sort of initial access, like a ransomware attack requires. So, in a way, it’s a little easier to execute.”
There are ways to defend against denial of service attacks, he said, but smaller companies, in particular, might not be aware of them or might be hesitant to adopt them due to increased costs or management overhead.
And, as this past year’s outages demonstrate, even some large companies can fall victim.
Collateral damage and smoke screens
The point of a DDoS attack isn’t always to take down a company’s operations until it pays a ransom. The goal may be to conceal another kind of attack, or to hit another target entirely.
“DDoS attacks are often used as a smokescreen to disrupt and distract network teams,” said David Elmaleh, director of product management for edge security at Imperva, a cybersecurity provider.
“While IT staff are preoccupied with getting a firewall or intrusion prevention system back online, the attackers are busy installing malware or accessing other parts of the network,” he told Data Center Knowledge.
Or the attackers might have been going after somebody else, and other companies got caught up in the attack. Collateral damage, if you will.
For example, an attack last month on Andorra’s only ISP, Andorra Telecom, began during SquidCraft Games, a Minecraft tournament. The attack was aimed at disrupting the tournament and wound up knocking out Internet access for the entire principality for about 30 minutes.
Something similar can happen with shared data centers, said Ascent’s McGladrey.
“If you’re hosting data in a data center, you probably want to have a conversation with them about what are your DDoS protections,” he said. “It’s not a new problem. At this point, it should just be a checkbox like yes, we provide this and know what we’re doing.”
Preparation is key to DDoS defense
Despite the increase in scale, the large uptick in ransom demands, and the low cost of launching an attack, companies that have up-to-date, automated DDoS protection and monitor their networks carefully will be able to detect and mitigate even the largest attacks, experts say.
“In 2022, DDoS is not going away – it is one of the easiest attacks and it remains one of the most popular ways to attack,” said Priya Iragavarapu, VP in global management consultant AArete’s Center of Data Excellence.
Major DDoS mitigation providers operate network capacity well beyond the largest recorded attack, and a content delivery network or scrubbing service absorbs and filters attack traffic at its edge, rerouting it away from the origin as needed.
Companies that neglect such protections leave themselves open to a DDoS attack that could cause a costly disruption of service.
Relying on manual responses isn’t a particularly effective strategy, said Cloudflare product manager Omer Yoachimik.
“The majority of attacks, even the largest ones, are relatively short-lived,” he told Data Center Knowledge.
In addition to using a service or tool with sufficient network capacity and automated DDoS mitigation, he suggests minimizing the number of exposed ports and public IP addresses, putting an alerting system in place to notify security teams of critical events, and educating employees to watch for ransom demands.
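A concrete way to act on the "fewer exposed ports" advice, as an added example that is neither Cloudflare's code nor part of the article: audit a host's listening sockets and flag the UDP services that are classic reflection vectors whenever they are bound to all interfaces. It parses the text of `ss -tuln` (a constructed sample is embedded; pipe the real output in instead); the port table lists well-documented amplification services, and the severity labels are assumptions made here.

```python
import sys

# UDP services widely abused as reflectors/amplifiers (well-documented vectors).
REFLECTOR_PORTS = {
    17: "qotd", 19: "chargen", 53: "dns", 111: "portmap", 123: "ntp",
    137: "netbios-ns", 161: "snmp", 389: "cldap", 1900: "ssdp",
    5353: "mdns", 11211: "memcached",
}
# Local-address forms ss prints for "bound to every interface".
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output):
    """Parse `ss -tuln` text into (proto, addr, port) triples."""
    sockets = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles "[::]:1900" too
        if port.isdigit():
            sockets.append((proto, addr, int(port)))
    return sockets


def audit_exposure(output):
    """Return (severity, proto, port, message) findings, worst first.

    Sockets bound to loopback or to one specific internal address are not
    reported; only all-interface bindings are reachable from outside.
    """
    findings = []
    for proto, addr, port in parse_ss(output):
        if addr not in WILDCARDS:
            continue
        if proto == "udp" and port in REFLECTOR_PORTS:
            findings.append(("high", proto, port,
                             f"{REFLECTOR_PORTS[port]} reachable from anywhere: "
                             "reflection/amplification risk, bind internally or firewall it"))
        else:
            findings.append(("review", proto, port,
                             "listening on all interfaces: confirm it must be public"))
    order = {"high": 0, "review": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[2]))


# Constructed `ss -tuln` output for a host that also runs NTP, SSDP and memcached on UDP.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:11211      0.0.0.0:*
udp   UNCONN 0      0               [::]:1900          [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
"""

if __name__ == "__main__":
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for sev, proto, port, msg in audit_exposure(text):
        print(f"[{sev}] {proto}/{port}: {msg}")
```

Run it as `ss -tuln | python3 audit.py` on each host, or feed it the output collected by a fleet inventory tool. Public-facing UDP reflectors matter twice over: they let the host be turned against someone else (the collateral-damage scenario above) and they make it an obvious target itself. The loopback-only memcached-style binding on 127.0.0.1 is the pattern to aim for on anything that does not need to be public.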
Gary Kenick, senior director of consulting services at Sungard Availability Services, also recommends that data center cybersecurity managers assemble a multi-disciplinary cyber response team to manage DDoS attacks and ransom demands.
He also recommends that organizations conduct simulation exercises to work through decision-making protocols, including whether to pay or not pay a ransom.
“Distributed denial-of-service attacks are popular because they are fairly simple and inexpensive to deploy, yet are highly effective,” he told Data Center Knowledge. “Because of this, they will continue to grow in popularity.”
Freelance technology writer Alex Korolov contributed to this report.