What can my organisation do about DDoS threats?

Nick Martindale looks into emerging DDoS attacks, what your organisation can do to reduce the threat, and the role that AI could play

According to research by F5 Labs, there were an alarming 2,127 distributed denial of service (DDoS) attacks in 2023, a rise of 112 per cent compared to 2022. The damage that can be done was highlighted by the attack on Microsoft Azure, which meant many Microsoft services were unavailable for a period of almost 10 hours in July.

Jack Smith, hive leader at cybersecurity firm CovertSwarm, says such attacks are a significant, evolving cyberthreat. “They aim to overwhelm a target’s online services by flooding them with enormous traffic, rendering the services unavailable to legitimate users,” he explains. “In simple terms, a DDoS can be achieved by exhausting the resources of the target, such as bandwidth, memory or CPU power.”

DDoS attacks are typically performed by botnets, or automated malicious code infrastructure of compromised machines, says Ken Dunham, cyber threat research director at Qualys Threat Research Unit.

“This makes it very difficult to detect and stop,” he says. “If a botnet is large, the firepower of a DDoS attack at any given target can be substantial. There are other forms of DDoS attack, such as DNS Reflection attacks, which can generate even higher amounts of DDoS impact upon availability of the targeted resource. The most common type of DDoS attack is from eCrime botnet infrastructure, often Russian in nature.”

What DDoS threats should I be looking out for?

An emerging DDoS threat is a ‘smurf’ attack, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. “This relies on misconfigured network devices to allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine,” he says. “The network then serves as a ‘smurf’ amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address appearing as the victim.”

There are various motivations behind such attacks, but the most common motive is financial gain. “Attackers often use these as a form of ransom whereby the attacker holds the impacted service to ransom until their financial demands are met,” explains Andy Grayland, CISO at cyber-threat intelligence firm Silobreaker.

“Less common, but more often heard about, is DDoS for political or strategic aims. Here, the attacker has no desire to stop the attack, but instead either wishes to completely stop the company from operating or has ‘ransom’ demands in the form of an action rather than cash payment. An example of such a motive might be demanding that a company stops trading with Israel due to the conflict in Gaza.”

What can my organisation do to reduce the threat?

There are steps that organisations can take to reduce the risk of being hit by an attack, or minimise its impact. “Businesses can prevent attacks using managed DDoS protection services or through implementing robust firewalls to filter malicious traffic and deploying load balancers to distribute traffic evenly when under heavy load,” advises James Taylor, associate director, offensive security practice, at S-RM. “Other defences include rate limiting, network segmentation, anomaly detection systems and implementing responsive incident management plans.”

But while firewalls and load balancers may stop some of the more basic DDoS attack types, such as SYN floods or fragmented packet attacks, they are unlikely to handle more sophisticated DDoS attacks which mimic legitimate traffic, warns Donny Chong, product and marketing director at DDoS specialist Nexusguard.
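Rate limiting and anomaly detection, mentioned above, depend on telling flood traffic apart from legitimate traffic in the network's own flow records. As an added example that is not part of the article or any vendor's product, the Python below applies two simple heuristics to constructed flow records for the SYN flood and DNS reflection patterns the experts name: handshakes that never complete, and large UDP/53 responses arriving from many resolvers that the target never queried. The record format, thresholds and addresses are assumptions chosen for illustration.

```python
"""Flow-record heuristics for two DDoS patterns named in the article: TCP SYN floods and
DNS reflection. Constructed record format: src dst proto sport dport tcp_flags bytes ("-" = no flags)."""
from collections import Counter, defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport flags size")

def parse_flow(line: str) -> Flow:
    src, dst, proto, sport, dport, flags, size = line.split()
    return Flow(src, dst, proto, int(sport), int(dport),
                "" if flags == "-" else flags, int(size))

def detect_syn_flood(flows, min_syn=100, max_ack_ratio=0.2):
    """Destinations receiving many bare SYNs that are rarely followed by an ACK,
    i.e. handshakes that never complete (spoofed or half-open sources). Thresholds are assumed."""
    syn, ack = Counter(), Counter()
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.flags == "S":
            syn[f.dst] += 1
        elif "A" in f.flags:
            ack[f.dst] += 1
    return {d for d, n in syn.items() if n >= min_syn and ack[d] / n <= max_ack_ratio}

def detect_dns_reflection(flows, min_resolvers=20, min_bytes=50_000):
    """Destinations receiving large UDP/53 responses from many resolvers they never queried."""
    asked = {(f.src, f.dst) for f in flows if f.proto == "udp" and f.dport == 53}
    resolvers, total = defaultdict(set), Counter()
    for f in flows:
        if f.proto == "udp" and f.sport == 53 and (f.dst, f.src) not in asked:
            resolvers[f.dst].add(f.src)   # unsolicited response: record the reflector
            total[f.dst] += f.size
    return {d for d, r in resolvers.items() if len(r) >= min_resolvers and total[d] >= min_bytes}

def sample_flows():
    """Constructed traffic: a SYN flood on .10, a reflection flood on .20, normal use of .30."""
    lines = [f"192.0.2.{i + 1} 203.0.113.10 tcp {40000 + i} 443 S 60" for i in range(150)]
    lines += [f"192.0.2.{i + 1} 203.0.113.10 tcp {40000 + i} 443 A 52" for i in range(5)]
    lines += [f"198.51.100.{i + 1} 203.0.113.20 udp 53 {50000 + i} - 3000" for i in range(40)]
    for i in range(10):  # legitimate completed handshakes to .30
        lines += [f"192.0.2.{i + 1} 203.0.113.30 tcp {50000 + i} 443 S 60",
                  f"192.0.2.{i + 1} 203.0.113.30 tcp {50000 + i} 443 A 52"]
    lines += ["203.0.113.30 198.51.100.1 udp 51000 53 - 70",      # .30 asks a resolver...
              "198.51.100.1 203.0.113.30 udp 53 51000 - 3000"]   # ...and gets a solicited reply
    return [parse_flow(ln) for ln in lines]

if __name__ == "__main__":
    flows = sample_flows()
    print("SYN flood targets:", detect_syn_flood(flows))
    print("DNS reflection targets:", detect_dns_reflection(flows))
```

In production these counters would run over a sliding time window and feed a rate limiter or a managed mitigation service; the thresholds above are illustrative and would be tuned against the network's normal baseline.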

“Businesses should adopt a more comprehensive approach to DDoS mitigation such as managed services,” he says. “In this setup, the most effective approach is a hybrid one, combining cloud-based mitigation with on-premises hardware which can be managed externally by the DDoS specialist provider. It also combines robust DDoS mitigation with the ability to offload traffic to the designated cloud provider as and when needed.”

For smaller firms, installing multilayer security solutions or monitoring network traffic to help identify bogus or fake requests is a good starting point, says Jake Moore, global cybersecurity advisor at ESET. Moving to the cloud can also help mitigate attacks, due to the higher bandwidth and resilience of the infrastructure.

“However, even with such protection, each year threat actors become better equipped and use more IP addresses such as home IoT devices to flood systems, which can make systems completely unusable,” he says. “A disaster recovery plan is therefore crucial in case of a DDoS attack – this includes having backup servers, website and alternative communications channels.”

The recent Azure incident also demonstrates the importance of regular testing for DDoS mitigation systems, says Chong. “According to Microsoft’s own Post Incident Report (PIR), the global disruption was due to an error in the installation of its DDoS mitigation defences that incorrectly amplified the attack rather than mitigating it,” he says. “Beyond the obvious tests on the effectiveness of DDoS defences, it’s imperative that businesses ensure that the systems are integrated properly in the first place.”

What about artificial intelligence?

There’s also potential for artificial intelligence (AI) to impact DDoS, both positively and negatively, in the coming years. “On the offensive side, attackers may use AI to identify and exploit vulnerabilities more efficiently, adapting attacks in real-time to evade defences,” suggests Smith. “For example, AI can be used to launch more sophisticated attacks by learning from the target’s defence systems and altering attack strategies accordingly.”

But AI is an equally powerful tool for defence. “AI-driven security solutions can analyse large amounts of data to identify patterns indicative of a DDoS attack, usually before it becomes evident,” he says. “Machine learning algorithms can differentiate between legitimate traffic and malicious activity, enabling faster and more accurate responses. AI can also help to automate responses, reducing the time needed to mitigate an attack and minimising the potential damage.”

The reality is that DDoS attacks are likely to continue for the foreseeable future, as long as unpatched systems remain online and easy-to-deploy DDoS tools exist, says Curran. In the short term, he urges companies to try to deal with DDoS traffic on the edge of their network immediately and make use of tools such as AI which can help with reactive misuse, anomaly detection and network-profiling techniques. But in the longer term, a cultural change is needed too, to cope with the growth in this and other threats. “Inevitably, this means increasing the amount of IT security staff and ensuring all staff are sufficiently trained, even if it’s just basic cyber skills to give the team confidence to identify and respond to these kinds of threats,” he says. “Ensuring that the proper roles and permissions are in place will provide additional accountability.”



Nick Martindale

Nick Martindale is an experienced freelance journalist, editor and copywriter. He specialises in writing about workplace matters, including HR, procurement and technology.
