The increased reliance of enterprises on remote working and internet connectivity during the Covid-19 pandemic has, in turn, increased the disruptive potential of distributed denial of service (DDoS) attacks, which threaten to overwhelm business servers and network infrastructure unless proper mitigation is put in place.
While DDoS attacks tend to be fairly unsophisticated and small in scale, they are very cheap and easy to orchestrate as they only require the attacker to send more internet traffic than the network infrastructure can handle. If successful, a DDoS attack can take entire enterprises offline in a matter of minutes and completely halt their ability to do business.
However, many enterprises still do not perceive DDoS as a major threat, largely due to them being less frequent than other cyber attacks, as well as the perception that they are both expensive to mitigate against and carried out almost exclusively by politically motivated attackers.
Despite their lower frequency, Nominet’s chief information security officer (CISO), Cath Goulding, notes that there has been a significant uptick in DDoS attacks over the past few years, and that the scale of the attacks “has gone up exponentially”, meaning organisations can no longer afford to skip putting mitigating measures in place.
Perception of risks and costs
Comparing DDoS to web application layer attacks, Akamai’s director of security technology and strategy, Richard Meeus, tells Computer Weekly that their frequency is “an order of magnitude lower”.
“[Web application layer attacks] are ongoing every single day – there are millions and millions,” he says, adding that Akamai recorded a three-fold increase in these sorts of attacks over the nine months since 1 January 2020.
“Where we would see millions of WAF [web application firewall] attacks, we would see tens or hundreds of DDoS attacks … so an organisation may well go a long time and never see a DDoS attack.”
Meeus adds that, due to the prevalence of web application layer attacks, it is easier for organisations to see the benefit of investing in mitigation measures, whereas it is perceived as easier for organisations to accept the risks with DDoS attacks.
“It is that risk balance that you have to do, and the perception is not necessarily that there’s nothing we can do about it, but ‘Is it going to be me?’,” he says.
Corroborating this sentiment, Cloudflare CTO John Graham-Cumming adds that organisations may refrain from adopting DDoS mitigating measures out of a sense that it will not necessarily happen to them.
“A lot of the high-profile DDoS attacks have often had an activist or political angle to them, and so it’s quite easy for organisations to say, ‘I’m not involved in something that’s going to upset Anonymous, I’m not doing something political so it’s unlikely to happen to me’,” he says. “The unfortunate reality is a lot of what happens with DDoS attacks is actually just economic.”
Theses economic motivations are reflected in the growing prevalence of ransom-based DDoS attacks during 2020, whereby the perpetrators ask for money to either not launch the attack in the first place or to stop one already in progress.
“The people who do it are very well-organised, so businesses need to think about DDoS as one of the risks of the business, especially when we’ve gone into this environment where people are working from home and internet connections and how we use them are so important to running the business,” says Graham-Cumming.
He adds that while DDoS mitigation has traditionally been very expensive, the increasing prevalence of cloud computing has pushed down the cost to make it much more affordable.
“The previous model of DDoS mitigation was very much around super-specialised hardware in a limited number of locations, so it was very expensive thing to put in place – cloud has made that much more affordable,” he says.
According to Graham-Cumming, enterprises should start the process of implementing mitigating measures by conducting thorough due diligence of their entire digital estate and its associated infrastructure, because that is what attackers are doing.
“The reality is, particularly for the ransomware folks, these people are figuring out what in your organisation is worth attacking,” he says.
“It might not be the front door, it might not be the website of the company as that might not be worth it – it might be a critical link to a datacentre where you’ve got a critical application running, so we see people doing reconnaissance to figure out what the best thing to attack is.
“Do a survey of what you’ve got exposed to the internet, and that will give you a sense of where attackers might go. Then look at what really needs to be exposed to the internet and, if it does, there are services out there that can help.”
This is backed up by Goulding at Nominet, who says that while most reasonably mature companies will have already considered DDoS mitigation, those that have not can start by identifying which assets they need to maintain availability for and where they are located.
Once enterprises have identified their weak points, Gould adds that they should then regularly practice their incident responses so that they understand how it would affect the organisation and its assets.
These practice sessions can help organisations recover from an actual attack and ensure the denial of service is not being used as a smokescreen for other cyber attacks.
“What happens after a DDoS attack is that people try to bring their services back up again. Routers and firewalls, for example, all take different lengths of time to boot up and, unless you’re following in the prescribed order, you may end up with a hole for a few minutes,” says Meeus. “That’s commonly where trojans are put into the network to try to exploit it.”
Choosing suppliers and the role of cloud
With this understanding of their assets and how to bring them back online, enterprises should research and approach potential suppliers to figure out which would be the best fit for their needs.
This process, according to Graham-Cumming, should start with the organisations pre-existing suppliers to see what is already in place or paid for, before moving on to more specialised firms if need be.
“Another thing I look for if you’re going to be looking for a supplier is how fast they actually mitigate an attack,” says Graham-Cumming.
“A lot of what will happen with attacks is that they will come in for a short period of time, and that can be very disruptive, but you need those stopped very quickly… I would look for somebody that can stop this in seconds.”
There are two kinds of suppliers for DDoS mitigation – those that do ‘always on’ DDoS mitigation, whereby all the traffic is going through their network all the time to detect issues, and those that do ‘on-demand’, whereby a company under attack has to contact them to get mitigation started.
“On-demand was very common, but ‘always on’ has become more common because it’s a lot easier for the end user as they don’t have to do anything. The mitigation happens just immediately, which reduces downtime,” he says.
For Meeus, effective DDoS mitigation starts in the cloud, which can either be done through a content delivery network (CDN) or by setting up a traffic scrubbing centre.
“The CDN is effective when it’s just protecting a website, so for a lot of newer organisations that rely on cloud hosting, or only have one IP address because they’re like an e-commerce website and everything runs through them, then CDN is a great platform because there are lots of security layers that we can put into that to make the DDoS mitigated,” he says.
However, for older legacy companies, including firms that have lots of disparate datacentres or a hybrid set-up with services and hosting in different locations, then scrubbing centres are the better option.
These centres can protect a firm’s entire IP space, and work by looking at all traffic to determine what is “clean” and can be let through.
“It’s all about sitting in front of the customer in the cloud, at the edge of the internet, and getting rid of all the bad stuff before it gets in the customer’s space,” says Meeus.
“If the pipe of the connection you have to the internet is one gigabit per second [Gbps], a 1.1 Gbps DDoS attack is going to take you offline – it’s that simple. Realistically, you have to move the DDoS protection away from you and move it to the edge.”
Gould adds that it is important to set the enterprise up to be able to record network traffic, so that when a DDoS attack does occur, information can be given to the police and used to forensically analyse the event to understand how it happened and put in place further mitigation.