Four ways DDoS attacks have evolved – and what it means for your DDoS defences
Distributed denial of service (DDoS) attacks aim to disrupt an organization’s network or online services, sending vast amounts of illegitimate traffic to eat up all available bandwidth, or gradually consume other essential computing resources. While the fundamental elements of DDoS attacks have remained constant, the exact methods used by cybercriminals have evolved significantly over the last few years, thwarting traditional protection methods and leaving many organizations vulnerable to attack.
So how exactly have DDoS attack methods changed, and what does it mean for your organization’s DDoS defences?
1. Attacks are getting bigger (but also smaller)
DDoS attacks are bigger than ever, in frequency and in size, according to Radware’s 2022–2023 Global Threat Analysis Report. The number of DDoS attacks increased by 150% between 2021 and 2022, with the total attack volume growing by 4.44 petabytes over the same period – a gain of 32%. The single largest volumetric attack on record was a staggering 1.46 terabits per second.
Based on these numbers, it’s clear that volumetric DDoS attacks remain a favoured tactic of cybercriminals. It’s also true that very large attacks are easier to detect and mitigate, which explains why smaller, more subtle attacks are also on the rise.
These days, large volumetric attacks are often used as a distraction from some other tactic that’s unfolding simultaneously. The big DDoS attack raises the alarm and takes the focus off mitigation efforts. Meanwhile, another attack is taking place elsewhere, such as a low-and-slow attack that gradually depletes the resources of load balancers, firewalls and other IT infrastructure. It could also hide ransomware, a kind of malicious software that locks critical files and seeks payment to restore access.
2. Application-layer attacks are on the rise
Application-layer attacks have also gained popularity among bad actors. According to the same Radware report, they grew in frequency by 88% between 2020 and 2021, and then by another 128% between 2021 and 2022.
Rather than clogging the internet “pipe” by overloading connections and consuming bandwidth (as is the case with network-layer attacks), application-layer attacks seek to overwhelm servers by sending large numbers of requests over a short period of time that are resource-intensive to handle and process. Unable to keep pace, the target server slows down or goes offline completely. Common targets are exploitable application protocols like HTTP, SMTP, FTP and SQL.
3. DDoS attacks are more complex
It’s now common to see DDoS attacks that use multiple attack vectors, change vectors and even switch targets mid-attack. An example of this is the tactic I noted earlier, where a large volumetric attack serves as a smokescreen for an application-layer attack, with the latter switching application protocol targets partway through the attack to thwart mitigation efforts.
Another example is “web DDoS tsunami attacks”, which are an evolution of HTTPS flood attacks that generate extremely high requests per second, and which have much more sophisticated detection evasion. These attacks start at the network layer and transition into multi-vector, application-level attacks, sending massive numbers of encrypted requests that appear legitimate when decrypted. They use a variety of methods to beat network protections and web-application firewalls, from randomizing HTTP headers and cookies to spoofing IP addresses.
All this complexity makes it harder for organizations to prevent their network or services from going offline when an attack occurs.
4. More DDoS attack traffic is encrypted
These web DDoS tsunami attacks are not the only ones that encrypt malicious traffic. Because most internet traffic today is encrypted, it only makes sense that attackers are encrypting their DDoS traffic, so it doesn’t stand out from legitimate traffic.
Encryption makes it more difficult and time-consuming to determine whether traffic is legitimate or malicious, and many DDoS systems aren’t even able to decrypt traffic.
What these trends mean for your DDoS defences
These trends are likely to continue, so organizations need to ensure their DDoS defences can stand up to them. For many, it will require enhanced DDoS protections, with advanced capabilities that can keep up with increasingly complex and sophisticated attacks.
Businesses will need robust volume-based detection and mitigation as well as the ability to detect smaller, more targeted attacks. Effective capabilities include web-based detection and behavioural analysis, which uses artificial intelligence and machine learning to identify new kinds of attacks based on suspicious behaviour that differs from typical network activity.
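As an added example (not the article’s own code, nor Bell’s or Radware’s), the script below runs a pure volume threshold and a simple behavioural baseline over constructed web-server log lines: a flood of requests against an expensive endpoint stays far below a 1 Gbit/s volume threshold, yet stands out against the learned request rate for that path. The client addresses, the 800-byte request size and the 1 Gbit/s limit are assumed values.

```python
# Added example, not code from the original article or from Bell/Radware:
# a static volume threshold beside a behavioural baseline, both run over
# constructed web-server log lines of the form "ts client_ip path bytes".
from collections import Counter
from statistics import mean, pstdev

NORMAL_CLIENTS = [f"192.0.2.{i}" for i in range(1, 21)]       # constructed
ATTACK_CLIENTS = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]  # constructed

def make_log(start, seconds, clients, req_per_sec, path, size):
    """Constructed log lines: req_per_sec hits on path each second, round-robin."""
    lines = []
    for t in range(start, start + seconds):
        for i in range(req_per_sec):
            ip = clients[(t * req_per_sec + i) % len(clients)]
            lines.append(f"{t} {ip} {path} {size}")
    return lines

def parse(lines):
    return [(int(t), ip, p, int(n)) for t, ip, p, n in (l.split() for l in lines)]

def peak_bps(records):
    """Busiest second in bits/s: all a pure volume threshold looks at."""
    per_sec = Counter()
    for ts, _, _, size in records:
        per_sec[ts] += size * 8
    return max(per_sec.values())

def rate_per_second(records, path):
    """Requests per second to path, with zeros for quiet seconds."""
    hits = Counter(ts for ts, _, p, _ in records if p == path)
    lo, hi = min(r[0] for r in records), max(r[0] for r in records)
    return [hits[t] for t in range(lo, hi + 1)]

def behavioural_alert(baseline, live, path, k=3.0):
    """Learn the normal request rate to an expensive path from baseline
    traffic; alert when live traffic exceeds mean + k*stdev and name the
    clients contributing most to that path."""
    rates = rate_per_second(baseline, path)
    limit = mean(rates) + k * pstdev(rates)
    if max(rate_per_second(live, path)) <= limit:
        return False, []
    top = Counter(ip for _, ip, p, _ in live if p == path).most_common(3)
    return True, sorted(ip for ip, _ in top)

def volumetric_alert(records, limit_bps=1_000_000_000):  # assumed 1 Gbit/s limit
    return peak_bps(records) > limit_bps

# Baseline: 60 s of normal /search traffic at 8, then 12 requests per second.
BASELINE = parse(make_log(0, 30, NORMAL_CLIENTS, 8, "/search", 800)
                 + make_log(30, 30, NORMAL_CLIENTS, 12, "/search", 800))
# Live window: normal load plus three clients adding 30 req/s (small in bytes, big in rate).
LIVE = parse(make_log(60, 10, NORMAL_CLIENTS, 10, "/search", 800)
             + make_log(60, 10, ATTACK_CLIENTS, 30, "/search", 800))
```

The live window peaks at 256 kbit/s, so the volume check stays silent, while the per-path rate of 40 req/s is well above the learned limit of 16 req/s and the three attacking clients are named.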
Increasingly, businesses will need to work with a third party – either a network provider like Bell or a cloud provider – to ensure that detection and mitigation are happening as close to the source of an attack as possible. That may require warming up to the idea of having a third-party partner decrypt and re-encrypt traffic as part of the process of detecting malicious requests. This would be a big change, but a necessary one as DDoS attack methods continue to evolve.
Stay ahead of the attackers with Bell
DDoS attacks are here to stay and will only grow more complex over time. To protect your business from costly downtime, you need a partner like Bell who can provide you with world-class DDoS security that keeps you protected from the full range of network- and application-layer attacks. Our portfolio of services includes network, cloud and edge solutions that provide 24/7 detection and mitigation, managed by our security experts who are always up to date on the latest threat intelligence.
Learn more on our DDoS security page or reach out to a Bell representative to discuss how we can help you stay steps ahead of bad actors.