Check out all the on-demand sessions from the Intelligent Security Summit here.
As technology continues to advance, so do the methods of cyberattackers. Malicious actors, such as lone hackers, criminal gangs, hacktivists and state actors employ various techniques to disrupt or disable target systems, which range from small and large businesses to nation-states.
One of the most alarming trends in cybersecurity is the recent rise of the botnet and DDoS (distributed denial of service) attacks. According to a report by the NCC group, there was a 41% increase in ransomware attacks from October to November 2022, with the number of incidents rising from 188 to 265.
Another recent study conducted by Imperva revealed a significant uptick in the frequency of layer 7 DDoS attacks, with a staggering 81% increase in attacks that reached a minimum of 500,000 requests per second (RPS) over the past year. The study also observed a threefold increase in application layer DDoS attacks from Q1 to Q2 of 2022, again highlighting the alarming rate at which DDoS botnet attacks are escalating.
Such attacks are even more concerning today, as predictions for 2023 indicate that they will become even more prevalent and sophisticated, posing a significant threat to businesses and individuals worldwide.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
These cyberattacks use a network of infected devices to flood a target website or server with traffic, causing it to crash or become unavailable. The consequences of these attacks can be severe, with organizations experiencing significant financial losses and damage to their reputations. As we move into 2023, botnet and DDoS attacks are undeniably becoming more frequent and powerful.
Botnets and DDoS attacks: A deadly duo for security infrastructures
A botnet, also known as a network of infected computers or devices, is controlled by a single entity, referred to as the botmaster. The infected devices, referred to as bots, are commonly compromised through malicious means such as malware or phishing attacks. Once infected, a device can be controlled remotely and used for various nefarious purposes, including DDoS attacks.
DDoS cyberattacks themselves aim to overload a website or network with excessive traffic, rendering it inaccessible to legitimate users. These attacks are frequently executed using botnets, as the botmaster can command the infected devices to transmit a large volume of traffic to the targeted website or network.
DDoS attacks and botnets have been major problems for the technology industry for over a decade. They have proven particularly challenging to trace and prevent, as the traffic generated by a DDoS attack originates from various sources, making it hard to identify and block the IP addresses of the attackers. Furthermore, botnets can be dispersed across various types of devices, making it arduous to locate and eradicate them.
In 2022, the number of botnet and DDoS attacks reached a record high, primarily due to the widespread adoption of Internet of Things (IoT) devices that are often inadequately secured. The hijacking of internet-dependent devices for such attacks typically involves identifying devices with security vulnerabilities to enable infection with “botware.” The COVID-19 pandemic, which led to increased remote work, and thus for many organizations a dispersed workforce, further facilitated attacks targeting such organizations.
Bigger and better; worse and worse
DDoS attacks and botnets have become increasingly sophisticated and potent. Larger and more complex attacks make them harder to defend against. According to the 2022 DDoS threat report by A10 Networks, Simple Service Discovery Protocol or SSDP-based DDoS attacks resulted in generating more than 30 times the traffic volume, making them some of the most devastating attacks by DDoS botnet agents.
“Rather than a single, homogenous entity, the internet comprises hugely disparate infrastructure spanning (at least part of) all public networks globally. Consequently, large parts of the internet have very poor security and are rarely patched correctly,” said Dominic Trott, UK head of strategy at Orange Cyberdefense.
“A variety of ‘solutions’ aimed at the ‘market’ of malicious actors places the capability of executing DDoS attacks within reach of so-called ‘script-kiddies’ (unskilled individuals who use scripts or programs developed by others, primarily for malicious purposes) and other low-skilled attackers,” he said.
Ransom DDoS attacks on the rise
The proliferation of ransom distributed denial of service (DDoS) attacks is a significant concern for organizations. In these attacks, nefarious actors use DDoS attacks to extort a ransom payment, typically in the form of a cryptocurrency.
These attacks involve either an initial DDoS attack followed by a ransom note demanding payment to halt the attack, or a ransom note threatening a DDoS attack if the demanded amount is not received.
According to a survey conducted by Cloudflare, during the third quarter of 2022, 15% of its customers reported being targeted by HTTP DDoS attacks accompanied by a threat or ransom note, indicating a 15% quarter-over-quarter and 67% year-over-year increase in reported ransom DDoS attacks.
“There have been instances where DDoS attacks are used as a distraction technique to mask a more sophisticated attack that is occurring concurrently or to create additional pressure that further incentivizes ransom payments, like in the triple extortion ransomware model,” Daniel Farrie, operational threat intelligence manager at NCC Group, told VentureBeat.
“On their own, they have limited impact, but as we can see, when combined with other tactics they provide a valuable addition in a threat actor’s arsenal. This is very much how these attack types have evolved, now being used as an extra tool, rather than a standalone threat.”
Another memorable example of such attacks involved a “WordPress pingback” attack against a large gambling company’s website. The attack took advantage of a vulnerability (one present in over half a million WordPress sites) to send millions of requests to websites owned by the gambling company, resulting in many of its services being taken offline. While this played out, the attackers used a “Sentry MBA” tool to steal data from thousands of user accounts. This went unnoticed by the gambling company for days until it managed to block the WordPress attack. Neither attack was sophisticated, but the damage to the gambling company was huge.
“Such examples highlight the imbalance of DDoS attacks, and the major challenge they pose for organizations, their customers, and consumers. The shallow bar of entry means that almost any, and therefore many, threat actors can launch attacks successfully. However, their risk scale creates the potential for significant disruption,” explained Trott.
As such, organizations must implement robust DDoS protection measures to safeguard against such botnet and DDoS threats. These can include cloud-based DDoS protection services to detect and block DDoS traffic before it reaches the targeted website or network. Additionally, it is vital to have a plan in place to respond to DDoS attacks and to conduct regular testing and simulations to ensure the strategy is effective.
Driving factors and how to respond
According to Steve Benton, vice president of threat research at Anomali, several pivotal factors have contributed to the surge of botnet and DDoS attacks in recent years.
- Availability: DDoS attacks are increasing due to factors like the growth of the DDoS-as-a-Service market. It has probably never been easier to “order” a DDoS attack.
- Capability: The services themselves have become more adept at modifying their attack vectors in flight in response to a target’s DDoS defense responses. As such, they are achieving more success.
- Opportunity: More and more businesses have become dependent on their online services (including to support a remote/hybrid workforce), digital marketplaces, and real-time services (e.g. streaming, gambling and gaming). Service interruption here is costly for businesses (lost revenue, customers, service) and potentially reputation and brand, and offers an extortion opportunity.
Benton explained that such attacks are more “real-time” than the “send and wait” process of phishing or phishing-based ransomware. The shift to cloud-based services and the growing use of edge computing will also present new opportunities for attackers to target these systems.
“The phishing/ransomware attack[er] does not know when or whether they will be successful and whether their tactics worked. On the other hand, the DDoS attack[er] gets immediate feedback and can prolong and modify their attack on their chosen target,” Benton told Venturebeat. “And in fact, whereas phishing/ransomware is often random in finding successful targets, DDoS is targeted from the onset.”
For CISOs, the key to protecting against botnet and DDoS attacks is to focus on certain key metrics. Benton recommends that CISOs assess their defense solutions and measures in terms of the following factors to protect their organizations against the growing threat of botnet and DDoS attacks in 2023:
- Strength of capability: Resilience/flex — the ability to scale above any impact of attack, plus deflection/neutralization — blocking, black-holing the attack traffic while preserving legitimate service
- Strength of adaptability: Ability to pivot in response to changing attack vectors during an attack
- Strength of reflex: Ability to detect and mitigate from the beginning of an attack through any and all phases that follow
“The best thing that a security leader can do, with regard to DDoS, is to have a proper inventory of all assets exposed to the internet and the understanding of what the impact is if those assets become unavailable [due] to [an] attack,” David Holmes, senior analyst at Forrester told VentureBeat.
“For some assets (a small, remote office for example), the projected impact may not be severe enough to merit putting protection in place. But for revenue-generating and/or customer-facing applications, DDoS protection is a must. So a CISO needs to recognize those applications and put appropriate protection in place.”
Likewise, Sean Leach, chief product architect at Fastly, said it’s essential for CISOs to have a playbook of how they will respond to such attacks.
“A DDoS attack doesn’t just affect your website or API, it affects your entire company. It isn’t just your technical/ops team that deals with the fallout; it’s customer support, finance and marketing as well. So it would be best if you had a playbook of how to respond [and] who is responsible for what. You also need to inventory and assess your third-party risk,” said Leach.
“Today so many applications and APIs depend on third-party providers. What happens if you aren’t even the target of an attack, but one of your critical providers is? Do you have a backup? Do you know how the site functions without them? All of those questions need to be answered,” he added.
The future of botnet and DDoS attacks
Farrie predicts that in 2023, we should expect an uptick in the number of compromised devices being used for DDoS attacks. This will inevitably mean that the effectiveness of DDoS attacks will also increase.
“As more and more devices become connected to the internet (Internet of Things), the higher the likelihood that the size of botnets will increase, especially when one considers the rapidly evolving use of IoT in smart cities, connected vehicles and smart tech in our homes. While it is clear that some organizations face a higher risk of attack than others for a myriad of reasons, this does not mean that some are immune,” said Farrie. “We advise that all organizations take steps to understand how the threat of these attacks may impact their operations and look at the many service offerings offered by reputable security providers.”
“As such, the effectiveness of DDoS mitigations or controls are ideally measured in the amount of ‘downtime’ to systems that have been targeted. When conducting risk assessments against an organization’s critical assets, particularly those that rely on [their] availability, due consideration should therefore be given to ensuring these have adequate protections in place,” he said.
Because DDoS and botnet attacks affect the availability of systems or services, such as customer portals or websites, he said, organizations should focus more on such threats in the future.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.