Beyond the Flood: Understanding and Defending Against Modern DDoS Attacks

In the interconnected digital landscape, Distributed Denial of Service (DDoS) attacks pose a serious threat to organizations. DDoS attacks flood websites and networks with traffic, causing disruptions to normal operations that can result in financial losses and reputational damage. In recent years, there has been a surge in increasingly sophisticated DDoS attacks, even temporarily wreaking havoc on industry giants like Google and AWS. We’ve outlined everything you need to know about DDoS attacks—from their mechanics to actionable tips for safeguarding your company’s digital presence. 

Understanding the Mechanics of DDoS

DDoS attacks originate from a botnet, a network of compromised internet-connected devices controlled by a single attacker. These devices can be anything from personal computers to smartphones and IoT devices infected with malware. Once a botnet is formed, the attacker issues simultaneous commands, prompting the devices to flood the target with seemingly legitimate requests, overwhelming it, and causing it to become slow or unresponsive to legitimate users. DDoS attacks can take different forms: 

• Volumetric Attacks overwhelm the target system’s bandwidth by flooding it with massive amounts of data. Two of the most common volumetric attacks are User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). 
• Protocol Attacks exploit vulnerabilities in network protocols, forcing network equipment to malfunction or become overloaded. SYN floods and Smurf attacks are the most common kinds of protocol attacks.  
• Application-Layer Attacks target the applications running on a server, such as web servers or email servers. Like volumetric attacks, they resemble legitimate user traffic in overwhelming quantities, just focused on a server rather than an entire system. HTTP floods and Slowloris attacks are common examples of application-layer attacks.

DDoS in the Headlines

DDoS attacks took over media headlines in late 2023 when a novel attack targeted AWS, Google, and Cloudflare, causing widespread disruption to their services. The attacks were the largest ever recorded, with Google reporting the volume of requests on their servers reaching 398 million requests per second. AWS and Google both experienced large-scale DDoS attacks in 2020, as well. In February 2020, AWS was hit by an attack that lasted three days and peaked at 2.3 terabytes of data requests per second. In October that year, Chinese threat actors used several botnets to spoof 167 million packets per second to Google’s servers. 

One of the most notable DDoS attacks targeted domain registration service provider Dyn in 2016. The attack caused outages for Dyn’s customers across the US, including Twitter, Netflix, Spotify, Reddit, and dozens of other popular sites. The attack originated from a botnet of IoT devices infected with Mirai malware, which has continued to be a source of DDoS attacks in the years since. These attacks underline the widespread impact DDoS attacks can have on internet services in today’s interconnected world. 

Preventing and Mitigating DDoS Attacks

While DDoS attacks pose an enormous threat to organizations of all sizes, there are proactive measures that companies can use to defend themselves. 

Every organization should have a proactive defense strategy that includes: 

• Strong Network Infrastructure: Implementing firewalls, intrusion detection systems, and intrusion prevention systems can help identify and block malicious traffic. 
• Content Delivery Networks (CDNs): CDNs distribute traffic across multiple servers, making it difficult for attackers to overwhelm a single target. 
• DDoS Mitigation Services: Specialized services can detect and filter out DDoS traffic, protecting your network from an attack. 

Some measures can be taken during an attack to minimize its impact, including: 

• An Incident Response Plan: A well-defined plan can help you react quickly and effectively to an attack. These plans should include definitions of Indicators of Attack (IoA) and Indicators of Compromise (IoC). IoAs are forensic signs that typically surround a cyberattack, like public servers communicating with internal hosts, multiple honeytoken alerts from one host, and excessive SMTP traffic. IoCs are unusual behaviors or traffic that indicate potential intrusions in a network. Some examples include spikes in outbound traffic, a sudden increase in database reads, and unexplained activity using privileged account credentials.
• Working with your ISP/Hosting Provider: Your internet service provider or hosting provider can be crucial in mitigating the attack by filtering traffic or rerouting it to scrubbing centers. 

Individuals can also play an important role in preventing DDoS attacks. Many of the devices used to make up botnets are personal laptops or phones infected with malware, so using strong, unique passwords for all online accounts can help prevent your devices from being recruited into a botnet. Anti-virus and anti-malware tools also help protect against vulnerabilities that attackers can exploit. 

Safeguarding Against DDoS

DDoS attacks grow in scale and sophistication every year, posing an enormous threat to the digital world. By understanding how these attacks work and taking proactive measures to defend ourselves and our organizations, we can mitigate their impact on the online services we all rely on. Staying informed, being vigilant, and being proactive are our most powerful tools in preventing DDoS attacks.