Distributed denial-of-service (DDoS) attacks have surged in recent months. The increase is attributed to attackers adopting more sophisticated techniques, including targeting authoritative DNS servers, building botnets from hijacked virtual machines, and launching HTTP application-layer attacks with highly randomized fingerprints. Cloudflare, a web security company, highlighted these findings in its DDoS threat report for the second quarter of 2023.
During this period, Cloudflare observed a significant rise in well-planned and persistent DDoS campaigns. Notable incidents included attacks that pro-Russian hacktivist groups such as REvil, Killnet, and Anonymous Sudan launched against Western websites. The quarter also saw a marked increase in targeted DNS attacks, amplification attacks that abuse a vulnerability in Mitel MiCollab business phone systems as a reflector, and a concerning escalation in the sophistication of HTTP attacks.
DDoS attacks are generally categorized into two types: network-layer attacks and application-layer attacks. Network-layer attacks target the core transport protocols at layers 3 and 4 of the OSI model, such as TCP, UDP, ICMP, and IGMP. Application-layer attacks target the layer 7 protocols that applications use to talk to their users, with HTTP being by far the most common. Cloudflare's report found that application-layer attacks increased 15% quarter over quarter in the second quarter, while network-layer attacks decreased 14%.
The goal of an HTTP attack is to exhaust the computing resources of a web application or API so that it can no longer respond to legitimate users. The targets are kept busy by a flood of bogus requests issued by bots. The most meaningful measure of an HTTP attack's severity is therefore its rate in requests per second (rps), not the volume of data transmitted in gigabits per second (Gbps); the latter matters for network-layer attacks, whose aim is to saturate the target's available bandwidth.
Combating HTTP DDoS attacks requires a combination of techniques to tell genuine users apart from bots. For instance, if an application sees an abnormally high rps rate, a DDoS mitigation provider may interpose temporary CAPTCHA or JavaScript challenges before requests are allowed to reach the application. The same challenges can be triggered when the User-Agent header of a request is unusual or does not match what real browsers send. Known botnet fingerprints in the request headers can additionally be matched outright to strengthen detection and mitigation.
Cloudflare's report emphasized the alarming rise in highly randomized and sophisticated HTTP DDoS attacks seen in recent months. The threat actors behind these attacks appear to have deliberately engineered them to defeat mitigation systems by closely imitating browser behavior. Randomizing properties such as the User-Agent header and the JA3 fingerprint (a hash of the parameters in the TLS ClientHello, which normally identifies the client's TLS stack) lets these attacks evade signature-based defenses. The flip side for defenders is that randomized attributes tend to be inconsistent with each other, and that inconsistency is itself a signal.
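The triage logic sketched in the two paragraphs above (rate-based challenges, unusual User-Agent checks, known-fingerprint matching, and catching randomized User-Agents by their inconsistency with the JA3 fingerprint) can be illustrated with a small offline detector. This is an added example, not Cloudflare's code and not a description of how any mitigation product works internally; the log format, the 50 rps threshold, the list of "known bot" User-Agent prefixes, the JA3 hashes and every log line are constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Assumed parameters for this example (not figures from the report) ---
RPS_CHALLENGE_THRESHOLD = 50        # per-client peak rps above which a challenge is served
KNOWN_BOT_UA_PREFIXES = ("python-requests/", "Go-http-client/", "curl/")  # illustrative list
# Loose shape of a real browser User-Agent: "Mozilla/5.0 (...) ... <Family>/<version>"
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(.+\) .*(Chrome|Firefox|Safari)/\d")


@dataclass
class Record:
    ts: float   # request time, epoch seconds (fractional)
    ip: str     # client address
    ja3: str    # TLS ClientHello fingerprint as logged by the edge
    ua: str     # User-Agent header


# Three browser-looking User-Agents a flood might rotate through (constructed).
RANDOMIZED_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15",
]

# Constructed access log, tab-separated "ts ip ja3 user-agent"; every request falls in the same second.
SAMPLE_LOG = "\n".join(
    # a real browser: four requests, one consistent UA and one JA3
    [f"1000.{i:02d}\t198.51.100.7\taaaa1111\t{RANDOMIZED_UAS[0]}" for i in (0, 2, 4, 6)]
    # a scripted client that announces itself in the UA header
    + [f"1000.{i:02d}\t203.0.113.9\tbbbb2222\tpython-requests/2.31.0" for i in range(6)]
    # a flood: 60 requests in one second, UA rotated per request, but a single TLS stack (one JA3)
    + [f"1000.{i:02d}\t192.0.2.33\tcccc3333\t{ua}" for i, ua in enumerate(RANDOMIZED_UAS * 20)]
)


def parse_log(text):
    """Turn the tab-separated log into Record objects; the UA may contain spaces, never tabs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, ja3, ua = line.split("\t", 3)
        records.append(Record(float(ts), ip, ja3, ua))
    return records


def browser_family(ua):
    """Classify a UA by the browser it claims to be. Chrome UAs also contain 'Safari/', so order matters."""
    for needle, family in (("Firefox/", "firefox"), ("Chrome/", "chrome"), ("Safari/", "safari")):
        if needle in ua:
            return family
    return "other"


def peak_rps(records):
    """Highest number of requests any single client sent within one wall-clock second."""
    buckets = defaultdict(int)
    for r in records:
        buckets[(r.ip, int(r.ts))] += 1
    peak = defaultdict(int)
    for (ip, _second), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def triage(records):
    """Return {ip: {"peak_rps", "flags", "action"}} where action is allow, challenge or block."""
    peak = peak_rps(records)
    uas_by_ip = defaultdict(set)
    families_by_ip_ja3 = defaultdict(set)   # (ip, ja3) -> browser families that JA3 claimed
    for r in records:
        uas_by_ip[r.ip].add(r.ua)
        families_by_ip_ja3[(r.ip, r.ja3)].add(browser_family(r.ua))

    verdicts = {}
    for ip, rps in peak.items():
        uas = uas_by_ip[ip]
        flags = []
        if any(ua.startswith(p) for ua in uas for p in KNOWN_BOT_UA_PREFIXES):
            flags.append("known_bot_fingerprint")
        if rps > RPS_CHALLENGE_THRESHOLD:
            flags.append("high_rps")
        if any(not BROWSER_UA.match(ua) for ua in uas):
            flags.append("unusual_user_agent")
        # One TLS stack cannot honestly be Chrome, Firefox and Safari at once:
        # a single JA3 presenting several browser families means the UA is being rotated.
        if any(len(fams) > 1 for (i, _j), fams in families_by_ip_ja3.items() if i == ip):
            flags.append("ua_randomized_across_families")

        if "known_bot_fingerprint" in flags:
            action = "block"
        elif flags:
            action = "challenge"
        else:
            action = "allow"
        verdicts[ip] = {"peak_rps": rps, "flags": flags, "action": action}
    return verdicts


if __name__ == "__main__":
    for ip, v in triage(parse_log(SAMPLE_LOG)).items():
        print(ip, v)
```

On the constructed sample the browser is allowed, the self-identifying script is blocked, and the flood is challenged on two independent grounds: its 60 rps, and the fact that one JA3 claimed three browser families. The JA3 consistency check is the practitioner's answer to randomization: an attacker who rotates User-Agents without also rotating real TLS stacks becomes more detectable, not less, and an attacker who does rotate TLS stacks pays a much higher per-request cost.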
The growing use of advanced techniques in DDoS attacks underlines the need for organizations to strengthen their defenses. A layered approach that includes a robust DDoS mitigation service, ideally one that combines rate limiting, client challenges, and fingerprint-based detection, helps organizations reduce the risk these evolving threats pose. As attackers continue to refine their tactics, vigilance and proactive security measures remain essential to protecting digital assets and keeping online services available.
