Surge in DDoS Attacks fueled by innovative tactics and political objectives

A new wave of powerful DDoS attacks has emerged and cybersecurity vendors are concerned that previous mitigation efforts are becoming less effective. Over the past year, attacks against major vendors such as Microsoft and Google have shifted to application layer, or Layer 7, DDoS attacks, which are highly disruptive. These attacks are taking advantage of internet architecture protocols such as HTTP and DNS to launch their assaults.

The adoption of new techniques, the growth of DDoS as a service, expanding attack vectors, and access to more powerful botnets have all contributed to the rise of record-breaking DDoS attacks. However, vendors have observed that not only are these attacks becoming more frequent, but they are also increasing in speed and complexity.

Researchers at Akamai Technologies recently published a blog titled “The Relentless Evolution of DDoS Attacks,” in which they emphasized the rapid evolution of the DDoS threat. They noted that the top five attack vectors in 2010 accounted for 90% of all attacks, but today’s top five only represent 55% of all attacks. This shift underscores the increasing sophistication of the modern DDoS toolkit and the immense pressure on security teams to defend against a growing library of threats.

One recent attack against Microsoft highlighted the threat posed by DDoS attacks to organizations of all sizes. The company confirmed that disruptions to services such as Microsoft 365 and Azure were caused by DDoS attacks attributed to a threat actor known as “Storm-1359” or Anonymous Sudan. These attacks employed techniques to bypass previous mitigation strategies, including Slowloris and cache bypass attacks.

Another notable attack occurred in February when Cloudflare disclosed that it had mitigated a “record-breaking” 71 million requests per second DDoS attack. This attack, along with many others, highlighted the increasing size, sophistication, and frequency of DDoS attacks in recent months. Cloudflare’s DDoS threat report for the fourth quarter of 2022 revealed that the number of HTTP DDoS attacks increased by 79% compared to the previous year.

Google also experienced a significant HTTP DDoS attack in 2022. In a blog post from August, the company confirmed that it had blocked a Layer 7 DDoS attack that peaked at 46 million requests per second. Like other vendors, Google has observed an increase in the frequency and complexity of DDoS attacks in recent years as more organizations shift their workloads and applications to the cloud.

There are several factors contributing to the increasing danger of DDoS attacks. Steve Winterfeld, advisory CISO at Akamai, identified three primary sources: the compromised systems that become part of botnet armies, the availability of DDoS tools and infrastructure-as-a-service, and the involvement of nation-state threat groups with geopolitical goals.

Geopolitical motives have played a significant role in the uptick of DDoS attacks, with threat actors leveraging DDoS attacks to attain political goals. Cybersecurity vendor Radware observed a 150% increase in the number of DDoS attacks between 2021 and 2022. One attack between February and April generated 15 billion requests in aggregate. Radware traced the origins of the new wave of attacks to the Russian invasion of Ukraine, with state-sponsored groups like Killnet and NoName building more powerful botnets.

The shift to Layer 7 DDoS attacks, particularly HTTP/S DDoS attacks, has introduced a new level of complexity and enabled attackers to launch more devastating attacks. These attacks generate a high rate of requests per second and behave in sophisticated ways, masquerading as legitimate traffic that remains hard to distinguish even after the TLS layer is stripped. This makes it harder for mitigation services to separate malicious requests from real ones.

Current mitigation efforts have proven less effective against these sophisticated attacks. Many traditional DDoS mitigations rely on static signatures of known attacks and brute-force techniques, which are ineffective against the new generation of attack tools that use evasion techniques. Additionally, the encryption of web traffic under HTTPS further complicates the detection of malicious requests.

Layer 7 DDoS attacks are typically less powerful but harder to mitigate because they specifically target legitimate application processes. Threat actors can use multiple approaches to cause prolonged disruptions. Security teams must assess a wider set of resources to understand the attack and determine how to remediate.
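The two points above, that Layer 7 floods hide inside legitimate-looking HTTP requests and that static signatures miss them, come down to what a defender can still see once traffic is decrypted: per-client behaviour over time. The following is an added example written for this article, not code from any vendor named here. It parses access log lines in the common combined format and applies two behavioural checks, a per-client requests-per-second peak and a "cache-bypass" check that flags a client sending many requests to one path with a fresh query string almost every time (the pattern that defeats a CDN cache). The log lines, IP addresses (documentation ranges), thresholds and the `analyse`/`parse_line` names are all constructed for the example; the thresholds are illustrative starting points, not tuned values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Combined/common log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative thresholds (assumptions for this example, tune per site).
PEAK_RPS_THRESHOLD = 20       # requests from one client within a single second
CACHE_BUST_MIN_REQUESTS = 10  # minimum sample before judging query-string churn
CACHE_BUST_RATIO = 0.9        # share of requests to one path carrying a distinct query string


def parse_line(line):
    """Return {ip, second, path, query} for a log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("url"))
    return {"ip": m.group("ip"), "second": int(ts.timestamp()),
            "path": parts.path, "query": parts.query}


def analyse(lines):
    """Return {ip: {peak_rps, cache_bust_ratio, reasons}} for clients that trip a check."""
    per_second = defaultdict(Counter)                  # ip -> Counter(second -> requests)
    per_path = defaultdict(lambda: defaultdict(list))  # ip -> path -> [query strings]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        per_second[rec["ip"]][rec["second"]] += 1
        per_path[rec["ip"]][rec["path"]].append(rec["query"])

    findings = {}
    for ip, seconds in per_second.items():
        reasons = []
        peak = max(seconds.values())
        if peak >= PEAK_RPS_THRESHOLD:
            reasons.append(f"peak {peak} req/s")
        worst_ratio = 0.0
        for path, queries in per_path[ip].items():
            if len(queries) < CACHE_BUST_MIN_REQUESTS:
                continue
            distinct = len(set(queries))
            ratio = distinct / len(queries)
            worst_ratio = max(worst_ratio, ratio)
            if ratio >= CACHE_BUST_RATIO:
                reasons.append(f"{distinct} distinct query strings in {len(queries)} requests to {path}")
        if reasons:
            findings[ip] = {"peak_rps": peak, "cache_bust_ratio": round(worst_ratio, 2), "reasons": reasons}
    return findings


# --- Constructed sample log (not real traffic) ---------------------------------
_BASE = 1676030400  # an arbitrary epoch second used to build timestamps


def _line(ip, offset, url):
    ts = datetime.fromtimestamp(_BASE + offset, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 1532'


SAMPLE_LINES = (
    # ordinary browsing client: one request per second, a few product ids
    [_line("203.0.113.10", i, f"/products?id={i}") for i in range(8)]
    # burst client: 30 requests in one second, every one with a new query string
    + [_line("198.51.100.7", 0, f"/index.html?cb={i}") for i in range(30)]
    # slow cache-buster: only 1 req/s, but a fresh query string on every request
    + [_line("198.51.100.9", i, f"/index.html?v={i}") for i in range(12)]
    + ["this line is not a valid access log entry"]
)

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LINES).items():
        print(ip, info)
```

The slow client in the sample is the point of the second check: it never exceeds any per-second rate limit, so a pure rate-based rule (the "brute-force" approach the article describes) passes it, while the query-string churn still gives it away. In production the same two signals would be computed over sliding windows and combined with status-code mix, user-agent consistency and upstream latency, but the structure stays the same.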

In conclusion, the threat landscape for DDoS attacks is rapidly evolving, with attackers employing new techniques and exploiting vulnerabilities in internet architecture protocols. These attacks are becoming more frequent, faster, and more complex, putting organizations of all sizes at risk. Mitigation strategies must be revamped to address the shift to Layer 7 attacks and the increasing sophistication of the attackers. Otherwise, organizations will continue to suffer from disruptive and devastating DDoS attacks.
