Distributed Denial of Service (DDoS) attacks can wreak serious destruction: a single 15-minute attack can cause tens of millions in damages, and attackers can use them to shut an organization down at will. DDoS attacks are growing not only in magnitude but also in sophistication: attackers are wrangling ever-larger botnets and making use of increasingly powerful amplification techniques. A DDoS protection service that works is now a necessity, a point that every recent, record-breaking attack makes more self-evident.
June 27, 2022
Unbeknownst to the victim, attackers had recently got their hands on a substantial number of infected IoT devices. Similar to the infamous Mirai botnet, this cluster of almost 170,000 Wi-Fi-connected devices included security cameras, Wi-Fi routers, and servers. The devices were spread across 180 countries, with clusters in the US, Brazil and Indonesia. Embarrassingly, some of the infected servers were even hosted by cloud security service providers.
At roughly 7:51 am, the attackers sprang into action: the 170,000-strong botnet began making request after request to the site. Soon the botnet reached its average rate of 1.8 million requests per second. The attack was sustained for four hours, clocking in at a total of over 25 billion site requests.
If the victim had not employed a high standard of DDoS mitigation, they too would have risked losing millions. Without factoring in ransom costs, the average cost of a DDoS attack in the US is around $218k. The average DDoS attack, as of 2021, also weaponized botnets capable of attacks of 4.31 GB per second. That figure is a far cry from the server-straining volume of requests seen here.
How did such a relatively small botnet cause so much damage?
Receptionists on Smoke Break: The Mechanisms of the DDoS Attack
DDoS attacks abuse the core request-and-deliver mechanisms that every server relies on. Some types of connection, however, are particularly ripe for high-volume malicious activity.
The User Datagram Protocol (UDP) is a transport protocol used for particularly time-sensitive traffic, such as when a browser asks for video playback. Before serving up a video over this fast, connectionless channel, however, the hosting server must check whether a program is actually listening on the port the UDP datagram is addressed to. If no program is open to receiving that traffic, the server has to tell the sender so, which it does with an ICMP "port unreachable" reply.
Note that this process still consumes server resources even though the request fails. Attackers looking to unleash carnage on their victim can exploit this by flooding a server with such unsuccessful UDP requests. Imagine an office receptionist routing calls for a company. First, the receptionist receives a caller who asks to be put through to Person A. Placing them on hold, the receptionist checks the list of contacts, then checks whether Person A is free to take a call. As Person A is currently on leave, the receptionist must take the caller off hold and let them know. A UDP flood would look like every incoming phone line lighting up at once. The receptionist simply cannot cope and runs outside for a smoke break.
But the attackers went even further: not only did 170,000 bots suddenly descend upon this company's servers, their requests were further amplified by a modern feature of how web clients talk to servers.
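The detection side of the mechanism just described, as an added example that is not part of the original article: datagrams to ports with no listening service are the ones that force an ICMP port-unreachable reply, so a sudden surge of them from many distinct sources is the UDP-flood signature a defender watches for. The record format, listening ports and thresholds are assumptions, and the sample records are constructed.

```python
"""UDP-flood detector over constructed per-packet records (added example).
A datagram to a port with no listening service costs the server an ICMP
port-unreachable reply, so per-second counts of such datagrams, combined
with the number of distinct sources, separate a flood from one noisy scanner."""
from collections import defaultdict

# Ports with a listening UDP service on the hypothetical server (assumption).
LISTENING_UDP_PORTS = {53, 123}

# Constructed sample records: (second, src_ip, proto, dst_port). In practice
# these would come from NetFlow/IPFIX or packet capture at the network edge.
SAMPLE_RECORDS = (
    [(0, "203.0.113.5", "UDP", 53), (0, "203.0.113.6", "UDP", 123),
     (0, "203.0.113.8", "UDP", 5000)]                                   # a normal second
    + [(1, f"198.51.100.{i}", "UDP", 40000 + i) for i in range(200)]    # the flood second
    + [(1, "203.0.113.5", "UDP", 53), (1, "203.0.113.7", "TCP", 443)]
)


def detect_udp_flood(records, closed_port_rate=100, min_sources=50):
    """Return {second: verdict}: closed-port UDP count, distinct sources, and
    whether BOTH the volume and the distribution thresholds are crossed.
    Requiring both keeps a single misconfigured host from being labelled a DDoS."""
    per_second = defaultdict(lambda: {"closed_port_udp": 0, "sources": set()})
    for second, src, proto, dport in records:
        if proto != "UDP" or dport in LISTENING_UDP_PORTS:
            continue  # TCP and datagrams to live services generate no ICMP reply
        bucket = per_second[second]
        bucket["closed_port_udp"] += 1
        bucket["sources"].add(src)
    verdicts = {}
    for second, bucket in sorted(per_second.items()):
        n_src = len(bucket["sources"])
        verdicts[second] = {
            "closed_port_udp": bucket["closed_port_udp"],
            "distinct_sources": n_src,
            "flood": bucket["closed_port_udp"] >= closed_port_rate and n_src >= min_sources,
        }
    return verdicts


if __name__ == "__main__":
    for second, verdict in detect_udp_flood(SAMPLE_RECORDS).items():
        print(second, verdict)
```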
The Might of Multiplexing
If the UDP flood is each phone line being called simultaneously, then ‘multiplexing’ describes each individual call actually being a surprise conference call, with dozens of callers clamouring at the receptionist to make their connection.
In a DDoS attack, each connected bot is now capable of making 6 or more requests over a single connection, so already-sizable botnets can wreak tenfold devastation, while attackers reap an ever-better return on their rented botnets.
The Power of DDoS Mitigation
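How a defender would measure the multiplexing effect described above, as an added example that is not from the original article: counting requests per connection in an access log shows the amplification factor directly, and connections carrying far more requests than a browser normally would point at the sources doing it. The record format, threshold and sample data are constructed assumptions.

```python
"""Multiplexing-abuse analysis over constructed HTTP access records (added example).
Each record is (second, src_ip, connection_id). A browser issues a handful of
requests per connection; a bot packing many requests into one connection
multiplies its request rate without opening more sockets."""
from collections import Counter, defaultdict

SAMPLE_REQUESTS = (
    # Two ordinary users: one or two requests per connection (constructed).
    [(0, "203.0.113.10", "c-10a"), (0, "203.0.113.10", "c-10a"),
     (0, "203.0.113.11", "c-11a")]
    # 170 bots, each packing 8 requests into a single connection (constructed).
    + [(0, f"198.51.100.{b}", f"bot-{b}") for b in range(170) for _ in range(8)]
)


def analyse_multiplexing(records, per_conn_threshold=6):
    """Return per-second stats: total requests, distinct connections, the
    amplification factor (requests per connection) and the sources whose
    connection carried at least per_conn_threshold requests.
    An amplification near 1 is normal traffic; a multiplexing botnet drives it
    towards its per-connection request count."""
    per_conn = Counter()   # (second, connection_id) -> request count
    conn_owner = {}        # connection_id -> src_ip
    for second, src, conn in records:
        per_conn[(second, conn)] += 1
        conn_owner[conn] = src
    stats = defaultdict(lambda: {"requests": 0, "connections": 0, "flagged_sources": set()})
    for (second, conn), n in per_conn.items():
        s = stats[second]
        s["requests"] += n
        s["connections"] += 1
        if n >= per_conn_threshold:
            s["flagged_sources"].add(conn_owner[conn])
    for s in stats.values():
        s["amplification"] = s["requests"] / s["connections"]
        s["flagged_sources"] = sorted(s["flagged_sources"])
    return dict(stats)


if __name__ == "__main__":
    for second, s in analyse_multiplexing(SAMPLE_REQUESTS).items():
        print(second, s["requests"], s["connections"], round(s["amplification"], 2),
              len(s["flagged_sources"]), "flagged sources")
```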
Without a first-class mitigation provider in place, the attackers would have collapsed the victim's network. Given that this victim was a telecom provider, the damage could have been catastrophic: the losses in customer trust and revenue would have been severe. Mitigation provider Imperva acknowledged that, without its protection in place, the attack could also have swelled to peaks greater than the tracked 3.9 million RPS.
High-quality DDoS mitigation works via a small change to an organization's DNS records: all traffic is rerouted to flow through the solution provider's high-capacity network. Once an unexpected volume of traffic begins flowing in, DDoS mitigation kicks in within 3 seconds. All traffic is then fed through scrubbing centers, where its legitimacy is evaluated. The best mitigation providers supply a network that can absorb even enormous attacks: industry leaders boast networks that can handle 65 billion attack packets per second. Absorbing that volume nullifies the DDoS attacker's goal, while legitimate users are still allowed through, meaning your organization can weather the storm and continue to provide first-class service to the requests that matter.