Fighting the Hydra of DDoS Attacks (Spoiler: They Got Worse)

There has never been a better or worse time to be online.

Humanity's endless ingenuity in digitizing more parts of our lives and finances has empowered and connected people and communities. It also made us helplessly dependent on our machines, so the act of losing or breaking your computer is more horrible than losing your wallet and keys at the same time.

Having your computer compromised by a hacker – that's some of the worst luck of all. We are all familiar with the global extortion ransomware attacks have inflicted on small to mid-sized businesses – but what about DDoS attacks? Are they still a concern?

Link11, a leading European IT security provider "in cyber-resilience," puts out a bi-annual report on DDoS Attacks. They recently released the .

TL;DR – DDoS attacks have gotten trickier, more powerful, more frequent and are often part of a more complex attack.

According to the report, attacks grew 40% YOY vs. 2020, there were many high volume attacks, and 71% of DDoS attacks were identified as multi-vector.

By multi-vector attack, they mean the hacker entity used multiple access paths, methods, and protocols making the DDoS attack. They compare this attack to a mythical hydra, which conveys the near hopelessness of fighting a diversified attack. Multi-vector DDoS attacks are more complex to run but far more challenging to catch and defend against. **
**

The report also showed an increase in carpet bombing -- a high-volume DDoS attack that runs a low volume of traffic from many IP addresses so they can avoid detection. Perhaps worst of all, DDoS attacks are being used as a smokescreen to hide more complex attacks. A mid-sized business' poor IT team will be wiping their brows having restored an online site or service, thinking they have been successful when they are , in fact, due for a ransomware attack a few months later.

We spoke with Ken MacIntyre, Sales Director and Marc Wilczek, COO of Link11, on the state of DDoS attacks.

Why are DDoS attacks such a big concern today?

"So straight after ransomware, your number two problem as an organization these days is DDoS. And what DDoS basically does is create a data tsunami that is unleashed and takes an organization offline for hours, potentially for days.

We're thinking about remote work at scale. Everyone is working from home… With a DDoS attack, the entire organization could be taken offline for hours, causing reputational damages, causing productivity losses, revenue losses, and more," Wilczek said.

Why the growth in DDoS attacks?

"I think there are at least two major driving forces – one is public cloud adoption. APIs are being compromised. The utility power and bandwidth of global providers is being misused or abused in order to produce massive amounts of DDoS attacks. And on the second part of that equation is the massive emergence of the Internet of Things with billions and billions of all these beautiful IoT devices. But unfortunately, to a large extent, they're not protected, and they can be put together to form a bot army to produce these attacks. All of that opens up and widens the attack surface… So you have a sort of a perfect storm. A perfect environment that lets DDoS attacks thrive and grow exponentially," Wilczek said.

What about the threat of state actors, like hacker groups in China, North Korea, and Russia? Do they pose a special threat?

"There's lots of attention on state-backed actors... But the fact of the matter is that 90%+of attacks are still financially driven. So, it's really financially-motivated cybercrime that is driving everyday attacks.

The state-backed actors contribute to the problem, but they tend to go after more prestigious targets such as the critical infrastructure providers. That said, some of these cyber-criminal gangs go after the big hosting companies, and domino effects can happen because if they're taken offline, it will trickle down... They represent a significant challenge today and in the future," Wilczek said.

What made Link11 focus specifically on DDoS?

"Originally, Link11 was a hosting company in the gaming industry and we were subject to an attack. Consequently, we pivoted from dealing with DDoS as a way of protecting our own business to a shift into becoming a leading DDoS mitigation company. That's how we began. And since then, the trend has been growing," Wilczek said.

How can you guard against a DDoS attack?

"The rules-based approach we've taken is to look at customers' profiles – what we call their fingerprints – and look at the shape of the data. And then any delta, any change from the norm, we'll look at a lot closer. If it's obviously a malicious attack, then we mitigate it. So the technology approach is an evolution from the traditional approaches many organizations take, which is manually looking at the attacks and trying to work out what's going on… We do it using machine learning and we're looking at it in real-time," Wilczek said.

What's the real danger around a DDoS attack beyond having your site or service down?

"DDoS attacks are often used to masquerade or camouflage other attacks. If somebody wanted to infiltrate a corporate network with ransomware, it's so easy to simply unleash a DDoS attack in order to keep the IT team busy, so they don't really notice what's happening... And unfortunately, it can take an organization months, if not years, to figure out that what appeared to be a DDoS attack was actually part of something much bigger…

We could be looking at what looks like a DDoS attack, and obviously, it's there, but it's masking something else. And that's a really high risk, because that could literally be the backdoor to try and take banking details, credit details, and things like that. And that's not uncommon, and obviously, it could also be the basis of a ransomware attack," Wilczek said.

Are there any industries that have struggled particularly with the issue?

"Banking has undergone a massive transition because it is no longer a retail conversation. It's no longer brick and mortar – it's about apps and mobile. It's digital, online, and 24/7. And every DDoS attack can cause major drama financially, but it also can erode trust. DDoS attacks are used to inflict chaos and possibly produce a bank run in the banks. And that's what DDoS can do, because it causes panic. If everything is offline, if you can no longer access your mobile apps, it causes a massive wave of chaos.

It's interesting because you will see sectors that are being attacked at the same time or groups of organizations being attacked at the same. Utilities, for example, in the last few months… It's very well structured. It's very well thought through. And the unfortunate ones who haven't the proper protection are brought down," Wilczek said.

Are DDoS attacks becoming more dangerous?

"The attacks are becoming a lot more sophisticated. And what can send an organization reeling is not just a large-scale frontal attack. There are more sophisticated forms of attacks. Think about Carpet Bombing, for example. Instead of having a massive wave of bandwidth, you actually end up with a tiny little spike in traffic per individual IP address, but because everything happens at once, it overwhelms the entire system and brings everything to a standstill. And unfortunately, less sophisticated tools really struggle to detect these traffic patterns because they look like or appear to be regular traffic," Wilczek said.

How do you protect companies against DDoS attacks?

"When our customers come in, we want to get a sense for their pattern of traffic. And that can be quite detailed. And then we do our work and machine learning does what it does in real-time, tracking those profiles. We check-in against algorithms, patterns of traffic from similar customers, according to industry, and so on. And once we're certain that we've detected a malicious attack, then we basically block the traffic for customers," MacIntyre said.

So if you had one piece of advice for companies that might be vulnerable, what would it be?

"First, identify your mission-critical IT assets. When was the last time that you audited or tested your defense? Often, companies procured a solution many, many years ago, and then they fail to run fire drills. They fail to practice. They fail to do audits, they fail to pentest, and they simply believe everything is perfectly up and running until there is an attack, and unfortunately, they learn the hard way. That is why I would strongly suggest asking, when did you audit it? When did you pentest it? When was your last fire drill, and it really needs practice, and practice, and practice, because otherwise, maybe there's a couple of months or half a year without any attack. You think you're in a good spot, and it all comes down in the middle of the night," MacIntyre said.

Image by from