How to Tell if Your Business is Suffering From a DDoS Attack

Two decades is an eternity on the internet. When a Canadian teenager launched one of the first distributed denial of service (DDoS) attack to target large corporations at the turn of the century, it was little more than a novelty. Previous attacks had been limited to academic institutions or small companies. Forrester estimates that these security threats accounted for 24% of external attacks on companies in 2019. Often, victims won’t know they’re being targeted until it’s too late, so it’s important to know how to spot the warning signs.

The DDoS attack landscape is evolving. Traditional, unannounced attacks are still prevalent, but we’ve also noticed a pronounced growth in ransom DDoS (RDDoS) attacks. Criminals launch these attacks for profit, threatening to take down a service for a sustained period unless its owner pays them a fee. Now, research from Lumen’S Black Lotus Labs shows that they’re growing in number.

The rise in cryptocurrency values has made extortion an attractive business model for criminal groups because it’s easier for them to collect payments anonymously. This is why the growth in RDDoS attacks is mirroring that of ransomware. Companies often rely more on digital resources for revenue than they did in the past, which makes denial of those services more of a business risk. RDDoS attacks are even easier to mount, because the perpetrators can launch them externally without going to the trouble of compromising a system and they often succeed without having to launch a full-scale attack; the actors simply send a ransom note and perhaps demonstrate their capabilities with a relatively small, short attack.

As we detailed in our New Cyber Arms Race report, overall DDoS attacks are rising in frequency and volume. Cisco predicts that the number of attacks will grow by 14% per year on average between 2018 and 2023. In recent years, we’ve seen them expand in retail beyond the holiday season, when they used to be most prevalent. They’re also growing in size, with Amazon Web Services experiencing a massive 2.3 Tbps attack, the largest yet, in Q1 2020.

The hidden nuances of DDoS attacks

Spotting a DDoS attack might seem easy, but a wide range of attack types and payloads make it deceptively difficult in many cases. Attackers often won’t announce themselves, leaving victims to spot the attacks themselves. You can detect some attacks by monitoring the level of incoming network traffic, watching for unexpected spikes that deviate from historical baselines.

Another option involves watching the number of requests sent to a protected IP address space. You can set a threshold to alert you when an IP receives more than a set number of requests in a given period. Analyze baseline historical data when setting those thresholds.

While useful in many cases, these detection techniques are better suited to volumetric attacks that flood network bandwidth with packets. Not all DDoS attacks follow this pattern. Many of them take a smarter approach, carefully manipulating traffic at the application layer to drain server resources without tying up much bandwidth at all.

In particular, industry watchers have noticed a rise in ‘low and slow’ attacks, which are far harder to spot. These attacks use the surgeon’s knife rather than the sledgehammer. Rather than hitting the victim hard with an all-consuming, show-stopping flood of traffic, they use a trickle of carefully crafted requests that are difficult to distinguish from regular traffic on the network and target a vulnerable service that can only process a limited number of requests.

Launched using tools like Slowloris, Sockstress, and R.U.D.Y, these attacks tie up web-facing server resources by making lots of inefficient requests that mimic legitimate user traffic. They act a little like the person ahead of you in the shopping line who insists on individually checking their discount coupons for each item in their basket.

Look for evidence of these attacks through their effects. You might find that an application is sluggish or unresponsive. Look for 503 errors from the server that indicate a service outage. You can set your server operating system to alert you when those HTTP responses start appearing.

Beware that these symptoms could also be caused by something other than a DDoS attack. For extra intelligence, dig deeper into application logs to see if the requests that it is receiving are consuming unusual processing time compared to normal.

In cloud hosting situations, including those where content delivery networks are hosting content regionally, you might find that DDoS attacks take out services in one geography but not another. Automate application health check requests from different parts of the world to determine if the application is performing as expected and is still available.

How a DDoS mitigation service can help

As DDoS attackers become more sophisticated, their attack techniques are evolving. As Black Lotus Labs research points out, some attacks now blend different DDoS techniques to increase their chances of success. For example, the Kadyrovtsky group used a botnet created from networks of hacked IoT routers as the basis for a range of attack techniques generating over 200 Gbps in malicious traffic.

Many criminal groups are now combining volumetric and application-layer attacks to confuse and distract operations teams, tying up IT resources so that they can execute their real mission. In addition to ransom, the real motive behind a DDoS attack might be to shield a network compromise for data exfiltration.

It is becoming harder to detect and mitigate these attacks in-house. In-band traffic analysis and mitigation techniques might be inappropriate as they do not see the entire attack, but rather what is received on the customer side of the connection. On the other hand, carrier-based systems can spot and absorb the attacks using out-of-band traffic flow analysis before the malicious packets ever reach the targeted service.

Combine these volumetric detection services with application layer security controls that can analyze traffic at higher levels of the TCP stack. These can help you spot telltale nuances in lower-volume application-layer traffic.

There’s little you can do to prevent a DDoS attack, but armed with the right tools, techniques and service provider partners, you can quickly mitigate them. Visit our website for more information about how Lumen DDoS Hyper can help you to defend yourself.

This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents Lumen’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2021 Lumen Technologies. All Rights Reserved.