
How to Tell if Your Business is Suffering From a DDoS Attack

Lumen Posted On April 19, 2021

Two decades is an eternity on the internet. When a Canadian teenager launched one of the first distributed denial of service (DDoS) attacks to target large corporations at the turn of the century, it was little more than a novelty. Previous attacks had been limited to academic institutions or small companies. Forrester estimates that these security threats accounted for 24% of external attacks on companies in 2019. Often, victims won’t know they’re being targeted until it’s too late, so it’s important to know how to spot the warning signs.

The DDoS attack landscape is evolving. Traditional, unannounced attacks are still prevalent, but we’ve also noticed a pronounced growth in ransom DDoS (RDDoS) attacks. Criminals launch these attacks for profit, threatening to take down a service for a sustained period unless its owner pays them a fee. Now, research from Lumen’s Black Lotus Labs shows that they’re growing in number.

The rise in cryptocurrency values has made extortion an attractive business model for criminal groups because it’s easier for them to collect payments anonymously. This is why the growth in RDDoS attacks is mirroring that of ransomware. Companies often rely more on digital resources for revenue than they did in the past, which makes denial of those services more of a business risk. RDDoS attacks are even easier to mount, because the perpetrators can launch them externally without going to the trouble of compromising a system and they often succeed without having to launch a full-scale attack; the actors simply send a ransom note and perhaps demonstrate their capabilities with a relatively small, short attack.

As we detailed in our New Cyber Arms Race report, overall DDoS attacks are rising in frequency and volume. Cisco predicts that the number of attacks will grow by 14% per year on average between 2018 and 2023. In recent years, we’ve seen them expand in retail beyond the holiday season, when they used to be most prevalent. They’re also growing in size, with Amazon Web Services experiencing a massive 2.3 Tbps attack, the largest yet, in Q1 2020.

The hidden nuances of DDoS attacks

Spotting a DDoS attack might seem easy, but a wide range of attack types and payloads make it deceptively difficult in many cases. Attackers often won’t announce themselves, leaving victims to spot the attacks themselves. You can detect some attacks by monitoring the level of incoming network traffic, watching for unexpected spikes that deviate from historical baselines.

Another option involves watching the number of requests sent to a protected IP address space. You can set a threshold to alert you when an IP receives more than a set number of requests in a given period. Analyze baseline historical data when setting those thresholds.
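The two detection approaches above (watching for spikes against a historical baseline, and alerting when a protected address receives more than a set number of requests per period) can be expressed as one small detector. The following is an added illustration, not Lumen’s tooling: flow records are constructed inline as `(epoch_seconds, destination_ip)` pairs (in practice they would come from NetFlow/sFlow exports or a firewall log), the protected range `203.0.113.0/24` and the alerting constants `k` and `floor` are assumptions, and the threshold is derived per destination from the mean and standard deviation of its own historical per-minute counts, never dropping below an absolute floor.

```python
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Assumed protected address space (TEST-NET-3, reserved for documentation).
PROTECTED = ipaddress.ip_network("203.0.113.0/24")


def make_records(dst, start, per_minute_counts):
    """Build constructed flow records: one (epoch_seconds, dst_ip) tuple per
    request, spread over consecutive one-minute windows starting at `start`."""
    records = []
    for i, n in enumerate(per_minute_counts):
        for j in range(n):
            records.append((start + 60 * i + j % 60, dst))
    return records


def bucket_counts(records, window=60):
    """Count requests per (dst_ip, window_start), ignoring unprotected targets."""
    counts = defaultdict(int)
    for ts, dst in records:
        if ipaddress.ip_address(dst) in PROTECTED:
            counts[(dst, ts - ts % window)] += 1
    return counts


def baseline_threshold(history_counts, k=3.0, floor=100):
    """Alert threshold from historical per-window counts: mean + k * stdev.
    The absolute floor stops a quiet host (tiny stdev) from paging on noise."""
    if len(history_counts) < 2:
        return float(floor)
    return max(float(floor), mean(history_counts) + k * pstdev(history_counts))


def detect_spikes(history, current, window=60, k=3.0, floor=100):
    """Return one alert per (dst, window) in `current` that exceeds the
    threshold learned from that destination's history."""
    per_ip_history = defaultdict(list)
    for (dst, _), n in bucket_counts(history, window).items():
        per_ip_history[dst].append(n)
    alerts = []
    for (dst, start), n in sorted(bucket_counts(current, window).items()):
        threshold = baseline_threshold(per_ip_history.get(dst, []), k, floor)
        if n > threshold:
            alerts.append({"dst": dst, "window_start": start,
                           "requests": n, "threshold": round(threshold, 1)})
    return alerts


# Constructed sample data: ten quiet minutes of history, then one minute in
# which .10 is flooded while .20 stays at its usual (higher) level.
HISTORY_START = 1_618_800_000
HISTORY = (make_records("203.0.113.10", HISTORY_START,
                        [48, 52, 50, 49, 51, 50, 53, 47, 50, 50])
           + make_records("203.0.113.20", HISTORY_START, [120] * 10))
CURRENT_START = HISTORY_START + 600
CURRENT = (make_records("203.0.113.10", CURRENT_START, [400])
           + make_records("203.0.113.20", CURRENT_START, [120])
           + make_records("198.51.100.5", CURRENT_START, [1000]))  # not protected

if __name__ == "__main__":
    for alert in detect_spikes(HISTORY, CURRENT):
        print(f"ALERT {alert['dst']} window={alert['window_start']} "
              f"requests={alert['requests']} threshold={alert['threshold']}")
```

Only `203.0.113.10` is reported: its 400 requests in one minute far exceed the floor of 100, while `203.0.113.20` receiving 120 requests is normal for that host and the 1000 requests to `198.51.100.5` fall outside the protected range. Tune `k` and `floor` from real baseline data rather than the constructed values used here.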

While useful in many cases, these detection techniques are better suited to volumetric attacks that flood network bandwidth with packets. Not all DDoS attacks follow this pattern. Many of them take a smarter approach, carefully manipulating traffic at the application layer to drain server resources without tying up much bandwidth at all.

In particular, industry watchers have noticed a rise in ‘low and slow’ attacks, which are far harder to spot. These attacks use the surgeon’s knife rather than the sledgehammer. Rather than hitting the victim hard with an all-consuming, show-stopping flood of traffic, they use a trickle of carefully crafted requests that are difficult to distinguish from regular traffic on the network and target a vulnerable service that can only process a limited number of requests.

Launched using tools like Slowloris, Sockstress, and R.U.D.Y, these attacks tie up web-facing server resources by making lots of inefficient requests that mimic legitimate user traffic. They act a little like the person ahead of you in the shopping line who insists on individually checking their discount coupons for each item in their basket.

Look for evidence of these attacks through their effects. You might find that an application is sluggish or unresponsive. Watch for 503 errors from the server, which indicate a service outage; you can configure the server or its operating system to alert you when those HTTP responses start appearing.

Beware that these symptoms could also be caused by something other than a DDoS attack. For extra intelligence, dig deeper into application logs to see if the requests that it is receiving are consuming unusual processing time compared to normal.

In cloud hosting situations, including those where content delivery networks are hosting content regionally, you might find that DDoS attacks take out services in one geography but not another. Automate application health check requests from different parts of the world to determine if the application is performing as expected and is still available.

How a DDoS mitigation service can help

As DDoS attackers become more sophisticated, their attack techniques are evolving. As Black Lotus Labs research points out, some attacks now blend different DDoS techniques to increase their chances of success. For example, the Kadyrovtsky group used a botnet created from networks of hacked IoT routers as the basis for a range of attack techniques generating over 200 Gbps in malicious traffic.

Many criminal groups are now combining volumetric and application-layer attacks to confuse and distract operations teams, tying up IT resources so that they can execute their real mission. In addition to ransom, the real motive behind a DDoS attack might be to shield a network compromise for data exfiltration.

It is becoming harder to detect and mitigate these attacks in-house. In-band traffic analysis and mitigation techniques might be inappropriate as they do not see the entire attack, but rather what is received on the customer side of the connection. On the other hand, carrier-based systems can spot and absorb the attacks using out-of-band traffic flow analysis before the malicious packets ever reach the targeted service.

Combine these volumetric detection services with application-layer security controls that can analyze traffic at the higher layers of the TCP/IP stack. These can help you spot telltale nuances in lower-volume application-layer traffic.

There’s little you can do to prevent a DDoS attack, but armed with the right tools, techniques and service provider partners, you can quickly mitigate them. Visit our website for more information about how Lumen DDoS Hyper can help you to defend yourself.


This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents Lumen’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. Lumen may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2021 Lumen Technologies. All Rights Reserved.

Tags: Botnet, Cyberthreats, DDoS Protection


Author

Lumen

Lumen is a global communications services provider that ignites business growth by connecting people, data and apps—quickly, securely and effortlessly. Our networking, edge cloud, collaboration and cybersecurity solutions and managed services are designed to elevate your business and deliver the most user‑friendly, intuitive and productive technology environments.
