Anatomy of a Data Breach, Part 3: Distributed Denial of Service (DDoS) Attacks
It’s nearly five in the afternoon. Beth, a 33-year-old systems analyst who monitors customer transactions at an online clothing outlet, thinks about dinner plans. But before she can ponder the possibilities of takeout, she notices a significant uptick in server activity that had been humming nicely at about 100 customers an hour. Thousands of orders are being received and processed in steady, unrelenting waves.
At the same time, the screens monitoring transaction activity are blank. Nothing is being sold online.
Two words cross her mind: “Zombie attack.”
In our previous posts in this Anatomy of a Data Breach series, we examined the continuing problems of ransomware and data theft. In this post, we look at Distributed Denial of Service (DDoS) attacks, a form of data-driven sabotage that has only increased in frequency and intensity since their forerunner, the Denial of Service (DoS) attack, was introduced decades ago.
What is a DDoS attack?
In a basic DoS attack, a target machine or network is flooded with multitudes of spurious requests designed to tie up bandwidth and frustrate normal operations. Over time, as security systems became more able to identify and block off sources of DoS attacks, cybercriminals migrated their efforts to DDoS attacks, employing the same basic idea but much greater traffic volume – and more victims.
Multiple compromised computer systems, often known as “zombies” or “bots,” are instructed to flood a target system with multiple requests. It might be a purchase order or a basic information request. By themselves, none of these requests would raise a blip of notice or concern. But when these bots are directed by malware to act in concert, forming so-called “botnets” that tie down business systems with useless activity, the disruption to business operations can be severe.
The more demand grows, the more difficult it becomes for a targeted system to do what it is supposed to. Ultimately, bandwidth overload is achieved and the system is shut down for an indefinite period of time.
Since 2018, some of the most egregious data breaches reported have involved DDoS attacks. In some cases, a DDoS attack will be used as cover, distracting IT staff from detecting high-value data theft or ransomware infiltrations. More and more third-party networks are infiltrated and deployed as bots, used without the knowledge of their owners to attack other public and private entities alike. These can be attacks of mind-boggling intensity – one famous 2020 attack employed a peak traffic volume of 2.3 billion terabits per second prior to its mitigation.
Unlike ransomware, the motive behind DDoS attacks is typically not payouts but pure malice. They remain popular with cybercriminals, both for the ease of their deployment and the level of havoc they create. DDoS attacks in the first half of 2022 were reported to be 60% higher than in the entirety of 2021. That growth showed no sign of slowing entering 2023, with predictions that attacks will “become even more prevalent and sophisticated, posing a significant threat to businesses and individuals worldwide.”
DDoS attacks take many forms
DDoS attacks are as unique from one another as the networks they target, but over the years several distinct categories have emerged. These include:
- Volumetric attacks - This is a DDoS attack in its most basic form, flooding networks with traffic to disrupt normal services. Sometimes, as with Beth’s “zombie” attack above, the focus is online sales engines. Other times, attacks are more superficially targeted but just as disruptive, impacting a network at its application layer where most communications occur. Because they are of simple design, these attacks are typically easy for cybercriminals to launch on a massive scale.
- Protocol attacks - This involves a more sophisticated and potentially far more devastating data breach that targets a network’s core services. While volumetric attacks concentrate on the seventh, outermost layer, protocol attacks exploit vulnerabilities three or four layers below that. Examples of this include “smurf attacks,” bombardments of internet control message protocol (ICMP) packets to a single network, triggering automated responses that in turn compromise the entire system. Sometimes, the objective is not shutting down a system, but slowing it down to inflict increased network latency.
- Yo-yo attacks/Advanced Persistent attacks - While using the same principle as a volumetric attack, these concentrate on longer-term repercussions. In a Yo-yo attack, the attacker will suddenly stop and then restart the attack before the target can mount an effective defense. An Advanced Persistent attack lasts many days, straining security protocols while wreaking systematic damage to the network.
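A defender-side illustration of the volumetric and yo-yo patterns described above, added here and not part of the original post: the log lines, minute buckets and thresholds are constructed, with the roughly 100-orders-per-hour baseline borrowed from Beth’s scenario. It shows why a per-client rate limit misses a botnet whose members each stay quiet while the aggregate request rate does not, and how the on/off rhythm of a yo-yo attack re-triggers the aggregate check.

```python
from collections import Counter, defaultdict

# Constructed log lines in the shape "<minute> <client_ip> <path>". A botnet
# spreads its load across many sources so that each source stays under a
# per-IP limit while the aggregate rate dwarfs the normal baseline.
def build_sample_log():
    lines = []
    # Quiet minutes: a couple of real shoppers (~100 orders/hour baseline).
    for minute in ("16:55", "16:56", "16:57", "16:59"):
        lines += [f"{minute} 203.0.113.{i} /checkout" for i in (1, 2)]
    # Flood minutes with a pause between them (yo-yo pattern): 300 distinct
    # bots from two documentation ranges, each sending only 3 requests.
    for minute in ("16:58", "17:00"):
        for i in range(150):
            for net in ("198.51.100", "192.0.2"):
                lines += [f"{minute} {net}.{i} /checkout"] * 3
    return lines

def bucket_by_minute(lines):
    """Map each minute to a Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        minute, ip, _path = line.split()
        buckets[minute][ip] += 1
    return buckets

def flag_aggregate(buckets, baseline_per_minute, factor=10):
    """Minutes whose total request count exceeds factor x the normal rate."""
    return sorted(m for m, c in buckets.items()
                  if sum(c.values()) > factor * baseline_per_minute)

def flag_per_source(buckets, limit):
    """Minutes in which any single client exceeded `limit` requests."""
    return sorted(m for m, c in buckets.items()
                  if c and max(c.values()) > limit)

if __name__ == "__main__":
    b = bucket_by_minute(build_sample_log())
    # Aggregate check fires twice (the flood stops and restarts); the
    # per-source check never fires because no bot exceeds 3 requests/minute.
    print("aggregate alerts:", flag_aggregate(b, baseline_per_minute=2))
    print("per-source alerts:", flag_per_source(b, limit=20))
```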
Who are the perpetrators?
The increasing sophistication of DDoS attacks raises the stakes for security professionals and businesses that rely on them. For example, the enormous uptake of Internet of Things (IoT) technology has been weaponized by DDoS practitioners to further bulk up their botnet armies into ever-expanding hordes. This also creates more vectors to attack from, stretching out a defender’s perimeter.
Other, newer types of DDoS attacks are clever variations on older tricks. Reflection and amplification attacks take the basic idea of volumetric attacks and make them more subtle and corrosive by “spoofing” or falsely using targeted IP addresses to make the source of DDoS attacks harder to pinpoint and counter.
Microsoft notes, “Every year, DDoS attacks are also becoming harder to protect against as new attack vectors emerge and cybercriminals leverage more advanced techniques, such as AI-based attacks.”
The average cost of a DDoS attack on a business has been estimated at over $200,000. This includes the cost of lost business, the drain on IT staff and disrupted services. Harder to measure is whatever trust has been lost by customers, clients and others impacted by a DDoS attack.
What can be done to prevent DDoS attacks?
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recommends steps to mitigate the damage of a DDoS attack. These include setting up dedicated firewalls, routers and SYN proxy mechanisms to detect and manage the surges in network use that accompany an attack.
In their August 2021 report, “DDoS Mitigation Vendors Enhance Capabilities to Meet Growing Complexity of DDoS Attacks,” Frost & Sullivan recommends investment in DDoS mitigation systems not only to enhance security postures but augment revenues by improving visibility and accuracy across large networks.
Most critically, investment in a managed-services solution like DDoS Protection gives enterprise IT leaders the ability not only to automatically detect DDoS threats when they happen, but shut down attacks quickly and completely before destructive capabilities reach full potential.
After recovering from the attack above, Beth’s employer recognized the need for such a service enhancement to their existing infrastructure to mitigate future attacks, investing in both their network infrastructure as well as in overall peace of mind.
Guarding against sophisticated threats like DDoS attacks requires not only a defense-first mentality but a defensive-minded partner. Learn how to secure your business from DDoS attacks and other cybercrime threats with Spectrum Enterprise managed solutions.