As more companies become reliant upon online services like cloud computing and take steps to improve their network security accordingly, distributed detail of service (DDoS) attacks have become a more attractive strategy for hackers looking to create chaos and disruption. Easy to organize and execute, recent DDoS attacks have become more sophisticated and intense over the last decade and show little sign of slowing. Although organizations and data centers have ramped up their cybersecurity efforts to mitigate the impact of these attacks, they can still be quite damaging for both the companies targeted and the customers who rely upon their services to do business.
Although recent DDoS attacks declined slightly in 2018, the first quarter of 2019 saw an 84 percent increase over the previous year. Both the size and frequency of those attacks increased, with the largest growth coming in attacks lasting over an hour. Not only did these attacks double in quantity, their average length also increased by 487 percent. As attacks increasingly utilize multiple attack vectors, cybersecurity experts are turning to artificial intelligence and machine learning to identify attack patterns and bolster their DDoS mitigation.
Distributed denial of service attacks are a type of cyberattack designed to overload servers or disrupt network services by overwhelming them with access requests. The specific method of these attacks may vary from one to the next, but frequently feature the use of botnets.
What’s a botnet? It’s a virtualized “army” of compromised computers and servers that are used to target a specific system. The hacker behind the DDoS attack sends malware to numerous systems and, if successfully installed, can use that malware to remotely take over some (or all) of the compromised system’s processes to carry out the attack.
What does a DDoS attack do and how does it work? That depends on the specific type of DDoS attack being carried out. There are many different types of DDoS attacks, such as:
Volumetric Attacks. These attacks seek to consume all available bandwidth on a network so no legitimate requests can be processed. A volumetric DDoS attack example would be a DNS amplification attack.
TCP Handshake/SYN Floods. A series of incomplete “TCP Handshake” protocol requests for an initial connection are sent to the target system, but never completed—typically using spoofed IP addresses. This is an example of a “protocol attack.” Here, legitimate site users trying to visit the webpage may further contribute to the problem as they hit “refresh” on their browsers to get the page to load (though this is usually only a tiny percentage of the load compared to the actual attack).
Application Layer Attacks. Also known as “Layer 7 DDoS Attacks,” these attacks basically keep pinging the server with HTTP requests—something that’s low-impact for senders, but resource-intensive for the server that has to load all of the files and database queries the website needs to display properly.
Multi-Vector DDoS Attacks. Sometimes, an attacker may combine several DDoS attack methods to make their attack more effective and difficult to counter. Targeting multiple layers of the network can be extremely effective at increasing disruption.
What makes preventing DDoS attacks difficult is that there are so many types of them, and some are harder to separate from legitimate traffic requests than others.
7 of the Most Famous Recent DDoS Attacks
Amazon Web Services (AWS) (February 2020)
According to an article by ZDNet, in February of 2020, “Amazon said its AWS Shield service mitigated the largest DDoS attack ever recorded, stopping a 2.3 Tbps attack.” Prior to this attack, the world record for largest recorded DDoS attack was 1.7 Tbps (Terabits per second), which itself supplanted the record set by the GitHub attack that will be mentioned below.
The ZDNet article doesn’t name the AWS customer, but it did mention that “the attack was carried out using hijacked CLDAP web servers and caused three days of ‘elevated threat’ for [Amazon’s] AWS Shield staff.” CLDAP stands for Connection-less Lightweight Directory Access Protocol, which is a protocol for connecting, searching, and modifying shared directories on the internet.
It is also, according to ZDNet, a protocol that “has been abused for DDoS attacks since late 2016” and that “CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size.”
GitHub (February, 2018)
A popular online code management service used by millions of developers, GitHub is used to high traffic and usage. What it wasn’t prepared for was the then record-breaking 1.3 Tbps of traffic that flooded its servers with 126.9 million packets of data each second. The attack was the biggest recorded DDoS attack at that time, but the onslaught only took GitHub’s systems down for about 20 minutes. This was largely due to the fact that GitHub utilized a DDoS mitigation service that detected the attack and quickly took steps to minimize the impact.
Unlike many recent DDoS attacks, the GitHub attack didn’t involve botnets. Instead, the DDoS attackers used a strategy known as memcaching, in which a spoofed request is delivered to a vulnerable server that then floods a targeted victim with amplified traffic. Memcached databases are commonly used to help speed up websites and networks, but have recently been weaponized by DDoS attackers.
Undisclosed NETSCOUT Client (March 2018)
Not long after the 1.3 Tbps DDoS attack against GitHub, NETSCOUT reported that one of their customers was targeted by a 1.7 Tbps DDoS attack. This particular attack was described by NETSCOUT as being “based on the same memcached reflection/amplification attack vector that mad up the Github attack.”
However, despite the massive size of the attack, “no outages were reported because of this,” according to NETSCOUT. This can serve as an example of how being prepared for a specific type of attack can make a major difference in the impact of that attack.
Dyn (October, 2016)
As a major DNS provider, Dyn was crucial to the network infrastructure of several major companies, including Netflix, PayPal, Visa, Amazon, and The New York Times. Using a malware called Mirai, unidentified hackers created a massive botnet incorporating internet of things (IoT) devices to launch what was at the time the largest recorded DDoS attack. The assault had massive trickle-down effects, as many of Dyn’s customers found their websites crippled by DNS errors when Dyn’s servers went down. Although the problems were sorted out and service restored by the end of the day, it was a frightening reminder of the fragility of network infrastructure.
BBC (December, 2015)
On the last day of 2015, a group called “New World Hacking” launched a 600 Gbps attack using its BangStresser application tool. The attack took the BBC’s sites, including its iPlayer on-demand service, down for about three hours. Aside from its sheer size, which was the biggest DDoS attack on record at that time, the most noteworthy aspect of the BBC attack was the fact that the tool used to launch it actually utilized cloud computing resources from two Amazon AWS servers. For IT security professionals who had long trusted Amazon’s reputation for security, the notion that DDoS attackers had found a way to leverage the bandwidth of a public cloud computing service to power their assault was particularly troubling.
Spamhaus (March, 2013)
In 2013, Spamhaus was an industry-leading spam filtering organization, removing as much as 80% of spam emails. This made them an attractive target for scammers, who ultimately hired a teenage hacker in Britain to launch a massive offensive to take down Spamhaus’s systems. Clocking in at 300 Gbps, this assault was the biggest DDoS attack recorded at that time. When Spamhaus responded to the threat by turning to a DDoS mitigation service, the attacker shifted focus to try to bring it down as well, which caused network disruptions throughout Britain as other companies were caught in the crossfire.
Bank of America/JP Morgan Chase/US Bancorp/Citigroup/PNC Bank (December, 2012)
In September and October of 2012, a group identifying itself as “Izz ad-Din al-Qassam Cyber Fighters” launched several DDoS attacks against US banks, allegedly in response to a controversial film trailer on YouTube. Later that year, the group promised to expand the scope of its attacks. In December, it followed through by hitting six prominent banks over the course of three days, disrupting services and causing severe slowdown. While the attack was larger than those from a few months prior, the earlier wave left cybersecurity experts better prepared to deal with the botnet tactics the group deployed. At its peak, the attacks reached 63.3 Gbps.
As recent DDoS attacks continue to evolve, cybersecurity experts are working hard to counter their effects and diminish their impact. While a DDoS attack is still something every company should be concerned about, there are many ways to safeguard operations against them, from DDoS mitigation services to data center options like blended ISP connectivity. These efforts may not be able to make DDoS attacks a thing of the past, but they’re making them a less effective strategy for disrupting operations and services.
About Blair Felter
As the Marketing Director at vXchnge, Blair is responsible for managing every aspect of the growth marketing objective and inbound strategy to grow the brand. Her passion is to find the topics that generate the most conversations.