8 Biggest DDoS Attacks Today And What You Can Learn From Them

DDoS Disasters

A distributed denial-of-service (DDoS) attack occurs when a bad actor seeks to make it impossible for a service to be delivered. DDoS attacks generally work by drowning a system with requests for data, overwhelming internet bandwidth, CPU or RAM capacity through an excessive volume or web server or database queries.

The impact of a DDoS attack can range anywhere from a minor service disruption or entire websites, applications or even businesses being taken offline. From a size perspective, DDoS attacks have grown from averaging just over 1 GBps in the 2000s to 100 GBps in 2010 to more than 800 GBps in 2016, according to Darren Anstee, CTO of Westford, Mass.-based Netscout Arbor.

Two of the largest recent DDoS attacks included the October 2016 strike against Dyn DNS – which peaked at 1.2 TBps – and February's attack on GitHub, which peaked at 1.35 TBps. As part of CRN's Cybersecurity Week 2018, here's a look at eight of the largest DDoS attacks today and what users can do to protect themselves from new and emerging threat vectors.

Application Layer Attacks

Application layer DDoS attacks can be difficult to spot since the traffic doesn't look much different than what a genuine user would be doing, according to Netscout's Anstee. The attacker and botnet involved in application layer attacks look like normal user activity, Anstee said, and consume far less bandwidth than other types of DDoS attacks.

Application layer attacks have become more prevalent since 2010, Anstee said, with military branches, government entities, and financial organizations alike realizing that relying on service providers to monitor their network at a fairly high level of granularity wouldn't provide proactive protection against application layer activity.

For this reason, Anstee encouraged companies to adopt a hybrid or layered approach to DDoS defense that includes a perimeter or enterprise data center component that has a more focused view of the traffic and can react more stealthily.

Botnet-Driven Attacks

DDoS attackers are able to create a larger pool of attack resources by loading malware onto devices such as IP cameras or DVRs, according to Robert Hamilton, director of product marketing at Redwood Shores, Calif.-based Imperva.

These botnets have emerged since the devices being taken advantage of have lousy security, Hamilton said, with default or factory-set passwords that are easy to guess. Attackers have realized that it's far more difficult to load malware onto a Windows XP PC that's protected by a firewall and running anti-virus software than it is to break into a DVR or baby monitor that's running on a basic operating system.

DDoS attacks rely on strength, Hamilton said, with the likelihood of bringing a server down increasing as the number of devices sending a web request to a particular server rises. By sending commands from 10,000 or more internet-connected devices, Hamilton said botnets can build a more powerful attack force.

Multivector Attacks

Multivector attacks are the most sophisticated type of DDoS activity, according to Netscout's Anstee. The percentage of enterprises having witnessed multivector attacks has increased by 20 percent, with 48 percent of organizations reporting having seen these highly sophisticated attacks.

The increase in multivector activities ties back to the monetization of this activity through DDoS for hire and botnet services, Anstee said. In fact, Anstee said DDoS attack sizes actually decreased in 2017 from the year before as bad actors increasingly go after the same targets using multiple techniques such as application layer attacks.

Botnet for hire infrastructure has made it far easier for bad actors to launch complex, multivector attacks, according to Anstee. Big IoT botnets have refocused their efforts on sophisticated, multivector attacks to better fly under the radar, Anstee said, since law enforcement officials and internet service providers have become pretty focused on stopping higher-volume DDoS attacks.

Pulse Wave Attacks

Pulse wave attacks have a specific structure to them that's designed to evade traditional detection methods, according to Logan Kipp, technical architect at Scottsdale, Ariz.-based SiteLock. Instead of one big, sustained attack over an hour, a pulse wave event takes these DDoS attack resources and spreads them out to many more clients, sending 60 one-minute attacks to 60 people, said Imperva's Hamilton.

Most providers require 10 minutes of data to put an effective DDoS mitigation strategy in place, Kipp said, so by cutting the traffic off early, the provider doesn't get enough data.

Only 45 seconds to 120 seconds of a 400-GBps attack are necessary to crash services and force initiation of a failover, Kipp said. However, many SMBs and even some midsize companies don't have a failover process in place, according to Kipp, which results in service actually being denied to legitimate users.

Businesses suffering a pulse wave incur a number of hidden expenses, Kipp said, including bandwidth costs, lost revenue, and the cost to investigate and deal with the postmortem recovery.

Reflection Amplification

Nearly all of the largest DDoS attacks in recent years have relied on a technique called reflection amplification, which leverages infrastructure out on the internet to magnify the amount of traffic that can be generated, according to Netscout's Anstee. Specifically, Anstee said the attacks are made much larger by bouncing the traffic off other pieces of infrastructure.

A whole host of different protocols can be used to magnify traffic, Anstee said, including some factors that can amplify by a magnitude of several thousands.

Reflection amplification can be stopped proactively by service providers through orchestration mitigation at the edge of the network, Anstee said. Alternatively, Anstee said organizations can detect reflection amplification attacks using the same platform, divert the traffic to clean infrastructure for inspection and cleaning, and permit only the good activity to proceed.

State-Exhaustion Attacks

State-exhaustion attacks target state tables in pieces of infrastructure such as the firewall, load balancer or the server itself, according to Netscout's Anstee. Although state-exhaustion attacks are still visible from the network perspective, Anstee said they are stealthier than many other types of DDoS activity and no less effective.

Load balancers and firewalls tend to have deeper content since they sit behind the middleware, Anstee said. As a result, Anstee said a successful state-exhaustion attack can lead to the middleware space becoming dead, resulting in a longer service recovery time for enterprises.

State-exhaustion attacks are being driven by the same factors as application layer attacks, Anstee said, and are focused on exhausting resources in different places.

Targeted Attacks

Targeted DDoS attacks are focused on taking down a specific site or application in a more traditional way by exploiting gaps that exist within the architecture or security of a legacy protocol, according to Jen Taylor, head of products at San Francisco-based Cloudflare.

Although legacy protocols around technologies such as ports are very broadly deployed, Taylor said they typically weren't built with the idea of defending against targeted attacks. Bad actors looking to carry out a targeted attack need to profile an application to understand who they're targeting and marshal resources effectively, according to Taylor.

Attackers often opt to take over and leverage capacity-related gaps that exist in areas like IoT devices to take over a specific site or application, Taylor said. Organizations can best defend themselves by getting onto a big network, locking down all nonessential ports, and profiling their applications before an attacker does, according to Taylor.

Volumetric Attacks

Volumetric attacks remain the most common form of DDoS activity, with 7.5 million such events taking place in 2017, according to Anstee. Volumetric attacks consist of huge bursts of traffic to saturate internet activity, Anstee said, and often target smaller businesses and organizations or occur among gamers looking to gain an unfair advantage.

Volumetric activities were more powerful earlier on in the internet era when it was easier to consume sufficient capacity to result in a broader shutdown, according to Cloudflare's Taylor. But given the scope and size of networks today as well as the volume of activity that's currently taking place, Taylor said it's hard to generate sufficient traffic to take down the internet altogether.

Although successful large-scale volumetric operations are few and far between, Taylor said the stories are interesting because the numbers are so big.