In 2023, DDoS attacks continue to grow in intensity, frequency, and sophistication, forcing companies to look for solutions and strategies to combat this type of threat. This is reinforced by the fact that Google delivers over 17 million answers to the question “How to mitigate a DDoS attack”. To save you the effort of searching and sorting, we have put together a mini guide with up-to-date information on the evolution and types of the most common attacks, as well as practical recommendations for measures and solutions to protect against them.
How DDoS attacks have evolved
Distributed Denial of Service (DDoS) attacks have seen a substantial increase in the last year, estimated at 46%. According to statistics, in 2022 the average number of attacks recorded daily was over 1,400, almost one attack per minute. The highest frequency was reached in September, when the peak was 2,215 attacks/day, and the largest attack was recorded in May, with a size of 3.25 Tbps.
In terms of typology, the most common attacks were TCP attacks (TCP SYN, TCP ACK, TCP floods, etc.), which accounted for almost two-thirds (63%) of all attacks. The second largest group was UDP attacks (UDP flood and UDP amplification attacks), with 22%, followed by packet anomaly attacks, which accounted for 15% of all DDoS attacks counted in 2022.
In the last year, DDoS attacks have also become more frequent in Romania, with a sustained increase in 2022, fueled by the context of the war in Ukraine. The situation is no better this year, with the latest target being the Ministry of Development, which suffered a DDoS attack in mid-April.
The most common categories of attacks
Currently, in terms of frequency, the most common DDoS attacks are those on infrastructure, targeting vulnerabilities or weaknesses at Layer 3 (network) or Layer 4 (transport) level. Most DDoS attacks fall into this category. It includes volumetric floods (ICMP flood, UDP flood), state-exhaustion attacks such as SYN flood, which fill the target's connection table with half-open connections that are never completed, and malformed-packet attacks such as Ping of Death (PoD). Volumetric attacks are the most common type of DDoS attack: they flood the server (or its bandwidth) with bogus requests so that it can no longer accept legitimate traffic.
Another category of attacks with an increased incidence is Layer 7 application attacks, which target the application itself rather than the network in front of it. These attacks most often use the HTTP protocol and, less frequently, FTP, NTP, SMTP or DNS, to render the targeted application unable to communicate or deliver content. Unlike volumetric attacks, application attacks can achieve the desired impact with a relatively low volume of requests, because each request is well-formed and forces the server to do expensive work. This makes them difficult to detect: bandwidth graphs look normal, and the attack only shows up in application-level metrics such as request rates per client and response times.
Another trend that became increasingly evident last year was the shortening duration of DDoS attacks: 89% lasted less than an hour, and more than a quarter (26%) less than two minutes. Short attacks require fewer resources from attackers, who can then repeat them over several hours against the same target. Because such bursts can be over before an on-demand mitigation has been activated, they are even more difficult to mitigate with traditional DDoS protection methods.
Standard elements for detecting a DDoS attack
Mitigating a DDoS attack is not a simple task, and you will find that there are many recommended techniques for identifying and monitoring this type of threat.
To reduce the documentation effort, M247 specialists have put together a summary of the most used recommendations, which we present below in a simple two-step format:
1. Confirm the DDoS attack
As mentioned, DDoS attacks vary in duration, but the main indicators used to detect this type of threat are:
- Increased network latency or unusually poor network performance when opening files or accessing websites.
- Poor application performance.
- High CPU and memory usage on servers.
- Abnormally high network traffic.
- Websites that are unavailable or inaccessible.
If you are experiencing these “symptoms”, the recommended action is to contact your Internet Service Provider (ISP) to determine if there is an interruption in their service or if their network is the target of the attack and your company is an indirect victim.
2. Determine the nature of the attack
To take appropriate remedial action, several specific pieces of information are required. Obtain them by:
- Identifying the source IP addresses of the attack, and whether they are a small, fixed set or a large number of apparently random addresses (the latter usually means the sources are spoofed and cannot be blocked individually).
- Identifying the running services (ports and protocols) targeted by the attack.
- Correlating server CPU/memory utilization with network traffic logs and application availability.
- Capturing packets (PCAP) of the attack traffic to verify that the firewall is dropping the malicious traffic and passing legitimate traffic.
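The following script is an added example of step 2 and is not M247 code. It runs the checks above over a constructed batch of inbound packet records (the one-line-per-packet format is an assumption, as are the thresholds): it lists the source addresses and targeted ports, measures how many TCP sources opened a connection without ever completing it, and uses that to tell a TCP SYN flood from a UDP flood or from ordinary load. The sample data is generated in `build_sample()` and uses documentation address ranges.

```python
"""Flow-record triage for a suspected DDoS (added example, not M247's code).

Which sources are involved, which service is hit, and does the TCP traffic
look like a SYN flood (connections opened but never completed)?  The record
format "<src_ip> <dst_port> <proto> <tcp_flags>" and the thresholds below
are assumptions for the example.
"""
from collections import Counter


def build_sample(spoofed=300, udp=0):
    """Constructed sample: 3 legitimate HTTPS clients, `spoofed` single-SYN
    sources that never complete the handshake, and `udp` packets to port 53."""
    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        # SYN, then ACK, then data: a completed handshake followed by a request.
        lines += [f"{ip} 443 tcp S", f"{ip} 443 tcp A", f"{ip} 443 tcp PA"]
    for i in range(spoofed):
        lines.append(f"198.51.{100 + i // 256}.{i % 256} 443 tcp S")
    for i in range(udp):
        lines.append(f"192.0.2.{i % 256} 53 udp -")
    return "\n".join(lines)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dport, proto, flags = line.split()
        flows.append({"src": src, "dport": int(dport), "proto": proto, "flags": flags})
    return flows


def summarize(flows):
    """Per-source and per-service counts plus the SYN-flood indicators."""
    per_src = Counter(f["src"] for f in flows)
    per_port = Counter((f["proto"], f["dport"]) for f in flows)
    tcp = [f for f in flows if f["proto"] == "tcp"]
    syn_sources = {f["src"] for f in tcp if f["flags"] == "S"}
    # A source that later sends any packet carrying ACK completed its handshake.
    completed = {f["src"] for f in tcp if "A" in f["flags"]}
    half_open = syn_sources - completed
    total = len(flows)
    top10 = sum(n for _, n in per_src.most_common(10))
    return {
        "packets": total,
        "sources": len(per_src),
        "top_ports": per_port.most_common(3),
        # Share of traffic from the 10 busiest sources: low means dispersed/spoofed.
        "top10_share": top10 / total if total else 0.0,
        "syn_sources": len(syn_sources),
        "half_open_share": len(half_open) / len(syn_sources) if syn_sources else 0.0,
        "udp_share": sum(1 for f in flows if f["proto"] == "udp") / total if total else 0.0,
    }


def classify(summary, min_syn_sources=50, half_open_threshold=0.9, udp_threshold=0.7):
    """Name the Layer 3/4 flood signature, if any.  Thresholds are assumptions."""
    if summary["syn_sources"] >= min_syn_sources and summary["half_open_share"] >= half_open_threshold:
        return "tcp_syn_flood"
    if summary["udp_share"] >= udp_threshold:
        return "udp_flood"
    return "no_l3l4_flood_signature"


if __name__ == "__main__":
    s = summarize(parse_flows(build_sample()))
    print(f"{s['packets']} packets from {s['sources']} sources; top services {s['top_ports']}")
    print(f"half-open share {s['half_open_share']:.2f}, top-10 share {s['top10_share']:.2f}")
    print("verdict:", classify(s))
```

With the default sample the verdict is a TCP SYN flood against port 443 coming from about 300 sources that each sent exactly one SYN, and the top-10 share is near zero, which is the fingerprint of spoofed sources. Layer 7 floods do not show up in these records at all; for those you need the web server's access logs and per-client request rates.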
How to mitigate a DDoS attack
One of the standard answers to this question is to use the services of your ISP. However, the effectiveness of such an approach depends on the ISP’s technical capacity, skills, and experience in handling such a situation. In many cases, the solution adopted is to null-route (blackhole) the targeted address, which blocks the entire flow of traffic from outside, including legitimate traffic, and can cause you substantial damage.
Another option is to use your own infrastructure and in-house expertise to block the attack. The usual techniques recommended in this case are IP address filtering, which blocks access to services from individual IP addresses, and geo-blocking, which blocks access from entire geographical regions. IP filtering works when the attack comes from a small, known set of addresses; geo-blocking is the fallback when individual addresses are unknown but the traffic clusters in regions where you have no legitimate users. Neither helps against floods with spoofed source addresses, where every packet appears to come from a different, random address: a blocklist built from such sources grows without limit and ends up blocking real users.
If blocking is not effective, you can redirect legitimate traffic to a new IP address and change the DNS so that the targets are no longer visible to attackers. This only works if the attackers are aiming at the hostname rather than the address itself, and it takes effect only after the old DNS records expire, so lowering the TTL ahead of time helps. Although a temporary solution, migrating traffic can stop small-scale DDoS attacks and buy time to apply other defensive measures. At the same time, it is also recommended to change firewall configurations, implementing new specific rules to block the attack.
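The decision between the options just described can be made mechanically from the per-source counts gathered during triage. The code below is an added example, not M247 code: it takes per-source packet counts and a source-to-country lookup (the `country_of()` function is a constructed stand-in for a real GeoIP database, and the thresholds and the three traffic profiles in `sample_scenarios()` are assumptions), then chooses per-IP filtering when a few addresses carry the attack, geo-blocking when the traffic clusters in countries you do not serve, and escalation to upstream mitigation when the sources are too dispersed to block locally. For the first case it also renders the blocklist as an nftables fragment.

```python
"""Choosing between IP filtering, geo-blocking and upstream mitigation
(added example, not M247's code).  Inputs are per-source packet counts; the
country lookup, thresholds and sample profiles are constructed assumptions.
"""
from collections import Counter


def country_of(ip):
    """Stand-in for a GeoIP lookup over documentation prefixes (constructed)."""
    if ip.startswith("192.0.2.") or ip.startswith("198.51.101."):
        return "RO"
    if ip.startswith("198.51.100."):
        return "XX"
    return "??"


def choose_mitigation(per_src, lookup, served_countries, top_n=10,
                      concentration=0.8, geo_share=0.8):
    """Return the cheapest local action that covers most of the attack traffic."""
    total = sum(per_src.values())
    if total == 0:
        return {"action": "none", "targets": [], "share": 0.0}
    # 1) A handful of addresses carry the attack: block exactly those.
    acc, chosen = 0, []
    for ip, n in per_src.most_common(top_n):
        acc += n
        chosen.append(ip)
        if acc / total >= concentration:
            return {"action": "ip_filter", "targets": chosen, "share": acc / total}
    # 2) Traffic clusters in countries where no legitimate users come from.
    by_country = Counter()
    for ip, n in per_src.items():
        by_country[lookup(ip)] += n
    foreign = [(c, n) for c, n in by_country.most_common()
               if c not in served_countries and c != "??"]
    foreign_share = sum(n for _, n in foreign) / total
    if foreign_share >= geo_share:
        return {"action": "geo_block", "targets": [c for c, _ in foreign], "share": foreign_share}
    # 3) Dispersed sources (typical of spoofed SYN/UDP floods): local ACLs would
    # grow without bound and hit real users, so escalate to the ISP/scrubbing.
    return {"action": "upstream_mitigation", "targets": [], "share": acc / total}


def nft_ruleset(decision):
    """Render an ip_filter decision as an nftables file loadable with `nft -f`."""
    if decision["action"] != "ip_filter":
        return ""
    elements = ", ".join(decision["targets"])
    return (
        "table inet ddos {\n"
        "  set blocklist { type ipv4_addr; elements = { " + elements + " } }\n"
        "  chain input { type filter hook input priority -10; policy accept;\n"
        "    ip saddr @blocklist drop }\n"
        "}\n"
    )


def sample_scenarios():
    """Three constructed traffic profiles (not real data)."""
    concentrated = Counter({"203.0.113.10": 5000, "203.0.113.11": 4000})
    concentrated.update({f"198.51.100.{i}": 10 for i in range(20)})
    regional = Counter({f"198.51.100.{i}": 100 for i in range(50)})   # 50 busy sources in XX
    regional.update({f"192.0.2.{i}": 20 for i in range(5)})           # a few customers in RO
    dispersed = Counter({f"198.51.{100 + i % 2}.{i // 2}": 1 for i in range(300)})
    return {"concentrated": concentrated, "regional": regional, "dispersed": dispersed}


if __name__ == "__main__":
    for name, per_src in sample_scenarios().items():
        d = choose_mitigation(per_src, country_of, served_countries={"RO"})
        print(f"{name}: {d['action']} ({d['share']:.2f} of traffic) -> {d['targets']}")
        print(nft_ruleset(d), end="")
```

The ordering matters: the script only falls through to geo-blocking when a short blocklist cannot cover the attack, and it refuses to block at all when neither a few addresses nor a few countries explain the traffic, because that profile is what a spoofed flood looks like and no local rule will fix it.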
In extreme cases, you can completely stop the targeted services and/or applications to prevent immediate damage. Such a measure (similar to the blackholing applied by ISPs) blocks the attack but also generates a substantial loss of customers and profit. The damage caused by a DDoS attack can be much more extensive and long-lasting, and the company’s image can be seriously harmed.
What is the optimal solution for DDoS protection?
Before you decide, there is one more important factor to consider: DDoS attacks are often used as a cover to disguise other, more damaging, attacker schemes, such as infiltrating a company’s IT infrastructure and exfiltrating data, or installing malware that is difficult to detect. This means that when IT security specialists are confronted with DDoS attacks, they must also stay alert for other types of attack, which puts additional pressure on already limited internal resources.
To overcome these challenges, more and more companies are turning to an anti-DDoS service provider. DDoS protection service providers can detect attacks at an early stage and have the bandwidth to absorb large-scale traffic, as well as the scalable resources needed for effective mitigation. By opting for such a solution, companies can be assured that they are protected against a broad spectrum of DDoS attacks, both across their entire in-house infrastructure and in cloud, multi-cloud, or hybrid environments. Mitigation and blocking times, as well as application and service uptime, are contractually guaranteed, and companies are continuously notified of the attack’s progress and of the targeted assets, and receive auditing services.
M247 offers customized DDoS protection services, designed and configured to your company’s specific needs. We provide comprehensive technical monitoring and auditing services to ensure optimal performance levels for services and applications, as well as attack detection and mitigation, and proactive management.
M247 has an extensive range of anti-DDoS services; contact us for more information!