Every 3 Seconds: The Evolution of DDoS Attacks

5 ways attackers have altered DDoS tactics and what it means for enterprise network security.

Blurred people walking in dark server room

While there’s some disagreement over what constitutes the first distributed denial of service (DDoS) attack, experts tend to agree that such attacks first took place around the turn of the 21st century. The subsequent 22 years have witnessed unprecedented growth in the number of DDoS attacks, with almost 10 million DDoS attacks monitored by NETSCOUT in 2021—that's one every three seconds.

Attackers have spent the past two decades innovating and improving DDoS techniques. As such, the 9.7 million attacks that took place last year constitute a number of different methods and strategies employed by those who are determined to disrupt networks and deny availability worldwide.

In 2021, we identified at least five new ways threat actors are launching or using DDoS attacks for monetary gain.

1. Increases in DDoS extortion. In DDoS extortion, cybercriminals threaten enterprises with a DDoS attack unless an extortion demand is paid. Some start with a small demonstrative DDoS attack to prove the threat is real, followed by an extortion demand that threatens a larger attack if payment is not made. Others first send an extortion note that outlines the threat and sets the extortion demand, payment form and deadline.

Three high-profile DDoS extortion campaigns took place in 2021. In just one of those attacks, a voice over internet protocol (VoIP) wholesaler indicated the total cost of the DDoS attack was over $10 million, according to an estimate filed with the U.S. Securities and Exchange Commission. In 2021, we also saw more ransomware gangs add DDoS attacks to their arsenal as they triple extorted their targets with data theft, ransomware and DDoS attacks.

2. Server-class botnets launching attacks. Attackers have long made use of botnets, which are a network of compromised devices, like computers or Internet of Things (IoT) devices, remotely controlled by an attacker. The growth of IoT devices has provided attackers with a massive number of devices to launch such DDoS attacks. The malware on these low-powered bots exploit many different protocols, often using reflection-amplification and spoofed IP addresses to target victims. A reflection-amplification attack both magnifies the amount of malicious traffic generated and obscures the sources of the attack traffic.

This type of DDoS attack overwhelms the target, causing disruption or outage of systems and services. IP address spoofing occurs when a device forges its source address for the purpose of impersonating another device. Spoofing the source IP address forces an unwilling service to send its replies to the victim under attack.

In 2021, cybercriminals increased the number of IoT botnets in use, but they also conscripted high-powered servers and high-capacity network devices into their botnets on a massive scale. In just the second half of 2021, server-class botnets were used in two direct-path flooding DDoS attacks of more than 2.5 terabits per second each. By contrast, the average size of a DDoS attack is 150 megabits per second. Unlike the low-powered IoT bots, these server-class, high-powered bots execute direct-path flooding attacks that directly target victims, bypassing protections that prevent spoofed traffic from reaching the victim.

3. DDoS for hire. Law enforcement often warns about the dangers of the dark web, where all manner of illegal items and services are sold. DDoS attacks have become one of those services. Unfortunately, cybercriminals now use the dark web to sell DDoS platforms and botnets, which can be used for everything from free tests to high-powered multivector attacks. The ATLAS Security Engineering & Response Team at NETSCOUT researched the top DDoS-for-hire services in the second half of 2021, revealing a wide range of pricing models, types and sizes of DDoS attacks that can be purchased on the dark web for little to no money. This means anyone, even those without any technical skills or knowledge, can simply use a DDoS-for-hire service to launch a fairly sophisticated DDoS attack for many different reasons (e.g. extortion, geopolitical protest, competition).

4. Encryption used by attackers. The past decade has seen a massive push to implement strong encryption for websites, applications and online services. Unfortunately, the burden falls to enterprises to process encrypted communications at large scale, requiring more resources from already overburdened security infrastructure. Attackers exploit this by launching DDoS attacks against encrypted applications and services using compromised resources that cost them little to nothing.

5. Carpet bombing. Our Threat Intelligence Report identified a massive increase in carpet bombing DDoS attacks in 2021. Carpet bombing is used by attackers to target multiple IP addresses in one attack. Instead of focusing on a single IP address, threat actors attack blocks of IP addresses—sometimes as many as hundreds or thousands at once. The very nature of these attacks makes them more difficult to defend against because there are multiple points to protect. They can also cause collateral damage to other organizations not specifically targeted by the attack.

As attackers continue to develop new and evolve existing DDoS attack methods, it’s vital for enterprises to understand what to expect and how to best protect against it. These and other DDoS attack trends are explained in more detail in the NETSCOUT Threat Intelligence Report.

Security teams can explore a real-time and historical view of global attack activity from our Arbor DDoS experts on NETSCOUT’s Threat Horizon portal and view additional resources on NETSCOUT’s Omnis AED page.