Why DDoS Threat Actors Are Shifting Their Tactics

With a history spanning over 25 years, DDoS attacks are, at first glance, nothing new. However, under the surface, there is a rapidly evolving landscape with significant developments in recent years.

Attack methods have diversified, and attackers may go after individual targets such as servers or target entire networks at once. This ever-expanding toolbox has made DDoS attacks far more accessible, with attacks even available as-a-service to buy online. Consequently, it’s far more dangerous for companies and even more critical that they understand the risks and how to protect against them. 

Memcached Madness

According to a recent report, one of the most dramatic trends was the increase in memcached attacks – they were up a staggering 1464% in the first half of 2023 compared to the same time the year before.

Memcached DDoS attacks exploit a system (memcached) that websites use to speed up loading times by storing data in memory. These attacks trick the system into sending a large amount of data to a target website, overwhelming it and causing it to run slowly or entirely crash.

Websites can use either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP) for network communication, and notably, it is UDP that is vulnerable to memcached DDoS attacks. However, because TCP's connection handling adds some overhead, UDP is still more commonly used as it runs faster.

The increase in the usage of memcached attacks is partly due to the number of memcached servers exposed over UDP. It’s a reasonably simple weakness to exploit, and the amplification factor is significant, making it an obvious target for threat actors.

The easiest way to prevent yourself from falling victim is to disable UDP support and switch to TCP on any memcached servers that you might be using. Alternatively, Memcached servers should be firewalled off from the internet, as it is safe to use UDP if your servers are not exposed.

There is also IP spoofing prevention. However, this can only be done by Internet Service Providers (ISPs), who must filter traffic leaving their network to drop packets that claim a source address belonging to a different network.

Communication Troubles

Another advance in DDoS is the rise in ‘bits and pieces’ attacks targeting communications service providers (CSPs). These involve DDoS attack traffic being ‘hidden’ or spread across an entire network. The contaminated traffic clogs up the internet provider in question and can severely affect the quality of service provided. Attack methods like these come hand in hand with increased network traffic as 5G is implemented and data-hungry applications such as AI become a part of everyday life. Today's attackers can utilize trends like these to inform their targeted attacks better, making them even deadlier.

Some steps can be taken to prevent specialized attacks such as bits and pieces, but these involve widespread industry change. For example, defending against DDoS now falls mostly on ISPs, who are increasingly relied upon to incorporate DDoS protection into their services.

By filtering and blocking any malicious traffic on their networks, ISPs act as their customers' first line of defense. However, defending against DDoS attacks today is an extreme balancing act: ISPs must filter enough to protect their customers without mistakenly blocking legitimate traffic.

AI becomes particularly handy in this scenario, allowing for an enhanced filtering system. It is also dangerous – of course, AI can be used on the other side to perpetrate DDoS attacks.

Smaller DDoS, Bigger Problems

Another fascinating evolution in DDoS is in the size of the attacks. A recent report showed that in the first half of 2023, the average attack size was down 183.3% on the same period last year, with a marked increase in smaller attacks. This contradicts widely held beliefs that attacks only get bigger, longer, and more complex.

While the maximum size of attacks is increasing, there is also an increasing frequency of smaller attacks. Now, while this doesn’t necessarily mean that attack sizes are getting smaller across the board, it reflects the massive increase in amplification attacks, with the same report showing a 176.88% increase in the first half of 2023 compared to the same period in 2022.

Across the first half of 2023, amplification attacks comprised 28.32% of total attacks, making them the attack method of choice. With amplification attacks, while the initial size of the attack is tiny, they have a high impact, with small requests generating a significantly larger response.

They’re a particularly efficient method for attackers to maximize the bandwidth they can direct at victims. They also reflect the new accessibility of DDoS attacks: the small initial footprint makes them far easier to use.

An essential step to preventing these smaller amplification attacks is to first remove any weaknesses that make them possible. For example, as discussed earlier, to prevent memcached attacks (a type of amplification) you would first disable UDP and switch to TCP instead. Other prevention methods include services such as source IP verification, where the ISP would be responsible for filtering its traffic to ensure no spoofed IP traffic passes through.
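As an added example (not part of the article), here is detection logic in Python for the pattern the amplification section describes: large responses from amplification-prone UDP ports arriving at a host that sent little or no request traffic to those services. The NetFlow-style records are constructed for the example, and the reflector port list and thresholds are my own assumptions.

```python
import csv
import io
from collections import defaultdict

# UDP services commonly abused as reflectors; 11211 is memcached.
REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp"}

# Constructed NetFlow-style records for illustration only (not real traffic).
# 203.0.113.5 receives megabytes from memcached ports it never sent requests to;
# 203.0.113.9 has an ordinary DNS exchange with a request and a modest reply.
SAMPLE_FLOWS = """proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
udp,198.51.100.7,11211,203.0.113.5,40000,1200,1700000
udp,198.51.100.8,11211,203.0.113.5,40000,1100,1600000
udp,203.0.113.9,53001,198.51.100.20,53,3,200
udp,198.51.100.20,53,203.0.113.9,53001,3,600
tcp,192.0.2.4,443,203.0.113.5,51000,500,400000
"""

def detect_reflection(flow_csv, min_bytes=1_000_000, max_ratio=10.0):
    """Flag hosts receiving reflector-port traffic far exceeding what they requested.

    A spoofed-source amplification attack shows up as large UDP responses from
    reflector ports with little or no matching request traffic from the victim.
    Returns a list of alerts sorted by reflected byte count, largest first.
    """
    inbound = defaultdict(int)   # (host, service) -> bytes received from reflector port
    outbound = defaultdict(int)  # (host, service) -> bytes the host sent to that service
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue
        nbytes = int(row["bytes"])
        src_port, dst_port = int(row["src_port"]), int(row["dst_port"])
        if src_port in REFLECTOR_PORTS:
            inbound[(row["dst_ip"], REFLECTOR_PORTS[src_port])] += nbytes
        if dst_port in REFLECTOR_PORTS:
            outbound[(row["src_ip"], REFLECTOR_PORTS[dst_port])] += nbytes

    alerts = []
    for key, received in inbound.items():
        requested = outbound.get(key, 0)
        ratio = received / requested if requested else float("inf")
        if received >= min_bytes and ratio > max_ratio:
            alerts.append({"victim": key[0], "service": key[1],
                           "inbound_bytes": received, "request_bytes": requested,
                           "ratio": ratio})
    alerts.sort(key=lambda a: a["inbound_bytes"], reverse=True)
    return alerts
```

The legitimate DNS exchange stays below both thresholds, which is the balance the article describes: filtering enough to catch reflected floods without blocking normal request-and-reply traffic.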

With the changes in attack size, diversity, and the development of new methods, organizations must not become complacent. DDoS protection should be active and continually evolving to keep up with the ever-expanding toolbox that attackers have access to. It’s essential to keep up with DDoS attack trends and to constantly adjust defenses accordingly. While the diversity of DDoS attacks today makes them more complex to deal with, it has never been more important that organizations do so. 
