Don’t sleep on DDoS: How the DNA of this cyberattack is evolving

26 Aug 2022

Marc Wilczek, COO, Link11. Image: Link11

Link11’s Marc Wilczek explains how DDoS attacks have changed in 2022, and what security leaders need to prepare for in future.

While the incidence of distributed denial-of-service (DDoS) attacks declined at the start of this year, it cannot be ignored that these attacks are changing their DNA. They are getting bigger and unleashing their massive potential for destruction more quickly.

IT decision-makers have less time to defuse ever more complex DDoS attacks before too much damage is done. Digital resilience has thus become an unavoidable alternative.

Why did DDoS attacks drop?

Between the first half of 2021 and 2022, the number of DDoS attacks monitored by the Link11 Security Operations Center (LSOC) temporarily fell by 80pc overall. The previous trend, with DDoS attack numbers growing constantly since 2020, was indeed dampened in the first half of 2022. However, rising numbers were already becoming evident again by July.

The drop in cases could well be attributed to the shutdown of international darknet marketplaces. The Hydra Market is the most prominent example.

This digital hub for hackers was shut down in a joint measure by the German Federal Criminal Police and US authorities in April 2022. Overnight, up to 19,000 sellers, in tandem with approximately 17m customer accounts, were no longer able to engage in illegal cyber activities. It is no longer possible to trade in digital bulk goods such as DDoS-as-a-service via Hydra.

The data also shows a declining number of extortion cases. In 2020 and 2021, these still formed a focal point of the quantitatively high number of DDoS attacks. The aim of the extortionists in these two years was to force targeted companies – especially critical infrastructure operators, financial service providers, e-commerce providers and hosting providers – to pay cryptocurrency ransoms by means of large-volume warning attacks of more than 50Gbps. The instigators of these attacks were primarily well-known names in the cyber industry such as Fancy Bear, Cozy Bear, Armada Collective and Lazarus Group.

In addition, the war in the Ukraine is shifting the international focus of cybercriminals. Whereas in previous years attacks on system-relevant platforms for work, education and life were carried out on a quantitatively high scale, the current waves are concentrated on targets that are directly related to the war in the Ukraine.

This also means that more attacks are coming from Russia, for example, and fewer from the US or China. This development, in turn, also calls new protagonists into play. The pro-Russian hacker group KillNet, for example, has declared digital war on the Baltic states and also identified Germany as a prioritised target, along with Norway, Poland and Italy.

Interfaces created by the pandemic, war and digitalisation thus remain an attractive point of contact for cybercriminals. The partial state support of hacker groups further increases the threat level.

Faster, more dangerous and more unpredictable

Despite all this, the DDoS threat situation is still critical for public and economic structures. Instead of multiple, indiscriminate attacks as in the past, hackers are now taking a more targeted approach and focusing on shorter, more intensive and more sophisticated assaults.

While the critical payload peaked after an average of 184 seconds in the same period last year, this stage is being achieved after only 55 seconds in 2022. In comparison, the point at which the respective attack reaches its maximum value after the transmission of the first bytes of a DDoS attack is being reached in a third of the time. In a worst case scenario, the attacks render networks completely incapable of action before any defensive measures can even register the danger.

What makes the DDoS attacks of the present at least as dangerous is the sharp increase in the bandwidth of the attacks. In the first half of 2022, the average maximum attack bandwidth has risen from 266Gbps in H1 2021 to 325Gbps. The largest measured offensive in the first six months of 2022 was 574Gbps. Overall, the intensity of the attacks increased by an average of almost 60Gbps in the first half of 2022.

Finally, the extreme change in the DNA of DDoS in the digital present can be seen in the average packet rate.

While ‘only’ 277,000 packets per second were sent to digital victims in the event of an attack in 2021, in the current half-year 1.5m packets have already been sent to disable and paralyse systems. This is a threat level more than five times greater.

Reacting to these new digital threats will thus be a seismograph for corporate development in the coming months and years. No security manager should misinterpret the extreme threat posed by DDoS.

By Marc Wilczek

Marc Wilczek is the COO of IT security provider Link11. He has more than two decades of leadership and management experience.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.