As the digital landscape rapidly evolves, so too do the tactics and technologies employed by cyber attackers. Building upon the comprehensive insights of the just-released 2023 NSFOCUS Global DDoS Landscape report, we delve into the anticipated trends for 2024.
(Download the 2023 Global DDoS Attack Landscape Report)
1. DDoS Attacks Often Serve as a Smokescreen for Covert Attack Intentions
DDoS attacks are frequently used to distract from the true objective of an intrusion. Many infrastructure and endpoint operators have little awareness of DDoS protection, so an attack causes chaos: they focus on clearing the congestion and service outages the DDoS causes and on restoring business operations. While they are preoccupied with that, the attackers may be carrying out more covert actions such as APT (Advanced Persistent Threat) intrusions, data theft, or malware implantation. It is therefore crucial to establish coordinated on-premises and cloud DDoS defense before an attack occurs, with on-premises defense equipment and cloud-based defense services together forming the first line of defense against network attacks.
Tips: Critical infrastructures such as government, finance, transportation, energy, and private cloud facilities are particularly vulnerable to these types of attacks. Under the cover of a DDoS attack, attackers can infiltrate, conduct APT attacks, and cause sustained damage to critical infrastructures.
2. Geopolitical Conflicts Continue to Make Critical Infrastructures a Prime Target for DDoS Attacks
Tensions and conflicts in the geopolitical sphere often spill over into the digital world, with attackers using the opportunity to launch DDoS attacks. These attacks aim to confuse, disrupt, or outright destroy an opponent’s critical infrastructure for military, political, or economic gain. We have observed an increase in DDoS attack activities against critical infrastructures in conflicts such as the Russia-Ukraine conflict, tensions in the Balkans, Finland and Sweden’s accession to NATO, and the Israeli-Palestinian conflict. It is imperative to enhance the DDoS attack protection capabilities of critical infrastructures to safeguard their normal operations.
Tips: Geopolitical conflicts often trigger DDoS attacks that are used to confuse, disrupt, or directly destroy an opponent’s network infrastructure for military, political, or economic objectives. This threat creates two primary needs: 1) greater emphasis on defense against DDoS attacks; 2) stronger intelligence, pre-emptive defense, and coordination between on-premises and cloud-based defense capabilities.
3. Complex Application-Layer Attacks Remain Prominent, and the Intensity of Offensive and Defensive Confrontations Is Escalating
HTTP/2 Rapid Reset set a new record for application-layer attack scale at 3.98 billion RPS (requests per second). Meanwhile, more destructive application-layer attacks are becoming easier to execute. As the Internet evolves, the variety of internet applications grows and business operations become more complex; mobile internet and API services have also become significant targets, posing greater protection challenges than traditional PC-based services.
Additionally, multiple botnet families have derived variants, combining spoofed source attacks, session attacks, and application-layer attacks to launch multi-vector, hybrid attacks, escalating the intensity of offensive and defensive confrontations.
Tips: With the rapid development of the Internet and cloud technologies, the trend of businesses moving to the cloud and online is inevitable. Attacks targeting the application layer are unceasing and prominent, necessitating robust defenses against a variety of application-layer DDoS attacks. NSFOCUS ADS (Anti-DDoS System) is at the forefront of the industry in terms of various application-layer defense algorithms and mechanisms.
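The HTTP/2 Rapid Reset pattern mentioned above (a client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the server does the work and the client pays nothing) can be spotted at the connection level. The following detector is an added example, not NSFOCUS ADS code: it slides a one-second window over the frame events of each client connection and flags a connection once it has opened at least `min_streams` streams and reset at least `reset_ratio` of them in that window. The frame events, connection identifiers and thresholds are constructed sample data.

```python
"""Added example: per-connection HTTP/2 Rapid Reset detector (not NSFOCUS code).
Frame events below are constructed sample input, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameEvent:
    ts: float    # seconds since capture start
    conn: str    # client connection, "ip:port"
    frame: str   # "HEADERS" (client opens a stream) or "RST_STREAM" (client cancels it)


def detect_rapid_reset(events, window=1.0, min_streams=100, reset_ratio=0.9):
    """Return {conn: (streams, resets)} for every connection that, within any
    `window`-second span, opened at least `min_streams` streams and reset at
    least `reset_ratio` of them.  The tuple holds the counts at the moment the
    connection first crossed the threshold."""
    per_conn = defaultdict(list)
    for ev in events:
        per_conn[ev.conn].append(ev)

    flagged = {}
    for conn, evs in per_conn.items():
        evs.sort(key=lambda e: e.ts)
        start = headers = resets = 0
        for ev in evs:
            if ev.frame == "HEADERS":
                headers += 1
            elif ev.frame == "RST_STREAM":
                resets += 1
            # slide the window: forget events older than `window` seconds
            while evs[start].ts < ev.ts - window:
                old = evs[start]
                if old.frame == "HEADERS":
                    headers -= 1
                elif old.frame == "RST_STREAM":
                    resets -= 1
                start += 1
            if headers >= min_streams and resets / headers >= reset_ratio:
                flagged[conn] = (headers, resets)
                break
    return flagged


def build_sample_events():
    """Constructed sample: one Rapid Reset client and two legitimate clients."""
    events = []
    attacker = "198.51.100.7:40001"
    for i in range(500):                      # 500 streams in 0.5 s, each cancelled 0.5 ms later
        t = i * 0.001
        events.append(FrameEvent(t, attacker, "HEADERS"))
        events.append(FrameEvent(t + 0.0005, attacker, "RST_STREAM"))
    browser = "203.0.113.5:51234"
    for i in range(50):                       # ordinary page load, two cancelled subresources
        events.append(FrameEvent(i * 0.02, browser, "HEADERS"))
    events.append(FrameEvent(0.3, browser, "RST_STREAM"))
    events.append(FrameEvent(0.7, browser, "RST_STREAM"))
    api_client = "203.0.113.9:60000"
    for i in range(200):                      # busy API client: many streams, few resets
        events.append(FrameEvent(i * 0.005, api_client, "HEADERS"))
    for i in range(5):
        events.append(FrameEvent(0.1 + i * 0.2, api_client, "RST_STREAM"))
    return events


if __name__ == "__main__":
    print(detect_rapid_reset(build_sample_events()))
```

The busy API client opens 200 streams in a second but is not flagged, because the reset ratio is what distinguishes Rapid Reset from a legitimately chatty connection; a pure stream-rate threshold would produce false positives on exactly that kind of client.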
4. High-Performance Botnets Are Emerging, Requiring a Shift in Defense Strategies
In the past, botnets relied on vulnerable IoT (Internet of Things) devices, whose low individual performance meant a vast number of botnet hosts was needed to launch a large-scale attack. Nowadays, botnets leverage the high performance of virtual machines or VPS (Virtual Private Servers), allowing a much smaller number of hosts to initiate attacks of significant scale. In current offense and defense confrontations we have also detected attacks originating from well-known cloud service providers. Such attack sources call for a shift in defense strategy: when the attacked service serves humans rather than machines, traffic from sources that intelligence classifies as cloud-provider address space (for example, the IP ranges of cloud service providers) can be blocked directly.
Tips: Beyond defending effectively against traffic attacks on-premises, threat intelligence should be integrated to identify botnet host information and achieve effective, proactive pre-emptive defense.
5. Attack Frequencies Are Increasing Year by Year, with Tb-Level Attacks Remaining High
As 5G, IoT (Internet of Things), and cloud technologies continue to develop, botnet resources grow richer and record attack scales are set every year. DDoS protection vendors must therefore offer not only higher traffic-cleaning capacity (such as high-performance single devices and cluster solutions built on hardware-software collaboration) but also more flexible traffic scheduling and collaboration between on-premises and cloud defenses.
Tips: A coordinated defense plan is indispensable; it can not only defend against high-intensity attacks but also serve as a cloud proxy barrier to effectively protect the customer’s real IP address.
6. Pulse Attack Detection Is Challenging, and an Always-On Approach Is Essential
Detection based on flow information inherently lags behind the traffic. Apart from the on-path router detection currently being explored, some sites have therefore adopted an always-on approach: protection without a detection step, with traffic always passing through cleaning nodes. A dual-layer cleaning solution is also used, in which the first layer has a larger protection threshold and handles large-volume cleaning, while the second layer is on-premises cleaning that handles attacks that fit within the local link bandwidth. Because traffic always passes through the cleaning equipment, both single devices and cluster solutions face high stability requirements, and algorithms must be developed to improve precision and meet the needs of dual-layer cleaning.
Tips: Detection remains of utmost importance. Using NTA (Network Traffic Analyzer) DPI (Deep Packet Inspection) monitoring in out-of-path mode together with an always-on approach ensures rapid detection and cleaning of short-duration, high-intensity attacks.
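The lag the section describes is easy to quantify with a small simulation. The code below is an added example, not NSFOCUS code: it builds a constructed one-second timeline of inbound traffic with short high-rate pulses, then compares an on-demand model (flow records exported every `export_interval` seconds, an `analysis_delay` before the alarm, a `divert_delay` before traffic reaches the scrubbing centre, diversion held for `hold` seconds) against an always-on cleaning path. All delays, rates and thresholds are assumptions chosen for illustration.

```python
"""Added example (not NSFOCUS code): flow-based on-demand diversion versus an
always-on cleaning path against pulse attacks.  Timeline and delays are
constructed assumptions for illustration."""


def pulse_timeline(duration=600, baseline=1.0, pulse_rate=100.0, pulse_len=30, period=120):
    """Inbound rate (Gbps) per second: `pulse_len`-second bursts every `period` seconds."""
    return [pulse_rate if (t % period) < pulse_len else baseline for t in range(duration)]


def flow_based_protection(rates, threshold=10.0, export_interval=60,
                          analysis_delay=30, divert_delay=60, hold=300):
    """Seconds during which traffic is actually being scrubbed under an
    on-demand model: flow records are exported every `export_interval`
    seconds, the collector needs `analysis_delay` seconds to raise an alarm,
    and diverting traffic to the scrubbing centre takes `divert_delay`
    seconds.  Once engaged, diversion is held for `hold` seconds."""
    n = len(rates)
    protected = [False] * n
    for boundary in range(export_interval, n + 1, export_interval):
        exported = rates[boundary - export_interval:boundary]
        if sum(exported) / len(exported) > threshold:
            engage = boundary + analysis_delay + divert_delay
            for t in range(engage, min(n, engage + hold)):
                protected[t] = True
    return protected


def always_on_protection(rates):
    """Always-on: every second already passes through the cleaning node, so
    the protection window is the whole timeline and no detection step is needed."""
    return [True] * len(rates)


def mitigated_fraction(rates, protected, baseline=1.0):
    """Share of attack seconds (rate above baseline) that were protected."""
    attack = [t for t, r in enumerate(rates) if r > baseline]
    if not attack:
        return 1.0
    return sum(1 for t in attack if protected[t]) / len(attack)


def compare(period):
    """Mitigated fraction for both models against pulses of the given period."""
    rates = pulse_timeline(period=period)
    return {
        "flow_based": mitigated_fraction(rates, flow_based_protection(rates)),
        "always_on": mitigated_fraction(rates, always_on_protection(rates)),
    }


if __name__ == "__main__":
    print("pulses every 120 s:", compare(120))   # flow-based protects later pulses only
    print("pulses every 500 s:", compare(500))   # each pulse ends before diversion engages
```

With pulses every 120 seconds the on-demand path protects 60% of the attack seconds, and only because diversion engaged for an earlier pulse is still held when the next one arrives; when the attacker spaces pulses further apart than the hold time, every pulse is over before diversion engages and the mitigated fraction drops to zero, which is the case the always-on approach is built for.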
7. IP Range Scanning Attacks Remain Persistent and No Longer Limited to ISPs
Traditionally, ISPs (Internet Service Providers) were considered the most susceptible to IP range scanning attacks. However, as businesses such as the financial industry have grown, the number of IP addresses they expose to external customers has increased to hundreds or even thousands, making them prone to such attacks as well. Current detection of these attacks mostly relies on per-network-segment thresholds, which can lead to misjudgments: because the business running on the different IPs in a segment differs in nature, a single algorithm easily produces false positives. A combined solution is needed that integrates spoofed-source (false source) algorithms and real-source algorithms for coordinated defense.
Tips: Traditional detection of IP range scanning attacks relies on overall traffic monitoring of all targets, with a coarse detection granularity that cannot accurately identify such attacks, leading to potential false positives and accidental blockages. The patented NSFOCUS IP range scanning defense technique enhances detection rates to identify such attacks accurately.
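To make the false-positive problem concrete, the following added example (not NSFOCUS code, and not its patented technique) aggregates constructed flow records per /24 and compares three verdicts: the coarse per-segment total, a per-target threshold, and a spread-aware check that requires the segment total to be distributed over many destinations with no single dominant one. Addresses, rates and thresholds are constructed sample values.

```python
"""Added example (not NSFOCUS code): why a coarse per-segment threshold
misjudges IP range scanning attacks, and a spread-aware check that does
better.  Flow records (destination IP, packets per second) are constructed
sample data; thresholds are assumptions for illustration."""
import ipaddress
from collections import defaultdict


def aggregate_by_segment(flows, prefix_len=24):
    """Group (dst_ip, pps) records into {segment: {dst_ip: pps}}."""
    segments = defaultdict(lambda: defaultdict(int))
    for dst_ip, pps in flows:
        net = ipaddress.ip_network(f"{dst_ip}/{prefix_len}", strict=False)
        segments[str(net)][dst_ip] += pps
    return segments


def coarse_verdict(per_dst, seg_threshold):
    """Traditional check: total traffic into the segment above a threshold."""
    return sum(per_dst.values()) > seg_threshold


def per_ip_verdict(per_dst, ip_threshold):
    """Single-target check: any one destination above its own threshold."""
    return any(pps > ip_threshold for pps in per_dst.values())


def range_scan_verdict(per_dst, seg_threshold, min_targets, max_share):
    """Spread-aware check: the segment total is high AND it is spread across
    many destinations, none of which dominates.  A single busy server fails
    the spread condition; a scan across the whole range passes it."""
    total = sum(per_dst.values())
    if total <= seg_threshold:
        return False
    return len(per_dst) >= min_targets and max(per_dst.values()) / total <= max_share


def analyse(flows, seg_threshold=500_000, ip_threshold=100_000,
            min_targets=50, max_share=0.2):
    """Return all three verdicts for every observed /24."""
    return {
        seg: {
            "coarse": coarse_verdict(per_dst, seg_threshold),
            "per_ip": per_ip_verdict(per_dst, ip_threshold),
            "range_scan": range_scan_verdict(per_dst, seg_threshold, min_targets, max_share),
        }
        for seg, per_dst in aggregate_by_segment(flows).items()
    }


def build_sample_flows():
    """Constructed: one segment with a single legitimately busy server, one
    segment whose entire range is being hit with a little traffic each."""
    flows = [("203.0.113.10", 900_000), ("203.0.113.11", 10_000),
             ("203.0.113.12", 10_000), ("203.0.113.13", 10_000)]
    flows += [(f"198.51.100.{i}", 8_000) for i in range(1, 201)]
    return flows


if __name__ == "__main__":
    for seg, verdicts in analyse(build_sample_flows()).items():
        print(seg, verdicts)
```

The coarse check fires on both segments, so the busy-server segment would be a false positive; the per-target check sees the busy server but misses the scanned range entirely, because each of its 200 hosts stays under the per-IP threshold. Only the combination of the two views, which is what the section calls a combined solution, separates the two cases.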
8. Random Subdomain Attacks Are a Long-standing Issue, and Traditional Solutions Are Difficult to Implement
Because DDoS cleaning equipment is commonly deployed out of path or cleans only on demand, it cannot observe the normal business traffic of DNS (Domain Name System) authoritative servers; cleaning services run by telecom operators in particular must wait until an attack begins before they start intercepting traffic. With traditional CNAME and similar algorithms becoming ineffective, normal and attack traffic cannot be distinguished automatically from traffic characteristics alone, so current protection can only be achieved through rate limiting. The traditional approach is still to compensate on the solution side by using mirrored traffic to learn the normal domain-name baseline used for cleaning, but deployment and scenario limitations make this hard to implement. In the future, a large-scale domain-name whitelist can be provided and protected on the basis of self-learning, user-provided information, or DNS intelligence, and machine learning algorithms can be explored for the characteristics of random subdomain attacks.
Tips: Random subdomain attacks are a long-standing issue for financial customers, and NSFOCUS ADS has a unique approach to defending against them effectively. Financial industry customers typically deploy their authoritative servers locally and deploy NSFOCUS ADS at the customer’s authoritative server; ADS filters illegal recursive queries for random subdomains through strategies such as the “CNAME algorithm,” “IP behavior control,” and “pattern matching.”
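The two preceding paragraphs describe learning a domain-name baseline from mirrored traffic and then filtering by name whitelist, per-client behaviour and name characteristics. The code below is an added example of that combination and is not NSFOCUS ADS code: it learns a whitelist of subdomain prefixes from constructed mirrored queries, then classifies incoming queries by whitelist membership, a per-client counter of unknown names (a simple stand-in for IP behaviour control) and the character entropy of the leftmost label (a simple stand-in for pattern matching). The zone `example.com`, the client addresses, the query lists and all thresholds are constructed assumptions.

```python
"""Added example (not NSFOCUS ADS code): random-subdomain filter for an
authoritative zone combining a learned whitelist, a per-client unknown-name
counter and an entropy check.  Zone, queries and thresholds are constructed."""
import math
from collections import Counter, defaultdict

ZONE = "example.com."     # assumed protected zone


def prefix_below_zone(qname, zone=ZONE):
    """'api.example.com.' -> 'api'; apex or names outside the zone -> None."""
    q = qname.lower()
    if not q.endswith("."):
        q += "."
    if q == zone or not q.endswith("." + zone):
        return None
    return q[: -len(zone) - 1]


def shannon_entropy(label):
    """Bits of entropy per character; random labels score high, words low."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def learn_baseline(mirrored_qnames, min_count=2):
    """Whitelist of prefixes seen at least `min_count` times in mirrored
    normal traffic (the self-learning source of the domain-name baseline)."""
    seen = Counter(p for p in map(prefix_below_zone, mirrored_qnames) if p)
    return {p for p, c in seen.items() if c >= min_count}


def classify(queries, whitelist, entropy_threshold=3.0, max_unknown_per_client=5):
    """Return {client_ip: Counter(verdict)} for (client_ip, qname) queries.
    Known names pass; an unknown name is dropped when its leftmost label looks
    random or when the client has already asked for too many unknown names."""
    unknown_seen = defaultdict(int)
    verdicts = defaultdict(Counter)
    for client, qname in queries:
        prefix = prefix_below_zone(qname)
        if prefix is None or prefix in whitelist:
            verdicts[client]["allow"] += 1
            continue
        unknown_seen[client] += 1
        leftmost = prefix.split(".")[0]
        if (shannon_entropy(leftmost) >= entropy_threshold
                or unknown_seen[client] > max_unknown_per_client):
            verdicts[client]["drop"] += 1
        else:
            verdicts[client]["allow-unknown"] += 1
    return dict(verdicts)


def build_sample():
    """Constructed mirrored traffic (for learning) and live queries (to classify)."""
    mirrored = (["www.example.com."] * 5 + ["mail.example.com."] * 3
                + ["api.example.com."] * 4 + ["legacy.example.com."])
    resolver = "192.0.2.53"        # a normal recursive resolver
    attacker = "198.51.100.9"      # source of random-subdomain queries
    queries = [(resolver, "www.example.com."), (resolver, "mail.example.com."),
               (resolver, "blog.example.com.")]        # unknown but not random-looking
    random_labels = ["k3x9qzt2pm", "a7b2c9d4ef", "zq81wvn5ty", "p0o9i8u7yt",
                     "m4n3b2v1cx", "hg5f6d7s8a", "r2t3y4u5io", "l9k8j7h6gf"]
    queries += [(attacker, f"{lbl}.www.example.com.") for lbl in random_labels]
    return mirrored, queries


if __name__ == "__main__":
    mirrored, queries = build_sample()
    print(classify(queries, learn_baseline(mirrored)))
```

The unknown but human-looking name `blog` is allowed, which matters for the false-positive concern the section raises: a whitelist learned from a limited mirroring window will miss legitimate names, so unknown names should be dropped only when the behaviour or the name itself is suspicious, not simply because they are unknown.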
9. New Types of DDoS Attacks Emerge Continuously, and Adaptability and Programmability Are the Future Trends
Currently, reflection and amplification attacks remain the mainstay of new DDoS attacks, but attacks using encapsulation protocols, such as GRE (Generic Routing Encapsulation) and ESP (Encapsulating Security Payload), are beginning to emerge. With the gradual proliferation of UDP-based applications such as HTTP/3 and OpenVPN (UDP), defenders must distinguish reflection attack traffic from normal application traffic. Traditional solutions that rely on manual operation and a limited set of rules cannot cope with new types of DDoS attacks; adaptive anti-DDoS solutions and programmable countermeasure rules are needed to protect against them quickly and flexibly. This requires defense automation, automatic policy fine-tuning, and the ability to automatically identify attack characteristics and turn them into applicable rules, so that new types of DDoS attacks are countered in a timely manner and cause less harm to the target.
Tips: New attacks are continuously emerging, and grasping their characteristics is the key. NSFOCUS ADS can provide adaptive and programmable defense, which is crucial for staying ahead in the ever-evolving landscape of cyber threats.
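The section's point that UDP traffic must be told apart (HTTP/3 and OpenVPN are legitimate UDP, unsolicited responses from reflector services are not) and that rules must be programmable can be shown with a small rule engine. The code below is an added example, not NSFOCUS ADS code: rules are ordinary predicates, the first match wins, and new rules can be pushed in at runtime. It recognises a QUIC v1 Initial packet by its long-header bits and version field (RFC 9000), and drops packets from commonly abused reflector service ports only when the protected host never sent a matching request. The packets, addresses, the solicited-request table and the reflector port subset are constructed for illustration.

```python
"""Added example (not NSFOCUS code): a small programmable countermeasure
engine for UDP traffic.  Packets, addresses and the solicited-request table
are constructed sample data; the reflector port list is an illustrative subset."""
from dataclasses import dataclass
from typing import Callable, List

QUIC_V1 = 0x00000001
# UDP services widely abused for reflection/amplification (illustrative subset)
REFLECTOR_PORTS = {53, 123, 161, 389, 1900, 11211}


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[UdpPacket, "RuleEngine"], bool]
    action: str   # "pass" or "drop"


def is_quic_initial(payload: bytes) -> bool:
    """QUIC v1 long header (RFC 9000): bit 7 = long form, bit 6 = fixed bit,
    bits 5-4 = packet type (00 = Initial), followed by a 4-byte version."""
    if len(payload) < 5 or (payload[0] & 0xC0) != 0xC0:
        return False
    version = int.from_bytes(payload[1:5], "big")
    return version == QUIC_V1 and (payload[0] & 0x30) == 0x00


class RuleEngine:
    """First matching rule wins; rules can be added at runtime, which is what
    'programmable countermeasures' means in practice."""

    def __init__(self, rules: List[Rule], solicited):
        self.rules = list(rules)
        # (remote_ip, remote_port, local_port) for requests the protected host
        # itself sent out; replies to those are expected, not reflections.
        self.solicited = set(solicited)

    def add_rule(self, rule: Rule, front: bool = True):
        if front:
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def verdict(self, pkt: UdpPacket) -> str:
        for rule in self.rules:
            if rule.match(pkt, self):
                return f"{rule.action}:{rule.name}"
        return "pass:default"


def unsolicited_reflector(pkt, engine):
    return (pkt.src_port in REFLECTOR_PORTS
            and (pkt.src_ip, pkt.src_port, pkt.dst_port) not in engine.solicited)


BASE_RULES = [
    Rule("quic-initial", lambda p, e: p.dst_port == 443 and is_quic_initial(p.payload), "pass"),
    Rule("unsolicited-reflector", unsolicited_reflector, "drop"),
]


def build_sample():
    protected = "198.51.100.10"
    solicited = {("203.0.113.53", 53, 53001)}      # our own resolver query, reply expected
    quic = bytes([0xC3]) + QUIC_V1.to_bytes(4, "big") + bytes(20)  # Initial, version 1
    packets = [
        UdpPacket("192.0.2.20", 55000, protected, 443, quic),          # HTTP/3 client hello
        UdpPacket("203.0.113.53", 53, protected, 53001, bytes(80)),    # solicited DNS reply
        UdpPacket("192.0.2.77", 123, protected, 80, bytes(440)),       # unsolicited NTP response
        UdpPacket("192.0.2.88", 11211, protected, 443, bytes(1400)),   # unsolicited memcached response
        UdpPacket("192.0.2.99", 41000, protected, 1194, bytes(42)),    # OpenVPN over UDP
    ]
    return RuleEngine(BASE_RULES, solicited), packets


def run(engine, packets):
    return [engine.verdict(p) for p in packets]


if __name__ == "__main__":
    engine, packets = build_sample()
    print(run(engine, packets))
```

Note that OpenVPN traffic falls through to the default pass: nothing about it matches a reflector pattern, so an engine that only drops what it can positively identify leaves it alone. When a new attack characteristic is identified (the automatic rule formation the section calls for), it is added as one more `Rule` at the front of the list without touching the existing ones.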
Download the 2023 Global DDoS Attack Landscape Report to get more information.