DDoS attacks have become an indispensable weapon to paralyze network systems in cyber warfare. Emerging DDoS attacks, such as HTTP/2 Rapid Reset and SLP reflection amplification attacks, are constantly emerging. Both attackers and defenders are struggling to upgrade their technology in order to discover new offensive and defensive strategies. DDoS attacks are no longer limited to traditional network layer attacks, but extend to application layer attacks and reflection attacks. Attackers use new media such as IoT devices and virtual private servers to increase the complexity of attacks, making detection and response increasingly difficult. With the commercialization and SaaS-delivery mode of attack tools, it becomes easier to obtain them without even requiring skills from attackers.
Looking at the cyberspace battle of the Israeli-Palestinian conflict in 2023, the hacker groups that initiated DDoS did not always act independently. Organizations with common interests interact to rapidly form “wartime” coalition. These groups operate separately in peacetime, but they quickly join forces for shared interests to increase their offensive power in the face of conflict. Examples include the Cyber Operations Alliance (C.O.A Agency), Killnet and Anonymous Sudan and other hacker groups in the Israeli-Palestinian conflict. In addition, some hacker groups will also temporarily form and participate in attacks due to their own interest demands.
DDoS attack mode changes from straightforward resource exhaustion to intelligent strategy attack. Intelligent strategic attack means that the attacker can adaptively select or predefine the strategy path according to the environment of the attack target, and intelligently adjust its own attack mode and behavior. Different from early attack tools, intelligent strategy-based attacks not only execute the attack steps in a predetermined sequence, but also dynamically adjust the strategy according to the real-time situation, so as to save attack resources and circumvent traditional detection and defense mechanisms, and finally maximize the attack effect.
Pulse (short-burst) attacks, as evidenced since 2018, generate extremely high traffic peaks for a short period of time, then stop suddenly and re-initiate after a certain interval to circumvent the automatic defense mechanisms triggered by protective equipment. By 2021, carpet-bombing attacks appeared. DDoS attacks were carried out on a large number of IP addresses. Although the attack traffic borne by a single target IP address was small, it should not be underestimated in total. Such attacks bypassed the scrubbing policy of the DDoS defense system and had an impact on the user business of the entire IP segment. By 2023, new testing types of DDoS attacks are emerging that will allow attackers to scope targets, gauge defense strength, and assess follow-on efforts. In this case, the initial DDoS attack may serve as a reconnaissance attack to conserve attack resources and set the stage for subsequent more accurate attacks.
After using real hosts, botnets and reflective nodes, attackers gradually prefer to purchase dedicated cloud servers – Virtual Private Servers (VPS) as the attack source. For a long time, large botnets mainly rely on IoT devices such as routers, printers and cameras to carry out attacks. However, these devices have limited processing power and typically require the traffic generated by hundreds of thousands or millions of units to damage a target. Nowadays, attackers are no longer limited to IoT devices but use VPS provided by cloud service providers. The VPS offered by cloud providers was originally designed to enable small business start-ups to create high-performance applications at a lower cost. These VPS networks have more powerful computing performance and network bandwidth. Attackers can purchase or invade multiple VPS to build a new botnet for attack activities.
In addition, there are clues that DDoS is gradually becoming the forward of advanced persistent threats and ransomware attacks. Increasingly, DDoS attacks attempt to distract incident response teams from larger security incidents. DDoS attacks themselves may be just smoke bombs. The purpose of the attack is no longer just simple network disruption but also to confuse and divert the attention of defense personnel toward the surface, thus creating conditions for more secretive and targeted penetration activities behind the scenes and launching APT attacks with greater harm.
For a deeper dive into cybersecurity insights and forecasts, explore the report 10 Cybersecurity Trends for 2024.