DDoS Unveiled: The Silent Menace in Cyber Warfare

Mayur Nagarsheth
Mayur Nagarsheth

1 Introduction and Definitions

In our contemporary world, digitization, automation, and connectivity have become integral to the core of every organization, business, infrastructure, state, and nation. Digital Transformation plays a pivotal role in the economic and industrial progress of countries, with digital infrastructure emerging as a crucial pillar for a scalable economy. For major global economies, digital infrastructure serves as a lifeline, representing the primary means for sustaining populations and fostering economic prosperity.

The advent of the next industrial revolution, often referred to as Digital Transformation or Industry 4.0, is underway, reshaping the daily lives of citizens and businesses in a highly structured manner. The overarching goal is to achieve well-defined applications of digitization for critical aspects of both citizen and business life. The United States is at the forefront of this transformative change, anticipating trillions of dollars in economic growth. Sectors such as healthcare, emergency response systems, critical infrastructure, mass manufacturing, autonomous robotics, and defense systems are undergoing significant changes in the pursuit of future scalability and efficiency.

The foundation of Digital Transformation lies in the widespread proliferation of Cloud infrastructure and IoT-based mechanization, driving the industrial revolution. The United States, along with other progressive nations, is engaged in intense competition to establish superiority in these sectors, aiming to reap the benefits of being the most advanced economy. Any setback in the growth of digital infrastructure could result in substantial losses for a country or impact its overall standing. While the world engages in this economic battle for digital transformation, aspiring nations must address multiple security issues associated with the digitized world.

Digital transformation promises positive changes in our lives; however, it is also susceptible to critical vulnerabilities within systems. One of the most significant threats to Digital Transformation in the United States is the occurrence of Denial of Service attacks (DoS) or Distributed Denial of Service Attacks (DDoS). The impact of these attacks can be likened to that of Weapons of Mass Destruction (WMDs), leading us to term them as digital weapons. To comprehend these threats better, let's begin by exploring the fundamentals of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. The magnitude of a large-scale attack is often measured in bandwidth, expressed in Terabits per second (Tbps or approximately a trillion bits per second).

2 Security Threats to Digital Transformation

Threats to Digital Transformation can be mainly categorized into three high-level categories:

  1. Threat to Digital Data

  2. Threat to Compute and Control Systems

  3. Denial of Service Attacks Against Infrastructure and Control Systems

These categories can be subdivided further, but that is not the scope and intent of this discussion.

2.1 Threat to Digital Data

At the core of Digital Transformation lies data, serving as its fundamental foundation. However, this very data can be exploited for malicious purposes, particularly for illicit financial gains. To successfully navigate the landscape of digital transformation, robust security measures for data protection are imperative, necessitating deterministic and highly effective controls.

Data faces two primary forms of attacks—data theft and ransomware. Both have witnessed a significant surge perpetrated by international actors targeting businesses and the United States Government. A looming and substantial threat to data security is the potential occurrence of massive Distributed Denial of Service (DDoS) attacks on data systems. Such attacks have the potential to severely cripple businesses and government operations due to the unavailability of crucial data (Based on findings from the Verizon Report on Data Breaches).

2.2 Threat to Compute and Control Systems

Large-scale financial computation and business control compute systems represent prime targets for attackers and hackers. The motivation behind these attacks extends beyond mere financial gains; they can inflict substantial damage on financial enterprises and erode confidence in the systems themselves. Threats to control systems predominantly center on seizing command of critically important systems with the intention of causing disruption. Such attacks have the potential to result in significant financial or strategic harm to both systems and businesses.

By infiltrating and taking control of financial institutions or crucial banking systems, an attacker has the capability to unleash considerable financial chaos within the United States. Conversely, strategic attacks may involve the hijacking of control systems governing emergency response systems, major power grids, power generation stations, air traffic control, or even critical defense systems and strategic controls. DDoS attacks directed at these vital systems translate to rendering them inoperable. Even a brief interruption of mere seconds in these systems can equate to substantial damage to the overall economy.

2.3 Denial of Service Attacks Against Infrastructure and Control Systems

Introduction

A Denial of Service (DoS) attack is a method wherein the targeted system is intentionally flooded with fake tasks, rendering the target entity unable to perform its intended functions. This incapacitates the target entity, preventing it from delivering some or all of its designated services or functions. In its severe form, a DoS attack can render the target entity entirely non-functional, hence the term "Denial of Service." These attacks are strategically crafted to disrupt the control elements of large critical systems, rendering the entire critical system inoperable. What exacerbates the threat is the unfortunate reality that DoS attacks are inherently challenging to solve. A single system or a coordinated set of systems can overwhelm a critical system with finite bandwidth and capacity within minutes. Consequently, regardless of the bandwidth and capacity provided to a business or control system, the possibility of being outsmarted always exists.

This problem is most acute for all network-connected entities due to their exposure and visibility on the internet. Even within protected networks, DoS attacks can be initiated by insider threats or other vulnerable devices.

DDoS attack bandwidth and packet count levels
DDoS attack bandwidth and packet count levels

As per the analysis, there has been a rise in the number of DDoS attacks of sub-terabits per second bandwidth. Usually, they last for a short time. As per Verizon's security report of 2018, in one year alone, a total of 21,409 DDoS attacks were counted with certainty. Significant consideration should be provided to the mathematics of simultaneous attacks from a large number of sources. For example, a simultaneous attack by a billion mobile devices on a single target can be as disastrous as an attack by a single supercomputer of one petaflop computing bandwidth.

A Distributed Denial of Service (DDoS) attack is an assault on a server or network orchestrated by overwhelming traffic generated from multiple compromised computer systems. Instead of originating from a single location, the target is simultaneously assaulted from numerous locations. DDoS provides several advantages to the attacker:

  • The attacker can harness a vast volume of machines and computing resources to execute a significantly disruptive attack.

  • The challenge of thwarting an attack becomes exponentially greater when dealing with multiple machines rather than a solitary one.

  • Detecting the attacking party is intricate as they are concealed behind numerous compromised systems.

This form of attack leads to a slowdown or complete unresponsiveness to legitimate requests, potentially causing a system shutdown. The key question is how an attacker manages to enlist multiple sources for the attack. The answer lies in malicious software, which the attacker disseminates over the internet through channels like email attachments and websites. When users inadvertently click or open such malware-infected channels, the malicious software installs itself on their computers without their awareness. These infected computers, along with many others, form a collective force to carry out a DDoS attack, collectively referred to as a Botnet. This is not a small-scale operation; we are talking about hundreds or thousands of computers distributed globally. All these infected computers are under the central control of the main attacker, executing actions as directed by the controller. In many instances, the attacker can schedule a specific date and time for the DDoS attack to occur. This orchestrated action by the Botnet is also termed a Synchronized Denial of Service attack, with the duration ranging from minutes to hours or even days, entirely dependent on the attacker's discretion.

Why DDoS?

The generation of DDoS attacks stands out as one of the most cost-effective endeavors in terms of resource requirements, with numerous forms of these attacks already automated. DDoS is rapidly evolving into a weapons-grade threat, driven by factors such as increased bandwidth, prolonged attack durations, and heightened difficulty in mitigation.

Detecting and mitigating DDoS attacks pose significant challenges for several reasons:

  • Attackers exploit a multitude of machines and computing resources to orchestrate massive disruptive attacks.

  • The substantial bandwidth associated with DDoS attacks can overwhelm monitoring systems.

  • Controlling or halting multiple machines engaged in the attack is exceedingly complex.

  • Identifying the attacking party proves challenging as they adeptly conceal themselves behind compromised systems.

The pivotal question arises: How does one gain control of numerous systems to execute simultaneous attacks? The fundamental approach involves infiltrating malicious software, appearing benign, onto these systems. This task can be executed through various methods, and once infected, the systems become subject to direct or indirect control by the attacker.

Simultaneous synchronous DDoS attacks not only amplify the attack's bandwidth but also exponentially magnify the potential damage inflicted. Consequently, weaponizing DDoS in diverse forms resembles derivatives of Weapons of Mass Destruction (WMDs). However, DDoS holds a distinct advantage in precision over WMDs, allowing for more targeted harm to economies.

In addition to its cost-effectiveness in bandwidth multiplication and devastation, DDoS manifests in various forms. Some are challenging to identify due to effective camouflage, while others pose difficulties in mitigation. At its smallest scale, delivery systems may utilize mobile devices, easily multiplying through a large number of end users. In its most intricate form, DDoS could be delivered by hijacking satellite bandwidth in upstream or downstream transponders. It is not improbable that certain satellite systems are already compromised or equipped with malware, transforming them into massive-scale DDoS delivery systems.

Cybercriminals launched approximately 7.9 million Distributed Denial of Service (DDoS) attacks in the first half of 2023, representing a 31% year-over-year increase. As 5G adoption gains momentum, the problem will get far worse, requiring more sophisticated DDoS detection/mitigation mechanisms, according to Anand Dutta, Head of Cyber Security Solutions & Presales at Tech Mahindra.

Examples:

Let's look at some of the most eye-opening attacks in recent history. It is public knowledge that there have been massive DDoS attacks in the last few years. These attacks targeted various important business and government sectors and industries. As per the Verizon Enterprise Services security report of 2019, LDAP is used for user authentication, DNS is used to resolve the names of websites, and NTP is used for clock synchronization across the globe. These are the three most attacked services by DDoS due to the nature of impact they can create on major critical services.

On 21st October 2016, Dyn—a company that provides Domain Name System (DNS) services—was a victim of two complex and well-planned DDoS attacks. This was considered to be one of the biggest attacks planned to disrupt the global internet service. The attack was planned to take down data centers all over the globe. Dyn's service takes human-readable internet URL addresses such as www.amazon.com and resolves them into associated IP addresses. Imagine the impact of such a complex DDoS attack on Dyn, which prevented customers from reaching 1200 domains like Amazon, Twitter, New York Times, etc. Now, let's look at some details of the attacks. The attack was noticed by the initial bandwidth elevation on Dyn's managed platform in several regions of Asia Pacific, the United States, and Europe. The attack vector soon changed to a huge volume flood of TCP and UDP packets. These were destined for port 53, originating from a large source of IP addresses. It was later analyzed that 100,000 malicious endpoints were included in the attack. These endpoint devices were IOT devices like Cameras, DVRs, and other unknown devices that were part of botnets—a significant volume of traffic originated from Mirai-based botnets. These botnets consist of Internet of Things (IoT) devices. What is Mirai? Mirai is a piece of malware that infects and exploits the network devices on the internet; in most cases, IoT devices like Printers, Cameras, Scanner, etc., can be used as a botnet in large-scale network attacks. Analysts noted a magnitude of 1.2Tbps range for the Dyn attack. This Dyn attack surely opened up an important issue around device vulnerability and internet threats.

"With the trend toward weaponizing vulnerable IOT devices there is a noticeable change in the attack landscape. Attackers no longer rely solely on IP spoofing for large scale attacks as they now have millions of potential weapons that are extremely well connected with fully capable network stacks," according to Rajkumar Jalan, former Chief Technology Officer at A10 Networks.

An anonymous group, later known as the New World Hacking group, launched a DDoS attack against the business and presidential campaign sites of President Donald Trump on April 1, 2016. The attackers sought to damage Trump's brand by taking down the billionaire's website for his hotel chain, email servers, and presidential campaign. [Ref 6.15]

On November 8th, 2017, Boston Globe suffered a DDoS attack. This prevented many of its employees from doing their work and rendered its website inaccessible. It also affected its newspaper's telephones and editorial systems. [Ref 6.16]

Figure 1 ZDNet statistics on DDoS attacks [Ref – 6.1]
Figure 1 ZDNet statistics on DDoS attacks [Ref – 6.1]

It is important to note how much loss a business has to incur when hit by a DDoS attack. Below is an average peak hourly revenue loss for a DDoS victim.

Average Peak Hourly Revenue Loss
Figure 2 [Ref – 6.2]

3 Growth and Trajectory

Verizon’s 2019 Data Breach Investigations Report
Verizon’s 2019 Data Breach Investigations Report

As per Verizon's 2019 Data Breach Investigations Report, an examination of threats and threat actions or types of threats revealed that DDoS is at the top of the attack types or varieties associated with security incidents.

"Protecting data is now a top priority to most organizations. DDoS, by far, has been the most dangerous attack as its bandwidth and impact could go beyond expectation. Nearly two-thirds of the attacks are targeted towards communication service providers. DDoS is a big threat to the telecom industry and can break down a country's communication network in mere minutes, which can bring an entire nation and its emergency response systems to its knees," says Mr. Keshav Kamble, Chief Executive Officer of Avocado Systems. "Multiplication of attacks including derivatives of Mirai attack can lead to Weapons grade DDoS. Our nation needs to be proactive and take appropriate measures towards protecting our society and citizens from this deadly weapon—DDoS," cautions Mr. Kamble.

4 Weapons Grade DDoS, Effects

The purpose of this article is not to assess the capabilities of an outcome but to explore the readiness for catastrophic events. The perspective also emphasizes that, in contrast to the traditional weapons' cost and capabilities ratio, DDoS weapons significantly outperform. According to RAND (1994, pp. 101-132), the military capabilities of any country can be intellectually compared based on several factors:

  • Defense Budget: Total size and percentage of GNP (Gross National Profit), distribution per service.

  • Combat RTD&E (Research, Test, Development, and Evaluation): Number and distribution by type and service, quality relative to peers.

  • Manpower: Absolute size of the pool, educational and technical proficiency by rank.

  • Defense Industrial Base: Total number of facilities, sufficiency relative to service need.

  • Military Infrastructure: Total number of facilities, distribution by category, and service need.

  • Inventory and Support: Size and structure of inventory, holdings of high-leverage systems, sufficiency of logistics.

Some estimates suggest that the storage and maintenance of modern nuclear weapons cost the United States Department of Defense about $20 billion per year. While this figure may vary among countries, it is undoubtedly a substantial cost.

When comparing traditional military capabilities, making them effective and maintaining them poses a significant challenge for most developed countries. Additionally, it has consistently been a perpetual challenge without a definitive resolution. These factors underscore the notion that, for military superiority, DDoS weapons offer the best combination of low cost, high scalability, difficulty in traceability, minimal manpower requirement, easy development, and maintenance capabilities. Countries with highly developed digital infrastructures, such as the United States, are both the most vulnerable and, simultaneously, best positioned for developing capabilities.

In a study conducted at Avocado Systems labs, it was discovered that a considerable number of attacks on their IT infrastructure originated from remote or rural areas of countries not initially suspected. This indicates that those endpoints were likely portable devices or mobile phones networked by attackers for coordinated attacks.

For DDoS to reach weapons-grade status, sufficient bandwidth is necessary. This bandwidth can be the aggregate of all individual sources used in the process. Consequently, a large number of mobile or portable computer devices can be employed for bandwidth aggregation. Alternatively, hacking into substantial bandwidth sources, such as telecommunication gateways, satellite systems, and intercontinental oceanic fiber optic cable relays, enables the assembly of a very high aggregate bandwidth.

5 Conclusion

Clearly, Distributed Denial of Service (DDoS) attacks can be highly destructive, posing significant risks to businesses and infrastructure. Below, we present some general recommendations for DDoS mitigation aimed at alleviating the impact of potential attacks:

Constantly Monitor DNS and Use Resilient Infrastructure:

  • Implement continuous monitoring of DNS activities.

  • Utilize infrastructure with resilience to enhance robustness against potential attacks.

Understanding Critical Assets and Services:

  • Identify and prioritize critical assets and services to focus mitigation efforts effectively.

Understanding User Network Connections:

  • Gain insights into how users connect to the network to anticipate potential attack vectors better.

Following DDoS Protection Best Practices:

  • Adhere to established best practices for DDoS protection to fortify defenses.

Building an Organization-Wide Business Continuity Plan Against DDoS:

  • Develop a comprehensive business continuity plan at the organizational level to respond to DDoS incidents effectively.

In the context of leveraging Artificial Intelligence (AI) for DDoS mitigation, several strategies can be employed:

Traffic Anomaly Detection:

  • Utilize AI-based systems for continuous monitoring of network traffic.

  • Identify patterns and anomalies to trigger alerts and take preventive actions against sudden surges.

Behavior Analysis:

  • Employ AI to analyze network traffic behavior, distinguishing between legitimate and malicious activity based on learned patterns.

Real-Time Mitigation:

  • Enable AI to respond in real-time by automatically adjusting network configurations, redirecting traffic, or implementing rate limiting during DDoS attacks.

Machine Learning Models:

  • Train machine learning models on historical DDoS attack data for predicting and recognizing new attack patterns.

Botnet Detection:

  • Leverage AI to detect and block botnet traffic by analyzing device behavior on the network.

Cloud-Based DDoS Protection:

  • Explore AI-driven DDoS protection services offered by cloud providers to absorb and mitigate large-scale attacks.

User and Device Authentication:

  • Implement AI-assisted authentication to ensure authorized access, preventing unauthorized entry that could lead to DDoS attacks.

Predictive Analytics:

  • Use AI for predictive analytics, analyzing historical data, and monitoring emerging threat trends to anticipate potential DDoS attacks.

Intelligent Filtering:

  • Apply AI for intelligent filtering of incoming traffic based on source, behavior, and other attributes.

DNS Filtering:

  • Employ AI-driven DNS filtering to prevent DNS amplification attacks by identifying and blocking requests exhibiting attack characteristics.

It's crucial to emphasize that while AI enhances security and response capabilities, it should not be considered a sole solution. DDoS mitigation should be integrated into a comprehensive cybersecurity strategy, incorporating measures like network architecture design, intrusion prevention systems, load balancing, and incident response plans. AI should complement these efforts for an effective overall security posture.

6 References

6.1 https://www.zdnet.com/article/the-average-ddos-attack-cost-for-businesses-rises-to-over-2-5m/

6.2 https://www.netcraft.com/blog/bbc-websites-still-suffering-after-ddos-attack/

6.3 https://www.nist.gov/programs-projects/advanced-ddos-mitigation-techniques

6.4 https://www.teskalabs.com/blog/how-ddos-can-sink-your-business

6.5 https://www.cisa.gov/cybersecurity-toolkit-and-resources-protect-elections

6.6 https://www.cisecurity.org/insights/white-papers/ms-isac-guide-to-ddos-attacks

6.7 https://www.nti.org/analysis/articles/us-nuclear-weapons-budget-overview/

6.8 https://fas.org/rlg/wmd-2018.pdf

6.9 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-189.pdf

6.10 https://www.brookings.edu/opinions/maintaining-our-nuclear-arsenal-is-expensive

6.11 https://www.rand.org/content/dam/rand/pubs/monograph_reports/MR1110/MR1110.ch7.pdf

6.12 https://csrc.nist.gov/csrc/media/projects/mobile-security-and-forensics/documents/mobile_agents/computernetworkids.pdf

6.13 https://www.dhs.gov/science-and-technology/ddosd

6.14 https://www.netscout.com/blog/ddos-attacks-against-governments-are-rise

6.15 https://www.reuters.com/article/us-usa-election-trump-cyber-exclusive/exclusive-hackers-test-defenses-of-trump-campaign-websites-ahead-of-u-s-election-security-staff-warn-idUSKBN25S4SF/

6.16 https://www.studypool.com/documents/11753694/boston-globe-attack

6.17 Verizon Security Report 2018, 2019.

Join the Discussion

Recommended Stories

Real Time Analytics