Cyber Insurance: DDoS attacks explained
A distributed denial-of-service (DDoS) cyber-attack occurs when a cyber-criminal attempts to interrupt an online service by flooding it with fake traffic. This can be achieved by overwhelming various aspects of an organisation’s system, such as servers, devices, networks and applications. During a DDoS attack, cyber-criminals send a deluge of requests to a victim’s server, intending to exceed the capacity limits of their websites, servers and networks, resulting in a halt to services. These attacks can cause minor annoyances or result in entire websites, networks or businesses being taken offline.
DDoS attacks rely on multiple machines operating together to target a single victim organisation. To increase the size of these attacks, DDoS attackers frequently hijack groups of interconnected devices, also known as botnets. Botnets consist of millions of computers that can be located anywhere and belong to anyone. The devices that make up botnets may be infected with malware or rented out for attacks. In both cases, these hijacked computers are used to flood victim organisations with more connection requests than they can handle.
This article details how DDoS attacks work, explains why these cyber-attacks are on the rise and outlines prevention measures for businesses to consider.
How do DDoS Attacks Work?
DDoS cyber-attacks can originate from various sources, including disgruntled employees, business competitors or nation-state actors. Attackers may be seeking to enact revenge, cause chaos or gain a competitive advantage. The purpose of these attacks is to cause server outages and monetary losses for targeted businesses. These cyber-attacks can also involve extortion, in which perpetrators install ransomware on servers and demand payment to reverse the damages.
How to identify a DDoS Attack
DDoS attacks are designed to mimic legitimate traffic from real users, which can make them difficult to identify. Sometimes, DDoS attacks can be mistaken for commonplace technological issues. Therefore, it’s important for organisations to be aware of the warning signs that could indicate a DDoS attack. Any of the following signs should raise concern:
- A surge in traffic stemming from similar devices from the same geographic location or browser
- One or more specific IP addresses making several consecutive requests over a short period of time
- The server timing out while being tested for pinging service
- The server responding with a 503 HTTP error, indicating the server is overloaded or down for maintenance
- A traffic analysis displaying a strong and consistent spike in traffic
- Traffic logs showing spikes at unusual times, in unusual sequences, or to a single endpoint or website
Identifying the signs of these attacks can also help determine which type of DDoS attack is taking place.
Types of DDoS Attacks
There are three main types of DDoS attacks. These attacks are primarily distinguished by the type of traffic being sent to a victim organisation’s systems.
Volumetric attacks - The goal of volumetric attacks is to saturate the bandwidth of victim sites through a flood of illegitimate requests. Attack methods include floods of UDP, ICMP and other types of spoofed packets. Volumetric attacks are measured in bits per second.
Protocol attacks - These attacks target the networking layer of victim systems with the purpose of overwhelming firewalls, tablespaces of core networking systems or load balancers. In these attacks, hackers may use SYN floods, fragmented packet attacks, Ping of Death and Smurf of DDoS. Protocol attacks are measured in packages per second.
Application attacks - Such attacks are designed to capitalise on the vulnerabilities of specific applications. Application attacks may include low-and-slow attacks, GET/POST floods and attacks that target vulnerabilities in Apache, Windows, OpenBSD or other applications. The size of these attacks is measured in requests per second.
Why DDoS Attacks Are on the Rise
The Financial Conduct Authority (FCA) recently revealed that there has been an uptick in DDoS attacks. Specifically, 25% of cyber-incidents submitted to the FCA during the first half of 2022 involved DDoS, compared to just 4% in 2021. Some factors contributing to this trend include:
Internet of Things (IoT) devices—IoT devices are especially vulnerable because they rarely have built-in firmware or security controls. The number of IoT devices is rising rapidly. In 2021, the number of active endpoints globally rose 8% to 12.2 billion. By 2030, this number is expected to surpass 25.4 billion. But as the number of connected devices grows, so does the number of available devices for hackers to turn into botnets. The increasing number of IoT devices will allow hackers to create more extensive networks of computers, strengthening the size of the attacks they can level against their victims.
Application programming interfaces (APIs)—APIs are small pieces of code that allow systems to share data publicly. Public APIs may have a number of vulnerabilities, including weak authentication checks, lack of robust encryption and flawed business logic. In a DDoS attack, APIs can be attacked on both ends of the service. This means an API may be attacked from the server and from the API server at the same time, greatly increasing the strength of an attack.
Cyber-warfare—War and international tensions can lead to an increase in hacktivist-driven cyber-attacks. The term “hacktivist” is used to describe cyber-criminals who are ethically, politically or socially motivated. Hacktivists may use DDoS attacks for reasons such as to make a statement or retaliate against people, governments or organisations they don’t agree with.
Ransomware/extortion—Cyber-criminals are increasingly partnering DDoS attacks with ransomware/extortion demands. DDoS attacks can increase the pressure on victim companies and bring them back to the negotiation table following a refusal to pay a ransom by crippling their network with the promise to stop for the right price.
To protect vital network functions from DDoS attacks, it’s important for all organisations to have a prevention plan in place before a DDoS attack is suspected.
Steps Businesses Can Take
- Organisations should consider the following steps to avoid and mitigate DDoS attacks:
- Use a virtual private network (VPN). VPNs mask and encrypt IP addresses and other identifiable network elements.
- Install antivirus software. Antivirus software can identify and block the types of malware used by DDoS attackers. Once installed, ensure antivirus software is well-maintained.
- Enrol in a denial-of-service (DoS) program. DoS protection services are designed to identify abnormal traffic and direct it away from company networks. These services filter out DoS traffic while permitting clean traffic to continue to the proper site.
- Evaluate security practices. Keep good security practices. Such practices include limiting the number of people with access to important information and managing unwanted traffic. Educate employees on improving password security, choosing secure networks, keeping electronic device software current and being suspicious of unexpected emails.
- Create a recovery plan. Have a plan to be prepared for successful and efficient communication, mitigation and recovery in the event of a cyber-attack.
- Secure insurance cover. It’s critical to explore the available cyber-insurance options and determine how they may help an organisation respond and recover from a DDoS attack. Consult a trusted insurance professional to discuss specific cover needs.
DDoS attacks are a rising threat to organisations. By understanding these attacks and implementing proper prevention strategies, businesses can protect themselves against this cyber-threat. Contact our cyber-insurance specialists today.