
Botnets Are Shrinking While DDoS Attacks Grow in Power

The ever-evolving threat of DDoS attacks continues to wreak havoc on businesses and governmental organizations. Discussion of the most serious threat actors has long focused on scale alone: how many hijacked devices an attacker could bring to bear. Now, though, DDoS protection will need to scale even further, as small but ultra-powerful botnets have begun breaking records, and uptime, with a fraction of the usual device count.

The Anatomy of a DDoS Attack

A DDoS attack is governed by a simple principle: make the victim's service unavailable by exhausting some resource it depends on, whether that is network bandwidth, connection state, or the CPU and memory the server spends on each request. The motive varies, with cybercriminals launching attacks against individuals, companies and fellow malicious actors as they see fit. In today's always-online world, most people keep up with organizations via the internet, which makes a DDoS attack the perfect option for highly public cybercrime. From warfare to political activism, DDoS is never subtle.

To understand how DDoS attacks take down pieces of online architecture, a basic understanding of how a request reaches a server is required, starting with the Domain Name System (DNS). DNS maps the domain names we recognize and type in to the IP addresses of the servers hosting them. When you request a site, your browser resolves the name through DNS, opens a connection to the resulting address, and sends the request; the server dedicates a small amount of processing power and memory to handling it, and the page is returned to your browser. For most large websites this round trip completes in under 100 milliseconds, for millions of users simultaneously. That small per-request cost is the lever a DDoS attack pulls: every request costs the server something, and the attacker's job is to make it pay that cost far more often than it can afford.

This may sound like a lot of capacity, but the scale at which DDoS attacks operate is larger. A typical DDoS attack weaponizes anything from hundreds to hundreds of thousands of compromised, internet-connected devices. Each attacker-controlled device adds more weight to the victim's online infrastructure, piling on until something breaks and the site tumbles into unavailability. When the goal is simply to push more bits per second through the victim's links than they can carry, this is described as a volumetric DDoS attack; when the goal is to spend the server's CPU on expensive requests, such as page loads or TLS handshakes, it is an application-layer attack. The distinction matters, because the two are measured differently and the record-breaking botnets discussed below are not volumetric.

The Big, Bad DDoS

The destructive capability of a DDoS attack has previously been dictated by one component: the more hijacked devices, the more resources can be consumed, and the more damaging the attack.

The Mirai botnet set the trend for this philosophy. Mirai took control of hundreds of thousands of Internet of Things (IoT) devices, mostly IP cameras, digital video recorders and home routers, by logging in over Telnet with a short list of factory-default usernames and passwords. Such devices are almost always shipped with incredibly lax security, which cybercriminals are more than willing to take advantage of. Mirai's source code was posted to a hacking forum by a user calling themselves Anna-senpai in late September 2016. On 21 October 2016 a Mirai-based botnet attacked the DNS provider Dyn, with traffic estimated at over 1 terabit per second, and because so many popular services relied on Dyn for name resolution, a large share of the web became unreachable for users across the eastern United States and parts of Europe. Impacted platforms included Spotify, Netflix, Amazon, Reddit, Twitter and PayPal.

At the time, this was among the largest DDoS attacks ever observed. The leaked code spawned a family of variants that spent the following three years terrorizing government and private organizations alike, and in 2019 the line was continued by Mozi, which borrows code from Mirai and Gafgyt. Mozi took an even more aggressive approach to recruiting vulnerable IoT devices; cybersecurity analysts soon noticed its rapid-fire attack patterns, and between 2019 and 2020 IoT attack volume was measured to have increased by 400%.

Mantis: Small But Mighty

The threat dialogue surrounding the recent spikes in DDoS attacks has centered on the quantity of controlled devices. Now, however, botnet sizes are decreasing while their associated traffic spirals upward. One botnet, with its paltry 5,000 or so bots, recently broke the record for the most HTTP requests per second (RPS) in a DDoS attack, clocking in at 26 million RPS in June 2022. Note the unit: RPS measures application-layer load on the target, not the bits per second of a volumetric flood, so this is a record for how much work the victim was forced to do rather than for how much bandwidth was consumed.

Thanks to its small size and incredibly powerful punch, this botnet has been named Mantis, after the mantis shrimp. It has also remained incredibly active, launching some 3,000 DDoS attacks against almost a thousand targets within the first 30 days of analysis. Mantis' sheer power is derived from the machines making up its botnet. Instead of relatively simple IoT devices, Mantis' malware runs on several thousand virtual machines and powerful servers. Because those hosts have the CPU to complete a TLS handshake on every connection, Mantis runs HTTPS floods: the target must spend its own CPU on each handshake and on decrypting each request before it can even decide whether to serve it, so every request costs the victim far more than a plain HTTP request would. That is how a botnet a fraction of Mirai's size sets records Mirai never could.

How to Manage the Shifting DDoS Threat

Kaspersky recently published a report stating that, in the first quarter of 2022, DDoS attacks hit the highest occurrence rate on record. Compared to the same quarter a year earlier, attacks were up by 42%; compared to the final quarter of 2021, the rate had risen a staggering 81%. Kaspersky directly linked this meteoric rise to the Russian invasion of Ukraine, pointing to the use of DDoS attacks as a critical component of both warfare and activism.

DDoS attacks cannot be prevented: nothing you control stops an attacker from sending the traffic. In mere seconds, attackers can bring your site and operations down, causing disruption that lasts for hours, and the resultant loss of business and brand image can severely damage organizations of any size. Instead of attempting outright prevention, DDoS mitigation focuses on recognizing malicious traffic and filtering it out before it reaches you.

A DDoS protection provider first routes your traffic through its own network, either by pointing your DNS records at its reverse proxy (for websites and APIs) or by announcing your IP prefixes from its network via the Border Gateway Protocol (BGP, for whole networks). This masks your server's origin IP address and lets the provider deploy traffic filters and reporting in the path. One caveat a practitioner should not skip: the masking only holds if the origin itself refuses connections from anywhere except the provider's address ranges. An attacker who finds the origin address, through stale DNS records, certificate transparency logs or outbound email headers, can otherwise simply bypass the proxy and hit you directly. When an abnormal spike in traffic is detected, two events are triggered. First, you are notified in real time. Then the spike is diverted to high-capacity scrubbing centers, which aim to distinguish malicious from legitimate traffic.

It is vital that these centers quickly recognize human browsing behavior, and reinforce site protection via CAPTCHA, JavaScript challenges or other interactive measures only when a client's behavior warrants it. This must be done rapidly, without compromising your site's load times or responsiveness; a good solution is almost completely transparent to site visitors. With high-quality scrubbing measures in place, your legitimate users are spared the frustration of outages, while malicious actors are kept out of your daily operations.
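The two jobs just described, noticing the abnormal spike and then telling the sources behind it apart from ordinary browsing, are easy to state and fiddly to get right. The script below is an added example written for this article, not code from any protection provider, and it runs a miniature version of both over access-log lines it constructs itself: a spike detector that compares each second's request count to a rolling baseline, and a per-source classifier that uses request rate and path diversity rather than the user agent (the constructed flood presents a genuine browser user agent, as real floods often do). The log format is the standard NGINX/Apache "combined" format; the IP ranges, thresholds and traffic shape are illustrative assumptions.

```python
"""Toy DDoS spike detector over web-server access logs (constructed sample data).
Flags seconds whose request rate jumps far above a rolling baseline, then ranks the
sources behind the spike and marks the ones that do not look like human browsing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# NGINX/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return ip, ts (aware datetime), path, ua as a dict; None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def build_sample_log():
    """Constructed sample (not real traffic): 25 s of light browsing from 50 clients
    at 5 req/s, plus a 5 s HTTP flood from 5 hosts at 40 req/s each from second 20."""
    t0 = datetime(2022, 6, 10, 12, 0, 0, tzinfo=timezone.utc)
    paths = ["/", "/about", "/blog", "/pricing", "/static/app.js", "/static/site.css"]
    uas = ["Mozilla/5.0 (Windows NT 10.0; rv:101.0) Gecko/20100101 Firefox/101.0",
           "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4) AppleWebKit/605.1.15 Safari/605.1.15"]
    lines = []
    for s in range(25):
        ts = (t0 + timedelta(seconds=s)).strftime(TS_FMT)
        for k in range(5):
            n = s * 5 + k
            lines.append(f'203.0.113.{n % 50 + 1} - - [{ts}] "GET {paths[n % len(paths)]} HTTP/1.1" '
                         f'200 1024 "-" "{uas[n % 2]}"')
        if s >= 20:  # the flood: one path, hammered, behind a genuine browser user agent
            for bot in range(5):
                lines.extend(f'198.51.100.{bot + 1} - - [{ts}] "GET / HTTP/1.1" 200 1024 "-" "{uas[0]}"'
                             for _ in range(40))
    return lines

def requests_per_second(events):
    """Map each whole second to the number of requests logged in it, in time order."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ts"].replace(microsecond=0)] += 1
    return dict(sorted(counts.items()))

def detect_spikes(per_second, window=10, factor=5.0, min_baseline=1.0):
    """Flag seconds whose count exceeds `factor` x the mean of the last `window` unflagged
    seconds. Flagged seconds stay out of the baseline, so a sustained flood cannot
    become the new normal and unflag itself a few seconds in."""
    baseline, spikes = [], []
    for sec, n in per_second.items():
        if baseline and n > factor * max(mean(baseline), min_baseline):
            spikes.append(sec)
            continue
        baseline.append(n)
        del baseline[:-window]
    return spikes

def attribute_spike(events, spikes, rate_threshold=10.0):
    """Per-source statistics inside the flagged seconds. A source is a suspect when it
    behaves unlike a browser: 10+ req/s sustained, or 20+ requests for a single path.
    The user agent is deliberately ignored, since floods spoof real ones."""
    flagged = set(spikes)
    stats = defaultdict(lambda: {"requests": 0, "paths": set()})
    for ev in events:
        if ev["ts"].replace(microsecond=0) in flagged:
            stats[ev["ip"]]["requests"] += 1
            stats[ev["ip"]]["paths"].add(ev["path"])
    duration = max(len(flagged), 1)
    report = []
    for ip, st in stats.items():
        rate = st["requests"] / duration
        suspect = rate >= rate_threshold or (st["requests"] >= 20 and len(st["paths"]) == 1)
        report.append({"ip": ip, "requests": st["requests"], "rate": rate,
                       "distinct_paths": len(st["paths"]), "suspect": suspect})
    return sorted(report, key=lambda r: r["requests"], reverse=True)

def analyze(lines):
    """Parse, detect, attribute; returns a summary an alert or dashboard could carry."""
    events = [ev for ev in map(parse_line, lines) if ev]
    spikes = detect_spikes(requests_per_second(events))
    report = attribute_spike(events, spikes)
    in_spike = sum(r["requests"] for r in report)
    suspect_reqs = sum(r["requests"] for r in report if r["suspect"])
    return {"parsed": len(events), "spike_seconds": len(spikes),
            "suspects": [r["ip"] for r in report if r["suspect"]],
            "suspect_share": suspect_reqs / in_spike if in_spike else 0.0}

if __name__ == "__main__":
    result = analyze(build_sample_log())
    print(f"{result['parsed']} requests parsed, {result['spike_seconds']} spike seconds")
    print("suspect sources:", ", ".join(result["suspects"]), f"({result['suspect_share']:.1%} of spike traffic)")
```

Run directly, it reports five spike seconds, names the five flooding hosts and attributes about 97.6% of the traffic in those seconds to them, while the 25 ordinary clients that happened to be browsing during the flood are left alone. The one design choice worth carrying into real tooling is in `detect_spikes`: a naive rolling average would absorb the flood within a few seconds and stop alerting, which is exactly the failure a sustained attack relies on. On a real edge the per-source step would feed rate limits or challenges for the suspects rather than a printed list, and a botnet like Mantis would show up as a few thousand sources each far above `rate_threshold` rather than five.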