The State of DDoS Attacks: Evolving Tactics and Targets Businesses Must Be Aware Of

By Ivan Shefrin, Executive Director, Managed Security Services, Comcast Business

The rise of DDoS attacks is old news. Now, these attacks are becoming more dangerous, targeted, and detrimental as they evolve. As DDoS attacks become more sophisticated, adversaries are able to hone in on the most vulnerable targets, ranging from small- and medium-sized businesses to the world’s largest enterprises.

The 2023 Cybersecurity Threat Report suggests that DDoS attacks are still an important part of the cybersecurity threat landscape. Out of 23.5 billion overall cybersecurity attacks detected last year, the report found a staggering 210 million attempts to use DDoS attacks to affect business operations by shutting down critical application servers and network resources.

In short, DDoS attacks are here to stay. Knowing how their tactics are changing and who is most at risk is crucial in defending against them, regardless of business size.

Ease of executing DDoS attacks

2022 saw a continuing evolution of sophisticated DDoS activities, with greater concentration occurring in certain industries and a change in the manner of attacks. While certain industries are at higher risk, all sectors remain vulnerable.

As they’ve evolved, these attacks have remained prevalent for several reasons. For one, they are quick and sudden. For instance, short-burst attacks under 10 minutes long were the most common in 2022. These attacks are harder to detect, especially if organizations try using firewall rate-limiting policies to stop them, rather than carrier-grade services. Multiple short-duration attacks exhaust IT resources because the next one starts before the organization can deal with the last one. What’s more, short-duration attacks are much harder to detect. While IT remains in an endless loop of dealing with multiple attacks, adversaries can use the distraction as a smokescreen to execute more insidious attacks elsewhere. The short and abrupt nature of the attacks creates ideal circumstances for hackers.

DDoS attacks are also incredibly easy and cheap to create. Tools like botnets or other devices can be bought or rented online to carry out DDoS attacks for low prices. The cost of a 100 Gbps attack on the dark web is just around $20. And, carrying out a DDoS attack requires little to no technical knowledge, unlike a few years ago when a determined attacker needed to assemble their own botnet. All the attacker needs to know is the target IP address or range of IP addresses they want to attack. The ease with which these attacks can be carried out makes them a popular choice for adversaries.

The most targeted and susceptible businesses

All businesses, regardless of industry, are targets of DDoS attacks. However, we found that certain verticals are more targeted. It’s also important to note that attackers do not discriminate based on the size of an enterprise. Risks typically ebb and flow for each industry. However, there are several industries that have remained most vulnerable.

Education is one of the most commonly targeted verticals for DDoS attacks, accounting for 46% of attacks in 2022. In addition to the accessibility of DDoS attacks, the volume of technology used in schools and free WiFi make them easy targets. Computers and tablets are essential for students now, and as schools embrace these technologies, they don’t always account for the risks they bring. There have even been reports of students boasting about disrupting their school’s internet to avoid work. If the internet goes down at a school, the majority of work stops. Today, grading, projects, homework, and exams are all hosted in Software-as-a-Service (SaaS) applications in schools everywhere. With so much work and data hosted in one place, an attack can be detrimental.

Another highly targeted vertical is the IT and Technical Services sector, which accounted for 25% of attacks in 2022. This industry offers a variety of opportunities for hackers to infiltrate, with attackers’ main goal being to look for sensitive information or to gain access to an end user.

During 2023, we’ve seen a large increase of DDoS attacks against finance and healthcare, which in 2022 accounted for 14% and 13% of attacks, respectively. While no industry is safe, those with unique vulnerabilities are at an even greater risk.

A growing vulnerability landscape

DDoS attacks are created using botnets, which are large networks of compromised computers repurposed to launch cyberattacks. In 2022 there was a significant increase in application and infrastructure-related vulnerabilities. In fact, over 26,000 new application and infrastructure vulnerabilities were added to the National Vulnerability Database last year. What this means for DDoS attacks is an expansion in the size of botnets used to create them.

There are numerous ways to target application and infrastructure-related vulnerabilities. For example, stolen credentials easily allow attackers to authenticate applications, bypass security, elevate privileges, and conduct malicious activities. Pre-packaged exploit kits and services sold on the dark web allow even unskilled adversaries to exploit targeted software vulnerabilities in client applications and browsers to execute code remotely. These exploits introduce multiple threat vectors for adversaries to enter the business behind traditional security controls.

This ease of access is paired with ongoing vulnerabilities and the challenge of patch management, which is the process of updating software to correct errors and protect against vulnerabilities. These factors make it difficult to secure applications and infrastructures in business environments.

Take action now to bolster defenses for the future

Mitigating DDoS attacks requires a multifaceted approach. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommends working with your ISP to defend against DDoS attacks. That’s because even if you implement local solutions like rate-limiting firewalls, only your ISP can mitigate upstream bandwidth saturation issues resulting from a DDoS.

One key technique ISPs use involves BGP Flowspec, a powerful traffic filtering mechanism to dynamically distribute filtering rules across their network infrastructure. This enables immediate and precise mitigation of DDoS attack traffic without disrupting legitimate data flow.

Additionally, security providers use distributed scrubbing centers that can handle high volumes of malicious traffic, diverting it away from the targeted infrastructure to specialized facilities. To enhance responses to this traffic, ask if your ISP tunes your DDoS mitigation to reflect actual application traffic based on peace-time traffic and legitimate applications, enabling better identification and isolation of anomalous traffic during an attack while minimizing false positives.

Ensuring that this malicious traffic is blocked at the entry point to a network is vital. For further protection, businesses can consider utilizing comprehensive monitoring and controls that can provide reporting and alerting. By learning about the makeup and characteristics of each DDoS attack, businesses can proactively adapt their defenses, effectively mitigate future threats, and configure notification alerts.

Businesses of all sizes and industries are now at risk for DDoS attacks, especially as they continuously evolve. Learning about the growing vulnerability landscape and sophisticated tactics hackers use is crucial in not only defending against them, but saving time and resources in the long run.

About the Author

Ivan Shefrin is the executive director for Comcast Business Managed Security Services. He is a hands-on cybersecurity leader with 25 years of experience partnering with enterprise and communication service providers to anticipate and capitalize on disruptive technology trends, transform IT architectures, and generate new forms of value from the convergence of cloud and network security, data analytics, and automated threat response. His work at Comcast Business includes Distributed Denial of Service Mitigation, Managed Detection and Response, and hosted security services.