DDoS Attacks Over the Last Three Years: Emerging Trends and Defensive Approaches

Spamhaus.org is an organization that tracks spammers and has largely prevented spam. The organization faced the largest known DDoS attack in 2013 with an attack volume of 300 Gbps. The attack was very damaging to the organization and rendered their site unusable. The category of attack for the organization was a layer 3 DNS reflection attack. Although the DNS reflection attack is not a new attack category, it is a remarkable attack as it generated a high amount of bandwidth pressure on the organization and on the internet as a whole. The attack volume against the organization was remarkable in that all the other attacks against organizations in the same year had attack volumes of 100 Gbps or more, but none of them reached the level of the 300 Gbps attack. The attack can be attributed to the lack of ingress filters and the availability of open DNS resolvers. The organization was able to mitigate the attack with a third-party organization which used the ‘Anycast’ tool to mitigate the attack [1]. In the same way, attacks from 2014 and 2015 of DDoS were mainly focused on gaming sites and the software and technology industry respectively. The attack tools were largely NTP amplification in 2014, whereas the attack tools in 2015 were primarily botnets, DNS reflection and UDP fragmentation for the attack. The attack in 2015 was also a larger attack in comparison to the attack in 2013 on Spamhaus and the attack volume was reported at 309 Gbps, in contrast to the attack on Spamhaus. What was also observed in a large spike in attack packet size in 2015 to 202 Mpps from a packet size of 50 Mpps in 2013 [2]. Trends over the years suggest a DDoS attack is maturing with respect to both the attack size and an evolution of the attack mechanisms. Some of the attack tools being used to conduct DDoS attacks include LOIC, HOIC, Slowloris, and RUDY. The tools used to execute DDoS attack mechanisms has evolved tremendously from Trinoo and Stacheldraht that were two of the original DDoS attack tools [3]. This also calls for an evolution from a mitigation standpoint as well. Although there are numerous mitigation strategies, the most suitable methods of mitigating the attack would be to use Access Control Lists (ACLs) and Intelligent DDoS Mitigation Systems (IDMS) [1]. However, not all attack types can be addressed using these two tools. In some instances, additional tools will be necessary for mitigation and in some, it may take the combination of the two tools to be effective. However, the critical point is that organizations must understand that there is a risk for DDoS attacks, which so many organizations fail to acknowledge, not do they realize the significance until the attacks happen. So, the first step for organizations is to comprehend the risk of DDoS attacks, and the ways in which they can set up the organization to have robust defensive mechanisms that will be essential for them to look out for a potential attack. Recognizing a DDoS attack is highly impactful by deploying mitigation strategies that are prompted because of DDoS detection which can greatly decrease the overall impact of DDoS attacks. Even though it will not be possible for an organization to mitigate DDoS attacks completely on their own, the in-house personnel could be an incredibly helpful resource for detecting the attack. After an attack is identified, the organization can either try to remediate it themselves or hire a third party, which is typically what happens. For example, consider the three high-profile attacks discussed that occurred from 2013-2015 and the organization could not remediate the attacks, and they retained a third party; this is an example of an organization that needed outside help and could not remediate the attack themselves.