DDoS attacks: Something old, now new and wretchedly improved
Patric Balmer, Spark's Managed Security Service Provider lead, explains how one of the oldest types of cyber attack is changing and becoming more difficult to combat.
Distributed denial-of-service (DDoS) attacks have been the stock-in-trade of cyber criminals for decades.
In fact, the first known DDoS attack was in 1996, when an internet service provider known as Panix was swamped by a SYN flood. It's a type of attack that aims to make a server unavailable to legitimate traffic by consuming the server's resources: a SYN flood starts TCP handshakes it never completes, filling the server's queue of half-open connections until genuine connection attempts are refused.
Yet this old attack is now harder to combat than ever, because the nature of attacks is changing. There has been a significant shift in DDoS attack targets, from the network layer (Layers 3 and 4) to the application layer (Layer 7). Attack infrastructure has also evolved, progressing from IoT botnets to more agile and powerful cloud services.
These trends are laid bare in Spark partner Radware’s 2023 H1 Global Threat Analysis Report. The report details a pattern of DDoS attacks targeting not just online applications and their APIs, but also essential infrastructure, such as the Domain Name System (DNS).
Radware’s report notes a considerable surge in DNS query floods, and more sophisticated Web DDoS attacks. These attacks combine a high rate of requests per second (RPS) with randomised requests (varying paths, query strings and headers) so that the traffic looks like a crowd of legitimate users rather than a single repeated request. It's a tactic popular among hacktivist groups, including Anonymous Sudan and NoName057(16).
The volumes can be brutal: the largest of these so-called hyper-volumetric attacks have exceeded 70 million requests per second.
Network-layer attacks are better understood and arguably easier to detect and mitigate than this new generation of attacks, which are broadly defined as HTTP or HTTPS floods. Each request arrives over a fully established TCP (and usually TLS) connection and is well-formed, so it cannot be dropped on packet-level signatures alone. The effectiveness of these attacks is further assisted by 'patriotic volunteers' who, furnished with custom attack tools and tutorials, join crowdsourced botnets.
And just as businesses are using cloud technologies to transform their operations, malicious actors are switching from compromised IoT devices to cloud services. A small number of powerful cloud-hosted nodes can now generate the request volumes that once needed thousands of infected devices, and they run a lower risk of detection thanks to hosting and proxy services that rotate residential IP addresses, which also defeats simple per-address rate limiting.
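As an added illustration of why the randomised, rotating-IP floods described above evade per-address controls, the following Python script is an example written for this article; it is not Spark's or Radware's code and does not represent how their products detect attacks. It parses constructed access-log lines (a legitimate visitor plus a flood of 120 requests in one second, each with a unique query string, spread across 40 addresses in one residential /24), then scores each source /24 per one-second window on request rate and on the share of never-before-seen (path, query) pairs. The thresholds, the /24 grouping and the log lines are all assumptions made for the example.

```python
"""Flag Web-DDoS (randomised HTTP flood) candidates in access-log lines.

Added example: aggregates by /24 source prefix and one-second window rather
than by single IP, because a flood spread over rotating residential addresses
shows only a few requests per address. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    path, _, query = rec["path"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def build_sample_log():
    """Constructed sample traffic (not a real capture): one legitimate visitor
    and a randomised-request flood from rotating addresses in one /24."""
    base = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Legitimate user: five requests to ordinary pages, one per second.
    for i, path in enumerate(["/", "/login", "/app", "/app?page=2", "/logout"]):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    # Flood: 120 requests in one second, each with a unique query string,
    # rotated across 40 addresses (3 requests per address, below any per-IP limit).
    ts = base.strftime(TS_FMT)
    for i in range(120):
        ip = f"198.51.100.{i % 40 + 1}"
        lines.append(f'{ip} - - [{ts}] "GET /search?q={i:08x} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


def score_sources(lines, window=timedelta(seconds=1), rps_threshold=50, novelty_threshold=0.8):
    """Group requests by (/24 prefix, window). Flag a group when its request rate
    exceeds rps_threshold AND most of its (path, query) pairs have never been seen,
    the signature of randomised requests. Returns {prefix: metrics}."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prefix = str(ip_network(f"{rec['ip']}/24", strict=False))
        slot = int(rec["ts"].timestamp() // window.total_seconds())
        buckets[(prefix, slot)].append(rec)

    seen = set()  # in practice, seed this from a baseline of normal traffic
    flagged = {}
    for (prefix, slot), recs in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        novel = 0
        for r in recs:
            key = (r["path"], r["query"])
            if key not in seen:
                novel += 1
                seen.add(key)
        rps = len(recs) / window.total_seconds()
        novelty = novel / len(recs)
        if rps >= rps_threshold and novelty >= novelty_threshold:
            flagged[prefix] = {
                "rps": rps,
                "novelty": round(novelty, 2),
                "distinct_ips": len({r["ip"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for prefix, metrics in score_sources(build_sample_log()).items():
        print(prefix, metrics)
```

On the sample data only 198.51.100.0/24 is flagged: 120 requests per second, every one a previously unseen query string, from 40 distinct addresses. Counted per IP the same flood is 3 requests per second per address, which is why the rotating-residential-proxy tactic defeats naive rate limits, and why a real deployment would also key on request fingerprints (TLS fingerprint, header order, user agent) and on a learned baseline rather than an empty `seen` set.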
The current wave of DDoS attacks is mostly politically motivated, including state-level sponsorship. In this context, New Zealand businesses have not been immune to these threats, which is why it's crucial for us to remain vigilant and prepared. We have seen the damage these types of attacks can do to large New Zealand organisations in the past two years alone.
This is one of the reasons why Spark has formed a deeper partnership with Radware.
In short, we are reselling Radware’s portfolio of application and network security solutions. This includes Radware’s Cloud Application Protection Services, Cloud DDoS Protection Service and DefensePro® DDoS Protection.
We have also incorporated these technologies into Spark's suite of managed security services. These provide an overlay to help you detect DDoS attacks at an early stage and invoke "scrubbing": inbound traffic is rerouted to a filtering centre, attack traffic is dropped there, and clean traffic is forwarded on to your network. The service comes standard with Spark internet circuits.
Now with a Radware POP in our data centre network, we have direct access to a worldwide network of 19 scrubbing centres with approximately 12 Tbps of capacity.
The benefits are twofold: we can stop DDoS attacks close to their point of origin, before the traffic reaches local networks and applications; and we can absorb the largest volumetric attacks.
As DDoS attackers use more creative ways to disrupt services, security teams must defend against a compounding catalogue of threats.
Learn how Spark’s Cyber Security Practice brings the hammer down on today’s more sophisticated DDoS attacks.