Over the weekend, video game developer and publisher Blizzard Entertainment had a lot of angry gamers on its hands. The frustration stemmed from the fact that the servers that usually allow players to log in to their accounts and play Blizzard titles online were inaccessible for hours.

The cause of the disruption was a distributed denial of service (DDoS) attack, in which a malicious actor floods a target with traffic in order to make a service unreachable and unusable for others. DDoS attacks have fallen out of the headlines in recent years, but they shouldn’t fall out of the purview of organizations trying to protect against potential threats.

While data breaches have taken over in the minds of consumers as the top risk posed by hackers and other threat actors, DDoS attacks pose their own considerable threat, especially as they become easier to carry out and require fewer resources than they once did to deliver a major punch to a targeted organization.

A recent report published by internet security firm Verisign found the average peak size of DDoS attacks has been increasing. The attacks at their biggest (about 10 Gigabits per second) were 26 percent larger than they were the year prior.

A study from cybersecurity firm Kaspersky published earlier this month found long-lasting DDoS attacks were also on the rise, including one the company tracked that lasted 277 hours—more than 11 days.

That news did not come as a surprise to Ryan Jeffs, Senior Product Manager for Security Products at content delivery network Limelight Networks. He told International Business Times the types of attacks his company sees on a regular basis are “very evenly split” between denial of service attacks and data breaches.

“Data breaches tend to get more press, especially because those data breaches are affecting such large numbers of end users,” he said. “It hits home to people a little bit more when they hear their credit card numbers or other things may have been stolen."

But DDoS attacks haven’t disappeared. If anything, the attacks loom larger than ever before. The resources exist for just about anyone with an internet connection to download the tools needed to overwhelm and disrupt a service with a flood of illegitimate traffic.

Know Your Attacker

Jeffs said most denial of service attacks are carried out by one of two types of attackers. The first are the well-educated and well-equipped, the experienced attackers who know what they are doing.

“They tend to be highly focused on one particular industry or target," Jeffs said, suggesting they may carry out sustained attacks against a particular victim. “They have their knowledge they can use as well as a whole host of tools that are out there that they've written."

The second and more common kind of attacker behind DDoS attacks is the less sophisticated threat actor. It’s a person or people who are tech-savvy enough to find and execute toolkits published online that allow them to launch a DDoS attack without much experience.

Jeffs said the tools available online vary in their complexity and difficulty of use but share a commonality that likely brings little comfort to organizations that may fall victim to an attacker making use of such tools: “[these tools] are out there, they are online, they are freely available. You have access to them whether you are a researcher and a good guy or a nefarious character and a bad guy," he said.

According to Jeffs, the “vast majority” of denial of service attacks seen online today come from the less sophisticated attackers. In many cases, those attackers can launch a toolkit and be handed the keys to huge collections of devices that can drive traffic at a target.

“It’s very easy for them to be successful at a denial of service attack against an unprotected or poorly protected website,” Jeffs said. "I wouldn't say that it's difficult for someone to make attempts at a denial of service attack today."

Defending Every Layer

DDoS attacks seem relatively straightforward, but there are variations that organizations should be aware of and ready to defend against should they find massive influxes of traffic suddenly slamming their systems.

The type of DDoS attacks most people are used to hearing about—the massive ones that knock services offline, like the Christmas Day attacks that took down online services for Microsoft and Sony’s gaming platforms in 2014—are generally layer three or layer four attacks.

That refers to the Open Systems Interconnection model that makes up a network stack. Essentially, there are seven layers that handle different tasks. Layer three is the network layer, where data packets are transferred from a host to an end user. Layer four is the transport layer, where host-to-host communications happen.

Disruptions at either of these levels prevent an end user from being able to communicate with a service. “Their ultimate goal is to either starve a network device or network bandwidth itself in such a way that you have filled up the pipes and made it impossible for anybody with legitimate traffic to get to the end website,” Jeffs said.

The growing threat from DDoS attacks doesn’t come at these layers but rather at layer seven, the application layer. These attacks are less reliant on huge amounts of traffic than attacks at the third and fourth layers are.

"Layer seven attacks are less focused on trying to get a pipe filled up with bandwidth and more focused on looking for ways they can starve the resources of the device that is delivering the content to those end users in order to prevent new connections from happening," Jeffs explained.

He also noted that layer seven attacks aren’t just limited to denial of service attempts. The application layer can also be a target of those trying to breach a network with the intention of stealing valuable information and data, so its protection is essential.

Attackers Are Motivated To Act

Attacks at any layer can happen for any number of reasons. While it likely doesn’t matter much in the moment why an attacker picked the target they did, it’s important for organizations to understand the varying motivations for attacks so they understand their risk levels.

"There are as many motivations as there are people who want to attack a site," Jeffs said, meaning each individual attacker has their own driving force behind an attack.

It’s not uncommon to see DDoS attacks used in ransom efforts for financial gains for the attackers. In these cases, the threat actor launches a denial of service effort against a target and extorts the victim, demanding money in exchange for calling off the attack and restoring the site’s standard operations.

Financial motivation was the driving force behind a huge uptick in DDoS activity earlier this year that knocked gaming and gambling sites offline in Hong Kong. Those attacks are especially harmful to an organization, as downtime means fewer users and fewer payments for services the site provides.

Jeffs noted DDoSing is also a tactic used by attackers trying to make a political statement. The online activist group Anonymous has been linked to denial of service attacks against what it deemed to be oppressive regimes or targets guilty of a moral crime. The Islamic State also used DDoS attacks in attempts to knock out online services used in Western countries. Fittingly, Anonymous has also targeted the Islamic State with denial of service attacks.

Jeffs suggested motivations for a denial of service attack could be as simple as a high school kid trying to avoid taking a test, in which case the kid could download an online tool or pay for an attacker to target a school’s computer systems.

"If you are online, you are not immune to DDoS attacks,” Jeffs said. “Every industry is a juicy target for somebody."

How To Defend Against An Attack

Because of the accessibility of tools needed to carry out an attack and the myriad of motivations for launching one, DDoS attacks aren’t going away.

The Internet of Things has ensured that as well. Huge numbers of internet-connected machines are being brought online all the time, most of them with easily accessible default passwords that a user will never bother to change. Such devices are easy to hijack and can be turned into zombie devices, ready to do the bidding of an attacker who has manipulated them.

The lack of security protocols in IoT devices led to the Mirai botnet, a massive collection of unsecure internet-connected machines that attackers used to launch a denial of service attack against domain name system provider Dyn. The attack knocked major web services including Twitter, Spotify, Pinterest, Imgur, Reddit, CNN and others offline.

Luckily, there are steps organizations can take to fend off such attacks—if not stopping them, then at least mitigating the damage that can be done by them.

"When we talk about internet security, we think the right approach is a defense in-depth solution. There is no one solution that is the best solution that is going to protect you from everything,” Jeffs said. “What you do is you layer your defensive solutions in order to try to break up attacks as they come through with multiple tools."

Jeffs advised organizations to use a content delivery network (CDN) to act as a buffer between the origin of content and the backend infrastructure that can be vulnerable to an attack. He also advised utilizing tools to block traffic that can be identified as malicious, including geoblocking and whitelisting and blacklisting certain traffic origins.

He also advised using services that can push traffic off and remove bad requests, and suggested implementing firewalls to protect web applications from attacks.

"The more layers you can add, the better,” he said. “The more things you can put between your infrastructure and the bad guys in the realm of security, the better off you're going to be."