In Cybersecurity and Fashion, What's Old Is New Again

What a recent rise in DDoS attacks portends — and how to prepare for 2024.

Chaz Lever, Senior Director of Security Research, Devo

December 28, 2023

5 Min Read
Broken red padlock, indicating a cybersecurity incident, in a field of closed blue padlocks
Source: NicoElNino via Alamy Stock Photo

COMMENTARY

While distributed denial-of-service (DDoS) attacks and zero-day threats are nothing new in cybersecurity, they're still happening regularly for a simple reason: They work. In early November 2023, OpenAI blamed a DDoS attack for intermittent ChatGPT issues, and one of the largest known denial-of-service attacks hit major internet companies in October. The same group of bad actors — Anonymous Sudan — has taken credit for both the ChatGPT attack as well as the one that hit Cloudflare in October.

While DDoS attacks historically stemmed from vulnerabilities in Internet protocols (e.g., SYN flood, Smurf attack), the focus later shifted to Internet of Things (IoT) devices. These new kids on the block were easy to infect through some combination of misconfiguration and zero-day exploits, and unfortunately, they still are. It's time to take a closer look at why these attacks are back with a vengeance and how to make sure your organization's anti-DDoS strategy is well-bolstered.

History Repeats Itself

Mirai, one of the largest-scale DDoS attacks back in 2016 and 2017, heralded a shift in attack methods that continues today. Bad actors launch attacks on device vulnerabilities, infect them en masse, and then use them to execute DDoS attacks. A vulnerability in a device will arise and be widely infected, leading to the "patch, rinse, repeat" cycle. Industry reports suggest DDoS overall is on the rise. One infrastructure company reported a 200% increase from 2022 to 2023.

Correlated with this rise in DDoS, CISA officials have reported a surge in zero-day exploits in the past six months and, together with the FBI, recently warned about the latest vulnerabilities in Atlassian solutions — potentially resulting in lots of vulnerable Internet-facing devices. That's not to mention Cisco's disclosure of a Web UI-based critical zero-day that infected more than 40,000 devices. What's behind this surge? Unfortunately, new vulnerabilities will always crop up despite constant improvements. A lot of work goes into trying to make sure that doesn't happen, but developing new technologies is hard and prone to human error.

The IoT Pain Point

Vulnerable IoT will continue to contribute to the rise in DDoS attacks. The ecosystem remains relatively unregulated; there aren't yet minimum-security controls before a device can come online. There's more momentum for the concept of "security by design," but it's still early days. So, there's nothing that requires a device manufacturer to have good security hygiene.

Meanwhile, new tech vendors without experience in securing devices are entering the market — and their devices are coming online in waves. That means there will be more DDoS attacks targeting IoT devices. This is going to make security painful for a while.

The Dark Side of New Protocols

IoT threats aren't the only concern on the DDoS front. In efforts to upgrade existing Internet infrastructure, new network protocols have been developed to enhance the performance of aging protocols. HTTP/2 was developed to improve many of the shortcomings of the original HTTP protocol, but new flaws in this protocol have made many web servers vulnerable to a new "rapid reset" attack. This vulnerability will likely linger for years until vulnerable Web servers are patched or upgraded. This specific threat highlights the challenge of developing secure protocols, but this isn't unique to HTTP/2. Every time a new Internet protocol is introduced, security pros gradually find and address new vulnerabilities. As a result, issues in newly developed or older network protocols will continue to enable new denial-of-service attacks.

Staying Ahead of the Curve

With DDoS and zero-days on the rise, cybersecurity professionals must take stronger steps to protect their organizations. In 2024, there's an opportunity to take a closer look at your security policies and procedures, especially concerning the services and devices your organization uses.

The prevailing wisdom has moved beyond a castle-and-moat perspective to realizing that breaches are inevitable. The question is how quickly you can detect and deal with a breach once it happens. There have been cases where a breach has lasted a long time because companies didn't know what to do or had to take drastic measures and take their systems offline.

A robust strategy for stopping DDoS attacks should address the following aspects:

Implement Scalable Infrastructure and Redundancy

  • Use load balancers to distribute traffic evenly across multiple servers. In a DDoS attack, traffic can be distributed across multiple resources, making it harder for attackers to overwhelm a single point of failure.

  • Leverage cloud-based DDoS mitigation services from providers like Akamai, AWS, Azure, Cloudflare, or Google. These services can absorb and filter malicious traffic before it reaches your infrastructure.

  • Design your network and infrastructure with failover mechanisms and redundancy to enable business continuity during an attack. This can involve having backup servers, data centers or service providers.

Employ Traffic Monitoring and Anomaly Detection

  • Continuously monitor your network traffic for unusual patterns and spikes in volume. Use tools and software that can detect anomalies in real time.

  • Use behavioral analysis to identify abnormal user behavior, such as a sudden increase in login attempts or requests from a single IP address.

  • Implement flow monitoring tools like NetFlow or sFlow to gain visibility into traffic flows and identify potential DDoS attacks.

Deploy Network Security Measures

  • Deploy firewalls and intrusion detection and prevention service (IDPS) devices to filter incoming traffic and detect and block malicious traffic patterns.

  • Use a content delivery network (CDN) to distribute and serve your content from multiple geographically distributed servers. CDNs can absorb a significant portion of traffic during an attack.

  • Implement rate-limiting and traffic-shaping policies to throttle and control incoming traffic, preventing it from overwhelming your network.

As long as there is an Internet, bad actors will do everything they can to exploit its weaknesses. As 2024 approaches, businesses must take the uptick in DDoS and zero-day attacks seriously. If security leaders are tracking the risk, keeping an inventory of potentially vulnerable services and devices, and implementing the right security tooling and procedures outlined above, they stand a better fighting chance of mitigating the impact of DDoS and zero-days in the new year.

About the Author

Chaz Lever

Senior Director of Security Research, Devo

Chaz Lever is a security researcher with over a decade of experience. He is currently the Senior Director of Security Research at Devo. He received his B.S. in computer science from Duke University, M.S. in computer science from Wake Forest University, and PhD in computer science from the Georgia Institute of Technology. Dr. Lever’s research has focused on large-scale measurements and data analysis with a focus on network security applications, and his work has appeared at numerous top academic and industry security conferences. Beyond his academic work, Dr. Lever also has industry experience developing scalable, data-centric applications in the business intelligence, financial services, and government spaces. At Devo, his team is focused on building out modern, next-generation security solutions leveraging big data and data science.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights