The Landscape of DDoS Attacks and Guidance to Prepare Your Defense for 2022’s Most Common DDoS Attacks

Posted on

Businesses of all sizes, in all industries, are vulnerable to DDoS attacks. This statement is as true today as it was when I first wrote about the state of DDoS attacks in 2016. Distributed denial-of-service (DDoS) attacks not only interrupt the availability of applications, but also distract security teams while other, often more damaging, intrusions are carried out.  

A DDoS attack works by flooding a server, or the network in front of it, with more traffic than it can handle, overloading it to the point where it can no longer serve legitimate users. Because the traffic arrives from many different sources, it is far harder to block than a single-source flood. DDoS attacks are disruptive and, in a matter of seconds, can bring business operations to a halt.  

The cybersecurity threat landscape has changed and become more sophisticated in the years since I last published on this topic, but one thing that has not changed is that DDoS attacks are still a preferred attack method used by cybercriminals to target organizations of all shapes and sizes.  

This blog explores the updated DDoS threat landscape with data from 2022 and offers a guide to DDoS protection.  

What is a DDoS Attack? 

A DDoS attack is a type of cyberattack designed to prevent legitimate access to a website or application. As the name implies, cybercriminals controlling a DDoS attack use multiple devices distributed over the internet to mount the attack.  

A DDoS attack aims to flood the targeted service with so many requests and so much network traffic that the servers hosting the website or application cannot respond, to the point where the service becomes inoperable.  

The DDoS Attack Landscape in 2022

Data from reports, surveys, and industry publications indicate an increase in the volume and size of DDoS attacks since we last published on the topic. A few that stood out:  

What is the Purpose of a DDoS Attack? 

DDoS attacks are carried out for a multitude of reasons, including financial gain, deflection, industrial espionage, ideological or political reasons, or state-sponsored attacks. If you seek more information on DDoS attacks, including the types of DDoS attacks and recommended protection against them, visit the Kemp glossary entry for DDoS attacks.  

Notable DDoS Attacks 

General statistics about the trends in DDoS attacks, as outlined above, are important and required to demonstrate the need for DDoS protection and mitigation measures. Taking it a step further, calling out notable DDoS attacks and their impacts helps drive the point home. Here are some notable DDoS attacks that have made headlines in the last few years.  

The Library of Congress – 2022 – A symbolic target rather than a financially damaging one. On July 7, 2022, the Library of Congress’ website fell victim to a DDoS attack, and public access to the site was disrupted for two hours. KillNet, a pro-Russian cybercrime group, launched a series of DDoS attacks on targets around the world, including Congress.gov. A spokesperson said existing measures were used to mitigate the attack and minimize downtime.  

Amazon Web Services (AWS) – 2020 – Many of the services we rely on for business and entertainment are underpinned by cloud services running on AWS, making the platform a major target for cybercriminals looking to disrupt services or extort money via attack vectors such as DDoS ransom attacks. In February 2020, AWS experienced the largest DDoS attack on record at the time. The attack targeted a customer hosting their services on AWS, used CLDAP reflection, lasted for three days and peaked at 2.3 Tbps (terabits per second). Amazon discussed the attack in the AWS Shield Threat Landscape Report for Q1 2020. Since 2020, both the size of attacks and the number of attacks deployed have increased significantly.  

GitHub – 2018 – GitHub is the de facto standard repository for developers to store, share, and version control code. Microsoft announced its acquisition of GitHub in June 2018; a few months earlier, on February 28, 2018, a significant DDoS attack hit GitHub, taking the website offline for about 5 minutes. The attack was notable because it did not exploit a bug in GitHub at all: it abused publicly exposed memcached servers (an in-memory caching system that, at the time, answered unauthenticated UDP requests from anyone) as a reflection and amplification vector. Small requests with a spoofed source address of GitHub produced responses up to 51,000 times larger, all sent to GitHub, with the traffic peaking at 1.35 Tbps. The attack used about 1,000 systems, but the amplification delivered the effects of 50,000. Though the traffic spikes were large and overwhelming, downtime was limited because of the DDoS protection GitHub had in place. The disruption shows that more is needed beyond standard protocols to protect against the ever-changing DDoS threat landscape.  

DDoS Attack Prevention 

What I suggested five years ago about DDoS attacks is still true today. DDoS attacks can cost upwards of $100,000 an hour in some of the worst-case scenarios — and since most DDoS attacks span several hours, losses add up quickly. Preventative action is necessary to thwart, impede, and stop these threats before damage can be done.  

How do you fight these multi-pronged attacks? To defend against DDoS attacks, companies need a multi-dimensional or layered defense approach to secure their network and applications. Traffic that gets past a company’s first line of defense is met by the next line, and each layer removes a further share of the attack, so that the threat reaching the application is minimized.  

Load balancers, like the Progress Kemp LoadMaster, are ideally suited for inclusion in a layered security model. Load balancers spread workloads across multiple servers to prevent overloading.  

Can I Use a Load Balancer for DDoS Protection?

Yes, a load balancer can be used to eliminate single points of failure and reroute traffic if a server should fall victim to a DDoS attack. Load balancers add resiliency by rerouting live traffic from one server to another if a server should fall prey to a DDoS attack or otherwise become unavailable. Because the load balancer terminates client connections itself, the backend servers are never directly reachable, which reduces the attack surface and makes it harder for an attacker to exhaust server resources. Note that a load balancer on the target side cannot stop a volumetric flood from saturating the upstream link; that has to be absorbed before the traffic arrives.  

It should be noted that the primary defense against DDoS attacks, particularly volumetric attacks, is provided by network providers or dedicated DDoS protection providers, like Cloudflare, Akamai, and Imperva. Both AWS and Microsoft Azure also provide DDoS protection services for their cloud platforms. But strategically placed load balancers can be used as part of a broader solution to mitigate the impacts of DDoS attacks.  

For example, a load balancer can be used to reroute traffic if a server is hit with a DDoS attack. This includes regional routing of traffic using Global Server Load Balancing (GSLB). Load balancers also reduce the attack surface visible to attackers.  

How LoadMaster can help mitigate DDoS attacks

  • LoadMaster load balancers can require all connection requests to a server to pass a CAPTCHA prompt. This can be applied to all connections, including unauthenticated ones. The LoadMaster intercepts the request and drops it when the CAPTCHA fails, so automated clients cannot reach the application or web servers with direct requests. This is effective against application-layer floods from bots; it does not reduce the volume of packets arriving at the LoadMaster itself, which is why it belongs behind upstream scrubbing rather than in place of it.  
  • IP reputation information can be used by LoadMaster when evaluating connection requests. Many sources of IP address reputation data are available from reputable security providers. LoadMaster can ingest this data and reject connection requests from addresses and ranges known to be used by bad actors or seen in earlier DDoS attacks, before they consume any connection or request quota.  
  • Restricting the number of connections allowed and what they can do is also a method you can implement using the LoadMaster. This is known as rate limiting or quality of service (QoS). Rate limiting works on inbound activity and can protect against DDoS attacks as well as other high-rate abuse such as brute-force password-guessing attacks. Using rate limiting, you can configure restrictions via the methods listed below. Doing so prevents attackers from swamping the application delivery controller. The QoS settings are:  
    • Max connections 
    • Connections Per Second (CPS) rate 
    • Requests per second (RPS) rate 
    • Bandwidth Limits  
      • Global: Across all clients accessing a virtual service  
      • Client: For a single IP address or subnet accessing a virtual service 
      • Virtual Service: For any client accessing a specific Virtual Service or SubVS 
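As an added illustration of how these QoS controls compose, the following Python admission check evaluates each incoming connection against a reputation blocklist and then against max-connection, CPS and RPS limits at client, virtual-service and global scope. This is example code written for this page, not LoadMaster's implementation; the blocklist CIDRs, the limits, the virtual service name and the traffic are all constructed, and bandwidth limits are left out because they need byte accounting on the data path.

```python
"""Admission control modelled on a load balancer's QoS settings: an IP reputation
blocklist, then max-connection, CPS and RPS limits at client, virtual-service
and global scope. Added example for illustration; not LoadMaster's code."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed reputation feed: ranges a (hypothetical) reputation provider flagged.
BLOCKLIST = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.7/32")]


@dataclass
class Limits:
    max_connections: int   # concurrently open connections
    cps: int               # new connections per second
    rps: int               # requests per second


@dataclass
class Counters:
    conns_open: int = 0
    conn_times: deque = field(default_factory=deque)  # accepted connection timestamps
    req_times: deque = field(default_factory=deque)   # accepted request timestamps


class AdmissionController:
    """Bandwidth limits are left out; they need byte accounting on the data path."""

    def __init__(self, global_limits, client_limits, vs_limits):
        self.limits = {"client": client_limits, "vs": vs_limits, "global": global_limits}
        self.global_counters = Counters()
        self.client_counters = defaultdict(Counters)   # keyed by source IP
        self.vs_counters = defaultdict(Counters)       # keyed by virtual service name

    @staticmethod
    def _rate(times, now):
        """Events in the trailing one-second window (sliding window, not a fixed bucket)."""
        while times and now - times[0] >= 1.0:
            times.popleft()
        return len(times)

    def _violation(self, scope, c, now, new_conn):
        lim = self.limits[scope]
        if new_conn and c.conns_open >= lim.max_connections:
            return f"{scope}: max connections"
        if new_conn and self._rate(c.conn_times, now) >= lim.cps:
            return f"{scope}: CPS"
        if self._rate(c.req_times, now) >= lim.rps:
            return f"{scope}: RPS"
        return None

    def admit(self, src_ip, vs, now, new_conn=True):
        """Return (accepted, reason). Reputation is checked first because it is the
        cheapest test and drops known-bad sources before they consume any quota."""
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in BLOCKLIST):
            return False, "reputation"
        scoped = [("client", self.client_counters[src_ip]),
                  ("vs", self.vs_counters[vs]),
                  ("global", self.global_counters)]
        for scope, c in scoped:
            why = self._violation(scope, c, now, new_conn)
            if why:
                return False, why
        for _, c in scoped:            # charge every scope only once all checks pass
            if new_conn:
                c.conns_open += 1
                c.conn_times.append(now)
            c.req_times.append(now)
        return True, "ok"

    def close(self, src_ip, vs):
        for c in (self.client_counters[src_ip], self.vs_counters[vs], self.global_counters):
            c.conns_open = max(0, c.conns_open - 1)


def simulate():
    """Constructed traffic: one source opening 50 connections in a second, one
    blocklisted source, and five ordinary clients, against a web virtual service."""
    ctl = AdmissionController(
        global_limits=Limits(max_connections=1000, cps=500, rps=2000),
        client_limits=Limits(max_connections=20, cps=10, rps=50),
        vs_limits=Limits(max_connections=200, cps=100, rps=500))
    outcome = defaultdict(int)
    for i in range(50):
        outcome[ctl.admit("192.0.2.10", "web-vs", i * 0.01)[1]] += 1
    outcome[ctl.admit("203.0.113.7", "web-vs", 0.5)[1]] += 1
    for i in range(5):
        outcome[ctl.admit(f"192.0.2.{100 + i}", "web-vs", 0.5 + i * 0.1)[1]] += 1
    return dict(outcome)


if __name__ == "__main__":
    print(simulate())   # {'ok': 15, 'client: CPS': 40, 'reputation': 1}
```

The point of the ordering is that a single aggressive client is cut off by its own per-client CPS limit before it makes a dent in the virtual-service or global quota, so the five ordinary clients in the same second are admitted untouched; the blocklisted source is rejected without being counted anywhere.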

How LoadMaster Responds to a Suspect DDoS Attack 

When the LoadMaster detects a high volume of inbound connection attempts, it engages a mechanism that rejects connections from spoofed source addresses, so inbound queues are not filled by connection requests that will never be completed. Kemp 360 Vision, which is available to our Enterprise Support and Enterprise Plus Support customers, will not only identify a suspected attack but also notify the relevant administrator.  
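The page does not say which mechanism LoadMaster uses for this. The classic stateless technique for the problem is the SYN cookie, and the following added Python example (written for this page, not LoadMaster code) shows how it lets a server answer spoofed SYNs without keeping any half-open state while still validating the ACK that completes a genuine handshake. The secret, the addresses, the time values and the flood are constructed; the cookie layout is simplified (real implementations also encode the client's MSS).

```python
"""SYN-cookie style stateless handshake validation. Added illustration of the
classic technique for surviving spoofed-source SYN floods; the page does not
say which mechanism LoadMaster uses, so this is not a description of it."""
import hashlib
import hmac
import socket
import struct

SECRET = b"per-instance secret, rotate it"   # constructed for the example


def _mac24(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed hash over the 4-tuple and the time slot."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHB", src_port, dst_port, slot))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def time_slot(now):
    """64-second slots, 8 bits wide; cookies from the previous slot stay valid."""
    return (int(now) // 64) & 0xFF


def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Initial sequence number for the SYN-ACK. Everything needed to verify the
    later ACK is derived from the key, so the server stores no half-open entry."""
    slot = time_slot(now)
    return (slot << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, slot)


def check_ack(src_ip, src_port, dst_ip, dst_port, ack, now):
    """Accept the handshake only if ack-1 is a cookie we could have issued in the
    current or previous slot. A spoofed source never sees the SYN-ACK, so it
    cannot produce a valid ACK; a forged ACK fails the keyed hash."""
    isn = (ack - 1) & 0xFFFFFFFF
    slot = isn >> 24
    cur = time_slot(now)
    if slot not in (cur, (cur - 1) & 0xFF):
        return False
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, slot).to_bytes(3, "big")
    return hmac.compare_digest((isn & 0xFFFFFF).to_bytes(3, "big"), expected)


def simulate_flood(n_spoofed=10000):
    """Constructed scenario: n spoofed SYNs, one genuine client, one forged ACK
    carrying a correct time slot but a guessed hash, and one stale replay."""
    half_open = {}                      # would fill up without cookies; stays empty
    now = 1_700_000_000
    vip = "192.0.2.1"
    for i in range(n_spoofed):          # reply SYN-ACK to each spoofed SYN, store nothing
        make_cookie(f"198.51.100.{i % 256}", 40000 + (i % 20000), vip, 443, now)
    isn = make_cookie("192.0.2.55", 51515, vip, 443, now)
    slot = time_slot(now)
    return {
        "half_open_entries": len(half_open),
        "genuine_accepted": check_ack("192.0.2.55", 51515, vip, 443, isn + 1, now + 1),
        "forged_accepted": check_ack("198.51.100.9", 40009, vip, 443,
                                     ((slot << 24) | 0x123456) + 1, now + 1),
        "stale_accepted": check_ack("192.0.2.55", 51515, vip, 443, isn + 1, now + 200),
    }


if __name__ == "__main__":
    print(simulate_flood())
```

The cost of the approach is visible in the code: the server gives up on remembering anything about the SYN, so it also gives up on TCP options it cannot encode into 32 bits, and a lost SYN-ACK is not retransmitted. That is why such mechanisms are switched on only once a queue is under pressure rather than used all the time.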

Who is Vulnerable to DDoS Attacks? 

DDoS cyberattacks are an unfortunate fact of life in the modern business landscape, and any company with an online presence is, in principle, vulnerable to such an attack. While the cost of dealing with a DDoS attack can run to six figures, the negative impacts go beyond financial loss to customer trust and reputation.  

Early detection of DDoS attacks can make a quantifiable difference in having the least negative impact on your network and your business. Learn more about how to block illegitimate traffic and stay on top of rising threats with Progress Kemp.  

Secure Applications with LoadMaster

LoadMaster is the premier choice for organizations requiring load balancing. With more than 100,000 deployments, LoadMaster offers the most capable solutions for load balancing to ensure applications are secure, highly available, and running at peak performance.  

Talk with a technical expert to learn how to protect your organization from a DDoS attack and to outline protection steps and mitigation measures.  

Maurice McMullin

Maurice McMullin is a Principal Product Marketing Manager at Kemp with too many years of experience in the development and marketing of networking and security products. He has worked in organizations of all sizes, ranging from two-person startups through to multinationals, in roles as varied as programmer and CTO.