The email was noticed but dismissed as a baseless threat. Unfortunately, it was not a joke— the attack started only a few minutes later, taking the company’s servers offline for hours. This cost the company sales, time, and money to fix, and severely damaged their reputation by leaving frustrated customers unable to use the company’s website.
This was certainly not the first email threat or cyberattack of this kind. Many organizations have received similar Distributed Denial of Service (DDoS) ransom notes, experienced DDoS attacks, or both. With DDoS-for-hire services readily available, the likelihood that your business will experience or be affected by a DDoS attack will continue to rise. Prudent businesses should understand the threat, know where their own systems are exposed, and have a response plan ready before it is needed.
Importantly, no business is immune. Even companies with a significant online presence that devote massive resources to maintaining uptime are subject to these attacks, as shown by the widespread attacks on US banks in 2012, the attack on GitHub in 2018, and the record-setting attack Google disclosed in 2020. Even nations are not immune. In late June 2022, several official Norwegian government websites were hit by what was thought to be pro-Russian actors.1 Even with professional web security experts on staff, these large organizations still suffered outages. Imagine how much more vulnerable a small business might be to an organized attack.
In general, these attacks are fairly simple to coordinate and launch. Launching one requires no novel exploit, and, ransom demands aside, there is not necessarily any theft of money or intellectual property. A DDoS attack is essentially a form of sabotage: its goal is disruption, not the secrets that an espionage campaign would be after. It works by coordinating many sources to send high volumes of traffic at a company's servers or network links, so that the servers slow down or stop serving legitimate requests altogether.
Think of what would happen if the entire population of greater Chicago (approximately 12 million people) descended on a single small-town gas station to ask for directions, all at the same time. The number of requests would overwhelm the attendant, and the local folks (the regular web traffic) would be unable to get what they need.
In addition to the immediate operational consequences and loss of business, DDoS attacks damage a corporation's reputation and erode market confidence in the business. Today's consumers have many options, so if one company's website is down they will simply go elsewhere, and that lost trust can ultimately outweigh the immediate cost of the outage.
The sheer numbers involved in one of these attacks can be overwhelming. Attackers use botnets to coordinate their strikes, and they can route traffic through many different nations, all focused on knocking out a specific target. In August 2021, a European customer of Microsoft Azure was hit by a massive DDoS attack that peaked at 2.4 terabits (2.4 million megabits) per second, which Microsoft reported as the largest attack Azure had seen up to that time. More recently, an attack lasting only 30 seconds delivered 212 million requests from over 1,500 networks in 121 countries.2 Coordinated attacks of this scale would be enough to take down almost any unprepared host.
DDoS attacks can be divided into three broad groups, each with its own characteristics and mitigation techniques.
- Network-Level (volumetric) Attacks: These attacks aim to saturate an organization's bandwidth with sheer traffic volume, for example UDP floods or amplification attacks that bounce traffic off open third-party servers.
- Protocol-Level Attacks: These attacks exhaust the connection state and processing capacity of servers and network equipment (firewalls, load balancers) by abusing weaknesses in how protocols are handled, for example SYN floods that leave half-open TCP connections.
- Application-Level Attacks (Layer 7): These attacks send requests that look legitimate but are chosen to consume application resources (CPU, database queries, sessions), for example HTTP request floods against expensive pages. They can take an application down at comparatively low bandwidth, which makes them harder to distinguish from real traffic.
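The following is an added example, not code from the original article: a small detector for the Layer 7 case, run over constructed web-server access-log lines. It keeps a sliding time window over the log and flags two conditions that a practitioner wants to tell apart: a single source blowing through a per-IP request budget (which a simple per-IP rate limit catches), and a distributed flood in which no single source is noisy but the aggregate request rate is far above the site's baseline (which a per-IP limit alone misses). The log format, the thresholds and the sample traffic are all assumptions made for illustration.

```python
"""Sliding-window Layer 7 flood detector over access-log lines (added example).

Assumptions (not from the article): Common Log Format lines, a 10 s window,
a per-IP budget of 50 requests per window, and a site baseline of 5 req/s.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Common Log Format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, ip, path) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("path")


def detect_floods(lines, window_s=10, per_ip_limit=50, baseline_rps=5.0, spike_factor=10.0):
    """Analyse access-log lines with a sliding window of window_s seconds.

    Returns a dict with the sources that exceeded per_ip_limit in any window
    ('noisy_ips'), whether the aggregate request count in any window exceeded
    baseline_rps * window_s * spike_factor ('aggregate_spike'), the highest
    aggregate rate seen ('peak_rps') and the number of distinct sources in
    that peak window ('peak_sources').
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)  # skip malformed lines
    window = timedelta(seconds=window_s)
    spike_limit = baseline_rps * window_s * spike_factor
    per_ip = Counter()          # requests per source inside the current window
    noisy_ips, start = set(), 0  # start = index of the oldest event still in the window
    aggregate_spike, peak_rps, peak_sources = False, 0.0, 0

    for end, (ts, ip, _path) in enumerate(events):
        per_ip[ip] += 1
        while ts - events[start][0] > window:   # evict events older than the window
            old_ip = events[start][1]
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
            start += 1
        if per_ip[ip] > per_ip_limit:            # one source alone is over budget
            noisy_ips.add(ip)
        total = end - start + 1
        if total / window_s > peak_rps:
            peak_rps, peak_sources = total / window_s, len(per_ip)
        if total > spike_limit:                  # many quiet sources, loud in aggregate
            aggregate_spike = True

    return {"noisy_ips": noisy_ips, "aggregate_spike": aggregate_spike,
            "peak_rps": peak_rps, "peak_sources": peak_sources}


def make_sample_log():
    """Constructed sample traffic (not real data): 60 s of quiet baseline from
    three clients, then 200 bots sending 3 requests each within 2 s, then one
    address sending 80 requests in a single second."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []

    def add(t, ip, path):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    for s in range(60):                                   # baseline: 3 req/s
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            add(base + timedelta(seconds=s), ip, "/")
    for k in range(3):                                    # distributed flood
        for i in range(1, 201):
            add(base + timedelta(seconds=60 + k // 2), f"203.0.113.{i}", "/search?q=x")
    for _ in range(80):                                   # single-source flood
        add(base + timedelta(seconds=120), "192.0.2.66", "/login")
    return lines


if __name__ == "__main__":
    print(detect_floods(make_sample_log()))
```

In the constructed traffic every bot stays well under the per-IP budget, so `noisy_ips` contains only the single loud address, while the 600 bot requests push the window total past the 500-request spike limit and set `aggregate_spike`; that is the distributed case a per-source rate limit does not see, and why a baseline of total request rate per path or per site belongs alongside per-IP limits.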
Bad actors are getting more creative and consistently finding more opportunities for attacks. As internet-connected devices (doorbell cameras, connected refrigerators, smart lamps, etc.) become more commonplace, attackers have started conscripting them into botnets used for DDoS attacks.
A significant moment came with the 2016 attacks by the Mirai botnet. Mirai took over hundreds of thousands of surveillance cameras, digital video recorders and similar devices, largely by logging in with their factory-default credentials, and directed them to send coordinated requests at a chosen target. In October 2016 its attack on the DNS provider Dyn knocked out Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal, and other websites.3 To make matters worse, the Mirai source code was posted online and has been refined by malicious actors ever since, so new variants continue to appear.
While the Mirai botnet used connected cameras, any internet-connected device can be recruited, including personal computers and company servers. Sometimes organizations find themselves in the middle of these attacks even though they are not the target. In these indirect attacks, vulnerable servers are taken over and used as a source of attack traffic, costing the unwitting owner bandwidth, IT time, and other expenses, along with the embarrassment of having hosted part of someone else's attack.