September 2021 is a milestone in the cybersecurity world. It marks the 25th anniversary of the first DDoS attack.
On September 06 1996, New York’s oldest commercial internet provider, Panix, experienced the first known SYN flood DDoS attack. A quarter of a century later, Russian internet giant Yandex reported the largest volumetric DDoS attack in the history of the internet, with a monstrous 22 million requests per second.
DDoS attacks have become more prevalent, more extensive, and more harmful. Now is the time for a wake-up call.
What Has Not Changed in 25 years?
It’s amazing how little has changed with DDoS attacks. They are still one of the easiest and cheapest ways to cause damage to a business and that is why they’ve remained so relevant. The following are three examples of what hasn’t changed.
Standard Proven Attack Mechanisms
DDoS attack techniques are effective, cheap, easy, and highly scalable. Bot networks remain the primary attack delivery mechanism because they are so readily available and cheap to hire. The increase in the size of bot networks and their compute power has been the force multiplier for DDoS attacks, which has seen them grow ~20% year over year. Most DDoS protection is now cloud based to address these larger attacks.
Soft Laws and Penalties, Slow Judiciary Process, Very Few Convictions
While laws exist to punish those who perpetrate DDoS attacks, effective enforcement and punishment remains an issue. As per the US Federal Computer Fraud and Abuse Act, DDoS attacks carry penalties of up to 10 years in prison and a $500,000 fine. But this does not seem to be a significant deterrent when a DDoS bad actor can make so much money with DDoS ransom attacks and the chances of being caught and prosecuted remain negligible. In 2020, there were more than 10 million DDoS attacks, but fewer than 10 attackers were sentenced.
"DDoS attacks are still one of the easiest and cheapest ways to cause damage to a business"
CISOs’ Thoughts on DDoS Attacks – Tactical, Not Strategic
If you fight a war for decades and continue to fight, it becomes part of daily life. CISOs believe that we will never ‘end’ DDoS attacks. At this point, DDoS attacks are simply a cost of doing business and an inevitable issue for IT and security teams. The focus for IT has remained tactical--not strategic—and they deal with DDoS attacks as they occur. The impact of attacks has largely remained the same.
What Has Changed in 25 Years?
We have witnessed two frightening changes over the past 25 years:
Economic Gain is a Strong Motivation for Ransom DDoS Attacks
In the past, the motivations for DDoS attacks were varied and rarely included financial gain. Bad actors were simply looking to cause disruption in the name of hacktivism, to gain bragging rights, or to create a smokescreen while stealing company data. Now, however, we frequently see DDoS ransom attacks being carried out with the sole intent of monetary gain. Economic gain is a huge motivation!
For bad actors, the market size for DDoS ransom attacks is billions of dollars because there are so many businesses across the globe that are ill-equipped to defend against a massive DDoS attack. Companies are often willing to pay a ransom to avoid a potential DDoS attack as their business depends on the internet. Additionally, the growth of cryptocurrency has made ransom payments much easier and more difficult to trace the bad actors. DDoS attacks have become a very attractive business model for bad actors.
Orchestrating Attacks is Simple
DDoS attacks are no longer the sole domain of professionals. Even a high-school student can hire a DDoS attack-as-a-service or a bot network on the dark web with a few dollars. Furthermore, one can download a DDoS attack kit to start a DDoS attack. It’s that simple.
"One can download a DDoS attack kit to start a DDoS attack. It's that simple"
Many bad actors publish their source code free in the public domain for others to use, just like open source. This makes it difficult for law enforcement to trace a specific attack to any individual or group. Further, publishing code gives bad actors bragging rights and prestige in the dark web community.
What the Future Holds
So what will the next 25 years of DDoS look like? The biggest thing to be on the lookout for is the advent of 5G and hypergrowth of IoT devices.
With super high-speed 5G networks, attacks will become much bigger, especially since the number of IoT devices and their compute power will continue to explode. Many IoT devices continue to have security vulnerabilities, making them easier to target and recruit into a botnet. In 2021, there will be a projected 46 billion IoT devices.
DDoS attacks have become so commonplace and massive, and they are here to stay. IT will require newer, smarter, and more autonomous ways of DDoS mitigation. Power will continue to shift in favor of bad actors unless security industry best practices and the enforcement of laws quickly evolve.