
DDoS attacks: evolving threats need evolved responses

On 25-10-2024

Reading time: 5 minutes

If you’ve been the victim of a Distributed Denial of Service (DDoS) attack, you’ll know what a threat it can be. It can cause financial losses, brand damage, and even lost customers. Like many cyber-attacks, DDoS is evolving, becoming more sophisticated and dangerous. Real-time threat intelligence is key to protecting your assets and customers.

In the second half of 2023 there were over 7 million DDoS attacks, a 15% increase on the first half of the year, according to NETSCOUT. DDoS attacks are typically used to extort money from targets or for political hacktivism. The types of companies attacked vary, with telcos, governments, and cloud providers often to the fore, but high-traffic industries like gaming and gambling are also being increasingly targeted.

Most DDoS attacks are volumetric: they send massive amounts of traffic to targeted servers, causing network congestion, packet loss, and service disruption. The biggest attack by bandwidth in 2023 reached a huge 1.096Tbps, but attacks are evolving: in H2 2023, 52% of DDoS attacks included more than one attack vector, making them more difficult to deal with. Experts note that the most damaging attacks typically combine a volumetric attack designed to attract attention with smaller, less detectable attacks that probe for network vulnerabilities or steal sensitive information.

Hackers are evolving too

Today, most attacks are generated by a few well-organized and technically savvy hacktivist and politically motivated groups. The days of the lone hacker are over. Individuals can also express their political demands by letting their PCs be used as part of botnets. Attacks are therefore spread across many more sources, making them more difficult to counter.

Applicative DDoS attacks are on the rise

Applicative attacks aren’t a new type of DDoS attack, but are growing in frequency. These attacks are highly targeted, and are generally aimed at a specific application on a specific customer site. They are low-volume and highly personalized, making them particularly difficult to detect, but no less damaging.

Targets that don’t have advanced DDoS defense systems find it hard to differentiate the incoming attack traffic from legitimate outbound web browsing and other common end-user activities. A relatively small volume of traffic can have a snowball impact on the initial target along with other services. This causes a collective overload of servers and infrastructures.

Threat Intelligence to identify weak signals

Operators now have many safeguards in place, so spoofing (changing the source IP address to disguise an attacker's origin IP) is rarely possible. Hackers must therefore use real IP addresses and tend to reuse the same ones.

Real-time threat intelligence solutions proactively identify and prioritize suspicious botnets. They dissect trends and attack methodologies, and provide actionable recommendations on necessary defense steps. So, attacks can be blocked extremely quickly, reducing the burden on clean-up equipment, minimizing downtime and preventing greater damage. These solutions transform defense strategies from reactive to predictive.

How Orange Wholesale International is addressing the issue

We’ve recognized the evolution of DDoS threats and have put robust solutions in place to deal with these attacks:

  1. Traffic visualization. We use advanced tools to analyze regular traffic versus unusual or “attack” traffic, which enables us to rapidly identify anomalies and spikes that indicate malicious actors.
  2. Traffic blocking at the edge. We use BGP Flowspec technology to deploy access lists on network access equipment. Flowspec lets routers apply dynamic rules to specific types of traffic, based on criteria such as source, destination, protocol, or port. In practice, it means that any traffic from a specific entry point to a DNS server that reaches an abnormal volume is immediately identified and blocked at the edge. And while it can mean a small amount of genuine traffic being blocked, it gives a rapid response that minimizes any impact of DDoS attacks.
  3. Traffic blocking at the core. The part of the attack traffic that is not blocked at the edge is then redirected to cleaning centers at the heart of our network. Only the machines under attack are redirected, to the cleaning center closest to the point of entry into our network. The customer then has access to over 1Tbps of cleaning capacity.
  4. Collaboration with customers. We work closely with our customers to define, test, and fine-tune defenses against all types of attacks, including applicative ones, and give customers access to our platform to keep them as informed as possible. Customers with in-house cybersecurity resources have maximum information and increased agility to make quick, accurate decisions about defensive actions.
  5. Investing in cutting-edge DDoS protection and intelligence. We’re testing a new service designed to analyze traffic sent to our scrubbing centers. Using data analytics and AI, we perform behavioral analysis that can differentiate even the smallest suspicious attacks from regular traffic. This approach lets us identify which traffic to block, limiting the impact on genuine traffic. The result is significantly reduced false positives, which gives us the power to set aggressive thresholds for attack detection.
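As an added illustration of the detection-then-Flowspec flow described in points 1 and 2 above (example code written for this page, not Orange Wholesale International's tooling): it aggregates constructed flow records per entry point, flags flow keys whose volume exceeds a multiple of a constructed baseline, and renders each as a Flowspec-style discard rule. The entry-point names, addresses, thresholds and rule format are assumptions; real Flowspec syntax is vendor-specific.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic), one tuple per exported flow:
# ingress point, destination IP, protocol, destination port, bytes seen in the window.
FLOWS = [
    ("pop-paris-edge1", "203.0.113.10", "udp", 53, 9_000_000),
    ("pop-paris-edge1", "203.0.113.10", "udp", 53, 8_500_000),
    ("pop-paris-edge1", "203.0.113.10", "udp", 53, 7_000_000),
    ("pop-paris-edge1", "203.0.113.10", "tcp", 443, 400_000),
    ("pop-london-edge2", "203.0.113.10", "udp", 53, 600_000),
    ("pop-london-edge2", "198.51.100.7", "tcp", 443, 1_200_000),
]

# Constructed baseline: typical bytes per window for each (ingress, dst, proto, port) key.
BASELINE = {
    ("pop-paris-edge1", "203.0.113.10", "udp", 53): 1_000_000,
    ("pop-paris-edge1", "203.0.113.10", "tcp", 443): 500_000,
    ("pop-london-edge2", "203.0.113.10", "udp", 53): 500_000,
    ("pop-london-edge2", "198.51.100.7", "tcp", 443): 1_000_000,
}
DEFAULT_BASELINE = 500_000   # assumed value for keys with no history
MULTIPLIER = 5               # assumption: "abnormal volume" means more than 5x baseline

def aggregate(flows):
    """Sum bytes per flow key: the per-entry-point view a visualization tool would show."""
    totals = defaultdict(int)
    for ingress, dst, proto, port, nbytes in flows:
        totals[(ingress, dst, proto, port)] += nbytes
    return dict(totals)

def find_anomalies(totals, baseline, multiplier=MULTIPLIER):
    """Return the flow keys whose volume exceeds multiplier x their baseline."""
    return [k for k, v in totals.items()
            if v > multiplier * baseline.get(k, DEFAULT_BASELINE)]

def flowspec_rule(key):
    """Render an anomalous key as a Flowspec-style match/action pair using RFC 8955 match
    components (destination prefix, IP protocol, destination port). Flowspec has no ingress
    interface component, so the ingress name only selects which edge router gets the rule."""
    ingress, dst, proto, port = key
    return {
        "install_on": ingress,
        "match": f"destination {dst}/32 protocol {proto} destination-port {port}",
        "action": "discard",
    }

def rules_for(flows, baseline=BASELINE):
    """Full pipeline: aggregate, detect abnormal volume, emit one rule per anomaly."""
    return [flowspec_rule(k) for k in find_anomalies(aggregate(flows), baseline)]
```

On the constructed data only the Paris entry point's UDP/53 traffic to 203.0.113.10 exceeds its threshold, so a single discard rule is produced for that edge router; the London DNS traffic to the same host stays below threshold and is left alone.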

DDoS attacks can be complex and difficult to manage, but Orange Wholesale International is taking proactive steps to keep our customers safe with the latest detection and protection tools. As attacks evolve, they jeopardize service availability and can compromise trust and business continuity – it’s crucial to keep ahead of the threats with enhanced security.
