You know what’s worse than a sudden attack that comes out of nowhere? A sudden attack that comes out of nowhere and batters the victim into submission without letting up or giving them any time for recovery. This is, unfortunately, an aspect of modern DDoS (distributed denial of service) attacks. Not only are these cyberattacks increasingly common and larger than ever in terms of the size of the attack, but they can also go on for longer, too. That’s really bad news for those on the receiving end.
A DDoS attack, for those unfamiliar with them, is a cyberattack in which a victim’s website or online service is bombarded with fraudulent requests, such as connection requests, often from large numbers of infected computers or IoT (Internet of Things) devices in so-called botnet attacks. In many of these volumetric attacks, the threat comes from the sheer number of requests that prove so overwhelming that a server is rendered helpless by the increased traffic and unable to cope with legitimate requests.
In the case of these attacks, it’s understandable why a longer duration assault would be desirable for the attacker (if certainly not for the victim). That’s because they allow cyberattackers to bring down services for a longer period of time. This can be incredibly damaging to the owner of the service or website, resulting in (unwanted) downtime, which could cost them customers. Even short duration site outages may cause a loss of sales and erosion in customer loyalty. Those effects are exacerbated as attacks grow longer.
Meanwhile, as the longer DDoS attacks hurt a company or service provider’s reputation, it can also cause considerable problems internally, since extended DDoS attacks sap company resources spent fighting them. The greater the number of packets that a system has to do its best to process, the longer this will take, and the more resources and network infrastructure is needed.
Attacks are getting longer and more sophisticated
In 2019, a DDoS attack lasted a massive 509 hours, measured based on the commands received by bots from command control servers. This attack — which equates to around 21 days of continuous attack — was significantly longer than the previous record for such a cyberattack. That was a 329-hour barrage that took place at the end of 2018.
These attacks might be on the high end in terms of their record-breaking length, but they nonetheless reflect a clear trend. DDoS attacks are getting more frequent, larger, more sophisticated — and longer. In May this year, there were seven major application DDoS attacks over the course of the month, with two of them lasting 5-6 days, surpassing 150,000 requests per second (RPS) by the attackers, and originating from 3,000 unique IP addresses in one instance and an astonishingly huge 28,000 in the case of the other.
One element driving the increased length of modern DDoS attacks is the size of some botnets. A sustained attack, as even the most entry level military strategist knows, requires one thing: lots of troops. Attackers launching sustained DDoS attacks can build and call into action enormous networks of infected computers. These machines can be infected through malicious software spread via emails, social media, and websites. After they have been infected (often without the owners’ knowledge that this has taken place), the infected machines may be utilized much like an army to launch wave after wave of attacks. Botnets can consist of thousands — or even millions — of infected computers.
DDoS attacks-for-hire
Unfortunately, DDoS attacks have also become more accessible. Underground markets allow customers to pay as little as $150 (or less) for a week-long DDoS attack on a victim. This means that launching sustained attacks does not come at a particularly big financial cost to the attacker. A longer attack will cost them only marginally more than an attack of brief duration, but will take a markedly bigger financial toll on its target.
Longer attacks serve an additional purpose, too. As noted, a big army can be used to carry out a sustained attack. However, it may also simply serve to intimidate would-be enemies. DDoS attacks are regularly tied to ransoms, in which a low-level attack is dispatched at first, alongside financial demands, usually asking to be paid in cryptocurrency. Cybercriminals attempting to pull off such a heist may then threaten that a worse DDoS attack will take place in the event that the demanded ransom isn’t paid.
As DDoS attacks have become a regular (if extremely unpleasant) aspect of life for websites or online services, some companies may simply decide to take the loss of a short-duration attack, and make better provisions in the future. Because attackers now have the capability to launch longer haul attacks (and occasionally demonstrate as much), companies are far less likely to simply decide to avoid paying a ransom due to knowing an attack will last only a short time.
Weaponizing time
Facing these kinds of growing threats, companies must defend more proactively against DDoS attacks. Deploying robust DDoS protection measures that intelligently monitor and block suspicious user requests and absorb multi-gigabyte DDoS attacks can — and will — save time, money, and reputation. The cyberattackers who launch multi-day DDoS attacks are banking on the fact that, while they can weaponize time by launching long duration assaults, businesses don’t have the same luxury of time to waste.
That’s why it’s important to act before this becomes a problem. No time like the present.