The threat posed by DDoS attacks
In the past, DDoS attacks were often regarded as a nuisance but not especially dangerous. Today things have changed: modern DDoS tactics often work in conjunction with other techniques, such as disguising the infiltration of malware or, increasingly, serving as the basis of ransom attacks, where the attackers threaten to keep launching DDoS attacks from their botnets unless the company pays them.
According to the Neustar International Security Council, for instance, 70% of organizations hit by ransom-focused DDoS were targeted multiple times, and 36% admitted they paid up.
These attacks can therefore be hugely disruptive and costly. For instance, figures from Corero indicate the average cost of a DDoS attack in the US is around $218,000 before expenses such as ransom payments, but for bigger attacks aimed at large enterprises the figure can be far higher. For example, VoIP firm Bandwidth.com reported in 2021 that a DDoS attack on its servers was expected to cost as much as $12 million in total.
DDoS attacks can be highly destructive, so before you worry about investigating and tracing an attack, mitigation and recovery must be your top priority. Once that has been achieved, however, businesses should work with professional cyber security experts and law enforcement to trace the attack and prevent further incidents.
Can a DDoS attack be traced?
One of the biggest challenges of DDoS attack investigation is that it can be very difficult to trace an attack back to its source. This also makes DDoS especially attractive to attackers, who can often operate with a minimum of risk.
A major reason for this is the distributed nature of these attacks. Traffic aimed at servers originates from thousands of bots that can be anywhere in the world, and the controller has no direct contact with the machines themselves. Attackers have also developed increasingly effective methods of concealing their origins, using techniques such as onion routing, peer-to-peer (P2P) networks and obfuscation.
The types of DDoS attack to be aware of
A vital initial step in any efforts to trace a DDoS incident must be to understand the type of attack, which may allow you to reverse-engineer it back to the source. There are a couple of common methods for launching these.
The first is a centralized or client-server attack, where the controller gives instructions to central 'handlers', which in turn distribute them to the botnet. This is the simplest way of initiating an attack, but it does have its weaknesses. For instance, it means there is a single point of failure for the system, so if the handlers can be identified and shut down, this will take a large portion of the botnet offline with it.
However, more DDoS attacks are now turning to distributed botnets to avoid these weaknesses. These use P2P communications to make every bot on the network its own command and control server. Because they use digital signatures to prevent anyone else from gaining control, only the person holding the right key can command the botnet, making these types of attacks very hard to stop, let alone trace.
Using forensics to identify DDoS origins
This doesn't mean there's nothing you can do to track DDoS attacks, however. Once you've stopped the attack using trusted mitigation methods, you can try to turn the tables.
For starters, you can use IP tracebacks on the packets entering your network. This can give you information such as the bots' IP addresses and operating systems, their geolocation and their backbone network providers. You may even be able to contact the operators of those machines directly to get them shut down, though this is far from guaranteed.
The problem is that while this is feasible for small numbers of bots, you can't scale it across an entire botnet. What's more, even if you can reach them, breaking the encryption the attackers use to communicate with the bots will be very challenging for most businesses.
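A first-pass IP traceback of the kind described above, as an added example that is not code from the original article. It works over constructed flow records (source IP, observed IP TTL, packet count) of the sort a flow collector would export during a volumetric attack, recovers a likely initial TTL (a rough OS hint) and hop distance per source, and rolls sources up by network so that one abuse report per provider replaces chasing bots one at a time; the threshold and the TTL-to-OS table are assumptions, not values from the article.

```python
# Added illustration (not the article's own code): a first-pass IP traceback
# over constructed flow records (source IP, observed TTL, packet count) such
# as a flow collector would export during a volumetric attack. It recovers a
# likely initial TTL (rough OS hint), hop distance, and a per-network roll-up.
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records: (source_ip, observed_ttl, packets).
SAMPLE_FLOWS = [
    ("203.0.113.7", 52, 48000),
    ("203.0.113.19", 51, 45500),
    ("203.0.113.200", 117, 39000),
    ("198.51.100.4", 240, 61000),
    ("198.51.100.9", 52, 200),     # below threshold: treated as noise
    ("192.0.2.77", 115, 51000),
]

# Common initial TTLs; an observed TTL normally sits a few hops below one.
INITIAL_TTLS = {64: "likely Linux/Unix/macOS", 128: "likely Windows",
                255: "likely network device or BSD/Solaris"}

def infer_initial_ttl(observed):
    """Return (initial_ttl, os_hint, hops): smallest common initial TTL >=
    observed, and the gap as routers crossed. Spoofed packets may carry any
    TTL, so treat the result as a hint, not a fact."""
    for start in sorted(INITIAL_TTLS):
        if observed <= start:
            return start, INITIAL_TTLS[start], start - observed
    return None, "unknown", None

def summarise_sources(flows, prefix_len=24, min_packets=1000):
    """Roll attacking sources up by /prefix_len network, dropping low-volume
    noise. Each entry carries member sources, total packets and OS hints:
    the shape of report an upstream provider's abuse desk can act on."""
    report = defaultdict(lambda: {"sources": [], "packets": 0, "hints": set()})
    for src, ttl, packets in flows:
        if packets < min_packets:
            continue
        net = str(ip_network(f"{src}/{prefix_len}", strict=False))
        start, hint, hops = infer_initial_ttl(ttl)
        entry = report[net]
        entry["sources"].append({"ip": src, "initial_ttl": start, "hops": hops})
        entry["packets"] += packets
        entry["hints"].add(hint)
    return dict(report)

if __name__ == "__main__":
    for net, entry in summarise_sources(SAMPLE_FLOWS).items():
        print(net, entry["packets"], sorted(entry["hints"]))
```

Geolocation and provider lookup for each network would be a further step against a local ASN/geo database, which is deliberately left out here so the example runs offline.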
Another tactic is to use digital forensics to try to identify the controllers. Often, this will involve looking for mistakes they made when creating their botnets. Things to look out for include:
- Can you see any signs of their motivation? For instance, are they just looking to cause trouble, or are there financial goals?
- Where are they getting their resources? For example, did they use a DDoS Booter or a Botnet-as-a-Service?
- Is there a payment trail?
- Can you determine what type of tools they're using?
This intelligence can be highly useful to law enforcement investigators. Even with this information, DDoS attacks remain notoriously difficult to track down, but by using effective mitigation tools, refusing to pay ransoms and having an effective backup and recovery strategy, you can keep your risks as low as possible. And with effective forensic analysis tools, you might just be able to block attackers in the long term by helping track down and stop the perpetrators.