The Evolution of DDoS Attacks: Trends and Countermeasures

The UK’s National Crime Agency has identified two key cyberthreats to business – ransomware and DDoS attacks. But how do we find ourselves in this situation? And what can be done to better protect your organisation?

From bedroom to boardroom

Up until 2007, DDoS attacks were mostly carried out by hackers looking to create mischief. Generally these attacks were borne out of a desire to disrupt rather than destroy.

This changed in 2007 when the Estonian government and several key organisations were targeted by DDoS attacks. Post attack analysis suggested that foreign agencies may have been involved, marking the first publicly acknowledged example of cyber warfare.

DDoS as a tool for extortion

Given that responsive IT is essential to modern data-driven operations, any kind of outage is disruptive and costly. So the threat of an impending DDoS attack is a very effective way of extracting cryptocurrency ransom payments from a potential target.

To prove they are serious, the extortionists will often launch a small-scale attack to prove their capability – and the potentially devastating consequences of a larger DDoS strike. Evidence suggests that the technique is effective too as the number of ransoms being paid continue to increase year-on-year.


As legitimate businesses move towards subscription-based software and services, so too has cybercrime. Hackers have developed ways to commoditise their DDoS botnets, making them available for hire in almost the same way you would sign up for an Office 365 subscription.

This means that sophisticated DDoS attacks no longer require any technical knowledge or expertise – just a credit card. Importantly, the relative cost is extremely low, allowing anyone to attack any organisation for any reason.

Amplification and multi-vector attacks

Volume is key to a successful DDoS attack, so criminals have developed new ways to increase – amplify – traffic. The most famous example is the Mirai botnet which uses a vast network of compromised Internet of Things (IoT) devices for staging. From a central console, hackers can produce over 1.3Tbps of attack traffic.

At the same time, detection techniques are getting smarter, able to spot large volumes of suspicious traffic. This led to the development of multi-vector attacks, where traffic is generated and directed in several directions to hide its malicious intent. Because several different infrastructure components are attacked simultaneously, overall volumes of traffic tend to be lower – but the results are no less devastating.

Increased botnet power

The Mirai network is an example of relatively low-power devices being used to create significant disruption. But generating massive amounts of traffic requires a large number of compromised devices. 

As DDoS mitigation techniques improve, attackers need to generate greater quantities of traffic. To do this, criminals are now using enterprise grade servers and devices to maximise potential power of their botnets. Coupled with IP address spoofing and reflection-amplification techniques, these server grade attacks can generate enormous amounts of traffic – as much as 2.5 terabits per second. Each.

Carpet bombing attacks

As defences have evolved, traditional DDoS attacks are relatively easy to identify and mitigate. So cybercriminals have adapted their methods once more, leading to the development of new techniques like carpet bombing.

Using botnets, hackers attack a range of addresses and subnets simultaneously. This approach mimics natural traffic, making it harder to detect. And it can quickly overwhelm DDoS mitigation systems. By affecting multiple resources, or organisations, Carpet bomb DDoS attacks are also used to obfuscate the intended target.

So how have DDoS countermeasures evolved?

Initially, DDoS attack mitigation revolved around blacklists. Suspicious IP addresses would be added to a ban list, allowing perimeter network devices to drop traffic from known sources. But as botnets have grown in size, managing these lists, even automatically, is too slow.

Blacklists were followed by traffic scrubbing services. Incoming traffic is routed via a third party service for analysis and ‘scrubbing’, ensuring that only legitimate packets are forwarded to the target network. Although very effective, these services are relatively expensive. More problematically still, a well-designed attack may be able to overload target infrastructure before it can redirect incoming traffic to the scrubbing centre.

The solution? Smarter perimeter detection systems that can spot multi-vector attacks and suspicious activity faster. FastNetMon is capable of detecting and mitigating DDoS attacks in as little as two seconds. Which means that even sneaky new attacks like carpet bombing can be identified and dealt with before infrastructure becomes overwhelmed.

To learn more about FastNetMon and how the product develops to meet evolving DDoS challenges, please contact us to arrange a free 30-day demo.

24/7 Tech Support

Email Us