A couple of years ago, Distributed Denial of Service (DDoS) attacks were just a nuisance for businesses; today they constitute serious, costly cybercrime. Equally alarming, if not more so, is the use of cybercriminals as surrogates in state-to-state political conflicts. The tools for launching these attacks are easily available online, and they are so simple and cheap to use that even amateur fraudsters and kids can commit a financial crime. At the same time, the consequences for businesses and financial institutions can be devastating.
A report from NETSCOUT showed that threat actors launched 5.4 million DDoS attacks in the first half of 2021, and that more than 50% of those were DDoS extortion attacks on the financial industry. According to Kaspersky, the total number of DDoS attacks in the last quarter of 2021 increased 52% compared to Q3 and reached a record high, 4.5 times the number seen in Q4 of 2020.
Businesses and organizations whose revenue depends heavily on their online presence face continual threats from attackers. The most common victims of DDoS attacks are enterprises in financial services, (video) games and gambling, as well as merchants and internet service providers. Industrial and manufacturing facilities, as well as health care companies, are also prime targets.
The True Cost of DDoS Attacks
For those of you who might be new to the exciting world of cybersecurity, a Distributed Denial of Service (DDoS) attack is a cyberattack that aims to affect the availability of a service or a network, by overwhelming it with fake traffic. Criminals generate large volumes of packets or connection requests that cause the system to crash or slow down.
A DDoS attack halts a business’s ability to operate until the attack is either blocked by the company’s IT team or the criminals achieve what they wanted and call it off. For victimized companies, lost revenue can range from $20,000 to $40,000 USD per hour, and in severe cases an enterprise can lose several million dollars to a single attack. By contrast, a criminal can launch an hour-long DDoS attack for the price of a latte.
When a DDoS attack hit VoIP service provider Bandwidth.com in 2021, it caused service outages for days, and the company lost between $9 and $12 million USD. In the same year, an extensive DDoS attack was launched against commercial and government targets in New Zealand. The New Zealand stock exchange was suspended for two full days, while consumers were unable to access their funds for essential purchases.
DDoS assaults, including DDoS ransom attacks, have become tools within larger criminal operations. Hackers can bring down a website or a network to extort a ransom payment from victims, or use the attack to distract a company’s IT resources while they commit other cybercrimes.
In February 2022, prior to its invasion of Ukraine, Russia used DDoS attacks to weaken Ukraine’s defense capabilities by attacking its defense department and a major Ukrainian bank.
Even though most DDoS attacks in Q4 2021 originated from China, a new trend shows that cybercrimes of this type can also be home-grown, where the criminals target businesses or organizations in their own country.
What Makes It Hard to Detect and Block DDoS Attacks?
There are a wide variety of cybersecurity tools and services available. So why is it hard to detect and block DDoS attacks?
“Early solutions included packet filters, deep packet inspection firewalls, and intrusion detection, but they all had limits,” explains Stephen Lazenby, INETCO’s VP, Product Management. “This is where application layer firewalls were touted to cover the gap. Today’s existing firewalls can detect external application-layer attacks, but they can only block traffic at the network level (IP address and port). Blocking malicious transactions at this level also blocks legitimate transactions coming through the same IP address and port. As a result, legitimate customers are stopped from transacting or purchasing online. The impacts are lost revenue, brand damage, and angry customers. A decision not to block an attack can seriously degrade network performance or bring down the entire network for days. Either way, companies are left to deal with the same impacts―lost revenue, brand damage, and angry customers.”
In September 2021, INETCO introduced its new solution to help bridge the gap – INETCO BullzAI® Cybersecurity for Enterprise. It performs the heavy lifting and pre-screening of transactions before they get to the transaction switch or web application server.
“Existing firewalls operate at the packet level, so they cannot see the bigger picture at the message level. They only see transactions at a single point in the network,” says Stephen Lazenby. “INETCO BullzAI® Cybersecurity for Enterprise is different. It sees transactions at every point across the network. It uses sensors to capture traffic directly off the network at various Policy Information Points (PIP) along the transaction journey. Transactions are decrypted and decoded in milliseconds, making every field of every message, as well as timing and duration, available to a central Policy Decision Point (PDP) where the decision on a specific transaction is made. This decision on whether to allow a specific transaction is based on a combination of rules and machine learning, both supervised and unsupervised, which is extensively leveraged to detect anomalies in expected behavior.”
DDoS Attack Detection and Blocking
Let’s take a look at a recent DDoS attack.
In 2020, a major US financial institution (FI) network was brought down for three days as the result of a set of bots that continuously created new accounts. Industry-leading firewalls (network firewalls, web application firewalls, and API gateways) were installed both within the FI and at the upstream service provider. However, they were not able to identify the attack early enough, and when they eventually did, they were unable to stop it quickly. Because all transactions had come through an intermediary, the FI could not identify the source IP address. Even if it could have, blocking at the IP address and port would have blocked all legitimate transactions coming in from the same intermediary.
INETCO BullzAI can automatically identify the originating IP address, because it is contained in the message payload, as well as the machine fingerprints of the systems executing the bot attack. Because the INETCO BullzAI application firewall can block at the field level, it blocks only the transactions coming from the offending IP addresses and machine fingerprints, with no impact on real customers.
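To make the field-level versus network-level distinction concrete, here is an added example (not INETCO’s code, and not a description of BullzAI’s internals) that replays the account-creation scenario above over constructed messages: a packet-level rule can only key on the intermediary’s IP header, while a velocity rule over the decoded originating IP and device fingerprint isolates the bot. Message field names, thresholds and sample values are all assumptions.

```python
from collections import defaultdict

INTERMEDIARY_IP = "203.0.113.10"  # the only source IP a packet-level firewall sees

def msg(ts, action, origin, fp, account):  # constructed, already-decoded message (assumed format)
    return {"src_ip": INTERMEDIARY_IP, "ts": ts, "action": action,
            "originating_ip": origin, "fingerprint": fp, "account": account}

# Constructed sample traffic: an account-creation bot plus two real customers,
# all reaching the FI through the same intermediary.
MESSAGES = [
    msg(0, "create_account", "198.51.100.7", "fp-bot",   "acct-001"),
    msg(1, "create_account", "198.51.100.7", "fp-bot",   "acct-002"),
    msg(2, "create_account", "198.51.100.7", "fp-bot",   "acct-003"),
    msg(3, "create_account", "198.51.100.7", "fp-bot",   "acct-004"),
    msg(4, "login",          "192.0.2.44",   "fp-alice", "alice"),
    msg(5, "payment",        "192.0.2.44",   "fp-alice", "alice"),
    msg(6, "create_account", "192.0.2.91",   "fp-bob",   "bob"),
    msg(7, "create_account", "198.51.100.7", "fp-bot",   "acct-005"),
]

def origin(m):  # the field-level identity: where the transaction really came from
    return (m["originating_ip"], m["fingerprint"])

def find_offenders(messages, max_creates=3, window=10):
    """Velocity rule on decoded fields: flag an origin that creates more than
    max_creates accounts inside any `window`-second span (thresholds assumed)."""
    creates = defaultdict(list)
    for m in messages:
        if m["action"] == "create_account":
            creates[origin(m)].append(m["ts"])
    offenders = set()
    for key, times in creates.items():
        times.sort()
        for i in range(max_creates, len(times)):
            if times[i] - times[i - max_creates] <= window:  # max_creates+1 events in window
                offenders.add(key)
                break
    return offenders

def compare(messages=MESSAGES):
    """Network-level blocking drops everything from the intermediary, real customers
    included; field-level blocking drops only the offending origins."""
    net_allowed = [m for m in messages if m["src_ip"] != INTERMEDIARY_IP]
    offenders = find_offenders(messages)
    fld_allowed = [m for m in messages if origin(m) not in offenders]
    return {"network_allowed": len(net_allowed), "field_allowed": len(fld_allowed),
            "blocked_origins": sorted(offenders),
            "customers_kept": sorted({m["account"] for m in fld_allowed})}
```

With this sample, blocking the intermediary’s IP lets nothing through, while the field-level rule keeps all three legitimate messages from alice and bob and drops only the bot’s five.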
Over the years, cybercriminals have gained access to tools that make it easier and cheaper to launch cyber attacks. They continually improve their skills and are annoyingly creative. As businesses and financial institutions evolve their online services and grow their online presence, it is essential to have a cybersecurity strategy in place that includes an automated solution that can detect and block DDoS attacks in real time, without human intervention. Customers expect their online interaction with a brand to be free of disruption, and even an hour-long service outage due to cybercrime can cost a business revenue and damage its reputation.
To learn more about INETCO BullzAI Cybersecurity for Enterprise, schedule a call with one of our experts.