A Distributed Denial of Service (DDoS) attack is very different from many of the cyber threats that organizations face. Other cyber threats take advantage of holes in an organization’s cybersecurity defenses, such as unpatched vulnerabilities or a failure to train employees to identify and protect themselves against phishing attacks. DDoS attacks only require a cybercriminal to have access to a number of Internet-connected computers.

Over time, the number of Internet-connected devices has been growing. The rise of the Internet of Things (IoT) has been of huge benefit to cybercriminals since these devices often have extremely poor security and rarely receive the attention required to secure them. As a result, the term “IoT botnet” has become almost synonymous with “DDoS botnet”.

However, IoT devices are not the only ones used by cybercriminals in DDoS botnets. Cybercriminals have been branching out to use different devices in their botnets, expanding their potential size and the impact of their attacks while driving down the price of building and operating a botnet. As a result, the threat of DDoS attacks is growing, making a DDoS mitigation solution an essential component of an organization’s cybersecurity strategy.

Not Just IoT Botnets

IoT devices are the most visible type of systems used in DDoS attacks. These devices generally have poor security, including heavy use of weak and default passwords, and rarely receive security updates, making it relatively easy for a cybercriminal to identify and exploit vulnerabilities in them.

However, while IoT devices are likely the most common device used in DDoS attacks, they are not the only ones. Cybercriminals have expanded their operations to use cloud-based botnets and mobile devices to perform their attacks.

  • Moving to the Cloud

In order to perform a DDoS attack, a cybercriminal only requires access to a large amount of Internet-connected computing power. The growth of cloud computing has made this easier and cheaper for cybercriminals to acquire. With the cloud, an aspiring botnet herder no longer needs to compromise vulnerable devices. Instead, they can simply lease cloud-based resources to build their botnet.

Using cloud-based resources for a botnet provides a variety of benefits to a DDoS attacker. One of these is the low cost and low complexity of cloud-based computing. In fact, a cybercriminal recently released a list of over 500,000 IoT devices, IP addresses and login credentials: everything that a potential DDoS attacker would need to gain access to these devices and add them to their botnet. The reason for this release was that the cybercriminal no longer needed the devices since they had transitioned to a cloud-based botnet.

Another advantage of cloud-based botnets is the fact that they use trusted infrastructure. Cloud-based resources use IP addresses and domain names associated with the cloud service provider. This makes it much more difficult for an organization to use IP-based blacklists to protect against DDoS attacks.
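To make this trade-off concrete, the following added example (not part of the original article) scores two blacklist strategies against a handful of constructed requests. The addresses come from documentation ranges, and 203.0.113.0/24 is an assumed stand-in for a cloud provider's address block shared by leased bots and legitimate tenants.

```python
import ipaddress

# Constructed sample traffic: (source IP, label). 203.0.113.0/24 is an assumed
# stand-in for a cloud provider's block; 198.51.100.0/24 is ordinary visitors.
CLOUD_RANGE = ipaddress.ip_network("203.0.113.0/24")
TRAFFIC = [
    ("203.0.113.10", "attack"),   # leased bot, seen in an earlier attack
    ("203.0.113.11", "attack"),   # leased bot, seen in an earlier attack
    ("203.0.113.57", "attack"),   # freshly leased bot, never seen before
    ("203.0.113.90", "attack"),   # freshly leased bot, never seen before
    ("203.0.113.200", "legit"),   # partner API hosted with the same provider
    ("203.0.113.201", "legit"),   # monitoring service hosted with the same provider
    ("198.51.100.7", "legit"),    # ordinary visitor
    ("198.51.100.8", "legit"),    # ordinary visitor
]


def evaluate(blocklist, traffic):
    """Count blocked attack, missed attack and blocked legitimate requests."""
    nets = [ipaddress.ip_network(entry) for entry in blocklist]
    result = {"attack_blocked": 0, "attack_missed": 0, "legit_blocked": 0}
    for src, label in traffic:
        addr = ipaddress.ip_address(src)
        blocked = any(addr in net for net in nets)
        if label == "attack":
            result["attack_blocked" if blocked else "attack_missed"] += 1
        elif blocked:
            result["legit_blocked"] += 1
    return result


# Strategy 1: list only the individual addresses seen in the earlier attack.
PER_IP = ["203.0.113.10/32", "203.0.113.11/32"]
# Strategy 2: list the provider's whole range.
WHOLE_RANGE = [str(CLOUD_RANGE)]

if __name__ == "__main__":
    print("per-IP list:     ", evaluate(PER_IP, TRAFFIC))
    print("whole-range list:", evaluate(WHOLE_RANGE, TRAFFIC))
```

The per-address list misses every newly leased instance, while the whole-range list stops the attack only by also cutting off the legitimate services hosted with the same provider.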

  • Going Mobile

In general, official mobile phone app stores, such as the Android Play Store and the Apple App Store, are well-regulated with applications undergoing inspection and testing before being allowed in. However, on multiple occasions, Google and Apple have publicly removed malicious apps that have made it into their stores.

In January 2020, ESET reported on a DDoS attack against their website that appeared to be perpetrated by Android phones. Investigation revealed that an app called “Updates for Android”, which promised news updates for Android users, was behind the attack.

The malicious app was previously benign but received an update that allowed it to download and execute JavaScript code from a cybercriminal-controlled web server. This new functionality is not necessarily malicious, which enabled it to evade Google’s testing efforts and be added to the Play Store. However, it was used by cybercriminals to add the devices that ran the updated app to a botnet and perform DDoS attacks.

This use of malicious apps on smartphones allows cybercriminals to further expand the devices included in their botnets. Launching DDoS attacks from these devices has the advantage that smartphones are increasingly the device of choice for accessing the Internet. By using them in attacks, a cybercriminal has additional noise in which to hide their malicious traffic.

Protecting Against DDoS Attacks

Over time, the threat of DDoS attacks has grown consistently. With the rise of the IoT and mobile devices, an increasing number of devices that lack the standard cybersecurity protections of traditional computers have been connected to the Internet, making it easier for a cybercriminal to exploit them and build botnets. With cloud computing, it is not even necessary for a potential DDoS attacker to exploit a device to use it in an attack; they can simply lease the computing and network resources that they require for a very reasonable fee.

As a result, the potential number and volume of DDoS attacks that can be performed continue to grow. As the cost of performing an attack decreases, it is also possible for a botnet operator to sell their services to third parties that wish to DDoS a target but lack the knowledge, resources, or desire to do it themselves. This “as a Service” model expands the range of potential DDoS targets and helps to cover the cost of maintaining and operating a DDoS botnet.

As potential botnet members grow more numerous and the range of potential targets increases, DDoS attacks pose a growing threat to the availability and accessibility of organizations’ websites to legitimate users. Protecting these sites with a DDoS mitigation solution is becoming a fundamental part of any organization’s cybersecurity strategy.