The holiday season is an exciting time for many people as they get to relax, connect with friends and family, and celebrate traditions. Organizations also have much to rejoice about during the holidays (for example, more sales for retailers and more players for gaming companies). Unfortunately, cyber attackers also look forward to this time of year to celebrate an emerging holiday tradition—distributed denial-of-service (DDoS) attacks.
While DDoS attacks happen all year round, the holidays are one of the most popular times and where some of the most high-profile attacks occur. Last October in India, there was a 30-fold increase in DDoS attacks targeting services frequently used during the festive season, including media streaming, internet phone services, and online gaming1. Last October through December, Microsoft mitigated several large-scale DDoS attacks, including one of the largest attacks in history from approximately 10,000 sources spanning multiple countries2.
While retail and gaming companies are the most targeted during the holidays, organizations of all sizes and types are vulnerable to DDoS attacks. It’s easier than ever to conduct an attack. For only $500, anyone can pay for a DDoS subscription service to launch a DDoS attack. Every year, DDoS attacks are also becoming harder to protect against as new attack vectors emerge and cybercriminals leverage more advanced techniques, such as AI-based attacks.
With the holidays coming up, we’ve prepared this guide to provide you with an overview of DDoS attacks, trends we are seeing, and tips to help you protect against DDoS attacks.
What is a DDoS attack and how does it work?
A DDoS attack targets websites and servers by disrupting network services and attempts to overwhelm an application’s resources. Attackers will flood a site or server with large amounts of traffic, resulting in poor website functionality or knocking it offline altogether. DDoS attacks are carried out by individual devices (bots) or network of devices (botnet) that have been infected with malware and used to flood websites or services with high volumes of traffic. DDoS attacks can last a few hours, or even days.
What are the motives for DDoS attacks?
There is a wide range of motives behind DDoS attacks, including financial, competitive advantage, or political. Attackers will hold a site’s functionality hostage demanding payment to stop the attacks and get sites and serves back online. We’re seeing a rise in cybercriminals combining DDoS attacks with other extortion attacks like ransomware (known as triple extortion ransomware) to extort more pressure and command higher payouts. Politically motivated attacks, also known as “hacktivism”, are becoming more commonly used to disrupt political processes. At the start of the war in Ukraine earlier in 2022, the Ukrainian government reported the worst DDoS attack in history as attackers aimed to take down bank and government websites4. Also, cybercriminals will often use DDoS attacks as a distraction for more sophisticated targeted attacks, including malware insertion and data exfiltration.
Why are DDoS attacks so common during the holidays?
Organizations typically have reduced resources dedicated to monitoring their networks and applications—providing easier opportunities for threat actors to execute an attack. Traffic volume is at an all-time high, especially for e-commerce websites and gaming providers, making it harder for IT staff to distinguish between legitimate and illegitimate traffic. For attackers seeking financial gain, the opportunity for more lucrative payouts can be higher during the holidays as revenues are at the highest and service uptime is critical. Organizations are more willing to pay to stop an attack to minimize loss of sales, customer dissatisfaction, or damage to their reputation.
Why protect yourself from DDoS attacks?
Any website or server downtime during the peak holiday season can result in lost sales and customers, high recovery costs, or damage to your reputation. The impact is even more significant for smaller organizations as it is harder for them to recover from an attack. Beyond the holidays when traffic is traditionally the highest, ongoing protection is also important. In 2021, the day with the most recorded attacks was August 10, indicating that there could be a shift toward year-round attacks2.
Tips for protecting and responding against DDoS attacks
Don’t wait until after an attack to protect yourself. While you cannot completely avoid being a target of a DDoS attack, proactive planning and preparation can help you more effectively defend against an attack.
Identify the applications within your organization that are exposed to the public internet and evaluate potential risks and vulnerabilities.
It’s important that you understand the normal behavior of your application so that you’re prepared to act if the application is not behaving as expected. Azure provides monitoring services and best practices to help you gain insights on the health of your application and diagnose issues.
We recommend running attack simulations to test how your services will respond to an attack. You can simulate a DDoS attack on your Azure environment with services from our testing partners—BreakingPoint Cloud and RedButton.
Make sure you’re protected. With DDoS attacks at an all-time high during the holidays, you need a DDoS protection service with advanced mitigation capabilities that can handle attacks at any scale.
We recommend enabling Azure DDoS Protection, which provides always-on traffic monitoring to automatically mitigate an attack when detected, adaptive real time tuning that compares your actual traffic against predefined thresholds, and full visibility on DDoS attacks with real-time telemetry, monitoring, and alerts.
Azure DDoS Protection should be enabled for virtual networks with applications exposed over the public internet. Resources in a virtual network that require protection against DDoS attacks include Azure Application Gateway, Azure Load Balancer, Azure Virtual Machines, and Azure Firewall.
For comprehensive protection against different types of DDoS attacks, set up a multi-layered defense by deploying Azure DDoS Protection with Azure Web Application Firewall (WAF). Azure DDoS Protection protects the network layer (Layer 3 and 4), and Azure WAF protects the application layer (Layer 7). You receive a discount on Azure WAF when deploying DDoS Network Protection along with Azure WAF, helping to reduce costs.
Azure DDoS Protection identifies and mitigates DDoS attacks without any user intervention. To get notified when there’s an active mitigation for a protected public IP resource, you can configure alerts.
Create a DDoS response strategy. Having a response strategy is critical to help you identify, mitigate, and quickly recover from DDoS attacks. A key part of the strategy is a DDoS response team with clearly defined roles and responsibilities. This DDoS response team should understand how to identify, mitigate, and monitor an attack and be able to coordinate with internal stakeholders and customers. We recommend using simulation testing to identify any gaps in your response strategy.
Reach out for help during an attack. If you think you are experiencing an attack, you should reach out to the appropriate technical professionals for help. Azure DDoS Protection customers have access to the DDoS Rapid Response (DRR) team, who can help with attack investigation during an attack as well as post-attack analysis. Check out this guide for more details on when and how to engage with the DRR team during an active attack.
Learn and adapt after an attack. While you’ll likely want to move on as quickly as possible if you’ve experienced an attack, it’s important to continue to monitor your resources and conduct a retrospective after an attack. You should apply any learnings to improve your DDoS response strategy.
Azure offers cloud native, Zero Trust based network security solutions to protect your valuable resources from evolving threats. Azure DDoS Protection provides advanced, cloud-scale protection to defend against the largest and most sophisticated DDoS attacks.
Don’t let DDoS attacks ruin your holidays! Prepare for the upcoming holiday season with this guide and make sure Azure DDoS Protection is at the top of your holiday shopping list.
Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for many organizations across multiple industries.
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents.
Business email operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.
In recent months, Microsoft has detected active ransomware and extortion campaigns impacting the global education sector, particularly in the US, by a threat actor we track as DEV-0832, also known as Vice Society.