A couple of years ago, research agencies and information security service providers already started reporting decrease the number of DDoS attacks. But by the 1st quarter of 2019, the same researchers reported their stunning growth by 84%. And then everything went on increasing. Even the pandemic did not contribute to the atmosphere of the world - on the contrary, cybercriminals and spammers considered this a great signal to attack, and the volume of DDoS grew double .


We are sure that the time for simple and easily detectable DDoS attacks (and simple tools that can prevent them) is over. Cybercriminals have learned to better hide these attacks and conduct them more and more sophisticatedly. The dark industry has moved from brute force to application-level attacks. She receives serious orders for the destruction of business processes, including quite offline ones.

Breaking Into Reality

In 2017, a series of DDoS attacks targeting Sweden’s transport services resulted in lengthy train delays . In 2019, the national railway operator of Denmark Danske Statsbaner disconnected sales systems. In As a result, ticket vending machines and automatic gates did not work at the stations, and more than 15 thousand passengers could not leave anywhere. In the same 2019th, a powerful cyber attack caused a power outage in Venezuela .

The consequences of DDoS attacks are now experienced not only by online users, but also people, as they say, IRL (in real life). Although historically attackers aimed only at online services, now often their task is to disrupt any business operations. According to our estimates, today more than 60% of attacks have such a goal - for extortion or unscrupulous competition. Transactions and logistics are particularly vulnerable to this.

Smarter and more expensive

DDoS continues to be considered one of the most common and fastest growing types of cybercrime. According to experts, from 2020 their number will only grow. This is associated with various reasons - and with the even greater transition of the business to the online because of the pandemic, and with the development of the shadow industry of cybercrimes, and even with 5G distribution .

DDoS attacks became “popular” at the time because of their ease of deployment and low cost: a couple of years ago they could be initiated for $ 50 per day. Today, both goals and attack methods have changed, which has led to an increase in their complexity and, as a result, cost. No, prices from $ 5 per hour are still in the prices (yes, cybercriminals have prices and tariff networks), but for a site with protection they already require from $ 400 per day, and the cost of “individual” orders for large companies reaches several thousand dollars.

Now there are two main types of DDoS attacks. The first goal is to make the online resource inaccessible for a certain period of time. Attackers charge for them during the attack itself. In this case, the DDoS operator does not care about any specific result, and the client actually makes a prepayment for the start of the attack. Such methods are quite cheap.

The second type is attacks that are paid only when a certain result is achieved. It’s more interesting with them. They are much more difficult to execute and therefore much more expensive, since attackers have to choose the most effective methods to achieve their goals. In Variti, we sometimes spend entire chess games with cybercriminals, in which they instantly change tactics and tools and try to break through several vulnerabilities at several levels at once.These are clearly team attacks, in which hackers are well aware of how to react and counteract the actions of defenders. Fighting them is not only difficult, but also very costly for companies. For example, one of our customers, a large network retailer, has been hosting a team of 30 people for almost three years, whose task was to deal with DDoS attacks.

According to Variti, simple DDoS attacks made solely due to boredom, trolling or dissatisfaction with a certain company currently account for less than 10% of all DDoS attacks (of course, insecure resources may have different statistics, we look at our customers' data ) Everything else is the work of professional teams. At the same time, three quarters of all “bad” bots are complex bots that are difficult to detect with the help of most modern market solutions. They mimic the behavior of real users or browsers and implement patterns that complicate the distinction between “good” and “bad” requests. This makes attacks less noticeable and therefore more effective.

Data from GlobalDots

New DDoS Goals

The Bad Bot Report report from GlobalDots analysts says that bots now generate 50% of all web traffic, and 17.5% of them are precisely malicious bots.

Bots are able to spoil the life of companies in different ways: plus the fact that they “put” sites, they are now engaged in increasing the cost of advertising, clicking on advertisements, parsing prices to make them a penny less and luring customers, and steal content for various bad purposes (for example, we recently wrote about sites with stolen content that force users to solve other people's captcha). Bots greatly distort various business statistics, and as a result, decisions are made based on incorrect data. A DDoS attack is often a smoke screen for even more serious crimes such as hacking and data theft. And now we see that a whole new class of cyber threats has been added - this is a disruption to certain business processes of the company, often offline (since nowadays nothing can be completely “off-line”). Especially often we see that logistics processes and communications with customers break.

“Not delivered”

Logistic business processes are key for most companies, so they are often attacked. Here are some attack scenarios that might be involved.

Out of stock

If you work in the field of online commerce, then you are probably familiar with the problem of fake orders. In case of attacks, bots overload logistic resources and make goods inaccessible to other buyers. To do this, they place a huge number of fake orders equal to the maximum number of goods in stock. These goods are then not paid and after some time they return to the site. But the thing has already been done: they were marked as “out of stock”, and some buyers have already gone to the competitors. This tactic is well known in the airline industry, where sometimes bots instantly “buy up” all tickets almost immediately after they appear. For example, one of our customers - a large airline - suffered from such an attack organized by Chinese competitors. In just two hours, their bots ordered 100% of tickets to certain destinations.

Sneakers bots

The next popular scenario: bots instantly buy the entire line of products, and their owners sell them later at an inflated price (on average, the margin is 200%). Such bots are called sneakers bots, because they are well acquainted with this problem in the industry of fashionable sneakers, especially in limited collections. In almost minutes, bots bought up new lines that had just appeared, while blocking the resource so that real users could not break into it. This is a rare case when bots were written about in glossy fashion magazines. Although, in general, resellers of tickets to cool events such as football games use the same scenario.

Other Scenarios

But that is not all. There is an even more complicated version of attacks on logistics, which threatens with serious losses.This can be done if the service has the option “Payment upon receipt of goods”. Bots leave fake orders for such goods, indicating fake, or even real addresses of unsuspecting people. And companies bear huge costs for shipping, storage, finding out the details. At this time, the goods are not available to other customers, and even occupy a place in the warehouse.

What else? Bots leave massive fake bad reviews about products, block the “refund” function, blocking transactions, stealing customer data, spamming real customers - there are many options. A good example is the recent attack on DHL, Hermes, AldiTalk, Freenet, Snipes.com. Hackers pretended that they are “testing DDoS protection systems”, and as a result, they put down the company’s business client portal and all the APIs. As a result, there were big interruptions in the delivery of goods to customers.

Call tomorrow

Last year, the Federal Trade Commission (FTC) reported a double increase in complaints from businesses and users about spam and fraudulent phone bot calls. By some estimates, they make up Almost 50% of all calls.

As in the case of DDoS, the goals of TDoS - massive bot attacks on phones - range from rallies to unscrupulous competition. Bots are able to overload contact centers and not miss real customers. This method is effective not only for call centers with “live” operators, but also where AVR systems are used. Bots can also massively attack other channels of communication with clients (chats, emails), disrupt CRM systems and even to some extent negatively affect personnel management, because operators are overloaded trying to cope with the crisis. Attacks can also be synchronized with a traditional DDoS attack on the victim’s online resources.

Recently, such an attack disrupted the rescue service 911 in the United States - ordinary people who urgently need help just do not could get through. Around the same time, the Dublin Zoo suffered the same fate: at least 5,000 people received spam in the form of SMS text messages prompting them to urgently call the zoo's phone number and ask for a fictitious person.

No Wi-Fi

Cybercriminals can also easily block the entire corporate network. Often IP blocking is used to combat DDoS attacks. But this is not only ineffective, but also a very dangerous practice. The IP address is easy to find (for example, using resource monitoring) and easy to replace (or fake). Before our arrival to Variti, our clients had cases when this led to the fact that blocking a certain IP simply turned off Wi-Fi in their own offices. There was a case when the client “slipped” the desired IP, and he blocked access to his resource to users from the whole region, and for a long time he did not notice this, because otherwise the whole resource worked fine.

What's new?

New threats require new security solutions. However, this new niche in the market is just beginning to take shape. There are many solutions to effectively repel simple bot attacks, but complex ones are not so simple. Many solutions still practice IP blocking techniques. Others need time to collect primary data to get started, and these 10-15 minutes can become a vulnerability. There are solutions based on machine learning that allow you to identify a bot by its behavior. And at the same time, teams from the “other” side boast that they already have bots that can imitate real, indistinguishable from human patterns. It’s not clear who is whom.

What to do if you have to deal with professional botware teams and complex, multi-stage attacks on several levels at once?

Our experience shows that we need to focus on filtering illegitimate requests without blocking IP addresses. For complex DDoS attacks, filtering is required at once on several levels, including the transport layer, and the application layer, and APIs. Thanks to this, even low-frequency attacks, which are usually invisible and therefore often passed on, can be repelled.Finally, you need to skip all real users, even while the active phase of the attack is in progress.

Secondly, companies need the ability to create their own multi-stage security systems, where, in addition to tools for preventing DDoS attacks, anti-fraud, data theft, content protection and so on systems will be built in.

Thirdly, they should work in real time from the very first request - the ability to instantly respond to security incidents greatly increases the chances of preventing an attack or reducing their destructive force.

Near Future: Reputation Management and Big Data Collection with Bots
The history of DDoS has evolved from simple to complex. At first, the goal of the attackers was to stop the site. Now they consider it more efficient to aim at basic business processes.

The complexity of the attacks will continue to grow, this is inevitable. Plus, what bad bots are doing right now - data theft and falsification, extortion, spam bots will collect data from a large number of sources (Big Data) and create “reliable” fake accounts to manage influence, reputation or mass phishing.

Currently, only large companies can afford to invest in protection against DDoS and bots, but even they can not always fully track and filter traffic generated by bots. The only positive that bot attacks are becoming more complex is that it encourages the market to create smart and better defense solutions.

What do you think - how will the bot protection industry develop and what solutions are needed on the market right now ?.