
Donny Chong at Nexusguard argues that the threat of DDoS isn’t going anywhere and organisations need to continue to defend against these attacks.
Although it has been a consistent fixture in cyber-security for decades, the threat of DDoS, particularly against critical national infrastructure (CNI), often feels like it flies under the radar.
Perhaps this is because it is so hard to quantify. Statistics are hard to come by for matters of national security, and exactly what counts as CNI is evolving. Additionally, attack trends are constantly shifting, and evolving technologies like AI and the Internet of Things threaten to change the game even further.
It’s a messy and obscure picture. But make no mistake, DDoS isn’t going anywhere. The maximum recorded size of attacks seems to go up year-on-year. Against the backdrop of geopolitical instability, major elections and international sporting events, we need to be prepared.
The first step to mitigating a threat is defining it: understanding its severity and where it’s coming from. But for attacks on CNI, this is difficult. Organisations may not want to report on or declare attacks they’ve suffered.
There’s also the question of what counts as CNI to begin with. With ongoing digital transformation, businesses like internet service providers are increasingly being brought under the umbrella. After all, if a service provider is brought down by a DDoS attack, national services relying on it for connectivity will quickly find themselves unable to operate.
Even if we had a complete picture of DDoS attacks on CNI, it would be difficult to draw meaningful conclusions. You have to be careful when attaching a motive to the malicious data packets. Finding the source country of the attack is one thing (and even that is not always possible); working out who it’s come from and why is a guessing game.
Sometimes, that game is easy to play. For example, Sweden found itself heavily targeted by DDoS attacks following its NATO acceptance, as was Finland when it joined the year before. In this case, drawing conclusions seems straightforward enough, but you can never be certain.
Predicting future attacks is even trickier. Looking ahead, major international events like the Olympics and the UEFA European Football Championship, both events that Russia is being excluded from, would be considered at high risk from DDoS attacks. But predicting what would be targeted is another matter: government, transport, event organisers and public services are all at risk.
There’s also the risk of tunnel vision. It depends on which reports you look at, but Russia often isn’t even in the top five origin countries for DDoS attacks globally. China, the US, Brazil and Germany often outrank it.
The point is that DDoS attacks are nigh-impossible to predict. It’s like chasing shadows. The only thing you can do is be prepared for the worst.
When looking at the state of DDoS in 2024, you can broadly split patterns into macro and micro trends. The big picture is that DDoS attacks are getting larger. One recent report showed that the average attack size grew by well over 200% from 2022 to 2023. That’s a significant increase, and we’re seeing lots of claims of the ‘largest attack ever recorded’ from vendors in recent months.
DDoS is both delicately complex and brutally simplistic. Regardless of the protocols used or targets, attack size more than doubling puts organisations of all kinds at risk.
However, in more positive news, the frequency of DDoS attacks is going down, according to some reports. Attackers are therefore becoming more targeted, saving resources for fewer, but potentially far more devastating, attacks.
On a micro level, the most popular methods of attack are currently NTP Amplification, DNS Amplification and HTTPS Flood. Both types of amplification attack are popular because they generate responses (impact) far larger than the initial request. Essentially, they magnify the size of the attack and deliver a high impact for a lower commitment of resources, particularly in the case of DNS.
NTP servers are also a popular choice of reflector for these attacks, as they are widely accessible and often poorly secured. For HTTPS Floods, the universal move towards HTTPS for securing web traffic means attacks are increasingly exploiting its higher resource demands. This is particularly relevant for CNI, as servers will likely be built with HTTPS for its secure connections, so the potential to flood these is great.
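As an added example (not from the article or from Nexusguard), the following Python shows how a defender can spot the amplification pattern described above in flow records: large replies from NTP (UDP/123) or DNS (UDP/53) service ports arriving at a host that sent few or no matching requests. The flow records, the protected host address and the alert thresholds are all constructed for illustration.

```python
# Added example: detect reflected NTP/DNS amplification traffic against a
# protected host from constructed flow records (not from the article).
from collections import defaultdict

REFLECTOR_PORTS = {123: "NTP", 53: "DNS"}

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("udp", "10.0.0.5", 40001, "198.51.100.2", 53, 70),     # legit DNS query out
    ("udp", "198.51.100.2", 53, "10.0.0.5", 40001, 180),    # legit DNS reply in
    ("udp", "203.0.113.10", 123, "10.0.0.5", 80, 48_000),   # NTP replies the host
    ("udp", "203.0.113.11", 123, "10.0.0.5", 80, 48_000),   # never asked for
    ("udp", "203.0.113.12", 123, "10.0.0.5", 80, 48_000),
    ("udp", "192.0.2.20", 53, "10.0.0.5", 443, 3_500),      # reflected DNS
    ("udp", "192.0.2.21", 53, "10.0.0.5", 443, 3_500),
    ("tcp", "192.0.2.99", 443, "10.0.0.5", 51000, 1_200),   # unrelated TCP
]

def amplification_report(flows, protected_host):
    """Per reflector service, compare bytes the host received from that
    service port with bytes it sent to that port (its own requests)."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "reflectors": set()})
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dst == protected_host and sport in REFLECTOR_PORTS:
            s = stats[REFLECTOR_PORTS[sport]]
            s["in_bytes"] += nbytes
            s["reflectors"].add(src)
        elif src == protected_host and dport in REFLECTOR_PORTS:
            stats[REFLECTOR_PORTS[dport]]["out_bytes"] += nbytes
    report = {}
    for svc, s in stats.items():
        # Reply bytes divided by request bytes. Spoofed reflection delivers
        # replies the host never requested, so the ratio explodes.
        ratio = s["in_bytes"] / s["out_bytes"] if s["out_bytes"] else float("inf")
        report[svc] = {"in_bytes": s["in_bytes"], "out_bytes": s["out_bytes"],
                       "ratio": ratio, "reflectors": len(s["reflectors"])}
    return report

def flag_amplification(flows, protected_host, max_ratio=10.0, min_reflectors=2):
    """Return services whose reply/request byte ratio and distinct reflector
    count both exceed the thresholds (threshold values are assumptions)."""
    rep = amplification_report(flows, protected_host)
    return sorted(svc for svc, r in rep.items()
                  if r["ratio"] > max_ratio and r["reflectors"] >= min_reflectors)

if __name__ == "__main__":
    print(amplification_report(FLOWS, "10.0.0.5"))
    print("suspected amplification:", flag_amplification(FLOWS, "10.0.0.5"))
```

The legitimate query/reply pair alone stays well under the thresholds, while the spoofed NTP and DNS replies push the ratio to infinity and over 100 respectively, which is the magnification effect the article describes.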
There’s also the small matter of AI to consider. The UK’s National Cyber Security Centre (NCSC) recently raised the alarm that AI will massively increase the potential speed, scale and sophistication of attacks against critical infrastructure targets.
AI-enabled DDoS adds a layer of intelligence and automated decision-making to attacks. Attackers can use AI to search for vulnerabilities in a system or network, and then use machine learning to make attacks able to adapt tactics in real time, making them far harder to mitigate.
With all this in mind, one final grey area remains: whose responsibility is protecting critical national infrastructure from DDoS attacks? The obvious answer might be CNI entities themselves, but they can’t (and shouldn’t) be expected to be experts in DDoS protection. As threats become more advanced, attacks continue to get larger, and as evolving technology like AI enters the mix, specialist expertise is needed.
However, CNI organisations might struggle to justify the investment that advanced DDoS protection requires. Education on the topic goes a long way here, but government regulation and financial incentives would go further. The industry needs regulations like the NIS2 Directive we’re seeing come into play in Europe, setting specific cyber-security standards for CNI in line with rising threat levels.
Another crucial player here is internet service providers. Not only can they be a difference-maker if an organisation is attacked directly, but increasingly ISPs themselves are being directly targeted. DDoS attacks on these networks have increased massively, many as direct attempts to bring down national infrastructure, such as attacks we’ve seen in Ukraine. As threat levels rise, ISPs need to continuously increase their DDoS resilience, protecting themselves and their CNI customers in the process.
Clearly, securing critical infrastructure from DDoS threats isn’t simple. It is, however, a necessity, in this day and age more than ever. Despite the pure quantity of attacks reportedly going down, their potential to cause chaos has increased. Attacks have more resources at their disposal, new technology like AI to leverage, and more targets and protocols to exploit than ever.
CNI organisations, governments, security specialists and internet providers need to work together to keep infrastructure safe.
Donny Chong is Product Director at Nexusguard
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543