In June 2022, Cloudflare reported what was then the largest HTTPS Distributed Denial-of-Service (DDoS) attack on record. A botnet it named Mantis launched a brief but record-setting attack that peaked at 26 million requests per second (rps).
The incident shows how attackers keep refining their methods, either to get around existing defenses or to overwhelm targets with unprecedented request volumes. DDoS mitigation providers therefore have to keep raising their own capabilities in step.
The Mantis attack
According to Cloudflare, Mantis is behind a series of attacks that targeted almost a thousand of the content delivery network's customers. The targets spanned industries including gaming, finance, telecommunications, and online retail, and were based across the globe, including the United States, Canada, the United Kingdom, Germany, France, Ukraine, Poland, and Russia.
Cloudflare describes Mantis as the next evolution of the Meris botnet, which in 2021 built its firepower from compromised MikroTik routers and hit a number of high-profile websites. Mantis operates a relatively small fleet of bots, around 5,000, yet Cloudflare notes that this fleet generates a massive amount of force, and says it has been "responsible for the largest HTTPS DDoS attacks we have ever observed."
The record attack produced over 212 million HTTPS requests from over 1,500 networks in under 30 seconds. Tech journalists characterized the botnet as "tiny," but each node generated roughly 5,200 rps (26 million rps divided among about 5,000 bots). That per-node throughput matters because an HTTPS flood costs the attacker a TLS handshake per connection, so it needs real compute rather than low-powered routers: unlike Meris, Mantis runs on a variety of compromised virtual-machine platforms and HTTP proxies, which is where that capacity comes from.
Effective DDoS mitigation
The surge of malicious traffic lasted only around 30 seconds. That is still long enough to cause damage, considering that users typically abandon a site that fails to load within three to five seconds. The encouraging part is that current DDoS mitigation services were able to absorb a new form of attack and prevent any extended downtime.
Modern DDoS mitigation services can keep up with the evolving nature of attacks. They have larger network and processing capacity, lower latency, and faster time to mitigation. Not all providers are equal, but the top-tier ones are generally sufficient to prevent serious DDoS consequences.
Choosing a DDoS mitigation service by network and processing capacity alone is tricky. More capacity is always better, but cost scales with capacity, so organizations need to weigh their options carefully. DDoS is not the only threat they have to budget for, and they also need to keep resources in reserve for attacks they cannot predict.
It is also important to examine a provider's "time to mitigation." Top solutions respond to an attack within seconds, and that is the benchmark organizations should look for. The average reported duration of a DDoS attack in 2021 was 6.1 minutes. That may sound brief or manageable, but a lot can happen in 6.1 minutes: for an online business, those "few" minutes can mean missed sales, lost opportunities, and reputational damage.
Short attacks are not necessarily harmless, either. Even the 30-second Mantis attack cited above could have been one component of a larger campaign. As VentureBeat explains, "organizations should watch out for these types of attacks as they can be a distraction tactic and part of a wider multi-vector attack."
Some DDoS mitigation solutions can be configured to ignore brief attacks as insignificant. That is a mistake and potentially harmful. A DDoS attack can run in tandem with a malware installation that takes place while the organization is still busy restoring its firewall and other security controls after the network disruption.
A DDoS mitigation solution should provide both network-layer and application-layer mitigation. It should also protect secondary assets, and it should be able to protect individual IP addresses.
Network-layer mitigation addresses the volume of an attack, the massive surge of traffic heading for a server. Methods include null routing (routing all traffic for the targeted address to a null interface where it is discarded, which protects the rest of the network at the cost of taking the target offline), sinkholing (diverting the target's traffic to a separate destination where it can be dropped or analyzed), scrubbing (routing ingress traffic through a filtering service that drops the attack traffic and forwards only clean traffic to the origin), and IP masking (placing the origin behind a proxy or CDN so its real IP address is never exposed, which defeats direct-to-IP attacks only as long as the origin also refuses connections that do not come from the proxy and its address has not leaked through old DNS records or outbound email headers).
Application-layer mitigation profiles incoming traffic to separate DDoS bots from legitimate requests. For an HTTPS flood this means the mitigation service must terminate TLS before it can inspect anything. Inspection then combines several signals: the reputation of the source IP address and its Autonomous System Number (hosting and proxy networks are far more likely to carry bot traffic than residential ISPs), the client's behavior over time (request rate, path patterns, session history), and cross-checks of the HTTP(S) headers (a User-Agent that claims to be a browser but arrives without the Accept-Language and other headers a real browser always sends). Clients that look suspicious but not clearly malicious can be served a challenge, such as a JavaScript proof-of-work or a CAPTCHA, that automated requests struggle to pass, while clearly malicious clients are blocked outright.
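The following is an added example, not code from the original post or from any mitigation vendor, showing how the three application-layer signals described above can be combined into an allow / challenge / block decision. It processes JSON-lines access log records in arrival order, scores each request on source-network reputation (IP/ASN), header consistency, and a sliding-window request rate, and maps the total score to a decision. The ASN table, thresholds, header rules, and the sample log are all constructed for this illustration; a real deployment would take the ASN data from a live database and tune the thresholds to its own traffic.

```python
import json
import ipaddress
from collections import defaultdict, deque

# --- Signal 1: source network reputation (IP / ASN) -----------------------
# Constructed ASN table for this example; a real deployment queries a GeoIP/ASN
# database. Hosting and proxy networks are weighted higher because Mantis-style
# botnets run on compromised VMs and HTTP proxies rather than home connections.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "residential"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "hosting"),
    (ipaddress.ip_network("192.0.2.0/24"), 64502, "proxy"),
]
ASN_CATEGORY_SCORE = {"residential": 0, "hosting": 2, "proxy": 3, "unknown": 1}

def asn_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for net, asn, category in ASN_TABLE:
        if addr in net:
            return asn, category
    return None, "unknown"

# --- Signal 2: header consistency -----------------------------------------
def header_score(headers):
    """Score how much the headers look like a scripted client. Real browsers
    send Accept and Accept-Language alongside a Mozilla/ User-Agent; bots that
    spoof a browser User-Agent frequently omit them."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    if not ua:
        return 3                      # no User-Agent at all
    if ua.startswith("Mozilla/"):
        score = 0
        if "accept-language" not in h:
            score += 2
        if "accept" not in h:
            score += 1
        return score
    return 1                          # declared automation (curl, python-requests, ...)

# --- Signal 3: per-client request rate over a sliding window ---------------
WINDOW_SECONDS = 5.0
CHALLENGE_COUNT = 25   # requests per window before we start challenging
BLOCK_COUNT = 60       # requests per window that alone justify a block

class RateTracker:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.hits = defaultdict(deque)

    def observe(self, ip, ts):
        """Record one request; return how many requests ip made in the window."""
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)

def rate_score(count):
    if count >= BLOCK_COUNT:
        return 4
    if count >= CHALLENGE_COUNT:
        return 2
    return 0

# --- Decision ---------------------------------------------------------------
def decide(score):
    if score >= 5:
        return "block"
    if score >= 3:
        return "challenge"            # e.g. serve a JS challenge or CAPTCHA
    return "allow"

def profile(log_lines):
    """Return one (ip, score, decision) tuple per request, in arrival order."""
    tracker = RateTracker()
    results = []
    for line in log_lines:
        rec = json.loads(line)
        _, category = asn_lookup(rec["ip"])
        count = tracker.observe(rec["ip"], rec["ts"])
        score = ASN_CATEGORY_SCORE[category] + header_score(rec["headers"]) + rate_score(count)
        results.append((rec["ip"], score, decide(score)))
    return results

def final_decisions(results):
    """Last decision reached for each client IP."""
    return {ip: decision for ip, _, decision in results}

# --- Constructed sample log (not real traffic) ------------------------------
BROWSER = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0",
           "Accept": "text/html,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5"}
SPOOFED = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/103.0",
           "Accept": "*/*"}                       # browser UA, no Accept-Language
SCRIPTED = {"User-Agent": "python-requests/2.28.0", "Accept": "*/*"}

def sample_log():
    lines = []
    def add(ip, ts, headers):
        lines.append(json.dumps({"ip": ip, "ts": ts, "path": "/", "headers": headers}))
    for i in range(3):                   # residential browser: 3 requests in 10 s
        add("203.0.113.7", 1000.0 + 4 * i, BROWSER)
    for i in range(2):                   # proxy network, scripted client: 2 requests
        add("192.0.2.5", 1001.0 + i, SCRIPTED)
    for i in range(40):                  # hosting VM, spoofed UA: 40 requests in 2 s
        add("198.51.100.9", 1002.0 + 0.05 * i, SPOOFED)
    return lines

if __name__ == "__main__":
    for ip, score, decision in profile(sample_log()):
        print(f"{ip:15} score={score} -> {decision}")
```

On the constructed log the residential browser is allowed throughout, the scripted client on the proxy network is challenged from its first request, and the hosting VM with the spoofed User-Agent is challenged on its first 24 requests and blocked from the 25th onward once its request rate tips the score over the block threshold. The point of the layered score is that no single signal has to be decisive: a hosting-network source with clean headers and a modest rate is still allowed, while the combination of a bad network, inconsistent headers, and a burst is blocked within a few seconds of the burst starting.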
As mentioned, a DDoS attack may be accompanied by other attacks, and those can target a range of IT assets: DNS servers, web servers, email servers, FTP servers, and ERP and CRM platforms. A DDoS mitigation solution should therefore cover these assets as well, through features such as DNS name-server protection and application protection.
It is also worth examining whether a DDoS defense can protect individual IP addresses. Traditionally, DDoS solutions have shielded entire IP ranges rather than specific addresses that represent specific cloud environments or assets. In modern deployments, where a single workload may sit on a single address, the ability to enable protection immediately for a specific IP or asset is essential.
Continuous protection improvement
This post is not claiming that today's DDoS mitigation services are in their final form. As long as threats keep evolving and threat actors keep finding new ways around defenses, mitigation must keep improving too. It is reassuring that security firms continue to enhance the technologies they offer against DDoS.
Still, buyers of these solutions should choose carefully. Providers differ in DDoS protection performance, not all keep pace with the latest attack methods, and not all account for campaigns that use DDoS as a smokescreen to conceal more serious intrusions.