The first half of 2021 saw a 33 percent year-on-year increase in DDoS attacks, and attack bandwidth rose sharply along with the number of high-volume attacks. Ransomware has been the most widely reported cyber attack of recent months, but DDoS remains a significant threat that organizations need to prepare for.
Using artificial intelligence and machine learning to fend off DDoS and other cyber attacks is not a novel concept; many security firms have tried it in the past with varying success. However, AI is once more taking centre stage, with Google announcing a new tool for defending against DDoS attacks launched by botnets.
A Google representative says that they have been “building and maturing this technology with internal and external design partners and testers over the last few years.” The technology has existed for years, but it took time to mature.
Aiding detection and mitigation
Is machine learning or AI necessary to fight DDoS? The answer is a resounding yes. Distributed denial of service attacks have been increasing in both volume and sophistication. “Due to the increasingly sophisticated attack techniques being used by hackers, many security tools are reaching their limits,” says ICT business leader Marc Wilczek.
Static rules and human monitoring cannot keep up with the dynamic nature of DDoS attacks, especially given the growing number of internet-enabled devices. DDoS perpetrators have creative and discreet ways of introducing malware into mobile, IoT, and other internet-connected gadgets to turn them into attack agents. These devices are then used to flood web servers with anomalous traffic that is hard to identify and block.
Conventionally, a human analyst would have to observe and assess traffic meticulously to determine whether it is legitimate or malicious. IP address filtering alone does not work: identifying and grouping the offending addresses one by one is impractical when the traffic comes from a wide range of real, malware-infected devices that have been turned into DDoS agents.
Filtering requests by time or region alone is not viable either, because it risks blocking legitimate requests and creating problems for existing and potential customers or site visitors.
AI or machine learning helps by establishing patterns of legitimate user activity and detecting traffic that deviates from them. It may sound simple, but it is not: different websites and app servers serve different kinds of users with their own distinct activity, and it would be impossible for humans to write rules covering that activity when hundreds of thousands or millions of users are involved.
Once a DDoS attack is detected, the crucial next step is minimizing its impact and restoring any services that have been disrupted. Here, too, AI plays an important role.
DDoS mitigation services that use AI or machine learning divert and filter the attack traffic, then analyze it to build defences against similar attacks in the future. Automating all of these steps is what makes a prompt response possible and prevents an incident from escalating into the dreaded complete interruption of websites and web services.
Establishing patterns and cross-matching behaviours
The user activity data behind AI-driven DDoS protection consists of many signals that are not evaluated individually but correlated to build a picture of what regular traffic looks like. They include how much of the backend each request consumes, such as network bandwidth, CPU time, and memory.
DDoS attacks seek to force a system into downtime, so most try to hog as much of its resources as possible. Some, however, mimic normal per-request resource usage, which makes them hard to tell apart: instead of sending individually expensive requests, they rely on sheer volume to deny service to a website or web app's users.
This trick makes it difficult to distinguish legitimate from anomalous requests on their own. When the activity is compared against other data about normal usage, however, the distinctions emerge.
For example, a large volume of requests from IP addresses in a region that normally generates little activity at that time of day for a given store or web app is unusual. Comparisons like this narrow down whether a particular traffic surge is legitimate.
This is an oversimplified example, but it summarizes why machine learning plays a critical role: determining patterns and cross-matching activity by hand would take far too long to be useful during an attack.
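The two ideas above, a baseline of legitimate activity and the region-at-an-unusual-hour comparison, can be made concrete with a small detector. The Python below is an added example, not Google's tool or any vendor's code and not from the original article: it builds a per-(region, hour) baseline from a week of constructed normal traffic, cross-matches two signals per cell (request count and per-request CPU cost), and scores a new window against that baseline, so the same 300 requests per hour read as normal in a busy cell and as a surge in a quiet one. The region names, the busy/quiet traffic shape, the feature names and the thresholds are assumptions for illustration, and a plain z-score rule stands in for a trained model.

```python
"""Baseline-and-deviation scoring of traffic cells keyed by (region, hour).

Added example, not code from Google or any DDoS vendor. The traffic shape,
regions, feature names and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Signals that are cross-matched per cell: how many requests arrived, and how
# expensive each one was on the backend (assumed feature names).
FEATURES = ("requests", "cpu_ms_per_req")


def constructed_history(days=7):
    """Constructed 'normal' traffic: two stores, busy 09:00-17:00, quiet otherwise,
    with a small day-to-day wobble so the baseline has a non-zero spread."""
    shape = {"US": (1000, 100), "APAC": (400, 20)}  # (busy, quiet) requests/hour
    rows = []
    for day in range(days):
        wobble = day % 2
        for region, (busy, quiet) in shape.items():
            for hour in range(24):
                n = (busy if 9 <= hour < 17 else quiet) + 5 * wobble
                rows.append((region, hour, {"requests": n, "cpu_ms_per_req": 5 + wobble}))
    return rows


def build_baseline(history):
    """history: iterable of (region, hour, {feature: value}).
    Returns {(region, hour): {feature: (mean, population_stdev)}}."""
    cells = defaultdict(lambda: defaultdict(list))
    for region, hour, feats in history:
        for name in FEATURES:
            cells[(region, hour)][name].append(feats[name])
    return {cell: {name: (mean(vals), pstdev(vals)) for name, vals in per_feat.items()}
            for cell, per_feat in cells.items()}


def score_cell(baseline, region, hour, feats, z_threshold=4.0, rel_floor=0.10, min_std=1.0):
    """Score one observed cell against the baseline.
    Returns (max_z, feature_with_max_z, flagged). A cell never seen in the
    baseline is compared against zero, so any real traffic from it stands out."""
    stats = baseline.get((region, hour), {})
    worst_z, worst_name = float("-inf"), None
    for name in FEATURES:
        mu, sd = stats.get(name, (0.0, 0.0))
        # Floor the spread: a flat baseline must not turn a 1% change into a huge z,
        # and a zero spread must not divide by zero.
        sd = max(sd, rel_floor * mu, min_std)
        z = (feats[name] - mu) / sd
        if z > worst_z:
            worst_z, worst_name = z, name
    return round(worst_z, 2), worst_name, worst_z > z_threshold


def score_window(baseline, window, **kw):
    """window: iterable of (region, hour, feats). Returns only the flagged cells."""
    flagged = []
    for region, hour, feats in window:
        z, name, hit = score_cell(baseline, region, hour, feats, **kw)
        if hit:
            flagged.append((region, hour, name, z))
    return flagged


if __name__ == "__main__":
    bl = build_baseline(constructed_history())
    # Constructed observation window: the same 300 requests/hour means very
    # different things depending on which cell they land in.
    window = [
        ("APAC", 3, {"requests": 300, "cpu_ms_per_req": 5}),    # quiet cell: surge
        ("APAC", 12, {"requests": 300, "cpu_ms_per_req": 5}),   # busy cell: a slow day
        ("US", 12, {"requests": 1300, "cpu_ms_per_req": 5}),    # within normal spread
        ("US", 12, {"requests": 1000, "cpu_ms_per_req": 30}),   # normal count, costly requests
    ]
    for hit in score_window(bl, window):
        print("flagged:", hit)
```

The relative floor on the spread is the part most often missing from toy z-score detectors: a store whose hourly count barely moves from day to day would otherwise flag a 2 percent uptick, which is exactly the false positive that drives customers away. The fourth window entry shows the cross-matching point: the request count is normal, but the per-request cost is not, and the cell is flagged on that feature rather than on volume.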
Machine vs Machine
Unfortunately, machine learning and AI are not exclusive to cyber defenders; bad actors can take advantage of them too. A late 2020 study revealed the growing incidence of distributed denial of service as a service (DDoSaaS).
The DDoS cybercrime sub-sector has expanded its “business” with the DDoS as a service (DDoSaaS) model, aimed at bad actors who lack the technical know-how to build their own botnets. Operators develop potent botnets and lease them to anyone who wants to use DDoS to attack a business competitor, extort a company, or pursue state-sponsored attacks.
Dealing with DDoS is hard enough, and it gets more complicated when attacks are made convenient through rentable DDoS infrastructure. It becomes logical to employ machine learning to go toe-to-toe with an adversary that is equally well equipped.
Botnets are becoming remarkably good at emulating regular traffic, making it extremely challenging to distinguish legitimate users from DDoS agents. These are the so-called Layer 7 (application-layer) attacks, which use “well-formed” requests that each look valid on their own. Without AI, catching them would be a tall order.
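Why well-formed requests defeat per-request checks, and what a behavioural view adds, can be shown on an access log. The Python below is an added example, not from the original article and not any vendor's product: it parses constructed Common Log Format lines in which every request from every client would pass validation, then looks at each client's requests together and derives three behavioural features, request count, the regularity of the gaps between requests, and the share of requests hitting expensive endpoints. The IP addresses, paths, endpoint list and thresholds are assumptions, and a hand-set rule stands in for the trained model the text describes.

```python
"""Per-client behavioural scoring of individually well-formed HTTP requests.

Added example, not code from the original article or any vendor. Log lines,
client addresses, the 'expensive endpoint' list and thresholds are constructed.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common Log Format, e.g.
# 198.51.100.7 - - [10/Oct/2021:13:55:00 +0000] "GET /search?q=a HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DYNAMIC_PREFIXES = ("/search", "/api/", "/checkout")  # assumed backend-heavy endpoints


def parse_log(lines):
    """Group requests per client IP: {ip: [(datetime, path), ...]} in log order."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        per_client[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), m["path"]))
    return per_client


def client_features(requests):
    """Behavioural features for one client's request list."""
    times = sorted(t for t, _ in requests)
    paths = [p for _, p in requests]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(intervals) >= 2 and mean(intervals) > 0:
        # coefficient of variation of the gaps: ~0 for a metronome, >1 for a person
        interval_cv = pstdev(intervals) / mean(intervals)
    else:
        interval_cv = math.nan  # too few requests to judge timing
    dynamic_share = sum(p.startswith(DYNAMIC_PREFIXES) for p in paths) / len(paths)
    return {"count": len(paths), "interval_cv": interval_cv, "dynamic_share": dynamic_share}


def classify(f, min_count=8, max_cv=0.3, min_dynamic=0.9):
    """Hand-set rule standing in for a trained model: flag a client that sends
    enough requests, at near-constant intervals, almost all to expensive endpoints."""
    return (f["count"] >= min_count
            and not math.isnan(f["interval_cv"])
            and f["interval_cv"] < max_cv
            and f["dynamic_share"] >= min_dynamic)


def analyse(lines):
    """Return {ip: (features, flagged)} for every client seen in the log."""
    result = {}
    for ip, reqs in parse_log(lines).items():
        f = client_features(reqs)
        result[ip] = (f, classify(f))
    return result


def constructed_log():
    """Constructed access log: a browsing human, a heavy but human-like user,
    and a bot whose requests are all individually valid."""
    base = datetime(2021, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = []
    # human: a page, its assets, one search, a product page and its image, irregular gaps
    events += [("203.0.113.10", off, path) for off, path in
               [(0, "/"), (1, "/static/app.css"), (1, "/static/app.js"),
                (7, "/search?q=shoes"), (19, "/product/42"), (20, "/static/42.png")]]
    # heavy user: as many requests as the bot, but mixed paths and bursty gaps
    heavy = ["/", "/static/app.css", "/search?q=boots", "/product/7", "/static/7.png",
             "/search?q=boots+red", "/product/9", "/static/9.png", "/cart", "/static/app.js",
             "/checkout", "/static/pay.js"]
    offsets = [0, 1, 5, 14, 15, 40, 48, 49, 70, 71, 95, 96]
    events += [("203.0.113.55", off, path) for off, path in zip(offsets, heavy)]
    # bot: every 2 seconds a fresh, perfectly well-formed search query
    events += [("198.51.100.7", 2 * i, f"/search?q={i}") for i in range(12)]
    lines = []
    for ip, off, path in events:
        ts = (base + timedelta(seconds=off)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for ip, (feats, flagged) in analyse(constructed_log()).items():
        print(ip, feats, "FLAGGED" if flagged else "ok")
```

The heavy user and the bot send the same number of requests, and every single line from both returns 200, so neither a rate limit nor a request validator separates them. The timing and endpoint-mix features do, which is the kind of signal a learned model would pick up across many more dimensions than a three-feature rule can.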
DDoS is unlike other cyber attacks, which are usually carried out discreetly to get past cyber defences. It is a largely straightforward attack whose goal is to take down websites or interrupt web services by overloading their servers with malicious or unwanted requests. Stopping it, however, is hardly straightforward: it is not easy to determine which specific requests are legitimate and which are anomalous.
Establishing patterns of legitimate activity is crucial for spotting anomalous activity once it appears in large volumes. This requires analyzing enormous amounts of data, which would be impossible for humans to handle but is relatively easy for machines.
In the end, Google's announcement of its machine learning-driven DDoS defence tool does not mean it is the only viable option. It shows that AI does work against distributed denial of service attacks, and other security firms offer similar solutions with good outcomes.