• Richard Blech

A Look at DDoS and Disrupting its Disruption

Distributed denial-of-service, or DDoS, attacks have become more powerful and frequent. According to one report, the number of DDoS attacks will exceed 15 million in 2023, more than double what it was in 2018. They are also becoming more sophisticated, using two or more vectors, such as TLS manipulation and DNS floods.

Hackers are adding to that sophistication by integrating artificial intelligence and machine learning into the attacks to detect the most vulnerable systems and to reconfigure themselves to actively deter detection and modify attack strategies in mid-attack. At the same time, many of the cybersecurity solutions that are widely used today haven't been able to thwart the increasing tide of DDoS attacks, creating a security gap in organizations’ cybersecurity infrastructures where proactive mitigation measures should be.


A DDoS attack is a deliberate attempt to make an application or website unavailable to users by bombarding it with network traffic. Multiple systems will besiege a target by flooding the bandwidth or resources to provoke a denial-of-service, or DNS. A DDoS attack can utilize connection requests, incoming messages, incorrectly assembled packets or incoming messages to generate the DNS.

The primary goal of a DDoS attack is to disrupt the availability of a target. Cyber actors who use DDoS attacks will target all types of endpoints—anything connected to the network—including workstations, servers, mobile devices, etc. These endpoints can be infected with malware or ransomware for a specific purpose. Like MITM attacks, DDoS attacks are also used in combination with other attack methods as part of a multipronged approach to execute advanced persistent threats.


These attacks are executed using botnets, or vast networks of computers, devices, servers, routers, workstations, IoT devices, etc., all of which are managed by a central server. Theoretically, a botnet can be composed of bots of an unlimited number; botnets composed of hundreds of thousands of bots is very common. DDoS attacks can also be implemented from a group of thousands of network devices that are not necessarily compromised, but that are misconfigured in such a way that they can be manipulated into being part of a botnet even while they are operating normally/as they should be.

DDoS attacks can generate as much as many terabits of data, like in the Amazon Web Services network volumetric DDoS attack in 2019 that peaked at 2.3 Tbps before the company was able to mitigate it. There is also the 2017 Google DDoS attack that was disclosed in 2020. Suspected to have been launched by a hacking group backed by the Chinese government, the attack lasted for over six months and peaked at 2.5Tbps.

It is worth noting that DDoS attacks are harmful at both sides of the attack: The devices that are used to transmit the malicious traffic to the target can also experience deterioration of service.


IoT devices can be used to deploy immense DDoS attacks. Because the devices used in a typical IoT system are armed only with the hardcoded authentication credentials they were manufactured with and organizations fail to add supplemental security layers to make the devices more secure, they present a large attack surface for hackers. These vulnerable devices can be exploited by cybercriminals to create more extensive botnets. With the accelerated proliferation of IoT, IIoT and smart devices brought on by the rollout of 5G technologies, there is an astronomically growing number of potential endpoints that can be compromised to launch DDoS attacks. The source code of the 2016 Mirai IoT botnet is often used as a foundation for many current IoT DDoS attacks.


DDoS attacks generally impact the network, transport, presentation and application layers of the OSI model.

  • Network-focused or volumetric attacks overload a target by bombarding the available bandwidth with packet floods to destroy the network stack. For example, UDP floods overwhelm miscellaneous ports on servers with UDP packs to that the system cannot respond to legitimate applications. ICMP floods rush servers with ICMP echo requests from spoofed IP addresses to achieve overloading.

  • Protocol attacks are deployed on the network layer or transport layer protocols by leveraging any flaws in the protocol to overburden the desired resources. One example is the SYN flood attack, in which a flood of SYN packets is sent to disrupt the three-way handshake that takes place when users connect to TCP services, like web servers.

  • Application layer DDoS attacks, are the most sophisticated form of DDoS attacks, targeting a specific functionality of a target by burdening the function or process with excessive numbers of requests. In one type, HTTPS floods, hackers send HTTP requests that seem to be from a real user of the targeted application.


Mitigating DDoS attacks begins with assuming that such attacks are inevitable. As such, an organization’s responsibility is two-fold: It has to fortify its IT system, and it has to ensure that the endpoints in its IT system cannot be wielded in a botnet. This entails reducing the attack surface of the IT system.

The attack surface and the other vulnerabilities of an IT system can be addressed with multi-level cybersecurity strategy that features the integration of effective security technology, including encryption and cryptography solutions.

XSOC's SOCKET is a more efficient alternative to SSL/TLS as it does not have the inherent vulnerabilities that make SSL/TLS susceptible to DDoS attacks. For example, web applications that are delivered over TLS can be at risk because the TLS negotiation process can be attacked. SOCKET enables security of the web application using a secure symmetric key exchange and can significantly minimize the attack surface of network environments.

Using refined algorithmic sharding mechanism and double-blind exchange infrastructure, WAN-SOCKET, XSOC Corp's cryptographic key exchange for fully open networks, can be used to help secure devices, including IoT and IIoT devices.

ERP can be used as a data security supplement for web-based applications. The protocol, which was initially created for IIoT applications, can also be used to help reject bogus traffic.

Having the right solution in the right place within the IT system, along with engaging in cybersecurity best practices can help provide the best defense against DDoS attacks. Talk with one of our cybersecurity experts to learn how XSOC CORP's encryption and cryptography should be a part of your organization's arsenal.