The ICO exists to empower you through information.

Just as other areas of the digital ecosystem have moved to as-a-service models, cyber criminals are making use of the same business model, offering services and tools as a service for financial gain.

Cybercrime-as-a-service (CaaS) and related tools (booters, stressers, or ddosers) are increasingly available to launch distributed denial of service (DDoS) attacks at scale, to those without any technical knowledge at all.

The Financial Conduct Authority (FCA) has published information about cyber security incidents. DDoS attacks accounted for 25% of all hacking incidents reported to the FCA in the first half of 2022, compared to just 4% in 2021. Hackers are increasingly launching DDoS attacks against the UK’s financial sector, as they move away from using phishing and ransomware, which was down 63% against the same period in the previous year.

According to the most recent UK government cyber security breaches survey, 15% of businesses identified having a denial-of-service (DoS) attack in the last year. Microsoft’s Digital defense report 2023 showed DDoS attacks are continuing to rise, with an average of 1,700 attacks per day in the last year. Criminals are increasingly exploiting cloud computing resources, such as virtual machines, to launch DDoS attacks. Those same cloud resources provide our best defence against such large-scale attacks.

What is a denial-of-service (DoS) attack and how does it happen?

A DoS attack aims to stop the normal functioning of a website or computer network by overloading it and creating a virtual ‘traffic jam’. Overloading the system makes it unusable and causes disruption. DoS attacks cause a machine to consume all available hard disk space, memory, or processing time.

A more complex version of this type of attack is a distributed denial of service (DDoS) attack. The attack still overloads systems, but the hacker uses a network of connected devices to flood the target from multiple points, ‘distributing’ the attack and making it much harder to stop.

DoS attacks either flood web services or crash them. They target organisations and exploit how computer networks connect. Flooding attacks overwhelm systems by sending large amounts of traffic which servers can’t handle, commonly by sending ‘spoof’ information to every computer on a network.

Spoof information is information that the system is tricked into believing is from a legitimate source but is actually from the attacker. This false information overloads the system, causing it to come to a stop.

Alternatively, the criminals transmit software bugs that target the system to crash it.

DoS attacks take advantage of the way computer networks function and the way devices communicate. Misconfiguration or system vulnerabilities make a successful attack more likely.

In some cases, attackers aim to disrupt services for social or political reasons, but profit is usually a key driver.

Network connectivity errors and a heavy bandwidth use can affect performance, but indications of a DoS attack include:

  • exceptionally slow network speeds, with very long load times for files or websites, or a failure to load at all;
  • a sudden loss of connectivity across devices on the same network;
  • being unable to load a particular website; and
  • a sudden and noticeable increase in spam emails (known as an email bomb).

These issues may not be limited to the targeted computer as the available bandwidth is reduced and taken up by the attack.

Why is NIS relevant to denial of service?

The Network and Information Systems Regulations 2018 (NIS) concern systems that process ‘digital data’ for operation, use, protection, and maintenance purposes. NIS requires specific security requirements and incident reporting thresholds for Operators of essential services (OES) and Relevant digital service providers (RDSPs).

Clearly, a denial-of-service attack could significantly impact the availability of services and information. Therefore, for RDSPs, there may be additional reporting requirements. The magnitude, frequency and impact of security incidents is increasing, and network and information systems may become a target for harmful actions.

What might help reduce risks from denial-of-service attacks?

Our review of cases indicates that it might be helpful for you to take the following actions:

  • Consider purchasing services which help defend and recognise legitimate increases in network traffic from possible attacks, as prompt detection makes an attack easier to contain.
  • Check your firewalls and routers are correctly configured and updated with the latest security patches and consider a router that has in-built DDoS protection.
  • Consider using hardware to help classify information before traffic reaches the server.
  • Consider leveraging third party DoS protection services.
  • Have a tested business continuity and disaster recovery plan.

In cases of DDoS attack, there may be another surge in traffic before recovery is complete, so on-going monitoring is essential.

What are the likely future developments?

The number of DDoS-for-hire platforms continues to rise, with 20% having emerged in the past year alone, according to Microsoft’s Digital defence report 2023.

In 2023, the cyber warfare associated with the Ukrainian conflict saw DDoS used as a key weapon to paralyse essential services. DDoS attack numbers reportedly rose following the Russian invasion in February. Just prior to the start of the conflict there had been a rise in carpet bomb attacks, a DDoS attack type that targets a range of addresses or subnets.

These are designed to attack multiple small targets, rather than a single, main target. These attacks expand to a range of IP addresses that share the same network provider or data centre. They can bypass traditional DDoS detection methods and alerts, going undetected. This invalidates the use of black hole or null route techniques and overloads reporting systems.

It is likely that machine learning will play a part in future mitigation strategies, but also attack techniques, just as with other aspects of cyber security. Machine-learning based algorithms can learn normal (and therefore expected) traffic patterns. This allows them to subsequently detect anomalies and detect a likely DDoS attack automatically.