Distributed Denial of Service (DDoS) attacks are a growing threat to organisations’ security and profitability. A DDoS attack that takes down an organisation’s web presence can dramatically damage sales numbers as customers give up and visit another page in the face of slow page loads or failed connections.

Regardless of when a DDoS attack occurs, having a DDoS protection solution in place is essential to ensuring website availability. However, it can’t even be assumed that a DDoS attack will occur when an organisation is able to respond and take steps to remediate it. The patterns of life of DDoS attacks indicate that they are more likely to occur outside of standard business hours, making an automated DDoS protection solution even more essential.

Introduction to DDoS Attacks

A Denial of Service (DoS) attack is designed to degrade or destroy the ability of a system to provide services to legitimate customers. This can be accomplished in a number of different ways. DDoS attacks take the approach of sending a massive amount of data to a system, overwhelming its ability to process the malicious data as well as the connections of legitimate users.

Overwhelming the ability of most online services to function requires a great deal of computational power and networking bandwidth under the control of the attacker. At some point, every byte of data that is received and processed by the victim must be sent by some other system. Depending upon the amount of computing power that an attacker owns, it may not be possible to overwhelm a target using only their own systems.

Cybercriminals overcome these difficulties in a number of different ways. Some DDoS attackers operate massive botnets. Building these botnets has become cheaper and easier in recent years as the Internet has been flooded with Internet of Things (IoT) devices (with default passwords and use of insecure protocols) and cloud computing has made it possible to lease cheap, Internet-connected computing power. These devices are also scattered all over the world, making it harder to identify and block malicious traffic.

Other innovations in the DDoS attack, like the discovery and exploitation of potential DDoS amplifiers, have also helped to make massive DDoS attacks easier to perform and much more common. The low price of DDoS attacks has also made it possible for DDoS botnet operators to sell their services (and that of their botnets) to interested customers.

With a 1000 device DDoS attack costing only about $7 per hour to run, an enterprise-scale DDoS attack is within the reach of a wide variety of potential customers. As DDoS for hire providers tailor their services to certain users, DDoS attacks are starting to fall into patterns, making it easier to predict when an attack is most likely to occur.

Patterns of Life in DDoS Attacks

Despite the fact that a DDOS attack can be performed by systems around the world, patterns have emerged in the timing of DDoS attacks. In general, a DDoS attack is most likely to occur on a Saturday, and, if performed on a weekday, is likely to fall between the hours of 4 and 8 PM. These patterns of life in DDoS attacks suggest quite a bit about the likely attackers. For one, those ranges line up rather well with when gamers are likely to be playing, after school and work hours. Since many DDoS attacks are targeted against game servers to impact gamer rankings, this timing is unsurprising.

However, for the DDoS attacks not designed to ensure that the attacker keeps the top spot in the ranking list, the timing of DDoS attacks have worrisome implications for businesses. Outside of business hours, a company is likely to be operating with greatly reduced security staff, making it more difficult for them to respond quickly to an attack.

On the other hand, the hours that these DDoS attacks are being performed are also the same hours that customers are likely to be browsing ecommerce sites. A strategically timed DDoS attack that brings down a company’s site during peak sales hours can have a significant impact upon revenue.

Protecting Against DDoS Attacks

As the threat of DDoS attacks grows, organisations need to develop and deploy a DDoS protection plan that can mitigate these attacks when and where they occur. The patterns of life of DDoS attacks indicate that they are unlikely to occur when an organisation is best prepared to defend against them. An attack during off hours, whether during the weekday evenings or on the weekend, could catch an organisation off guard and take longer to remediate.

This is a significant concern since a DDoS attack can have a number of impacts upon a company. Beyond the possible loss of revenue due to a loss of customer access to the organisation’s web presence, DDoS attacks are also commonly used as a smokescreen to hide other, subtler types of attacks. An organisation’s security team that is flustered and caught off guard by an off-hours DDoS attack may miss the data breach that the attack is designed to conceal.

For this reason, deploying a DDoS mitigation solution capable of rapidly and automatically responding to a DDoS attack is essential to an organisation’s security and bottom line. When DDoS attacks catch an organisation wrong-footed, they can’t afford to wait until the security staff makes it to the office and is able to respond.