Detecting DDoS attacks: how to tell a real attack from fake news using AI and common sense


This article is part of our Opinions section.


DDoS attacks are frequently making front-page news at the moment, with prominent companies reporting attacks on what feels like a weekly basis. Microsoft’s recent global outage caused chaos when a DDoS mitigation mechanism went awry, leaving users unable to access several services, including Office, for ten hours.

Other recent claims of DDoS downtime have been more dubious. When X’s ‘Space’ platform for live streaming went down, Elon Musk blamed a DDoS attack – the evidence suggests this isn’t true. 

But it raises a fair question. When trying to protect yourself against downtime, how can you accurately detect the DDoS attacks that cause it? And, can AI save the day? 

The old ways are no longer the best ways 

Traditionally, one of the most popular ways of detecting DDoS attacks has been to monitor incoming traffic via threshold-based DDoS detection methods. By counting the number of requests coming into specific servers or IP addresses, any unusually large amount of requests can be swiftly spotted and dealt with.

This remains true, in theory. But attackers are getting smarter: we’re seeing a move away from purely volumetric attacks, with attackers favouring ‘low and slow’ methods that manipulate traffic at the application level to exhaust server resources without consuming much bandwidth. Because the request rate stays modest, these attacks are practically invisible to traditional traffic-monitoring detection and are nearly impossible to distinguish from regular network traffic on volume alone.
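As an added illustration (not code from the article or from Nexusguard), the Python below compares a per-client request-count threshold with a check on how much server worker time each client consumes over a 60-second window. Over constructed sample traffic, the flood trips the count threshold while the low-and-slow client does not, but both stand out on held worker time. The traffic summary, IP addresses and thresholds are invented assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 60

# Constructed sample traffic for one window (not real data):
# (client_ip, requests_in_window, seconds each request holds a server worker,
#  comparable to nginx's $request_time).
SAMPLE_TRAFFIC = [
    ("198.51.100.10", 30, 0.05),    # ordinary user
    ("198.51.100.11", 45, 0.05),    # ordinary user
    ("203.0.113.5", 5000, 0.02),    # volumetric flood: many cheap requests
    ("192.0.2.77", 12, 55.0),       # low and slow: few requests, each held open
]


def expand(traffic):
    """Turn the summary into per-request records of (client_ip, seconds_held)."""
    return [(ip, secs) for ip, n, secs in traffic for _ in range(n)]


def threshold_detector(records, max_requests):
    """Classic rate threshold: flag clients sending more than max_requests."""
    counts = defaultdict(int)
    for ip, _ in records:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_requests}


def worker_time_detector(records, window_seconds, max_share):
    """Flag clients whose summed request time exceeds max_share of one
    worker's capacity in the window (e.g. 0.5 = half a worker, continuously)."""
    held = defaultdict(float)
    for ip, secs in records:
        held[ip] += secs
    return {ip for ip, t in held.items() if t / window_seconds > max_share}


def compare(traffic=SAMPLE_TRAFFIC, max_requests=1000, max_share=0.5):
    """Run both detectors on the same records and return their verdicts."""
    records = expand(traffic)
    return {
        "by_request_count": threshold_detector(records, max_requests),
        "by_worker_time": worker_time_detector(records, WINDOW_SECONDS, max_share),
    }


if __name__ == "__main__":
    for name, flagged in compare().items():
        print(f"{name}: {sorted(flagged)}")
```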

While these methods may detect some DDoS attacks, organisations can no longer afford to just detect and stop ‘some’ or even ‘most’ attempted DDoS attacks. Just five years ago, Facebook’s 14-hour outage cost it $90 million; fast forward to today and the losses from the recent CrowdStrike outage are estimated to range from $300 million to a whopping $1 billion. DDoS detection has never been more vital. 

AI, a knight in shining algorithms? 

No one needs to be reminded that AI has now made its way into pretty much every sector, including cyber security. It’s one of the main reasons why these traditional detection methods are becoming so outdated and, frankly, ineffective. Even government bodies, like the UK’s National Cyber Security Centre (NCSC), are warning organisations of the risks that AI adoption is bringing to current cyber security defences.

Attackers are now using machine learning (ML) algorithms to bolster their DDoS attacks, making it practically impossible for traditional detection methods to identify and stop them. To make things worse, these AI-enabled DDoS attacks can now evolve in real time once inside a system to bypass any countermeasures deployed against them.

So, how do you detect them early and stop them from getting inside in the first place? Quite simply, you fight fire with fire. Sure, attackers can benefit from using AI in their attacks, but organisations defending against them can also take advantage of AI. In fact, nearly 50% of enterprises are already doing so, using a mix of AI and ML tools to bolster their cybersecurity. 

Most vitally, ML can be used to enhance the traditional methods of DDoS attack detection and replace the older, threshold-based model. By using specifically trained ML models, organisations can deploy predictive models that near-instantly analyse large amounts of traffic data to detect malicious attack patterns and act accordingly to defend against them.

Detecting DDoS attacks: beyond traffic analysis

AI can also be used to add new dimensions to DDoS detection beyond traffic analysis.

AI-powered algorithms can also be applied to data from outside sources such as threat intelligence feeds and social media to identify potential planned cyber threats. With the rise of DDoS-as-a-service, this additional layer of detection will be vital for organisations to pre-emptively counter these possible attacks.

The same method can also be applied to carry out behavioural analysis to identify anomalies in user behaviour that could signal a future security threat. AI can then alert security teams to investigate it instantly to prevent a breach before it even starts. 

In the current climate where everything is seemingly AI-powered, it’s unsurprising that the most accurate method of DDoS detection follows suit. But beyond the benefits it provides for DDoS detection, AI also allows the automation of routine security tasks such as patch management, incident response and threat hunting. It reduces the historically heavy workload that security teams deal with, freeing them to focus on the tasks that AI can’t do.

So, while it’s a nuisance to deal with AI-enabled DDoS attacks, AI can also allow organisations to detect them far more accurately and give security teams the capacity to defend against them and avoid that dreaded downtime. Plus, the accuracy it provides greatly reduces (but seemingly doesn’t remove) the risk that someone will incorrectly blame their downtime on DDoS.

Donny Chong

Donny Chong is a Product & Marketing Director at Nexusguard, where he's responsible for designing the company’s solutions for the enterprise segment. He has contributed to TechFinitive under the Opinions section.
