
How AI has changed the DDoS industry

COMMENTARY: A decade ago, launching a DDoS attack required a fairly technical set of skills.

Today, booter/stresser services available on the dark web (known collectively as the DDoS-for-hire industry) have significantly lowered the barrier for launching complex Distributed Denial-of-Service (DDoS) attacks. These services are easy to use and offer users ready-made infrastructure with advanced features that they can rent at any price range.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Indeed, many offer significant innovations in automation, pre-attack reconnaissance, and, more recently, the integration of artificial intelligence (AI). Unfortunately, these innovations are also making many traditional defenses less effective, with profound implications for security professionals tasked with keeping their organizations’ IT infrastructure secure and available.

The emerging role of AI in cyberattacks

In comparison to traditional DDoS attacks, which often rely on brute force or high volumes of traffic, attacks that leverage AI and automation are more targeted and intelligent in their approach. For example, though relatively new on the scene, AI has already been used to get around CAPTCHA boxes designed to verify whether a visitor is human or not. Superior AI image recognition lets attackers understand and bypass these barriers.

In the near future, we may also see AI enable:

  • Real-time adaptation to evade defense parameters: This may include AI-driven attacks to quickly change attack vectors (HTTP flooding vs SYN flooding), packet size, or frequency until they achieve success. This could be challenging for defenders relying on static defenses, such as rate-limited thresholds, as AI could quickly adjust the traffic flow to remain just under the detection limit.
  • Behavior mimicry: By mimicking human-like browsing behavior, AI-driven bots could make it harder for traditional security tools to distinguish between legitimate users and attackers.

Automation also contributes to the sophistication of DDoS attacks, eliminating traditional manual processes and allowing for more efficient scheduling, repetition, and overall optimization of attacks. This can mimic AI-like capabilities. In response, organizations need to prepare for prolonged and constantly evolving attacks that test their defense capabilities.

Reinventing cyber defense strategies to combat AI-driven attacks

Just as AI will change how attackers behave, defenders need to consider how to strengthen their responses with the latest advances in AI/ML. Organizations should consider implementing some, if not all, of the following tactics:

  • Tap into global threat intelligence feeds: It's powerful for teams to know where DDoS attacks happen globally at any given time, because organizations can automatically block IP addresses from known botnets and attackers as they are reported.
  • Behavioral analysis through machine learning: Small nuances in traffic patterns can indicate if there's an automated or AI-driven attack. The main difference between automation and AI: one of them can learn. Automation will simply flip from one pattern to the next without really learning from the defensive actions taken. In contrast, AI-driven attacks might learn the responses of defenders and deviate from set patterns to further complicate the mitigation of the attack. Defensive tools with AI/ML capabilities can quickly analyze massive amounts of data to pick up on subtle signs of abnormal behavior (such as clustering on source IPs coming from shared infrastructure or originating from specific types of devices).
  • Advanced CAPTCHA mechanisms: Since AI can now bypass traditional CAPTCHA systems, organizations should consider adopting more sophisticated verification techniques, such as biometric CAPTCHA or multi-step user verification.

In short, the combination of AI and automation by the DDoS-for-hire industry has made many traditional defenses and conventional measures like rate-limiting obsolete. Traditional defenses alone will no longer suffice in combating these advanced, adaptive attacks. Security teams must prioritize innovation, leveraging real-time intelligence, machine learning, and next-generation countermeasures, to stay ahead of attackers.

Only by adopting a proactive, AI-driven defense strategy can organizations reduce vulnerabilities and maintain resilience in an increasingly complex threat environment.
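The gap between a static per-source rate limit and the source-IP clustering signal described above can be shown on a small traffic window. This is an added example, not code from the column or from Netscout; the threshold values, function names and the sample window are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PER_IP_LIMIT = 100   # assumed static rule: requests per source per window
HUG_BAND = 0.8       # "just under the limit" = 80-100% of PER_IP_LIMIT
MIN_HUGGERS = 10     # sources in one prefix needed to call it coordinated

def static_rate_limit(counts):
    """Classic per-source threshold: returns the IPs it would block."""
    return {ip for ip, n in counts.items() if n > PER_IP_LIMIT}

def threshold_hugging_prefixes(counts, prefix_len=24):
    """Group sources by network prefix and flag prefixes where many
    sources sit in the band just below the per-IP limit."""
    by_prefix = defaultdict(list)
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_prefix[net].append(n)
    flagged = {}
    for net, rates in by_prefix.items():
        floor = HUG_BAND * PER_IP_LIMIT
        huggers = [r for r in rates if floor <= r <= PER_IP_LIMIT]
        if len(huggers) >= MIN_HUGGERS:
            flagged[str(net)] = {"sources": len(rates),
                                 "huggers": len(huggers),
                                 "total_requests": sum(rates)}
    return flagged

def build_sample_window():
    """Constructed one-minute window of per-source request counts."""
    counts = {}
    # 40 sources in one documentation-range /24, each pacing at 90-99 req/min
    for host in range(1, 41):
        counts[f"203.0.113.{host}"] = 90 + host % 10
    # ordinary visitors in unrelated prefixes, low and uneven rates
    for i, n in enumerate([3, 12, 7, 41, 1, 18, 25, 9]):
        counts[f"10.{20 + i}.0.{10 + i}"] = n
    # one noisy client that the static rule does catch
    counts["192.0.2.77"] = 450
    return counts

if __name__ == "__main__":
    window = build_sample_window()
    print("static rule blocks:", static_rate_limit(window))
    print("prefix view flags:", threshold_hugging_prefixes(window))
```

The static rule blocks only the single noisy client, while the prefix view surfaces the 40 paced sources that together account for most of the window's requests.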

Richard Hummel, director of threat intelligence, Netscout

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
