The Rise of AI Driven DDoS Attacks

What keeps me awake at night is the thought of artificial intelligence lying in wait in the hands of bad actors. Artificial intelligence combined with the reach of IoT-based attacks creates an environment ripe for mayhem. It is easy to write about but hard for security professionals to combat: an AI-driven attack brings more force, severity and speed, and can change the face of a network or application in seconds.

When I think of the capabilities artificial intelligence has in the world of cybersecurity, I know that unless we prepare well we will be like Bambi walking in the woods.

The time is now to prepare for the unknown. Security professionals must examine the classical defense mechanisms in place and determine whether they can withstand an attack driven by artificial intelligence.
Fail to prepare, prepare to fail

The arrival of new technologies brings an abundance of security threats, and new products are released to cover the inadequacies in protocols. With today's attack surface, no one can ever be fully secure. Almost secure is good enough for most, and security teams work on the basis that it's not a matter of if but when.

There are well-known mechanisms to combat distributed denial of service (DDoS) attacks: widen the perimeter, offload to a scrubbing center, and tackle the problem head-on. Then IoT-based attacks raised the bar and caused respectable networks to fall flat. However, there is only so much bandwidth out there, and the headlines are often worse than the capabilities.

What I haven't heard much about is the repercussions of artificial intelligence in the hands of bad actors, a combination that will inevitably unlock a more powerful form of DDoS attack. A machine does not stop, get tired, lose concentration or panic. An AI-based attack keeps its cool and maintains constant momentum while under pressure from defense mechanisms.
The only way to fight a machine is with another machine; any other way is useless. Unless you want to be left blindfolded, security professionals must introduce artificial intelligence on the defense side rather than rely on traditional defense mechanisms alone.

An AI-based defense comes in two flavors, unsupervised and supervised machine learning, with unsupervised learning the stronger of the two for this problem. L7Defense is a pioneer in defending against attacks in real time using unsupervised machine learning.

From scripts with loops to automated AI-based attacks
Did you know the first DoS attack was carried out in 1974? Denial of service went mainstream with the classical bots of the early 2000s, which still relied on a manual approach. Essentially, DoS is when a bad actor sends enough traffic to overwhelm a system.

Back then, attacks were pretty basic. Even when tools were not readily available, anyone with moderate technical skill could carry one out. A single machine would send a single attacking signature, and what passed for automation was manual keyboard entry.

This proved inefficient, and bad actors quickly moved from manual to semi-manual: a simple script with a few loops gave a degree of automation. However, the attacking signatures were still limited to those preconfigured in the script, and only one source IP was used. The attack surface and vectors were limited.

We then moved into a semi-automated wave with multiple attacking IP sources. The introduction of command and control (C&C) servers shifted DoS into distributed denial of service (DDoS). C&C servers are centralised machines, controlled by bad actors, that send commands to and receive output from infected hosts. They were not sophisticated, but they could control a number of infected end hosts, spreading the attack source. Each infected computer was a bot, and collectively they formed a botnet.

The bots received predefined commands from the C&C servers and carried out a set pattern of attack signatures. The signatures were set in stone regardless of how well the defense side was doing, and the bots remained static because the C&C servers issued the same commands to each of them. The scale of the attack increased but the intelligence didn't: more spread and a larger attacking surface, with the same intelligence behind it.

Malware automation
The major turning point in the evolution of DDoS came with the automatic spreading of malware (malicious software). Self-propagating malware became the major route to automation and marked the first phase of fully automated DDoS attacks: distribution could be increased and attacks scheduled without human intervention.

Malware could automatically infect thousands of hosts and use lateral movement techniques to spread from one network segment to another. Establishing a foothold in a new segment is known as beachheading, and malware could beachhead from one part of the world to another.

There was still one drawback, and for the bad actor it was a major one. The environment was static, never dynamically changing signatures based on responses from the defense side. The bots did not vary their behavior; they were ordered by the C&C servers to sleep and wake up, with no mind of their own.

As I said, there is only so much bandwidth out there, so these network attacks started to become less effective. Bad actors sidestepped: some targeted the application layer instead of the network infrastructure, and reflection attacks appeared, soon enhanced by amplification to squeeze far more volume out of the same attacker bandwidth.

Distributed reflection denial of service (DRDoS) attacks were the worst of that era. Reflection attacks abuse user datagram protocol (UDP) services. UDP is connectionless by design: there is no handshake, so the receiver never validates the source IP address, the address of the client requesting the service. That lack of validation makes it possible for someone to pretend to be you by using your IP address as the source, known as IP spoofing.

The legitimate host whose IP address was spoofed is then overwhelmed when the UDP servers send their responses to it. The UDP server acts as the reflector, hiding the identity of the bad actor. Amplification exploits the fact that responses are generally much larger than the requests that trigger them.

A simple DNS request for www.network-insight.net can trigger a response carrying many IP addresses and additional records. If a DNS server amplifies requests by a factor of 200, a bad actor with 100 Mbps of bandwidth can, using reflection and amplification together, direct 20 Gbps at the victim. Now imagine thousands of reflectors.
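The arithmetic above and the shape of the traffic it produces, as an added example that is not part of the original article and not L7Defense's code. It builds a minimal DNS query so the request size is real rather than guessed, computes the amplification factor and the bandwidth delivered to the victim, and then runs a reflection-victim heuristic over a handful of constructed UDP flow records: a victim receives large responses from many reflector service ports that it never sent requests to. The response sizes, the flow records and the thresholds are assumptions for illustration.

```python
import struct
from collections import defaultdict

# UDP services commonly abused as reflectors (source port of the reflected traffic).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def build_dns_query(name: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query payload (RFC 1035 wire format).

    qtype 255 (ANY) is the classic amplification choice: one small question
    elicits every record the server holds for the name.  No EDNS0 OPT record
    is added, so this is the smallest request shape; real attacks add one to
    lift the 512-byte UDP response limit and make the ratio even worse.
    """
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def amplification_factor(request_len: int, response_len: int) -> float:
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_len / request_len


def attack_bandwidth_bps(attacker_bps: float, factor: float) -> float:
    """Traffic arriving at the victim when every spoofed request is reflected."""
    return attacker_bps * factor


# Constructed UDP flow records, not captured traffic:
# (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", 51000, "8.8.8.8", 53, 60),       # a host's own DNS query ...
    ("8.8.8.8", 53, "10.0.0.5", 51000, 180),      # ... and the answer it asked for
    ("198.51.100.1", 53, "10.0.0.9", 80, 3000),   # 10.0.0.9 never asked for these
    ("198.51.100.2", 53, "10.0.0.9", 80, 3100),
    ("198.51.100.3", 53, "10.0.0.9", 80, 2900),
    ("203.0.113.7", 123, "10.0.0.9", 80, 4400),   # NTP reply of monlist size
]


def find_reflection_victims(flows, min_reflectors: int = 3, min_ratio: float = 10.0) -> dict:
    """Flag hosts receiving reflector-port traffic they did not solicit.

    For each destination, bytes arriving from reflector service ports are
    compared with the bytes that destination sent to the same reflectors.
    A legitimate client shows a modest answer/query ratio from few servers;
    a reflection victim shows a huge ratio (often entirely unsolicited)
    from many distinct reflectors at once.
    """
    inbound = defaultdict(lambda: defaultdict(int))   # dst -> reflector -> bytes
    outbound = defaultdict(lambda: defaultdict(int))  # src -> reflector -> bytes
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if src_port in REFLECTOR_PORTS:
            inbound[dst_ip][src_ip] += nbytes
        if dst_port in REFLECTOR_PORTS:
            outbound[src_ip][dst_ip] += nbytes

    victims = {}
    for host, reflectors in inbound.items():
        bytes_in = sum(reflectors.values())
        bytes_out = sum(outbound[host].get(r, 0) for r in reflectors)
        ratio = bytes_in / max(bytes_out, 1)  # fully unsolicited -> divide by 1 byte
        if len(reflectors) >= min_reflectors and ratio >= min_ratio:
            victims[host] = {"reflectors": len(reflectors),
                             "bytes_in": bytes_in, "ratio": ratio}
    return victims


if __name__ == "__main__":
    query = build_dns_query("www.network-insight.net")
    print(len(query), "byte query; factor for a 3000-byte answer:",
          round(amplification_factor(len(query), 3000), 1))
    print("100 Mbps x 200 =", attack_bandwidth_bps(100e6, 200) / 1e9, "Gbps at the victim")
    print(find_reflection_victims(SAMPLE_FLOWS))
```

The 41-byte query against a 3000-byte answer gives a factor of about 73, and 100 Mbps times a factor of 200 is 20 Gbps, which is why the author's headline number had to be corrected. The detector keys on unsolicited inbound volume rather than on any packet content, so it works on sampled flow data and does not depend on which reflector protocol the attacker chose.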

Different variations of layer 3, 4 and 7 attacks were soon underway with readily available tools, and it became easy and cheap to launch one. The major difference between the variations is whether a session is created: a layer 7 attack may open, for example, a secure sockets layer (SSL) session with the victim to cause session exhaustion higher up the stack, whereas a layer 3 attack may simply flood the victim with internet control message protocol (ICMP) messages without waiting for a reply and with no attempt to hold a session.

Eventually a dangerous mix of layer 3, 4 and 7 attacks developed. The classical volumetric attack was often combined with a layer 7 attack focused on the application, the volumetric traffic acting simply as cover for the layer 7 component. Application attacks are heaven for bad actors: each web application represents a practically infinite number of attack possibilities, with enormous variation to pick from, and plenty of tools can generate random page requests with further randomisation techniques. Web security companies are on the back foot. They can scan and detect hundreds of thousands of vulnerabilities, but not an infinite number of signatures.
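Because a random-page flood has no fixed signature, the practical answer is to score behaviour per source instead of matching URLs. The following is an added example, not code from the original article or from L7Defense: it parses a few constructed Apache-style log lines (one normal visitor, one source hammering non-existent pages and cache-busting search queries) and flags sources whose requests mostly miss real pages and almost never repeat a URL. The site map in KNOWN_PATHS, the log lines and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format, the fields a layer 7 detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths the site actually serves (assumed site map for the example).
KNOWN_PATHS = {"/", "/about", "/contact", "/search"}

# Constructed log lines, not from a real server.  203.0.113.4 browses normally;
# 198.51.100.7 hammers random non-existent pages and cache-busting search
# queries so that no two requests share a signature.
SAMPLE_LOG = """\
203.0.113.4 - - [10/Oct/2024:13:55:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.4 - - [10/Oct/2024:13:55:03 +0000] "GET /about HTTP/1.1" 200 3100
203.0.113.4 - - [10/Oct/2024:13:55:09 +0000] "GET /contact HTTP/1.1" 200 2900
198.51.100.7 - - [10/Oct/2024:13:55:01 +0000] "GET /x9f3k2 HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2024:13:55:01 +0000] "GET /q1m8zz HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2024:13:55:01 +0000] "GET /a77bn0 HTTP/1.1" 404 210
198.51.100.7 - - [10/Oct/2024:13:55:02 +0000] "GET /search?q=ab8 HTTP/1.1" 200 9800
198.51.100.7 - - [10/Oct/2024:13:55:02 +0000] "GET /search?q=kq1 HTTP/1.1" 200 9800
198.51.100.7 - - [10/Oct/2024:13:55:02 +0000] "GET /ppq0w HTTP/1.1" 404 210
"""


def parse_log(text: str):
    """Yield one dict per well-formed log line; skip anything that does not parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def score_sources(text: str, known_paths=KNOWN_PATHS) -> dict:
    """Per source IP: request count, share of requests for unknown or missing
    pages, and the share of requests that used a never-repeated URL.  None of
    this depends on the URL itself, which is the point: random pages defeat
    signatures but not behaviour."""
    stats = defaultdict(lambda: {"requests": 0, "unknown": 0, "urls": set()})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["urls"].add(rec["path"])                 # query string included
        base_path = rec["path"].split("?", 1)[0]
        if base_path not in known_paths or rec["status"] == "404":
            s["unknown"] += 1
    return {
        ip: {
            "requests": s["requests"],
            "unknown_ratio": s["unknown"] / s["requests"],
            "distinct_ratio": len(s["urls"]) / s["requests"],
        }
        for ip, s in stats.items()
    }


def flag_random_page_flood(text: str, min_requests: int = 5,
                           min_unknown_ratio: float = 0.5,
                           min_distinct_ratio: float = 0.8) -> dict:
    """Sources with enough requests that mostly miss real pages and almost
    never repeat a URL.  A crawler also never repeats, but it asks for pages
    that exist; a human repeats pages and rarely gets a 404."""
    return {
        ip: s for ip, s in score_sources(text).items()
        if s["requests"] >= min_requests
        and s["unknown_ratio"] >= min_unknown_ratio
        and s["distinct_ratio"] >= min_distinct_ratio
    }


if __name__ == "__main__":
    for ip, s in flag_random_page_flood(SAMPLE_LOG).items():
        print(ip, s)
```

On the sample, only 198.51.100.7 is flagged: four of its six requests hit unknown pages and all six URLs are distinct. The cache-busting /search?q= requests return 200 and are not "unknown", which is why the distinct-URL ratio is scored alongside the miss ratio; relying on 404 counts alone would miss an attacker who only randomises query strings against a valid, expensive endpoint.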
Things got more serious when bad actors combined the automatic spreading of malware with IoT. We saw mega-scale attacks and solid networks hit the floor. While traditional C&Cs are not very sophisticated, their big brother, the IoT C&C server, is more dynamic and can control bots with a number of optimisations that change every few seconds based on the defense response.

They are heaps more intelligent than the classical C&Cs. The bots are no longer static: each now controls its own unit of work, so the botnet behaves like many small armies working in isolation against a single destination.

The rise of Artificial Intelligence
Today we are entering a different wave of DDoS attack. This new era has all the power of IoT-based attacks combined with artificial intelligence, feedback loops and automatic optimisation.

Artificial intelligence constantly optimises, changing parameters and signatures automatically in response to the defense without any human interaction. It works alone, and it will keep security professionals up all night unless the right precautions are in place.

There are two flavors of AI-based defense: supervised and unsupervised machine learning. Supervised learning is like having a teacher with a predefined curriculum of specific questions and answers. With unsupervised learning there is no teacher and no narrow curriculum; the curriculum develops itself based on the changing needs of the student.
Supervised learning must be fed labelled examples in order to handle a situation; after enough examples it becomes a closed problem. That brings a number of drawbacks in a world of AI-based attacks. If an attack or piece of malware differs from the examples the system was trained on, will it be identified and dealt with appropriately? Probably not, and this is where false negatives start to creep in.

Unsupervised learning is superior in the sense that you don't need to feed the system labelled examples. This is a major shift in how you protect against a machine that is constantly changing in response to the defense side: unsupervised learning can change and adapt as the problem itself changes.

The real issue for supervised learning is that traffic patterns are by their very nature unpredictable. The source and destination IP endpoints may remain unchanged while the headers and message body vary endlessly.

These variations are a major problem for supervised learning.
No one can predict and create examples for every application traffic profile and potential attack vector, so we cannot cover the entire space or feed a supervised system enough examples to cover every angle.
If you can't cover the entire space, you need a system that analyses the environment by itself and works out, without human intervention, the best possible course of action while keeping false positives to a minimum: a system that dynamically learns and adapts to known and unknown environments. One caveat a practitioner should keep in mind: an unsupervised model has no labels to tell it which anomalies are attacks, so a legitimate surge such as a flash crowd looks just as anomalous to it as a flood. It needs a baseline that is refreshed continuously and a feedback loop from the defense response, or its own false positives climb.

Supervised learning helps to a certain extent, but in a world full of dynamic variables you need a system that can adapt to those changes and anticipate the unknown that AI-based attacks will bring.
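To make the supervised-versus-unsupervised distinction concrete, here is an added example that is not from the original article and not L7Defense's product: a supervised detector that only knows two learned attack signatures, beside an unsupervised baseline that learns per-feature median and median absolute deviation from unlabelled traffic windows and flags anything far outside them. The feature set, the benign windows, the signature rules and the threshold are assumptions for illustration. It also shows the failure mode the text warns about from the other side: a flash crowd is flagged by the unsupervised detector too, which is why it needs a feedback loop rather than a fixed threshold.

```python
import statistics

# One feature vector per one-second traffic window (constructed telemetry, not
# a real capture): requests/s, mean bytes per request, distinct source IPs,
# ratio of SYNs seen to handshakes completed.
FEATURES = ("req_rate", "mean_bytes", "distinct_srcs", "syn_ack_ratio")

BENIGN_WINDOWS = [
    (120, 850, 40, 1.1), (135, 820, 44, 1.0), (110, 900, 38, 1.2),
    (128, 860, 41, 1.1), (140, 830, 45, 1.0), (118, 880, 39, 1.1),
    (125, 845, 42, 1.1), (132, 815, 43, 1.0),
]

# Supervised side: rules distilled from past, labelled attacks.  Each rule is
# feature -> (min, max); None leaves that bound open.
KNOWN_ATTACKS = {
    "syn_flood": {"syn_ack_ratio": (5.0, None)},
    "http_flood": {"req_rate": (5000, None)},
}


def supervised_detect(window):
    """Return the name of the first learned attack whose bounds fit the
    window, or None.  Anything outside the curriculum is invisible here."""
    w = dict(zip(FEATURES, window))
    for name, rule in KNOWN_ATTACKS.items():
        if all((lo is None or w[f] >= lo) and (hi is None or w[f] <= hi)
               for f, (lo, hi) in rule.items()):
            return name
    return None


class RobustBaseline:
    """Unsupervised side: per-feature median and median absolute deviation
    (MAD) learned from unlabelled windows.  A window is anomalous when any
    feature's robust z-score exceeds the threshold.  Median/MAD rather than
    mean/stddev so that an attack window leaking into the training data does
    not drag the baseline towards itself."""

    def __init__(self, windows):
        columns = list(zip(*windows))
        self.median = [statistics.median(col) for col in columns]
        # A constant feature has MAD 0; fall back to 1.0 to avoid dividing by zero.
        self.mad = [statistics.median(abs(x - m) for x in col) or 1.0
                    for col, m in zip(columns, self.median)]

    def scores(self, window):
        # 1.4826 scales MAD to a standard deviation for normally distributed data.
        return [abs(x - m) / (1.4826 * d)
                for x, m, d in zip(window, self.median, self.mad)]

    def is_anomalous(self, window, threshold: float = 6.0) -> bool:
        return max(self.scores(window)) > threshold


if __name__ == "__main__":
    baseline = RobustBaseline(BENIGN_WINDOWS)
    cases = {
        "benign": (126, 850, 42, 1.1),
        "syn flood": (200, 60, 50, 9.0),
        "novel: many sources, normal rate": (130, 120, 900, 1.1),
        "flash crowd (legitimate)": (600, 850, 300, 1.1),
    }
    for label, win in cases.items():
        print(f"{label:34} supervised={str(supervised_detect(win)):10} "
              f"unsupervised={baseline.is_anomalous(win)}")
```

The novel window, a distributed low-rate attack with a normal request rate and tiny requests from hundreds of sources, matches neither learned rule and is invisible to the supervised side, yet its distinct-source score sits hundreds of deviations from the baseline. The flash crowd is caught by the same baseline for the same reason, which is the false-positive cost of having no labels; in production the baseline would be re-estimated on a rolling window and the threshold tuned from the defense side's outcomes.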

Within the cybersecurity realm attackers are moving fast. It is like the threat turning from ice into water: the hammer that worked on the ice is no use now, and what you need is something that can analyse the water and detect a poison dissolved in it. That is why you need to move from supervised to unsupervised learning.

Network World
