DDoS is the neglected cybercrime that's getting bigger. Let's kill it off
- Reference: 1756723868
- News link: https://www.theregister.co.uk/2025/09/01/ddos_opinion/
Distributed Denial of Service (DDoS) is a profoundly unsexy cybercrime, and that's a big problem. Headlines are full of ransomware, data breaches, or the latest exploit. DDoS, where a site or service is poleaxed by a packet tsunami, is just background noise. Now and again, security agencies put out a press release because they've taken down one of the botnets that propagate DDoS attacks, but that's been going on for decades without much effect.
This summer's half-yearly threat status update from DDoS mitigation merchant Netscout [1] documents how rampant DDoS is. The company reported 8 million attacks globally in the first half of 2025, with Europe, the Middle East, and Africa (EMEA) getting the lion's share with 3.2 million. The most powerful attacks peaked at over 3 Tbps.
This sort of insane speed is only possible because DDoS acts like a discontent distribution network. Hundreds of thousands of compromised machines, from IoT devices to routers, servers, and PCs, have malware that spews out packets designed to soak up resources on a single target. This botnet is summoned into being and synchronized from a central command-and-control server.
There are many different ways to construct and amplify a DDoS attack, with many often combined in a single incident. Individual DDoS packets look like normal traffic, and indeed if a site goes massively viral and gets hit by millions of curious humans, that looks exactly like a botnet attack. It is sophisticated, robust, and very hard to disrupt or even detect unless you're the target – then it's hard to ignore. To add to the fun, while DDoS tech has gotten cleverer, deploying it is now much easier with groups emerging that sell DDoS-as-a-Service to anyone with Bitcoin to burn.
The Netscout report breaks down targets by type, with various infrastructure sectors taking most of the top slots. The jewelry, gem, watch, and precious metal wholesale sector is curiously popular too, coming in at number eight. Which raises the obvious question – who is doing the DDoS dance, and why? Netscout points to hacktivists and nations wanting to disrupt things they don't like, like capitalism and civil society. Switzerland saw attacks double during the World Economic Forum, while the Iran-Israel and India-Pakistan conflicts kicked up flurries. There was a focused spring campaign against the Italian public sector. They're unsettling, and perhaps that's the intent.
Sometimes, though, the attacks remain perplexing. Take Bachtrack, a British classical music and dance events website with a global audience. It's a blameless business, co-founded and run for nearly 20 years by a husband and wife team, one half of which is UK tech industry veteran David Karlin.
As he writes in a recent blog post [6], earlier this year the Bachtrack server went from three-nines reliability to losing more than a day a month to downtime, and things were getting worse. The culprit was an applications-layer DDoS attack, with streams of HTTP URL requests soaking up server resources. At first, Karlin tried to block individual IP addresses, then blocks of 256, then 65,536. As he notes, not only did it not work due to the wide distribution of IP addresses used, but it was bound to hit genuine users too. Finally, he had to ban entire countries, with most hostile traffic traced to Brazil. There went a chunk of the audience.
Karlin is the sole technical resource on Bachtrack, and after months of trying endless remedies and not getting much help from his hosting service, he was running out of options. Then he found a pattern in the clearly machine-generated URLs that could be translated to firewall rules, and the server could breathe again. For now, the DDoS continues, but it's mitigated.
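The two approaches the Bachtrack story contrasts, blocking by request volume per IP versus blocking on a pattern in the machine-generated URLs, can be run side by side on a small constructed access log. The example below is added here for illustration and is not Karlin's code or Bachtrack's actual rules; the "random token" heuristic, the log layout, the sample paths and the TEST-NET addresses are all assumptions. It shows why a per-IP threshold fails against a wide, low-rate botnet (each source sends only two requests, while a genuine heavy reader trips the threshold) and how a URL pattern catches every bot source without touching the human traffic.

```python
import re
import random
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Common Log Format parser; the field layout is an assumption matching the constructed lines below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_random_token(tok):
    """Hypothetical heuristic (not Bachtrack's rule): a long alphanumeric token that mixes
    several digits and several letters is unlikely to have been typed by a human."""
    return (len(tok) >= 10
            and sum(c.isdigit() for c in tok) >= 2
            and sum(c.isalpha() for c in tok) >= 2)

def is_machine_generated(path):
    """Split the request path and every query value into tokens; flag any random-looking one."""
    parts = urlsplit(path)
    tokens = re.findall(r'[A-Za-z0-9]+', unquote(parts.path))
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        tokens.extend(re.findall(r'[A-Za-z0-9]+', value))
    return any(is_random_token(t) for t in tokens)

def flag_by_rate(records, threshold):
    """Volume approach: every IP with more than `threshold` requests in the sample."""
    counts = Counter(r['ip'] for r in records)
    return {ip for ip, n in counts.items() if n > threshold}

def flag_by_pattern(records):
    """Pattern approach: IPs whose requests match the heuristic, with a hit count per IP."""
    return Counter(r['ip'] for r in records if is_machine_generated(r['path']))

def build_rules(ips):
    """Translate flagged IPs into one iptables drop rule per address."""
    return [f'iptables -A INPUT -s {ip} -j DROP' for ip in sorted(ips)]

# ---- Constructed sample log (not real Bachtrack traffic) ----
def _log_line(ip, path, n):
    return f'{ip} - - [01/Sep/2025:10:{n % 60:02d}:00 +0000] "GET {path} HTTP/1.1" 200 4096'

LEGIT_PATHS = [
    '/search?q=beethoven+symphony+9', '/reviews/tristan-und-isolde-2025',
    '/events/2025-09-01', '/artists/anne-sophie-mutter', '/performances/list?city=london&page=2',
    '/reviews/mahler-5-lso', '/search?q=dance', '/venues/royal-albert-hall', '/about',
    '/search?q=mozart+requiem', '/events/2025-09-02', '/reviews/ring-cycle-bayreuth',
]
BOT_IPS = [f'192.0.2.{i}' for i in range(1, 31)]  # 30 sources from the TEST-NET-1 range
_rng = random.Random(7)  # fixed seed so the constructed sample is reproducible

def _random_token():
    # six letters plus six digits, shuffled, so every token trips is_random_token()
    chars = ([_rng.choice('abcdefghijklmnopqrstuvwxyz') for _ in range(6)]
             + [_rng.choice('0123456789') for _ in range(6)])
    _rng.shuffle(chars)
    return ''.join(chars)

def build_sample_log():
    lines = []
    # one genuine heavy reader browsing 12 pages and one light reader with 3 requests
    for n, p in enumerate(LEGIT_PATHS):
        lines.append(_log_line('203.0.113.10', p, n))
    for n, p in enumerate(LEGIT_PATHS[:3]):
        lines.append(_log_line('198.51.100.7', p, n))
    # a wide, low-rate botnet: 30 sources, only two requests each
    templates = ['/search?q={}', '/reviews/{}', '/performances/list?page={}']
    for n, ip in enumerate(BOT_IPS):
        for k in range(2):
            lines.append(_log_line(ip, templates[(n + k) % 3].format(_random_token()), n + k))
    return lines

RECORDS = [r for r in map(parse_line, build_sample_log()) if r]

if __name__ == '__main__':
    print('per-IP threshold (>10) flags:', flag_by_rate(RECORDS, 10))
    hits = flag_by_pattern(RECORDS)
    print(f'pattern flags {len(hits)} sources covering {sum(hits.values())} requests')
    for rule in build_rules(hits)[:3]:
        print(rule)
```

On this sample the rate threshold flags only the genuine heavy reader and none of the thirty bot sources, while the URL heuristic flags all thirty and nothing else. The heuristic itself would need tuning against a site's own logs before being turned into server or firewall rules, since paths carrying legitimate long identifiers (session tokens, content hashes) would also match it.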
It is next to impossible to guess who would attack Bachtrack for months – there is nothing to be gained. It could conceivably be part of a campaign to dishearten Bachtrack's demographic, social engineering being a big part of active enmity between cultures. It might be an accidental DDoS with the primary purpose of probing for some other vulnerability. Whatever, it shouldn't take detective work worthy of Poirot to fix. With DDoS tools now available to all and the attacks gaining momentum, a proper defense is needed.
Botnet DDoS parasitizes the entire internet infrastructure. An effective defense must also be infrastructural. Filtering and command-and-control server detection doesn't work. Until a way is found to disable the compromised nodes that generate the packets, DDoS will continue. Put simply, these nodes are broken, dangerous, and have to be detected and taken offline.
One possible architecture would have automated DDoS detection in potential targets that send botnet IP addresses to a central service. Once verified – spoofing the system would be ironic but mostly bad – the central service would inform the ISP servicing each botnet node, which would then disconnect each compromised device. It has to be automated.
This might sound harsh to the presumably naive owner of the now dead device, but the truth is that the device is broken, as broken as if it had physically failed. If an electrical appliance develops an earth leakage fault, it can carry on working fine until it kills you, or the distribution board circuit breaker pops. And keep popping until the appliance is fixed. A malware circuit breaker is no different.
To use another analogy, if your sewage pipe fails and the output of your lavatory spills out into the street, you can keep flushing, but only until you are forcibly restrained from doing so. As with the circuit breaker, entire industries exist to get things fixed. Helping the user diagnose and rectify the problem has to be part of the design. Nevertheless, a compromised device that is disrupting millions of lives needs fixing. Once DDoS stops working, the fix will be permanent.
DDoS isn't a sexy cybercrime, which means taking bold and controversial action to solve it is difficult to make happen. It is a nasty, clever, toxic perversion of technology, though, and an industry committed to running it out of town should be capable of making that story good enough to sell to the billions of people the fix could benefit. It would be nice to have Agatha Christie help out, but we already know whodunnit in DDoS land. Let's cut to the last page and get the cuffs on the culprits. ®
[1] https://www.netscout.com/threatreport
[6] https://bachtrack.com/feature-swamped-by-bots-bachtrack-inside-cybercrime-august-2025
Guilt by tenuous unwarranted association
Practically all the traffic we received from Digital Ocean and Linode was garbage, so we blocked all their networks.
It is likely because some moron at M$ thinks like this that my email to places that have been overrun by M$ (significantly including many universities) doesn't get through.
I regard it as my Civil Right in as a citizen of Cyberspace to have my emails handled independently of the tech giants.
It is sufficient for my level of usage to use shared hosting for my email and website. That is done by Primexeon in Cambridge, whose delighted customer I have been for 18 years.
They in turn use the cloud services of Linode.
However, M$ scrambles the standard email headers and replaces them with hundreds of lines of their own garbage. In some inscrutable way they judge a large fraction of the legitimate email that passes through them as spam.
I had the same problem with Google/gmail, which I apparently solved by routing my outgoing email though my phone/broadband provider, ICUK/CIX, of whom I am also a longstanding happy customer.
Neither Primexeon nor ICUK/CIX have any idea how to fix this. If I say "debugging" and "M$" in the same breath, I can't keep a straight face.
On what basis M$ judges my email to be spam I have no idea. If it's not the IP address then it's presumably the domain name of the From: address.
But the most likely explanation is that some j*rk at M$ thinks it's a good idea to block everything that has a Linode MX record, even though it hasn't come from there and they're not sending anything there.
Re: Perhaps a bit like a driving licence
"Would these same people expect to get behind a steering wheel and just drive, because somebody told them it's easy? "
Unfortunately yes... that seems to be the assumption.
RPF and then whack-a-mole starts
Firstly, you should ensure that Reverse Path Filtering is enabled at all ISPs' edges.
Secondly, when you start to cripple nodes (not a bad idea), then the chances are that many, many, many nodes will be targeted for lockouts. It will become the new sport of the day: DLOS (Distributed Lock Out Syndrome). Soon, major parts of the internet nodes will be blocked and locked out automatically by ISPs upon receiving a message. Now, who would have an interest in that?
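The Reverse Path Filtering the comment above asks for at ISP edges (source-address validation, so that packets with spoofed sources are dropped before they can join a flood) has a host-level counterpart on Linux routers and VPS hosts. The check below is an added example, not anything from the article or the commenter; it reads the per-interface rp_filter settings from the directory layout used under /proc/sys/net/ipv4/conf, applies the kernel's rule that the larger of the conf/all and conf/<interface> values wins, and reports interfaces whose effective mode is not strict (1). The interface names and values in the demo tree are constructed.

```python
from pathlib import Path
import tempfile

SYSCTL_ROOT = Path('/proc/sys/net/ipv4/conf')  # where Linux exposes per-interface settings

def _read_rp_filter(iface_dir):
    """Return the integer rp_filter value for one interface directory, or None if absent."""
    f = iface_dir / 'rp_filter'
    return int(f.read_text().strip()) if f.is_file() else None

def rp_filter_report(root=SYSCTL_ROOT):
    """Map each interface to its effective rp_filter value when that value is not 1 (strict).
    0 means no source validation, 2 means loose mode. The kernel uses the larger of
    conf/all and conf/<iface>, so both are read. 'all' and 'default' are settings rather
    than interfaces, and 'lo' carries no upstream traffic, so those three are skipped."""
    root = Path(root)
    all_val = _read_rp_filter(root / 'all') or 0
    weak = {}
    for iface_dir in sorted(root.iterdir()):
        if iface_dir.name in ('all', 'default', 'lo'):
            continue
        val = _read_rp_filter(iface_dir)
        if val is None:
            continue
        effective = max(all_val, val)
        if effective != 1:
            weak[iface_dir.name] = effective
    return weak

def sysctl_fix_lines(weak):
    """Lines for an /etc/sysctl.d drop-in that set strict mode on the reported interfaces."""
    return [f'net.ipv4.conf.{iface}.rp_filter = 1' for iface in sorted(weak)]

def build_demo_tree():
    """Constructed stand-in for /proc/sys/net/ipv4/conf so the check runs without root or Linux."""
    root = Path(tempfile.mkdtemp())
    for iface, val in {'all': 0, 'default': 1, 'lo': 0, 'eth0': 1, 'eth1': 0, 'wg0': 2}.items():
        (root / iface).mkdir()
        (root / iface / 'rp_filter').write_text(f'{val}\n')
    return root

if __name__ == '__main__':
    # run against the constructed tree; pass nothing to inspect the live host instead
    weak = rp_filter_report(build_demo_tree())
    for iface, value in weak.items():
        print(f'{iface}: rp_filter effective value {value} (not strict)')
    print('\n'.join(sysctl_fix_lines(weak)))
```

Strict mode can drop legitimate traffic on hosts with asymmetric routing (multi-homed boxes, policy routing), which is why the report distinguishes value 2 from 0: loose mode on such an interface may be the deliberate choice, whereas 0 is the setting worth questioning.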
This is a really bad idea
One possible architecture would have automated DDoS detection in potential targets that send botnet IP addresses to a central service. Once verified – spoofing the system would be ironic but mostly bad – the central service would inform the ISP servicing each botnet node, which would then disconnect each compromised device. It has to be automated.
That would be exploited to attack valid services. How would it be validated? How would you get unblocked? It can't be automated.
Who could possibly be responsible for this?
I find it strange that there were multiple articles on the Reg this weekend about AI data scrapers damaging performance on internet sites and how to stop them, but this article doesn't connect the dots.
I don't much like this idea at all...
Okay, if your DDoS node is an IP address that connects to some compromised corporate VM, sure. But if it's connected to someone's house? How exactly is John/Jane Q. Public supposed to fix it? It could be any one of a dozen crap consumer-grade devices, all behind the wall of NAT (and a possibly-compromised consumer-grade router.) The ISPs would never agree to this, and they shouldn't.
Until we have IPv6 actually working at the household level, instead of NAT mashing everything together, this is a non-starter.
P.S. Not to mention, this could be exploited as a "RDoS" (reverse denial of service, a term I just made up)... knock households offline by getting someone to click on a bad link, or whatever, triggering an "attack" to a known honeypot. It won't trigger a single malware alert, since it'll look entirely legit from the client's perspective. But, "BAM!" a few minutes later, their Internet simply cuts off with no explanation, or assistance in getting it back online.
Re: I don't much like this idea at all...
DDOS isn't a single click from an IP address. I don't see how the RDOS you propose would work unless you could trick someone into clicking several million times a second for a while.
I'll agree that for the scheme to work, the ISPs would need to be coerced into becoming part of the solution. That makes sense to me the same way it makes sense to tax businesses that pollute rather than tax everyone to clean up the pollution. Put the burden at the source of the DDOS rather than trying to mitigate it at the destination as we currently do.
How about reverse DDoSing
Instead of banning the IP addresses, you send them to a service that DDoSes them right back.
Perhaps a bit like a driving licence
Practically all the traffic we received from Digital Ocean and Linode was garbage, so we blocked all their networks. Nobody complained. Not a single complaint in the years that we did it. It's not worth our time to complain to DO or Linode. When I read this article the other day - https://www.theregister.com/2025/08/25/infosec_in_brief/ - I laughed. Yeah, Digital Ocean finally got off its arse and did something.
I'm going to state something maybe obvious here, but also controversial. There are a lot of people out there who have no idea how to manage UNIX systems (or computer systems in general). They think they do, or they bought into the one-liner that UNIX is more secure than Windows (so they don't have to worry about it). These people shouldn't be managing computer systems in the first place. They should not be able to set up a cheap VPS, then let it become compromised because they don't know how to stop it and they don't know how to clear it up. I get it. I'm not a doctor so I should not be mending broken bones. Would these same people expect to get behind a steering wheel and just drive, because somebody told them it's easy? Cheap VPS providers have no real motivation to stop unqualified and/or inexperienced people from badly administering UNIX boxes.
Another problem is cheaper routers, which no longer have firmware updates. Some of these cheaper routers come from big name vendors. No security updates, or no security updates unless you pay. Hmmm.
The idea of a central service is not going to fly. Who would run it? Why would you trust them?