Mitigating DDoS attacks

Distributed Denial of Service (DDoS) attacks have been on the rise in recent years and show no sign of slowing down. With businesses and consumers both feeling the impact of DDoS attacks, mainstream media outlets (e.g. ABC, CNN, and the New York Times) have provided in-depth coverage of some of the larger attacks.

Despite rising awareness of DDoS attacks, their perpetrators are undaunted and continue to launch attacks against organisations of all sizes on a daily basis. This is the result of a growing number of wrongdoers easily aligning themselves with nefarious groups. They create or locate readily available tools to launch automated attacks against any target, from social media and travel websites to global enterprises and government agencies.

Organisations that fall victim to a DDoS attack typically suffer damage in one or more areas: deteriorating customer trust; lost revenue; negative brand impact; or slowed web innovation and expansion. As a result, organisations of all kinds recognise the need to shore up their web infrastructure against these easily launched DDoS attacks.

Defining a DDoS attack

A denial of service attack occurs when web infrastructure, usually one or more servers, becomes so overwhelmed with malicious traffic that it utilises all its resources and can no longer respond to legitimate website users. A distributed denial of service attack amplifies this scenario by launching an attack from multiple computers distributed across the Internet. Most large-scale DDoS attacks leverage botnets – computers with breached security that are being controlled and manipulated by the perpetrators of the attack. The perpetrators instruct all computers in the botnet to send fake or malicious traffic to the targeted organisation’s web servers, overwhelming them with traffic and rendering them incapable of serving legitimate users.

DDoS attacks – the cheap and fast weapon of choice

DDoS attacks have become prevalent for three simple reasons – they are cheap, simple to create, and effective. Instructions for creating a botnet can be found easily online. For example, anyone can perform a Google search on “cheap, automated DDoS” and quickly come up with a botnet creation and launch tutorial. These tutorials come complete with detailed programming instructions to create, launch, and control bots. They even teach potential perpetrators how to secure their bots and themselves.

The most common DDoS attacks

Flood attacks

Three types of volumetric attacks make up the overwhelming majority of DDoS attacks. Among these, the easiest to launch and understand are flood attacks, such as the GET/POST flood, SYN flood, and UDP flood. They all “flood” a targeted web server with requests, causing the server to respond and open connections to the compromised computers (the botnet) that are making the requests. By never completing the exchange with the targeted server, the botnet holds all those server connections open while the server waits for responses. Eventually, the targeted server maintains so many open connections that it runs out of available ports to serve legitimate users, causing a service outage.
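The half-open connection build-up described above is visible on the server itself: connections that sit in the SYN-RECV state (SYN received, SYN-ACK sent, final ACK never arrives). The following script is an added example, not code from the original article or its author; it parses a constructed sample in the column layout printed by `ss -tan` and reports which peers hold many half-open connections and what share of all connections are half-open. The sample addresses, the per-source threshold of 4 and the function names are assumptions for illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the column layout printed by `ss -tan`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
# Addresses come from documentation ranges; this is not a real capture.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      203.0.113.10:443   198.51.100.7:51022
ESTAB    0      0      203.0.113.10:443   198.51.100.9:51100
SYN-RECV 0      0      203.0.113.10:443   198.51.100.9:51101
SYN-RECV 0      0      203.0.113.10:443   192.0.2.44:40001
SYN-RECV 0      0      203.0.113.10:443   192.0.2.44:40002
SYN-RECV 0      0      203.0.113.10:443   192.0.2.44:40003
SYN-RECV 0      0      203.0.113.10:443   192.0.2.44:40004
SYN-RECV 0      0      203.0.113.10:443   192.0.2.44:40005
SYN-RECV 0      0      203.0.113.10:443   192.0.2.45:40006
SYN-RECV 0      0      203.0.113.10:443   192.0.2.45:40007
SYN-RECV 0      0      203.0.113.10:443   [2001:db8::45]:40008
"""

# Server has answered with SYN-ACK and is still waiting for the client's ACK.
HALF_OPEN_STATE = "SYN-RECV"


def split_host_port(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port', including bracketed IPv6 such as '[2001:db8::45]:40008'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(text: str) -> List[Dict[str, object]]:
    """Turn `ss -tan` style lines into dicts; the header line is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, _recvq, _sendq, local, peer = fields[:5]
        peer_host, peer_port = split_host_port(peer)
        conns.append({"state": state, "local": local,
                      "peer_host": peer_host, "peer_port": peer_port})
    return conns


def half_open_by_peer(conns) -> Counter:
    """Number of half-open (SYN-RECV) connections held by each peer address."""
    return Counter(c["peer_host"] for c in conns if c["state"] == HALF_OPEN_STATE)


def half_open_share(conns) -> float:
    """Fraction of all listed connections that are still half-open."""
    if not conns:
        return 0.0
    return sum(1 for c in conns if c["state"] == HALF_OPEN_STATE) / len(conns)


def flag_sources(conns, per_source_threshold: int = 4) -> List[str]:
    """Peers holding at least `per_source_threshold` half-open connections (assumed threshold)."""
    counts = half_open_by_peer(conns)
    return sorted(host for host, n in counts.items() if n >= per_source_threshold)


if __name__ == "__main__":
    connections = parse_ss(SAMPLE_SS_OUTPUT)
    print(f"half-open share: {half_open_share(connections):.0%}")
    print("noisy peers:", flag_sources(connections))
```

On the sample, one peer holds five half-open connections and nine of the eleven listed connections are half-open. In a real distributed flood the sources are many and often spoofed, so the per-source count is the weaker signal; the aggregate half-open share is what to alert on, and the server-side mitigation is to stop allocating state for unacknowledged SYNs (SYN cookies) while the bulk of the traffic is absorbed upstream, as the article goes on to discuss.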

ICMP flood attacks

A variation on the standard flood attacks is the ICMP Flood, which goes by such names as Smurf attack, Ping flood, and Ping of Death. Perpetrators of this type of DDoS attack spoof (fake) the IP address of the targeted victim, then use that IP address to send out a broadcast of requests to a network of computers. When the network of computers responds, the targeted victim’s network becomes flooded with response traffic, thereby blocking legitimate user traffic from reaching the victim’s machine.

DNS flood

A third, and increasingly common, type of flood attack is called a DNS Flood. A DNS flood attack works by spoofing the IP address of the targeted victim’s DNS server and using it in communications with improperly configured DNS resolvers, called Open DNS Resolvers. Open DNS Resolvers reply to all DNS requests, often with large amounts of data, without confirming their origin. This combination of many machines and large responses makes Open DNS Resolvers ideal resources for launching a large-scale attack. Moreover, they offer ample opportunity to hackers, as noted by The Open Resolver Project, which currently tracks over 27 million Open DNS Resolvers in operation across the Internet. With so many open resolvers, each with the ability to transmit large amounts of traffic, it is easy to see why DNS flood attacks occur more often today than ever before.
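Both the ICMP flood above and the DNS flood just described are reflection attacks: the attacker spoofs the victim’s address, and the victim receives answers to requests it never sent, from many third-party hosts at once. From the victim’s side the common signature is a fan-in of unsolicited answers (DNS responses from port 53, ICMP echo replies) from many distinct responders. The script below is an added example, not code from the original article or its author; it runs that check over a constructed set of flow records. The CSV layout, the convention that the `sport` column carries the ICMP type for icmp rows, the thresholds of 3 responders and 4000 bytes, and the function names are all assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed flow records (documentation address ranges, not a real export).
# For icmp rows the `sport` column carries the ICMP type (0 = echo reply).
SAMPLE_FLOWS = """\
proto,src,sport,dst,dport,bytes
udp,192.0.2.10,53,203.0.113.5,33011,3200
udp,192.0.2.11,53,203.0.113.5,33011,3100
udp,192.0.2.12,53,203.0.113.5,33011,3300
udp,192.0.2.13,53,203.0.113.5,33011,3000
icmp,198.51.100.20,0,203.0.113.5,0,1500
icmp,198.51.100.21,0,203.0.113.5,0,1500
icmp,198.51.100.22,0,203.0.113.5,0,1500
tcp,198.51.100.7,51022,203.0.113.5,443,900
udp,203.0.113.53,53,203.0.113.6,40111,120
tcp,198.51.100.8,52000,203.0.113.6,443,700
"""


def classify(flow: Dict[str, str]) -> Optional[str]:
    """Label flows that are *answers* arriving at the destination, else None."""
    if flow["proto"] == "udp" and flow["sport"] == "53":
        return "dns-response"          # reply from a resolver (open or not)
    if flow["proto"] == "icmp" and flow["sport"] == "0":
        return "icmp-echo-reply"       # reply to a ping, as in a Smurf attack
    return None


def reflection_summary(text: str):
    """Per (destination, answer kind): the set of distinct responders and total bytes."""
    summary = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for flow in csv.DictReader(io.StringIO(text)):
        kind = classify(flow)
        if kind is None:
            continue
        entry = summary[(flow["dst"], kind)]
        entry["reflectors"].add(flow["src"])
        entry["bytes"] += int(flow["bytes"])
    return summary


def flag_victims(text: str, min_reflectors: int = 3,
                 min_bytes: int = 4000) -> List[Tuple[str, str, int, int]]:
    """Destinations receiving answers from many distinct hosts at once (assumed thresholds)."""
    hits = []
    for (dst, kind), entry in reflection_summary(text).items():
        n_reflectors, total = len(entry["reflectors"]), entry["bytes"]
        if n_reflectors >= min_reflectors and total >= min_bytes:
            hits.append((dst, kind, n_reflectors, total))
    return sorted(hits)


if __name__ == "__main__":
    for dst, kind, n, total in flag_victims(SAMPLE_FLOWS):
        print(f"{dst}: {n} {kind} responders, {total} bytes")
```

On the sample, 203.0.113.5 is flagged twice (four DNS responders, three ICMP responders), while 203.0.113.6, which only hears from the site’s own resolver, is not. The victim cannot make the reflectors stop, which is why the durable fixes sit elsewhere: resolver operators restrict recursion to their own clients so they are no longer “open”, networks forward no directed broadcasts, and source-address validation at the network edge (BCP 38) stops the spoofed requests from leaving in the first place.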

If you’d like to learn more about XOR.DDoS attacks, please read our blog article: Understanding XOR.DDoS attacks

The ‘who’ and ‘where’ behind DDoS attack origination

As for who perpetrates all these DDoS attacks, that is a difficult puzzle facing the law enforcement community. Groups range from government agencies and organised crime syndicates, to political activists and individual thrill-seekers. The profile of DDoS attack perpetrators is ever shifting, depending on the nature of current issues and opportunities presented. That said, the most common DDoS attackers include the following:

  • Organised crime syndicates
  • State-sponsored wagers of electronic warfare
  • Businesses attempting to weaken competitors
  • Politically motivated cyber terrorists (hacktivists)
  • Extortionists
  • Hackers seeking profits
  • Individuals out for a thrill

Traditional web infrastructure cannot handle DDoS protection

Just as traditional web infrastructure has proven inadequate for handling large amounts of legitimate web traffic, it falls short in fending off most DDoS attacks. Both the origin and overflow infrastructure lack the resources for all but the smallest of DDoS attacks. The typical enterprise’s server and switch capacity falls far short of the capacity required for mitigating a DDoS attack. In today’s environment of tightened IT budgets, most organisations cannot afford to expand their web infrastructure in the manner required to absorb a DDoS attack. In addition, the cost of establishing additional data centres just to defend against DDoS attacks makes little sense. For this reason, organisations are turning to managed hosting providers and/or content delivery networks (CDNs) with DDoS absorption capabilities to serve their websites to a global audience.

CDN with DDoS absorption

Managed hosting providers and CDNs are not equal when it comes to DDoS absorption. First, the larger managed hosting providers with the capacity needed to absorb an attack often exist on the very networks frequently experiencing DDoS attacks, or at the very least carrying their traffic. Moreover, managed hosting providers do not span across different networks as the larger CDNs do, making them unable to match global CDNs in their ability to shift network usage quickly in the event of an attack on specific networks.

Gain DDoS mitigation now, but plan for evolution

Given the reality of today’s online world – that high-volume DDoS attacks will continue to strike a wide variety of organisations across industries and geographies – professionals charged with maintaining an operational web presence must act fast to shore up their web infrastructure. At the same time, however, they should plan carefully and choose a service provider with a track record of evolving its infrastructure and services in line with the evolving nature of the online world. Only this type of strategy will enable continued online innovation in a manner that protects ongoing business today.
