A Distributed Denial-of-Service or DDoS attack is a type of cyber attack that targets a resource such as a network or web server with an overwhelming amount of requests with the goal of taking it offline. Once the traffic shoots past the capacity of the server, it is unable to respond to legitimate requests from legitimate users, thereby resulting in the ‘denial of service”.
DDoS attacks involve multiple machines working together in a network to flood the server with a large amount of traffic, beyond its capacity. They are often perpetrated by malicious actors at large businesses that people depend on for essential services, such as banks to news websites, and in some cases even power plants. The end goal could also vary from theft and extortion during the system outage and downtime, launch of additional attacks like phishing and ransomware, reputation damage or simply causing anarchy.
How do Distributed Denial-of-Service Attacks Work?
DDoS attacks are launched using a network of machines that operate together under the perpetrators’ commands. These compromised devices form what is called a botnet, which does the job of sending the flood of malicious traffic to the target resource.
The machines could include laptops, mobile devices, PCs, servers or Internet of Things (IoT)devices and could be distributed across distances. There could be thousands or up to millions of such devices that are remotely controlled in a botnet. The devices themselves could have been compromised by attackers by taking advantage of security vulnerabilities and injecting them with malware without the knowledge of the devices’ owners.
One of the largest and more high-profile DDoS attacks was the 2016 Dyn attack that brought down much of America’s internet and crippled sites like Twitter, the Guardian and Netflix. This attack used a malware known as Mirai using a botnet of IoT devices including cameras, televisions, printers and even baby monitors.
The process of launching a DDoS attack goes something like this. First, the attacker takes control of the devices after infecting them with malware. Once such a botnet has been created, specific instructions are sent remotely to each bot to carry out an attack. If the target is a network or web server, each bot sends requests to the server’s IP address.
Since each bot is a legitimate device on the internet, the traffic from the bot looks normal and therefore hard to separate from legitimate traffic to the server.
Why Are DDoS Attacks Dangerous?
One of the key reasons why DDoS attacks are dangerous is because of their simplicity. To create and launch a DDoS attack does not require any seriously sophisticated techniques. A hacker does not have to install any code on the target server. All it takes is to be able to compromise machines and control them to send millions of pings to the targeted web server at the same time. In fact, the Mirai botnet used in the Dyn attack of 2016 was open-source, which meant that any cybercriminal can use and adapt it to launch attacks in the future.
DDoS attacks are also tricky to defend against since the incoming traffic is distributed. The compromised “zombie” machines in the botnet have different IP addresses. Adding filters to block requests from suspicious IP addresses is one countermeasure but when there are millions of such IP addresses, it becomes an unsustainable defense strategy.
To make matters worse, the potential attack vectors in DDoS attacks are increasing every day. As more devices enter the hands of every day consumers and as the IoT market expands to cover more types of devices, defending against potential DDoS attacks from these becomes more challenging. These devices may not have advanced security software compared to a standard computer or server and therefore stay vulnerable to being hacked and compromised to form part of the botnet.
The Different Types of DDoS Attacks
Despite their simplicity, DDoS attacks can come in different varieties depending on the method used. Here are some common types of DDoS attacks.
Networking layer or Protocol attacks
These are DDoS attacks that target the network infrastructure. For example, they could attack network areas responsible for verifying connection requests by sending slow pings, malformed pings and partial packets. They can go through web application firewalls (WAF) and therefore this type of DDoS threat cannot be topped by just firewalls.
Moreover, firewalls may be placed deep in the network which means routers could be compromised before the traffic gets to the firewall. Common types of network layer attacks include the Smurf DDoS and SYN flood attack, which initiates a TCP/IP connection request without finalizing it and keeps the server waiting for an acknowledgement (ACK) packet which doesn’t arrive. The severity of the networking layer or protocol attacks are measured in packets per second as these depend on the number of packets of information that are sent rather than the actual bits.
Application layer attacks
This type of DDoS attack are intended to cripple apps directly than the underlying infrastructure. They attack the topmost layer or the L7 layer in the Open Systems Interconnection Model (OSI) and can be launched through HTTP, HTTPS, DNS or SMTP. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. Some examples of application layer attacks include HTTP flood, Low and Slow and BGP hijacking. These are measured in requests per second since their severity depends on how frequently or continuously hackers request access to the apps services using the botnet traffic.
In volume based DDoS attacks, the method relies on the sheer amount of traffic sent beyond the network bandwidth. User Datagram Protocol or UDP floods and Internet Control Message Protocol (ICMP) floods are two common forms of volumetric attacks. In UDP flood attacks, attackers use the UDP format to skip integrity checks and generate amplification and reflection attacks.
For example, the DNS amplification attack is one type of volumetric DDoS attack where the attacker makes a request to an open DNS server with IP spoofing address (of the victim) and overwhelms the target server with a traffic amplification attack. ICMP floods have attackers send false error requests to network nodes to make it unable to respond to real requests. The goal of the attacker here is to just send as many requests as possible in a short time from as many compromised devices.
Another categorization of DDoS attacks involves their intended outcomes. Some are intended to be for flooding and others for crashing.
Flooding DDoS attacks
These are attacks which use an overwhelming flood of data to target a server with the intention of taking it down. For example, an ICMP flood or ping flood sends data packets to overwhelm a network of computers to take them down together. The SYN flood described above under networking layer attack is also one that operates on a similar basis.
Crashing DDoS attack
In this type of DDoS attack, the attacker sends bugs to a compromised system in order to take advantage of weak spots in the system’s infrastructure. This exposes the flaws which can be exploited in the absence of patches on routers and firewalls and leads to a system crash.
How to Identify DDoS Attacks in Order to Protect Against Them
As mentioned before, DDoS attacks can be hard to detect since they involve traffic from devices that are legitimate, even if they may be part of a remote controlled botnet. This makes it hard to distinguish such botnet traffic from legitimate requests. However, there are a few symptoms that you can lookout for in trying to identify and protect your business against DDoS attacks.
Start investigating sudden site issues
The most straightforward sign of a DDoS attack is when a site or service suddenly and unexpectedly starts running slow or becomes unavailable altogether. However, this is not a guarantee of a DDoS attack as even legitimate requests can create performance issues if there is a large amount of traffic. Look further to see if there is an unreasonable amount of this attack traffic that is coming from a single source such as a single IP address or from within a range of IP addresses. Or there could be a flood from the same type of device, location or browser type or even that all the surge in attack traffic could be directed at a single end point like a particular web page. Other such patterns like spikes at unusual hours or at suspiciously frequent time periods like every few minutes could also be a sign that you need to investigate further.
Look out for unusual technical problems
Certain availability issues may seem non-malicious at first but they could be signs of an incoming DDoS attack. For example, certain technical issues with the network security during maintenance such as unusually slow network performance. If there are issues opening files, accessing websites or if a particular website is down, it is definitely worth investigating further to see if they are the result of a DDoS attack.
Adopt network security and traffic monitoring tools
The best way to detect and identify a DoS attack would be via network traffic monitoring and analysis. Network traffic can be monitored via a firewall or intrusion detection system. An administrator may even set up rules that create an alert upon the detection of an anomalous traffic load and identify the source of the DDoS traffic or drops network packets that meet a certain criteria.
DDoS Mitigation for Your Business
DDoS protection has become an essential component of cybersecurity for businesses today. DDoS attacks involve the attacker relying on strength in numbers of bots or compromised devices to overwhelm a target resource. Despite the simplicity of the methods used, DDoS attacks can cause major damage to businesses, including server downtime, interruption of services to customers and as a pathway to launch other more expansive attacks.
To effectively implement DDoS protection strategies, it is not enough to merely identify symptoms and then react to the onslaught. By the time a DDoS threat is detected, part or most of the damage might already be done and you might be on a clock to minimize the extent of the damage. This is why it is critical to be proactive and explore DDoS mitigation services for your business. Professional services including DNS and service providers like CDNetworks can help you protect your network and systems with network monitoring tools and technologies such as content delivery networks for routing malicious attack traffic as needed.