Denial-of-service, or DoS, attacks and DDoS (distributed denial-of-service) attacks are the bane of any service provider’s or web host’s existence. From the user’s perspective, if you’ve ever tried to load up a web-based service only to find a message waiting for you that says it’s either over capacity or down for an indefinite period of time, then there’s a chance the site was hit with a DDoS attack that overwhelmed it with fake traffic and is now keeping legitimate users from getting through.
DDoS attacks are surprisingly common because the tools themselves are relatively easy and inexpensive to acquire, and they are also difficult to predict and mitigate without the proper tools. Fortunately, once you get over the hurdle of actually understanding why someone would want to perpetrate a DDoS attack, you can start putting yourself in the best possible position to limit the damage.
Take Advantage Of On-Premises & Cloud-Based Solutions To Protect Your Network & Services From Distributed Denial-Of-Service Attacks
- DDoS attacks essentially flood a network or service with illegitimate traffic and prevent real users from getting through.
- These attacks use botnets, which are groups of computers that have been infected with malware and have become “zombies” for the hacker to use.
- The goal of a DDoS attack may be to bring down a service or to hijack it until a fee is paid to release it.
- You can choose between on-premises, cloud-based, and hybrid solutions to protect yourself from DDoS attacks.
How DDoS Attacks Work
A DDoS attack starts with a botnet, which is essentially a group of computers that have been infected with malware and can be controlled as one entity by an outside party. These are private computers that have been hacked without the user’s knowledge and can then be used to attack networks or services in a variety of ways. For example, one DDoS attack might use spam messages to overwhelm an email service and cause issues, while another may use those computers to send fake traffic to a service such as Twitter and temporarily bring it down.
“Effectively, the botnet is ordered to repeatedly access a certain system,” says Michela Menting, research director at ABI Research. “Each time a request to view a specified page is sent, information flows between the user’s system and the website in order for the page to appear on the user’s screen. If a great number of requests are sent, the server on which the page is hosted can be overwhelmed and becomes unable to respond to all the demands, sometimes becoming submerged and unable to respond altogether, thus denying service to all requests. DDoS are simply distributed attacks, meaning the botnet is composed of usually thousands of bots, and perhaps several botnets are used. It is simply an increase in scale.”
The interesting thing about botnets is that they are widely available on the black market for a range of prices and a variety of use cases. For example, for $200 to $500 you can buy a turnkey botnet with maybe 50 “zombies,” which is the term for the infected computers. For varying fees, you can rent larger botnets with thousands of bots by the hour. The goal of the attack, as well as the target, will determine what type of botnet needs to be used and for how long.
Jim Davis, Senior Analyst, 451 Research
“Enterprises with significant revenue from web operations (e.g., e-commerce, online gaming) should consider placing web infrastructure behind a CDN provider to increase protection from DDoS attacks, which leverage CDN content and application-delivery functions to offer better end-user experiences.”
Jim Davis, senior analyst at 451 Research, also points out that there are different types of DDoS attacks that go after specific targets. There are the standard volumetric DDoS attacks, which are network-based and “have the effect of exhausting server resources and/or consuming available bandwidth with spurious requests,” he says. And then there are application-layer DDoS attacks, which, although less common, are growing in popularity. “The techniques are different in that the attacker targets web, application, and database resources,” says Davis. “These attacks require more sophisticated knowledge of features and vulnerabilities but can be done without large botnets. These attack types can be harder to detect and harder to mitigate. When done in conjunction with a volumetric attack, they can be quite devastating.”
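As an added illustration (not from the article or from the analysts it quotes), the Python script below applies Davis's distinction to a constructed web access log: a time window is flagged as volumetric when its raw request count spikes, and as application-layer when many distinct sources converge on a single path. The log format, the thresholds and the sample traffic are all assumptions chosen for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix: client, identity, user, [timestamp], "METHOD path proto", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (epoch_seconds, client_ip, path_without_query) or None if the line is unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return int(ts), m.group(1), m.group(4).split("?", 1)[0]

def detect_floods(lines, window=10, max_requests=100, max_path_share=0.8, min_sources=20):
    """Bucket requests into fixed windows and flag two flood patterns per window:
    - "volumetric": total requests above max_requests (raw load, regardless of target)
    - "application-layer": most requests hit one path and come from many distinct sources
    Returns one alert dict per flagged window; thresholds are assumed values."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, path = parsed
            buckets[ts - ts % window].append((ip, path))
    alerts = []
    for start in sorted(buckets):
        reqs = buckets[start]
        total = len(reqs)
        sources = len({ip for ip, _ in reqs})
        top_path, hits = Counter(p for _, p in reqs).most_common(1)[0]
        share = hits / total
        kinds = []
        if total > max_requests:
            kinds.append("volumetric")
        if share > max_path_share and sources >= min_sources:
            kinds.append("application-layer")
        if kinds:
            alerts.append({"window_start": start, "kinds": kinds, "requests": total,
                           "sources": sources, "top_path": top_path, "top_path_share": round(share, 2)})
    return alerts

def sample_log():
    """Constructed log: three normal visits, then 40 sources each hitting /search five times in 10 s."""
    lines = [f'10.0.0.{i} - - [01/Jan/2016:10:00:0{i} +0000] "GET /index.html HTTP/1.1" 200 512'
             for i in range(1, 4)]
    for host in range(1, 41):
        for n in range(5):
            lines.append(f'198.51.100.{host} - - [01/Jan/2016:10:00:1{n} +0000] '
                         f'"GET /search?q={host}{n} HTTP/1.1" 200 2048')
    return lines

if __name__ == "__main__":
    for alert in detect_floods(sample_log()):
        print(alert)
```

On the constructed log only the second window trips both rules, which is the combined volumetric plus application-layer pattern Davis calls the most damaging.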
The Goals Of A DDoS Attack
With DDoS attacks, it can sometimes be tough to tell the attacker’s desired outcome, but in other instances, they wear their goals on their sleeves. An example of this would be the 2010 series of DDoS attacks referred to as Operation Payback and Operation Avenge Assange. These attacks were perpetrated by Anonymous and other notorious hacker groups in an effort to take down opponents of piracy, in the case of Operation Payback, and payment providers that refused services to WikiLeaks and its founder, Julian Assange, after the group started leaking U.S. government documents. In the latter attack, Visa, MasterCard, PayPal, and many other financial institutions were taken offline for hours, and it disrupted service to the user base. The hacker groups even made fliers laying out the exact reasons why they were conducting the attacks and why those specific companies and services were targeted.
Michela Menting, Research Director, ABI Research
“There are various ways to mitigate a DoS/DDoS attack using network defenses (IPS, firewalls, and others). These are primarily on-premises methods. Alternatively, traffic can be passed through a cleaning or scrubbing center before going to the intended user. This is often offered as a cloud-based service because the platform can be scaled depending on attacks. Of course there is also the possibility of sinkholing botnets [redirecting them to research machines for study], but that requires a coordinated, intelligence-based offensive approach.”
Attacks such as Operation Payback are less about financial gain and more about sending a message, but that doesn’t mean that money-based DDoS attacks don’t exist. “DoS and DDoS attacks can be used to blackmail or immobilize any website,” says Menting. “In exchange for money, the perpetrator agrees to cease an attack or to desist from carrying one out. Commercial organizations can lose important financial gains because of their inability to trade due to a DoS attack. Even just the threat of an attack could be sufficient for the perpetrator to successfully extort money. With the sale and rental of botnets, it has become a lucrative business and perpetrators are not all necessarily technology experts. They need not even launch the attack themselves but can rent a service from a criminal organization specializing in this type of activity.”
Then there’s the idea of causing damage within an organization or picking up leaked information during a DDoS attack that can then be used to extort money from a company. These types of attacks often come from disgruntled workers or hacktivists who want to bring down a perceived foe. “The offender can also be a discontented employee, a lone actor, or a competitor seeking out sensitive information using methods such as social engineering, spyware, system penetration, device theft, data interception, and unauthorized disclosure of information from the inside,” Menting says. Attackers either use the DDoS attack as a distraction to pull security resources away from the real target, or they combine it with other attacks to hit the company from multiple directions and make it more difficult to defend against.
On-Premises, Cloud-Based & Hybrid Solutions
When it comes to mitigating DDoS attacks, there are many different approaches, but the end goal is ultimately to absorb the brunt of the attack and divert it away from your primary servers and networks until it can be stopped. Many vendors offer on-premises solutions, including A10 Networks, F5 Networks, and Radware, which require you to handle everything in-house, so you may need some extra infrastructure in place. This is a good approach for organizations that are attacked on a relatively consistent basis and know how to handle the traffic.
From there, you have cloud-based solutions such as CloudFlare and CDNetworks, which tend to come in one of two flavors. There are CDN (content delivery network) solutions, which are designed to deliver content to users based on geographic location and can also be used to mitigate DDoS attacks. There are also cloud-based scrubbing services, “which consist of several points of presence that ingest traffic bound for the customer, mitigate attacks, and send clean traffic on its way to the customer,” says Davis. “These services can be deployed in always-on fashion, but smaller enterprises may not always be able to justify the cost of this option. If services are not deployed in an always-on fashion, there can be delays in defending against attacks (typically between 15 to 20 minutes) as traffic gets re-routed.”
Figure caption: Traffic from legitimate end users travels through the CDN (content delivery network) and WAF (web application firewall) unimpeded, while the DDoS attack and any secondary attack run into the security measures, are absorbed, and can’t impact service to actual clients.
One example of a cloud-based CDN provider is CDNetworks. It creates a filter of sorts in the cloud that directs unwanted traffic to a “sponge” server that can absorb the impact while still letting legitimate traffic through. But this approach can also help stop secondary attacks that can sometimes accompany the DDoS and tend to go after the application layer. That attack would run into a WAF (web application firewall) that prevents it from impacting any applications or the data stored within. The key to these cloud-based service providers is that they have enough bandwidth, and probably more than most companies have, to absorb the traffic without having it impact other services, which is exactly what you need during a DDoS attack.
There are also hybrid on-premises/cloud solutions that let you keep some control onsite while taking advantage of scrubbing services as needed. The important thing to remember is that you need to take a layered approach to security, especially when dealing with DDoS attacks. “Not all services mitigate all types of attacks,” says Davis. “Web application firewall technology may be useful in supplementing protection against application-layer DDoS attacks.”
“In general,” Davis adds, “leveraging cloud-based services for protection from DDoS attacks is a must as attacks continue to scale in size beyond what on-premises solutions alone can handle. Additionally, they promise faster deployment and easier management.”
Internet Of Things & DDoS
One of the newer developments in DDoS (distributed denial of service) attacks is the use of Internet of Things devices in place of computers. In the same way that an attacker would build a private network of infected computers to perpetrate attacks and send unwanted traffic to networks and services, hackers are now taking advantage of a 12-year-old vulnerability in the SSH protocols of IoT devices to use them for DDoS purposes. These devices ship with the flaw in their credentials, which are often used for remotely logging in to computer systems and accounts, and if those credentials aren’t changed immediately after purchase, hackers can exploit the flaw and take over the device.
The problem is that some vendors don’t allow these credentials to be changed, and so there isn’t an easy way to patch them after the fact. The danger in using IoT is that if hackers could gain access to every sensor within a data center, for example, they could use those devices to send signals and overload systems from the inside. Or, in a more consumer-oriented focus, an attacker could take over smart home systems, smartwatches, and other devices to send traffic to internal or external networks and bring them down. Given the number of IoT devices on the market, this presents a big problem for security experts and vendors as they try to figure out how to defend against these attacks.