As the online world grows rapidly, attackers keep devising new techniques to disrupt running services. The Distributed Denial of Service (DDoS) attack is one of the most common cyber threats today.
DDoS refers to the steady bombardment of a central server with concurrent data requests. The attacker transmits these requests from multiple compromised systems. The ultimate goal is to attack a target, such as a server, website or other network resource, and create a denial of service (DoS) for users of the targeted resource.
Generally, botnet devices are used to carry out a DDoS attack.
DDoS attackers can be diverse threat actors, ranging from individual criminal hackers to organized crime rings and government agencies. Victims of a DDoS attack include both the targeted system and all the systems maliciously used to carry out the distributed attack.
In this article, we will emphasize how a DDoS attack works, its types and how you can protect your system from a DDoS attack.
We will also understand how a DDoS attack is different from a DoS attack.
What do you mean by a DDoS attack?
The term Distributed Denial of Service (DDoS) attack means a malicious attempt to disrupt the usual traffic of a targeted server, resource or network by overwhelming the target machine with a flood of Internet traffic.
DDoS attacks work by using multiple compromised computer systems as sources of attack traffic. In general, these exploited machines can include computers and other networking resources such as IoT devices.
You can imagine a DDoS attack as a traffic jam clogging up a highway, preventing normal traffic from arriving at its destination.
Similarly, the flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash. Thus, it results in denial of service to legitimate users or systems.
How can you identify a DDoS attack? DDoS attack symptoms
DDoS attacks can look like many non-malicious events that cause availability issues, for example a downed server, a surge of requests from legitimate users, or even a cut cable.
Traffic analysis is often required to determine precisely what is occurring. In some instances, poorly written code, missing patches or generally unstable systems can produce DDoS-like symptoms.
What is the purpose of DDoS?
The purpose of a DDoS attack is either to cause costly downtime or to block legitimate users from accessing services.
An attacker may use a DDoS attack for extortion, revenge or other motives. DDoS attacks can also benefit business competitors or provide political benefits to governments or hacktivists.
Although the chief target of a DDoS attack is the obvious victim, there can be many other victims too, for instance the owners of the infected computers used to perform the attack.
The owners are typically unaware of the attack, yet they are likely to suffer degraded service while it is under way.
How does a DDoS attack work?
In a typical DDoS attack, the attacker starts by exploiting a vulnerability in one computer system and making it the DDoS master.
After that, the attack master system identifies other vulnerable systems and gains control over them by infecting the systems with malware.
A DDoS attack requires the attacker to gain control of a network of online machines to carry out the attack.
Computers and other devices, such as IoT devices, are infected with malware, turning each one into a bot. The attacker then has remote control over this group of bots, which is collectively known as the botnet.
Once the botnet is assembled, the attacker can direct the machines by sending updated instructions to each bot through a remote control channel.
When the botnet targets the IP address of a victim, each bot responds by sending requests to the target. This causes the targeted server or network to exceed its capacity, resulting in a denial of service to normal traffic.
As each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
What is a DDoS Botnet?
A botnet is a group of computing resources infected with malware that lets an attacker control them from a remote location without the knowledge of their actual owners.
Attackers can use these botnet devices for many malicious purposes, most commonly spam or DDoS attacks. A botnet is also known as a zombie army.
The term botnet is a portmanteau from the words robot and network, and each infected device is called a bot, or a zombie.
It is infeasible to determine the exact number of bots in a particular botnet. Commonly, botnets have tens or hundreds of thousands of bots, and there is no specific upper limit to their size.
What are the types of DDoS attacks?
Different distributed denial-of-service attack mechanisms saturate the targeted system in several ways. The three common types of DDoS attacks are volumetric attacks, application attacks, and protocol attacks.
The duration of each of these can be anywhere from minutes to months. Let’s discuss each of them.
Volumetric attacks
Volumetric attacks exhaust a targeted resource by consuming the available bandwidth with packet floods. The aim is to create congestion by saturating all the bandwidth available to the target system.
Volumetric attacks are the most common and the easiest for attackers to execute. Attackers often use amplification techniques to generate this traffic without needing a substantial number of resources.
Some examples are DNS Amplification, Network Time Protocol (NTP) amplification, Ping Flood, and UDP/TCP Flood.
Protocol attacks
Protocol attacks, also known as state-exhaustion attacks, target network layer or transport layer protocols to overload targeted resources.
Some examples include Fragmentation, Ping of Death, SYN Flood, and SSL renegotiation.
Protocol attacks consume all the available state table capacity of web application servers or intermediate resources like firewalls and load balancers.
Application layer attacks
Application layer attacks are potent and can be challenging to diagnose and mitigate. These attacks use comparatively little traffic.
Also known as layer 7 DDoS attacks, they aim to exhaust the resources of the target.
These attacks overload application services or databases with a high volume of application calls. The inundation of packets at the target causes a denial of service.
Some examples include Slowloris, HTTP Flood, and Low Orbit Ion Cannon (LOIC).
Some famous DDoS attacks
The biggest and most recent DDoS attack took place in February 2018. The target was GitHub, a popular online code management service used by millions of developers.
The second major DDoS attack targeted Dyn, a DNS provider. This attack was devastating and disrupted many significant sites, such as Airbnb, Netflix, PayPal, Visa and Amazon.
Malware named Mirai was used to carry out this attack.
What is the difference between DDoS and DoS attack?
A Denial of Service (DoS) attack is not the same as a DDoS attack. A DoS attack typically employs a single computer and one Internet connection to flood a targeted system or resource.
The DDoS attack uses multiple computers and Internet connections to do the same.
DDoS attacks are often global attacks, distributed via botnets. A DoS attack does not involve a botnet.
The threat level of a DoS attack is low, and it can be stopped relatively quickly with the right security controls. On the other hand, DDoS threat levels vary from medium to high, and such attacks are difficult to prevent.
How can you protect your service from a DDoS attack?
The first line of defense in an effective DDoS protection plan includes the existing firewall, intrusion prevention system (IPS) and load balancers.
Additionally, dedicated DDoS protection devices can provide specialized mitigation against large-scale and advanced DDoS attacks. There are several ways to protect your services from DDoS attacks.
- Evaluate your application architecture to determine stress points, user capacity and failover options.
- Use third-party testing tools or services to simulate attacks and gain an understanding of weak points.
- Observe the normal traffic so you can see when abnormalities arise.
- Monitor social media and the news for information about upcoming attacks or threats.
- Prepare a response plan with clear procedures, communication, and customer support policies, and ensure the team is trained to minimize the impact.
- Take advantage of alerting tools to notify the team when there are unexpected traffic patterns, connectivity issues, or application events. Incorporate these into your response plan.
- Evaluate and consider using services offered by your providers or other industry experts to protect against and minimize the impact of DDoS attacks.
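As an added example, not from the original article, the following Python script carries out the kind of baseline traffic analysis that the symptoms section and the list above call for: it buckets access log lines per second, compares each second's request count with an assumed baseline, and labels a spike as coming from a single dominant source (DoS-like) or spread across many sources (DDoS-like). The log format, thresholds and sample addresses are assumptions, and the log lines are constructed.

```python
"""Baseline-vs-anomaly check over web access log lines (added example, not
from the original article). Sample data is constructed; thresholds are assumptions."""

import re
from collections import Counter, defaultdict

# Apache/nginx combined-log prefix: client IP, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse(lines):
    """Yield (client_ip, one-second bucket, status) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, _request, status = m.groups()
            yield ip, ts[:20], int(status)  # '10/Oct/2020:13:55:36' keeps second resolution


def bucket_sources(lines):
    """Per second: Counter of requests by source IP."""
    buckets = defaultdict(Counter)
    for ip, sec, _status in parse(lines):
        buckets[sec][ip] += 1
    return buckets


def classify(lines, baseline_rps, factor=10, single_source_share=0.5):
    """Label each second 'normal', 'dos-like' (one source dominates a spike)
    or 'ddos-like' (a spike spread across many sources). Thresholds are assumed."""
    verdicts = {}
    for sec, by_ip in sorted(bucket_sources(lines).items()):
        total = sum(by_ip.values())
        if total <= baseline_rps * factor:
            verdicts[sec] = 'normal'
            continue
        top_share = by_ip.most_common(1)[0][1] / total
        verdicts[sec] = 'dos-like' if top_share >= single_source_share else 'ddos-like'
    return verdicts


def make_sample():
    """Constructed log: a quiet second, a single-source flood, a many-source flood."""
    fmt = '{ip} - - [10/Oct/2020:13:55:{s} +0000] "GET {path} HTTP/1.1" {code}'
    quiet = [fmt.format(ip=f'198.51.100.{i}', s=36, path='/index.html', code=200) for i in range(1, 4)]
    dos = [fmt.format(ip='203.0.113.7', s=37, path='/search?q=x', code=200) for _ in range(60)]
    ddos = [fmt.format(ip=f'203.0.113.{i}', s=38, path='/', code=503) for i in range(1, 81)]
    return quiet + dos + ddos


if __name__ == '__main__':
    for sec, verdict in classify(make_sample(), baseline_rps=3).items():
        print(sec, verdict)
```

In practice the baseline comes from the normal traffic you observed earlier, and a 'ddos-like' verdict is what the alerting step should feed into the response plan.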
Although DDoS attacks are not new, these threats are continually evolving to become much more complicated, yet easier to launch than ever before.
More recently, attackers have been employing multiple attack vectors at the same time, making the attacks more difficult to defend against. These are called Advanced Persistent Denial of Service (APDoS) attacks.
Furthermore, evolving technology is making it even harder for defenders to keep up. For example, the Internet of Things (IoT) is slowly becoming a weapon of choice for DDoS attackers.
Such attacks threaten vital business operations and data security. The repercussions of a successful DDoS attack can be catastrophic, from significant revenue loss to lasting damage to an organization's brand.
Therefore, it is essential for IT and security administrators to understand the threats, vulnerabilities, and risks associated with DDoS attacks. Accordingly, they can reduce the impact of these attacks through some core information security practices.