A Complete Guide to DDoS Attacks: What They Are and How to Protect Yourself

Shanika W.

By Shanika W., 6 December 2021

Cybersecurity Analyst

Miklos Zoltan

Fact-Checked this


In this guide, we will discuss a wide range of topics related to DDoS attacks, including what a DDoS attack is, how they work, the types of DDoS attacks, impacts of DDoS attacks, and how to defend against DDoS attacks.

This article will address the following questions:

  • What is a DDoS attack?
  • How does a DDoS attack work?
  • Impacts of DDoS attacks
  • Basic types of DDoS attacks
  • DDoS attack styles
  • How to detect a DDoS attack
  • How to protect yourself against DDoS attacks

Quick Summary

Distributed Denial of Service (DDoS) attacks have been a powerful weapon on the internet for twenty years. They have evolved to be more prevalent and powerful over time and now they have become one of the major threats to any company running online businesses.

Generally, DDoS attacks work by overwhelming a website or online service with more traffic than its server or network can accommodate. The attackers typically depend on botnets which are networks consisting of malware-infected computers that are centrally controlled. A DDoS attack aims to make that website or online service unavailable to users.

Guide to DDoS Attacks

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack is an attempt by an attacker to interrupt the delivery of an online service to users. This can be done by blocking access to virtually anything such as servers, networks, devices, services, applications, and even particular transactions within applications.

A DDoS attack is a variant of a denial-of-service (DoS) attack in which an attacker, or a group of attackers, uses many devices to carry out the attack simultaneously.

The major difference between DoS and DDoS attacks is that a DoS attack uses a single system to send malicious data or requests, whereas a DDoS attack is sent from many systems at once, which increases both its strength and its effectiveness and makes it much harder to block by filtering a single source.

DDoS attacks target victims of every size, from individuals to large enterprises, by completely blocking access to their systems; some attackers go further and demand a ransom to stop the attack.

Banks, websites, online retailers, and news channels are among the key targets. For a news organization in particular, an attack that takes the site offline also prevents information from being published and reached by its readers.

DDoS attacks are difficult to detect and block because the traffic arrives from a large number of sources and is easily confused with legitimate traffic.

How Does a DDoS Attack Work?

Most DDoS attacks are carried out through botnets which are large networks of smart IoT devices, computers infected with malware, and other internet-enabled devices that are under the control of hackers.

The attacker instructs the machines in the botnet to send huge amounts of connection requests to a specific website or the IP address of a server.

The flood overwhelms the target with more traffic than its server or network can accommodate, exhausting internet bandwidth, memory, and CPU until the website or online service becomes unavailable to legitimate users.

The impact of a DDoS attack ranges from minor annoyance and interrupted services to whole websites, applications, or even entire businesses being taken offline.

Impacts of DDoS Attacks

DDoS attacks can affect victims in a number of ways.

  • Financial loss
  • Damage to reputation
  • Data loss
  • Damage to customer trust
  • Impact on essential services
  • The direct and indirect costs involved in restoring systems
  • Impact on third parties

Basic Types of DDoS Attacks

DDoS attacks generally fall into one or more categories, with some advanced attacks combining attacks on different vectors. Following are the three main categories of DDoS attacks.

1. Volumetric attacks

This is the classic type of DDoS attack. It generates large volumes of bogus traffic to saturate the bandwidth available to a website or server, so that real traffic can no longer flow into or out of the targeted site. These attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The size of a volumetric attack is measured in bits per second (bps).

2. Protocol attacks

These attacks are more focused and exploit weaknesses in how servers and intermediate network equipment such as firewalls and load balancers handle protocol state. By sending large numbers of specially crafted packets, they exhaust connection tables, fragment buffers, and similar resources rather than raw bandwidth. Typical examples are SYN floods, Ping of Death, fragmented-packet attacks, and Smurf attacks. Their size is measured in packets per second (pps).

3. Application layer attacks

These are the most sophisticated type of DDoS attack and target specific web applications. They work by overwhelming the application with requests that look legitimate but are expensive to serve. The size of these attacks is measured in requests per second (rps).

Styles of DDoS Attacks

1. UDP and ICMP floods

These are the most common attack styles in the volumetric category. UDP floods drown host resources with User Datagram Protocol (UDP) packets, while ICMP floods do the same with Internet Control Message Protocol (ICMP) echo request (ping) packets, until the service is overwhelmed.

Attackers often combine these floods with reflection. The attacker sends UDP or ICMP requests to third-party hosts with the source IP address spoofed to the victim's address, so every host replies to the victim instead of to the attacker. The victim then absorbs responses it never requested, the reflecting hosts' outgoing bandwidth is consumed as well, and the packets arriving at the victim carry the reflectors' addresses rather than the attacker's, which makes the source hard to trace.

2. DNS Amplification

As the name suggests, these attacks involve sending numerous DNS queries to public resolvers in order to exhaust the victim's bandwidth. The amplification comes from the size difference between a DNS query and its response: a query of a few dozen bytes can trigger a response of several kilobytes.

This is done by sending, from many sources in a botnet, large numbers of small queries to publicly accessible (open) DNS servers, with the source IP address of every packet spoofed to the victim's address. Each query asks for a record type that produces a very long answer, for example a zone's entire record set.

The DNS servers dutifully reply to each of these dispersed queries with a response many times larger than the request, and because of the spoofed source address all of those responses are delivered to the victim rather than to the attacker. The attacker's own upstream bandwidth is therefore multiplied by the amplification factor of the resolvers it abuses.
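The size asymmetry that reflection and amplification exploit is easy to see on the wire. The example below, added here and not part of the original article, builds a real DNS query for the ANY record type with an EDNS0 option advertising a 4,096-byte UDP buffer, then builds the kind of response an open resolver would send back for a zone stuffed with TXT records, and compares the two sizes. The domain name, the eight 255-character TXT strings, and the transaction ID are constructed sample data; the packet layout follows RFC 1035 and RFC 6891.

```python
"""Build a small DNS query and a large DNS response to show the size
asymmetry behind DNS amplification.  Added example, not from the
original article; the domain and record contents are constructed."""
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: length byte + label, 0-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def edns0_opt(udp_payload_size: int = 4096) -> bytes:
    """OPT pseudo-RR (RFC 6891): root name, type 41, the CLASS field reused as the
    UDP buffer size, TTL reused as extended flags, empty RDATA.  Advertising 4096
    tells the resolver it may answer with far more than the classic 512 bytes."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)


def build_query(qname: str, qtype: int = 255, txid: int = 0x1234) -> bytes:
    """Standard query (RD=1) with one question and one additional (OPT) record.
    qtype 255 is ANY, the record type amplification attacks historically used."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + edns0_opt()


def build_txt_response(query: bytes, qname: str, texts: List[str]) -> bytes:
    """Answer the query with one TXT RR per string.  Each RR owner is a
    compression pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(texts), 0, 1)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 255, 1)
    answers = b""
    for text in texts:
        raw = text.encode("ascii")
        rdata = bytes([len(raw)]) + raw          # TXT RDATA: one length-prefixed string
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answers + edns0_opt()


def parse_counts(msg: bytes) -> Tuple[int, int, int, int]:
    """Return (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from a DNS message header."""
    return struct.unpack("!HHHH", msg[4:12])


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send."""
    return len(response) / len(query)


# Constructed sample: an ANY query for a zone that returns eight full-size TXT records.
SAMPLE_QNAME = "example.com"
SAMPLE_TEXTS = ["x" * 255] * 8
SAMPLE_QUERY = build_query(SAMPLE_QNAME)
SAMPLE_RESPONSE = build_txt_response(SAMPLE_QUERY, SAMPLE_QNAME, SAMPLE_TEXTS)

if __name__ == "__main__":
    print(f"query: {len(SAMPLE_QUERY)} bytes, response: {len(SAMPLE_RESPONSE)} bytes, "
          f"factor: {amplification_factor(SAMPLE_QUERY, SAMPLE_RESPONSE):.1f}x")
```

The 40-byte query here yields a 2,184-byte response, a factor of roughly 55; the attacker's botnet only has to originate 40 bytes per spoofed packet to land 2 KB on the victim. This is why resolver operators disable recursion for outside clients, apply response rate limiting, and refuse or minimise ANY queries, and why networks should drop packets with spoofed source addresses at their edge (BCP 38).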

3. Ping of Death

This is another type of protocol attack, in which the attacker sends malformed pings to a computer. The maximum length of an IP packet is 65,535 bytes, but the data link layer limits the frame size that can be sent over an Ethernet network to far less than that.

A large IP packet is therefore split into multiple fragments, and the receiving host reassembles these fragments into the complete packet. In a Ping of Death, the fragment offsets and lengths are chosen so that the host ends up with a reassembled packet larger than 65,535 bytes. This overflows the memory buffer allocated for the packet, crashing or destabilising the host and denying service even to legitimate traffic. Modern operating systems check fragment bounds during reassembly, so the classic attack is mostly of historical interest, but the same mistake reappears whenever a reassembly routine trusts attacker-supplied offsets.
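The bug is a missing bounds check, and it is clearest when the unchecked and checked reassemblers sit side by side. The model below is an added example, not code from the article or from any operating system's IP stack: it reassembles fragments into a fixed 65,535-byte buffer, first trusting the 13-bit fragment offset and payload length blindly, then rejecting any fragment that would end past the buffer. The two fragment sets are constructed sample data.

```python
"""Model of IPv4 fragment reassembly into a fixed 65,535-byte buffer, showing
the unchecked write that Ping of Death exploited and the bounds check that
prevents it.  Added example, not code from the article or any real IP
stack; the fragment sets are constructed sample data."""
from typing import List, Tuple

MAX_IP_PACKET = 65535              # 16-bit Total Length field in the IP header
MAX_FRAG_OFFSET = (1 << 13) - 1    # 13-bit Fragment Offset field, in 8-byte units

Fragment = Tuple[int, bytes]       # (fragment offset in 8-byte units, fragment payload)


class FragmentError(ValueError):
    """Raised by the hardened reassembler for a fragment that cannot fit."""


def reassemble_unchecked(fragments: List[Fragment]) -> bytearray:
    """Vulnerable model: trusts offset*8 + len(payload) without checking it.
    In C the copy would overrun the fixed buffer and corrupt adjacent memory;
    here the slice assignment silently grows the bytearray past 65,535 bytes,
    which is how the overflow shows up in this model."""
    buf = bytearray(MAX_IP_PACKET)
    for offset8, payload in fragments:
        start = offset8 * 8
        buf[start:start + len(payload)] = payload
    return buf


def reassemble_checked(fragments: List[Fragment]) -> bytearray:
    """Hardened model: reject any fragment whose end would pass 65,535 bytes
    before a single byte is copied."""
    buf = bytearray(MAX_IP_PACKET)
    for offset8, payload in fragments:
        if offset8 > MAX_FRAG_OFFSET:
            raise FragmentError(f"offset {offset8} exceeds the 13-bit field")
        start = offset8 * 8
        end = start + len(payload)
        if end > MAX_IP_PACKET:
            raise FragmentError(f"fragment ends at byte {end}, beyond {MAX_IP_PACKET}")
        buf[start:end] = payload
    return buf


def accepts(fragments: List[Fragment]) -> bool:
    """True if the hardened reassembler accepts the fragment set."""
    try:
        reassemble_checked(fragments)
        return True
    except FragmentError:
        return False


# Constructed sample 1: an ordinary 2,960-byte ping split for a 1,500-byte MTU
# (1,480 payload bytes per fragment, so the second fragment starts at 1480/8 = 185).
BENIGN_PING: List[Fragment] = [(0, b"\x00" * 1480), (185, b"\x00" * 1480)]

# Constructed sample 2: Ping of Death.  The final fragment sits at the maximum
# offset (8191 * 8 = 65,528) and carries 40 bytes, so reassembly ends at 65,568.
PING_OF_DEATH: List[Fragment] = [(0, b"\x00" * 1480), (MAX_FRAG_OFFSET, b"\x41" * 40)]

if __name__ == "__main__":
    print("benign   :", len(reassemble_unchecked(BENIGN_PING)), "bytes, accepted:", accepts(BENIGN_PING))
    print("malicious:", len(reassemble_unchecked(PING_OF_DEATH)), "bytes, accepted:", accepts(PING_OF_DEATH))
```

The check is deliberately placed before the copy: a reassembler that copies first and validates afterwards has already corrupted memory by the time it notices. The same pattern (validate attacker-controlled offset plus length against the buffer size, using arithmetic that cannot itself overflow) applies to any protocol parser that reassembles chunks.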

4. SYN Flood

SYN flood is one of the most common protocol attacks. It abuses the three-way handshake used to establish TCP connections between clients and servers.

A connection is normally made by the client sending an initial synchronize (SYN) segment to the server, the server replying with a synchronize-acknowledge (SYN-ACK), and the client completing the handshake with a final acknowledgment (ACK).

A SYN flood sends a rapid succession of SYN segments, usually from spoofed source addresses, and never sends the final ACK. The server must hold each half-open connection in its backlog until it times out; once the backlog is full, new connections from legitimate clients are refused, and the resource exhaustion can ultimately crash the server.
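The standard defence is to stop keeping per-SYN state at all. With SYN cookies (described in RFC 4987 and enabled by default on Linux via net.ipv4.tcp_syncookies), the server encodes what it needs into the initial sequence number of its SYN-ACK and only allocates a connection when a client returns a valid ACK. The following is an added example modelled on the classic cookie layout, not code from the article or from any kernel: the secret key, the minute counter, the MSS table, and the addresses and ports are all constructed, and a real implementation would also mix the client's own sequence number into the cookie.

```python
"""SYN cookies: a stateless answer to SYN floods.  Instead of storing a
half-open connection for every SYN, the server encodes the connection in
the initial sequence number (ISN) of its SYN-ACK and validates it when the
client's ACK comes back.  Added example modelled on the classic cookie
layout (RFC 4987); not code from the article.  Secret, counter, MSS table
and endpoints are constructed."""
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-server-secret"          # would be random and rotated in practice
MSS_TABLE = [536, 1220, 1440, 1460]            # MSS values encodable in 2 bits

COUNT_BITS, MSS_BITS = 5, 2                    # ISN layout: [count:5][mss:2][mac:25]
MAC_MASK = (1 << (32 - COUNT_BITS - MSS_BITS)) - 1


def _mac(saddr: str, sport: int, daddr: str, dport: int, count: int) -> int:
    """Keyed hash over the 4-tuple and the time counter, truncated to 25 bits.
    Without the key an attacker could mint valid cookies for any source."""
    msg = f"{saddr}:{sport}->{daddr}:{dport}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(saddr: str, sport: int, daddr: str, dport: int,
                minute: int, mss_idx: int) -> int:
    """Server side, on SYN: build the ISN for the SYN-ACK and store nothing."""
    return (((minute & 0x1F) << 27)
            | ((mss_idx & 0x3) << 25)
            | _mac(saddr, sport, daddr, dport, minute))


def check_cookie(saddr: str, sport: int, daddr: str, dport: int,
                 ack_num: int, now_minute: int) -> Optional[int]:
    """Server side, on ACK: recover the cookie (ack - 1) and accept it only if
    it was minted with our secret in the current or previous minute.
    Returns the negotiated MSS on success, None for a forged or stale ACK."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    for candidate in (now_minute, now_minute - 1):
        if (candidate & 0x1F) == count and \
           _mac(saddr, sport, daddr, dport, candidate) == (cookie & MAC_MASK):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed exchange: a genuine client completes the handshake in minute 7.
    cli = ("198.51.100.7", 40000)
    srv = ("203.0.113.10", 443)
    isn = make_cookie(*cli, *srv, minute=7, mss_idx=3)          # SYN -> SYN-ACK(seq=isn)
    mss = check_cookie(*cli, *srv, ack_num=isn + 1, now_minute=7)  # ACK(ack=isn+1)
    print("handshake completed, MSS", mss)
    # A flood of spoofed SYNs costs the server one HMAC per SYN-ACK and no memory:
    for i in range(5):
        make_cookie(f"10.0.0.{i}", 1024 + i, *srv, minute=7, mss_idx=3)
    print("half-open entries kept during the flood: 0")
```

The trade-off is that the cookie has no room for most TCP options, so connections accepted under cookie mode lose window scaling and selective acknowledgment unless the stack recovers them from the ACK's timestamp option; Linux therefore only switches to cookies once the SYN backlog is full. Rotating the secret and bounding the accepted counter window (two minutes here) is what keeps an attacker from replaying a cookie it captured earlier.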

5. HTTP Flood

These are among the most common application-layer DDoS attacks. The attacker sends requests that look like normal traffic to a web server or application.

Although the requests mimic ordinary browser activity, they are chosen to consume as many server resources as possible, and because each one is a valid HTTP request they are far harder to filter than a raw packet flood.

The requests can range from GET requests for URLs, documents, or images to POST requests that force the server to execute expensive operations such as database queries.

How to Detect a DDoS Attack

The symptoms of a DDoS attack often resemble non-malicious causes of availability problems: a downed server or system, too many requests from real users, or a cut cable. You will therefore always need to analyze the traffic to determine what is actually taking place.

If you have become the victim of a DDoS attack, you will notice a sudden surge of incoming traffic that leaves your server struggling or crashing under the load. A website under DDoS attack loads extremely slowly or returns an HTTP 503 "Service Unavailable" error, and it will probably remain unreachable until the attack subsides or is mitigated.

Symptoms of DDoS attacks

The most obvious symptom of a DDoS attack is a site or service becoming slow. Common symptoms include:

  • Slow access to files, whether stored locally or remotely
  • Inability to access a specific website for a long period
  • A huge amount of traffic from one specific source or IP address
  • A flood of traffic from clients that share the same behaviour, device type, browser, or location
  • A sudden and abnormal surge in requests to a single page
  • Problems accessing all websites
  • Large amounts of spam email
  • Loss of internet connectivity

While a legitimate traffic surge can also cause performance issues, it is essential to investigate further, especially when the traffic pattern looks abnormal.

For example, an online shop expects a spike in traffic around Black Friday or Christmas sales; the same spike on an ordinary day, concentrated on one page and coming from a narrow set of sources, is suspicious. Apart from the general symptoms listed above, each type of DDoS attack has its own specific symptoms.
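Two of the symptoms above, an abnormal surge from a single source and a crowd of clients that all look identical, can be picked out of an ordinary web-server access log, which is also where an HTTP flood of the kind described earlier leaves its trace. The script below is an added example, not code from the article: it parses combined-format log lines, counts requests per source IP in a sliding window, and lists user-agent strings shared by an unusual number of distinct sources. The log lines, the IP addresses, and the thresholds (20 requests in 10 seconds, 5 sources per user agent) are constructed; set real thresholds from your own traffic baseline.

```python
"""Spot HTTP-flood candidates in web-server access logs (combined log format):
sources whose request rate inside a sliding window is far above normal, and
user-agent strings shared by an unusual number of sources.  Added example,
not code from the article; the log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def rate_offenders(records: List[dict], window_s: int = 10, max_requests: int = 20) -> Dict[str, int]:
    """Sliding-window request count per source IP.  Returns {ip: peak count}
    for every source that exceeded max_requests within window_s seconds."""
    windows: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) > max_requests:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def shared_user_agents(records: List[dict], min_sources: int = 5) -> Dict[str, int]:
    """User-agent strings seen from at least min_sources distinct IPs: the
    'many clients that look identical' symptom of a botnet-driven flood."""
    sources: Dict[str, set] = defaultdict(set)
    for rec in records:
        sources[rec["ua"]].add(rec["ip"])
    return {ua: len(ips) for ua, ips in sources.items() if len(ips) >= min_sources}


def analyze(lines: List[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    return rate_offenders(records), shared_user_agents(records)


def _line(ip: str, second: int, method: str, path: str, ua: str) -> str:
    return f'{ip} - - [10/Dec/2021:12:00:{second:02d} +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample log: three ordinary visitors, one source hammering a
# database-backed endpoint, and eight sources sharing one unusual user agent.
SAMPLE_LOG: List[str] = []
_BROWSERS = ["Mozilla/5.0 (Windows NT 10.0) Firefox/94.0",
             "Mozilla/5.0 (Macintosh) Safari/605.1",
             "Mozilla/5.0 (X11; Linux) Chrome/96.0"]
for _i, _ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
    for _s in range(0, 60, 15):                       # four page views a minute
        SAMPLE_LOG.append(_line(_ip, _s, "GET", "/", _BROWSERS[_i]))
for _n in range(30):                                  # 30 POSTs to /search in five seconds
    SAMPLE_LOG.append(_line("203.0.113.5", _n // 6, "POST", "/search", "python-requests/2.26"))
for _k in range(8):                                   # eight bots with an identical user agent
    for _s in (3, 9):
        SAMPLE_LOG.append(_line(f"192.0.2.{_k + 1}", _s, "GET", "/login", "Mozilla/4.0 (compatible; MSIE 6.0)"))

if __name__ == "__main__":
    offenders, clusters = analyze(SAMPLE_LOG)
    print("rate offenders    :", offenders)
    print("shared user agents:", clusters)
```

On the sample log only 203.0.113.5 trips the rate rule, with 30 requests in the window, and only the shared "MSIE 6.0" string trips the clustering rule, with eight distinct sources. Neither rule alone proves an attack: a corporate NAT can legitimately put many users behind one address, and a popular browser version is shared by millions of clients. Compare the flagged values against a baseline from a quiet period, and treat the combination of a rate spike, an identical client fingerprint, and requests concentrated on an expensive endpoint as the signal worth escalating.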

Furthermore, if your computer has been recruited into a botnet and is being used to conduct DDoS attacks, it will show the following warning signs:

  • A sudden decrease in performance
  • System crashes
  • Frequent error messages
  • Extremely slow internet speed

How to Protect Yourself Against DDoS Attacks

Protecting yourself from a DDoS attack can be a challenging task. Organizations have to plan well to defend and prevent such attacks.

Identifying your vulnerabilities is the first step of any protection strategy. Beyond that, the steps below will help reduce an organization's attack surface and limit the damage a DDoS attack can do.

  1. Act quickly: inform your ISP, have a backup ISP, and be prepared to reroute traffic.
  2. Configure firewalls and routers to drop spoofed and obviously bogus traffic as a first layer of defense.
  3. Protect individual computers with antivirus or security software and keep them patched with the latest security updates.
  4. Analyze the application's architecture and implementation. It should be built so that no single user action can deplete system resources or monopolize an application component.
  5. Monitor network traffic so that you are alerted to unexpected spikes. This helps identify network-targeted attacks, and analyzing where the traffic originates gives additional insight.
  6. Monitor system health and responsiveness with frequent health checks to recognize attacks aimed at the system itself.
  7. Evaluate application health and responsiveness with frequent health checks on application components to identify application-layer attacks.
  8. Create a mitigation plan. Different types of DDoS attacks require different mitigation strategies. Many providers now offer DDoS protection services, so consider whether the mechanisms your provider offers fit your needs.

Additionally, practicing the following internet safety habits will help keep your own devices from being recruited into botnets.

Use strong passwords

Use long, unique, and difficult to guess passwords for all your accounts. In addition, you can use a password manager to store and sync passwords across your devices securely.

Use up-to-date software

Outdated software contains known vulnerabilities that attackers can use to get into your system. Keep your software current and install the updates and patches released by vendors as soon as possible; these updates often exist precisely to close security holes.

Be cautious of strange links and attachments

Cybercriminals try to trick you into downloading malware with emails that carry malicious links or attachments. Do not open such emails if you do not recognize the sender, and consider an email security tool that scans attachments for malware.

Use a firewall

A firewall is capable of blocking access to and from unauthorized sources. Moreover, a smart firewall can prevent hackers from communicating with your machines if they try to infect them with botnet malware.

Conclusion

DDoS attacks provide a way for intruders to make a website or online service unavailable for a certain period or indefinitely.

They widely vary in complexity and can make a severe impact on the targeted businesses or organizations. Therefore, online businesses and organizations should take every possible step to mitigate DDoS attacks and secure their systems.

FAQ

Why should cyber security professionals worry about DDoS attacks?

DDoS attacks can severely damage the availability of critical online resources and can also serve as a smokescreen for other malicious activity on the network.

Why is it difficult to prevent DDoS attacks with traditional forms of cybersecurity filtering?

Because DDoS attacks are carried out in a distributed fashion from many systems at once, the malicious traffic cannot be stopped simply by blocking a single source.

What is the role of a botnet in a DDoS attack?

Botnets are networks of compromised devices (often called bots or zombies) controlled by cybercriminals. The devices can be desktops, laptops, servers, or IoT devices. The attacker communicates with these machines and uses them together to generate malicious traffic from many distributed sources at once, overwhelming the target's infrastructure.

1 Comment

  • Sharath

    December 23, 2021 4:18 pm

    Thanks for these noteworthy points on DDoS attacks! It was of great help. Coming to reducing DDoS attacks, can you suggest a few services like Mazebolt to help minimize DDoS attacks?
