In this guide, we will discuss a wide range of topics related to DDoS attacks, including what a DDoS attack is, how they work, the types of DDoS attacks, the impacts of DDoS attacks, and how to defend against DDoS attacks.
Distributed Denial of Service (DDoS) attacks have been a powerful weapon on the internet for twenty years. They have evolved to be more prevalent and powerful over time, and now they have become one of the major threats to any company running online businesses.
Generally, DDoS attacks work by overwhelming a website or online service with more traffic than its server or network can accommodate. A DDoS attack aims to make that website or online service unavailable to users. The attackers typically depend on botnets, networks consisting of malware-infected computers that are centrally controlled.
A Distributed Denial of Service (DDoS) attack is an attempt by an attacker to interrupt the delivery of an online service to users. This can be done by blocking access to virtually anything such as servers, networks, devices, services, applications, and even particular transactions within applications.
DDoS attacks are a variant of denial-of-service (DoS) attacks in which an attacker, or a group of attackers, uses many devices to carry out the attack simultaneously.
The major difference between the two is that a DoS attack uses a single system to send malicious data or requests, whereas a DDoS attack is launched from many systems at once. That makes it both larger and much harder to stop by blocking a single source.
DDoS attacks target organizations of all sizes, cutting users off from their systems entirely, and attackers often combine them with extortion, demanding payment to call off the attack.
Banks, online retailers, news outlets, and other high-traffic websites are among the most common targets, which makes keeping information reliably available and publishable a real challenge.
It is difficult to detect and block these DDoS attacks as the traffic they generate is difficult to track and easily confused with legitimate traffic.
Most DDoS attacks are carried out through botnets, which are large networks of smart IoT devices, computers infected with malware, and other internet-enabled devices under hackers’ control.
The attacker instructs the machines in the botnet to send huge amounts of connection requests to a specific website or the IP address of a server.
This overwhelms the website or online service with more traffic than its server or network can accommodate. The end result is that the service becomes unavailable to users because its internet bandwidth, memory, or CPU has been exhausted.
The impact of a DDoS attack can range from minor annoyance and interrupted services to whole websites, applications, or even entire businesses being taken down.
DDoS attacks can affect victims in several ways.
DDoS attacks generally fall into one or more categories, with some advanced attacks combining several vectors at once. The three main categories are as follows.
1. Volumetric attacks
This is the classic type of DDoS attack: the attacker generates large volumes of bogus traffic to saturate the bandwidth of a website or server. Once the link is full, legitimate traffic can no longer flow into or out of the targeted site. These attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The size of a volumetric attack is measured in bits per second (bps).
2. Protocol attacks
These attacks are more targeted and exploit weaknesses in how servers and intermediate equipment such as firewalls and load balancers handle Layer 3 and Layer 4 protocols. Rather than filling the pipe, they exhaust state tables and processing capacity on those devices. They include SYN floods, Ping of Death, fragmented-packet attacks, Smurf attacks, and similar techniques, and their size is measured in packets per second (pps).
3. Application layer attacks
These are the most sophisticated type of DDoS attack and target specific web applications, overwhelming them with requests that look legitimate but are chosen to be expensive to serve. Their size is measured in requests per second (rps).
1. UDP and ICMP floods
These are the most common attack styles that fall under volumetric attacks. UDP floods drown host resources with User Datagram Protocol (UDP) packets, while ICMP floods do the same with Internet Control Message Protocol (ICMP) echo request (ping) packets until the service is overwhelmed.
Attackers also use reflection to magnify these floods. The attacker spoofs the victim's IP address as the source of UDP or ICMP requests sent to many third-party hosts, so every reply is delivered to the victim rather than to the attacker. The victim's link is saturated by traffic it never asked for, and because a host normally answers unsolicited UDP with ICMP "port unreachable" messages, the victim's outgoing bandwidth is consumed as well.
2. DNS Amplification
As the name suggests, these attacks use DNS queries whose responses are far larger than the queries themselves. The amplification exhausts the victim's bandwidth with a large inbound flow of responses generated from relatively little attacker traffic.
This is done by sending queries that produce large responses, with the source address spoofed to the victim's, so that the resolvers deliver those responses to the victim rather than to the attacker.
Concretely, the botnet sends large numbers of small query packets to publicly reachable (open) DNS resolvers, each asking for a record that yields a long answer, such as an ANY or TXT lookup for a domain with many records. Each resolver answers each spoofed query with a response many times larger than the query, and all of that data is sent to the victim's address.
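The reflection pattern described above (for UDP/ICMP floods and for DNS amplification alike) leaves a recognizable fingerprint in flow data: a host receives large UDP replies from many servers without ever having sent them a request. The following is an added example, not code from the original article; the flow records are constructed for illustration and their (src, sport, dst, dport, proto, packets, bytes) layout is an assumption modelled on NetFlow-style exports rather than any specific collector's format.

```python
"""Flag DNS reflection/amplification victims in flow records.

Added example; it is not code from the original article. The flow records
below are constructed for illustration, and their (src, sport, dst, dport,
proto, packets, bytes) layout is an assumption modelled on NetFlow-style
exports, not a specific collector's format.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (the port is what we key on).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed sample: 203.0.113.10 never queried anyone, yet three open
# resolvers send it megabytes of UDP/53 replies. The attacker spoofed
# 203.0.113.10 as the source of the queries, so the replies land on it.
SAMPLE_FLOWS = [
    # (src, sport, dst, dport, proto, packets, bytes)
    ("198.51.100.5", 53, "203.0.113.10", 4444, "udp", 1200, 3_600_000),
    ("198.51.100.6", 53, "203.0.113.10", 4444, "udp", 1100, 3_300_000),
    ("198.51.100.7", 53, "203.0.113.10", 4444, "udp", 1300, 3_900_000),
    # A real client: one small query, one modest reply.
    ("203.0.113.20", 51000, "198.51.100.5", 53, "udp", 2, 120),
    ("198.51.100.5", 53, "203.0.113.20", 51000, "udp", 2, 300),
    # Unrelated TCP traffic that must not be counted.
    ("203.0.113.30", 40000, "192.0.2.80", 443, "tcp", 50, 60_000),
]


def find_reflection_victims(flows, min_unsolicited_bytes=1_000_000,
                            min_reflectors=3, min_bytes_per_packet=1000):
    """Return {victim_ip: summary} for hosts that receive large UDP replies
    from several reflector services without having sent matching requests."""
    # Requests we actually saw leave a host, keyed (client, server, service port).
    requests_seen = set()
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            requests_seen.add((src, dst, dport))

    inbound = defaultdict(lambda: {"reflectors": set(), "ports": set(),
                                   "bytes": 0, "packets": 0, "unsolicited_bytes": 0})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        entry = inbound[dst]
        entry["reflectors"].add(src)
        entry["ports"].add(sport)
        entry["bytes"] += nbytes
        entry["packets"] += pkts
        if (dst, src, sport) not in requests_seen:
            entry["unsolicited_bytes"] += nbytes  # reply with no matching request

    victims = {}
    for ip, e in inbound.items():
        bytes_per_packet = e["bytes"] / e["packets"] if e["packets"] else 0.0
        if (e["unsolicited_bytes"] >= min_unsolicited_bytes
                and len(e["reflectors"]) >= min_reflectors
                and bytes_per_packet >= min_bytes_per_packet):
            victims[ip] = {
                "reflector_count": len(e["reflectors"]),
                "bytes": e["bytes"],
                "bytes_per_packet": round(bytes_per_packet, 1),
                "services": sorted(REFLECTOR_PORTS[p] for p in e["ports"]),
            }
    return victims


def amplification_ratio(flows, client, server, service_port):
    """Reply bytes divided by request bytes for one client/server pair. A
    reflection victim sent nothing, so the ratio is infinite by construction."""
    sent = sum(b for s, _, d, dp, _, _, b in flows if (s, d, dp) == (client, server, service_port))
    got = sum(b for s, sp, d, _, _, _, b in flows if (s, sp, d) == (server, service_port, client))
    return got / sent if sent else float("inf")


if __name__ == "__main__":
    for ip, summary in find_reflection_victims(SAMPLE_FLOWS).items():
        print(ip, summary)
```

In real deployments the request set should come from the same collector as the reply flows, and the thresholds should be set from the site's own baseline; the ones above are assumptions.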
3. Ping of Death
This is another protocol attack, in which the attacker sends malformed pings to a target. The maximum length of an IP packet is 65,535 bytes, but the data link layer limits the frame size allowed on the wire (1,500 bytes on standard Ethernet).
A large IP packet is therefore split into multiple fragments, and the receiving host reassembles them into the complete packet. In a Ping of Death, the fragments of the malicious ping would reassemble into an IP packet larger than 65,535 bytes. On a vulnerable host this overflows the memory buffers allocated for the packet, causing a crash and a denial of service for legitimate traffic.
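The check a hardened IP stack performs is simple: before copying any fragment into the reassembly buffer, verify that its offset plus its length cannot push the datagram past 65,535 bytes. The following is an added example, not code from the original article. It models only the fields that matter here (the 13-bit fragment offset in 8-byte units and each fragment's payload), assumes a 20-byte IPv4 header with no options, and builds its fragment sets inline.

```python
"""Bounds-check IPv4 fragment reassembly so an oversized ping cannot overflow.

Added example, not from the original article. Only the two fields that matter
are modelled: the 13-bit fragment offset (in 8-byte units) and the fragment
payload. The fragment tuples are constructed for illustration.
"""

IP_MAX_DATAGRAM = 65_535          # 16-bit total-length field
IPV4_HEADER_LEN = 20              # minimal header, no options (assumption)
MAX_FRAG_OFFSET_UNITS = 0x1FFF    # 13-bit field, units of 8 bytes -> 65,528 bytes
ETHERNET_MTU = 1500
FRAG_PAYLOAD = ETHERNET_MTU - IPV4_HEADER_LEN   # 1,480 payload bytes per fragment


class OversizedDatagram(ValueError):
    """Raised instead of writing past the 65,535-byte datagram limit."""


def fragment(payload, chunk=FRAG_PAYLOAD):
    """Split a payload into (offset_units, more_fragments, data) tuples the way
    a sender does. chunk must be a multiple of 8 so offsets stay representable."""
    assert chunk % 8 == 0
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append((start // 8, more, data))
    return frags


def ping_of_death_fragments():
    """Constructed malicious set: the final fragment sits at the maximum offset
    (65,528) and carries 1,480 bytes, so the datagram would end at byte 67,028."""
    return [(0, True, bytes(FRAG_PAYLOAD)),
            (MAX_FRAG_OFFSET_UNITS, False, bytes(FRAG_PAYLOAD))]


def reassemble(fragments):
    """Reassemble fragments into the payload, rejecting any fragment whose end
    would push the datagram (header included) past IP_MAX_DATAGRAM. Vulnerable
    stacks copied first and never checked."""
    buf = bytearray()
    total = None
    for offset_units, more, data in fragments:
        if not 0 <= offset_units <= MAX_FRAG_OFFSET_UNITS:
            raise ValueError("fragment offset does not fit in 13 bits")
        start = offset_units * 8
        end = start + len(data)
        # The check that prevents the overflow: done before any byte is copied.
        if IPV4_HEADER_LEN + end > IP_MAX_DATAGRAM:
            raise OversizedDatagram(
                f"fragment at offset {start} would end at byte {end} "
                f"(datagram {IPV4_HEADER_LEN + end} > {IP_MAX_DATAGRAM})")
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = data
        if not more:
            total = end
    if total is None or len(buf) != total:
        raise ValueError("fragment set is incomplete")
    return bytes(buf)


if __name__ == "__main__":
    print(len(reassemble(fragment(b"A" * 3000))), "bytes reassembled")
    try:
        reassemble(ping_of_death_fragments())
    except OversizedDatagram as exc:
        print("rejected:", exc)
```

The benign maximum-size case (a 65,515-byte payload plus the 20-byte header) is accepted, while the malicious set is refused on the final fragment; the failure mode the article describes is exactly the one the bounds check closes.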
4. SYN Flood
A SYN flood is one of the most common protocol attacks. It abuses the three-way handshake used to establish TCP connections between clients and servers.
A connection normally starts with the client sending a synchronize (SYN) segment, the server replying with a synchronize-acknowledge (SYN-ACK), and the client completing the handshake with a final acknowledgment (ACK).
A SYN flood sends a rapid stream of those initial SYN segments, often from spoofed source addresses, and never sends the final ACK. The server is left holding a growing table of half-open connections; once that backlog is full, it can no longer accept new connections, legitimate ones included.
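The half-open connection table and the standard defence against its exhaustion, SYN cookies, can be shown with a small model. The following is an added example, not code from the original article: it simulates a listener whose backlog fills under a spoofed SYN flood, then repeats the run with a stateless SYN cookie in place of a backlog entry. The backlog size, the half-open timeout, the cookie layout (5 time bits plus a 27-bit HMAC tag, with no MSS encoding) and the logical clock are all assumptions chosen for illustration, not any real kernel's implementation.

```python
"""Simulate a listener's SYN backlog under a SYN flood, with and without SYN cookies.

Added example, not code from the original article. Simplified model: backlog
size, half-open timeout, cookie layout and the logical clock are assumptions.
"""
import hashlib
import hmac
import os
import random


class Listener:
    def __init__(self, backlog=128, syn_recv_timeout=60.0, syn_cookies=False):
        self.backlog = backlog
        self.timeout = syn_recv_timeout
        self.syn_cookies = syn_cookies
        self.half_open = {}          # client tuple -> (our ISN, expiry time)
        self.established = set()
        self.dropped_syns = 0
        self._secret = os.urandom(16)      # per-listener cookie key (assumption)
        self._rng = random.Random(1)       # deterministic ISNs for the demo

    @staticmethod
    def _epoch(now):
        # 5-bit counter that advances every 64 s; lets cookies expire.
        return (int(now) // 64) & 0x1F

    def _cookie(self, client, client_isn, t):
        # Stateless SYN-ACK sequence number: time counter in the top 5 bits,
        # HMAC over the connection tuple and the client's ISN in the low 27.
        msg = f"{client[0]}:{client[1]}:{client_isn}:{t}".encode()
        tag = int.from_bytes(hmac.new(self._secret, msg, hashlib.sha256).digest()[:4], "big")
        return (t << 27) | (tag & 0x07FF_FFFF)

    def _expire(self, now):
        for client, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[client]

    def on_syn(self, client, client_isn, now):
        """Return the ISN we put in the SYN-ACK, or None if the SYN was dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(client, client_isn, self._epoch(now))  # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = self._rng.getrandbits(32)
        self.half_open[client] = (isn, now + self.timeout)
        return isn

    def on_ack(self, client, client_isn, ack_num, now):
        """Final ACK of the handshake; ack_num must be our ISN + 1."""
        self._expire(now)
        if client in self.half_open:
            isn, _ = self.half_open.pop(client)
            if ack_num == (isn + 1) & 0xFFFF_FFFF:
                self.established.add(client)
                return True
            return False
        if self.syn_cookies:
            cookie = (ack_num - 1) & 0xFFFF_FFFF
            t_seen, t_now = cookie >> 27, self._epoch(now)
            if (t_seen in (t_now, (t_now - 1) & 0x1F)
                    and cookie == self._cookie(client, client_isn, t_seen)):
                self.established.add(client)   # the ACK itself proves we sent the SYN-ACK
                return True
        return False


def simulate_flood(syn_cookies, attack_syns=1000, backlog=128):
    """Attacker sends attack_syns SYNs from spoofed sources and never ACKs;
    then one legitimate client tries to complete a handshake."""
    lis = Listener(backlog=backlog, syn_cookies=syn_cookies)
    now = 0.0
    for i in range(attack_syns):
        spoofed = (f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.1", 40000 + i)
        lis.on_syn(spoofed, client_isn=i, now=now)
        now += 0.001
    legit, legit_isn = ("203.0.113.7", 51234), 123456
    isn = lis.on_syn(legit, legit_isn, now)
    connected = isn is not None and lis.on_ack(legit, legit_isn, isn + 1, now + 0.05)
    return {"legit_connected": connected, "dropped_syns": lis.dropped_syns,
            "half_open": len(lis.half_open)}


if __name__ == "__main__":
    print("no cookies:", simulate_flood(syn_cookies=False))
    print("cookies:   ", simulate_flood(syn_cookies=True))
```

Without cookies the first 128 spoofed SYNs fill the backlog and everything after them, including the real client, is dropped until the entries time out; with cookies the listener stores nothing per SYN, so the flood costs it only CPU and the real client connects.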
5. HTTP Flood
These are among the most common application-layer DDoS attacks. The attacker sends requests that look like ordinary interactions with a web server or application.
Even though these requests are made to look like normal browser traffic, they are chosen to consume as much server capacity as possible.
The request made by the attacker can include anything from calling up URLs for documents or images using GET requests to making the server process calls to a database using POST requests.
DDoS attack services are often sold on the dark web.
The symptoms of a DDoS attack can look like ordinary availability problems: a crashed server, a surge of genuine users, or even a cut cable. You will always need to analyze the traffic to determine what is actually happening.
If you have become the victim of a DDoS attack, you will notice a sudden surge of incoming traffic that your server cannot keep up with. A website under a DDoS attack loads extremely slowly or returns a 503 "Service Unavailable" error, and you will probably be unable to reach it until the attack subsides.
A site or service becoming slow is the most obvious symptom of a DDoS attack. The common symptoms of a DDoS attack include:
A legitimate traffic surge can cause the same performance issues, so it is essential to investigate further, especially when the traffic pattern looks abnormal.
For example, an online shop expects a spike in traffic just after a Black Friday or Christmas sale; a spike with no such explanation deserves scrutiny. Beyond the general symptoms above, DDoS attacks have specific symptoms that depend on the type of attack.
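Distinguishing an HTTP flood (described above) from a genuine flash crowd is mostly a matter of looking at how the requests are distributed across sources and request signatures. The following is an added example, not code from the original article: it parses access-log lines in the NCSA combined format, computes per-source rates and concentration, and gives a verdict for two constructed windows, one a five-bot flood and one a sale-day crowd. The log lines and the thresholds are assumptions for illustration; real thresholds must come from the service's own baseline.

```python
"""Tell an HTTP flood from a legitimate traffic spike using access-log statistics.

Added example, not from the original article. The log lines are constructed
(NCSA combined format) and the thresholds are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], TS_FMT)
    return r


def analyze(lines, max_rps_per_ip=3.0, max_top5_share=0.5):
    """Summarize a window of requests and give a verdict. A flash crowd is many
    sources each making a few varied requests; a flood is a few sources, or
    one request signature, dominating the window."""
    reqs = [r for r in map(parse_line, lines) if r]
    if not reqs:
        return {"verdict": "no_data"}
    by_ip = Counter(r["ip"] for r in reqs)
    by_signature = Counter((r["path"], r["ua"]) for r in reqs)
    span = max(r["ts"] for r in reqs) - min(r["ts"] for r in reqs)
    seconds = max(span.total_seconds(), 1.0)
    top_ip, top_count = by_ip.most_common(1)[0]
    top5 = sum(c for _, c in by_ip.most_common(5))
    summary = {
        "requests": len(reqs),
        "distinct_ips": len(by_ip),
        "top_ip": top_ip,
        "top_ip_rps": round(top_count / seconds, 2),
        "top5_share": round(top5 / len(reqs), 3),
        "top_signature_share": round(by_signature.most_common(1)[0][1] / len(reqs), 3),
    }
    flood = summary["top_ip_rps"] > max_rps_per_ip or summary["top5_share"] > max_top5_share
    summary["verdict"] = "likely_http_flood" if flood else "likely_flash_crowd"
    return summary


# --- constructed sample logs (not real traffic) ------------------------------
_BASE = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, second, path, ua):
    ts = (_BASE + timedelta(seconds=second)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def _background():
    # 50 ordinary visitors, one request each, spread over the minute.
    return [_line(f"10.1.0.{i}", i, f"/product/{i}", f"Mozilla/5.0 (client {i})")
            for i in range(50)]


def constructed_flood_log():
    # Five bots hit the same expensive search URL, 300 requests each in 60 s.
    bots = [_line(f"198.51.100.{b}", i % 60, "/search?q=%2A", "python-requests/2.31")
            for b in range(1, 6) for i in range(300)]
    return _background() + bots


def constructed_flash_crowd_log():
    # 400 distinct visitors, two varied requests each, after a sale announcement.
    crowd = [_line(f"10.2.{i // 256}.{i % 256}", (i * 7) % 60,
                   f"/product/{i % 37}", f"Mozilla/5.0 (client {i})")
             for i in range(400) for _ in range(2)]
    return _background() + crowd


if __name__ == "__main__":
    print(analyze(constructed_flood_log()))
    print(analyze(constructed_flash_crowd_log()))
```

The flood window is dominated by five addresses and a single path/User-Agent signature; the flash-crowd window has more total requests per source than usual but spread across hundreds of addresses and dozens of pages. Layer 7 floods that rotate through a large botnet will defeat the per-IP rate test, which is why the signature share and the top-N concentration are worth keeping alongside it.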
Furthermore, if a botnet uses your computer to conduct a DDoS attack, it will show the following warning signs.
Protecting yourself from a DDoS attack can be a challenging task. Organizations have to plan well to defend and prevent such attacks.
Identifying your vulnerabilities is the first and most important step of any protection strategy. Beyond that, the steps below help reduce an organization's attack surface and limit the damage a DDoS attack can do.
Additionally, practicing internet safety habits will prevent your devices from being used in botnets.
Use strong passwords
Use long, unique, and difficult-to-guess passwords for all your accounts. In addition, you can use a password manager to store and sync passwords across your devices securely.
Use up-to-date software
Outdated software contains known vulnerabilities that attackers use to get into your systems. Update your software promptly and install the patches released by software vendors as soon as they are available; these updates often exist specifically to close security holes.
Be cautious of strange links and attachments
Cybercriminals try to get you to install their malware through emails containing malicious links or attachments. Do not engage with such emails if you do not recognize the sender, and use an email security tool to scan attachments for malware.
Use a firewall
A firewall blocks traffic to and from unauthorized sources. A properly configured firewall can also stop the command-and-control traffic a botnet needs, so that even a machine that has been infected with botnet malware cannot be directed to take part in an attack.
DDoS attacks provide a way for intruders to make a website or online service unavailable for a certain period or indefinitely.
They vary widely in complexity and can severely impact the targeted businesses or organizations. Therefore, online businesses and organizations should take every possible step to mitigate DDoS attacks and secure their systems.
To recap: DDoS attacks aim to overwhelm a website or online service with more traffic than its server or network can accommodate, making it unavailable to users.
The impacts of these attacks can range from financial loss to damage to customer trust. To defend against such attacks, organizations need to identify vulnerabilities, configure firewalls and routers, monitor network traffic, and develop a mitigation plan.
Practicing internet safety habits, such as using strong passwords and firewalls, can also help prevent devices from being used in botnets.
Why should cyber security professionals worry about DDoS attacks?
DDoS attacks can severely damage the availability of critical online resources, and they can also serve as a diversion while other malicious activity is carried out on the network.
Why is it difficult to prevent DDoS attacks with traditional forms of cybersecurity filtering?
Because DDoS attacks are distributed across many systems, there is no single source address or port that a traditional filter can block to stop the malicious traffic, as it could for a single-source DoS attack.
What is the role of a botnet in a DDoS attack?
Botnets are networks of compromised devices, sometimes called bots or zombies, controlled by cybercriminals. These devices can include desktops, laptops, servers, and IoT devices. Attackers issue commands to these machines and combine them into a distributed source of malicious traffic to overwhelm a company's infrastructure.