Distributed Denial-of-Service (DDoS) Attacks

August 16, 2021

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a cybercrime that attempts to interrupt a server or network by flooding it with fake internet traffic.

The purpose of a DDoS attack is to disrupt the ability of an organization to serve its users. Malicious actors use DDoS attacks for:

  • competitor sabotage
  • insider revenge
  • nation-state activities
  • mayhem/chaos

DoS vs DDoS – What is the Difference?

DDoS attacks are launched from multiple systems, while DoS (denial-of-service) attacks originate from just one system. DDoS attacks are faster and harder to block than DoS attacks; a DoS attack is easier to block because there is only one attacking machine to identify.

How Does a DDoS Attack Work?

It is impossible to discuss DDoS attacks without discussing botnets. A botnet is a network of computers infected with malware that enables malicious actors to control the computers remotely. These botnets are “distributed” because they may be located anywhere and belong to anyone. Innocent owners of infected computers may never know their systems are part of a botnet.

After building a massive botnet of millions of compromised devices, a DDoS attacker remotely directs each bot to send requests to the target’s IP address. The goal is to exceed the capacity limits of the victim’s web resources with an overwhelming number of connection requests or data, ultimately halting its service.

Types of DDoS Attacks

DDoS attacks can be classed in various ways, but it’s common to group them into three types:

1. Volumetric Attack

Botnets send massive amounts of bogus traffic to a resource. This type of attack may use ping floods, spoofed-packet floods, or UDP floods. A volume-based attack is measured in bits per second (BPS).

2. Network Layer Attacks

Network-layer attacks, also known as protocol attacks, send large numbers of packets to a target. A network layer attack does not require an open Transmission Control Protocol (TCP) connection and does not target a specific port. A network layer attack is measured in packets per second (PPS).

Examples of a network layer attack include:

  • Smurf Attack: Attempts to flood a server at the network level using Internet Control Message Protocol (ICMP) packets and exploiting IP vulnerabilities.
  • SYN Flood: Initiates connections to a server without ever completing them, overwhelming the server as a result. This type of attack uses a vast number of TCP handshake requests with spoofed IP addresses.

3. Application Layer Attacks

Application layer attacks exploit common requests such as HTTP GET and HTTP POST. These attacks impact both server and network resources, so the same disruptive effect of other types of DDoS attacks can be achieved with less bandwidth. Distinguishing between legitimate and malicious traffic in this layer is difficult because the traffic is not spoofed and so it appears normal. An application layer attack is measured in requests per second (RPS).

While most attacks are volume-based, there are also “low and slow” DDoS attacks that elude detection by sending small, steady streams of requests that can degrade performance unobserved for long periods of time. Low and slow attacks target thread-based web servers and cause data to be transmitted to legitimate users very slowly but not quite slowly enough to cause a time-out error. Some tools used in low and slow attacks include Slowloris, R.U.D.Y., and Sockstress.

Why Are DDoS Attacks a Growing Threat?

DDoS attacks are rocketing in number. Despite a dip in 2018 when the FBI shut down the largest DDoS-for-hire sites on the dark web, DDoS attacks increased by 151% in the first half of 2020. In some countries, DDoS attacks can represent up to 25% of total internet traffic during an attack.

Driving this escalation is the adoption of the Internet of Things (IoT). Most IoT devices lack built-in firmware security or other security controls. Because IoT devices are numerous and often deployed without security testing or controls, they are susceptible to being hijacked into IoT botnets.

Another growing point of weakness is APIs, or application programming interfaces. APIs are small pieces of code that let different systems share data. For example, a travel site that publishes airline schedules uses APIs to get that data from the airlines’ sites onto the travel site’s web pages. “Public” APIs, which are available for anyone’s use, may be poorly protected. Typical vulnerabilities include weak authentication checks, inadequate endpoint security, lack of robust encryption, and flawed business logic.

What is the Largest DDoS Attack Ever Recorded?

When it comes to DDoS attacks, size does not matter: no company is completely safe, no matter how large it is. To this day, the largest DDoS attack on record hit one of Google’s Cloud Services clients in June 2022. At its peak, Google’s client was being bombarded with 46 million RPS (requests per second). Google alerted its client about the attack and was able to block it within an hour.

What Are the Signs of a DDoS Attack?

Victims of DDoS attacks usually notice that their network, website, or device is running slowly or is not providing service. However, these symptoms are not unique to DDoS attacks – they can be caused by many things, such as a malfunctioning server, a surge in legitimate traffic, or even a broken cable. That’s why you cannot simply rely on manual observations, and instead should leverage a traffic analysis tool to detect distributed denial-of-service attacks.
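As an added example (not part of the original article), here is a small Python traffic-analysis check of the kind the paragraph above recommends: it parses web server access-log lines in Common Log Format and separates a DDoS from a legitimate surge by looking at requests per second together with requests per client. The log lines, client addresses and thresholds are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_line(line):
    """Return (client_ip, unix_second, path), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path, _status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, int(when.timestamp()), path

def analyze(lines, rps_threshold=50.0, per_client_threshold=20.0):
    """Classify a log window. Thresholds are illustrative assumptions; tune
    them against the baseline traffic of the service being protected."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {"verdict": "no data"}
    secs = [r[1] for r in recs]
    span = max(secs) - min(secs) + 1            # window length in seconds
    by_ip = Counter(r[0] for r in recs)
    by_path = Counter(r[2] for r in recs)
    rps = len(recs) / span
    per_client = len(recs) / len(by_ip)         # a bot hammers; a person browses
    top_path, hits = by_path.most_common(1)[0]
    if rps >= rps_threshold and per_client >= per_client_threshold:
        verdict = "likely DDoS"
    elif rps >= rps_threshold:
        verdict = "traffic surge"               # many clients, few requests each
    else:
        verdict = "normal"
    return {"rps": rps, "clients": len(by_ip), "per_client": per_client,
            "top_path": top_path, "top_path_share": hits / len(recs),
            "verdict": verdict}

def constructed_log(ips, per_ip, path, status=200):
    """Build constructed CLF lines, spread evenly over a 10-second window."""
    lines = []
    for i, ip in enumerate(ips):
        for k in range(per_ip):
            sec = (i * per_ip + k) % 10
            lines.append(f'{ip} - - [16/Aug/2021:10:00:{sec:02d} +0000] '
                         f'"POST {path} HTTP/1.1" {status} 512')
    return lines
```

Running `analyze(constructed_log(["203.0.113.1"], 500, "/login", 401))` against five such bots yields "likely DDoS", while 200 constructed users sending three requests each over the same window yields "traffic surge".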

DDoS Mitigation and Protection

DDoS mitigation and defense requires a multi-pronged approach – no single tool can guarantee complete protection from all types of DDoS attacks. Below are a few basic tools to add to your arsenal:

Risk Assessment:

Companies should employ a proactive approach when protecting against DDoS attacks. The first step is to be aware of all your company’s vulnerabilities and strengths. Conduct risk assessments on all your digital assets (i.e. networks, servers, devices, software) to be prepared with the best mitigation plan when the time comes.

Web Application Firewall (WAF):

A WAF is like a checkpoint for web applications in that it’s used to monitor incoming HTTP traffic requests and filter out malicious traffic. When an application-layer DDoS attack is detected, WAF policies can be quickly changed to limit the rate of requests and block the malicious traffic by updating your Access Control List (ACL).

Security information and event management (SIEM):

A SIEM is a tool that pulls data from every corner of an environment and aggregates it in a single centralized interface, providing visibility into malicious activity that can be used to qualify alerts, create reports and support incident response.

Content Delivery Networks/Load Balancers:

CDNs and load balancers can be used to mitigate the risk of server overload and the subsequent performance/availability issues by automatically distributing traffic influxes across multiple servers.

Blackhole Routing:

During blackhole routing, the network administrator pushes all traffic, whether good or bad, through a black hole route. The goal is to drop ALL traffic from the network, which comes with the downside of losing legitimate traffic and potentially some business.

Rate Limiting:

Limit the number of service requests your network receives and accepts in a given period of time. Rate limiting alone is usually not enough to stop more sophisticated DDoS attacks, so it should be employed alongside other mitigation strategies.
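As an added example, not the article's own code, here is a per-client token-bucket rate limiter in Python of the kind a WAF or reverse proxy applies (it illustrates both the WAF and the rate-limiting points above): it allows short bursts, throttles sustained floods, and evicts idle clients so that the limiter's own state table cannot be exhausted. The rate, burst size and client address are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float   # requests this client may still make right now
    last: float     # clock reading at the last refill

class RateLimiter:
    """Token bucket per client: `rate` req/s sustained, bursts up to `burst`."""
    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self.buckets = {}                       # client address -> Bucket

    def allow(self, client):
        now = self.clock()
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(self.burst, now)
        # Refill in proportion to elapsed time, never above the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens < 1.0:
            return False                        # over the limit: 429 or drop
        b.tokens -= 1.0
        return True

    def evict_idle(self, idle_seconds):
        """Forget clients idle longer than idle_seconds; without this a flood
        from spoofed or rotating addresses grows the table without bound."""
        now = self.clock()
        stale = [c for c, b in self.buckets.items() if now - b.last > idle_seconds]
        for c in stale:
            del self.buckets[c]
        return len(stale)

def simulate(rate, burst, n, interval):
    """Send n requests from one constructed client `interval` s apart; return how many pass."""
    t = [0.0]                                   # fake clock, advanced by hand
    limiter = RateLimiter(rate, burst, lambda: t[0])
    accepted = 0
    for _ in range(n):
        if limiter.allow("203.0.113.9"):        # constructed client address
            accepted += 1
        t[0] += interval
    return accepted
```

With a sustained rate of 2 req/s and a burst of 4, a client firing 20 requests every 0.25 s gets 13 through (the burst plus the refill), while a client sending one request per second is never throttled.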