
Distributed Denial-of-Service (DDoS) Attacks Explained

A distributed denial-of-service (DDoS) attack is an attempt by malicious actors to render a service or a system (e.g. a server, a network resource, or even a specific transaction) unavailable by flooding the resource with requests.

What Is the Purpose of a DDoS Attack?

The purpose of a DDoS attack is to disrupt an organization's ability to serve its users. The motivations behind a DDoS attack are as varied as they are for any other type of cyber attack:

  • competitor sabotage
  • insider revenge
  • nation-state activities
  • mayhem/chaos

What Is the Difference Between a DOS Attack and a DDoS Attack?

DDoS attacks are launched from multiple systems, while DoS (denial-of-service) attacks originate from just one system. DDoS attacks are faster and harder to block than DoS attacks. DoS attacks are easier to block because there is only one attacking machine to identify.

Why Are DDoS Attacks a Growing Threat?

DDoS attacks are rocketing in number. Despite a dip in 2018 when the FBI shut down the largest DDoS-for-hire sites on the dark web, DDoS attacks increased by 151% in the first half of 2020.

In some countries, DDoS attacks can represent up to 25% of total internet traffic during an attack.

Driving this escalation is the adoption of the Internet of Things (IoT). Most IoT devices lack built-in security controls. Because IoT devices are numerous and often deployed without being subjected to security testing and controls, they are susceptible to being hijacked into IoT botnets.

Another growing point of weakness is APIs, or application programming interfaces. APIs are small pieces of code that let different systems share data. For example, a travel site that publishes airline schedules uses APIs to get that data from the airlines’ sites onto the travel site’s web pages. “Public” APIs, which are available for anyone’s use, may be poorly protected. Typical vulnerabilities include weak authentication checks, inadequate endpoint security, lack of robust encryption, and flawed business logic.

How Does a DDoS Attack Work?

It is impossible to discuss DDoS attacks without discussing botnets. A botnet is a network of computers infected with malware that enables malicious actors to control the computers remotely. These botnets are behind the “distributed” nature of a DDoS attack because they may be located anywhere and belong to anyone. Innocent owners of infected computers may never know their systems are part of a botnet. Botnets are highly accessible: they can be rented on the dark web, come with toolkits and distribution networks, and cost less than $50/month.

Types of DDoS Attacks

DDoS attacks can be classed in various ways, but it’s common to group them into three types:

1. Volumetric attacks

Botnets send massive amounts of bogus traffic to a resource. This type of attack may use ping floods, spoofed-packet floods, or UDP floods. A volume-based attack is measured in bits per second (bps).

2. Network layer attacks

Network-layer attacks send large numbers of packets to a target. Typical network layer attacks include smurf attacks and SYN floods. A network layer attack does not require an open TCP connection and does not target a specific port. A network layer attack is measured in packets per second (PPS).

3. Application layer attacks

Application layer attacks exploit common requests such as HTTP GET and HTTP POST. These attacks impact both server and network resources, so the same disruptive effect of other types of DDoS attacks can be achieved with less bandwidth. Distinguishing between legitimate and malicious traffic in this layer is difficult because the traffic is not spoofed and so it appears normal. An application layer attack is measured in requests per second (RPS).

While most attacks are volume-based, there are also “low and slow” DDoS attacks that elude detection by sending small, steady streams of requests that can degrade performance unobserved for long periods of time. Low and slow attacks target thread-based web servers and cause data to be transmitted to legitimate users very slowly but not quite slowly enough to cause a time-out error. Some tools used in low and slow attacks include Slowloris, R.U.D.Y., and Sockstress.

What Are the Signs of a DDoS Attack?

Victims of DDoS attacks usually notice that their network, website, or device is running slowly or is not providing service. However, these symptoms are not unique to DDoS attacks – they can be caused by many things, such as a malfunctioning server, a surge in legitimate traffic, or even a broken cable. That is why you cannot rely on manual observation alone and should instead use a traffic analysis tool to detect distributed denial-of-service attacks.
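The kind of check a traffic analysis tool performs, as an added example that is not part of the original article: it buckets constructed web-server access-log lines per second, flags seconds whose request rate exceeds a baseline, and labels each flagged second as distributed (many sources) or single-source, which is the DoS-versus-DDoS distinction drawn earlier. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed Common Log Format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the parsed fields plus a one-second bucket key, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ")[0]   # '10/Oct/2023:13:55:36 +0000' -> '10/Oct/2023:13:55:36'
    return rec

def analyze(lines, baseline_rps=10, distributed_sources=20):
    """Flag each second above baseline_rps and say whether the load came from one host or many."""
    per_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[rec["second"]].append(rec["ip"])
    findings = []
    for sec in sorted(per_second):
        ips = per_second[sec]
        rps = len(ips)
        if rps <= baseline_rps:
            continue
        top_ip, top_n = Counter(ips).most_common(1)[0]
        sources = len(set(ips))
        findings.append({
            "second": sec, "rps": rps, "sources": sources,
            "kind": "distributed" if sources >= distributed_sources else "single-source",
            "top_ip": top_ip, "top_share": top_n / rps,
        })
    return findings

def make_sample():
    """Constructed log (assumed addresses): three quiet seconds, then a 50-host burst, then a one-host burst."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /login HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"198.51.100.{i}", s=s) for s in range(30, 33) for i in range(5)]
    for i in range(50):                                    # second :33, 50 hosts x 2 requests each
        lines += [fmt.format(ip=f"203.0.113.{i}", s=33)] * 2
    lines += [fmt.format(ip="192.0.2.9", s=34)] * 80       # second :34, one host, 80 requests
    return lines

if __name__ == "__main__":
    for finding in analyze(make_sample()):
        print(finding)
```

A real deployment would set the baseline from the site's own normal traffic and look at several seconds in a row rather than a single bucket.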

DDoS Defense Tools

DDoS defense requires a multi-pronged approach – no single tool can guarantee complete protection from all types of DDoS attacks. Below are a few basic tools to add to your arsenal:

Web Application Firewall (WAF): A WAF acts as a checkpoint for web applications: it monitors incoming HTTP requests and filters out malicious traffic. When an application-layer DDoS attack is detected, WAF policies can be quickly changed to limit the rate of requests and block the malicious traffic by updating your Access Control List (ACL).
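What the rate-limiting rule described above does at the request level, as an added example not taken from any WAF product: a per-client sliding window that, once a client exceeds the limit, puts its address on a temporary block list the way an ACL update would. The limit, window, block duration and addresses are assumptions.

```python
from collections import defaultdict, deque

class RequestRateGuard:
    """Sliding-window rate limit per client plus a temporary block, i.e. a rule of the form
    'more than `limit` requests in `window` seconds -> deny that client for `block_seconds`'."""

    def __init__(self, limit=100, window=10.0, block_seconds=300.0):
        self.limit, self.window, self.block_seconds = limit, window, block_seconds
        self.history = defaultdict(deque)   # ip -> timestamps of recently allowed requests
        self.acl_block = {}                 # ip -> time at which its block expires

    def allow(self, ip, now):
        """Return True if the request at time `now` should be passed on to the application."""
        expires = self.acl_block.get(ip)
        if expires is not None:
            if now < expires:
                return False                # still on the block list
            del self.acl_block[ip]          # block has expired: start the client with a clean window
            self.history[ip].clear()
        recent = self.history[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # drop timestamps that have fallen out of the window
        if len(recent) >= self.limit:
            self.acl_block[ip] = now + self.block_seconds
            recent.clear()
            return False
        recent.append(now)
        return True

def simulate(guard, ip, rate_per_second, seconds, start=0.0):
    """Constructed traffic: evenly spaced requests from one client; returns (allowed, denied)."""
    allowed = denied = 0
    for i in range(int(rate_per_second * seconds)):
        if guard.allow(ip, start + i / rate_per_second):
            allowed += 1
        else:
            denied += 1
    return allowed, denied

if __name__ == "__main__":
    guard = RequestRateGuard()
    print("normal client:", simulate(guard, "203.0.113.1", 5, 60))   # stays under the limit
    print("flooding client:", simulate(guard, "192.0.2.7", 50, 5))   # blocked after 100 requests
```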

Security information and event management (SIEM): A SIEM is a tool that pulls data from every corner of an environment and aggregates it in a single centralized interface, providing visibility into malicious activity that can be used to qualify alerts, create reports and support incident response.

CDN/Load Balancers: Content Delivery Networks (CDNs) and load balancers can be used to mitigate the risk of server overload and the resulting performance and availability issues by automatically distributing traffic influxes across multiple servers.