What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack occurs when an attacker or attackers attempt to make it impossible to provide a service. This can be achieved by preventing access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, a single system sends the malicious data or requests; a DDoS attack originates from multiple systems at once.
Typically, these attacks work by flooding a system with requests for data. That could mean sending a web server so many requests to serve a page that it crashes under the load, or a database being hit with a high volume of queries. The result is that the available Internet bandwidth, CPU and RAM capacity are exhausted.
The impact can range from a minor annoyance from interrupted services to entire websites, applications, or even an entire business being taken offline.
How do DDoS attacks work?
DDoS botnets are at the heart of any DDoS attack. A botnet consists of hundreds or thousands of machines, called zombies or bots, that a malicious hacker has taken control of. Attackers build these botnets by identifying vulnerable systems that they can infect with malware through phishing, malicious advertising and other mass infection techniques. Infected machines can range from ordinary home or office PCs to IoT devices – the notorious Mirai botnet amassed an army of hacked CCTV cameras – and their owners are almost certainly unaware they’ve been compromised, as the machines continue to operate normally in most respects.
Infected machines wait for a remote command from a so-called command and control server, which serves as the command center for the attack and is often a hacked machine itself. Once triggered, the bots all attempt to access a resource or service that the victim makes available online. Individually, the requests and network traffic directed by each bot at the victim would be harmless and normal. But because there are so many of them, the requests often exceed the capacity of the target system, and because the bots are usually ordinary computers widely distributed across the Internet, it can be difficult, if not impossible, to block their traffic without cutting off legitimate users at the same time.
There are three main classes of DDoS attacks, distinguished primarily by the type of traffic they direct to victim systems:
- Volume-based attacks use massive amounts of fake traffic to overwhelm a resource such as a website or server. These include ICMP, UDP, and spoofed-packet floods. The size of a volume-based attack is measured in bits per second (bps).
- Protocol or network-layer attacks send large numbers of packets to targeted network infrastructure and infrastructure management tools. These include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).
- Application-layer attacks flood applications with maliciously crafted requests. Their size is measured in requests per second (RPS).
Important techniques used in all types of DDoS attacks include:
- Spoofing: An attacker is said to spoof an IP packet when they modify or obscure information in its header that should indicate where it came from. Because the victim cannot see the packet’s true source, they cannot block attacks from that source.
- Reflection: The attacker can craft a packet with a spoofed source IP address so that it appears to come from the intended victim, then send that packet to a third-party system, which “responds” to the victim. This makes it even harder for the target to figure out where an attack is really coming from.
- Amplification: Some online services respond to a small request with a very large packet or with multiple packets, so each reflected request produces far more traffic at the victim than the attacker had to send.
These three techniques can be combined in what is known as a reflection/amplification DDoS attack, which has become increasingly common.
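The defender’s view of a reflection/amplification attack is inbound traffic from well-known UDP services that the protected network never asked for, or replies far larger than the requests it did send. The following is an added example, not code from the article: it runs that check over a handful of constructed, simplified flow records (the `dir`/`peer`/`port`/`pkts`/`bytes` field names are hypothetical), flagging reflector-port traffic with no matching outbound request or with a reply-to-request byte ratio above a threshold.

```python
"""Flag reflected/amplified UDP traffic in flow records (added example).

Input: simplified unidirectional flow records, constructed here, each a
dict with the direction relative to our network, the peer IP, the peer's
UDP port, and packet/byte counts. Field names are hypothetical.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (well-known port numbers).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample: one legitimate DNS exchange, two unsolicited floods
# from reflector ports, and ordinary inbound HTTPS traffic.
FLOWS = [
    {"dir": "out", "peer": "198.51.100.10", "port": 53,   "pkts": 2,    "bytes": 140},
    {"dir": "in",  "peer": "198.51.100.10", "port": 53,   "pkts": 2,    "bytes": 600},
    {"dir": "in",  "peer": "203.0.113.7",   "port": 123,  "pkts": 4000, "bytes": 1_960_000},
    {"dir": "in",  "peer": "203.0.113.9",   "port": 1900, "pkts": 3500, "bytes": 1_200_000},
    {"dir": "in",  "peer": "192.0.2.44",    "port": 443,  "pkts": 50,   "bytes": 70_000},
]


def find_reflected(flows, min_ratio=10.0):
    """Return suspicious (peer, service, inbound_bytes, ratio) tuples.

    Inbound traffic from a reflector port is suspicious when we never sent
    a matching request (ratio is infinite) or when the reply volume exceeds
    our request volume by more than min_ratio. Results are sorted by
    inbound byte volume, largest first.
    """
    out_bytes = defaultdict(int)
    in_bytes = defaultdict(int)
    for f in flows:
        key = (f["peer"], f["port"])
        if f["dir"] == "out":
            out_bytes[key] += f["bytes"]
        else:
            in_bytes[key] += f["bytes"]

    findings = []
    for (peer, port), received in in_bytes.items():
        service = REFLECTOR_PORTS.get(port)
        if service is None:
            continue  # not a reflector port; out of scope for this check
        sent = out_bytes.get((peer, port), 0)
        ratio = received / sent if sent else float("inf")
        if ratio > min_ratio:
            findings.append((peer, service, received, ratio))
    return sorted(findings, key=lambda x: x[2], reverse=True)


if __name__ == "__main__":
    for peer, service, received, ratio in find_reflected(FLOWS):
        print(f"{service:>9} reflection from {peer}: {received} bytes in, ratio {ratio}")
```

The legitimate DNS reply (600 bytes back for 140 sent) stays below the default ratio and is not reported; with a lower `min_ratio` it would be, which is why the threshold should be tuned against the network’s normal resolver traffic before alerting on it.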
How to Identify DDoS Attacks
DDoS attacks can be difficult to diagnose. After all, the attack superficially looks like a stream of legitimate requests from legitimate users. But there are ways to distinguish the artificial traffic of a DDoS attack from the more “natural” traffic you’d expect from a real user. Here are four DDoS attack symptoms to watch for:
- Despite spoofing or distribution techniques, many DDoS attacks will come from a restricted range of IP addresses or from a single country or region, perhaps a region from which you don’t typically see much traffic.
- Likewise, you may notice that all the traffic is coming from the same type of client, with the same operating system and web browser showing up in its HTTP requests, instead of the diversity you’d expect from real visitors.
- Traffic can concentrate on a single server, network port, or web page, rather than being spread evenly across your site.
- Traffic could come in regularly timed waves or patterns.
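The four symptoms above can be scored directly from a web server’s access log. The script below is an added example, not part of the article: it parses combined-format log lines (the twelve lines are constructed sample data), measures how concentrated the traffic is by source /24, user agent and requested path, and the peak requests per second, then names the symptoms whose indicator crosses a threshold. The thresholds (`share_threshold`, `baseline_rps`) are illustrative assumptions and would be tuned to a site’s own baseline.

```python
"""Score HTTP access logs against four DDoS symptoms (added example).

Input is Apache/nginx combined log format. The log lines are constructed
sample data; the thresholds are illustrative assumptions.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

BOT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def _line(ip, sec, path, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2023:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


SAMPLE_LOG = [
    # nine requests from one /24, one user agent, one page, three per second
    *[_line(f"203.0.113.{i}", 1 + (i - 1) // 3, "/login", BOT_UA) for i in range(1, 10)],
    # three ordinary-looking visitors with different clients and pages
    _line("198.51.100.5", 1, "/index.html", "Mozilla/5.0 (X11; Linux) Firefox/118.0"),
    _line("192.0.2.8", 2, "/about", "Mozilla/5.0 (iPhone) Safari/604.1"),
    _line("192.0.2.9", 5, "/login", "Mozilla/5.0 (Macintosh) Chrome/117.0"),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = d["req"].split()
    d["path"] = parts[1] if len(parts) >= 2 else d["req"]
    return d


def analyze(lines):
    """Return per-symptom indicators for a batch of log lines."""
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    if n == 0:
        return {}
    subnets = Counter(str(ipaddress.ip_network(f'{r["ip"]}/24', strict=False)) for r in recs)
    uas = Counter(r["ua"] for r in recs)
    paths = Counter(r["path"] for r in recs)
    per_second = Counter(r["ts"].replace(microsecond=0) for r in recs)
    return {
        "requests": n,
        "top_subnet": subnets.most_common(1)[0][0],
        "top_subnet_share": subnets.most_common(1)[0][1] / n,
        "distinct_user_agents": len(uas),
        "top_ua_share": uas.most_common(1)[0][1] / n,
        "top_path": paths.most_common(1)[0][0],
        "top_path_share": paths.most_common(1)[0][1] / n,
        "peak_rps": max(per_second.values()),
    }


def symptoms(metrics, share_threshold=0.5, baseline_rps=2):
    """Name the symptoms whose indicator crosses its (assumed) threshold."""
    found = []
    if metrics.get("top_subnet_share", 0) > share_threshold:
        found.append("concentrated source range")
    if metrics.get("top_ua_share", 0) > share_threshold:
        found.append("uniform client type")
    if metrics.get("top_path_share", 0) > share_threshold:
        found.append("single target page")
    if metrics.get("peak_rps", 0) > baseline_rps:
        found.append("burst above baseline")
    return found


if __name__ == "__main__":
    m = analyze(SAMPLE_LOG)
    for k, v in m.items():
        print(f"{k:>22}: {v}")
    print("symptoms:", symptoms(m))
```

Run over a rolling window of real log lines, the same indicators can feed an alert; on their own they are only hints, since a product launch or a link from a busy site also produces a burst to one page.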
How to Stop a DDoS Attack
Mitigating a DDoS attack is difficult because, as stated earlier, the attack takes the form of web traffic of the same type that your legitimate customers use. It would be easy to “stop” a DDoS attack on your website simply by blocking all HTTP requests, and this may indeed be necessary to keep your server from crashing. But it also prevents anyone else from visiting your website, which means the attackers have achieved their goal.
If you can distinguish DDoS traffic from legitimate traffic, as described in the previous section, that can help mitigate the attack while keeping your services at least partially online: for example, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you are not using. Services that may be vulnerable to application-layer attacks can be disabled without affecting your ability to serve web pages.
In general, however, the best way to mitigate DDoS attacks is simply to have the capacity to withstand large amounts of incoming traffic. Depending on your situation, this may mean strengthening your own network or using a content delivery network (CDN), a service designed to absorb huge amounts of traffic. Your network service provider may also have its own mitigation services that you can use.
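One concrete way to keep services “at least partially online” without blocking everyone is to give each client its own request budget, so a source that floods exhausts only its own budget while other visitors keep theirs. The following per-client token-bucket limiter is an added example, not code from the article; the capacity and refill values are assumptions, and the traffic it is run against (one source sending 100 requests in 5 seconds beside a user sending one every 2 seconds) is constructed. Time is kept in integer milliseconds and tokens in thousandths so the arithmetic is exact.

```python
"""Per-client token-bucket rate limiter (added example, not from the article).

Each client IP gets its own bucket: a burst of `capacity` requests is
admitted immediately, after which the client is held to `refill_per_sec`
requests per second. Other clients' buckets are unaffected.
"""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    millitokens: int  # 1000 millitokens = one admitted request
    last_ms: int      # time of the last refill, in milliseconds


@dataclass
class RateLimiter:
    capacity: int = 10          # burst size in requests per client (assumed)
    refill_per_sec: int = 2     # sustained requests/second per client (assumed)
    buckets: dict = field(default_factory=dict)

    def allow(self, client_ip, now_ms):
        """Return True if the request at time `now_ms` is admitted."""
        cap = self.capacity * 1000
        b = self.buckets.get(client_ip)
        if b is None:
            b = Bucket(cap, now_ms)  # a new client starts with a full bucket
            self.buckets[client_ip] = b
        # each elapsed millisecond adds refill_per_sec millitokens;
        # integer arithmetic avoids floating-point drift in the budget
        b.millitokens = min(cap, b.millitokens + (now_ms - b.last_ms) * self.refill_per_sec)
        b.last_ms = now_ms
        if b.millitokens >= 1000:
            b.millitokens -= 1000
            return True
        return False


def simulate(limiter, requests):
    """Replay (time_ms, client_ip) pairs; return {ip: (admitted, dropped)}."""
    stats = {}
    for t, ip in sorted(requests):
        admitted, dropped = stats.get(ip, (0, 0))
        if limiter.allow(ip, t):
            stats[ip] = (admitted + 1, dropped)
        else:
            stats[ip] = (admitted, dropped + 1)
    return stats


# Constructed traffic: one source sends 100 requests at 50 ms intervals;
# an ordinary user sends one request every 2 seconds.
FLOOD = [(i * 50, "203.0.113.7") for i in range(100)]
NORMAL = [(i * 2000, "198.51.100.5") for i in range(3)]


if __name__ == "__main__":
    for ip, (ok, dropped) in simulate(RateLimiter(), FLOOD + NORMAL).items():
        print(f"{ip:>14}: admitted {ok:3d}, dropped {dropped:3d}")
```

With the assumed settings the flooding source gets its 10-request burst plus roughly 2 requests per second thereafter (19 admitted, 81 dropped) while the ordinary user is never throttled. Per-IP limits alone do not stop a widely distributed botnet, where each bot stays under the limit, which is why the article points to capacity and upstream scrubbing as the general answer.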
Reasons for DDoS Attacks
A DDoS is a blunt instrument of an attack. Unlike a successful infiltration, it does not yield any private data and does not give the attacker control of the target’s infrastructure. It simply takes that infrastructure offline. Yet, in a world where a web presence is essential for just about any business, a DDoS attack can be a destructive weapon aimed at an enemy. People may launch DDoS attacks to knock business or political rivals offline – the Mirai botnet was designed as a weapon in a war between Minecraft server providers, and there is evidence that Russian security services were at one point preparing a similar attack. And while a DDoS attack is not the same as a ransomware attack, DDoS attackers will sometimes contact their victims and promise to turn off the packet firehose in exchange for a few Bitcoins.
DDoS Tools: Booters and Stressers
Sometimes DDoS attackers are only in it for the money – not money from you, but from someone who wants to take down your website. Tools called booters and stressers are available in the shadier parts of the internet and essentially provide DDoS-as-a-service to interested customers, offering access to ready-to-use botnets at the click of a button, for a price.
Is DDoS illegal?
You might see an argument that goes something like this: it’s not illegal to send web traffic or requests over the internet to a server, so DDoS attacks, which merely aggregate an overwhelming amount of web traffic, cannot be considered a crime. This is, however, a fundamental misunderstanding of the law. Aside from the fact that hacking a computer into a botnet is illegal in the first place, most cybercrime laws in the US, UK and elsewhere are quite broad and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. Simulating a DDoS attack with the consent of the target organization for the purpose of stress testing its network is, however, legal.
DDoS attacks today
As mentioned briefly above, it is increasingly common for these attacks to be carried out by rented botnets. Expect this trend to continue.
Another trend is the use of multiple attack vectors within a single attack, also known as APDoS (advanced persistent denial-of-service). For example, an APDoS attack can involve the application layer, such as attacks against databases and applications, as well as attacks directly on the server. “It goes beyond just ‘flooding’,” says Chuck Mackey, general manager of partner success at Binary Defense.
Additionally, Mackey explains, attackers often don’t target only their victims directly, but also the organizations their victims rely on, such as ISPs and cloud providers. “These are large-scale, high-impact attacks that are well-coordinated,” he says.
This also changes the impact of DDoS attacks on organizations and increases their risk. “Companies are no longer just concerned with DDoS attacks against themselves, but with attacks against the vast number of business partners, vendors and vendors that these companies rely on,” says cybersecurity attorney Mike Overly at Foley & Lardner LLP. “One of the oldest sayings in security is that a company is only as secure as its weakest link. In the current environment (as evidenced by recent breaches), this weakest link can be, and often is, one of the third parties,” he says.
Copyright © 2022 IDG Communications, Inc.