There’s an endless variety of threats and bad actors lurking online, but few are as elegantly simple, and as diabolically destructive, as the distributed denial-of-service (DDoS) attack. A favorite of hacktivists and script kiddies alike, DDoS attacks have the power to bring multi-billion dollar corporations offline, create massive service interruptions, and cost victims thousands per minute.
In this article, we’ll explain what DDoS attacks are, how they work, and some tips and best practices for detecting and mitigating them.
What is a DDoS Attack?
A distributed denial of service (DDoS) attack is an advanced form of denial of service (DoS) attack that attempts to disable a target website or service by flooding it with a massive volume of fake traffic, thus consuming the target’s upstream bandwidth or overwhelming supporting network infrastructure and taking it offline. These attacks are almost always carried out by botnets: large networks of connected devices (which could be user devices or simple IoT devices) that have been infected with bot malware and are controlled remotely by the attacker.
Essentially, a DDoS attack is a targeted, intentional traffic jam that keeps real users from getting to your business.
DDoS attacks differ from most cyberattacks in that they are not, in and of themselves, an attempt to breach a network or website, and cannot by themselves be leveraged to steal data. The sole purpose of a DDoS attack is to take the target offline.
DDoS attacks are used for a wide variety of reasons: they’re popular with hacktivists who use them as political statements, bored vandals, and even with malicious users, who may use a DDoS to carry out a personal vendetta. They’re also commonly leveraged by sophisticated attackers looking to create a smokescreen to engage and distract the target’s IT team while they infiltrate the security perimeter.
What’s the difference between Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks?
The differences between traditional denial of service (DoS) attacks and distributed denial of service (DDoS) attacks lie in both the scale and the execution of the attack. In a traditional DoS attack, the attacker leverages a single internet connection to send the target large volumes of data in an attempt to use up server resources. The user may carry this task out manually or may leverage a DoS tool, such as Low Orbit Ion Cannon (LOIC), which helps users flood target servers with TCP, UDP, or HTTP packets in order to disrupt service.
Because DoS attacks rely on a single internet connection, they are typically carried out at a much slower pace than DDoS attacks, are much easier to trace, and can easily be mitigated through IP blocking or filtering.
Unlike DoS attacks, DDoS attacks are carried out from many disparate connected devices, often numbering in the thousands, with different IPs and signatures. These attacks work faster, carry a heavier toll, and are much harder to mitigate, due to the volume of devices involved.
What’s the Impact of a DDoS Attack?
The intended and most noticeable effect of a successful DDoS attack is that it takes the targeted service offline, but depending on the severity of the attack, and the nature of the service targeted, the attacks can have massive downstream effects as well.
DDoS attacks can last minutes or take days to resolve, and during that downtime customers and employees alike will be unable to access company resources, resulting in both lost revenue as customers take their business elsewhere, and wasted resources as workers are unable to fulfill their tasks. For certain targets, such as web services, the effects can be even more devastating. For example, in 2016 Dyn, a major domain name service (DNS) provider, was hit with a one terabit per second DDoS attack that knocked its services offline, taking down the websites of multiple high-profile customers such as HBO, Twitter, Reddit, PayPal, Netflix, GitHub, and Airbnb, along with thousands of other customers. Following the attack, Dyn lost approximately 8% of its customer base, about 14,000 customers.
What is a DDoS Botnet?
A botnet is a network of bots made up of hijacked devices that the attacker controls remotely to carry out DDoS attacks. Botnets typically include personal devices like PCs and mobile phones that have been infected with malware, but are increasingly composed of unsecured connected IoT devices, such as smart TVs, appliances, webcams, and even industrial devices. These connected devices make easy targets for hackers, as they typically lack the security protections of personal computers, are rarely patched, and are frequently left with default login credentials.
What are the different kinds of DDoS Attacks?
While all DDoS attacks aim to overload their target with traffic, attackers can leverage the technique to target different components of a network connection for various purposes, and will often cycle through different targets during an attack in order to maximize the effect and evade defensive action.
Most DDoS attacks can be sorted into three categories: application layer attacks, protocol layer attacks, and volumetric attacks.
Application Layer Attacks
Application layer DDoS attacks, also known as layer seven attacks (so-called because they target the seventh layer of the OSI model), target victims with large volumes of application layer protocol requests, such as HTTP, FTP, and DNS requests. These requests are simple to generate but can take significant server resources to respond to. For example, in an HTTP flood-style DDoS attack, the attacker aims to overload the target by sending large volumes of HTTP POST or GET requests that have been tailored to allocate as many resources as possible on the server.
These kinds of attacks can be especially difficult to defend against as they closely resemble normal traffic.
Protocol Layer Attacks
Protocol attacks, also known as state-exhaustion attacks, are DDoS attacks that target the network and transport layers with high volumes of ICMP, SYN, or UDP requests. In a SYN flood attack, for example, the attacker sends a stream of SYN packets to the target system. For each one, the target allocates a half-open connection and replies with a SYN-ACK, expecting the client to complete the handshake. But the client never sends the final ACK, leaving the target with high volumes of “connections” that remain in the half-open state until they time out.
Volumetric Attacks
Volumetric DDoS attacks are simple brute-force attacks aimed at consuming all available bandwidth between the target and the internet. In a volumetric attack, the attacker leverages large botnets to send huge volumes of junk packets that simply overwhelm the target. Hackers will also often leverage amplification techniques, such as DNS amplification, to increase the volume of their attack.
DDoS for Hire Platforms
As we’ve established, DDoS attacks can be pretty devastating, and the barrier to entry for carrying out such an attack can be quite low, but it can always be lower. For would-be hackers who want to carry out DDoS attacks but lack the technical chops, there’s a simple solution: DDoS-for-hire platforms. These quasi-legal platforms go by multiple names: stressers, booters, or sometimes simply ‘DDoSers,’ and will perform DDoS attacks on any target on your behalf, for a price.
How to Detect DDoS Attacks
One of the worst things about DDoS attacks is that victims often don’t realize what’s happening until customers or employees complain that they can’t access the site, and even then, many look internally for server or network problems before realizing the root cause. By then, hours of expensive downtime may have passed by.
In order to effectively mitigate a DDoS attack you need to know when it’s happening and take action immediately. These attacks can be difficult to tell from normal traffic, but there are several key indicators that should be monitored. If you’re experiencing any of the following, you may be under attack:
- High traffic volume originating from a single IP or range of IP addresses.
- An unusually high number of requests to a specific endpoint or page.
- Servers responding with 503 or 500 error status codes.
- TTL time-outs on ping requests.
- A pattern of traffic spikes occurring at regular intervals.
- High traffic from unusual sources or during unusual time frames.
- Issues with website access.
- Unresponsive servers.
- A flood of traffic from an unusual geolocation.
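As an added example (not code from the original article), the following Python script checks a batch of web server access-log lines for three of the indicators listed above: traffic concentrated on a single source IP, requests concentrated on one endpoint, and a high share of 5xx responses. The log lines, the combined-log-style format, and the thresholds are constructed assumptions; a real deployment would derive thresholds from a baseline of normal traffic.

```python
"""Check access-log lines for DDoS indicators (added example, not from the article)."""
import re
from collections import Counter

# Combined-log-format style line: ip ident user [time] "METHOD path proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse(lines):
    """Yield (ip, path, status) for every line that matches the assumed format."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))


def ddos_indicators(lines, ip_share=0.5, path_share=0.8, err_share=0.3, min_requests=10):
    """Return the indicators triggered by this batch of log lines.

    ip_share, path_share and err_share are fractions of total requests. The
    default values are illustrative placeholders, not tuned thresholds.
    """
    ips, paths, errors, total = Counter(), Counter(), 0, 0
    for ip, path, status in parse(lines):
        total += 1
        ips[ip] += 1
        paths[path] += 1
        if status >= 500:
            errors += 1
    findings = []
    if total < min_requests:  # too little traffic to judge
        return findings
    top_ip, n_ip = ips.most_common(1)[0]
    if n_ip / total >= ip_share:
        findings.append(f"single source {top_ip} sent {n_ip}/{total} requests")
    top_path, n_path = paths.most_common(1)[0]
    if n_path / total >= path_share:
        findings.append(f"endpoint {top_path} received {n_path}/{total} requests")
    if errors / total >= err_share:
        findings.append(f"{errors}/{total} responses were 5xx")
    return findings


# Constructed sample: 12 failing requests from one address, 4 normal requests.
SAMPLE = (
    ['203.0.113.9 - - [01/Jan/2024:10:00:%02d +0000] "GET /login HTTP/1.1" 503 0' % i for i in range(12)]
    + ['198.51.100.%d - - [01/Jan/2024:10:00:30 +0000] "GET /about HTTP/1.1" 200 512' % i for i in range(4)]
)

if __name__ == "__main__":
    for finding in ddos_indicators(SAMPLE):
        print("indicator:", finding)
```

On the sample, the single-source and 5xx indicators fire while the endpoint indicator does not (12 of 16 requests to /login is below the 80% threshold), which is the kind of per-indicator judgement a monitoring rule has to make.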
Best Practices for DDoS Mitigation
DDoS attacks are an ever-changing threat, and there’s no silver bullet for preventing them, but there are best practices that you can utilize to make sure you’re prepared and ready to respond in the event of a DDoS assault.
As mentioned above, monitoring your traffic and logs is also an essential first step in identifying and combating DDoS attacks. You can’t fight what you don’t notice, so it’s essential to keep a close eye on your network. Network benchmarking will help you gain a realistic picture of your network’s daily performance so you can quickly and proactively identify security issues and react without losing time.
Finally, it’s key to prepare your team: create a response plan to put defensive procedures in place and test the limits of your infrastructure by simulating attacks.
Once the attack begins, there are a few things you can do to mitigate the ill effects.
One common technique is to create a blackhole route, i.e. a network route that goes nowhere, and funnel bad traffic into it, thus dropping the traffic from the network.
Rate limiting can also help mitigate an attack by limiting the number of requests a server will accept over a certain timeframe, thereby slowing network traffic and relieving overloaded servers.
Finally, a Web Application Firewall (WAF) can be configured to detect and mitigate application layer DDoS attacks by inspecting and filtering traffic based on IP reputation, familiar threat patterns, and predetermined custom rules. However, it’s important to note that WAFs are essentially a static defense that attackers are well-prepared for. A sophisticated attacker will change their attack patterns to overcome this obstacle, so the ability to quickly implement new rules in response is of utmost importance.