How a DDoS Attack Works: History, Mitigation and Remediation


Distributed Denial of Service (DDoS). The words and the letters themselves create foreboding. Whatever it is, it is bad. Hackers do it, it causes damage, and only IT pros seemingly know what it is.

What’s the Difference Between DoS and DDoS?

Before DDoS, there was DoS, a simple, single-pronged denial of service attack. As hackers became more able, they launched widespread, or distributed, attacks aimed at crippling a swath of systems.

What is the First Known DDoS Attack?

The first known Distributed Denial of Service attack was launched way back in 1996, when one of the original ISPs, Panix, was crippled by a SYN flood where hackers initiate a connection and never complete it, leaving the system or server hanging.

How Does a DDoS Attack Happen?

Ironically, DDoS generally uses an attack to launch an attack.

“Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks leverage stolen computing power from infected endpoints to flood target networks and web applications with malicious or spurious traffic. By consuming available network bandwidth or server resources, DoS attacks disrupt the online operations of target organizations. These attacks reduce the amount of computing resources available to legitimate end users and can cause massive economic and reputation impact,” said the Protecting From DDoS Attacks webpage. “In general, any organization that has a significant online presence — such as finance, retail, healthcare, entertainment and technology companies — are likely targets. DDoS attackers have typically focused on infrastructure (network and session) level attacks, but application-centric attacks are becoming more common.”

DDoS Attacks Hit All Sizes, Including Microsoft, Google and AWS

The big tech players all have security tools as part of their product line, and all have decades of IT experience. But they regularly fall victim to cyberattacks, including DDoS. The main advantage is that these vendors excel at DDoS remediation.

Case in point is Microsoft, which in late 2021 mitigated the largest DDoS attack in history aimed at an Azure customer.

In early 2020, cloud giant Amazon Web Services (AWS) was struck by a huge DDoS attack and, as with Microsoft, it targeted a web services client. The Connectionless Lightweight Directory Access Protocol (CLDAP) attack went after CLDAP servers, hitting the AWS client with up to 70 times the normal amount of traffic. The attack went on for a full three days.

Years earlier, Google was hit with what was at the time the largest DDoS attack in history. In 2017, a state-sponsored Chinese cybercriminal organization bombarded Google’s cloud business with massive gobs of traffic from four Chinese ISPs. “The DDoS attack lasted over a six-month campaign, peaking to 2.5Tbps in traffic,” PC Mag reported. Despite a massive 2.5Tbps DDoS attack, Google reported no negative impact thanks to deft DDoS mitigation and DDoS remediation.

DDoS Attacks Only Expected to Increase

DDoS is over 25 years old and shows no signs of abating. In fact, the opposite is true. Nexusguard’s 2020 Threat Report shows in the first quarter of 2020, DDoS attacks increased by more than 278% compared to the previous year’s quarter, and over 542% compared to the previous quarter.

DDoS Has Become Simple

Like most any IT attack, hackers no longer must invent exploits. Instead, they can reuse and sometimes tweak the work of others. Many attacks are available as a service, just like your Office 365 subscription — except it’s sinister.

This approach has made launching DDoS attacks easy as pie — and cheap. The Dark Web Price Index 2020 found that a distributed denial-of-service (DDoS) attack sells for around $10 per hour or $60 for 24 hours.

DDoS Attacks Can Cost Big Money

IT downtime costs serious bucks, and DDoS is no exception. Gartner pegs the average cost of downtime for a small- to medium-sized (SME) business at $5,600 per minute, and higher for larger enterprises.

How Do You Catch a DDoS Attacker?

How do you catch a DDoS perpetrator? In most cases, you don’t. In fact, the success rate of finding and punishing a hacker is 0.05% in the US, the World Economic Forum’s Global Risks Report finds.

What Happens in a DDoS Attack?

DDoS is a simple but brutish concept.

“The basic method employed is to flood servers with so many requests or data packets that they can’t cope, and therefore fail to provide a service to any legitimate users. In recent years, more sophisticated attacks that target specific applications or protocols have also emerged. The attacks often use compromised clients and servers on the internet to generate the requests. Increasingly there are also attacks using hijacked Internet of Things (IoT) devices as many of the current wave of IoT devices have very poor security protection,” explained the Distributed Denial of Service (DDoS) webpage. “DDoS attacks can be targeted at several layers of the network stack. The original kind of attack operated at the infrastructure layer, or layers 2 to 4 in OSI network stack terms. These are the traditional flood-the-network type of attacks that simply overwhelm the servers providing services.”

What are the Types of DDoS Attacks?

While there are countless DDoS approaches, we’ll focus on six main types:

Infrastructure (Network & Session) Layer Attacks

Infrastructure layer DDoS attacks work at OSI layers 2-4 and bombard the network with junk traffic until systems such as servers become unavailable.

SYN Flood Attack

The attacker floods the server with connection requests (SYNs) and never completes the handshake, leaving many half-open TCP connections. The server exhausts its resources because it must retain state for each of these pending, malicious connections. The result is a system failure or complete crash.
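As an added illustration (not code from the original post or from Kemp), the following compares a classic server that keeps one backlog entry per half-open connection with the SYN-cookie mitigation (D. J. Bernstein's scheme, used by Linux and BSD), where the server encodes the pending state into the SYN-ACK sequence number instead of storing it. The secret, addresses and ports are constructed for the demo.

```python
import hashlib
import hmac

# Added illustration of SYN cookies (D. J. Bernstein's scheme, used by Linux and BSD),
# not Kemp/LoadMaster code. The server encodes the half-open state into the SYN-ACK
# sequence number instead of storing it, so uncompleted handshakes cost no memory.
SECRET = b"constructed-demo-secret"       # constructed; a real server rotates this
MSS_TABLE = [536, 1300, 1440, 1460]       # MSS choices encodable in 3 bits
MAX_AGE_UNITS = 2                         # reject cookies older than 2 x 64 seconds


def _mac(src, sport, dst, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now):
    """SYN-ACK sequence number: 5-bit time counter | 3-bit MSS index | 24-bit MAC."""
    counter = int(now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack, now):
    """Validate the handshake-completing ACK (ack == cookie + 1). Returns MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((int(now // 64) & 0x1F) - counter) & 0x1F > MAX_AGE_UNITS:
        return None                       # stale cookie
    if (cookie & 0xFFFFFF) != _mac(src, sport, dst, dport, counter):
        return None                       # forged, or replayed from another 4-tuple
    return MSS_TABLE[mss_idx]


def flood_then_legit(backlog, flood_syns, now=1_000_000):
    """Flood both server styles with SYNs that never complete, then admit one real client.
    Returns (stateful_server_has_room, cookie_server_accepts)."""
    half_open = set()                     # classic server: one entry per half-open connection
    for i in range(flood_syns):           # spoofed sources whose final ACK never arrives
        if len(half_open) < backlog:
            half_open.add(("203.0.113.%d" % (i % 256), 1024 + i))
        make_cookie("203.0.113.%d" % (i % 256), 1024 + i, "198.51.100.10", 443, 1460, now)
    stateful_ok = len(half_open) < backlog
    cookie = make_cookie("192.0.2.7", 40000, "198.51.100.10", 443, 1460, now)
    cookie_ok = check_cookie("192.0.2.7", 40000, "198.51.100.10", 443, cookie + 1, now + 3)
    return stateful_ok, cookie_ok is not None
```

With a backlog of 128 and ten thousand flood SYNs, the stateful server has no room left for the real client while the cookie server still completes its handshake.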

TCP Reset Attack

With this attack, hackers listen in on the TCP connections of the target, then send a fake TCP RESET packet causing the target to inadvertently terminate the TCP connection.

ICMP Attack

Here the “attacker broadcasts a large number of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP to the network. Most devices on the network will (by default) respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer will be flooded with traffic,” explained Kemp’s Protecting From DDoS Attacks page. “This can slow down the victim’s computer to the point where it becomes impossible to work. ICMP datagrams can also be used to start an attack via ping. Attackers use the ping command to construct oversized ICMP datagrams to launch the attack.”

UDP Storm Attack

A UDP Storm impairs a host’s services, thus slowing or congesting network traffic. These attacks rely on connections established by hackers between two UDP services, causing both to produce a huge number (or storm) of packets.

Application Layer Attacks

Application layer DDoS attacks operate at Layer 7 and overload a website or application, ultimately taking the site down or crashing the application. These attacks account for a large share of DDoS activity. Meanwhile, attack scripts that go after open proxies on the Internet make these application-based DDoS attacks easier to launch.

How Can I Prevent a DDoS Attack?

IT has largely implemented protections against infrastructure-layer DDoS attacks. As a result, hackers have simply moved up the stack, attacking the upper layers of the network such as the application layer.

While application layer attacks are harder to ward off, Progress Kemp LoadMaster, an application delivery controller, load balancer, and security tool all in one, is a big help. In fact, LoadMaster has been designed to extend DDoS protection to the application layer.

How to Identify a DDoS Attack: LoadMaster vs. DDoS

LoadMaster addresses DDoS and other cyberattacks by tracking and analyzing network metrics and communicating these to IT pros via an event-based UI and critical alerts that stand out in a noisy daily alert environment. Metrics include configuration changes, transactions per second, and apps with the largest volume of TCP connections. All this can point to a DDoS attack and narrow down the attack surface.

Say IT notices a surge in connections to an application. Even more telling, end users are complaining that some applications are down. With LoadMaster, illegitimate traffic is blocked while IT is alerted so immediate action can be taken.
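The surge detection described above, as an added example that is not LoadMaster's own detector: each application's open TCP connection count is compared with its recent baseline, and a sample far above that baseline raises an alert. The per-second samples are constructed for the demo.

```python
import statistics
from collections import defaultdict, deque

# Added example, not LoadMaster's implementation: flag an application whose
# TCP connection count jumps far above its recent baseline. Input rows are
# constructed per-second samples of (timestamp, app, open TCP connections).
WINDOW = 10          # baseline length in samples
MIN_STDEV = 5.0      # floor so a perfectly flat baseline does not alarm on tiny changes
ZSCORE_LIMIT = 4.0   # how many deviations above baseline counts as a surge


def detect_surges(samples, window=WINDOW, z_limit=ZSCORE_LIMIT):
    """Return [(timestamp, app, connections, zscore)] for samples that exceed baseline."""
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for ts, app, conns in samples:
        base = history[app]
        if len(base) == window:                      # only judge against a full baseline
            mean = statistics.fmean(base)
            stdev = max(statistics.pstdev(base), MIN_STDEV)
            z = (conns - mean) / stdev
            if z > z_limit:
                alerts.append((ts, app, conns, round(z, 1)))
                continue                             # keep attack samples out of the baseline
        base.append(conns)
    return alerts


def constructed_samples():
    """Twenty seconds of normal traffic for two apps, then a surge against 'shop'."""
    rows = []
    for t in range(20):
        rows.append((t, "shop", 200 + (t % 3) * 4))  # 200..208, normal jitter
        rows.append((t, "intranet", 40 + (t % 2)))
    for t in range(20, 25):
        rows.append((t, "shop", 5000 + t * 300))     # connection surge on one app only
        rows.append((t, "intranet", 40 + (t % 2)))
    return rows


if __name__ == "__main__":
    for alert in detect_surges(constructed_samples()):
        print("ALERT t=%d app=%s connections=%d z=%.1f" % alert)
```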

Early detection of a DDoS attack can make a monumental difference in having the least negative impact on your network — and more importantly, your business. LoadMaster helps you block illegitimate traffic and stay on top of threats.

Layered Protection Against DDoS Attacks with LoadMaster

Let’s look more deeply into adding DDoS protection with LoadMaster. The first layer of protection is to block traffic from known malicious sources based on their IP address. LoadMaster maintains a list of malicious IP addresses updated regularly and will drop connection requests from these IP addresses before they reach the application servers. As newly compromised endpoints are constantly appearing, this list will not catch all traffic, but it can be amended by administrators to further reduce malicious traffic.

LoadMaster can also block all known IP addresses from specific countries, further minimizing the risk of a cyberattack. The IP reputation controls, which are what we call IP blocking, can be applied to LoadMaster’s global server load balancing (GSLB) feature, where DNS requests from malicious actors are ignored. This feature set can also be applied to the cloud load balancing appliance.
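As an added example of the layered filter just described (not LoadMaster's implementation), the policy below evaluates a source address against an administrator allowlist, a vendor reputation feed plus administrator additions, and a country block, and the same decision is reused for GSLB DNS queries. The feed, the country table and all addresses are constructed.

```python
import ipaddress

# Added example of the layered IP-reputation filter, not LoadMaster's code.
# The feed and country table are constructed; a real deployment loads a
# vendor-updated reputation list and a GeoIP database.
REPUTATION_FEED = ["203.0.113.0/24", "198.51.100.77/32"]    # vendor-updated list
ADMIN_BLOCKS = ["192.0.2.0/25"]                               # added by administrators
ADMIN_ALLOW = ["192.0.2.10/32"]                               # explicit exception
BLOCKED_COUNTRIES = {"XX"}                                    # constructed country code
GEO_TABLE = {"192.0.2.128/25": "XX", "2001:db8::/32": "YY"}   # prefix -> country


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


class IpReputationFilter:
    def __init__(self, feed, admin_blocks, admin_allow, blocked_countries, geo_table):
        self.allow = _nets(admin_allow)
        self.block = _nets(feed) + _nets(admin_blocks)  # feed first, then admin amendments
        self.blocked_countries = blocked_countries
        self.geo = {ipaddress.ip_network(p): cc for p, cc in geo_table.items()}

    def country(self, ip):
        return next((cc for net, cc in self.geo.items() if ip in net), None)

    def decide(self, src):
        """Return (action, reason); 'drop' never reaches the application servers."""
        ip = ipaddress.ip_address(src)
        if any(ip in n for n in self.allow):
            return "allow", "admin allowlist"
        if any(ip in n for n in self.block):
            return "drop", "reputation/admin blocklist"
        cc = self.country(ip)
        if cc in self.blocked_countries:
            return "drop", f"country {cc} blocked"
        return "allow", "no match"

    def gslb_answer(self, src, records):
        """GSLB front end: same policy on DNS queries; blocked sources get no answer."""
        return records if self.decide(src)[0] == "allow" else None


def default_filter():
    return IpReputationFilter(REPUTATION_FEED, ADMIN_BLOCKS, ADMIN_ALLOW,
                              BLOCKED_COUNTRIES, GEO_TABLE)
```

The allowlist is checked first so an administrator can exempt one host inside a blocked range without editing the feed.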

Talk with a technical expert about how to protect your organization from DDoS attacks and learn how layered security can benefit your network and applications.


Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug has also served as Executive Editor of Network World, Editor in Chief of AmigaWorld and Editor in Chief of Network Computing.