What Is a DDoS Attack?
A DDoS attack is a type of cyberattack that is designed to prevent legitimate access to a website or application hosted on the web. DDoS is an acronym for Distributed Denial of Service. As this name implies, the cybercriminals controlling a DDoS attack use multiple devices distributed over the Internet to mount the attack. This is in contrast to a Denial of Service (DoS) attack, in which a single source is used to attack a system. DDoS attacks are now much more common than DoS attacks due to several factors that make them easy to mount.
A DDoS attack aims to flood the attacked service with so many access requests, or so much network traffic, that the servers hosting the targeted website or application cannot respond to them all. This prevents legitimate user requests from being serviced, and the site appears to be unreachable as access requests time out.
Many analogies have been proposed to explain DDoS attacks. None of them conveys the sheer volume of network traffic and requests that a DDoS attack entails, but they are useful for explaining the implications of a DDoS attack to anyone non-technical. Multiple callers to a mobile phone number is a helpful analogy. If a single person repeatedly called your number and prevented others from getting through to you, this would be like a simple DoS attack. However, if someone posted your number on Facebook and said you had a valuable item for sale very cheaply, then hundreds or thousands of callers trying to reach you would be the analogue of a DDoS attack, as most of the callers would get an engaged tone.
DDoS attacks have increased in number and scale in the last few years. They are now a core part of the IT security threat landscape that all IT teams need to consider. A report by TechRepublic showed a 967% increase in DDoS attacks larger than 100Gbps from Q1 2018 to Q1 2019, plus the largest attack volume recorded increased by 70% to 587Gbps. This trend has continued into 2020, with early research showing a further increase in both the number and size of DDoS attacks.
How are DDoS Attacks Carried Out?
As the term distributed in DDoS implies, the attacks are carried out from multiple devices spread over the Internet. A common method to mount DDoS attacks is to use a botnet army of compromised machines and devices to send requests or network traffic, at the same time, to disrupt the operation of the target system. The devices that make up the botnet army are usually servers or PCs that have been infected with malware, or they are poorly secured Internet of Things (IoT) devices with a vulnerability that allows them to be hijacked.
Types of DDoS Attack
DDoS attacks use multiple techniques to disrupt websites and applications. All of them typically fall into three main groups:
- Volumetric attacks - these generate large amounts of network traffic that consume all of the available bandwidth that the targeted system has on its Internet connection. Attacks of this type occur at Layer 3 (Network Layer) of the OSI model stack.
- Protocol attacks - this attack method sends an overwhelming number of requests to a critical service that is running on the target network devices. These mostly occur at Layer 3 and Layer 4 (Transport Layer) of the OSI stack. Examples of protocol DDoS attack methods include:
  - SYN Flood attack - uses the TCP handshake protocol to tie up a receiving server with half-open connections until they time out.
  - TCP Reset attack - fake TCP RESET commands are sent to the server, causing it to drop its TCP connections.
  - ICMP attack - a forged ICMP message is sent with the target server as the return IP address. When devices respond, they overwhelm the attacked server.
  - UDP Storm attack - UDP does not require a handshake as TCP does. When an attacker sends a UDP request for a service on a random UDP port that doesn't exist, the server responds with a destination unreachable message. Flood the server with these bogus requests and it will get overwhelmed responding to them.
  - Reflected DNS attack - uses spoofed IP addresses in requests sent to DNS servers so that the DNS servers return a large amount of data to the attacked server. The DNS responses are reflected to the attacked server rather than to the initiator of the request.
  - Reflected NTP attack - uses the same method as the reflected DNS attack but uses time servers to overwhelm the target servers.
- Application layer attacks - these target applications and services that are operating at Layer 7 (Application Layer) of the OSI stack. These types of attacks target the functionality of a website or application. Examples include:
  - GET flood attack - the URLs for applications or services are requested over and over again. This prevents legitimate access requests from being handled.
  - POST flood attack - the reverse of a GET flood attack. Instead of lots of requests to read from the server, a POST flood attack continuously sends requests to write data to the server, again preventing legitimate requests from being processed.
  - Low and Slow attacks - attacks that take time to slowly use up the resources being served at the application layer. Over time they grab and don't release access slots. Eventually, no remaining resources are available for legitimate use. The slow nature of these attacks is designed to make them hard to detect. Slowloris is an example of this type of attack (although technically it might not be a DDoS attack, as it can be mounted from a single source over a long time).
Most DDoS attackers will use a mix of the available methods. A reported 2019 attack on a large bank used six different attack methods at once. It is also possible to mount DDoS attacks without any technical knowledge, as services exist on the dark web to purchase DDoS time and bandwidth for very low costs. DDoS as a Service is unfortunately a reality today.
What is the Purpose of a DDoS attack?
The reasons DDoS attacks are mounted fall into a few headline categories:
- Financial - the attackers are looking for some financial gain, either by being paid by someone to mount the attack (DDoS as a Service) or by extorting the targeted organization and demanding that a ransom be paid to stop the attack.
- Deflection - often a DDoS attack is designed to distract IT and security staff so that another type of cyberattack, such as installing malware or running a phishing campaign, can be performed under its cover.
- Ideological or political - often DDoS attacks target organizations that the attackers disagree with for ideological or political reasons. This is often grouped in with other forms of hacktivism.
- Industrial espionage - DDoS attacks to disrupt competitors. This can be as simple as taking a popular web store down for a while to allow a competitor to gain sales.
- State-sponsored - many state actors use DDoS and other cyberattack methods to target the government, infrastructure, and commerce of countries with which they have disagreements.
Protecting Against DDoS Attacks
Protecting against DDoS attacks and dealing with them when they occur will vary depending on the network infrastructure in place in an organization. A common framework includes the four steps below:
- Early detection - it is vital to have systems and tools in place that can detect the abnormal activity associated with a DDoS attack as soon as possible.
- Diversion - any DDoS traffic detected needs to be diverted to a sinkhole where it can be dropped. This should be transparent on the network without the legitimate users having their work affected.
- Filtering - the removal of DDoS traffic at multiple points on the network to prevent it reaching target servers and disrupting them.
- Analysis - a review of all the data about a DDoS attack and how the response handled it, followed by updates to systems and procedures to plug any gaps in defenses.
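The early-detection step above, applied to the GET flood described under Application layer attacks, can be illustrated with a small script (an added example, not Kemp's code or part of the original post). It parses constructed access-log lines in combined log format and flags any source IP whose GET rate exceeds a threshold within a sliding time window; the IP addresses, paths, window and threshold are all assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def find_flooders(lines, window=5, threshold=20):
    """Sliding-window rate check over time-ordered log lines.
    Returns {ip: peak GET count seen in any `window`-second span} for IPs
    that exceeded `threshold`; legitimate low-rate clients are not listed."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window):   # drop expired entries
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def build_sample_log():
    """Constructed sample traffic (not real data): two users at one request per
    3 seconds, plus one assumed flooding IP sending 10 GETs/second for 5 seconds."""
    base = datetime(2020, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for s in range(0, 30, 3):
        for ip in ("198.51.100.7", "198.51.100.8"):
            events.append((base + timedelta(seconds=s), ip, "/index.html"))
    for tenth in range(50):
        events.append((base + timedelta(seconds=10, milliseconds=100 * tenth),
                       "203.0.113.10", "/search"))
    events.sort()
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    return [fmt.format(ip=ip, ts=ts.strftime(TS_FMT), path=path) for ts, ip, path in events]

if __name__ == "__main__":
    print(find_flooders(build_sample_log()))
```

In practice the threshold would be set from the site's observed baseline, and the flagged addresses fed to the diversion and filtering steps rather than acted on by hand.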
Deploying Kemp LoadMaster to provide load balancer and application delivery functionality on your network means you also have access to functionality that can help mitigate DDoS attacks. At the Network Layer, LoadMaster can help prevent many of the common types of DDoS attack, including SYN Flood Attacks, TCP Reset Attacks, ICMP Attacks, UDP Storm Attacks, and Reflected Request (DNS/NTP) Attacks.
Application Layer attacks are hard to prevent with traditional edge security devices such as firewalls. This is because firewalls typically don't have any awareness of the data payload contained in network packets. LoadMaster can inspect data packets at the Application Layer and so is ideally suited to the prevention of Application Layer attacks. Any data packets that contain malicious or suspicious content can be dropped at the LoadMaster and will never reach the application servers to disrupt them. LoadMaster can protect applications from the main types of Application Layer attack, such as GET Floods, POST Floods, and Slowloris attacks.
Kemp 360 Vision can also be used to provide the early detection of abnormal network activity due to a DDoS attack.