What is a DDoS Attack? | A Radware Minute
A distributed denial-of-service (DDoS) attack occurs when multiple machines operate together against one target, disrupting the normal traffic of a server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS allows for exponentially more requests to be sent to the target, therefore increasing the attack power. It also increases the difficulty of attribution, as the true source of the attack is harder to identify.
DDoS attacks can be devastating to an online business, which is why understanding how they work and how to mitigate them quickly is critical.
Motivations for carrying out a DDoS vary widely, as do the types of individuals and organizations who execute DDoS attacks. Some attacks are carried out by disgruntled individuals and hacktivists wanting to take down a company's servers simply to make a statement, have fun by exploiting a weakness, or express disapproval.
Other distributed denial-of-service attacks are financially motivated, such as a competitor disrupting or shutting down another business's online operations to steal business away in the meantime. Others involve extortion, in which perpetrators attack a company and install ransomware on its servers, then force it to pay a large financial sum for the damage to be reversed.
A DDoS attack aims to overwhelm the devices, services, and network of its intended target with fake internet traffic, rendering them inaccessible to or useless for legitimate users.
While a simple denial-of-service attack involves one "attack" computer and one victim, a DDoS relies on an army of infected or "bot" computers able to carry out tasks simultaneously. These botnets (groups of hijacked internet-connected devices) are capable of executing large-scale attacks. Attackers take advantage of security vulnerabilities or device weaknesses to control numerous devices using command and control software. Once in control, an attacker can command their botnet to conduct a DDoS attack on a target. In this case, the infected devices are also victims of the attack.
Botnets—made up of compromised devices—may also be rented out to other potential attackers. Often the botnet is made available to “attack-for-hire” services, which allow unskilled users to launch DDoS attacks.
In a DDoS attack, cybercriminals take advantage of normal behavior that occurs between network devices and servers, often targeting the network devices that establish a connection to the internet. Therefore, attackers focus on the edge network devices (e.g., routers, switches) rather than individual servers. A DDoS attack overwhelms the network's pipe (its bandwidth) or the devices that provide that bandwidth.
The best way to detect and identify a DDoS attack is through network traffic monitoring and analysis. Network traffic can be monitored via a firewall or intrusion detection system. An administrator can also set up rules that raise an alert when an anomalous traffic load is detected, identify the source of that traffic, or drop network packets that meet certain criteria.
Symptoms of a DoS attack can resemble non-malicious availability issues, such as technical problems with a particular network or a system administrator performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:
- Unusually slow network performance
- Unavailability of a particular network service and/or website
- An inability to access any website
- An IP address makes an unusually large number of requests in a limited timespan
- Server responds with a 503 error due to a service outage
- Log analysis indicates a large spike in network traffic
- Odd traffic patterns, such as spikes at unusual hours of the day
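Several of the symptoms above (one address making an unusual number of requests, a spike in overall load, a run of 503 responses) can be checked directly from web-server logs. The following is an added example, not code from Radware or this page, that runs those three checks over constructed access-log lines in common log format; the thresholds and the sample addresses are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
# Constructed access-log lines (RFC 5737 test addresses): ordinary traffic for a
# few seconds, then one second in which 203.0.113.7 hammers /search and gets 503s.
NORMAL = """\
198.51.100.2 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.3 - - [10/Oct/2023:13:55:00 +0000] "GET /login HTTP/1.1" 200 420
198.51.100.2 - - [10/Oct/2023:13:55:01 +0000] "GET /cart HTTP/1.1" 200 640
198.51.100.4 - - [10/Oct/2023:13:55:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.3 - - [10/Oct/2023:13:55:03 +0000] "GET /cart HTTP/1.1" 200 640"""
FLOOD = "\n".join(
    f'203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /search?q={i} HTTP/1.1" 503 0'
    for i in range(40))
SAMPLE_LOG = NORMAL + "\n" + FLOOD
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_log(text):
    """Return [(epoch_second, client_ip, status)]; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            entries.append((int(ts.timestamp()), m.group(1), int(m.group(3))))
    return entries

def noisy_clients(entries, window=1, threshold=20):
    """IPs exceeding `threshold` requests in any `window`-second bucket -> peak count."""
    buckets = defaultdict(Counter)
    for ts, ip, _ in entries:
        buckets[ts // window][ip] += 1
    peaks = {}
    for counts in buckets.values():
        for ip, n in counts.items():
            if n > threshold:
                peaks[ip] = max(n, peaks.get(ip, 0))
    return peaks

def spike_buckets(entries, window=1, factor=5.0):
    """Buckets whose total load exceeds `factor` times the median bucket load."""
    load = Counter(ts // window for ts, _, _ in entries)
    baseline = statistics.median(load.values()) if load else 0
    return {b * window: n for b, n in load.items() if n > factor * baseline}

def error_share(entries, status=503):
    """Fraction of responses carrying `status`, the service-outage symptom."""
    return sum(1 for _, _, s in entries if s == status) / len(entries) if entries else 0.0
```

Median-based baselining keeps the flood second itself from inflating the baseline it is compared against; a production version would compare against a longer history rather than the same file.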
Main Types of DDoS Attacks
DDoS and network-layer attacks are as diverse as they are sophisticated. Due to the growing array of online marketplaces, it is now possible for attackers to execute DDoS attacks with little to no knowledge of networks and cyberattacks. Attack tools and services are easy to access, making the pool of possible assaults larger than ever.
Here are four of the most common, and sophisticated, DDoS attacks currently targeting organizations.
Application, Layer-7 DDoS Attacks
Application DoS attacks target resource exhaustion by using the well-known Hypertext Transfer Protocol (HTTP) as well as HTTPS, SMTP, FTP, VOIP and other application protocols that possess exploitable weaknesses, allowing for DoS attacks. Much like attacks targeting network resources, attacks targeting application resources come in a variety of flavors, including floods and “low and slow” attacks.
Volumetric or Volume-Based Attacks
Volumetric and reflection/amplification attacks take advantage of the disparity between request and response sizes in certain protocols. The attackers send packets to reflector servers with the source IP address spoofed to the victim's IP, thereby indirectly overwhelming the victim with the response packets. At high rates, these responses have generated some of the largest volumetric DDoS attacks to date. A common example is a reflective DNS amplification attack.
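The victim of a reflection attack never sees the spoofed requests, only answers from resolvers it never asked. As an added example (not code from Radware or this page), the detector below matches inbound DNS answers against the protected host's own outbound queries over constructed flow records, and reports the packets-per-second and bits-per-second the unmatched answers contribute, the two attack-size figures the monitoring step later on asks for. The addresses, flow tuple layout and matching window are assumptions.

```python
from collections import Counter

PROTECTED = "192.0.2.10"  # host whose inbound traffic is watched (constructed)

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes).
# One genuine query/answer pair, then 50 large answers from 50 resolvers the
# protected host never queried: what the victim of reflection actually sees.
FLOWS = [
    (0.0, PROTECTED, 40123, "198.51.100.53", 53, 60),
    (0.1, "198.51.100.53", 53, PROTECTED, 40123, 120),
] + [
    (1.0 + i * 0.01, f"203.0.113.{i}", 53, PROTECTED, 33333, 3500)
    for i in range(1, 51)
]

def unsolicited_dns_replies(flows, protected=PROTECTED, match_window=5.0):
    """Flag UDP/53 answers to `protected` that no outbound query explains.

    An answer counts as solicited only if `protected` sent a query to that
    resolver from the same source port within `match_window` seconds."""
    pending = {}      # (resolver_ip, client_port) -> time of outbound query
    unsolicited = []  # (time, resolver_ip, bytes)
    for t, src, sport, dst, dport, size in sorted(flows):
        if src == protected and dport == 53:
            pending[(dst, sport)] = t
        elif dst == protected and sport == 53:
            sent = pending.pop((src, dport), None)
            if sent is None or t - sent > match_window:
                unsolicited.append((t, src, size))
    pps, bps = Counter(), Counter()
    for t, _, size in unsolicited:
        pps[int(t)] += 1
        bps[int(t)] += size * 8
    return {
        "replies": len(unsolicited),
        "reflectors": len({src for _, src, _ in unsolicited}),
        "bytes": sum(size for _, _, size in unsolicited),
        "peak_pps": max(pps.values(), default=0),
        "peak_bps": max(bps.values(), default=0),
    }
```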
SSL/TLS And Encrypted Attacks
Attackers use SSL/TLS protocols to mask and further complicate attack traffic in both network and application-level threats. Many security solutions use a passive engine for SSL/TLS attack protection, meaning they cannot effectively differentiate encrypted attack traffic from encrypted legitimate traffic and can only rate-limit requests.
Stopping assaults like these requires DDoS mitigation that combines automated, machine-learning based detection and mitigation capabilities with comprehensive protection for any infrastructure: on premise, private cloud and public cloud.
Web DDoS Tsunami Attack
Web DDoS Tsunami attacks combine application layer attack vectors, leveraging new tools to create sophisticated attacks that are harder—and sometimes impossible—to detect and mitigate with traditional methods.
Organizations should consider several key capabilities to mitigate DDoS attacks, ensure service availability and minimize false positives. Leveraging behavioral-based technologies, understanding the pros and cons of different DDoS deployment options and having the ability to mitigate an array of DDoS attack vectors is essential to preventing DDoS attacks.
The following capabilities are critical to preventing DDoS attacks:
Automation
With today's dynamic and automated DDoS attacks, organizations do not want to rely on manual protection. A service that does not require any customer intervention, with a fully automated attack lifecycle (data collection, attack detection, traffic diversion and attack mitigation), ensures better quality protection.
Behavioral-Based Protection
A DDoS mitigation solution that blocks attacks without impacting legitimate traffic is key. Solutions that leverage machine-learning and behavioral-based algorithms to understand what constitutes legitimate behavior and automatically block malicious attacks are critical. This increases protection accuracy and minimizes false positives.
Scrubbing Capacity and Global Network
DDoS attacks are increasing in quantity, severity, complexity and persistence. If faced with large volumetric or simultaneous assaults, cloud DDoS services should provide a robust, global security network that scales with several Tbps worth of mitigation capacity with dedicated scrubbing centers segregating clean traffic from DDoS attack traffic.
Multiple Deployment Options
Flexibility of deployment models is crucial so an organization can tailor its DDoS mitigation service to suit its needs, budget, network topology and threat profile. The appropriate deployment model – hybrid, on-demand or always-on cloud protection – will vary based on network topology, application hosting environments and sensitivity to delays and latency.
Comprehensive Protection Against An Array Of Attack Vectors
The threat landscape is constantly evolving. A DDoS mitigation solution that offers the widest protection, one that is not limited to network-layer attacks and covers the attack vectors described above, is crucial.
There are several important steps and measures an organization can follow to mitigate a DDoS attack. These include timely communication with both internal stakeholders and third-party providers, attack analysis, activation of basic countermeasures (such as rate limiting) and more advanced DDoS mitigation protection, and assessment of how well the defenses are performing.
Here are five steps to follow to mitigate a DDoS attack.
Step 1: Alert Key Stakeholders
Alert key stakeholders within the organization of the attack and steps that are being taken to mitigate it.
Examples of key stakeholders include the CISO, security operations center (SOC), IT director, operations managers, business managers of affected services, etc. Keep the alert concise but informative.
Key information should include:
- What is happening
- When the attack started
- Which assets (applications, services, servers, etc.) are being impacted
- Impact to users and customers
- What steps are being taken to mitigate the attack
Step 2: Notify Your Security Provider
You will also want to alert your security provider and initiate steps on their end to help mitigate the attack.
Your security provider could be your internet service provider (ISP), web hosting provider or a dedicated security service. Each vendor type has different capabilities and scope of service. Your ISP might help you minimize the amount of malicious network traffic reaching your network, whereas your web hosting provider might help you minimize application impact and scale your service accordingly. Likewise, security services will usually have dedicated tools for dealing with DDoS attacks.
Even if you don’t already have a predefined agreement for service, or are not subscribed to their DDoS protection offering, you should nonetheless reach out to them to see how they can assist.
Step 3: Activate Countermeasures
If you already have anti-DDoS countermeasures in place, activate them. Ideally, these countermeasures will initiate immediately when an attack is detected. However, in some cases, certain tools, such as out-of-path hardware devices or manually-activated, on-demand mitigation services, might require the customer to initiate them manually.
One approach is to implement IP-based access control lists (ACLs) to block all traffic coming from attack sources. This is done at the network router level and can usually be carried out by either your network team or your ISP. It is a useful approach if the attack is coming from a single source or a small number of attack sources. However, if the attack is coming from a large pool of IP addresses, this approach might not help.
If the target of the attack is an application or a web-based service, you could limit the number of concurrent application connections. This approach is known as rate limiting and is frequently favored by web hosting providers and CDNs. Note that this approach is prone to high degrees of false positives because it cannot distinguish between malicious and legitimate user traffic.
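The false-positive caveat is easy to see in a simulation. Below is an added example, not Radware's code or product logic: a per-client token-bucket rate limiter run over constructed traffic in which one attacking address and thirty legitimate users sharing a single NAT address both exceed the limit, so the limiter throttles the NAT users alongside the attacker while a lone ordinary user is untouched. Rates, addresses and timings are assumptions.

```python
from collections import defaultdict

class TokenBucket:
    """Per-client token bucket kept in integer milli-tokens so results are exact.
    Each client may sustain `rate` requests/s and burst up to `burst` at once."""
    def __init__(self, rate, burst):
        self.rate, self.capacity = rate, burst * 1000
        self.tokens = defaultdict(lambda: burst * 1000)  # full bucket for new clients
        self.last_ms = {}

    def allow(self, client, now_ms):
        # Refill proportionally to the time since this client's previous request.
        elapsed = now_ms - self.last_ms.get(client, now_ms)
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        self.last_ms[client] = now_ms
        if self.tokens[client] >= 1000:
            self.tokens[client] -= 1000
            return True
        return False

def run(limiter, requests):
    """requests: iterable of (time_ms, client_ip). Returns {ip: [allowed, dropped]}."""
    outcome = defaultdict(lambda: [0, 0])
    for t, ip in sorted(requests):
        outcome[ip][0 if limiter.allow(ip, t) else 1] += 1
    return dict(outcome)

# Constructed traffic (RFC 5737 test addresses), two seconds long.
ATTACKER, NAT, SOLO = "203.0.113.9", "198.51.100.1", "198.51.100.7"
TRAFFIC = (
    [(i * 10, ATTACKER) for i in range(200)]        # one source at 100 req/s
    + [(u * 30, NAT) for u in range(30)]            # 30 users behind one NAT
    + [(1000 + u * 30, NAT) for u in range(30)]     # address, 1 req/s each
    + [(0, SOLO), (1000, SOLO)]                     # one ordinary user, 1 req/s
)

def demo(rate=10, burst=20):
    """Limit every client to 10 req/s sustained, 20 in a burst."""
    return run(TokenBucket(rate, burst), TRAFFIC)
```

The attacker loses most of its requests, but so do the NAT users, which is why rate limiting alone is a blunt instrument and behavioral detection is needed to separate the two.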
Dedicated DDoS protection tools will give you the widest coverage against DDoS attacks. DDoS protection measures can be deployed either as an appliance in your data center, as a cloud-based scrubbing service, or as a hybrid solution combining a hardware device and a cloud service.
Step 4: Monitor Attack Progression
Throughout the attack, monitor the progression of the attack to see how it develops. This should include:
- What type of DDoS attack is it? Is it a network-level flood or an application-layer attack?
- What are the attack characteristics? How large is the attack, both in terms of bits-per-second and of packets-per-second?
- Is the attack coming from a single IP source or multiple sources? Can you identify them?
- What does the attack pattern look like? Is it a single sustained flood or a burst attack? Does it involve a single protocol or multiple attack vectors?
- Are the targets of the attack staying the same or are attackers changing their targets over time?
Tracking attack progression will also help you tune your defenses to stop it.
Step 5: Assess Defense Performance
Finally, as the attack develops and countermeasures are activated, assess their effectiveness.
Your security vendor should provide a service level agreement (SLA) document that specifies their service obligations. Check whether they are meeting their SLAs and whether there is an impact to your operations. If they are not, or are not able to stop the attack at all, now is the time to assess whether you need to make an emergency change to your service.