What Is A DDoS Attack?


DDoS Meaning: What Is A DDoS Attack?

A distributed denial-of-service (DDoS) attack occurs when multiple machines operate together against one target, disrupting the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

DDoS allows for exponentially more requests to be sent to the target, therefore increasing the attack power. It also increases the difficulty of attribution, as the true source of the attack is harder to identify.

DDoS attacks can be devastating to an online business, which is why understanding how they work and how to mitigate them quickly is critical.

Motivations for carrying out a DDoS vary widely, as do the types of individuals and organizations who execute DDoS attacks. Some attacks are carried out by disgruntled individuals and hacktivists wanting to take down a company's servers simply to make a statement, have fun by exploiting a weakness, or express disapproval.

Other distributed denial-of-service attacks are financially motivated, such as a competitor disrupting or shutting down another business's online operations to steal business away in the meantime. Others involve extortion, in which perpetrators attack a company and install ransomware on its servers, then demand a large sum of money for the damage to be reversed.

How Does a DDoS Attack Work?

A DDoS attack aims to overwhelm the devices, services, and network of its intended target with fake internet traffic, rendering them inaccessible to or useless for legitimate users.

While a simple denial-of-service attack involves one “attack” computer and one victim, a DDoS relies on an army of infected or “bot” computers able to carry out tasks simultaneously. These botnets, groups of hijacked internet-connected devices, are capable of executing large-scale attacks. Attackers take advantage of security vulnerabilities or device weaknesses to control numerous devices using command-and-control software. Once in control, an attacker can command their botnet to conduct a DDoS attack on a target. In this case, the infected devices are also victims of the attack.

Botnets—made up of compromised devices—may also be rented out to other potential attackers. Often the botnet is made available to “attack-for-hire” services, which allow unskilled users to launch DDoS attacks.

In a DDoS attack, cybercriminals take advantage of normal behavior that occurs between network devices and servers, often targeting the network devices that establish a connection to the internet. Therefore, attackers focus on the edge network devices (e.g., routers, switches), rather than individual servers. A DDoS attack overwhelms the network’s pipe (its bandwidth) or the devices that provide that bandwidth.


How To Identify A DDoS Attack?

The best way to detect and identify a DDoS attack is through network traffic monitoring and analysis. Network traffic can be monitored via a firewall or intrusion detection system. An administrator may even set up rules that raise an alert when an anomalous traffic load is detected and identify the source of the traffic, or that drop network packets meeting certain criteria.

Symptoms of a DoS attack can resemble non-malicious availability issues, such as technical problems with a particular network or a system administrator performing maintenance. However, the following symptoms could indicate a DoS or DDoS attack:

  • Unusually slow network performance
  • Unavailability of a particular network service and/or website
  • An inability to access any website
  • An IP address makes an unusually large number of requests in a limited timespan
  • Server responds with a 503 error due to a service outage
  • Log analysis indicates a large spike in network traffic
  • Odd traffic patterns, such as spikes at unusual hours of the day or other patterns that are out of the ordinary
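The symptoms in the list above can be checked mechanically against a web server's access log. The following script is an added example, not code from Radware's page: it constructs a small synthetic access log (ten quiet minutes from four addresses, then one minute in which a single address sends 600 requests and the server starts answering 503), parses the lines in the common Apache/nginx "combined" format, and reports the three log-visible symptoms: an address making an unusually large number of requests in a short window, a minute whose volume spikes far above the median, and a burst of 503 responses. The thresholds (100 requests per address per minute, a spike factor of 5) are illustrative assumptions, and the sample data is constructed, not captured traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Matches the fields of the Apache/nginx "combined" log format we care about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def _line(ip, minute, second, status):
    """Format one constructed access-log line (synthetic data, not captured traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:{minute:02d}:{second:02d} +0000] '
            f'"GET /login HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


def build_sample_log():
    """Ten quiet minutes of 12 requests each from four addresses, plus one minute
    in which a single address sends 600 requests and the server begins returning 503."""
    lines = []
    normal_ips = [f'203.0.113.{i}' for i in range(1, 5)]   # constructed client addresses
    for minute in range(50, 60):
        for i in range(12):
            lines.append(_line(normal_ips[i % 4], minute, (i * 5) % 60, 200))
        if minute == 55:
            for i in range(600):                            # constructed flood source
                lines.append(_line('198.51.100.5', minute, i % 60, 503 if i >= 400 else 200))
    return lines


def parse_line(line):
    """Extract client IP, timestamp and status code; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {'ip': m['ip'],
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'status': int(m['status'])}


def analyze(lines, per_ip_threshold=100, spike_factor=5.0):
    """Bucket requests per minute and report the symptoms listed above:
    one address making an unusually large number of requests, minutes whose
    total volume is far above the median minute, and the count of 503 responses."""
    per_minute = defaultdict(Counter)      # minute -> Counter of requests per client IP
    count_503 = 0
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        per_minute[rec['ts'].replace(second=0)][rec['ip']] += 1
        if rec['status'] == 503:
            count_503 += 1

    # Symptom: a single address with an unusually large request count in one minute.
    noisy_ips = sorted({ip for c in per_minute.values()
                        for ip, n in c.items() if n >= per_ip_threshold})

    # Symptom: a minute whose total volume spikes well above the typical minute.
    # The median of the window is a stand-in for a proper historical baseline.
    totals = {m: sum(c.values()) for m, c in per_minute.items()}
    baseline = median(totals.values()) if totals else 0
    spike_minutes = sorted(m.strftime('%H:%M') for m, t in totals.items()
                           if baseline and t >= spike_factor * baseline)

    return {'total': total, 'count_503': count_503, 'noisy_ips': noisy_ips,
            'spike_minutes': spike_minutes, 'baseline_per_minute': baseline}


if __name__ == '__main__':
    print(analyze(build_sample_log()))
```

In practice the baseline should come from historical traffic for the same hour and weekday rather than from the window being inspected, and a single noisy address is only suggestive: a distributed attack spreads its requests across many sources, so the per-minute total and the 503 rate are the more reliable signals.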

Main Types of DDoS Attacks

DDoS and network-layer attacks are as diverse as they are sophisticated. Due to the growing array of online marketplaces, it is now possible for attackers to execute DDoS attacks with little to no knowledge of networks and cyberattacks. Attack tools and services are easy to access, making the pool of possible assaults larger than ever.

Here are four of the most common, and sophisticated, DDoS attacks currently targeting organizations.

Application, Layer-7 DDoS Attacks

Application-layer DoS attacks aim at resource exhaustion, using the well-known Hypertext Transfer Protocol (HTTP) as well as HTTPS, SMTP, FTP, VoIP and other application protocols whose weaknesses can be exploited for denial of service. Much like attacks targeting network resources, attacks targeting application resources come in a variety of flavors, including floods and “low and slow” attacks.


Volumetric or Volume-Based Attacks

Volumetric and reflection/amplification attacks take advantage of the disparity between request and response sizes in certain protocols. The attackers send packets to reflector servers with the source IP address spoofed to the victim’s IP, so that the reflectors indirectly overwhelm the victim with their response packets. At high rates, these responses have generated some of the largest volumetric DDoS attacks to date. A common example is a reflective DNS amplification attack.
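From the victim's side, reflected traffic has a recognizable shape: large UDP responses arriving from a service port (DNS on port 53 in the page's example) that no recent outbound query from the victim explains. The script below is an added example, not code from Radware's page. It works over constructed flow records (a legitimate query/response pair to the victim's own resolver, then 50 open resolvers each delivering a 3,000-byte answer the victim never requested), matches inbound responses to pending outbound queries, flags the unmatched ones, and reports how many reflectors are involved and how much traffic they deliver. The victim address, the resolver addresses, the byte sizes and the five-second matching window are all assumptions made for the example.

```python
from collections import Counter, namedtuple

# One simplified flow record as an edge device might export it (constructed format).
Flow = namedtuple('Flow', 'ts direction proto src_ip src_port dst_ip dst_port bytes')

VICTIM = '192.0.2.10'      # constructed: the protected address
REFLECTOR_PORTS = {53}     # DNS, the page's example; extend with other UDP services you rely on


def build_sample_flows():
    """Constructed flow records seen at the victim's edge (not captured traffic)."""
    flows = [
        # Legitimate: the victim queries its resolver and receives one answer back.
        Flow(1.0, 'out', 'udp', VICTIM, 40001, '198.51.100.53', 53, 60),
        Flow(1.1, 'in', 'udp', '198.51.100.53', 53, VICTIM, 40001, 1200),
    ]
    # Reflection: 50 open resolvers each deliver a large answer to a query the
    # victim never sent (the spoofed request came from the attacker).
    for i in range(50):
        flows.append(Flow(2.0 + i * 0.01, 'in', 'udp',
                          f'203.0.113.{i + 1}', 53, VICTIM, 5000 + i, 3000))
    return flows


def analyze_flows(flows, window=5.0):
    """Pair inbound UDP responses from reflector ports with the outbound query that
    explains them. Returns (unsolicited_responses, matched_pairs), where each matched
    pair is (request_bytes, response_bytes)."""
    pending = {}        # (server_ip, server_port, client_port) -> outbound query flow
    unsolicited = []
    matched = []
    for f in sorted(flows, key=lambda rec: rec.ts):
        if f.proto != 'udp':
            continue
        if f.direction == 'out' and f.dst_port in REFLECTOR_PORTS:
            pending[(f.dst_ip, f.dst_port, f.src_port)] = f
        elif f.direction == 'in' and f.src_port in REFLECTOR_PORTS:
            req = pending.pop((f.src_ip, f.src_port, f.dst_port), None)
            if req is None or f.ts - req.ts > window:
                unsolicited.append(f)           # nobody here asked for this answer
            else:
                matched.append((req.bytes, f.bytes))
    return unsolicited, matched


def summarize(unsolicited, matched):
    """Aggregate the unsolicited responses per reflector and report the
    response-to-request size ratio observed on the legitimate exchanges."""
    by_reflector = Counter()
    for f in unsolicited:
        by_reflector[f.src_ip] += f.bytes
    ratios = [resp / req for req, resp in matched if req]
    return {
        'responses': len(unsolicited),
        'bytes': sum(by_reflector.values()),
        'reflectors': len(by_reflector),
        'legit_amplification': max(ratios) if ratios else 0.0,
    }


if __name__ == '__main__':
    unsolicited, matched = analyze_flows(build_sample_flows())
    print(summarize(unsolicited, matched))
```

The response-to-request ratio on the legitimate exchange illustrates the disparity the text describes: every byte of spoofed request becomes many bytes of response aimed at the victim, which is why the reflector count and total bytes, not the packet count alone, are the figures to pass to an upstream provider when asking for filtering.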


SSL/TLS And Encrypted Attacks

Attackers use SSL/TLS protocols to mask and further complicate attack traffic in both network- and application-level threats. Many security solutions use a passive engine for SSL/TLS attack protection, meaning they cannot effectively differentiate encrypted attack traffic from encrypted legitimate traffic and can only limit the rate of requests.

Stopping assaults like these requires DDoS mitigation that combines automated, machine-learning-based detection and mitigation capabilities with comprehensive protection for any infrastructure: on-premises, private cloud and public cloud.

Web DDoS Tsunami Attack

Web DDoS Tsunami attacks combine application layer attack vectors, leveraging new tools to create sophisticated attacks that are harder—and sometimes impossible—to detect and mitigate with traditional methods.

How To Prevent DDoS Attacks

There are several key capabilities organizations should consider in order to mitigate DDoS attacks, ensure service availability and minimize false positives. Leveraging behavioral-based technologies, understanding the pros and cons of different DDoS deployment options and having the ability to mitigate an array of DDoS attack vectors are essential to preventing DDoS attacks.

The following capabilities are critical to preventing DDoS attacks:

Automation

With today's dynamic and automated DDoS attacks, organizations do not want to rely on manual protection. A service that requires no customer intervention and automates the full attack lifecycle (data collection, attack detection, traffic diversion and attack mitigation) ensures better quality protection.

Behavioral-Based Protection

A DDoS mitigation solution that blocks attacks without impacting legitimate traffic is key. Solutions that leverage machine-learning and behavioral-based algorithms to understand what constitutes legitimate behavior and automatically block malicious attacks are critical. This increases protection accuracy and minimizes false positives.

Scrubbing Capacity and Global Network

DDoS attacks are increasing in quantity, severity, complexity and persistence. To withstand large volumetric or simultaneous assaults, cloud DDoS services should provide a robust, global security network that scales to several Tbps of mitigation capacity, with dedicated scrubbing centers separating clean traffic from DDoS attack traffic.

Multiple Deployment Options

Flexibility of deployment models is crucial so an organization can tailor its DDoS mitigation service to suit its needs, budget, network topology and threat profile. The appropriate deployment model – hybrid, on-demand or always-on cloud protection – will vary based on network topology, application hosting environments and sensitivity to delays and latency.

Comprehensive Protection Against An Array Of Attack Vectors

The threat landscape is constantly evolving. A DDoS mitigation solution that offers the widest protection, is not limited to network-layer attack protection, and includes protection against the aforementioned attack vectors is crucial.

How To Mitigate DDoS Attacks

There are several important steps and measures an organization can follow to mitigate a DDoS attack. These include timely communication with both internal stakeholders and third-party providers, attack analysis, activation of basic countermeasures (such as rate limiting) and more advanced DDoS mitigation protection, and assessment of how well the defenses perform.

Here are five steps to follow to mitigate a DDoS attack.

Step 1: Alert Key Stakeholders

Alert key stakeholders within the organization of the attack and steps that are being taken to mitigate it.

Examples of key stakeholders include the CISO, the security operations center (SOC), the IT director, operations managers, business managers of affected services, etc. Keep the alert concise but informative.

Key information should include:

  • What is happening
  • When the attack started
  • Which assets (applications, services, servers, etc.) are being impacted
  • Impact to users and customers
  • What steps are being taken to mitigate the attack

Step 2: Notify Your Security Provider

You will also want to alert your security provider and initiate steps on their end to help mitigate the attack.

Your security provider could be your internet service provider (ISP), web hosting provider or a dedicated security service. Each vendor type has different capabilities and scope of service. Your ISP might help you minimize the amount of malicious network traffic reaching your network, whereas your web hosting provider might help you minimize application impact and scale your service accordingly. Likewise, security services will usually have dedicated tools for dealing with DDoS attacks.

Even if you don’t already have a predefined agreement for service, or are not subscribed to their DDoS protection offering, you should nonetheless reach out to them to see how they can assist.

Step 3: Activate Countermeasures

If you already have anti-DDoS countermeasures in place, activate them. Ideally, these countermeasures will initiate immediately when an attack is detected. However, in some cases, certain tools, such as out-of-path hardware devices or manually activated, on-demand mitigation services, might require the customer to initiate them manually.

One approach is to implement IP-based access control lists (ACLs) to block all traffic coming from attack sources. This is done at the network router level and can usually be accomplished by either your network team or your ISP. This is a useful approach if the attack is coming from a single source or a small number of attack sources. However, if the attack is coming from a large pool of IP addresses, this approach might not help.

If the target of the attack is an application or a web-based service, you could limit the number of concurrent application connections. This approach is known as rate limiting and is frequently favored by web hosting providers and CDNs. Note that this approach is prone to a high degree of false positives because it cannot distinguish between malicious and legitimate user traffic.
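The two basic countermeasures just described, and the trade-off between them, can be seen in a small simulation. The code below is an added example, not Radware's, and models both controls in pure Python: a router-style ACL that drops everything from listed prefixes before any further processing, followed by a per-source sliding-window rate limiter. It then runs three constructed traffic patterns through the pair: a flood from an address inside the ACL'd prefix (stopped by the ACL alone), a flood from an unlisted address (absorbed by the limiter), and 40 legitimate users sharing one NAT address who each send a single request in the same second. The last case shows the false positive the text warns about: half of those users are turned away because the limiter only sees one source address. All addresses, prefixes and thresholds are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict, deque


class AccessControlList:
    """Router-style deny list: drop any packet whose source falls inside a listed prefix."""

    def __init__(self, denied_prefixes):
        self.denied = [ipaddress.ip_network(p) for p in denied_prefixes]

    def denies(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.denied)


class SlidingWindowLimiter:
    """Per-source limiter: accept at most max_requests from one address in any
    window_seconds span; everything beyond that is refused until the window moves."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)   # client_ip -> timestamps of accepted requests

    def allow(self, client_ip, now):
        q = self.history[client_ip]
        while q and now - q[0] >= self.window:   # forget requests outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def filter_request(acl, limiter, client_ip, now):
    """Apply the ACL first (cheap, done at the edge), then the limiter."""
    if acl.denies(client_ip):
        return 'acl_drop'
    return 'allow' if limiter.allow(client_ip, now) else 'rate_limited'


def simulate():
    """Run three constructed traffic patterns through ACL + limiter and tally outcomes."""
    acl = AccessControlList(['198.51.100.0/24'])             # assumed: known attack prefix
    limiter = SlidingWindowLimiter(max_requests=20, window_seconds=1.0)
    outcomes = defaultdict(Counter)

    # 1) Flood from inside the ACL'd prefix: dropped before the limiter ever sees it.
    for i in range(500):
        outcomes['acl_flood'][filter_request(acl, limiter, '198.51.100.5', i / 500)] += 1

    # 2) Flood from an unlisted address: the limiter admits only the first 20 per second.
    for i in range(500):
        outcomes['unlisted_flood'][filter_request(acl, limiter, '192.0.2.77', i / 500)] += 1

    # 3) 40 legitimate users behind one NAT address, one request each in the same
    #    second: indistinguishable from a small flood, so half of them are refused.
    for i in range(40):
        outcomes['nat_office'][filter_request(acl, limiter, '203.0.113.1', i / 40)] += 1

    return {name: dict(c) for name, c in outcomes.items()}


if __name__ == '__main__':
    for name, tally in simulate().items():
        print(f'{name}: {tally}')
```

The ACL works because the source is known and narrow; the limiter works against any source but cannot tell a busy office from a bot, which is why the text calls it prone to false positives and why dedicated behavioral protection, which judges request patterns rather than counts alone, is the next step up.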

Dedicated DDoS protection tools will give you the widest coverage against DDoS attacks. DDoS protection measures can be deployed either as an appliance in your data center, as a cloud-based scrubbing service, or as a hybrid solution combining a hardware device and a cloud service.

Step 4: Monitor Attack Progression

Throughout the attack, monitor the progression of the attack to see how it develops. This should include:

  • What type of DDoS attack is it? Is it a network-level flood or an application-layer attack?
  • What are the attack characteristics? How large is the attack, both in terms of bits-per-second and of packets-per-second?
  • Is the attack coming from a single IP source or multiple sources? Can you identify them?
  • What does the attack pattern look like? Is it a single sustained flood or a burst attack? Does it involve a single protocol or multiple attack vectors?
  • Are the targets of the attack staying the same or are attackers changing their targets over time?

Tracking attack progression will also help you tune your defenses to stop it.

Step 5: Assess Defense Performance

Finally, as the attack develops and countermeasures are activated, assess their effectiveness.

Your security vendor should provide a service level agreement document that commits to their service obligations. Check that they’re meeting their SLAs and whether there is an impact to your operations. If they’re not, or are not able to stop the attack at all, now is the time to assess whether you need to make an emergency change to your service.
