DDoS Meaning: What is DDoS?
A distributed denial-of-service (DDoS) attack is a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.
Motivations for carrying out a DDoS vary widely, as do the types of individuals and organizations eager to perpetrate this form of cyberattack. Some attacks are carried out by disgruntled individuals and hacktivists wanting to take down a company's servers simply to make a statement, have fun by exploiting cyber weakness, or express disapproval.
Other distributed denial-of-service attacks are financially motivated, such as a competitor disrupting or shutting down another business's online operations to steal business away in the meantime. Others involve extortion, in which perpetrators attack a company and install hostageware or ransomware on their servers, then force them to pay a large financial sum for the damage to be reversed.
DDoS attacks are on the rise, and even some of the largest global companies are not immune to being "DDoS'ed". The largest attack in history occurred in February 2020 to none other than Amazon Web Services (AWS), overtaking an earlier attack on GitHub two years prior. DDoS ramifications include a drop in legitimate traffic, lost business, and reputation damage.
As the Internet of Things (IoT) continues to proliferate, as do the number of remote employees working from home, and so will the number of devices connected to a network. The security of each IoT device may not necessarily keep up, leaving the network to which it is connected vulnerable to attack. As such, the importance of DDoS protection and mitigation is crucial.
How DDoS Attacks Work
A DDoS attack aims to overwhelm the devices, services, and network of its intended target with fake internet traffic, rendering them inaccessible to or useless for legitimate users.
DoS vs. DDoS
DDoS is a subcategory of the more general denial-of-service (DoS) attack. In a DoS attack, the attacker uses a single internet connection to barrage a target with fake requests or to try and exploit a cybersecurity vulnerability. DDoS is larger in scale. It utilizes thousands (even millions) of connected devices to fulfill its goal. The sheer volume of the devices used makes DDoS much harder to fight.
Botnets are the primary way DDoS attacks are carried out. The attacker will hack into computers or other devices and install a malicious piece of code, or malware, called a bot. Together, the infected computers form a network called a botnet. The attacker then instructs the botnet to overwhelm the victim's servers and devices with more connection requests than they can handle.
DDoS Attack Symptoms and How to Identify
One of the biggest issues with identifying a DDoS attack is that the symptoms are not unusual. Many of the symptoms are similar to what technology users encounter every day, including slow upload or download performance speeds, the website becoming unavailable to view, a dropped internet connection, unusual media and content, or an excessive amount of spam.
Further, a DDoS attack may last anywhere from a few hours to a few months, and the degree of attack can vary.
Which countries are most impacted by DDoS Attacks?
Types of DDoS Attacks
Different attacks target different parts of a network, and they are classified according to the network connection layers they target. A connection on the internet is comprised of seven different “layers," as defined by the Open Systems Interconnection (OSI) model created by the International Organization for Standardization. The model allows different computer systems to be able to "talk" to each other.
Volume-Based or Volumetric Attacks
This type of attack aims to control all available bandwidth between the victim and the larger internet. Domain name system (DNS) amplification is an example of a volume-based attack. In this scenario, the attacker spoofs the target's address, then sends a DNS name lookup request to an open DNS server with the spoofed address.
When the DNS server sends the DNS record response, it is sent instead to the target, resulting in the target receiving an amplification of the attacker’s initially small query.
Protocol attacks consume all available capacity of web servers or other resources, such as firewalls. They expose weaknesses in Layers 3 and 4 of the OSI protocol stack to render the target inaccessible.
A SYN flood is an example of a protocol attack, in which the attacker sends the target an overwhelming number of transmission control protocol (TCP) handshake requests with spoofed source IP addresses. The targeted servers attempt to respond to each connection request, but the final handshake never occurs, overwhelming the target in the process.
These attacks also aim to exhaust or overwhelm the target's resources but are difficult to flag as malicious. Often referred to as a Layer 7 DDoS attack—referring to Layer 7 of the OSI model—an application-layer attack targets the layer where web pages are generated in response to Hypertext Transfer Protocol (HTTP) requests.
A server runs database queries to generate a web page. In this form of attack, the attacker forces the victim's server to handle more than it normally does. An HTTP flood is a type of application-layer attack and is similar to constantly refreshing a web browser on different computers all at once. In this manner, the excessive number of HTTP requests overwhelms the server, resulting in a DDoS.
DDoS Attack Prevention
It is extremely difficult to avoid attacks because detection is a challenge. This is because the symptoms of the attack may not vary much from typical service issues, such as slow-loading web pages, and the level of sophistication and complexity of DDoS techniques continues to grow.
Further, many companies welcome a spike in internet traffic, especially if the company recently launched new products or services or announced market-moving news. As such, prevention is not always possible, so it is best for an organization to plan a response for when these attacks occur.