Distributed Denial-of-Service (DDoS) Attacks

What is DDoS?

A distributed denial-of-service (DDoS) attack is a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.

Motivations for carrying out a DDoS vary widely, as do the types of individuals and organizations eager to perpetrate this form of cyberattack. Some attacks are carried out by disgruntled individuals and hacktivists wanting to take down a company's servers simply to make a statement, have fun by exploiting weaknesses, or express disapproval.

Other DDoS attacks are financially motivated, such as a competitor disrupting or shutting down another business's online operations to steal business away in the meantime. Others involve extortion, in which perpetrators attack a company and install hostageware or ransomware on their servers, then force them to pay a large sum for the damage to be reversed.

DDoS attacks are on the rise, and even some of the largest companies are not immune to DDoS. The largest attack in history was carried out in February 2020 against none other than Amazon Web Services (AWS), overtaking an earlier attack on GitHub two years prior. DDoS ramifications include a drop in legitimate traffic, lost business, and reputation damage.

As the Internet of Things (IoT) continues to proliferate and more employees work from home, the number of devices connected to a network keeps growing. The security of each IoT device may not keep pace, leaving the network to which it is connected vulnerable to attack. DDoS protection and mitigation are therefore crucial.


How DDoS Attacks Work

A DDoS attack aims to overwhelm the devices, services, and network of its intended target with fake internet traffic, rendering them inaccessible to or useless for legitimate users.

DoS vs. DDoS

DDoS is a subcategory of the more general denial-of-service (DoS) attack. In a DoS attack, the attacker uses a single internet connection to barrage a target with fake requests or to try to exploit a cybersecurity vulnerability. DDoS is larger in scale. It utilizes thousands (even millions) of connected devices to fulfill its goal. The sheer volume of the devices used makes DDoS much harder to fight.

Botnets

Botnets are the primary way DDoS attacks are carried out. The attacker will hack into computers or other devices and install a malicious piece of code, or malware, called a bot. Together, the infected computers form a network called a botnet. The attacker then instructs the botnet to overwhelm the victim's servers and devices with more connection requests than they can handle.

DDoS Attack Symptoms

One of the biggest issues with identifying a DDoS attack is that the symptoms are not unusual. Many of the symptoms are similar to what technology users encounter every day, such as slow upload or download speeds, certain websites becoming unavailable, a dropped internet connection, or an excessive amount of spam. 

Further, a DDoS attack may last anywhere from a few hours to a few months, and the degree of attack can vary.


Types of DDoS Attacks

Different attacks target different parts of a network, and they are classified according to the network connection layers they target. A connection on the internet comprises seven different "layers," as defined by the Open Systems Interconnection (OSI) model created by the International Organization for Standardization. The model allows different computer systems to "talk" to each other.

Volume-Based or Volumetric Attacks

This type of attack aims to control all available bandwidth between the victim and the larger internet. Domain name system (DNS) amplification is an example of a volume-based attack. In this scenario, the attacker spoofs the target's address, then sends a DNS name lookup request to an open DNS server with the spoofed address.

When the DNS server sends the DNS record response, it is sent instead to the target, resulting in the target receiving an amplification of the attacker’s initially small query.
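The following Python example, added here and not taken from the original article, puts numbers on the amplification described above from the resolver operator's side: it computes the response-to-query byte ratio, flags sources that keep receiving highly amplified answers (the likely spoofed victims), and applies a simplified response rate limiting (RRL) policy. The log format, the IP addresses, the byte sizes and the per-second budget are all constructed assumptions; the RRL model is a simplified version of the budget-then-truncate behaviour that real authoritative servers implement.

```python
"""DNS amplification arithmetic and response rate limiting (RRL).

Added example; not code from the original article. The resolver log format
is constructed (time, source IP, query type, query name, query bytes,
response bytes), and the RRL policy is a simplified model of the per-client
budget-then-truncate behaviour real authoritative servers implement.
"""
from collections import defaultdict

# Constructed log: a spoofed "source" (the real victim) is hit with large ANY
# answers it never asked for, while 203.0.113.9 makes one ordinary lookup.
RESOLVER_LOG = """\
0.00 198.51.100.7 ANY example.com 45 3200
0.01 198.51.100.7 ANY example.com 45 3200
0.02 198.51.100.7 ANY example.com 45 3200
0.03 198.51.100.7 ANY example.com 45 3200
0.04 198.51.100.7 ANY example.com 45 3200
0.05 198.51.100.7 ANY example.com 45 3200
0.20 203.0.113.9 A www.example.com 50 66
1.10 198.51.100.7 ANY example.com 45 3200
"""


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the spoofed source per byte the attacker had to send."""
    return response_bytes / query_bytes


def parse_log(text: str):
    """Turn the constructed log into (time, src, qtype, qname, qbytes, rbytes) tuples."""
    records = []
    for line in text.splitlines():
        t, src, qtype, qname, qb, rb = line.split()
        records.append((float(t), src, qtype, qname, int(qb), int(rb)))
    return records


def suspected_reflection_victims(records, min_factor=20.0, min_queries=5):
    """Sources that keep receiving highly amplified answers: likely spoofed victims."""
    counts = defaultdict(int)
    for _, src, _, _, qb, rb in records:
        if amplification_factor(qb, rb) >= min_factor:
            counts[src] += 1
    return {src for src, n in counts.items() if n >= min_queries}


def apply_rrl(records, responses_per_second: int = 5):
    """Per (source, name, second) budget: answer in full until it is spent, then
    send a truncated (TC) reply about the size of the query.

    A spoofed victim then receives no amplification beyond the budget; a real
    client retries over TCP, which a spoofed source cannot complete.
    Returns (decisions, bytes_sent_with_rrl, bytes_sent_without_rrl).
    """
    spent = defaultdict(int)
    decisions, with_rrl, without_rrl = [], 0, 0
    for t, src, _, qname, qb, rb in records:
        key = (src, qname, int(t))
        without_rrl += rb
        if spent[key] < responses_per_second:
            spent[key] += 1
            decisions.append("answer")
            with_rrl += rb
        else:
            decisions.append("truncate")
            with_rrl += qb  # header-only reply, roughly query sized
    return decisions, with_rrl, without_rrl


if __name__ == "__main__":
    recs = parse_log(RESOLVER_LOG)
    print("amplification per ANY query: %.1fx" % amplification_factor(45, 3200))
    print("suspected spoofed victims:", suspected_reflection_victims(recs))
    decisions, with_rrl, without_rrl = apply_rrl(recs)
    print("bytes to sources without RRL: %d, with RRL: %d" % (without_rrl, with_rrl))
```

The two defender levers this illustrates are closing the resolver to recursion from the open internet (so it is not usable as a reflector at all) and, for servers that must answer everyone, capping how many full answers any one claimed source gets per second.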

Protocol Attacks

Protocol attacks consume all available capacity of web servers or other resources, such as firewalls. They expose weaknesses in Layers 3 and 4 of the OSI protocol stack to render the target inaccessible. 

A SYN flood is an example of a protocol attack, in which the attacker sends the target an overwhelming number of Transmission Control Protocol (TCP) handshake requests with spoofed source IP addresses. The target's servers respond to each connection request, but the final step of the handshake never occurs, so half-open connections accumulate and overwhelm the target.
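As an added example, not from the original article, the Python below shows the two signals a defender can read off a server's own TCP handshake state to recognise the SYN flood just described: half-open connections approaching the listen backlog, and a SYN-to-ACK ratio far above the roughly 1:1 of normal traffic. The packet trace, the addresses and ports, and the thresholds are all constructed assumptions.

```python
"""Spotting a SYN flood from handshake state, as an added example (not from the article).

The packet trace is constructed: (time, source IP, source port, TCP flags) as
seen at one listening port. A real client finishes the handshake with an ACK;
a spoofed source never does, so its entry stays half-open until it times out.
"""
from collections import Counter

# Constructed trace: two legitimate clients complete their handshakes, then
# 600 SYNs arrive from spoofed addresses within 0.6 s and none are completed.
PACKETS = [
    (0.0, "203.0.113.5", 51000, "SYN"), (0.1, "203.0.113.5", 51000, "ACK"),
    (0.2, "203.0.113.6", 51001, "SYN"), (0.3, "203.0.113.6", 51001, "ACK"),
] + [
    (0.5 + i * 0.001, "198.51.100.%d" % (i % 254 + 1), 40000 + i, "SYN")
    for i in range(600)
]


def half_open_connections(packets, now, timeout=60.0):
    """Connections whose SYN was never completed by an ACK and has not yet timed out."""
    pending = {}
    for t, src, sport, flags in packets:
        key = (src, sport)
        if flags == "SYN":
            pending[key] = t
        elif flags == "ACK":
            pending.pop(key, None)
    return {key: t for key, t in pending.items() if now - t < timeout}


def syn_flood_indicators(packets, now, backlog=256, window=1.0,
                         min_syns=100, max_ratio=10.0):
    """Two defender-side signals:
    - half-open connections approaching the listen backlog (the resource a SYN
      flood exhausts), and
    - SYN:ACK ratio in the last `window` seconds, roughly 1:1 under normal load.
    Thresholds are illustrative; tune them to the service's normal traffic.
    """
    half_open = half_open_connections(packets, now)
    recent = Counter(flags for t, _, _, flags in packets if now - t <= window)
    syns, acks = recent["SYN"], recent["ACK"]
    if acks:
        ratio = syns / acks
    else:
        ratio = float("inf") if syns else 0.0
    exhausted = len(half_open) >= backlog
    return {
        "half_open": len(half_open),
        "backlog_exhausted": exhausted,
        "syn_ack_ratio": ratio,
        "suspect_flood": exhausted or (syns >= min_syns and ratio > max_ratio),
    }


if __name__ == "__main__":
    print("normal load:", syn_flood_indicators(PACKETS[:4], now=0.4))
    print("under flood:", syn_flood_indicators(PACKETS, now=1.5))
```

On Linux the standard mitigation for the backlog-exhaustion case is SYN cookies (`net.ipv4.tcp_syncookies=1`), which let the kernel answer SYNs without keeping per-connection state until the final ACK arrives; the indicator above is still useful because it tells you the flood is happening even when cookies are absorbing it.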

Application-Layer Attacks

These attacks also aim to exhaust or overwhelm the target's resources but are difficult to flag as malicious. Often referred to as a Layer 7 DDoS attack—referring to Layer 7 of the OSI model—an application-layer attack targets the layer where web pages are generated in response to Hypertext Transfer Protocol (HTTP) requests. 

A server runs database queries to generate a web page. In this form of attack, the attacker forces the victim's server to handle more than it normally does. An HTTP flood is a type of application-layer attack and is similar to constantly refreshing a web browser on different computers all at once. In this manner, the excessive number of HTTP requests overwhelms the server, resulting in a DDoS.


DDoS Prevention

Attacks are extremely difficult to avoid because they are difficult to detect: their symptoms may not differ much from typical service issues, such as slow-loading web pages, and the sophistication and complexity of DDoS techniques continue to grow.

Further, many companies welcome a spike in internet traffic, especially if the company recently launched new products or services or announced market-moving news. As such, prevention is not always possible, so it is best for an organization to plan a response for when these attacks occur.

DDoS Mitigation

Once a suspected attack is underway, an organization has several options to mitigate its effects.

Risk Assessment

Organizations should regularly conduct risk assessments and audits on their devices, servers, and network. While it is impossible to completely avoid a DDoS, a thorough awareness of both the strengths and vulnerabilities of the organization's hardware and software assets goes a long way. Knowing the most vulnerable segments of an organization's network is key to understanding which strategy to implement to lessen the damage and disruption that a DDoS attack can impose.

Traffic Differentiation

If an organization believes it has just been victimized by a DDoS, one of the first things to do is determine the quality or source of the abnormal traffic. Of course, an organization cannot shut off traffic altogether, as this would be throwing out the good with the bad.

As a mitigation strategy, use an Anycast network to scatter the attack traffic across a network of distributed servers. This is performed so that the traffic is absorbed by the network and becomes more manageable.

Black Hole Routing

Another form of defense is black hole routing, in which a network administrator—or an organization's internet service provider—creates a black hole route and pushes traffic into that black hole. With this strategy, all traffic, both good and bad, is routed to a null route and essentially dropped from the network. This can be rather extreme, as legitimate traffic is also stopped and can lead to business loss.

Rate Limiting

Another way to mitigate DDoS attacks is to limit the number of requests a server can accept within a specific time frame. This alone is generally not sufficient to fight a more sophisticated attack but might serve as a component of a multipronged approach.
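The Python below is an added example, not code from the original article, serving both the HTTP flood described under application-layer attacks and the rate limiting just discussed. It replays constructed web-server access-log lines through a per-client sliding-window limiter and reports how many requests from each client would have been accepted or rejected. The log lines, the addresses, and the limit of 20 requests per 10 seconds are all constructed assumptions.

```python
"""Per-client sliding-window rate limiting over web access logs.

Added example, not code from the article. Log lines are constructed in a
common-log-like format and the limit (20 requests per 10 s per IP) is
illustrative. A limiter like this blunts an HTTP flood from a few sources; as
the article says, a botnet of many sources can stay under any per-client limit.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def clf_line(ip, offset_s, path):
    """Build one constructed access-log line `offset_s` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, ts, path)


# Constructed: one client fires 30 requests at /search in two seconds (the
# "constantly refreshing" pattern), another browses five pages over ten seconds.
ACCESS_LOG = (
    [clf_line("198.51.100.23", s, "/search?q=x") for s in range(2) for _ in range(15)]
    + [clf_line("203.0.113.9", s, "/index.html") for s in range(0, 10, 2)]
)


def parse(line):
    """Extract (epoch seconds, client IP, method, path) from one log line."""
    m = CLF.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m["ip"], m["method"], m["path"]


def rate_limit(lines, limit=20, window=10.0):
    """Replay the log in time order; a request is rejected when its client already
    has `limit` accepted requests inside the trailing `window` seconds."""
    recent = defaultdict(deque)            # ip -> timestamps of accepted requests
    verdicts = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, ip, _, _ in sorted(parse(l) for l in lines):
        q = recent[ip]
        while q and ts - q[0] >= window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= limit:
            verdicts[ip]["rejected"] += 1
        else:
            q.append(ts)
            verdicts[ip]["allowed"] += 1
    return dict(verdicts)


if __name__ == "__main__":
    for ip, verdict in rate_limit(ACCESS_LOG).items():
        print(ip, verdict)
```

Keying the limiter on client IP is the simplest choice and the one most easily defeated by a distributed botnet; in practice the same window logic is also applied per session, per API key, or per expensive endpoint, which is why the article calls rate limiting one component of a multipronged approach rather than a complete answer.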

Firewalls

To lessen the impact of an application-layer or Layer 7 attack, some organizations opt for a Web Application Firewall (WAF). A WAF is an appliance that sits between the internet and a company's servers and acts as a reverse proxy. As with all firewalls, an organization can create a set of rules that filter requests. They can start with one set of rules and then modify them based on what they observe as patterns of suspicious activity carried out by the DDoS.
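To make the rule-tuning workflow above concrete, here is an added Python example (not the article's code and not any vendor's product) of a minimal WAF-style request filter: a list of named rules evaluated in order at the reverse proxy, with a baseline set and a second set extended by a pattern observed during an attack. The requests, header values, the `constructed-flood-agent/1.0` user-agent string and the rules themselves are illustrative and constructed.

```python
"""A minimal WAF-style request filter, added as an example (not the article's or
any vendor's code).

Each rule is a named predicate over a parsed request and the first matching
rule decides; the default is to allow. The rules and requests are constructed.
The workflow the article describes is shown as two rule sets: a baseline, and
the same baseline extended with a pattern observed during an attack (here, a
constructed user-agent string hammering the search endpoint).
"""
from dataclasses import dataclass
import re


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    client_ip: str


@dataclass
class Rule:
    name: str
    action: str      # "block" or "allow"
    matches: object  # callable(Request) -> bool


def baseline_rules():
    """Rules cheap enough to run on every request at the reverse proxy."""
    return [
        Rule("no-host-header", "block", lambda r: "Host" not in r.headers),
        Rule("no-user-agent", "block", lambda r: "User-Agent" not in r.headers),
        Rule("unexpected-method", "block",
             lambda r: r.method not in ("GET", "HEAD", "POST")),
    ]


def tuned_rules(observed_agent, expensive_path_pattern):
    """Baseline plus a rule for a pattern seen during an attack: a specific agent
    string hitting an expensive, database-backed endpoint."""
    expensive = re.compile(expensive_path_pattern)
    return baseline_rules() + [
        Rule("observed-flood-pattern", "block",
             lambda r: r.headers.get("User-Agent") == observed_agent
             and bool(expensive.match(r.path))),
    ]


def evaluate(rules, request):
    """Return (action, rule_name) for the first matching rule, or ("allow", "default")."""
    for rule in rules:
        if rule.matches(request):
            return rule.action, rule.name
    return "allow", "default"


# Constructed requests.
BROWSER = Request("GET", "/index.html",
                  {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}, "203.0.113.9")
HEADLESS = Request("GET", "/search?q=abc", {"Host": "www.example.com"}, "198.51.100.23")
TRACE = Request("TRACE", "/",
                {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}, "198.51.100.24")
FLOOD = Request("GET", "/search?q=zzz",
                {"Host": "www.example.com", "User-Agent": "constructed-flood-agent/1.0"},
                "198.51.100.25")

if __name__ == "__main__":
    base = baseline_rules()
    tuned = tuned_rules("constructed-flood-agent/1.0", r"^/search\?")
    for name, req in [("browser", BROWSER), ("headless", HEADLESS),
                      ("trace", TRACE), ("flood", FLOOD)]:
        print(name, "baseline:", evaluate(base, req), "tuned:", evaluate(tuned, req))
```

Note that the flood request passes the baseline and is only blocked by the rule added after observing the pattern, which is exactly the iteration the article describes; the cost is that a rule keyed on something the attacker controls (a user-agent string) will need revising as soon as the traffic changes, so such rules are best logged with their hit counts and retired once the attack ends.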


DDoS Protection Solution

A fully robust DDoS protection solution includes elements that help an organization in both defense and monitoring. As the sophistication and complexity level of attacks continue to evolve, companies need a solution that can assist them with both known and zero-day attacks. A DDoS protection solution should employ a range of tools that can defend against every type of DDoS attack and monitor hundreds of thousands of parameters simultaneously.
