DDOS Encyclopedia: What is a DDoS attack and how to protect against DDOS attacks

1. What is a DDoS attack?

A distributed denial-of-service (DDoS) attack occurs when many machines attack a target at the same time, disrupting the normal operation of the targeted server, service, or network by flooding the target or its surrounding infrastructure with Internet traffic.

Distributing the attack lets far more requests reach the target than a single machine could produce, which increases attack power. It also makes attribution harder, because the true source of the attack is hidden behind the many machines doing the sending.

DDoS attacks can be devastating to online businesses, so understanding how they work and how to mitigate them quickly is critical.

The motivations for carrying out DDoS attacks vary widely, as do the types of individuals and organizations carrying them out. Some attacks are carried out by disgruntled individuals and hacktivists who want to take down a company's servers to make a statement, settle a grievance, or express their displeasure in some way.

Other DDoS attacks are financially motivated, such as when a competitor disrupts or shuts down another business's online operations in order to steal business. Others involve extortion, in which the perpetrators attack a company (or threaten to) and demand a large payment to stop or to refrain from attacking; DDoS is also used alongside ransomware campaigns to add pressure on the victim to pay.

2. How does a DDoS attack work?

DDoS attacks are designed to flood a target's devices, services, and networks with bogus Internet traffic, rendering them inaccessible or useless to legitimate users.

While a simple denial-of-service attack involves one attacking computer and one victim, a DDoS relies on a swarm of infected computers, or "bots", that can act simultaneously. These botnets are groups of hijacked Internet-connected devices (PCs, servers, routers, IoT devices) capable of carrying out large-scale attacks. Attackers exploit vulnerabilities or weak configurations such as default passwords to take control of large numbers of devices and manage them through command-and-control (C2) software. Once in control, they can order the botnet to DDoS a target. The owners of the infected devices are victims too, even though their devices are doing the attacking.

Botnets of infected devices may also be rented out to other would-be attackers. Such "DDoS-for-hire" (booter or stresser) services let unskilled users launch DDoS attacks for a fee.

In a DDoS attack, attackers abuse the normal exchanges between network devices and servers. Volumetric attacks in particular are often aimed not at an individual server but at the edge of the network (the Internet links and the routers, firewalls and load balancers behind them): the attack fills the network pipe (bandwidth) or exhausts the equipment providing that bandwidth, so everything behind it becomes unreachable.


3. How to identify a DDoS attack?

The best way to detect and identify DDoS attacks is through network traffic monitoring and analysis. Network traffic can be monitored through firewalls, intrusion detection systems, flow collectors or server logs. Administrators can also define rules that raise alerts and record traffic sources when an abnormal load is detected, or that drop packets matching certain criteria.

Symptoms of a DoS attack can resemble non-malicious availability issues, such as technical problems with a particular network or a system administrator performing maintenance. But the following symptoms may indicate a DoS or DDoS attack:

Network performance is unusually slow

Certain web services and/or websites are unavailable

Inability to reach any website

An IP address making an unusually large number of requests in a limited amount of time

The server responds with 5xx errors (such as 503 Service Unavailable) or times out because the service is overloaded

Log analysis shows a significant increase in network traffic

Strange traffic patterns, such as spikes or unusual patterns at odd times of day
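As an added example (not part of the original article), the following Python script runs two of the checks above over a constructed access log: a per-source sliding window that flags any IP sending more than a set number of requests in a short span, and a per-bucket total request rate compared against a baseline assumed to have been learned from quiet traffic. It also reports the share of 5xx responses. The log lines, the 2 req/s baseline and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format, e.g.
# 203.0.113.7 - - [10/Mar/2024:12:00:30 +0000] "GET /search HTTP/1.1" 503 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE_TS = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)  # start of the synthetic log


def _line(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def build_sample_log():
    """Synthetic log (constructed for this example, not a real capture): 20 legitimate
    clients each make one request every 10 s for a minute (2 req/s in total), then one
    source fires 200 requests inside a 5 s window starting at t=30 s; the server starts
    answering the flood with 503s halfway through."""
    lines = []
    for i in range(20):
        for t in range(0, 60, 10):
            lines.append(_line(f"198.51.100.{i + 1}", BASE_TS + timedelta(seconds=t + i % 10), f"/page{i}", 200))
    for n in range(200):
        lines.append(_line("203.0.113.7", BASE_TS + timedelta(seconds=30 + n // 40), f"/search?q={n}",
                           503 if n >= 100 else 200))
    return lines


def parse(lines):
    """Return (ip, timestamp, status) for every line that matches the format, in time order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])))
    return sorted(events, key=lambda e: e[1])


def flag_sources(lines, window_s=10, max_requests=50):
    """Per-source sliding window: return {ip: time_first_flagged} for every source that
    sends more than max_requests within any window_s span (symptom: one IP, many requests)."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, _ in parse(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def aggregate_spikes(lines, bucket_s=10, baseline_rps=2.0, factor=5.0):
    """Total request rate per bucket_s bucket; return the bucket start times (epoch seconds)
    whose rate exceeds factor x baseline. baseline_rps is assumed to have been learned from
    a quiet period; here it is simply the known legitimate rate of the synthetic log."""
    counts = Counter()
    for _, ts, _ in parse(lines):
        counts[int(ts.timestamp()) // bucket_s * bucket_s] += 1
    return sorted(b for b, n in counts.items() if n / bucket_s > baseline_rps * factor)


def error_ratio(lines):
    """Share of 5xx responses in the log: an overload symptom (not 404, which means 'not found')."""
    events = parse(lines)
    return sum(1 for _, _, st in events if st >= 500) / len(events) if events else 0.0


if __name__ == "__main__":
    log = build_sample_log()
    print("flagged sources:", flag_sources(log))
    print("spike buckets:", aggregate_spikes(log))
    print(f"5xx ratio: {error_ratio(log):.3f}")
```

Run as a script it reports one flagged source, one spike bucket and a 5xx ratio of about 31%. In production the baseline comes from history rather than a constant, and the per-source check must be paired with the aggregate one: a flood spread over thousands of bots can stay under any per-IP threshold while the total rate is plainly abnormal.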

4. Main types of DDoS attacks

DDoS and network-layer attacks are complex and varied. Because of the growing underground marketplace for attack tools and services, attackers can now carry out DDoS attacks with little or no knowledge of networks or cyberattacks, making the pool of possible attackers larger than ever.

Below are four of the most common and sophisticated DDoS attacks currently targeting organizations.

Application-layer (layer 7) DDoS attacks

Application-layer attacks exhaust the resources of the application itself (CPU, memory, worker threads, connection slots, back-end database capacity) rather than the network pipe, using HTTP and HTTPS as well as SMTP, FTP, VoIP and other application protocols with exploitable weaknesses. Much like attacks on network resources, they come in many forms: flood attacks (for example an HTTP flood of expensive requests such as search or login) and "low and slow" attacks that hold many connections open with minimal traffic until the server's connection pool is full (Slowloris is the classic example).


Volumetric (volume-based) attacks

Volumetric attacks aim to saturate bandwidth, and reflection/amplification attacks are the most efficient way to do so. They exploit protocols, usually over UDP, in which a small request triggers a much larger response (DNS, NTP and memcached are well-known examples). The attacker sends requests to reflector servers with the source IP address spoofed as the victim's IP, so the reflectors send their large responses to the victim, indirectly flooding it with traffic the victim never asked for. A common example is the reflective DNS amplification attack, in which an open resolver answers a short query with a response many times its size.
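The following Python script is an added example, not part of the original article. It computes the amplification factor from constructed request and response sizes and shows the check a defender can run over flow records at the network edge: an inbound DNS response is legitimate only if a host in the protected prefix recently sent a query to that server from the same address and port; anything else is reflection traffic aimed at a spoofed victim. The prefix 192.0.2.0/24, the flow records, the packet sizes and the 5 s timeout are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Prefix we are defending (documentation range; an assumption for this example).
OUR_PREFIX = ip_network("192.0.2.0/24")

# Constructed flow records, not real traffic: (time_s, src_ip, src_port, dst_ip, dst_port, bytes).
# First four: our resolver 192.0.2.10 queries 198.51.100.53 and gets ordinary answers back.
# The rest: three open resolvers send large answers to 192.0.2.80:80, which never asked them
# anything; the attacker spoofed 192.0.2.80 as the source of its queries.
FLOWS = [
    (0.0, "192.0.2.10", 41000, "198.51.100.53", 53, 64),
    (0.1, "198.51.100.53", 53, "192.0.2.10", 41000, 180),
    (0.2, "192.0.2.10", 41001, "198.51.100.53", 53, 64),
    (0.3, "198.51.100.53", 53, "192.0.2.10", 41001, 200),
    (5.0, "203.0.113.5", 53, "192.0.2.80", 80, 3100),
    (5.0, "203.0.113.6", 53, "192.0.2.80", 80, 3100),
    (5.1, "203.0.113.5", 53, "192.0.2.80", 80, 3100),
    (5.1, "203.0.113.7", 53, "192.0.2.80", 80, 3100),
    (5.2, "203.0.113.6", 53, "192.0.2.80", 80, 3100),
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the reflector sends the victim per byte the
    attacker spends. A 64-byte query answered with 3100 bytes (constructed sizes) is ~48x."""
    return response_bytes / request_bytes


def detect_unsolicited_dns(flows, our_prefix=OUR_PREFIX, timeout_s=5.0):
    """State-table check a defender can run at the edge: an inbound UDP packet from port 53
    is only legitimate if a host in our prefix sent a query to that server from the same
    local address and port within timeout_s. Anything else is reflection traffic; the
    result maps each reflector to the packets, bytes and local targets it hit."""
    pending = {}                                   # (our_ip, our_port, server_ip) -> time sent
    suspects = defaultdict(lambda: {"packets": 0, "bytes": 0, "targets": set()})
    for t, src, sport, dst, dport, nbytes in sorted(flows):
        if ip_address(src) in our_prefix and dport == 53:
            pending[(src, sport, dst)] = t         # outbound query: remember it
            continue
        if ip_address(dst) in our_prefix and sport == 53:
            sent = pending.pop((dst, dport, src), None)
            if sent is not None and t - sent <= timeout_s:
                continue                           # answer to a query we really sent
            s = suspects[src]                      # unsolicited (or stale): reflection
            s["packets"] += 1
            s["bytes"] += nbytes
            s["targets"].add(dst)
    return dict(suspects)


if __name__ == "__main__":
    print(f"amplification factor: {amplification_factor(64, 3100):.1f}x")
    for reflector, s in sorted(detect_unsolicited_dns(FLOWS).items()):
        print(f"{reflector:14} {s['packets']} packets, {s['bytes']} bytes -> {sorted(s['targets'])}")
```

The spoofed victim never sent a query, so every response it receives is unsolicited; that asymmetry is what the check exploits, and it also explains why blocking by source address does not help against reflection (the reflectors are legitimate servers). A scrubbing service does the same matching at line rate; on a small network, rate-limiting inbound UDP/53 toward hosts that are not resolvers is the cheap version of the same countermeasure.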


SSL/TLS and encryption attacks

Attackers use SSL/TLS to hide attack traffic among legitimate encrypted traffic in both network- and application-level attacks. Many security products inspect TLS passively, without terminating it, so they cannot see request content and cannot tell encrypted attack traffic from encrypted legitimate traffic; the best they can do is limit the request rate, with the false positives that brings. Stopping such attacks requires DDoS mitigation that either terminates TLS at the mitigation point or detects anomalies in traffic behaviour (connection rates, request sizes and timing, TLS handshake patterns) without decrypting it, combining automated, machine-learning-based detection and mitigation with coverage for any hosting environment: on-premises, private and public clouds.

Web DDoS Tsunami Attack

Web DDoS Tsunami attacks (a term used by some mitigation vendors for very large, sophisticated HTTPS floods) combine several application-layer attack vectors and new tooling to create attacks that are harder to detect and mitigate with traditional methods.

5. How to prevent DDoS attacks

To prevent DDoS attacks, organizations should consider several key capabilities to mitigate DDoS attacks, ensure service availability, and minimize false positives. Utilizing behavior-based techniques, understanding the pros and cons of different DDoS deployment options, and being able to mitigate a range of DDoS attack vectors is critical to preventing DDoS attacks.

The following features are critical to preventing DDoS attacks:

automation

With today's dynamic and automated DDoS attacks, organizations cannot rely on manual protection. A service that requires no customer intervention and automates the whole attack lifecycle (data collection, attack detection, traffic diversion and attack mitigation) delivers better-quality protection.

Behavior Based Protection

DDoS mitigation solutions that block attacks without affecting legitimate traffic are key. Solutions that use machine learning and behaviour-based algorithms to learn what legitimate traffic looks like and automatically block deviations from it increase protection accuracy and minimize false positives.

Cleaning Capabilities and Global Network

DDoS attacks are increasing in number, severity, sophistication and persistence. If faced with massive or simultaneous attacks, cloud DDoS services should provide a strong global security network that can be scaled to Tbps-level mitigation capabilities and have a dedicated scrubbing center to isolate clean traffic from DDoS attack traffic.

Various Deployment Options

Flexibility in deployment models is critical so organizations can tailor their DDoS mitigation services to their needs, budget, network topology and threat profile. The appropriate deployment model (hybrid, on-demand, or always-on cloud protection) will vary with network topology, application hosting environment, and sensitivity to latency.

Comprehensive protection against a range of attack vectors

The threat landscape is constantly changing, and the DDoS mitigation solutions that offer the broadest protection are not limited to network layer attack protection, but also include protection against the above attack vectors.

6. How to Mitigate DDoS Attacks

There are several important steps and measures organizations can follow to mitigate DDoS attacks. This includes timely communication with internal stakeholders and third-party providers, attack analysis, activation of basic countermeasures (such as rate limiting), and more advanced DDoS mitigation protection and analysis.

Below are five steps to follow when mitigating a DDoS attack.

Step 1: Alert Key Stakeholders

Inform key stakeholders within the organization of the attack and the steps being taken to mitigate it.

Examples of key stakeholders include the CISO, the Security Operations Center (SOC), IT directors, operations managers and the business managers of the affected services.

Key information should include:

Which assets (applications, services, servers, etc.) are affected

Impact on Users and Customers

What steps are being taken to mitigate the attack

Step 2: Notify Your Security Vendor

You also need to alert your security provider and activate their measures to help mitigate the attack.

Your security provider may be your Internet Service Provider (ISP), web hosting provider, or dedicated security service provider. Each provider type has different capabilities and scope of services. Your ISP may help you minimize malicious web traffic reaching your network, while your web hosting provider may help you minimize application impact and scale your services accordingly. Likewise, security services often have specialized tools to deal with DDoS attacks.

Step 3: Initiate Countermeasures

If you already have anti-DDoS countermeasures in place, activate them.

One approach is to implement IP-based access control lists (ACLs) that block all traffic from the attack sources. This is done at the network router level and can usually be arranged by your networking team or ISP. It is useful if the attack comes from a single source or a small number of sources, but it does not scale when the attack comes from a large number of IP addresses, and it is pointless against spoofed or reflected traffic, where the addresses seen are not the attacker's.

If the target is an application-based or web-based service, you can limit the number of requests each client may make in a given period (rate limiting) or cap the number of concurrent connections per client; these are the methods usually favoured by web hosting providers and CDNs. Note that they are prone to false positives, because they cannot distinguish malicious from legitimate traffic: many legitimate users sharing one address behind a NAT or proxy look exactly like a single abusive source.

A dedicated DDoS protection tool will give you the widest coverage of DDoS attacks. DDoS protection can be deployed as an appliance in the data center, as a cloud-based scrubbing service, or as a hybrid solution combining hardware appliances and cloud services.
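To make Step 3 concrete, the following Python code (an added example, not the article's own or any vendor's) implements per-source rate limiting as a token bucket, runs constructed traffic through it, and collapses a list of attacking addresses into the CIDR prefixes a router ACL or firewall set would hold. The traffic mix, the limit of 5 req/s with a burst of 20, and the IP ranges are assumptions; the NAT scenario shows the false-positive problem described above.

```python
from ipaddress import collapse_addresses, ip_network


class RateLimiter:
    """Per-source token bucket. Each source starts with `burst` tokens, earns `rate` tokens
    per second up to `burst`, and spends one token per request; a request that finds no
    token is dropped."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.buckets = {}          # source ip -> (tokens, time of last update)

    def allow(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False


def simulate(limiter, requests):
    """Feed (time_s, source_ip) requests through the limiter in time order and
    return {ip: {"allowed": n, "dropped": m}}."""
    stats = {}
    for t, ip in sorted(requests):
        s = stats.setdefault(ip, {"allowed": 0, "dropped": 0})
        s["allowed" if limiter.allow(ip, t) else "dropped"] += 1
    return stats


def build_requests():
    """Constructed traffic, not a real capture: five normal clients at 2 req/s for 10 s,
    one attacker at 100 req/s for 1 s, and one NAT address shared by 30 users who each
    make 2 req/s, so the NAT shows 60 req/s of entirely legitimate traffic."""
    reqs = []
    for i in range(1, 6):
        reqs += [(k * 0.5, f"198.51.100.{i}") for k in range(20)]
    reqs += [(k * 0.01, "203.0.113.7") for k in range(100)]
    for user in range(30):
        reqs += [(k * 0.5 + user * 0.01, "198.51.100.200") for k in range(20)]
    return reqs


def aggregate_blocklist(ips):
    """Collapse attacking source addresses into the fewest CIDR prefixes, which is the
    form a router ACL or firewall address set actually wants."""
    return [str(n) for n in collapse_addresses(ip_network(ip) for ip in ips)]


if __name__ == "__main__":
    stats = simulate(RateLimiter(rate=5, burst=20), build_requests())
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} allowed={s['allowed']:4} dropped={s['dropped']:4}")
    print("ACL entries:", aggregate_blocklist([f"203.0.113.{i}" for i in range(256)]))
```

The attacker is cut to roughly 25 of its 100 requests, the five ordinary clients are untouched, and the NAT address loses most of its 600 legitimate requests: exactly the false positive the text warns about. Keying the bucket on something finer than the source IP (a session cookie, an authenticated user, or a source IP plus a client fingerprint) is the usual way to soften it, and the aggregated prefixes should be reviewed before they go into an ACL, because a /24 learned from a few attacking hosts can take out a whole ISP access range.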

Step 4: Monitor Attack Progress

Throughout the attack, monitor the progress of the attack to understand its development.

This should include:

What type of DDoS attack is it? Is it a network-level flood or an application-layer attack?

What are its attack characteristics? How big is the attack in terms of bits per second and packets per second?

Is the attack coming from a single IP source or multiple sources? Can you identify them?

What does the attack pattern look like? Is it a single sustained flood or a burst attack? Does it involve a single protocol or multiple attack vectors?

Did the target of the attack stay the same, or did the attacker change targets over time?

Tracking the progress of an attack can also help you adjust your defenses to stop the attack.

Step 5: Evaluate Defense Performance

Finally, as the attack evolves and countermeasures are launched, evaluate their effectiveness. Your security vendor should document a service level agreement (SLA) committing to its service obligations; check whether it is meeting that SLA, and what impact any shortfall is having on your operations.


Origin blog.csdn.net/huosanyun/article/details/131814388