A DDoS attack is a Denial of Service attack that comes from multiple sources. In this kind of cyberattack, the attacker will disrupt network services, usually by flooding a targeted machine with requests. The system becomes overloaded, and so legitimate traffic or communications can’t get through. As a Distributed Denial of Service attack does this from multiple sources, the number of incoming requests can be greater, and it’s much harder to stop the attack in its tracks. This article will cover the topic of DDoS attacks in greater detail.
Understanding DDoS attacks
The first Denial of Service attacks were experienced in the 1990’s, and yet these kinds of cyberattack are still a common threat today. Distributed Denial of Service attacks are more serious than Denial of Service attacks, and will be a lot harder to mitigate.
A DDoS attack will use more than one unique IP address, and these addresses can come from thousands of machines which an attacker has control over. This is known as a DDoS botnet. By using a botnet, a single attacker has the might of hundreds or thousands of endpoints to launch its attack. These machines could be anything from mobile phones to CCTV cameras, (as seen in the famous case of the Mirai botnet). Most victims wouldn’t even know that their devices have been hacked and could be used as part of a DDoS attack.
The attacker calls on the botnet with a remote command, and all of the bots will start sending requests to a single target system. Although each request on its own would probably go unnoticed and definitely do no harm, because there are so many bots targeting the victim, the system becomes overloaded, and can stop working altogether.
From the target business’ perspective, these requests are coming from “ordinary” users, who are impossible to distinguish from their regular traffic. That means in order to stop the malicious incoming requests, they generally need to cut off the legitimate traffic, too.
What kinds of DDoS attack are there?
There are many different kinds of DDoS attack, with many experts counting more than 20 types to look out for. They generally fall into three main categories:
Volume: These are the traditional kind of DDoS attacks we’ve been discussing. A huge number of fake requests are sent to overwhelm a server or a specific website. You will use bits-per-second to measure the size of a volume-based attack.
Protocol: In contrast, these attacks are measured in packets-per-second, and these send whole packets to network infrastructures or the tools that manage these network infrastructures. One famous example is SYN floods.
Application: These target the application layer, and are aimed at specific web applications, making them tough to mitigate. Each request will be maliciously crafted by the attacker, and these are measured by requests-per-second.
To make these attacks more difficult to spot and mitigate, attackers are known to use techniques like spoofing their IP address so you can’t find the true source location, obfuscating the address so it looks like it came from the victim or somewhere else, and even amplifying the attack to make it larger, by tricking an online service into responding to the fake request – overwhelming them even more.
What does a DDoS attack look like?
As IT professionals, recognizing the signs of a DDoS attack is really important, both to inform your IT users of what’s going on, and also to quickly make smart moves to solve the problem. Unfortunately, it’s not always easy to spot a DDoS attack, especially if the requests look like they are coming from legitimate sources.
Look out for a rush of traffic that’s coming from an unexpected location, perhaps somewhere that you don’t have an existing customer-base, or a large swathe of traffic coming from the same place. You also might notice that all of the spike in traffic is coming from the same OS and web browser – which is not typical of “real” users. Other signs include traffic that’s sending requests to a single server, port or application, or coming in waves that you can time consistently.
What can you do to stop a DDoS attack?
That’s the million-dollar question! Once a DDoS attack has begun, it’s tough to stop it in its tracks without blocking all HTTP requests, which would mean certain downtime. This might be necessary in order to prevent the server from crashing altogether.
Preventive measures are a smart move for protecting against DDoS attacks, and if you’re working in client environments, these will be incredibly important.
Leverage a CDN solution: These are global scrubbing centers that use a port protocol to “clean” your traffic to ensure volume-based attacks can’t make it through. They can also share your load equally across distributed servers making it harder for attackers to target them all at once.
Visitor identification technology: This kind of solution can tell the difference between legitimate website visitors and botnet traffic. Malicious traffic can be blocked before it reaches the site. Remember, there are risks of legitimate user requests being blocked.
Monitor visitor behavior: The more you know about your visitors, the better, helping you to understand safe and unsafe traffic behavior. You can even enforce specific tasks before allowing a suspicious request through, such as cookie challenges and CAPTCHAs.
Bump your network security: Firewalls and IDS can scan traffic before allowing it into the network, and web security tools can block abnormal traffic, and search for traffic that has known attack patterns. Network segmentation can ensure one breach doesn’t impact the whole business.
Ultimately, you’ll want to make sure that you have continuous monitoring of all network traffic so that you can spot the earliest warning signs of a DDoS attack. Sometimes, attackers will launch a low-volume attack for a short period of time as a test run, so it’s important to stay vigilant.