In a distributed denial-of-service (DDoS) attack, massive amounts of illegitimate traffic are sent to a specific website, server, or network to exhaust its bandwidth or processing capacity and make it unavailable to legitimate users. At their core, DDoS attacks work by overwhelming a target system or network with a large volume of requests arriving from many sources at once; the "distributed" part is what makes them hard to filter, since there is no single address to block.
These requests can originate from an array of different devices, including computers, smartphones, and even internet-connected household appliances such as smart TVs. When an attacker controls such devices and uses them together for a DDoS attack, they are collectively referred to as a botnet.
In the last 12 months, there has been a significant increase in the frequency and severity of DDoS attacks, and many organizations are struggling to keep up with their growing complexity.
Some recent prominent attacks include one against Amazon Web Services in February 2020 that peaked at 2.3 terabits per second (Tbps, a bandwidth figure that measures a volumetric attack) and one against Russia's Yandex in September 2021 that reached 21.8 million web requests per second (a request-rate figure that measures an application-layer attack). A DDoS attack also hit Microsoft's Azure cloud service in the second half of 2021.
In 2022, some of the attacks were political, focusing on Russia’s war in Ukraine. According to Kaspersky, the pro-Russian group Killnet was responsible for several DDoS attacks directed at Estonia, Lithuania, the U.S. Electronic Federal Tax Payment System, and the U.S. Congress website.
Unlike most intrusions, a DDoS attack does not depend on a vulnerability in the target: it works by exhausting a finite resource, whether bandwidth, connection state in a firewall or server, or application capacity, so a fully patched and well-configured system can still be taken offline if the attacker can send more than it can absorb. The severity of DDoS attacks varies widely, from slower responses for some users to the complete shutdown of an entire network.
As a result, targeted organizations lose revenue, suffer reputational damage, and may even face legal or regulatory consequences. According to the Ponemon Institute, DDoS downtime costs an average of $22,000 per minute, so an attack lasting an hour costs well over $1 million USD.
Why are DDoS Attacks so Prevalent?
Despite significant advances in cybersecurity, DDoS attacks are still common due to several key factors.
- Growing complexity and interconnectedness of modern networks: The growing complexity of modern networks and the rapid growth in connected devices mean there are always new devices to recruit into botnets and new services to target.
- Reactive and outdated security measures: Many organizations still rely on reactive and outdated security measures, such as traditional firewalls and antivirus, which are designed to block individual malicious connections rather than absorb a flood of otherwise ordinary-looking traffic.
- Use in cyberwar: Governments and military entities also use DDoS attacks as a tool of cyberwarfare to disrupt critical digital infrastructure, as seen in the Russia-Ukraine conflict.
- Lucrative source of income: Cybercriminals extort payment to stop or not launch an attack, and also use DDoS as a smokescreen while they quietly steal sensitive data from a network or install ransomware that holds systems hostage until a ransom is paid.
- Growth in DDoS as a service: As DDoS attacks become more common, many criminals offer DDoS-as-a-service ("booter" or "stresser") tools that let customers launch sophisticated attacks with little to no technical knowledge.
How Do DDoS Attacks Work?
Before launching a DDoS attack, attackers typically need control of many systems, which they obtain by exploiting vulnerabilities or stealing credentials from unsuspecting victims. Once they control those systems, they can use them as part of their botnet, a network of compromised computers that can be directed to carry out malicious activity.
Creating a botnet involves several steps. First, attackers find systems they can compromise, whether through software exploits against exposed services and devices or through phishing emails and malicious links that trick users into running malware.
Once they have gained access to these systems, they install malware that gives them remote command and control over those machines. This turns the computers into "zombies" or "bots" that can be used for nefarious purposes, such as launching DDoS attacks or sending spam email.
The attacker then directs these bots as a single network, which multiplies the traffic they can aim at a target system or network. They may also use the bots for other malicious activities, such as stealing confidential data or extorting money from victims by threatening them with data deletion or leakage.
DDoS Attack Categories
All DDoS attacks involve overwhelming the target system, network, or application with a flood of malicious traffic. However, DDoS attacks can be categorized into three main types based on the open systems interconnection (OSI) layer they target: application layer attacks, protocol attacks, and volumetric attacks.
Application layer attacks
DDoS application layer attacks take advantage of the seventh layer of the OSI model, the application layer, to deny service to legitimate users. These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests.
The attacker's goal is to exhaust the target's resources, making it impossible for legitimate users to access the website or service. To accomplish this, attackers may employ techniques such as Slowloris, which opens many connections, sends an incomplete HTTP request on each, and keeps adding header lines just often enough to stop the server from timing the connection out, so that the server's connection slots fill up while the attacker uses very little bandwidth. Or they may use HTTP floods, in which thousands of requests per second are sent to overwhelm the target's capacity. Layer 7 attacks are especially effective when aimed at resource-intensive endpoints such as search pages, login forms, or API calls that trigger expensive database queries, because each request then costs the server far more to answer than it costs the attacker to send.
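To make the Slowloris point concrete, here is an added example (a simulation written for this page, not code from the article or from any web server project) that feeds constructed connections, a normal client and a Slowloris client, to a simulated header reader under two policies. The weak policy relies only on an idle timeout, which Slowloris defeats by sending a byte just before it fires; the hardened one also enforces an absolute deadline and a size cap on the header block. The timings, limits, and sample connections are assumptions, not measurements.

```python
# Added example (not from the article): simulating two header-read policies
# against a Slowloris client. Connections are modelled as lists of
# (seconds_since_accept, bytes) chunks, constructed for this example, so no
# sockets are involved.


def headers_complete(buf: bytes) -> bool:
    """HTTP/1.1 headers end at the first blank line."""
    return b"\r\n\r\n" in buf


def read_headers(chunks, idle_timeout=None, header_deadline=None,
                 max_header_bytes=8192, horizon=300.0):
    """Simulate a server reading request headers from one connection.

    idle_timeout     -- drop the connection if the client is silent this long
                        (the only protection in the weak policy).
    header_deadline  -- drop it if headers are not complete this many seconds
                        after accept, however chatty the client is.
    max_header_bytes -- drop it if the header block grows past this size.
    horizon          -- how long we observe; a connection still open at the
                        end is reported as held for the whole horizon.
    Returns (outcome, seconds_the_connection_was_held).
    """
    buf = b""
    last_activity = 0.0            # accept time
    for t, data in chunks:
        if header_deadline is not None and t > header_deadline:
            return "dropped_deadline", header_deadline
        if idle_timeout is not None and t - last_activity > idle_timeout:
            return "dropped_idle", last_activity + idle_timeout
        buf += data
        last_activity = t
        if len(buf) > max_header_bytes:
            return "dropped_too_large", t
        if headers_complete(buf):
            return "complete", t
    # The client stopped sending without finishing the headers.
    if header_deadline is not None:
        return "dropped_deadline", header_deadline
    if idle_timeout is not None and last_activity + idle_timeout <= horizon:
        return "dropped_idle", last_activity + idle_timeout
    return "held_open", horizon


def slowloris_stream(interval=9.0, horizon=300.0):
    """A Slowloris connection: a valid request line, then one bogus header
    line every `interval` seconds, and never the terminating blank line."""
    chunks = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
    t, n = interval, 0
    while t <= horizon:
        chunks.append((t, f"X-a{n}: b\r\n".encode()))
        t += interval
        n += 1
    return chunks


# Constructed sample connections.
LEGIT = [(0.0, b"GET / HTTP/1.1\r\nHost: ex"),
         (0.08, b"ample.test\r\nAccept: */*\r\n\r\n")]
HEADER_BLOAT = [(0.0, b"GET / HTTP/1.1\r\nX-Pad: " + b"a" * 9000 + b"\r\n")]


def compare_policies():
    """Run each connection under the weak policy (idle timeout only) and the
    hardened one (idle timeout plus absolute deadline and size cap)."""
    weak = dict(idle_timeout=10.0, max_header_bytes=1 << 20)
    hardened = dict(idle_timeout=10.0, header_deadline=30.0, max_header_bytes=8192)
    results = {}
    for name, conn in (("legit", LEGIT), ("slowloris", slowloris_stream()),
                       ("bloat", HEADER_BLOAT)):
        results[name] = {"weak": read_headers(conn, **weak),
                         "hardened": read_headers(conn, **hardened)}
    return results


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:10s} weak={r['weak']}  hardened={r['hardened']}")
```

Under the weak policy the Slowloris connection is still open at the end of the 300-second horizon, so a few thousand such connections are enough to fill a server's worker pool; under the hardened policy it is dropped at the 30-second deadline while the legitimate client, which finishes its headers in well under a second, is unaffected. Production servers expose exactly these knobs (a header timeout, a header size limit, and a per-client connection cap).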
Protocol attacks
DDoS protocol attacks mainly take advantage of weaknesses in Layers 3 and 4 of the OSI model, namely the network layer and transport layer.
At the network layer (Layer 3), attackers flood their targets with bogus packets to jam up their networks, denying legitimate users access. Examples include ICMP flooding and, as an enabling technique, IP spoofing.
With IP spoofing, attackers send packets with forged source IP addresses. The target cannot tell who really sent them, any replies go to the forged address rather than the attacker, and blocking by source address becomes ineffective; spoofing is also what makes reflection attacks such as DNS amplification possible. ICMP flooding sends a high volume of small ICMP packets, typically echo requests (pings) carrying no payload beyond the control message, each of which the victim must process and answer.
At the transport layer (Layer 4), attackers abuse protocols such as TCP or UDP to initiate large numbers of connections or transactions that deplete connection tables, sockets, and processing capacity on the server side.
A common example is the SYN flood, in which the attacker sends large numbers of TCP SYN packets, usually with falsified source IPs, and never completes the handshake. Each SYN makes the server allocate a half-open connection entry while it waits for the final ACK; once that backlog is full, new connection attempts from legitimate users are dropped, resulting in heightened latency and service disruption.
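The standard defence against SYN floods is SYN cookies, in which the server encodes the handshake state in its initial sequence number instead of storing a half-open entry, so a spoofed SYN costs it nothing beyond one SYN-ACK. The following is an added example of the idea, written for this page and modelled on the scheme described in RFC 4987; it is not the Linux implementation, and the bit layout, MSS table, 64-second tick, addresses, and secret are teaching simplifications and assumptions.

```python
# Added example (not the article's code): a simplified SYN cookie, modelled
# on the scheme described in RFC 4987. Bit layout, the MSS table and the
# 64-second tick are teaching simplifications, not the Linux implementation.
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1220, 1440, 1460)        # MSS values encodable in 2 bits
COUNTER_BITS = 5                           # time counter, 64 s per tick, mod 32
MSS_BITS = 2
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS   # 25-bit keyed hash
HASH_MASK = (1 << HASH_BITS) - 1
SECRET = b"assumed-server-secret-rotate-me"  # per-server secret (assumption)


def _tick(now: float) -> int:
    return int(now // 64) & ((1 << COUNTER_BITS) - 1)


def _mac(secret, saddr, sport, daddr, dport, tick) -> int:
    """Keyed hash over the 4-tuple and the time tick, truncated to HASH_BITS."""
    msg = struct.pack("!4sH4sHB", saddr, sport, daddr, dport, tick)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, mss, now):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side:
    the tick, the chosen MSS and a MAC bound to the peer are all in the ISN."""
    tick = _tick(now)
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    mac = _mac(secret, saddr, sport, daddr, dport, tick)
    return ((tick << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS)
            | ((mac + client_isn) & HASH_MASK))


def check_cookie(secret, saddr, sport, daddr, dport, seq, ack, now, max_age_ticks=1):
    """Validate the handshake's final ACK. `seq` is its sequence number
    (client_isn + 1) and `ack` its acknowledgement number (cookie + 1).
    Returns the MSS to use for the new connection, or None to drop the ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    tick = cookie >> (MSS_BITS + HASH_BITS)
    age = (_tick(now) - tick) & ((1 << COUNTER_BITS) - 1)
    if age > max_age_ticks:
        return None                              # too old, or a guessed cookie
    mac = _mac(secret, saddr, sport, daddr, dport, tick)
    if (cookie & HASH_MASK) != ((mac + client_isn) & HASH_MASK):
        return None                              # not a cookie we issued to this peer
    return MSS_TABLE[(cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)]


def simulate(now=1_700_000_000.0):
    """Three ACKs against a cookie issued at `now` (documentation addresses)."""
    saddr, daddr = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 10])
    sport, dport, client_isn = 40000, 443, 0x12345678
    cookie = make_cookie(SECRET, saddr, sport, daddr, dport, client_isn, 1460, now)
    # A real client received the SYN-ACK and echoes cookie + 1.
    genuine = check_cookie(SECRET, saddr, sport, daddr, dport,
                           client_isn + 1, cookie + 1, now + 0.05)
    # A spoofing attacker never sees the SYN-ACK; whatever it acks is a guess.
    guessed = check_cookie(SECRET, saddr, sport, daddr, dport,
                           client_isn + 1, 0xDEADBEEF, now + 0.05)
    # A valid cookie replayed three ticks (192 s) later fails the age check.
    replayed = check_cookie(SECRET, saddr, sport, daddr, dport,
                            client_isn + 1, cookie + 1, now + 192)
    return {"genuine": genuine, "guessed": guessed, "replayed": replayed}


if __name__ == "__main__":
    print(simulate())
```

The trade-off is visible in the code: only a few MSS values fit in the cookie and other TCP options are lost, which is why real stacks enable cookies only once the backlog is under pressure rather than for every connection. On Linux this is the `net.ipv4.tcp_syncookies` sysctl.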
Another example is DNS amplification, in which the attacker sends massive numbers of DNS queries with the victim's address as the spoofed source. Unsuspecting third-party DNS servers then send their much larger answers to the victim, exhausting its resources through sheer volume. Because the damage comes from bandwidth rather than from connection state, DNS amplification is usually classed as a volumetric attack, the category described next.
Volumetric attacks
DDoS volumetric attacks, also known as bandwidth consumption attacks, use a variety of methods to flood the target with an overwhelming amount of traffic. The goal is to consume all available bandwidth between the target and the wider internet, creating a bottleneck that prevents legitimate traffic from reaching its destination. Malicious actors can do this by sending massive amounts of data or requests from a botnet, or by reflecting traffic off third-party servers.
One example of a volumetric attack is DNS amplification, which works by sending a request to an open DNS resolver with the victim's IP address spoofed as the source. The resolver then sends its response to the victim, even though the victim never made the request. A good analogy is someone calling a restaurant, ordering the entire menu, and asking them to call back and repeat the entire order, but where the callback number given is in fact the victim's number.
Because a small query produces a response many times its size, it takes little effort on the attacker's part to generate this traffic, yet it can quickly overwhelm network resources and cause performance issues or even downtime for legitimate users.
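Because a reflected DNS answer is a response to a query the victim never sent, the simplest stateful defence is to admit UDP/53 responses only when they match an outbound query, which is what a stateful firewall's connection tracking does. The following added example (written for this page, not code from the article) applies that rule to a constructed set of packet records and estimates the amplification factor the attacker is getting; the record layout, the addresses, and the 5-second query lifetime are assumptions. It illustrates the DNS amplification attack as described both in the protocol-attack section and in this one.

```python
# Added example (not from the article): recognising DNS reflection traffic
# by matching inbound DNS responses against the queries we actually sent.
# The packet records are constructed for this example; the field layout is
# an assumption rather than any real capture format.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" / "tcp"
    length: int    # bytes on the wire
    dns_id: int    # DNS transaction ID (0 if not DNS)


PROTECTED_HOST = "203.0.113.10"            # the host we defend (documentation address)

# Constructed capture: one legitimate lookup, a burst of unsolicited large
# responses from two open resolvers, and one answer that arrives too late.
SAMPLE_PACKETS = [
    Packet(0.00, PROTECTED_HOST, 40001, "198.51.100.1", 53, "udp", 64, 0x1A2B),   # our query
    Packet(0.02, "198.51.100.1", 53, PROTECTED_HOST, 40001, "udp", 120, 0x1A2B),  # its answer
    Packet(1.00, "192.0.2.5", 53, PROTECTED_HOST, 40001, "udp", 3000, 0x0001),    # reflected
    Packet(1.00, "192.0.2.6", 53, PROTECTED_HOST, 40002, "udp", 3000, 0x0002),    # reflected
    Packet(1.01, "192.0.2.5", 53, PROTECTED_HOST, 40003, "udp", 3000, 0x0003),    # reflected
    Packet(10.0, PROTECTED_HOST, 40005, "198.51.100.1", 53, "udp", 64, 0x2222),   # our query
    Packet(20.0, "198.51.100.1", 53, PROTECTED_HOST, 40005, "udp", 200, 0x2222),  # 10 s late
]


def classify_dns(packets, our_host=PROTECTED_HOST, query_ttl=5.0):
    """Stateful DNS filter: admit a UDP/53 response only if we sent a query
    with the same transaction ID to that server within query_ttl seconds.
    Responses with no matching query are unsolicited, i.e. reflected at us."""
    pending = {}                       # (server, txid) -> (query ts, query bytes)
    admitted, unsolicited, query_sizes = [], [], []
    stale = 0
    for p in sorted(packets, key=lambda q: q.ts):
        if p.proto != "udp":
            continue
        if p.src == our_host and p.dport == 53:
            pending[(p.dst, p.dns_id)] = (p.ts, p.length)
            query_sizes.append(p.length)
        elif p.dst == our_host and p.sport == 53:
            query = pending.pop((p.src, p.dns_id), None)
            if query is None:
                unsolicited.append(p)
            elif p.ts - query[0] > query_ttl:
                stale += 1             # dropped as well, but not a reflection
            else:
                admitted.append((p, p.length / query[1]))   # (response, amplification)

    per_reflector = defaultdict(int)
    for p in unsolicited:
        per_reflector[p.src] += 1
    # Estimate the attacker's amplification: reflected response size divided by
    # a typical query size (ours, since the spoofed queries look like ours).
    avg_query = sum(query_sizes) / len(query_sizes) if query_sizes else 64.0
    return {
        "admitted": len(admitted),
        "unsolicited": len(unsolicited),
        "stale": stale,
        "unsolicited_bytes": sum(p.length for p in unsolicited),
        "top_reflector": max(per_reflector, key=per_reflector.get) if per_reflector else None,
        "legit_amplification": max((a for _, a in admitted), default=0.0),
        "estimated_attack_amplification": max((p.length / avg_query for p in unsolicited), default=0.0),
    }


if __name__ == "__main__":
    for k, v in classify_dns(SAMPLE_PACKETS).items():
        print(f"{k}: {v}")
```

The top-reflector count is what you hand to your ISP or to the operators of the open resolvers being abused; note that the reflectors are themselves victims, and the real attacker's address never appears in this traffic at all.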
How to Know You Are Under a DDoS Attack
Not every sudden spike in network activity or latency indicates a DDoS attack. However, there are some telltale signs to look out for if you suspect you may be under attack:
- Sudden and prolonged spikes in traffic from a single source, or from many sources that share a profile such as the same request path, user agent, or network range, could indicate malicious actors are attempting to overwhelm your server resources.
- Unusual traffic patterns or sources that do not align with normal user behavior, such as requests at odd times of the day or from unfamiliar countries.
- Incomplete or malformed requests that make no sense or that your server cannot complete can indicate malicious activity.
- A sudden decrease in website performance, such as slower page loads, increased error rates, and difficulty reaching certain sites or services.
- Slowness or unresponsiveness in specific services or applications, which can be due to a flood of illegitimate requests consuming all available resources on the server.
- Unexpected crashes or reboots of servers and network devices as they run out of memory, connection state, or CPU under the load.
- Unusually high volumes of data flowing between your network and others, which can be due to large numbers of malicious packets being sent from many sources simultaneously.
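The following added example (written for this page, not code from the article) turns four of the signs above, per-source request spikes, traffic concentrated in one source, malformed request lines, and rising server errors, into checks over web-server access logs. The log lines are constructed in Apache/nginx combined style, and the thresholds are illustrative assumptions that should be tuned against your own traffic baseline.

```python
# Added example (not from the article): scoring DDoS warning signs over
# web-server access logs. Log lines are constructed for this example in the
# Apache/nginx "combined" style; thresholds are illustrative assumptions.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
REQUEST_LINE_RE = re.compile(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "req": m["req"], "status": int(m["status"])}


def detect(lines, window_s=10, per_source_limit=50, concentration=0.5,
           error_ratio=0.3, min_total=20):
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    flagged = defaultdict(set)

    # Sign 1: one source exceeding per_source_limit requests in a sliding window.
    recent = defaultdict(deque)
    for e in events:
        dq = recent[e["ip"]]
        dq.append(e["ts"])
        while (e["ts"] - dq[0]).total_seconds() > window_s:
            dq.popleft()
        if len(dq) > per_source_limit:
            flagged[e["ip"]].add("rate")

    # Sign 2: traffic concentrated in one source far beyond a normal share.
    total = len(events)
    top_ip, top_n = Counter(e["ip"] for e in events).most_common(1)[0] if events else (None, 0)
    if total >= min_total and top_n / total > concentration:
        flagged[top_ip].add("concentration")

    # Sign 3: malformed request lines the server cannot act on.
    malformed = sum(1 for e in events if not REQUEST_LINE_RE.match(e["req"]))
    # Sign 4: a jump in server-side errors (5xx) as capacity runs out.
    errors = sum(1 for e in events if e["status"] >= 500) / total if total else 0.0

    suspicious = bool(flagged) or errors > error_ratio
    return {"flagged_sources": {ip: sorted(r) for ip, r in flagged.items()},
            "top_source": (top_ip, top_n / total if total else 0.0),
            "malformed_requests": malformed,
            "server_error_ratio": errors,
            "verdict": "suspected DDoS" if suspicious else "normal"}


def _line(ip, ts, req, status, size=512):
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{req}" {status} {size}'


BASE = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
NORMAL_LINES = [
    _line("203.0.113.5", BASE, "GET /index.html HTTP/1.1", 200),
    _line("203.0.113.5", BASE + timedelta(seconds=4), "GET /style.css HTTP/1.1", 200),
    _line("203.0.113.8", BASE + timedelta(seconds=10), "POST /api/login HTTP/1.1", 200),
    _line("203.0.113.9", BASE + timedelta(seconds=30), "GET /about HTTP/1.1", 200),
    _line("203.0.113.8", BASE + timedelta(seconds=50), "GET /index.html HTTP/1.1", 404),
]
# An HTTP flood: 20 requests per second for 6 s from one address, hitting a
# search endpoint until the server starts answering 503.
FLOOD_LINES = [_line("198.51.100.77", BASE + timedelta(seconds=20 + i // 20),
                     "GET /search?q=aaaaaaaaaaaa HTTP/1.1", 503) for i in range(120)]
# Garbage sent to the HTTP port (a TLS ClientHello, as nginx would escape it).
MALFORMED_LINES = [_line("192.0.2.9", BASE + timedelta(seconds=25 + i),
                         r"\x16\x03\x01\x00\xc4", 400) for i in range(3)]
ATTACK_LOG = NORMAL_LINES + FLOOD_LINES + MALFORMED_LINES

if __name__ == "__main__":
    print(detect(NORMAL_LINES))
    print(detect(ATTACK_LOG))
```

In a real flood the requests come from thousands of addresses, so the per-source rate check alone will miss it; the concentration and error-ratio checks, and grouping by request path or user agent instead of by address, are what catch the distributed case. Logs are also a lagging indicator: by the time a volumetric attack shows up here, your upstream link is already full.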
DDoS Attack Mitigation Strategies
Mitigation rests on basic preparation, response, and recovery principles.
DDoS attack preparation
Some actions and best practices to prepare for DDoS attacks include:
- Install firewalls and intrusion detection systems (IDS).
- Implement secure protocol configurations, and make sure your own servers cannot be used as reflectors against others (for example, do not run open DNS resolvers).
- Update and patch software and systems regularly.
- Segment the network and implement zero-trust network access (ZTNA).
- Use load balancers.
- Implement infrastructure over-provisioning and hardening.
- Invest in DDoS monitoring, detection, and protection services.
- Create a DDoS playbook.
DDoS attack response
When you are under a DDoS attack, your immediate response should be to:
- Inform Your ISP or a Third-Party DDoS Protection Service: Volumetric attacks saturate your link before the traffic ever reaches you, so only an upstream provider can drop it; tell them early so they can respond and help you mitigate the attack.
- Characterize the Attack: There are many kinds of DDoS attack, each with specific characteristics and impacts. To respond appropriately, you need to determine what is being flooded (bandwidth, connection state, or the application), from where, and with what kind of traffic, so you can choose the appropriate course of action.
- Attempt Traceback: You may be able to track where the attack traffic is entering your network and, with your providers' help, where it comes from. Spoofed source addresses mean the IPs you see are often not the attacker's, but the information still supports upstream filtering and can help you get law enforcement involved.
- Implement Tolerance and Mitigation: You will need to stop the attack as close to its source as possible and protect your network from further damage. Tolerance and mitigation strategies include rate limiting and filtering, DDoS-specific firewalls, and anti-DDoS software or scrubbing services.
DDoS attack recovery
After a DDoS attack has subsided, it is vital to look back at the events leading up to it, your response, and how future attacks could be prevented or handled more effectively. Recovery measures may include:
- Security updates
- Tweaking network and infrastructure configurations
- Revising your DDoS playbook
- Staff retraining
- Monitoring for any residual effects
DDoS Software Solutions
Dozens of DDoS software solutions and protection services can help you prevent, detect, and mitigate DDoS attacks more effectively. Some of the most popular include:
- Project Shield
- AWS Shield
- Imperva DDoS Protection
By using these solutions and services and adopting the best practices and strategies above, you can substantially reduce both the likelihood that a DDoS attack succeeds and the damage it does to your systems, data, and services.