General security

DDoS Attacks 101

Dan Virgillito
March 19, 2019 by
Dan Virgillito

Cybercrime is expected to cost businesses over $8 trillion over the next three years, according to the findings of a study by Juniper Research. But while large-scale phishing and ransomware attempts have many companies worried over internet security, there’s another type of cyberattack that’s on the rise — and it's increasingly used by adversaries to wreak havoc. We are referring, of course, to DDoS attacks.

Distributed Denial of Service (DDoS) attacks is one of the oldest attack methods in existence. They can cripple a company’s network and/or website servers long enough to set it back considerably, or even cause it to cease operations for the period of the attack and some time afterwards. For a multitude of industry verticals — be it e-commerce, banking or healthcare — a well-executed DDoS attack can become the cause of financial loss, reputation damage and business shutdown.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

But how much do you really understand DDoS attacks? Knowing they’re a type of cyberattack or about their potential to cause damage is half the battle, so keep reading to find out how they work, who’s at risk and what can be done to detect and mitigate them.

What Is a DDoS Attack?

DDoS attacks are malicious attempts to distort the normal traffic patterns of a service, network or server by overburdening the target with a flood of Web traffic. A DDoS attack increases in effectiveness by leveraging multiple compromised servers — collectively labelled as a botnet — as sources of malicious traffic. Attack devices can include PCs and other Internet-capable resources such as Internet-of-Things devices.

DDoS attacks can occur to businesses of all sizes at any time and place, and in 2018, the number of attacks experienced by companies around the world skyrocketed. Recent examples of a successful DDoS attack include a high-profile one on GitHub. The coding repository went offline because of an attack that scaled to 1.3Tbps.

What Happens During a DDoS Attack?

DDoS requires adversaries to gain access to a group of machines in order to launch an attack. PCs and other machines (like smartphones) are infected with malicious software, with the attack turning each one into a zombie device or bot. The adversary then gains remote control over the bots, creating a group which is known as a botnet. Once a botnet is created, the attacker is able to instruct the individual bots by sending updated directions to each machine through the remote-control method.

When a botnet targets the network or service of a victim, each bot reacts by sending multiple requests to the victim, potentially causing the target’s machine to overflow capacity, leading to a denial of service to usual traffic. Because every bot is a legitimate machine, filtering the malicious flow from normal traffic can be difficult.

What Are the Different Types of DDoS Attacks?

The base of a DDoS attack can significantly vary, but most attacks will be generally classified into one of the following three categories.

Volume-Based DDoS attacks

These attacks try to consume all available bandwidth between the target network/server and the rest of the Internet. Examples of volume-based DDoS attack vectors include DNS amplification, ICMP floods, NTP amplification and more.

Protocol-Based DDoS attacks

Also known as TCP State-Exhaustion attacks, protocol DDoS attacks aim to consume the state table capacity of infrastructure components like load balancers and firewalls, as well as the connection state tables in Web application servers. Attack vectors in this category include Ping of Death, SYN Flood and more.

Application Layer DDoS attacks

Application layer attacks attempt to exhaust the resources of a service or application at Layer 7 (components present in the seventh layer of the OSI model). This is usually done by attacking the layer at the point where Web pages are created and transferred in response to a  HTTP-related request. Examples of application layer attacks include DNSQF (DNS Query Flood), HTTP Flooding and attacks targeting other software vulnerabilities.

What Are Some Common DDoS Attack Tools?

There are several tools that can be used to launch a DDoS attack. Some of them serve a legitimate purpose, as network engineers and security researchers may at times use them to test their companies’ defense mechanisms. Others are designed to attack a specific layer of an application stack. Below is a compilation of the most commonly used ones.

HULK (HTTP Unbearable Load King)

This DDoS attack tool creates a unique request for every request received to disrupt the flow of traffic to the victim’s server. It has a readily available list of random user agents that it leverages to avoid detection through known patterns. In addition, it utilizes referrer forgery in some instances and is capable of bypassing caching engines to impact a system’s resource pool directly.

LOIC (Low Orbit Ion Cannon)

This is an open-source application that can be used to launch a DDoS on smaller networks. The attack is performed by sending HTTP, TCP or UDP requests to the target server. LOIC was made popular by the renowned group Anonymous, who used it to disrupt the networks of many prominent organizations. Users just need to know the IP address or URL of the server, and the tool will do the rest of the job.

HOIC (High Orbit Ion Cannon)

This is another popular tool for setting up a DDoS attack program. HOIC uses the HTTP protocol to perform a targeted attack that is challenging to detect and mitigate. The software, however, requires a minimum of 50 users working on their individual machines to launch a coordinated attack botnet.

What Can Be Done to Detect a DDoS Attack?

The least companies could do is make sure they’re aware of ongoing DDoS attacks. There are several integrations that point toward an attack of such nature, such as a SIEM solution showcasing a huge variation in traffic. For example, if a network typically receives 10,000 visitors on Friday evening, it may be a cause for alarm if it suddenly gets 50,000 pings from various sources.

It’s also worth keeping a close eye on any email accounts hosted on a company’s server and the comments area of any sites running on that system. A dramatic increase in time-to-live (TTL) ping request timeouts, 503 errors and IP address requests could indicate that the time has come to shore up defenses.

What’s the Best Way to Protect a Company From DDoS Attacks?

Unfortunately, not much can be done to stop a network, server or website DDoS attack once it targets a victim. However, there are steps businesses can take to mitigate and even prevent Distributed-Denial-of-Service attacks.

  • Bandwidth monitoring: This mitigation method involves the implementation of a tool that identifies unusual spikes in Internet traffic. High-growth organizations may surpass their bandwidth limits a few times per week, but for most companies, system overload is an indication of an attack
  • WAF (Web Application Firewall): WAF is ideal for mitigating Layer 7 attacks. By placing a Web application firewall between a server and the internet, it may function as a “reverse proxy” to protect the targeted server from different types of malicious requests. By using a series of rules to filter the requests, WAF can prevent or reduce the effectiveness of Layer 7 DDoS
  • Black Hole routing: Another great solution for mitigating a DDoS attack program is black hole routing. It requires admins to set up a black hole route and direct traffic towards it. Both malicious and legitimate traffic is routed to a black hole or null route and then removed from the network. When a server is experiencing a DDoS attack, the security person may send all its incoming and outgoing traffic into a black hole as a line of defense

Alternatively, firms can look into a DDoS mitigation service to protect against attacks. This may increase costs by few hundred dollars a month, but if they wait too long or until an intrusion is detected, they may have to pay much more for the service and wait longer before mitigation happens.

Final Verdict

DDoS attacks are powerful stealth weapons that can shutter an organization. As time goes by, attack methodologies are expected to continue to evolve even more complications and intensity. For doing business as usual, companies need to complement resource availability with a vigilant mitigation approach where they routinely assess the threat landscape and take preventive measures to defend against these attacks.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

 

Sources

  1. Cybercrime to Cost Global Business Over $8 Trillion in the Next 5 Years, Juniper Research
  2. Maximum DDoS attack volumes increased by 75% in Q3 2018, shows Link11’s latest DDoS Report, Link11
  3. GitHub hit with massive 1.35 Tbps DDoS attack, could be world's largest, TechRepublic
Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.