One of the most common of these malicious acts is the DDoS attack. While the term is familiar to experts, beginners in cyber security may have a hard time working out what it means. With the increase in cyber attacks, many terms are used to describe different offensives, and it is important to understand what DDoS means.
In this article, we will consider the following:
- What is DDoS?
- How does it work?
- Some examples of successful DDoS attacks
- How to identify a DDoS attack
- Types of DDoS attacks
- Strategies for stopping a DDoS
What is DDoS?
DDoS stands for distributed denial-of-service.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
It is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
In layman's terms, a DDoS attack is an attempt to cut off normal access to a targeted server or computer where information is stored by flooding it with fake traffic, making it impossible for a normal user's computer to reach the server and retrieve the information.
As we all know, when traffic is high at a particular time, things are not easily accessible. That is the summary of a DDoS attack: a hacker tries to disrupt normal traffic to a server by sending a high volume of traffic from other devices to that server, which results in a breakdown.
How Does DDoS Work?
DDoS attacks are carried out with networks of Internet-connected machines.
These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is called a botnet.
Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions to each bot.
When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to normal traffic.
Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
The diagram below illustrates how traffic is affected: the red vehicles represent the botnet interrupting the flow of normal traffic, which is coloured blue.
Examples of DDoS Attacks
Yesterday, it was reported that Killnet launched a DDoS attack on an unnamed Italian website. The attack was in response to what the group called a false accusation.
Panix, the third-oldest ISP in the world, was the target of what is thought to be the first DDoS attack. On September 6, 1996, Panix was subject to a SYN flood attack, which brought down its services for several days while hardware vendors, notably Cisco, figured out a proper defense.
Another early demonstration of a DDoS attack was made by Khan C. Smith in 1997 during a DEF CON event, disrupting Internet access to the Las Vegas Strip for over an hour. The release of sample code during the event led to online attacks on Sprint, EarthLink, E-Trade, and other major corporations in the year that followed.
In September 2017, Google Cloud experienced an attack with a peak volume of 2.54 terabits per second. On March 5, 2018, an unnamed customer of the US-based service provider Arbor Networks fell victim to the largest DDoS to that date, reaching a peak of about 1.7 terabits per second.
The previous record had been set a few days earlier, on March 1, 2018, when GitHub was hit by an attack of 1.35 terabits per second. In February 2020, Amazon Web Services experienced an attack with a peak volume of 2.3 terabits per second.
In July 2021, CDN provider Cloudflare boasted of protecting a client from a DDoS attack by a global Mirai botnet that peaked at 17.2 million requests per second. Russian DDoS prevention provider Yandex said it blocked an HTTP pipelining DDoS attack on September 5, 2021 that originated from unpatched MikroTik networking gear.
How to Identify a DDoS Attack?
The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But since a number of causes, such as a legitimate spike in traffic, can create similar performance issues, further investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS attack:
- Suspicious amounts of traffic originating from a single IP address or IP range
- A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version
- An unexplained surge in requests to a single page or endpoint
- Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes)
There are other, more specific signs of a DDoS attack that vary depending on the type of attack.
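As an added example (not part of the original article), here is a small Python script that scans web-server access log lines for three of the signs listed above: a single source IP, a surge to one endpoint, and a uniform client profile (User-Agent). The log lines and the share thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; captures client IP, request path, User-Agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \d+ "[^"]*" "([^"]*)"$')

def parse(lines):
    """Yield (ip, path, user_agent) for every well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def ddos_indicators(lines, ip_share=0.5, path_share=0.8, ua_share=0.9, min_total=20):
    """Return indicator strings for the signs above; an empty list means none found.
    The *_share thresholds (fraction of all requests one IP, path or User-Agent may
    account for) are illustrative assumptions: tune them to your traffic baseline."""
    ips, paths, uas = Counter(), Counter(), Counter()
    for ip, path, ua in parse(lines):
        ips[ip] += 1
        paths[path] += 1
        uas[ua] += 1
    total = sum(ips.values())
    findings = []
    if total < min_total:  # too little traffic to judge
        return findings
    ip, n = ips.most_common(1)[0]
    if n / total >= ip_share:
        findings.append(f"single source {ip} sent {n}/{total} requests")
    path, n = paths.most_common(1)[0]
    if n / total >= path_share:
        findings.append(f"surge to one endpoint {path}: {n}/{total} requests")
    ua, n = uas.most_common(1)[0]
    if n / total >= ua_share:
        findings.append(f"uniform client profile: {n}/{total} requests use {ua!r}")
    return findings

# Constructed sample logs (not real traffic): a flood from one host, then ordinary browsing.
FLOOD_LOG = [
    f'203.0.113.5 - - [10/Jun/2022:03:00:{i:02d} +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.68.0"'
    for i in range(28)
] + [
    '198.51.100.7 - - [10/Jun/2022:03:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Firefox/100.0"',
    '198.51.100.9 - - [10/Jun/2022:03:00:09 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 Chrome/101.0"',
]
NORMAL_LOG = [
    f'198.51.100.{i} - - [10/Jun/2022:14:{i:02d}:00 +0000] "GET /page{i % 5} HTTP/1.1" 200 900 "-" "Mozilla/5.0 Browser{i % 3}"'
    for i in range(1, 26)
]
```

Running `ddos_indicators(FLOOD_LOG)` yields three indicators, while `NORMAL_LOG` yields none; real deployments would compare against a rolling baseline rather than fixed fractions.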
What are the Types of DDoS Attacks?
1. Application layer attacks
Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model, the application layer: what you see in the browser, the web page itself, is the application layer), the goal of these attacks is to exhaust the target's resources to create a denial-of-service.
The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is computationally cheap to execute on the client side, but it can be expensive for the target server to respond to, as the server often loads multiple files and runs database queries in order to create a web page.
Layer 7 attacks are difficult to defend against, since it can be hard to differentiate malicious traffic from legitimate traffic.
2. Protocol attacks
Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers.
Protocol attacks exploit weaknesses in layers 3 and 4 of the protocol stack to render the target inaccessible.
These are the network layer (third layer of the OSI model) and the transport layer (fourth layer of the OSI model). They are concerned with transferring data across the network (using IP addresses) and with how that data is delivered and synchronised end to end (TCP or UDP mode).
3. DNS attacks
By sending requests to open DNS (Domain Name System) resolvers with a spoofed source IP address (the IP address of the victim), the attacker causes the DNS servers to send their responses to the victim instead. A large number of such requests, each answered to the victim's IP address, adds up to a DDoS.
Strategies for Stopping a DDoS attack?
The key concern in mitigating a DDoS attack is differentiating between attack traffic and normal traffic.
On today's Internet, DDoS traffic comes in many forms. It can vary in design from un-spoofed single-source attacks to complex and adaptive multi-vector attacks.
A multi-vector DDoS attack uses different attack pathways to overwhelm a target in different ways, potentially distracting mitigation efforts on any one path.
An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification attack (targeting layers 3/4) coupled with an application-layer attack (targeting layer 7), is an example of a multi-vector DDoS.
Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter different trajectories.
Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks.
While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively.
Nevertheless, rate limiting is a useful component of an effective DDoS mitigation strategy. Learn about Cloudflare rate limiting.
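As an added example (not part of the original article, and not Cloudflare's product), here is a sliding-window rate limiter wrapped as WSGI middleware in Python. The `simulate` function drives it with a fake clock and constructed client addresses to show a flooding client being cut off with HTTP 429 while a normal client is still served.

```python
import time
from collections import deque
from threading import Lock

class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window`-second span."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}            # key -> deque of request timestamps
        self._lock = Lock()

    def allow(self, key):
        """Record a request for `key`; return False if it exceeds the limit."""
        now = self.clock()
        with self._lock:
            q = self._hits.setdefault(key, deque())
            while q and now - q[0] >= self.window:  # expire timestamps outside the window
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True

def rate_limited(app, limiter):
    """WSGI middleware: answer 429 when the client IP is over its limit."""
    def wrapper(environ, start_response):
        key = environ.get("REMOTE_ADDR", "unknown")  # key on client IP (assumption: no proxy)
        if not limiter.allow(key):
            start_response("429 Too Many Requests",
                           [("Content-Type", "text/plain"),
                            ("Retry-After", str(int(limiter.window)))])
            return [b"rate limit exceeded\n"]
        return app(environ, start_response)
    return wrapper

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def simulate(limit=10, window=60.0):
    """Fake clock, 1 s per request: 30 requests from a flooding client and 5 from a normal one."""
    t = [0.0]
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: t[0])
    app = rate_limited(hello, limiter)
    statuses = {"203.0.113.5": [], "198.51.100.7": []}  # constructed client addresses
    for i in range(35):
        ip = "203.0.113.5" if i % 7 else "198.51.100.7"
        t[0] += 1.0
        app({"REMOTE_ADDR": ip}, lambda status, headers: statuses[ip].append(status))
    return statuses
```

With the defaults, the flooding client gets 10 responses of 200 and then 20 of 429 inside the window, and the normal client's 5 requests all succeed; once the window has elapsed the limiter admits the client again.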
Web Application Firewall:
A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.
By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack. Learn more about Cloudflare's WAF.
Anycast network diffusion
This mitigation approach uses an Anycast network to scatter attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network.
Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability.
The reliability of an Anycast network in mitigating a DDoS attack depends on the size of the attack and on the size and efficiency of the network. An important part of the DDoS mitigation implemented by Cloudflare is the use of an Anycast distributed network.
In this article, we discussed what DDoS attacks are, how they work, and went over some examples of such campaigns. The write-up also highlighted some key factors that could help in identifying such cyber offensives.
The piece closed by outlining common types of DDoS and strategies to prevent them. This guide is mainly for educational purposes and should not be construed as a motivation to carry out malicious acts.