
What is a DDoS attack?

DDoS, short for "Distributed Denial-of-Service," is an attack in which many machines, usually under one attacker's control, flood a server, service or network link with more traffic or requests than it can handle, so that legitimate users cannot reach it. The "distributed" part matters: because the traffic arrives from many sources at once, it cannot be stopped by blocking a single address, and its combined volume can exceed the capacity of the target's entire internet connection. These attacks cause outages, financial losses and damage to a company's reputation.


Motivations behind DDoS attacks

DDoS attacks have various motives, and the perpetrators range from disgruntled individuals to financially motivated criminals. Some attackers launch DDoS attacks to make a statement, to express disapproval of the target, or simply for the challenge. Others target competitors, disrupting their online operations to gain a commercial advantage. In other cases the motive is extortion: the attacker demands payment in exchange for stopping an attack that is under way, or for not launching one, sometimes after a short demonstration attack to show the threat is real.


Understanding DDoS attacks

The primary tool used in DDoS attacks is the botnet: a network of compromised computers or devices (PCs, home routers, IP cameras and other internet-connected equipment) controlled by the attacker. The attacker infects these devices with malware, turning them into bots, usually without their owners noticing. Once a botnet is established, the attacker can command every bot to send traffic or connection requests to the target at the same time, exceeding the capacity the target has for legitimate traffic. Because each bot contributes only a modest share of the total, no single source stands out, which is what makes the attack hard to filter.

Read more: What is a botnet?


Identifying a DDoS attack

Detecting a DDoS attack can be challenging because its symptoms, slow page loads, timeouts, dropped connections and sites that cannot be reached, look like an ordinary outage or a legitimate surge in visitors. Signs that point to an attack rather than a flash crowd include a sudden spike in traffic with no business explanation, a disproportionate share of requests from a single address, address range or region, a flood of requests for the same URL or resource, traffic that rises at odd hours or in regular bursts, and large numbers of half-open connections on the server. The duration and intensity of an attack vary: many last minutes to hours, while some recur or persist for days.


Types of DDoS attacks

DDoS attacks can target different parts of a network and are usually classified by the layer of the network stack they exhaust. The Open Systems Interconnection (OSI) model, which defines seven layers, provides the framework: volumetric attacks saturate bandwidth, protocol attacks exhaust the connection state of servers and network equipment at layers 3 and 4, and application-layer attacks exhaust the application itself at layer 7. Real attacks often combine several of these vectors at once.


Volume-based or volumetric attacks

Volume-based attacks aim to saturate the victim's bandwidth and internet connection, and their size is measured in bits per second. They include plain UDP and ICMP floods and, more dangerously, amplification attacks that abuse third-party services. DNS amplification is the classic example: the attacker sends small DNS queries to open DNS resolvers with the source address spoofed to the target's address, so each resolver sends its much larger response to the target instead of back to the attacker. Because a response can be many times the size of the query, a botnet with modest bandwidth can direct far more traffic at the target than it sends itself. The technique works because DNS runs over UDP, which has no handshake to verify the sender, and because many networks still do not filter packets with spoofed source addresses; the same trick is used against NTP, memcached and other UDP services.


Protocol attacks

Protocol attacks target layers 3 and 4 and exhaust the connection-state tables of servers, firewalls and load balancers rather than raw bandwidth; they are measured in packets per second. The classic example is the SYN flood. The attacker sends a stream of TCP SYN packets, usually with spoofed source addresses. The server answers each with a SYN-ACK and allocates state for the half-open connection while it waits for the ACK that completes the handshake, but that ACK never arrives. The backlog of half-open connections fills up, and the server can no longer accept connections from legitimate clients. SYN cookies, which let a server respond to a SYN without keeping state until the handshake completes, are the standard defence and are supported by most operating systems.
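
The half-open connection pattern described above is what a SYN flood looks like from the server side. The following script, added here as an example and not code from the article or from Paubox, counts SYNs that were never followed by an ACK from the same source and flags a flood when such half-open connections are both numerous and the majority of all SYNs seen. The packet records and the IP addresses are constructed for the example; in practice they would come from a packet capture or flow export.

```python
"""Detect a TCP SYN flood from a list of inbound packet records.

Added example, not code from the article or from Paubox. Each record is a
constructed (source_ip, tcp_flags) pair standing in for a packet arriving at
the server. A SYN that is never followed by an ACK from the same source is a
half-open connection that the server is holding state for.
"""
from collections import defaultdict

# Constructed sample traffic: one ordinary client that completes its handshake
# and sends data, then 200 SYNs from 200 different addresses (one SYN per
# address is the typical signature of spoofed sources) that never complete.
SAMPLE_PACKETS = [
    ("198.51.100.7", "SYN"),
    ("198.51.100.7", "ACK"),
    ("198.51.100.7", "PSH|ACK"),
] + [(f"203.0.113.{i}", "SYN") for i in range(1, 201)]


def _flags(flags):
    return set(flags.split("|"))


def half_open_by_source(packets):
    """Return {source_ip: half-open count} for sources with unanswered SYNs."""
    syns = defaultdict(int)
    completed = defaultdict(int)
    for src, flags in packets:
        f = _flags(flags)
        if f == {"SYN"}:
            syns[src] += 1
        elif "ACK" in f and "SYN" not in f and syns[src] > completed[src]:
            # The first ACK after a pending SYN completes that handshake.
            completed[src] += 1
    return {src: syns[src] - completed[src]
            for src in syns if syns[src] > completed[src]}


def is_syn_flood(packets, min_half_open=100, min_ratio=0.9):
    """Flag a flood when half-open connections are numerous and make up the
    majority of all SYNs seen (a busy but healthy server completes most)."""
    total_syn = sum(1 for _, flags in packets if _flags(flags) == {"SYN"})
    if total_syn == 0:
        return False
    pending = sum(half_open_by_source(packets).values())
    return pending >= min_half_open and pending / total_syn >= min_ratio


if __name__ == "__main__":
    print("flood:", is_syn_flood(SAMPLE_PACKETS))
    print("distinct half-open sources:", len(half_open_by_source(SAMPLE_PACKETS)))
```

The ratio test matters: a popular server under normal load also has many SYNs in flight, but most of them complete within milliseconds, whereas spoofed SYNs never do. The thresholds are placeholders to be tuned against the server's own baseline.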


Application-layer attacks

Application-layer attacks, also known as Layer 7 DDoS attacks, target the layer where web pages are generated in response to HTTP requests. Rather than saturating bandwidth, they exhaust the server's CPU, memory or database by sending requests that are cheap for the client to make but expensive for the server to answer, such as search queries, login attempts or page loads that trigger heavy database queries. Because every request looks like one a real user could have sent, these attacks are the hardest to tell apart from legitimate traffic and can succeed at far lower request rates than the other types; they are measured in requests per second.
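
Both the symptoms listed under identifying an attack and the Layer 7 flood described here show up in the web server's access log, so one analysis serves both. The script below is an added example, not code from the article or from Paubox: it parses Common Log Format lines, measures the request rate during a quiet baseline period, then compares the peak rate afterwards and reports which sources and which path dominate the suspect window. The log lines, timestamps and addresses are constructed for the example; in practice the lines would be read from the server's own access log.

```python
"""Spot a Layer 7 (HTTP) flood in web server access logs.

Added example, not the article's or Paubox's own code. The log lines are
constructed; the parser expects Common Log Format with the usual timestamp.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def _stamp(second):
    return datetime(2024, 5, 1, 12, 0, second).strftime("%d/%b/%Y:%H:%M:%S +0000")


def make_sample_log():
    """Constructed log: 20 s of quiet baseline, then a 10 s flood of an
    expensive search endpoint from five bot addresses."""
    lines = []
    for sec in range(0, 20):
        for ip in ("198.51.100.10", "198.51.100.11"):
            lines.append(f'{ip} - - [{_stamp(sec)}] "GET /index.html HTTP/1.1" 200 5123')
    for sec in range(20, 30):
        for i in range(50):
            ip = f"203.0.113.{i % 5 + 1}"
            lines.append(f'{ip} - - [{_stamp(sec)}] "GET /search?q=a HTTP/1.1" 200 40112')
    return lines


def parse(lines):
    """Yield (ip, unix_second, path_without_query) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-incident
        ip, stamp, _method, path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, int(when.timestamp()), path.split("?")[0]


def analyse(lines, baseline_seconds=10, spike_factor=5, concentration=0.5):
    """Compare the peak per-second rate after the baseline with the baseline
    rate, and report how concentrated the suspect traffic is."""
    records = list(parse(lines))
    if not records:
        return {"verdict": "no data"}
    start = min(sec for _, sec, _ in records)
    baseline = [r for r in records if r[1] < start + baseline_seconds]
    suspect = [r for r in records if r[1] >= start + baseline_seconds]
    baseline_rate = len(baseline) / baseline_seconds
    per_second = Counter(sec for _, sec, _ in suspect)
    peak = max(per_second.values(), default=0)
    by_ip = Counter(ip for ip, _, _ in suspect)
    by_path = Counter(path for _, _, path in suspect)
    total = len(suspect) or 1
    top5 = by_ip.most_common(5)
    top5_share = sum(count for _, count in top5) / total
    return {
        "verdict": "flood" if peak > 0 and peak >= spike_factor * baseline_rate else "normal",
        "baseline_rate": baseline_rate,
        "peak_rate": peak,
        "top_sources": top5,
        "top5_share": top5_share,
        "concentrated": top5_share >= concentration,
        "top_path": by_path.most_common(1)[0] if by_path else None,
    }


if __name__ == "__main__":
    for key, value in analyse(make_sample_log()).items():
        print(f"{key}: {value}")
```

A spike on its own can be a flash crowd; what points to an attack is the combination of the spike with traffic concentrated on a few sources or on one expensive path, which is why the report carries both figures rather than a single verdict.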

DDoS attack prevention and mitigation

DDoS attacks cannot be prevented outright, since the attacker controls the source of the traffic, but organizations can reduce their impact. Regular risk assessments and audits identify the exposed parts of the network and the services most likely to be targeted, and a tested response plan (who to contact at the ISP or DDoS mitigation provider, which addresses to protect first, and what the normal traffic baseline looks like) shortens the time to recovery. Capacity headroom and the mitigation techniques below are then applied where the assessment shows the greatest exposure.


Traffic differentiation

The first step when a DDoS attack is suspected is to tell attack traffic apart from legitimate traffic, which usually means comparing current traffic against the normal baseline and looking for the patterns described above, so that filters hit the attack and not the customers. Large providers also use an Anycast network: the same IP address is announced from many data centres, so inbound traffic, attack traffic included, is spread across the distributed network instead of landing on a single site. Each site then absorbs only a fraction of the attack, which keeps the load within its capacity and reduces the impact on the target.


Black hole routing

Black hole routing is another defensive strategy: network administrators or the internet service provider create a route that sends all traffic destined for the attacked address, good and bad alike, to a null route, where it is dropped. This relieves the upstream links and the rest of the network, but it also takes the target completely offline, which is exactly the outcome the attacker wanted. It is therefore a last resort, typically applied to the single address under attack so that the organization's other services stay reachable; ISPs commonly offer this as remotely triggered black holing (RTBH) via BGP.


Rate limiting

Rate limiting caps the number of requests a client, typically identified by IP address or session, may make within a given time window; requests over the limit are rejected (usually with an HTTP 429 response) or delayed. Limits must be tuned against real usage so that legitimate bursts and users behind shared addresses are not blocked. Rate limiting alone is not sufficient against a large botnet, because each bot can stay under the per-client limit while the total still overwhelms the server, but it is a useful component of a mitigation strategy, especially against Layer 7 attacks from a small number of sources.
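
The per-client cap described above, implemented as a sliding-window limiter, as an added example that is not code from the article or from Paubox. Clients are keyed by source address, rejected requests get a 429 with a Retry-After header, and the clock is passed in so the behaviour can be exercised without waiting for real time to pass; the client names and timestamps below are constructed for the example.

```python
"""Per-client sliding-window rate limiter with 429 responses.

Added example, not code from the article or from Paubox. In production the
counters would live in a shared store (for example Redis) so that every server
behind a load balancer enforces the same limit.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per client in any window_seconds interval."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now):
        """Record the request and return True if it is within the limit."""
        q = self._hits[client]
        while q and q[0] <= now - self.window:  # age out timestamps that left the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # rejected requests are not counted against the client
        q.append(now)
        return True

    def retry_after(self, client, now):
        """Seconds until the oldest counted request leaves the window."""
        q = self._hits[client]
        if len(q) < self.max_requests:
            return 0
        return max(0, q[0] + self.window - now)


def handle(limiter, client, now):
    """Toy request handler returning (status, headers) as a web framework would."""
    if not limiter.allow(client, now):
        return 429, {"Retry-After": str(limiter.retry_after(client, now))}
    return 200, {}


def simulate(limiter, requests):
    """Run (client, time) pairs through the handler; return the status codes."""
    return [handle(limiter, client, when)[0] for client, when in requests]


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=10)
    print(simulate(limiter, [("198.51.100.7", t) for t in range(6)]))
```

Not counting rejected requests means a client that keeps hammering the server is let back in as soon as its earlier requests age out; counting them instead would extend the lockout for as long as the flood continues, which is the stricter choice for abusive clients but also for a misconfigured legitimate one.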


Firewalls and Web Application Firewalls (WAFs)

Organizations can deploy network firewalls to filter and block malicious traffic at layers 3 and 4. A Web Application Firewall (WAF) works at layer 7: it acts as a reverse proxy, sitting between the internet and the organization's servers and inspecting every HTTP request before it reaches the application. A WAF can apply rules that block known-bad user agents and request patterns, rate limit individual paths, and challenge suspicious clients before they are allowed through, which helps mitigate Layer 7 DDoS attacks. Two caveats apply: the WAF itself must have the capacity to absorb the attack, and it does nothing against volumetric attacks that saturate the connection in front of it, which have to be handled upstream by the ISP or a cloud scrubbing service.
