A Distributed Denial-of-Service (DDoS) attack is an attempt to disrupt the normal traffic of a targeted server. This is done by overwhelming the server, service or network being targeted with a flood of internet traffic, ultimately slowing the server down or causing it to crash completely. Think of it as being like a traffic jam, which causes all the cars on a road to slow down or come to a stop. Instead of slowing or stopping vehicles, a DDoS attack slows or stops web traffic, causing a website or app to run sluggishly or crash completely.
How Do DDoS Attacks Work?
Network resources can only handle a finite number of requests, and servers have limited bandwidth. This means that the level of service will decline whenever the volume of traffic exceeds the limit of capacity.
Typically, the final goal of an attacker is to completely obstruct the web resource’s normal operation. Additionally, the attacker might also demand that payment be made to end the attack. The attack could also be an attempt to discredit or damage a business’s reputation.
DDoS attacks are conducted using networks of machines, called bots, connected to the internet. These networks are made up of computers and other devices, such as Internet of Things (IoT) devices that are infected with malware. A collection of bots is called a botnet, and when one is created, the attacker can control an attack by giving each bot commands remotely.
When a server or network is targeted by a botnet, each bot sends requests to the target’s IP address – this is what causes the server or network to become overwhelmed, which results in a DDoS attack on regular traffic. Because each bot is a legitimate internet device, it can be hard to distinguish attack traffic from regular traffic.
Types of DDoS Attacks
Although the majority of DDoS attacks involve flooding a targeted device or network with traffic, there are three main types of attacks – within each type, there are also subtypes.
1. Volume-based (volumetric) attacks
A volumetric attack attempts to overrun a network’s bandwidth by sending a lot of traffic or requests to the target. These attacks aim to overwhelm the target in an effort to slow down or completely halt its services. The volume of such an attack is typically in the hundreds of gigabits per second (Gbps). Recently, newer attacks have exceeded one terabit per second (Tbps).
Volumetric attacks are common because of the lower technical barrier to producing an excess volume of requests. Most of the time, attackers will use straightforward amplification tactics. When this type of tactic is used, traffic arrives from many different IP addresses and networks, which makes manual mitigation of volumetric attacks more challenging.
DNS amplification is one subtype of a volumetric attack. During this type of volumetric attack, the attackers make use of open DNS servers, which answer queries from any source. Using these open resolvers, the attacker overwhelms the target server or servers with an excessive quantity of traffic – making the server and its surrounding infrastructure unreachable.
A UDP flood is another subtype of a volumetric attack. During this type of attack, the attacker sends an immense amount of User Datagram Protocol (UDP) packets to the targeted server – aiming to overwhelm the device’s capability to process the requests and respond. This can lead to the firewall that protects the targeted server becoming exhausted, resulting in a denial of service to legitimate traffic.
2. Protocol attacks
A protocol attack uses malicious connection requests that take advantage of protocol interactions to tie up and exhaust the capacity of different network infrastructure resources, including servers and firewalls.
SYN flood is one subtype of a protocol attack that seeks to completely exhaust the server’s resources in order to render it unavailable to legitimate traffic. Attackers can overwhelm all open ports on a server by sending initial connection request (SYN) packets at a high rate. As a result, the targeted device responds to legitimate traffic slowly or not at all.
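The resource being exhausted in a SYN flood is the server’s table of half-open connections: each SYN that gets a SYN-ACK occupies a slot until the handshake completes or a timeout expires. The simulation below is an added example, not code from the original article; the backlog capacity, timeout and arrival rates are constructed values chosen to make the effect visible. It shows why a flood whose SYNs never complete crowds out legitimate clients, and why a shorter half-open timeout or a larger backlog changes the outcome.

```python
"""Simulation of a fixed-size half-open (SYN) backlog under a SYN flood.
Added example; capacity, timeout and rates are constructed, not measured."""
from collections import deque


class HalfOpenTable:
    """Models a listen socket's queue of connections that have sent SYN and
    been answered with SYN-ACK but have not yet sent the final ACK. Each
    entry is held until the handshake completes or `timeout` seconds pass."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = deque()   # (expiry_time, client), in arrival order
        self.refused = 0

    def _expire(self, now):
        # Arrivals are processed in time order and the timeout is constant,
        # so the oldest entry is always at the left of the deque.
        while self.entries and self.entries[0][0] <= now:
            self.entries.popleft()

    def syn(self, now, client):
        """Handle an incoming SYN at time `now`; True if a slot was taken."""
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries.append((now + self.timeout, client))
        return True

    def ack(self, now, client):
        """Final ACK from `client`: the handshake completes, the slot frees."""
        self._expire(now)
        for i, (_, c) in enumerate(self.entries):
            if c == client:
                del self.entries[i]
                return True
        return False


def simulate(capacity, timeout, flood_rate, duration, legit_times):
    """Flood SYNs at `flood_rate` per second that never complete, interleaved
    with legitimate clients that send SYN at `legit_times` and ACK 50 ms later.
    Returns the legitimate clients whose SYN was accepted."""
    table = HalfOpenTable(capacity, timeout)
    step = 1.0 / flood_rate
    events = [(i * step, "syn", f"bot-{i}") for i in range(int(duration * flood_rate))]
    for j, t in enumerate(legit_times):
        events.append((t, "syn", f"user-{j}"))
        events.append((t + 0.05, "ack", f"user-{j}"))
    events.sort()
    accepted = []
    for now, kind, client in events:
        if kind == "syn":
            if table.syn(now, client) and client.startswith("user"):
                accepted.append(client)
        else:
            table.ack(now, client)
    return accepted


if __name__ == "__main__":
    # 100 SYN/s against a backlog of 128 held for 3 s: steady-state occupancy
    # would be 300 slots, so the table fills after ~1.3 s and user-1 is refused.
    print("timeout 3 s:", simulate(128, 3.0, 100, 5.0, [0.5, 2.0]))
    # Same flood with a 1 s timeout: only ~100 slots are ever occupied.
    print("timeout 1 s:", simulate(128, 1.0, 100, 5.0, [0.5, 2.0]))
```

The occupancy a flood can sustain is roughly rate multiplied by timeout, which is why defenders tune the half-open timeout and backlog size (or use a stateless mechanism such as SYN cookies) rather than relying on backlog capacity alone.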
Ping of death
Another subtype of protocol attack is called “ping of death.” In this type of attack, the attacker sends a large packet of malicious data to the targeted server using a simple ping command. What they send is significantly larger than what the server can handle and results in the server crashing, destabilizing or freezing.
3. Application layer attacks
The goal of an application layer attack is to exhaust the target’s resources in order to produce a denial-of-service. The focus of these attacks is to target the layer where web pages are created on the server. The cost of processing a single HTTP request is low on the client side, but the cost of responding on the target server’s end can be high. This is due to the server frequently loading multiple files and database queries to generate a web page. Application layer attacks are challenging to mitigate, as it is difficult to distinguish between malicious and legitimate traffic.
An HTTP flood attack is a subtype of an application layer attack that aims to overwhelm a target server with HTTP requests. Denial-of-service occurs when the target becomes saturated with requests and is no longer able to react to legitimate traffic.
Low-and-slow attacks, also known as slow-rate attacks, are another subtype of application layer attack. This is a stealthy attack on the targeted server that sends what appears to be legitimate traffic at an extremely slow rate – making it difficult to distinguish from regular traffic, so this type of attack frequently goes undetected for long periods of time.
Identifying a DDoS Attack
Although cybercriminals sometimes threaten targets prior to launching a DDoS attack, they frequently happen with no warning. Further, several hours can pass between the time security personnel detect a DDoS attack and the time they mitigate it. This can result in numerous hours of sluggish service or a crashed website or app, which can significantly impact site impressions and sales.
Here are some warning signs that a DDoS attack may be underway.
- Log analysis shows unusual spikes in traffic, but you are unable to identify any plausible explanations for them.
- You experience or begin receiving reports of slow site performance from customers. Additionally, if you use the same connection for your internal network, employees will also start to notice issues with slowness.
- Your server responds with a 503 Service Unavailable error. When the volume of traffic declines, this error normally disappears. If it still persists after some time, something is amiss.
- Certain IP addresses repeatedly request lots of connections in a short period of time.
- Internal users report slow access to files or can’t access them at all.
- Your mail system is overloaded with spam emails.
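Three of the warning signs above can be checked directly from web-server logs: a traffic spike with no baseline explanation, a rising share of 503 responses, and single addresses making many requests in a short window. The script below is an added example, not part of the original article; the log lines are constructed in Common Log Format, and the thresholds (three times the median minute, more than five requests from one address in ten seconds) are assumed starting points that a real deployment would tune to its own baseline.

```python
"""Log-based DDoS warning signs: spike vs baseline, 503 share, noisy IPs.
Added example, not from the original article; the log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def _line(ip, hhmmss, path, status):
    """Build one constructed log line (fixed date, GET only)."""
    return f'{ip} - - [10/Oct/2023:{hhmmss} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: 13:55 and 13:57 are ordinary traffic; during 13:56 two
# addresses hammer the front page and the server starts answering 503.
SAMPLE_LOG = (
    [_line("203.0.113.5", "13:55:01", "/", 200),
     _line("198.51.100.7", "13:55:10", "/about", 200),
     _line("203.0.113.9", "13:55:30", "/shop", 200),
     _line("198.51.100.7", "13:55:45", "/cart", 200)]
    + [_line("192.0.2.10", f"13:56:0{s}", "/", 200 if s < 4 else 503) for s in range(8)]
    + [_line("192.0.2.11", f"13:56:1{s}", "/", 503) for s in range(6)]
    + [_line("198.51.100.7", "13:56:30", "/cart", 503),
       _line("203.0.113.5", "13:57:05", "/", 200),
       _line("203.0.113.9", "13:57:20", "/shop", 200),
       _line("198.51.100.7", "13:57:50", "/checkout", 200)]
)


def parse_line(line):
    """Return (ip, timestamp, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)


def requests_per_minute(records):
    """Count requests per calendar minute (the curve a traffic alert watches)."""
    return Counter(ts.strftime("%H:%M") for _, ts, _ in records)


def spike_minutes(per_minute, factor=3.0):
    """Minutes whose request count exceeds `factor` times the median minute."""
    baseline = median(per_minute.values())
    return sorted(m for m, n in per_minute.items() if n > factor * baseline)


def error_share(records, status=503):
    """Fraction of responses carrying the given status (503 = overloaded)."""
    return sum(1 for _, _, s in records if s == status) / len(records)


def top_talkers(records, window_seconds=10, threshold=5):
    """IPs that made more than `threshold` requests inside any sliding window."""
    by_ip = defaultdict(list)
    for ip, ts, _ in records:
        by_ip[ip].append(ts.timestamp())
    noisy = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                noisy.append(ip)
                break
    return sorted(noisy)


def analyze(lines):
    """Run all three checks over raw log lines and return the findings."""
    records = [r for r in map(parse_line, lines) if r is not None]
    per_minute = requests_per_minute(records)
    return {
        "per_minute": dict(per_minute),
        "spike_minutes": spike_minutes(per_minute),
        "error_share": error_share(records),
        "top_talkers": top_talkers(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the 13:56 minute is flagged as a spike, half of all responses are 503s, and the two flooding addresses are reported as top talkers while the repeat customer 198.51.100.7 is not. Because bots in a botnet each look like a legitimate device, the per-address check alone will miss a widely distributed flood; the spike and error-rate checks are what catch that case.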
How To Mitigate DDoS Attacks
Differentiating between malicious and legitimate traffic is a key concern when mitigating a DDoS attack. Here are a few ways you can mitigate DDoS attacks.
Create a DDoS attack response plan
By being prepared for a DDoS attack before it occurs, you’ll know exactly what to do if an attack transpires. In your DDoS attack response plan, you should have a checklist with all the steps you need to take, who you need to contact and the tools you should be utilizing. Your response plan should also include the responsibilities of each person on your team. By assigning responsibilities early on, everyone on your team will know what to do when a DDoS attack has been identified. Having a response plan set could mitigate a DDoS attack before any permanent damage is done to your organization.
DDoS attacks disrupt the traffic of a targeted server by overwhelming the server with a flood of internet traffic. By continuously monitoring the traffic of your server or network with monitoring tools, you can receive an alert or notification whenever the traffic reaches a certain threshold. Such monitoring not only helps you identify DDoS attacks early on but also helps you mitigate damage.
Because DDoS attacks use botnets to overwhelm a targeted server, rate limiting is useful in limiting the number of requests that a user or bot can make by measuring the amount of time between each request made from each IP address. When there are too many requests made in a certain time frame from a single IP address, the rate-limiting tool blocks them.
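A rate limiter of the kind described above can be implemented as a token bucket: each address has a bucket that refills at a fixed rate, so the limiter is effectively measuring the time elapsed between requests, and an address that drains its bucket is blocked for a cooling-off period. The code below is an added example, not from the original article or any particular product; the burst size, refill rate, block duration and the request trace are constructed values.

```python
"""Per-IP token-bucket rate limiter with a temporary block. Added example,
not from the original article; limits and the request trace are constructed."""
from collections import defaultdict


class TokenBucketLimiter:
    """Each address holds up to `burst` tokens, refilled at `refill_per_second`.
    A request spends one token; an address that has none left is blocked for
    `block_seconds` before it is allowed to start again with a fresh bucket."""

    def __init__(self, burst, refill_per_second, block_seconds):
        self.burst = burst
        self.refill = refill_per_second
        self.block_seconds = block_seconds
        self.buckets = {}         # ip -> (tokens, time of last update)
        self.blocked_until = {}   # ip -> time at which the block lifts

    def allow(self, ip, now):
        """Decide whether a request from `ip` at time `now` may proceed."""
        lift = self.blocked_until.get(ip)
        if lift is not None:
            if now < lift:
                return False
            del self.blocked_until[ip]
            self.buckets.pop(ip, None)   # start fresh once the block lifts
        tokens, last = self.buckets.get(ip, (self.burst, now))
        # Refill in proportion to the time since the previous request.
        tokens = min(self.burst, tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self.buckets[ip] = (tokens, now)
            self.blocked_until[ip] = now + self.block_seconds
            return False
        self.buckets[ip] = (tokens - 1.0, now)
        return True


def replay(limiter, trace):
    """Apply the limiter to (time, ip) pairs; return per-IP allowed/denied counts."""
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for now, ip in trace:
        key = "allowed" if limiter.allow(ip, now) else "denied"
        stats[ip][key] += 1
    return dict(stats)


# Constructed trace: a normal visitor makes five requests two seconds apart;
# a bot fires 20 requests in two seconds, then retries at 20 s and at 40 s.
TRACE = sorted(
    [(2.0 * k, "198.51.100.7") for k in range(5)]
    + [(0.1 * k, "192.0.2.10") for k in range(20)]
    + [(20.0, "192.0.2.10"), (40.0, "192.0.2.10")]
)


def run_demo():
    """Burst of 10, half a token per second, 30 s block after the bucket empties."""
    limiter = TokenBucketLimiter(burst=10, refill_per_second=0.5, block_seconds=30.0)
    return replay(limiter, TRACE)


if __name__ == "__main__":
    for ip, counts in run_demo().items():
        print(ip, counts)
```

In the demo the visitor is never denied, while the bot gets its first ten requests through, is blocked on the eleventh, stays blocked at 20 s and is only served again at 40 s. As the article notes, botnet traffic arrives from many addresses, so a per-IP limit like this needs to be paired with aggregate thresholds and monitoring rather than used on its own.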