Protection from Distributed Denial of Service (DDoS) Attacks

A distributed denial of service (DDoS) attack is an intentional attempt to consume the resources of a network, website, service, or application. A tangible example is a large crowd of people blocking the entrance to a store, preventing anyone from entering. If no one can enter the store, service is denied.

A DDoS attack is successful in technology when users cannot obtain access to an application or service. DDoS attacks are usually temporary, maliciously denying access for a limited amount of time. Even for a short time, no access to a service can have a devastating effect on the bottom line.

There are different types of DDoS attacks, but generally, the goal is to send so many requests to a URL that it crashes under the demand. Other attacks may overwhelm a database with more queries than it can handle. Under any DDoS attack, previously available resources, such as bandwidth, memory, and CPU capacity, become fully utilized by the sheer number of requests inundating the system.

A DDoS attack is generally associated with websites, applications, or even an entire business taken entirely off-line. However, DDoS can be a smaller disruption, resulting in slower, inconvenient access to a service. Even these lesser attacks can damage long-term customer relations and prevent additional growth.


Types of DDoS Attacks


DDoS attacks primarily fall into one of three categories:


  1. Volume-based attacks


A volume-based DDoS attack attempts to consume the bandwidth of its target completely. This could be the bandwidth from the Internet or the bandwidth within an internal network. The goal is to slow or completely stop traffic usually experienced by the target website or service.

Volume-based DDoS attacks are non-intrusive: they do not break into the target, but aim to bring the website down or at least slow it to the point where it is unusable. Congestion is the goal. Disruption is the result.


  2. Protocol or network-layer attacks


Network-layer DDoS attacks, also referred to as TCP State-Exhaustion attacks, are directed at connection points of a system. These infrastructure elements include application servers, load balancers, firewalls, DNS, and more.

Any entry point into a network can be the target of a network-layer DDoS attack. As in the example of a store entrance, if the DDoS attack successfully blocks an entry point, service is denied and the attack has succeeded.

This type of attack attempts to fully occupy the connection state tables built into many entry-point technologies. Within minutes, a DDoS attack can exhaust even high-capacity devices that support millions of connections.


  3. Application-layer attacks


Application-layer, or Layer 7, DDoS attacks target a specific aspect of an application. These attacks are challenging to detect and block, because a single source using minimal traffic can attack one component of an application.

These DDoS attacks have grown in popularity among hackers, making them the most prevalent DDoS attacks of the past few years. Because they require very few resources and relatively low-volume traffic, application-layer DDoS attacks are the deadliest of all DDoS attacks.


How to Identify DDoS Attacks


Every website owner and internet-based business must become familiar with Distributed Denial of Service (DDoS) attacks. These threats are an integral part of the security landscape. Mitigating DDoS attacks can be challenging and time-consuming.

A DDoS attack can be challenging to spot since its symptoms resemble conditions observed in typical business environments. Networks experience the occasional downed server, an off-line service, or even something as simple as a cut cable or a router reset. Any one of these situations impairs traffic flow within a network. We have learned to live with these occasional outages.

When “the network is slow today,” you could be the victim of a malicious, targeted DDoS attack. IT should always conduct a network analysis when performance begins to drop. The source of the slowdown or outage may be more severe and require immediate action.

If the attack is an application-layer DDoS, the root cause can be much more difficult to detect. External tools are needed to perform a detailed analysis of network packets, and behavioral analytics may be required to fully diagnose some attacks.

Without a comprehensive security solution in place at the time of the DDoS attack, the resulting damage will likely be more severe and long-term.
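The network analysis described above, as an added example that is not part of the original article: a small log analyser that looks for the two signatures the article describes, a volumetric spike from one client in a single minute, and a low-and-slow client whose few requests all land on endpoints that are expensive for the backend to serve. The access-log lines are constructed, the thresholds are assumptions to be tuned against a site's own baseline, and the set of "expensive" paths is supplied by the caller.

```python
"""Flag candidate DDoS sources in web-server access logs.

Added example, not code from the original article. The log lines are
constructed, the thresholds are assumptions to be tuned against a site's
own baseline, and the "expensive" endpoints are supplied by the caller.
"""
from collections import Counter, defaultdict
from datetime import datetime


def constructed_log():
    """Return constructed access-log lines: client_ip timestamp method path status."""
    lines = [
        "203.0.113.10 2024-05-01T10:00:01 GET /index.html 200",
        "198.51.100.7 2024-05-01T10:00:02 GET /products 200",
        "203.0.113.10 2024-05-01T10:00:05 GET /about 200",
        "198.51.100.7 2024-05-01T10:01:09 GET /search?q=shoes 200",
        "203.0.113.10 2024-05-01T10:02:30 GET /products 200",
    ]
    # Volumetric pattern: one client sends 60 requests inside a single minute.
    lines += [f"192.0.2.55 2024-05-01T10:03:{s:02d} GET /index.html 200"
              for s in range(60)]
    # Low-and-slow application-layer pattern: one request per minute, every
    # one aimed at a search endpoint that is costly for the backend to serve.
    lines += [f"192.0.2.99 2024-05-01T10:{m:02d}:00 GET /search?q=term{m} 200"
              for m in range(10, 16)]
    return lines


def parse_line(line):
    """Parse one log line into (ip, timestamp, path); return None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[1])
    except ValueError:
        return None
    path = parts[3].split("?", 1)[0]  # drop the query string
    return parts[0], ts, path


def analyze(lines, expensive_paths, baseline_per_minute=10, spike_factor=5,
            app_min_requests=5, app_share=0.9):
    """Return {ip: [reasons]} for clients showing either attack signature.

    - volumetric: more than baseline_per_minute * spike_factor requests from
      one client in any one-minute bucket (assumed baseline; tune per site)
    - application-layer: at least app_min_requests from one client with
      app_share or more of them hitting expensive endpoints, whatever the rate
    """
    per_minute = defaultdict(Counter)  # minute bucket -> Counter of client ips
    total = Counter()
    expensive = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the analysis
        ip, ts, path = rec
        per_minute[ts.replace(second=0, microsecond=0)][ip] += 1
        total[ip] += 1
        if path in expensive_paths:
            expensive[ip] += 1

    findings = {}
    spike_limit = baseline_per_minute * spike_factor
    for minute, counts in sorted(per_minute.items()):
        for ip, n in counts.items():
            if n > spike_limit:
                findings.setdefault(ip, []).append(
                    f"volumetric: {n} requests in minute {minute:%H:%M} "
                    f"(limit {spike_limit})")
    for ip, n in total.items():
        if n >= app_min_requests and expensive[ip] / n >= app_share:
            findings.setdefault(ip, []).append(
                f"application-layer: {expensive[ip]}/{n} requests hit expensive endpoints")
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(constructed_log(), {"/search"}).items():
        print(ip, "->", "; ".join(reasons))
```

The volumetric rule is only as good as the baseline it is compared against, so it should be derived from the site's own quiet-hour traffic rather than the default used here; the application-layer rule deliberately ignores request rate, because that is exactly the signal a low-and-slow attack avoids producing.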


The Reasons for DDoS Attacks


A DDoS attack has the objective of preventing legitimate users from accessing a website or service. Any type of disruption caused by a DDoS attack will negatively impact a business’s success. Depending on the magnitude of the attack and the response time to stop it, the damage may be severe.


The motives behind DDoS attacks are the same as for most other types of hacker-generated attacks. Motivating factors include:


  • Ideology – Hackers driven by ideology are referred to as “hacktivists”. They use DDoS attacks to target websites whose content is contrary to their own beliefs or ideologies.


  • Simple boredom – Many hackers use readily available, prewritten scripts to create DDoS attacks. There is no rhyme or reason behind the attack. The hacker is merely bored and looking for something to do.


  • Competitive feuds – Some businesses have used a DDoS attack to strategically take down a competitor’s website. An attack launched with this type of motivation will impede a competitor during key profit-generating events, e.g., Cyber Monday.


There are also more severe motivations, such as:


  • Extortion – A DDoS attack can effectively freeze a business, stopping the flow of income. Like ransomware, a DDoS attack can be used to extort money from a company.


  • Cyber-warfare – More frequently than most people would like to believe, governments are behind DDoS attacks to block opposition websites and disrupt an enemy’s infrastructure.


Regardless of the reason, DDoS attacks are becoming the most common type of cyber threat. According to recent market research, DDoS attacks have increased rapidly over the past few years. In the past, DDoS attacks were large, with widespread impact. With current technology advances, DDoS attacks are trending smaller and shorter in duration, but with significantly higher traffic rates and larger packet sizes and volumes.


Preventing DDoS Attacks


Several measures can be taken to prevent a DDoS attack.


  1. Blocking countries with a history of DDoS attacks


A high percentage of all website attacks originate from only a few countries, namely China, Russia, and Turkey. This includes all types of cyber-attacks, not just DDoS attacks. You likely do not have a significant number of customers in these countries. A simple measure to prevent the majority of cyber-threats against your business is to block access from these countries.


Firewalls have features that allow you to create and maintain a list of banned countries. Most Internet Service Providers (ISPs) also have tools to block unwelcome website traffic. Not maintaining a list of countries that are known havens for hackers leaves you open to a high number of attacks. It is like inviting cyber-criminals to dinner.


  2. More closely monitor web traffic


There are many tools available that will provide information about website visits. You can see where a visit originated, pages viewed, how long a visitor stays on your site, and much more.

Monitor your website traffic and add suspicious visitors to a list of unwelcome guests, known as a blacklist. If you have banned a country, you can allow an exception for a visitor you know and trust. Watch and control the internet traffic coming to your website. Knowledge is a great defense.


  3. Add a Web Application Firewall (WAF)


A web application firewall (WAF) helps protect your web applications and APIs against DDoS attacks. With a WAF service, you set security rules that control how and what traffic reaches your applications. There are many aspects of a web application that are vulnerable to attack. You can select from a set of standard rules that protect against the most common cyber-threats, and with a little help you can add custom rules tailored to your specific needs.

The set of standard rules available in a WAF is updated frequently, keeping your protection current against the ever-growing list of new threats. If your business depends on a constant flow of internet traffic to stay profitable, you need to add a web application firewall to your security solution.
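The three measures above (a country block with an exception for trusted visitors, a blacklist fed by traffic monitoring, and a per-client rate rule of the kind a WAF applies) combined into one edge policy, as an added example that is not code from the original article or from any firewall or WAF product. GEO_PREFIXES is a constructed stand-in for a GeoIP database using documentation address ranges, "XX" is a placeholder country code rather than any real country, and the rate and burst values are assumptions.

```python
"""Edge access policy: country block with trusted exceptions, a denylist fed
by monitoring, and a per-client token-bucket rate rule.

Added example, not code from the original article or any product.
GEO_PREFIXES is a constructed stand-in for a GeoIP database and "XX" is a
placeholder country code.
"""
import ipaddress
import time
from collections import defaultdict

# Constructed stand-in for a GeoIP lookup; real deployments query a GeoIP database.
GEO_PREFIXES = [
    (ipaddress.ip_network("203.0.113.0/24"), "XX"),  # placeholder "blocked" country
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]


def country_of(ip):
    """Map a client address to a country code, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for network, code in GEO_PREFIXES:
        if addr in network:
            return code
    return None


class TokenBucket:
    """Allow `burst` requests at once, then sustain `rate` requests per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def take(self, now):
        if self.last is not None:  # refill in proportion to elapsed time
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class EdgePolicy:
    def __init__(self, blocked_countries, trusted_ips, denylist, rate, burst):
        self.blocked_countries = set(blocked_countries)
        self.trusted_ips = set(trusted_ips)
        self.denylist = set(denylist)
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.deny_log = []  # (ip, reason) pairs to review during monitoring

    def block(self, ip):
        """Add a suspicious visitor spotted during monitoring to the denylist."""
        self.denylist.add(ip)

    def decide(self, ip, now=None):
        """Return ("allow" | "deny", reason); `now` is injectable for testing."""
        now = time.monotonic() if now is None else now
        verdict = self._evaluate(ip, now)
        if verdict[0] == "deny":
            self.deny_log.append((ip, verdict[1]))
        return verdict

    def _evaluate(self, ip, now):
        # Rules are checked in order: explicit denylist, country ban (skipped
        # for trusted visitors), then the per-client rate rule.
        if ip in self.denylist:
            return "deny", "denylisted address"
        trusted = ip in self.trusted_ips
        if not trusted:
            code = country_of(ip)
            if code in self.blocked_countries:
                return "deny", f"country {code} blocked"
        if not self.buckets[ip].take(now):  # WAF-style per-client rate rule
            return "deny", "rate limit exceeded"
        return "allow", ("trusted exception" if trusted else "passed all rules")


if __name__ == "__main__":
    policy = EdgePolicy({"XX"}, {"203.0.113.5"}, {"192.0.2.66"}, rate=1.0, burst=3)
    for client in ["203.0.113.9", "203.0.113.5", "192.0.2.66"] + ["198.51.100.7"] * 4:
        print(client, policy.decide(client, now=0.0))
```

Trusted visitors bypass only the country rule, not the rate rule, so a compromised trusted address still cannot flood the site; the deny_log is what the monitoring step reviews to decide which visitors to add to the blacklist.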

An often-overlooked entry point for DDoS and other types of cyber-attacks is third-party services and applications. You maintain a supply chain to keep your business functioning, which means you have network or website connections that are ideal access points for attacks.

“Businesses are no longer merely concerned with DDoS attacks on themselves, but attacks on the vast number of business partners, vendors, and suppliers on whom those businesses rely. One of the oldest adages in security is that a business is only as secure as its weakest link. In today’s environment (as evidenced by recent breaches), that weakest link can be, and frequently is, one of the third parties.”

Mike Overly, Cybersecurity Lawyer at Foley & Lardner LLP


Maintaining a secure website or network is a constant battle. When adding a third party to your processes, thoroughly vet its offerings to ensure it is taking the necessary precautions to provide a safe and secure connection. With the complete security solution you create, you know you are not the weakest link. Be careful not to add one while building your supply chain.


The Growing Threat of DDoS Attacks


In the past, a DDoS attack would fit nicely within one of the three types described earlier. Today, DDoS attack types are being combined and used in concert to achieve higher goals and create more sophisticated and complex threats. Over time, DDoS has become more precise and more targeted. Smaller attacks are launched, making them more challenging to detect and prevent.

According to Frost & Sullivan, a growth strategy & research firm, DDoS attacks are “increasingly being utilized as a diversionary tactic for targeted persistent attacks.” DDoS attacks are used as a distraction tactic to divert the attention of security teams while the cyber-criminals deploy more advanced persistent attacks to steal intellectual property or financial data.

The battle against DDoS attacks is ongoing. No winner will be declared. Both attacks and security practices will continue to evolve to address advancements made on the other side. Awareness is the best defense against a DDoS attack. Utilizing strong security measures and maintaining internet traffic awareness will help identify and mitigate DDoS attacks. DDoS attacks will continue, but with the right tools and mindset, the damage can be minimized.