Single-point Failure
What is DDoS?
Distributed Denial of Service (DDoS) is a type of cyberattack that tries to make a website or network resource unavailable. An attacker coordinates hundreds or thousands of devices across the internet to send an overwhelming amount of unwanted traffic to the target, which could be a company’s website or network.
Almost any type of internet-facing connected device could be a potential DDoS resource: Internet of Things (IoT) devices, smartphones, personal computers, and powerful servers.
Packets of data are used to communicate on the internet. A DDoS sends unwanted packets, which can be very large packets with lots of data, small packets very rapidly, or packets that require extra processing. It can also make the targeted device waste time waiting for a response that never comes. The target is kept so busy dealing with malicious packets and improper communication methods that there is little or no time left to respond to normal incoming requests – so legitimate users are denied service.
Why DDoS?
Understand the motivations of attackers
Attackers have different reasons for denial of service attacks including: hacktivism, script kiddies, financial manipulation, extortion, digital warfare, and harming competition.
- Hacktivism: To damage the reputation of a company or to make a political statement, hacktivists deface or block access to digital properties, conduct virtual sit-ins, and gather intelligence. One of their tactics is denial of service.
- Script kiddies: To expand and demonstrate their digital prowess, young developers download free tools and develop their own. An example is an enterprising 12-year-old who targeted a /24 subnet, posted a tutorial on YouTube and coordinated a communal attack with other minors on STEAM and IRC.
- Stock prices: Financial services firms have been a prominent target for economically and ideologically motivated criminals. Complex campaigns can adversely affect public perception of the targeted enterprise as well as the perception of market participants (i.e., investors). The result can halt trading on an exchange or influence a company’s stock price.
- Extortion: DD4BC initiated small attacks and sent ominous emails threatening a larger attack – with a payout demanded via email to prevent an attack that would take down the site. Copycats followed, often with empty threats, hoping to capitalize on the fears of their targets. More recently, memcached attacks were turned into extortion with threats embedded in the attack payloads.
- State-sponsored: DDoS attacks are an inexpensive way for nations to disrupt the operations of an enemy, or for state-sponsored actors to hush free speech. Attacks launched between nation-state actors could disrupt infrastructure such as hospitals and utilities.
- Competitors: While business competitors may seek to interfere with the operations of a competing business, attacks are more common among another sort of competitor: gamers. There’s a long history of gamers using denial of service attacks targeted at a fellow user to kick that player off a platform temporarily – or to take down an entire rival gaming platform.
What are the types of DDoS attacks?
Learn the difference between botnets and reflection
DDoS can be launched in two very different ways. With a botnet, the attacker must first infect and control many devices with malware. With reflection methods, an attacker does not need to control the resources, and instead uses the normal behavior of common Internet protocols and software to cause devices to send unwanted data to the attacker’s target.
Spotlight: Reflection attack
The largest DDoS attack Akamai has mitigated was fueled by a reflector, memcached. This reflection and amplification attack targeted one of our software clients and exceeded 1 Tbps. Memcached was developed to act as a distributed memory caching system. Since the protocol uses an insecure internet protocol, and carries the potential for tremendous amplification, it has the key traits of a powerful reflection-based attack vector.
Examples of commercial DDoS protection services:
- Azure DDoS Protection
- Cloudflare Pro Plan ($20 per month)
Types of DDoS attacks
Because insecure and misconfigured systems are widely available online, criminals have several ways to build a distributed denial-of-service attack. Different DDoS attacks use varying methods to target different components of a network connection. While nearly all DDoS attacks focus on overwhelming the target device or network, attacks can generally be divided into three categories.
Application Attacks focus on a specific service or application by attempting to exhaust the resources used by the target. These attacks often target the applications that generate web pages and deliver the responses to requests.
Application-level attacks take advantage of the imbalance in traffic volume of the client-server model to cause a high load on the service with little effort from the client side. While a single request is usually cheap for the client to send, it can be expensive for the target server to respond to.
HTTP flood is one of these types of attacks. It uses a large number of HTTP requests to flood the server, preventing normal users from accessing the web application.
A Memcached reflection attack is quite a recent method of DDoS which attempts to overload the victim with spoofed requests to a vulnerable UDP Memcached server. Similarly to other amplification attacks, it works by sending small initial requests to which the Memcached server responds with a much larger amount of data.
Protocol Attacks concentrate on exhausting the capacity of web application servers or intermediate resources like firewalls and load balancers. These attacks utilize weaknesses in different types of protocols to render the target inaccessible to normal traffic.
SYN flood is one form of protocol attack that uses a succession of SYN requests. It works by breaking the normal three-way handshake (SYN, SYN-ACK, ACK) by either never completing the exchange or by spoofing the originating IP, so that the final ACK never arrives. This causes the server to wait and binds resources to the half-open connections.
Volumetric Attacks rely on a high amount of traffic to a targeted network to overwhelm its bandwidth capacity. These attacks flood the target to slow down or halt its services entirely. The severity of this type of attack depends on the volume the attacker can generate, often ranging from hundreds of Gbps up to over 1 Tbps.
DNS amplification attacks use insecure DNS servers to reflect and amplify traffic to obfuscate the origin of the attack and increase its effectiveness. The attacker uses a large number of small requests to query for very large DNS records while reflecting the responses to the intended victim by forging the return IP address.
NTP amplification is another reflection-based attack that abuses the Network Time Protocol. It exploits the disparity in bandwidth costs between the attacker and the target that causes small queries to result in large responses.
Common mitigation tactics
The effectiveness of a DDoS attack in disrupting services depends on the scale of the attack and the readiness of the target to mitigate it. Most mitigation strategies, aside from offsite protective services, rely on preventative internet infrastructure solutions.
Rate-limiting
Rate limiting the number of connections that a single client can open within a certain amount of time can mitigate potential DDoS attacks pre-emptively. In normal use, a web browser can open 5 to 7 TCP connections to a single website when loading all assets to display the page. In contrast, DDoS attacks often go way beyond this to maximise the effect. As such, anything above 10 concurrent connections could be considered unusual.
For rate-limiting, a load balancer can be a useful first line of defence against DDoS. As an example, HAProxy, which is primarily a load balancer proxy for TCP and HTTP, is also capable of acting as a traffic regulator. HAProxy can be used to protect against DDoS attacks by denying or redirecting connections based on a variety of identifiers such as IP, URL or cookies.
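As an added example (not configuration from the original article or the HAProxy project), the following HAProxy frontend tracks each client IP in a stick-table and refuses clients that exceed the per-client limits discussed above; the names fe_web, be_web and the backend address are placeholders, and the thresholds are assumed starting points to be tuned against your own traffic baseline.

```haproxy
# Added example: per-client connection and request rate limiting in HAProxy.
# Placeholder names/addresses; tune the thresholds to your own baseline.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind *:80

    # One entry per source IP, expired 60s after its last update.
    #   conn_cur           = connections currently open from that IP
    #   conn_rate(10s)     = new connections opened in the last 10 seconds
    #   http_req_rate(10s) = HTTP requests seen in the last 10 seconds
    stick-table type ip size 100k expire 60s store conn_cur,conn_rate(10s),http_req_rate(10s)

    # Track the source address as soon as the TCP connection arrives, before
    # any HTTP parsing, so that floods are cheap to drop.
    tcp-request connection track-sc0 src

    # A browser needs roughly 5-7 connections per site; more than 10 open at
    # once from a single IP is treated as abuse and refused at the TCP layer.
    tcp-request connection reject if { sc_conn_cur(0) gt 10 }

    # Refuse clients that open connections faster than 20 per 10 seconds.
    tcp-request connection reject if { sc_conn_rate(0) gt 20 }

    # At the HTTP layer, answer request floods with 429 instead of passing
    # them on to the application servers (the expensive part of an HTTP flood).
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    default_backend be_web

backend be_web
    # Placeholder application server.
    server app1 10.0.0.10:8080 check
```

Tracking by source IP lumps together all users behind one NAT or corporate proxy, so check the stick-table (for example with `show table fe_web` on the stats socket) for legitimate high-volume sources before lowering the thresholds.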
Web Application Firewall
Another possible way of preparing for DDoS attacks is configuring a Web Application Firewall, or WAF. When used as a reverse proxy, a WAF can protect the targeted server from certain types of malicious traffic and assist in mitigating application-layer DDoS. Abusive traffic can be mitigated by filtering requests with rules that identify DDoS traffic, tailored to the type of abuse the target is receiving. The important feature of an effective WAF is giving the service administrator the ability to quickly implement custom rules to mitigate the attack.
Blackhole routing
One of the simplest countermeasures for mitigating a DDoS attack is routing the flood of connections to a “black hole” by discarding all data. Blackhole routing is an option available to all network administrators, and this type of mitigation is often employed by ISPs. Network infrastructure providers may not otherwise be able to handle the incoming traffic without becoming overwhelmed. Therefore, the affected network provider may need to blackhole all traffic to the targeted IP address to protect other users on the network, while effectively taking the target’s site off-line.
DDoS protection services
The most effective way of mitigating DDoS attacks is simply having more capacity to handle incoming data than the cybercriminals can muster. Any single server or service is unlikely to be able to accomplish this alone; therefore, having a helping hand from an external DDoS protection service, such as Cloudflare, can be extremely useful. Cloudflare is already well known for its extensive networking services, providing a content delivery network (CDN) and domain name servers, but it also offers DDoS protection. Cloudflare’s Anycast network absorbs distributed attack traffic by dispersing it geographically to the point where the traffic is absorbed by the network.
This type of network diffusion relies on the capacity of the network being larger than the DDoS attack. For example, Cloudflare reports having a network capacity of 25 Tbps, which is an order of magnitude greater than the largest DDoS attack currently on record.
Securing against exploits
The most important step all server administrators should take is making sure their services are secure and cannot be used in DDoS attacks. Part of this is periodically scanning the servers for possible malware as well as keeping the services up to date on the latest security patches.
Summary
Distributed denial-of-service attacks can seem like hacker magic, but once you understand the mechanics, the mysticism disappears. Although DDoS has become unfortunately common, it’s still quite rare for individual service providers or SMEs to come under attack. However, not at least considering mitigation methods before the first attack occurs will leave your services exposed to more disruption than would otherwise be the case.
The unfortunate truth is, there is always someone willing to go to extreme lengths to object or simply cause trouble. As with any type of bullying, if you do not give the attackers the satisfaction of having disrupted your operations beyond a minor nuisance, they will soon lose interest. By preparing accordingly, anything can be weathered.