Distributed Denial of Service Attacks (DDOS)

What Is a DDoS Attack?

A DDoS is a malicious attempt by an attacker aimed at disrupting the normal traffic of a target host, server, or network by overwhelming it with a flood of Internet traffic. In computing, Denial of Service (DoS) attacks refers to cyberattacks in which perpetrators seek to render a network resource or machine unavailable to users by disrupting the service temporarily or indefinitely.

Perpetrators of DDoS attacks use compromised devices (such as botnets or zombie computers) to execute attacks. In doing so, a perpetrator seeks to overwhelm a network’s surrounding infrastructure by overloading it with enormous amounts of requests, thereby limiting a network’s ability to address those requests.

Criminal perpetrators of such attacks often target services or high-profile web servers such as banks or sites with credit card payment getaways. The motivation behind such attacks varies, and criminals may be driven by an intention to steal, blackmail, or carry out revenge. What makes a DDoS or DoS quite puzzling is that the requests originate from multiple computers and flood a host’s system, which prevents it from differentiating between bad and legitimate requests.

Accomplishing a DDoS attack is reminiscent of having a group of people crowd the entrance of a shop. In such a scenario, legitimate buyers will have difficulties finding their way in, which will ultimately disrupt your trading. Imagine how hectic it would be for you to do business? With that in mind, let’s look back into the history of DDoS attacks, common types of DDoS attacks, potential targets, and how to brace yourself for the ultimate protection against them.

History of The DDoS

This malicious practice has been around for close to three decades. On September 6, 1996, in what is thought to be the first DoS attack, Panix was subjected to an SYN flood attack that crippled its services for days, even as hardware vendors struggled to figure out a defense. A year later in 1997, another DoS was made by Khan Smith during a DEF CON event in Las Vegas, a move that disrupted internet access in a local Strip for nearly an hour.

The resulting sample code that was released during the Las Vegas Strip attack laid the foundation for other online attacks years later on E-Trade, Sprint, Earthlink, among other corporations. Another historical DoS attack was demonstrated on March 5, 2018, when a customer of a U.S-based network provider, Arbor, became the subject of the largest DDoS attack ever recorded. The attack reached a record 1.7 TB per second, surpassing the previous record of 1.35 TB per second that had been recorded a few days earlier the same month. That record would later be surpassed in February 2020 when Amazon Web Services fell victim to a DoS attack that peaked at a volume of 2.3 TB per second.

Other Historical Demonstrations of DoS Attacks

• During June 2019 anti-extradition protests in Hongkong, Telegram (the messaging app) fell victim to a DDoS attack. The attack is believed to have originated from mainland China and was intended to stop protesters from coordinating their movements using the app.
• Across a two-day period that spanned from 6^th to 7^th September 2019, Wikipedia was subject to a DDoS attack in Germany and parts of Europe. During those 48 hours, social media users sought attention to the issue using the hashtag “#WikipediaDown.”

How Does A DDoS Attack Work?

DDoS attacks are executed using a network of machines with access to the Internet. A DDoS network will often comprise numerous computers (and other devices) that are corrupted with malware, enabling them to be controlled remotely by a criminal perpetrator. Every individual device or computer in a network is called a bot/zombie computer, and a network of such bots is referred to as a botnet.

Once a botnet has been assembled, a perpetrator will be able to accomplish a DDoS attack by remotely sending instructions to individual bots. Criminals use bots to target an individual’s or a company’s server, in which case every bot will send requests to the target server’s IP address. This in turn overwhelms the network, resulting in a denial-of-service to the intended traffic.

Attackers use DDoS attacks because they understand every bot represents a legitimate device connected to the internet, and the victim would struggle to differentiate the attack traffic from the normal one.

How Do You Detect A DDoS Attack?

The most common indicator of a DDoS attack is when a website or a service suddenly becomes too slow or completely unavailable. And whereas other factors such as a sudden spike in traffic can slow down a site or service, it is prudent to conduct an investigation. Nonetheless, the following signs can help you detect a DDoS attack on your server.

• A sudden surge in traffic from users with similar characteristics such as device types and location.
• An unrealistic amount of traffic that is originating from one IP address.
• When a single web page on your server receives shocking amounts of requests.
• Unnatural patterns of traffic, such as a spike in traffic during odd hours of the day.

There are numerous indicators of a DDoS attack: some signs vary depending on the type of attack, while others can point to the nature of the attack. Nevertheless, it is vital to do further investigation to ensure the server doesn’t incidentally block out requests from legitimate traffic.

Common Types of DDoS Attacks

What Are the Common Types of DDoS Attacks?

To understand how different DDOS attacks are coordinated, it is important to explore the making of a network connection. That’s because DDoS attacks target different components of a network, called layers. An internet connection network has multiple ‘layers,’ each with a unique purpose.

However, regardless of the layer targeted, a DDoS attack involves overloading a connection’s infrastructure with excess traffic. Criminal perpetrators can employ attack mechanisms that are based on factors such as the attack vectors available to them or can modify attacks based on the countermeasures put in place by the target server. That said, DDoS attacks can be divided into three categories, namely:

Application Layer Attacks

The purpose of this attack is to eliminate all defense resources the target server has to induce a denial of service. This attack is focused on preventing the web generation layer to deny delivery of responses to HTTP requests from legitimate traffic.

In such a scenario, users on the client-side will keep pressing the ‘refresh’ button on their browser over and over, but it would be fairly difficult for the server to generate HTTP requests because numerous computers are flooding it with requests. This results in a denial of service.

Protocol Attacks

Also referred to as a state-exhaustion attack, the purpose of this DDoS attack is to eliminate all server-based defense resources such as firewalls, network equipment, and load balancers. This results in the target server being inaccessible to the intended traffic.

Furthermore, the attack seeks to exploit the TCP handshake resource, which enables two computers to communicate and initiate a network connection. In such a scenario, a target that’s receiving too many requests will be able to generate the Initial Connection Request (TCP), but because the source IP address has been spoofed, the server will keep responding to every request and then waiting for the TCP handshake step to finalize a response, which never happens. Eventually, all the target’s resources would be exhausted.

Volumetric Attacks

This DDoS attacks category attempts to consume the bandwidth that exists between the target server and the Internet, hence inducing congestion. What happens is that an attacker uses a form of amplification that will have few requests sent an enormous amount of data to the target server.

Denial-Of-Service (DoS) Vs Distributed Denial-Of-Service (DDoS) Attacks

What is the difference between a DoS attack and a DDoS attack?

Generally, a DDoS involves a network of devices (botnets) that are remotely coordinated to threaten a single host by overloading it with an enormous number of requests that will stifle its capacity to address them. That is, the incoming traffic will originate from multiple sources (botnets) and flood the victim’s server, in which case, it becomes virtually impossible to prevent the attack as blocking one source won’t do the trick.

A denial-of-service (DoS) attack, on the other hand, refers to a server’s attack that originates from a single host. In a DoS attack, a criminal perpetrator uses one system to launch attacks against a remote server (the victim).

Notable Differences

• In a DoS attack, a single system will target the host, while in DDoS attacks, multiple systems are used.
• Packets of data are sent from one location in a DoS attack while in DDoS attacks, data packets are loaded and sent from multiple locations.
• DoS attacks are easy to block. On the contrary, DDoS attacks are complicated as multiple devices are used to send data.
• Examples of DoS attacks include Teardrop attacks and Buffer overflow attacks whereas examples of DDoS attacks include application-layer attacks and volumetric attacks.

Typical Targets for DDoS Attacks

What are the potential targets of DDoS attacks?

Unlike in the past, reports of DDoS attacks are commonplace nowadays. And specific industries have experienced an unprecedented number of such attacks lately. Experts say the attacks happen not because of too many vulnerable systems, but because there are too many vulnerable users. Some common targets include but are not limited to:

• Large financial institutions.
• Web 2.0 applications.
• Service providers.
• State financial regulatory entities.
• Technological infrastructure.
• Critical infrastructure such as gas, electricity, power grid facilities, among others.

DDoS Attack Statistics

DDoS attacks have spiked in recent times, due in part to the obvious financial motivation criminal perpetrators have. DDoS attacks have puzzled experts because of the sophistication involved. And on the low end, companies that are targeted often suffer financial or reputation damages. That said, the following is a highlight of the most recent and high-profile DDoS attacks.

• According to a 2019 report by NetScout, the year 2019 had a record 8.4 million DDoS attacks. This figure translates to 670,000 threats monthly and 23,000 attacks per day.
• As mentioned, the financial motivation is why DDoS attacks are so prevalent. And data obtained from a 2019 Annual Cyber Protection Study indicated that small-scale businesses and companies that fall victim to DDoS attacks could lose up to $100,000 and $2 million respectively.
• NetScout’s data shows a 64% rise in DDoS attacks that are aimed at wireless telecommunications providers.
• A 2019 Imperva Global DDoS vulnerability study indicated that India was the most attacked country, with 23% of all network layer DDoS attacks aimed at the region.
• Over 50% of DDoS attacks were successful in 2018. That means that one in two attacks resulted in an interruption of service delivery (denial-of-service).

According to the Cisco Network Index, an aggregated 15.4 million DDoS attacks are expected by 2023 worldwide.

How to Stay Safe from DDoS Attacks

The biggest hurdle in preventing DDoS attacks is differentiating between normal traffic from attack traffic. This hampers efforts to alleviate such attacks as organizations struggle to tell legitimate customers from attack traffic. Moreover, the goal of a cyber-attacker is to blend in, which further renders mitigation efforts inefficient.

Some entities opt for mitigation attempts that involve limiting or indiscriminately dropping traffic altogether. But the risk with such strategies is that you may throw away legitimate traffic. Some attackers also strive to circumvent countermeasures employed by the target.

And while companies should keep a watchful eye and advance protection mechanisms at all edges of the organization, here is a checklist to protect servers and networks from DDoS attack vulnerabilities.

• Use blackhole routing solutions to reroute traffic into a null funnel and drop it from the network.
• Use rate limiting to minimize the unit number of requests per server to mitigate denial-of-service.
• Use web application firewalls to mitigate application-layer attacks.
• Employ anti-DDoS security that detects anomalous intrusion in real-time, especially at the network and app layer level to prevent flood attacks.
• Use multifaceted IPS and firewall protection solutions to counter attacks.
• Install active systems in place to actively mitigate and counter-attack as soon as the system is under attack.

The Bottom Line

A Distributed Denial-of-Service (DDoS) attack refers to a malicious attempt by a criminal perpetrator that involves the disruption of normal traffic. The intended customers are denied service because the attack traffic overwhelms the service or network. DDoS attackers use infected computers (botnets) to remotely carry out instructions or sent multiple requests to a victim server. As such, the compromised sources of attack exhaust the server’s defense resources, resulting in clogging up the system, which subsequently creates a denial-of-service to the regular traffic.