A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its destination.
What is a DDoS attack?
A DDoS attack uses a large number of compromised devices to target and overwhelm a website or online service. These compromised devices form a botnet that is controlled by a hacker. The botnet overwhelms the target with traffic, causing it to crash due to the scale of incoming requests. This denies access to legitimate users who are trying to reach the website or service.
DDoS attacks work by flooding the target with more requests than it can handle. This overwhelms the server resources of the target, disrupting access for legitimate users. The goal is to cause maximum disruption to an organization’s online presence and ability to serve its users.
There are three main types of DDoS attacks:
- Volume-based attacks – This floods the network layer with a high volume of TCP, UDP and ICMP packets to saturate the bandwidth.
- Protocol attacks – This sends non-standard protocols or malformed packets to exhaust server resources.
- Application layer attacks – This overloads applications by sending a flood of requests to crash the application.
Attack vectors used in DDoS attacks include direct flooding, amplification, reflection and botnets. Direct flooding involves using botnets to send large amounts of traffic directly to the target. Amplification uses public services to reflect and amplify a small attack into a larger one. Reflection conceals the source of the attack by using spoofed IP addresses. Botnets infect thousands of computers to carry out coordinated attacks.
Can a DDoS attack be stopped?
There are methods and tools available to help prevent, mitigate and stop a DDoS attack:
- Blackhole routing – This diverts attack traffic towards a “black hole” to absorb the malicious traffic.
- Rate limiting – This restricts the amount of traffic from certain IP addresses or subnets.
- Web application firewalls (WAF) – A WAF can filter, monitor, and block HTTP traffic to and from a web application.
- DDoS mitigation services – These services absorb the attack traffic on behalf of the target and are provisioned for high traffic volumes.
- IP reputation monitoring – This can identify botnet IPs and block them.
If a DDoS attack is detected in its early stages, it may be possible to stop it by blocking the originating IPs or disabling certain ports and protocols. However, if the attack is more advanced, the only recourse may be to work with a mitigation service or content delivery network (CDN) that has the bandwidth to absorb the excess traffic volume.
The key is to have DDoS prevention plans in place before an attack occurs. Once an attack is underway, defending against it becomes exponentially more difficult. Organizations need to have layered DDoS defense capabilities in place to combat attacks at different layers – network, application and database. DDoS protection requires a hybrid on-premise and cloud based solution. When choosing a mitigation service, ensure it offers scrubbing capacity across a globally distributed network of scrubbing centers.
How to remove a DDoS attack
Here are the key steps to effectively respond to and remove an ongoing DDoS attack:
- Detect the attack – Monitor for abnormal spikes in website traffic to identify the attack. Analyze traffic patterns to characterize the attack.
- reroute Traffic – Divert incoming traffic towards scrubbing centers or a Web application firewall that can filter malicious packets. This helps reduce load on the target.
- Block Attackers – Identify the attacking IPs and subnets and add filters to block them. Rate limit traffic from suspicious geolocations.
- Increase Capacity – Provision additional bandwidth and capacity from hosting provider or mitigation service to improve the ability to withstand volume attacks. Deploy extra servers if needed.
- Stop Amplification – If the attack is using amplification techniques, block access to the public servers being abused. Disable or patch vulnerable ports and services.
- Inform Users – Update users through social media and support channels that performance issues are being caused by a DDoS attack which is being handled.
- Trace Source – Analyze logs to trace the attack back to its source network. Identify compromised hosts. Work with ISPs to shut down botnets.
- Thwart Future Attacks – Install updated DDoS prevention tools. Contract managed detection and mitigation services. Develop traffic baseline to help quickly identify the next attack.
The key steps come down to quickly detecting the attack, blocking malicious traffic, increasing capacity to withstand the attack, tracing back to the source, and updating defenses. Expert assistance from DDoS mitigation services may be needed to fully stop a large volume DDoS attack.
How to protect against DDoS attacks
Here are best practices to help prevent and minimize the impact of DDoS attacks:
- Conduct Risk Assessment – Identify critical assets, vulnerabilities and potential attack vectors to understand the risk landscape.
- Develop Incident Response Plan – Have an action plan ready to implement if an attack occurs. Include communication protocols and playbooks.
- Implement Layered Defenses – Use a combination of firewalls, IPS, anti-DDoS solutions and Web Application Firewalls (WAFs) for defense in depth.
- Contract DDoS Mitigation Service – Have a third-party mitigation service ready to instantly absorb extraordinary attack traffic if required.
- Monitor Traffic Patterns – Track inbound traffic and bandwidth usage to detect any anomalies indicating the start of an attack.
- Harden Public-facing Systems – Close unused ports, enable only required services, ensure error handling is robust.
- Maintain Adequate Bandwidth – Provision bandwidth headroom above peak utilization to withstand sudden spikes during attacks.
- Establish Load Balancing – Distribute traffic across multiple servers. Ensure critical systems have backup servers ready if needed.
- Educate Employees – Update staff on how to identify and respond to DDoS attacks through training.
Simply having a DDoS mitigation service contract alone is less than ideal since attacks can overwhelm the mitigation service before appropriate rules are put in place. The best protection combines on-premise and cloud-based DDoS protection across network and application layers, and having mitigation capacity ready on standby.
Conclusion
DDoS attacks aim to disrupt operations and deny user access by saturating network infrastructure with malicious traffic. They leverage botnets to bombard targets from distributed sources. While DDoS attacks can often be stopped, the key is having proactive defenses in place. An effective anti-DDoS strategy requires integrated on-premise security controls combined with cloud-based protections. During an active DDoS attack, traffic scrubbing capacity from a mitigation service may be needed to counteract the high traffic volumes. The ultimate goal should be minimizing business disruption and loss of user productivity from DDoS attacks through a resilient, multi-layered defense.