What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks are effective because they use many compromised computer systems as sources of attack traffic, which makes the flood hard to filter by source and hard to distinguish from legitimate use. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.
What are the goals of DDoS attacks?
The motivation behind a DDoS attack is to render the target unable to provide its intended service, for example by overwhelming a company’s website with traffic so that legitimate users cannot reach it. The intent is not necessarily to infiltrate the system or compromise its integrity: DDoS attacks are concerned with availability, not confidentiality or integrity. However, shutting down or degrading access to a resource can still inflict tremendous damage, especially if the system is required to perform critical functions or conduct regular business.
Common DDoS attack vectors
There are several main classes of DDoS attacks:
Volume-based attacks
Volume-based attacks aim to saturate the bandwidth of the target. This is achieved by generating a high amount of traffic from multiple sources directed at the target. The incoming traffic essentially overloads the target’s bandwidth capacity. Typical volume-based attacks may involve:
- UDP floods – leveraging spoofed UDP packets
- ICMP floods – leveraging ICMP Echo Request packets
- Reflection/amplification floods – sending small spoofed requests to third-party services (DNS and NTP are the classic ones) so that their much larger responses land on the victim
Volume-based attacks focus on consuming available bandwidth leading to network saturation. Bandwidth consumption makes it difficult for legitimate users to access the service.
Protocol attacks
Protocol attacks target weaknesses in the mechanisms of the protocols themselves, most often the state that a server, firewall or load balancer must keep per connection. TCP, for example, allocates a half-open connection entry as soon as a SYN arrives, before the client has proven it can receive replies, so a state table fills with entries that will never complete. Example protocol attacks include:
- SYN flood – sending a stream of SYN packets, usually with spoofed source addresses. The target allocates a half-open connection for each SYN and holds it until it times out; the final ACK of the handshake never arrives.
- ACK flood – sending spoofed ACK packets to the target. The target, or a stateful firewall in front of it, must look up each ACK against its connection table, and packets that belong to no connection still cost a lookup.
- TCP connection flood – completing a large number of real TCP connections in a short time (no spoofing needed) to exhaust the target’s connection table or worker processes.
Protocol attacks turn the target’s own bookkeeping against it: the resource exhausted is state rather than bandwidth, so they can succeed at far lower packet rates than volumetric floods. Handling the handshake statelessly, as SYN cookies do, is the usual countermeasure.
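The following is an added example, not part of the original article, that puts numbers on the SYN-flood mechanism described above and shows the stateless alternative. The backlog size and the 63-second half-open lifetime are assumptions chosen to resemble a default Linux stack; the SYN-cookie construction is a simplified version of the real one (real stacks also pack the MSS into the sequence number) and the secret is a placeholder.

```python
import hashlib
import hmac

# Model parameters (assumptions chosen to resemble a default Linux stack):
# a SYN-ACK retransmit schedule of 1+2+4+8+16+32 s keeps a half-open entry
# alive for roughly 63 s, and the listen backlog holds 1024 entries.
HALF_OPEN_LIFETIME_S = 63
BACKLOG_SIZE = 1024


def min_spoof_rate(backlog=BACKLOG_SIZE, lifetime=HALF_OPEN_LIFETIME_S):
    """Spoofed SYNs per second that keep a stateful backlog permanently full.

    Each spoofed SYN holds a slot for `lifetime` seconds, so in steady state
    the backlog contains rate * lifetime entries; about 16/s fills 1024 slots."""
    return backlog / lifetime


def simulate_backlog(attack_rate, legit_rate, seconds,
                     backlog=BACKLOG_SIZE, lifetime=HALF_OPEN_LIFETIME_S):
    """Second-by-second model of a SYN backlog without SYN cookies.

    Spoofed SYNs never finish the handshake, so each occupies a slot until it
    expires. Legitimate clients answer the SYN-ACK at once, so their slot is
    freed within the same second; they fail only when no slot is free.
    Returns (legitimate_accepted, legitimate_dropped)."""
    expiries = []          # expiry time of every slot held by a spoofed SYN
    accepted = dropped = 0
    for t in range(seconds):
        expiries = [e for e in expiries if e > t]
        for _ in range(attack_rate):
            if len(expiries) < backlog:
                expiries.append(t + lifetime)
        for _ in range(legit_rate):
            if len(expiries) < backlog:
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped


# SYN cookies: keep no state for the SYN at all. The server's initial sequence
# number is a MAC over the 4-tuple and a slowly changing counter; the final
# ACK carries ISN+1, so a genuine client proves it received the SYN-ACK.
SECRET = b"assumed-per-boot-random-secret"   # placeholder; a real stack draws this at boot


def syn_cookie(src, sport, dst, dport, counter):
    """Mint a 32-bit ISN: 8 bits of counter plus 24 bits of HMAC. (Real
    implementations also pack the negotiated MSS into a few of the bits.)"""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


def check_ack(src, sport, dst, dport, ack, now_counter):
    """Validate the handshake's final ACK with no stored state.

    Accept if ack-1 is a cookie minted under the current or previous counter
    value (the counter normally ticks about once a minute, giving the client
    time to reply). A spoofed source never sees the SYN-ACK, so it cannot
    produce a matching ACK and costs the server nothing but one MAC."""
    isn = (ack - 1) & 0xFFFFFFFF
    return any(syn_cookie(src, sport, dst, dport, c) == isn
               for c in (now_counter, now_counter - 1))


if __name__ == "__main__":
    print(f"spoofed SYNs/s to fill the backlog: {min_spoof_rate():.1f}")
    print("20 SYN/s for 120 s, 5 real clients/s:",
          simulate_backlog(attack_rate=20, legit_rate=5, seconds=120))
    isn = syn_cookie("203.0.113.5", 40000, "198.51.100.1", 443, counter=7)
    print("genuine ACK accepted:", check_ack("203.0.113.5", 40000,
                                             "198.51.100.1", 443, isn + 1, 7))
```

The point of the simulation is the threshold, not the absolute numbers: with a 1024-entry backlog and a 63-second half-open lifetime, a steady 10 SYN/s never fills the table and legitimate clients are unaffected, while 30 SYN/s (well under what a single home connection can send) fills it in about half a minute and then every legitimate SYN is dropped. The cookie functions show why the defense works: the server stores nothing per SYN, and a spoofed source can never produce the ACK that the 4-tuple MAC demands.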
Application layer attacks
Application layer attacks target web server and application resources specifically, such as databases and APIs. The goal is to crash the software, delay execution, or deplete resources like memory, CPU or disk space. Because one cheap request can trigger an expensive operation on the server, these attacks need far less traffic than a volumetric flood and their requests look like legitimate use. Common methods include:
- HTTP flood – bombarding a site with well-formed GET or POST requests, often aimed at expensive pages such as search, login or report generation, so that each request costs the server far more than it costs the bot
- Slowloris – opening many connections to a web server and sending partial HTTP request headers slowly, so that each connection stays open and occupies a worker without ever completing
- DNS query flood – Overwhelming DNS servers with lookup requests
Application-layer attacks consume resources or crash applications at the layer where users interact directly.
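Slowloris is the application-layer attack that is easiest to misunderstand, because a naive "idle timeout" does not stop it. The following added example (not code from the original article) is a minimal loopback server that applies the defense that does work: a deadline for the entire request head, measured from accept, plus a cap on head size. The half-second deadline and the header limit are assumed policy values chosen so the demo runs quickly; the request pieces the slow client sends are constructed for the demo.

```python
import socket
import threading
import time

# Assumed policy values: a production server would allow a few seconds for the
# request head and more header bytes, but the mechanism is the same.
HEAD_DEADLINE_S = 0.5
MAX_HEAD_BYTES = 8192


def serve_one(conn):
    """Read one HTTP request head under a deadline for the whole head.

    Slowloris beats a per-read idle timeout by sending one more header line
    just before the idle timer fires, holding the worker indefinitely. A
    deadline measured from accept() cannot be reset by trickled bytes; an
    upper bound on head size stops the variant that sends headers quickly
    but endlessly. Returns 'ok', 'timeout' or 'closed' for the tally."""
    deadline = time.monotonic() + HEAD_DEADLINE_S
    head = b""
    try:
        while b"\r\n\r\n" not in head:
            remaining = deadline - time.monotonic()
            if remaining <= 0 or len(head) > MAX_HEAD_BYTES:
                conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n"
                             b"Connection: close\r\n\r\n")
                return "timeout"
            conn.settimeout(remaining)
            try:
                chunk = conn.recv(1024)
            except socket.timeout:
                continue              # loop re-checks the deadline and answers 408
            if not chunk:
                return "closed"
            head += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")
        return "ok"
    except OSError:
        return "closed"
    finally:
        conn.close()


def start_server(n_clients):
    """Serve n_clients loopback connections, one thread each, so a slow client
    cannot block a fast one. Returns (port, outcomes list, accept thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    outcomes, workers = [], []

    def accept_loop():
        for _ in range(n_clients):
            conn, _ = srv.accept()
            w = threading.Thread(target=lambda c=conn: outcomes.append(serve_one(c)))
            w.start()
            workers.append(w)
        for w in workers:
            w.join()
        srv.close()

    t = threading.Thread(target=accept_loop, daemon=True)
    t.start()
    return srv.getsockname()[1], outcomes, t


def send_head(port, pieces, delay):
    """Client side: send the request head piece by piece, waiting `delay`
    between pieces, and return the status line the server answers with
    ('' if the server simply closed the connection)."""
    status = lambda data: data.split(b"\r\n", 1)[0].decode(errors="replace")
    with socket.create_connection(("127.0.0.1", port)) as s:
        for piece in pieces:
            try:
                s.sendall(piece)
                s.settimeout(delay)      # waiting for a reply doubles as the inter-piece delay
                return status(s.recv(1024))
            except socket.timeout:
                continue                 # no answer yet: trickle the next piece
            except OSError:
                return ""                # server tore the connection down
        s.settimeout(5)
        try:
            return status(s.recv(1024))
        except OSError:
            return ""


def run_demo():
    """One well-behaved client and one Slowloris-style client against the
    server; returns what each got and how long the slow one held its connection."""
    port, outcomes, server = start_server(2)
    normal = send_head(port, [b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n"], 0.05)
    slow_pieces = [b"GET / HTTP/1.1\r\n", b"Host: victim.example\r\n",
                   b"X-a: 1\r\n", b"X-b: 2\r\n", b"X-c: 3\r\n"]   # never sends the blank line
    started = time.monotonic()
    slow = send_head(port, slow_pieces, 0.25)
    held_for = time.monotonic() - started
    server.join(10)
    return {"normal": normal, "slow": slow, "held_for": held_for,
            "outcomes": sorted(outcomes)}


if __name__ == "__main__":
    print(run_demo())
```

The well-behaved client gets a 200; the slow client, which keeps adding header lines but never sends the blank line that ends the head, is answered with a 408 and disconnected once the deadline passes, so it holds a worker for about half a second instead of for as long as it cares to trickle bytes. Real servers expose exactly these knobs (for example a header read timeout and a maximum header size), and the attack only works where they are left at "wait as long as the client is still sending".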
DDoS attack process
Conducting a DDoS typically involves 3 main steps:
1. Building the botnet
To generate a powerful flood of traffic to the target, an attacker needs access to many systems that can attack simultaneously. This is achieved by building a botnet – a network of machines infected with malware that allows them to be controlled remotely. By compromising many devices and turning them into bots, the attacker can launch coordinated strikes on demand.
Common ways to build large botnets:
- Exploiting vulnerabilities – Unpatched systems are susceptible to malware infection. Attackers actively scan for weaknesses to break in.
- Malware infections – Botnet malware spreads through phishing, drive-by downloads or by tricking users into installing it.
- Internet of Things – Many IoT devices have poor security controls making them prime targets.
2. Command and control
Once a botnet is available, the attacker can control it via command and control (C&C) mechanisms:
- Centralized – Bots connect back to a central C&C server to receive commands
- Peer-to-peer – Bots form decentralized, peer-to-peer networks to distribute commands
- Hybrid – Combination of centralized and P2P topologies
Command and control allows the attacker to update malware and issue specific instructions like targeting a particular system and when to initiate an attack.
3. Launching the attack
When the attacker is ready, they can launch a DDoS attack on demand by issuing commands to the botnet through the C&C channels. Key steps may include:
- Selecting the target – The victim system or service to bombard
- Choosing an attack type – Volumetric, protocol, application layer etc
- Determining the duration – How long to sustain the attack
- Executing on botnet – Sending commands to botnet to start the flood
By leveraging the distributed resources of the botnet, massive floods can be generated. As bots receive commands, they begin executing the desired DDoS attack against the specified target in a coordinated strike.
DDoS attack tools
There are purpose-built DDoS tools and bots used by attackers to conduct attacks more easily:
DDoS-for-hire services
Illegal DDoS services allow customers to essentially “rent” access to pre-built botnets and platforms to initiate attacks on demand. Customers can specify targets and purchase attacks for fees, often paid in cryptocurrency. Some examples of DDoS booter/stresser services include:
- Booter.xyz
- Ragebooter
- Stressthem.to
- Downthem.org
Booter services lower the barrier for conducting powerful DDoS attacks. However, using them still constitutes a serious crime.
DDoS bot malware
Malware tools like the following allow attackers to more easily build and control botnets for executing DDoS attacks:
- Mirai – Targets IoT devices and propagates by brute-forcing Telnet/SSH logins with a built-in list of factory-default credentials
- Qbot – Includes DDoS attack functionality along with other modular features
- Muhstik – Self-propagating botnet agent used for DDoS attacks
Malware streamlines infecting devices and turning them into participant bots in large DDoS swarms. Variants are continuously developed and enhanced by attackers.
DDoS scripts/tools
Script kiddies can launch smaller scale attacks using simple DDoS scripts and tools like:
- HOIC – Free Windows tool for HTTP flooding, with “booster” scripts that vary the requests to make them harder to filter
- LOIC – Open-source tool for TCP, UDP and HTTP flooding. Known for its simplicity and for the many users who ran it during Anonymous campaigns
- XOIC – A LOIC-style tool that claims more potent floods than LOIC
Attack scripts allow novice users to participate in DDoS activities, though at lower sophistication.
DDoS attack symptoms
Active DDoS attacks can produce a variety of observable symptoms:
- Unavailability of websites and web-based services
- Dramatic surges in bandwidth utilization and network traffic
- Increased consumption of computational and memory resources
- Widespread failed connection attempts and timeouts
- Service degradation and slow performance
The specific effects depend on the attack vector, but they generally involve service disruption, crashes, response delays and resource exhaustion. None of these symptoms is unique to DDoS: a traffic spike from a legitimate event, a misbehaving client or a failing upstream dependency can look the same from inside, so confirming an attack means looking at where the traffic comes from and what it requests, not just at how much of it there is.
DDoS defense techniques
There are a variety of defensive strategies and mechanisms that can help mitigate the effects of DDoS activity:
Network ingress/egress filtering
IP address filtering at network edges can block packets with spoofed sources. Ingress filtering (BCP 38) discards packets arriving from a customer network whose source address does not belong to that network’s assigned prefixes; egress filtering does the same for packets leaving a network. This does nothing against a flood from bots that do not spoof, but it removes the spoofing that reflection attacks and most SYN floods depend on. The caveat is that it only helps when deployed by the networks hosting the bots; the victim cannot filter its way out of spoofed traffic at its own edge.
Overprovisioning bandwidth
Maintaining spare bandwidth makes it harder for volumetric floods to saturate connectivity, since the extra capacity absorbs spikes in traffic. It buys headroom rather than immunity: the largest floods exceed what any single organization can reasonably provision.
Load balancers
Load balancers distribute traffic across multiple servers so that no single system takes the full load. They help only while the aggregate capacity of the pool exceeds the attack, and a load balancer that keeps per-connection state can itself be the component whose table fills first under a protocol attack.
Rate limiting
Setting thresholds on request or connection rates, per client, per path or overall, caps the damage any one source can do; traffic over the limit is dropped, delayed or answered with an error. Limits keyed on source address are weak against a large botnet whose members each stay under the threshold, so in practice they are combined with limits on expensive paths and with the other signals a WAF or scrubbing service sees.
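As an added example that is not part of the original article, the following block ties the symptoms section above to the rate limiting described here: it parses web-server access-log lines in the common combined format, flags a client whose request count inside a sliding window exceeds a threshold (the detection side), and then replays the same log through a per-client token bucket to show what an edge rate limiter would have let through (the enforcement side). The log lines are constructed for the demo and the window, threshold, rate and burst values are assumptions; only the log format is the real one written by nginx and Apache.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Parser for the common/combined access-log format written by nginx and Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Return a dict with ip, epoch-second ts, method, path, status and ua,
    or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def flag_floods(lines, window_s=10, threshold=50):
    """Sliding-window request counter per client IP.

    Any IP that makes more than `threshold` requests inside any `window_s`
    span is reported with its peak in-window count. Cheap to run over a log
    tail and catches a single-source HTTP flood; a distributed flood needs
    the same counting keyed on path or on total rate instead of on IP."""
    recent = defaultdict(deque)
    offenders = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and q[0] <= rec["ts"] - window_s:
            q.popleft()
        if len(q) > threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


class TokenBucket:
    """Classic rate limiter: `burst` tokens, refilled at `rate` per second.
    Each request spends one token; an empty bucket means reject."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def enforce(lines, rate=5.0, burst=10):
    """Replay the log through a per-IP token bucket, as an edge rate limiter
    would apply it, and return {ip: (allowed, rejected)}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    tally = defaultdict(lambda: [0, 0])
    for rec in filter(None, map(parse_line, lines)):
        ok = buckets[rec["ip"]].allow(rec["ts"])
        tally[rec["ip"]][0 if ok else 1] += 1
    return {ip: tuple(v) for ip, v in tally.items()}


def make_sample_log():
    """Constructed log (not real traffic): three ordinary clients requesting a
    page every 3 s for a minute, one bot hammering /login 40 times a second
    for 5 s, and one malformed line the parser must skip."""
    base = datetime(2024, 3, 10, 13, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    events = []
    for n, ip in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        for t in range(0, 60, 3):
            events.append((t, ip, f"/page{n}", "Mozilla/5.0"))
    for t in range(10, 15):
        events.extend((t, "203.0.113.7", "/login", "python-requests/2.31") for _ in range(40))
    events.sort(key=lambda e: e[0])
    lines = [fmt.format(ip=ip, ts=(base + timedelta(seconds=t)).strftime("%d/%b/%Y:%H:%M:%S %z"),
                        path=path, ua=ua) for t, ip, path, ua in events]
    lines.insert(7, "this line is not an access-log record")
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("flagged:", flag_floods(log))
    for ip, (ok, rejected) in enforce(log).items():
        print(f"{ip:15} allowed={ok:3d} rejected={rejected:3d}")
```

Over this log the sliding window flags only the bot (200 requests inside a 10-second window against a threshold of 50), and the token bucket at 5 requests/s with a burst of 10 lets the bot through 30 times and rejects 170 while every request from the ordinary clients is allowed. The design choice worth noting is that both the detector and the limiter are keyed on the client address; against a real botnet each bot would stay under the threshold, which is why the same counters are also run per target path and on the aggregate rate.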
Blackhole routing
Blackholing diverts traffic for the attacked address to a null route so it is discarded before reaching protected systems; with remotely triggered blackhole routing (RTBH) the victim’s network advertises the address to its upstream with a next hop that drops, so the discarding happens before the traffic crosses the saturated link. The caveat is that it discards legitimate traffic too: it sacrifices the attacked address to protect the rest of the network, which completes the attacker’s goal for that one service, so it is a last resort rather than a mitigation for the targeted system itself.
Web application firewalls (WAFs)
A WAF inspects HTTP traffic and applies rules to detect anomalies, protocol abuse and known attack patterns, which helps against application-layer floods. It does nothing for volumetric attacks that saturate the link in front of it, and it must itself have the capacity to inspect the flood.
DDoS mitigation services
Cloud-based scrubbing services absorb and filter attack traffic before it reaches the protected network. Web traffic is typically steered through the provider by DNS, with the provider acting as a reverse proxy in front of the origin; whole address ranges can be protected by having the provider announce them via BGP and forward the cleaned traffic back over a tunnel. The origin address must then be kept hidden, since an attacker who learns it can bypass the proxy.
Legal implications of DDoS
DDoS attacks have serious legal ramifications. Participating in them in any capacity can lead to civil and criminal liability:
- Federal and state cybercrime laws – Applies to actually conducting attacks and intentionally damaging systems.
- CFAA – Covers unauthorized access and transmission of code for damaging computers.
- Wiretap Act – Intercepting and re-transmitting network traffic illegally.
- ACMA – Damaging systems, denial of service and unauthorized access offenses.
Penalties can include hefty fines and imprisonment. The law treats DDoS as a serious form of malicious hacking. Claims of good intentions, “testing” or “just following orders” generally do not hold up in court; what separates a lawful load test from an attack is explicit, documented authorization from the owner of the target, and a booter customer has no such authorization.
Ethical implications
DDoS attacks also raise ethical concerns:
- Intentional disruption denies access to users, causes financial damage
- Consumes public resources like network bandwidth unfairly
- May threaten reliability of critical systems like healthcare sites
- Exploits compromised machines without owners consent
- Breaks implicit social contract of reasonable internet use
Though motivations differ, DDoS inherently violates basic ethical principles: it harms others, appropriates shared resources such as network capacity, and uses other people’s machines without their consent. The damage it causes outweighs any moral defense offered for this kind of attack.
The future of DDoS
DDoS attacks will continue evolving as new trends emerge:
Internet of Things integration
The growing IoT landscape provides a vast pool of devices susceptible to exploitation in large botnets. Attackers are already targeting things like connected cameras and DVRs.
Increasing size and frequency
Growing available bandwidth and numbers of vulnerable hosts allow attacks to scale up and occur more often. Attacks exceeding 1 Tbps have already been observed, and sizes will continue to grow.
New reflective techniques
Attackers keep testing other services that answer a small spoofed request with a much larger response, so that the victim receives the amplified reply; CLDAP, DNSSEC-signed DNS responses, ARMS and SNMP have all been abused this way.
As-a-Service model
The increasing accessibility of DDoS-for-hire booter services allows novice attackers to rent powerful attacks with little technical knowledge.
Higher costs
Because attackers can rent large amounts of bandwidth cheaply, staying online will require overprovisioning and paid mitigation services, pushing defenders’ costs higher.
DDoS shows no signs of abating. As the landscape shifts, new attack avenues leverage emergent weaknesses. Defenders must also evolve as the stakes continue escalating.
Conclusion
DDoS uses swarms of distributed bots to overwhelm targets with floods of malicious traffic. Attackers exploit vulnerabilities to build large botnets, control them via C&C systems and exhaust bandwidth, protocol state and application resources through coordinated assaults. As bandwidth and vulnerable devices proliferate, these attacks become easier to conduct and more damaging, and attack techniques keep advancing in both method and magnitude. However, by understanding how DDoS works and deploying layered defenses, organizations can limit the impact of attacks and maintain the availability of critical services. Though challenging, countering the DDoS threat is imperative as it grows in sophistication.