How does a DDoS attack work?

What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. What makes a DDoS attack effective is that it uses many compromised computer systems as sources of attack traffic, so the flood cannot be stopped by blocking a single address. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

What are the goals of a DDoS attack?

The purpose of a DDoS attack is to render the target inaccessible, whether it’s a website, web-based service or application, online account access, online gaming or any other internet-connected system. By flooding the target with more requests than it can accommodate, attackers cause an overload condition that results in the denial of service to legitimate users. The impact can range from minor annoyance to major disruption, depending on the intensity and duration of attack traffic, the resources and bandwidth available to the target, and other technical and environmental factors. A successful DDoS attack inflicts damage to operations and revenue for business targets, and may also have regulatory compliance implications.

How does a DDoS attack work?

DDoS attacks are based on the concept of leveraging multiple sources of malicious Internet traffic to create an avalanche effect against a target. This involves three essential components:

Attack Vectors

Attack vectors are the different sources used to generate the distributed denial of service. On the Internet, they may include:

– Botnets – networks of compromised, remotely controlled systems running specialized DDoS malware. Botnets provide attackers with large armies of strike systems, often numbering in the tens or hundreds of thousands. Compromised machines may include poorly secured consumer PCs, web servers, IoT/embedded devices and more.

– Reflective amplification attacks – where the attacker sends small requests with the source address spoofed to the target's IP, so that services such as DNS and NTP servers send their much larger responses to the target. The responses, not the attacker's own packets, overwhelm the target through sheer volume.

– Application layer attacks – targeting the upper OSI layers (HTTP, HTTPS, DNS, etc.) with the goal of exhausting server resources rather than bandwidth. Methods include low-bandwidth attacks that hold connections open, repeated SSL/TLS renegotiation to burn server CPU, and XML parser attacks such as entity expansion.

Handlers

Handlers are the command-and-control layer between the attacker and the attack sources. In the classic botnet architecture, a handler (or master) relays the attacker's commands to the compromised agents that generate the traffic, so the attacker never contacts the bots directly. Today this layer is usually packaged as booter or stresser services: internet-based DDoS-for-hire offerings that give paying customers access to pre-configured attack vectors. Booter services lower the technical threshold for DDoS capabilities, allowing perpetrators to pay nominal fees in cryptocurrency to have powerful DDoS resources at their fingertips.

Target

The victim of a DDoS attack is the designated target, which may be any internet-connected computer, server, service, application, commercial website, government website or network infrastructure component. Targets are generally identified through domain name, URL or IP address.

DDoS Attack Process

The following provides a high-level overview of the DDoS attack process:

– Reconnaissance – The attacker seeks to identify vulnerabilities in the target’s environment that may be leveraged for the DDoS attack. Recon may include port scanning, footprint mapping, version identification, reviewing WHOIS data and more.

– Weaponization – In this phase, the attacker prepares the attack vectors to be used in the DDoS campaign. This may involve infecting systems with Trojans to build botnets, identifying vulnerable servers to leverage for amplification, registering with booter services, etc.

– Delivery – The attacker initiates the flood of DDoS traffic against the target from the previously configured attack vectors. Traffic flooding may involve multiple attack vectors and hundreds of gigabits per second (Gbps) of malicious traffic or more.

– Execution – The target experiences a spike in incoming malicious traffic exceeding its available bandwidth or server resources. Legitimate traffic is unable to get through, resulting in denial of service and outage conditions.

– Amplification – To maximize the traffic delivered for a given sending capacity, attackers leverage reflective amplification: spoofed requests sent to misconfigured DNS, NTP and other servers cause each small inbound packet to generate a much larger response aimed at the target.

Major DDoS attack types

There are numerous methods for inflicting DDoS attacks, broadly categorized by the OSI model layer they target. Major DDoS attack types include:

Volumetric attacks

– ICMP floods – leveraging botnets to bombard systems with ping requests using the Internet Control Message Protocol (ICMP), overwhelming network resources.

– UDP floods – leveraging botnets to send high volumes of User Datagram Protocol (UDP) packets to random ports to saturate bandwidth. Because UDP is connectionless, the target must check each datagram for a listening application and typically answers with an ICMP Destination Unreachable message, which consumes its resources as well; source addresses are easily spoofed.

– NTP amplification – exploiting Network Time Protocol (NTP) servers that still answer the monlist monitoring command with a list of recent clients, so that a small spoofed request reflects a response many times its size at the target.

– DNS amplification – similar to NTP amplification, leveraging open recursive resolvers to reflect large responses (for example to ANY queries for zones with big records) at the target.
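The reflection attacks described under "Attack vectors" and in the NTP and DNS entries above share one signature from the victim's point of view: large UDP replies arrive from service ports the victim never sent a request to, because the requests carried the victim's spoofed address. The following added example (not code from the original article) runs that check over constructed NetFlow-style records; the reflector port table, the tuple layout and the addresses are assumptions.

```python
"""Spot reflected amplification traffic in flow records.

Added example, not code from the original article. The flow records below are
constructed; the reflector port table and the tuple layout are assumptions.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their source port (assumed list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 19: "chargen"}

TARGET = "203.0.113.10"  # constructed victim address

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
FLOWS = [
    # The victim's own legitimate DNS lookup and its reply.
    ("203.0.113.10", 40001, "198.51.100.1", 53, "udp", 1, 70),
    ("198.51.100.1", 53, "203.0.113.10", 40001, "udp", 1, 180),
    # NTP replies the victim never asked for: an attacker spoofed the victim's
    # address in requests to three servers, so only the large responses arrive.
    ("192.0.2.11", 123, "203.0.113.10", 80, "udp", 100, 44000),
    ("192.0.2.12", 123, "203.0.113.10", 80, "udp", 100, 44000),
    ("192.0.2.13", 123, "203.0.113.10", 80, "udp", 100, 44000),
    # Unsolicited DNS responses from two open resolvers.
    ("192.0.2.21", 53, "203.0.113.10", 53, "udp", 50, 150000),
    ("192.0.2.22", 53, "203.0.113.10", 53, "udp", 50, 150000),
    # Ordinary inbound web traffic.
    ("198.51.100.7", 51234, "203.0.113.10", 443, "tcp", 20, 3000),
]


def detect_reflection(flows, target, min_sources=2):
    """Summarise unsolicited inbound UDP traffic from reflector ports, per service.

    A reply is unsolicited when the target never sent a request to that peer,
    peer port and local port. Because reflection attacks spoof the victim's
    address, the victim sees only the replies, never its own requests.
    Services seen from fewer than `min_sources` distinct reflectors are ignored
    so that a single stray response does not raise an alert.
    """
    solicited = set()
    for src, sport, dst, dport, proto, _, _ in flows:
        if src == target and proto == "udp":
            solicited.add((dst, dport, sport))  # (peer, peer_port, local_port)

    per_service = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, packets, nbytes in flows:
        if dst != target or proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dport) in solicited:
            continue
        entry = per_service[REFLECTOR_PORTS[sport]]
        entry["sources"].add(src)
        entry["packets"] += packets
        entry["bytes"] += nbytes

    report = {}
    for service, entry in per_service.items():
        if len(entry["sources"]) < min_sources:
            continue
        report[service] = {
            "sources": len(entry["sources"]),
            "packets": entry["packets"],
            "bytes": entry["bytes"],
            "avg_packet_bytes": entry["bytes"] // entry["packets"],
        }
    return report


if __name__ == "__main__":
    for service, info in detect_reflection(FLOWS, TARGET).items():
        print(f"{service}: {info['sources']} reflectors, {info['bytes']} bytes, "
              f"avg {info['avg_packet_bytes']} bytes/packet")
```

The legitimate resolver reply is skipped because the victim's outbound query to it is in the same records; the NTP and DNS traffic is reported because no matching request exists. The average reply size is the second tell: a normal NTP time reply carries a 48-byte payload, so hundreds of bytes per packet from port 123 points at monlist-style responses.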

TCP state-exhaustion attacks

– SYN Floods – sending continuous TCP connection requests to exhaust a target’s resource pool for session initialization. SYN cookies may mitigate SYN Floods.

– ACK Floods – flooding targets with spoofed ACK packets that belong to no existing connection. Stateful devices such as firewalls and load balancers must look up each packet in their connection tables, and the useless lookups exhaust their capacity.

– FIN/RST Floods – similar to ACK attacks, but using TCP FIN and RST packets instead.
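The SYN cookie mitigation named above works because the server stops storing a half-open connection per SYN: it encodes the few things it needs (a time slot, the client's MSS and a keyed hash of the 4-tuple) into its own initial sequence number, and only allocates state when the client's final ACK proves it holds that value. The following is an added example, not code from the original article or from any operating system; the bit layout follows the classic Bernstein/Linux scheme in simplified form, and the secret, MSS table and 64-second slot width are assumptions.

```python
"""Stateless SYN cookies: the server encodes what it needs into its own ISN.

Added example, not code from the original article. The bit layout (5-bit time
counter, 3-bit MSS index, 24-bit keyed hash) follows the classic Bernstein/Linux
scheme in simplified form; the secret, the MSS table and the 64-second time
slot are assumptions. No per-connection state is kept between SYN and ACK.
"""
import hashlib
import hmac

MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values that fit in the 3-bit field (assumed)
SLOT_SECONDS = 64                    # width of one time slot (assumed)
MAX_AGE_SLOTS = 2                    # accept cookies from this and the previous slot


def _slot(now):
    """5-bit time counter for a Unix timestamp."""
    return (int(now) // SLOT_SECONDS) & 0x1F


def _mac24(secret, saddr, sport, daddr, dport, slot):
    """24-bit keyed hash binding the cookie to the 4-tuple and time slot."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, mss, now):
    """Return the ISN to place in the SYN-ACK for a SYN with sequence client_isn."""
    slot = _slot(now)
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):   # largest table entry not above client's MSS
        if value <= mss:
            mss_idx = i
    mac = _mac24(secret, saddr, sport, daddr, dport, slot)
    return (slot << 27) | (mss_idx << 24) | ((mac + client_isn) & 0xFFFFFF)


def check_cookie(secret, saddr, sport, daddr, dport, seq, ack, now):
    """Validate the client's final ACK (seq = client_isn + 1, ack = cookie + 1).

    Returns the MSS recovered from the cookie, or None if the cookie is stale,
    was issued for a different 4-tuple, or the ack number is forged.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (_slot(now) - slot) & 0x1F >= MAX_AGE_SLOTS:
        return None
    expected = (_mac24(secret, saddr, sport, daddr, dport, slot) + client_isn) & 0xFFFFFF
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    secret = b"rotate-me-regularly"          # assumed per-host secret
    args = (secret, "198.51.100.5", 40000, "203.0.113.10", 443)
    isn = 123456                             # client's ISN from its SYN
    cookie = make_cookie(*args, isn, 1460, now=100_000)
    print("SYN-ACK seq:", hex(cookie))
    print("valid ACK  ->", check_cookie(*args, isn + 1, cookie + 1, now=100_010))
    print("stale ACK  ->", check_cookie(*args, isn + 1, cookie + 1, now=100_200))
    print("forged ACK ->", check_cookie(*args, isn + 1, cookie + 7, now=100_010))
```

A flood of spoofed SYNs now costs the server one hash per packet and no memory, which is the whole point; the trade-off is that TCP options not encoded in the cookie (window scaling, SACK) are lost when cookies are in use, which is why production stacks enable them only once the backlog is under pressure.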

Application Layer (L7) attacks

– HTTP Floods – inundating targets with HTTP requests from botnets and other vectors.

– Slowloris – slowly sending partial HTTP requests to monopolize web server resources.

– Brute force – continuously guessing user credentials via logon interfaces. Beyond the account takeover risk, each attempt forces the backend to perform deliberately expensive password hashing, so a high-rate credential flood can exhaust authentication servers.

– DNS query floods – sending high volumes of DNS lookup requests, often for random non-existent subdomains so that caches miss and the authoritative servers do all the work.
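HTTP floods are the application layer attack most sites meet first, and the access log is usually the first place they show up. The following added example (not code from the original article) parses combined-format log lines, keeps a sliding per-client window, and flags clients whose peak request rate exceeds a threshold, reporting alongside it how many distinct paths each client touched, since bots typically hammer one expensive endpoint. The log lines are constructed inside build_sample_log(); the window, threshold and path heuristic are assumptions to tune per site.

```python
"""Flag HTTP-flood clients from web server access logs.

Added example, not code from the original article. The log lines are
constructed in build_sample_log(); the window, threshold and path-diversity
heuristic are assumptions a practitioner would tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, unix_time, path_without_query, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])


def detect_http_flood(lines, window=10, threshold=20):
    """Return {ip: (peak_requests_in_window, distinct_paths)} for clients above threshold.

    The sliding window counts requests per client over the last `window` seconds.
    Flood bots typically hit one expensive endpoint repeatedly, so a high peak
    together with very few distinct paths is a strong signal.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r[1])        # logs may be written out of order

    recent = defaultdict(deque)
    peak = defaultdict(int)
    paths = defaultdict(set)
    for ip, ts, path, _status in records:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:           # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip].add(path)

    return {ip: (peak[ip], len(paths[ip])) for ip in peak if peak[ip] > threshold}


def build_sample_log():
    """Constructed log: five normal users plus three bots hammering /search for 10 seconds."""
    lines = []
    for sec in range(0, 60, 6):             # normal users: one request every 6 s, varied pages
        for i in range(1, 6):
            lines.append(
                f'198.51.100.{i} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
                f'"GET /page{sec} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
            )
    for sec in range(0, 10):                # bots: five requests per second each
        for bot in range(101, 104):
            for _ in range(5):
                lines.append(
                    f'192.0.2.{bot} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
                    f'"GET /search?q=x HTTP/1.1" 200 8901 "-" "Mozilla/5.0"'
                )
    return lines


if __name__ == "__main__":
    for ip, (rate, distinct) in sorted(detect_http_flood(build_sample_log()).items()):
        print(f"{ip}: {rate} requests in 10 s, {distinct} distinct path(s)")
```

Two caveats a practitioner would add: a per-IP rate is blind to a large botnet where each bot stays under the threshold (look at aggregate rate per endpoint as well), and clients behind carrier-grade NAT can legitimately exceed a naive threshold, so the result should feed a rate limiter or challenge, not an outright block, until confirmed.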

Attack Type                    Description
Volumetric Attacks             Flood networks with high volumes of malicious traffic
TCP State-Exhaustion Attacks   Disrupt stateful TCP workflows
Application Layer Attacks      Target web servers and applications

DDoS attack tools

To conduct DDoS campaigns, attackers leverage an array of easy-to-use attack tools that provide preconfigured vectors and traffic flooding capabilities. Major DDoS tools include:

– LOIC – An open source DDoS tool used to flood networks and perform TCP/UDP/HTTP attacks

– HOIC – Similar to LOIC, HOIC provides a simple interface for multiple DDoS attack types

– Dirt Jumper – A family of Windows DDoS bots sold on underground markets and controlled over HTTP, used mainly for HTTP floods

– Trinoo – historic DDoS malware that utilized master-slave architecture

– Stacheldraht – Historic DDoS malware that can flood networks via UDP, ICMP, TCP SYN and Smurf attacks

In addition to malware implants, managed DDoS services like booters and stressers are commonly leveraged for straightforward DDoS capabilities.

DDoS impact and damages

Successful DDoS attacks levy a number of detrimental effects against targets, including:

– Service unavailability – Websites, applications, APIs and other resources are rendered inaccessible

– Lost revenue – Outages directly correlate to lost sales, damage to brand reputation and slipping market share

– Lost productivity – Operations and business processes are interrupted by service interruptions

– Negative customer experiences – Users and customers are unable to access services during outages

– Compliance violations – DDoS attacks may result in audit deficiencies and regulatory non-compliance

According to research, the average cost of a single DDoS attack exceeds $120,000. For larger enterprises subject to major DDoS campaigns, damages can tally in the millions. Beyond direct costs, long term consequences may include loss of customer trust, damaged brand reputation, devaluation of trade names and more.

DDoS mitigation

Defending against DDoS campaigns requires layered mitigation capabilities:

Cloud Scrubbing Services

Specialized DDoS protection services divert attack traffic to scrubbing centers, which filter out malicious packets before forwarding legitimate traffic to the customer.

On-premise Detection and Mitigation

Intelligent DDoS protection devices (IPS, ADC) are deployed locally to detect and mitigate attacks onsite. They are effective against state-exhaustion and application layer attacks, but they cannot help once a volumetric flood has saturated the Internet uplink in front of them; for that, traffic must be filtered upstream, typically by a scrubbing service or the ISP.

Network Design

Improved network engineering, redundancy, capacity and traffic management helps mitigate the impacts of DDoS.

Application Design

Well designed application infrastructure provides effective resource allocation and load balancing to better withstand high traffic spikes.

Access Control

Strong authentication mechanisms, combined with rate limiting on logon interfaces, help prevent account compromise and keep bots away from expensive authenticated application functions.

Mitigation Type        Method
Cloud Scrubbing        Filter traffic at cloud scrubbing centers
On-premise Protection  Detect and filter on-site via IPS and ADC
Network Design         Improve capacity, redundancy and routing
Application Design     Ensure effective load balancing and resource allocation
Access Control         Adopt strong authentication practices

Conclusion

DDoS attackers leverage a wide spectrum of tactics to overwhelm and interrupt online business operations. Attack methods continue advancing in complexity, presenting an evolving threat landscape. By implementing layered protections both locally and in the cloud, while adhering to best practices in network operations and application design, organizations can effectively counter the DDoS threat. Though challenging to combat, a robust, multi-faceted strategy can prevent DDoS campaigns from inflicting major business disruption.