A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming it with a flood of internet traffic. DDoS attacks accomplish this by leveraging multiple compromised computer systems as sources of attack traffic. Victims of DDoS attacks include banks, news websites, government agencies and other organizations. A DDoS attack can be very disruptive and result in website crashes and slow network performance.
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is a coordinated cyberattack on a target’s online infrastructure intended to overwhelm it with internet traffic and render it inaccessible to legitimate users. DDoS attacks work by leveraging armies of compromised computers, known as botnets, to flood the bandwidth and resources of their targets. By leveraging these hijacked devices, DDoS attacks can generate huge volumes of traffic that are difficult to block or filter, since the traffic originates from many different sources rather than a single identifiable source.
DDoS attacks typically target high-profile organizations and companies such as banks, government agencies, news websites and other institutions. By flooding and overwhelming their networks or web infrastructure with traffic, attackers can effectively take down their online operations and services, often for prolonged periods. This can cost organizations revenue, reputation and productivity.
Common targets of DDoS attacks
- Banks and financial institutions
- News and media websites
- Government institutions
- Retailers and ecommerce sites
- Gaming platforms and networks
- Cloud service providers
How Do DDoS Attacks Work?
DDoS attacks work by leveraging botnets – networks of compromised computers infected with malicious software and controlled by a hacker without the owners’ knowledge. These botnets can range from a few dozen devices to over a hundred thousand.
With a large botnet at their disposal, the attacker can order the botnet to simultaneously send requests to the target’s server, network or website. Individually, these requests appear legitimate and harmless. However, the sheer volume of requests generated by a botnet can overwhelm the target’s bandwidth, overload their servers or clog their pipelines – preventing legitimate users from accessing their site or service.
Some common DDoS attack vectors include:
Volume Based Attacks
Volume based DDoS attacks aim to saturate the bandwidth of their target with massive amounts of junk traffic. This traffic floods the network or server with requests that appear legitimate but are superfluous. Examples include UDP floods, ICMP floods and other spoofed-packet floods.
Protocol Attacks
Protocol attacks target the weaknesses in network protocols like TCP and HTTP. They consume actual server resources or force servers to crash. Examples include SYN floods, ACK floods, HTTP POST floods and more.
Application Layer Attacks
Application layer attacks target web applications by depleting server resources via malformed requests and queries. This causes the application to crash or stall. Examples include low-and-slow attacks, GET/POST floods and more.
Common DDoS Attack Tools
DDoS attackers have access to diverse toolkits and botnets to execute attacks. Here are some common examples:
- LOIC – The Low Orbit Ion Cannon is a popular open source network stress tool used to overwhelm targets with TCP, UDP and HTTP requests.
- HOIC – The High Orbit Ion Cannon is a network stress tool based on LOIC that also allows users to donate their bandwidth to a common DDoS attack.
- SYN Flood – Sends a continuous stream of TCP SYN requests to a target to consume bandwidth and resources.
- Ping Flood – Overwhelms a target with ICMP echo requests (pings).
- Botnets – Networks of malware-compromised computers that can be orchestrated for DDoS attacks.
- NTP Amplification – Exploits misconfigured NTP servers to magnify the amount of traffic directed at a target.
DDoS Attack Process
Launching a DDoS attack often involves three main steps:
1. Building the Botnet
The attacker identifies vulnerable devices across the internet and infects them with malware without the owners’ consent. This could be done by exploiting unpatched vulnerabilities or sending malware via phishing emails. The infected devices then become part of the attacker’s botnet, which they can orchestrate at will.
2. Identifying a Target
The attacker selects a suitable target, often a high-profile company, business or organization. The goal is to disrupt their operations by rendering their website or network inaccessible with the DDoS assault.
3. Launching the Attack
At the designated time, the attacker uses command and control software to order all the compromised bots to begin barraging the target with traffic. This overwhelms the target’s network infrastructure and disrupts access for legitimate users.
DDoS Attack Impact
DDoS attacks can severely disrupt an organization’s ability to serve its users and customers. Impacts include:
- Website downtime and slow network performance
- Prevention of legitimate access and loss of customers
- Revenue and productivity losses due to disruption of operations
- Reputational damage and loss of consumer trust and confidence
- Costs incurred from response and recovery efforts
The larger the target business, the more devastating a DDoS attack can be. Attacks lasting several days can result in significant financial and reputational damage.
Defending Against DDoS
There are several best practices organizations should follow to defend against the threat of DDoS attacks:
Have DDoS protection services
Specialized third party DDoS mitigation services can provide on-demand network traffic scrubbing to deal with large attacks. These services maintain massive bandwidth capacities across global networks to absorb and filter attack traffic before it reaches the target.
Perform network monitoring
Monitoring bandwidth usage on network links can help quickly detect abnormal traffic spikes indicative of a DDoS assault. Threshold alerting mechanisms can notify staff promptly.
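The threshold alerting described above, as an added example that is not part of the original article: a small Python detector that builds a per-second baseline from a constructed packet log (format assumed for this example: "<epoch_second> <src_ip> <tcp_flag>"), then flags seconds whose volume exceeds the baseline band or whose traffic is dominated by SYNs, the half-open pattern a SYN flood leaves behind.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log format for this example: "<epoch_second> <src_ip> <tcp_flag>"
def parse_lines(lines):
    """Yield (second, src_ip, flag) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]

def per_second_stats(records):
    """Aggregate packet count, distinct sources and SYN count per second."""
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set(), "syn": 0})
    for sec, src, flag in records:
        s = stats[sec]
        s["pkts"] += 1
        s["srcs"].add(src)
        s["syn"] += 1 if flag == "SYN" else 0
    return dict(sorted(stats.items()))

def detect_spikes(stats, baseline_secs, k=3.0, syn_ratio=0.8):
    """Flag seconds outside the baseline whose volume exceeds mean + k*stdev
    of the baseline, or whose traffic is dominated by SYNs (half-open pattern)."""
    base = [stats[s]["pkts"] for s in baseline_secs if s in stats]
    limit = mean(base) + k * max(pstdev(base), 1.0)  # floor avoids a zero band
    alerts = []
    for sec, s in stats.items():
        if sec in baseline_secs:
            continue
        reasons = []
        if s["pkts"] > limit:
            reasons.append(f"volume {s['pkts']} > {limit:.1f}")
        if s["syn"] / s["pkts"] > syn_ratio:
            reasons.append(f"syn ratio {s['syn'] / s['pkts']:.2f}")
        if reasons:
            alerts.append((sec, len(s["srcs"]), reasons))
    return alerts

def build_sample_log():
    """Constructed data: 10 quiet seconds of two clients completing handshakes,
    then a 2-second SYN burst from 200 distinct (spoofed-looking) sources."""
    lines = []
    for sec in range(1000, 1010):
        for ip in ("203.0.113.5", "198.51.100.7"):
            lines += [f"{sec} {ip} SYN", f"{sec} {ip} ACK", f"{sec} {ip} ACK"]
    for sec in range(1010, 1012):
        lines += [f"{sec} 192.0.2.{i + 1} SYN" for i in range(200)]
    return lines
```

Each alert carries the distinct-source count, which is what separates a distributed flood from one noisy client that a simple rate limit would handle.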
Maintain website caching
Web caching mechanisms for dynamic content help reduce load on servers and improve website performance. This provides some tolerance against smaller attacks that do not fully saturate capacity.
Have an incident response plan
A concrete DDoS response plan documenting roles, strategies and third party contacts helps organizations respond quickly to an attack and minimize disruption.
Apply latest security patches
Keeping website applications, servers and network devices up to date with the latest software patches blocks common infection vectors used to build botnets.
Legal Implications
Launching DDoS attacks and building botnets using compromised systems without authorization are illegal activities under computer hacking laws like the U.S. Computer Fraud and Abuse Act.
Attackers in the U.S. can face federal charges leading to hefty fines and multi-year prison sentences if caught and successfully prosecuted. The availability of underground DDoS services and the use of bitcoin also make it challenging for law enforcement to track attackers.
Understanding the legal consequences can help deter individuals from getting involved in orchestrating or contributing to DDoS attacks.
Famous DDoS Attacks
Some of the largest and most disruptive DDoS attacks include:
GitHub DDoS Attack (2018)
- Targeted the software development platform GitHub
- Peaked at a record 1.3 Tbps via memcached reflection
- Took down GitHub for around 10 minutes
Dyn Cyberattack (2016)
- Targeted the DNS provider Dyn, disrupting access to major sites like Twitter, Netflix and Reddit
- Involved tens of millions of IP addresses from the Mirai botnet
- Disrupted users in the US and Europe over multiple waves of assault
Spamhaus DDoS Attack (2013)
- Hit the anti-spam blacklisting service with 300 Gbps of traffic via DNS reflection
- One of the largest network layer attacks monitored at the time
- Service maintained operations but users experienced slowness
Yahoo DDoS Attack (2000)
- Bombarded Yahoo servers with over 1 Gbps of traffic
- Persisted for about 2 hours, leaving the site largely inaccessible worldwide
- First publicized example of a major DDoS assault
These and similar large-scale attacks attracted massive media coverage and brought DDoS into the public spotlight as a disruptive cyber threat.
DDoS Attack Methods
There are multiple technical methods by which DDoS attacks overwhelm and bombard their targets.
| Attack Type | Description |
|---|---|
| UDP Flood | Sends high volumes of spoofed UDP packets to random ports on a victim server using a botnet |
| ICMP Flood | Inundates the target with spoofed ICMP echo requests (pings) from multiple sources |
| HTTP Flood | Bombards web servers with seemingly legitimate HTTP GET and POST requests |
| Slowloris | Opens multiple connections to a web server and sends partial HTTP requests very slowly |
| SYN Flood | Sends a continual stream of TCP SYN packets, each triggering a new connection request |
These represent just some common DDoS vectors. Attackers are continually evolving new methodologies and strategies.
Conclusion
DDoS attacks have grown as a major threat undermining the availability and continuity of key online services and infrastructure. The threat landscape continues to rapidly evolve as botnets grow larger and attacks become more sophisticated.
Organizations need to implement robust DDoS protections like traffic scrubbing services, and maintain actionable incident response plans. Lawmakers also need to ensure adequate legal deterrence for individuals who engage in orchestrating or contributing to these disruptive assaults.
With cybercriminals motivated to capitalize on the power of botnets and vulnerable IoT devices, organizations will need to remain vigilant and adapt their defenses against DDoS attacks.