What does it mean to get DDoS?

What is a DDoS Attack?

A DDoS attack, or Distributed Denial of Service attack, is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks are effective because they use multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

How Do DDoS Attacks Work?

There are two common forms of DDoS attacks:

Volume-Based Attacks

Volume-based attacks focus on consuming available bandwidth by generating a large volume of traffic coming from multiple sources (hence the distributed nature of this attack). These attacks can be carried out by sending large amounts of normal legitimate traffic, such as TCP, UDP or ICMP requests, to overwhelm the target. They can also be performed by sending malformed or invalid packets designed to crash or slow down the recipient system.

Volume attacks can saturate target bandwidth with garbage traffic, cause network delays and ultimately lead to a denial of service to end users, websites or applications. Some examples of volume-based attacks include UDP floods, ICMP floods and spoofed-packet attacks.

Application Layer Attacks

Application-layer attacks specifically target web servers and applications. Rather than overwhelming the network itself, application layer attacks focus on disrupting logical processes and functions running on servers and apps. This can be achieved by forcing resource exhaustion, crashing services, exploiting vulnerabilities or other means.

Application layer attacks typically involve seemingly legitimate session-based sets of requests designed to consume inordinate amounts of resources or crash applications – such as via slowloris-style attacks or SYN floods. In some cases, malformed requests containing junk data are used to elicit errors in applications, databases and operating systems.

Common DDoS Attack Vectors and Techniques

There are many different ways DDoS attacks can be carried out, but some common vectors and techniques include:

UDP Flood

A User Datagram Protocol (UDP) flood aims to overwhelm the target with a huge number of UDP packets, exceeding the processing limits of the recipient system. The source IP addresses are usually spoofed. UDP itself is a protocol used for low-latency, loss-tolerant communication, but in a flood scenario the sheer traffic volume slows down networks and systems as they struggle to handle and respond to the overwhelming bogus traffic.

ICMP Flood

An Internet Control Message Protocol (ICMP) flood similarly abuses inherent network protocols – in this case, ICMP. Attackers saturate targets with ICMP echo requests (pings) containing the spoofed source IP of the victim. This results in the victim system getting bogged down sending replies to the spoofed requests.

HTTP Flood

Hypertext Transfer Protocol (HTTP) floods focus on web servers and applications. These attacks use seemingly legitimate HTTP GET or POST requests to consume excessive resources and slow down or crash the recipient. Rather than using raw TCP or UDP packets, HTTP floods appear as valid requests from real users.

DNS Amplification

With DNS amplification attacks, perpetrators abuse the Domain Name System (DNS) protocol. By sending DNS name lookup requests with spoofed source IPs to misconfigured DNS servers, attackers elicit a significantly larger response directed to the spoofed IP (the victim). This leverages DNS functionality to amplify and direct an overwhelming traffic volume at targets.

Slowloris

Slowloris establishes multiple partial HTTP connections to tie up a web server’s resources. It does not rely on high volumes; instead it abuses HTTP to consume connection slots and sockets, leading to resource starvation with modest traffic levels. All connections are held open by periodically sending partial HTTP requests.
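The following Python simulation is an added example, not code from the original article, of how a web server defends against this pattern: it enforces a deadline for completing the request headers measured from the moment the connection was opened (so trickling a few bytes every few seconds does not keep the slot alive), and it caps concurrent connections per source address. The class and function names, the timeout and cap values, the IP addresses and the sequence of connection events are all assumptions made for the example; real servers expose equivalent settings (Apache's mod_reqtimeout, nginx's client_header_timeout) with their own semantics.

```python
HEADER_TIMEOUT = 20.0   # seconds allowed to finish sending request headers (assumed value)
MAX_CONN_PER_IP = 10    # concurrent connections allowed per source address (assumed value)


class ConnectionGuard:
    """Tracks open connections and evicts ones that never finish their headers."""

    def __init__(self, header_timeout=HEADER_TIMEOUT, max_per_ip=MAX_CONN_PER_IP):
        self.header_timeout = header_timeout
        self.max_per_ip = max_per_ip
        self.conns = {}     # conn_id -> {"ip", "opened", "last_activity", "headers_done"}
        self.per_ip = {}    # ip -> number of currently open connections
        self.closed = []    # (conn_id, reason) audit trail for the operator

    def open(self, conn_id, ip, now):
        """Accept a new connection unless the source already holds too many."""
        if self.per_ip.get(ip, 0) >= self.max_per_ip:
            self.closed.append((conn_id, "per_ip_limit"))
            return False
        self.conns[conn_id] = {"ip": ip, "opened": now, "last_activity": now,
                               "headers_done": False}
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return True

    def data_received(self, conn_id, now):
        """Record activity. Deliberately does NOT extend the header deadline: the
        deadline is measured from open(), which is what defeats slow trickling."""
        if conn_id in self.conns:
            self.conns[conn_id]["last_activity"] = now

    def headers_complete(self, conn_id):
        if conn_id in self.conns:
            self.conns[conn_id]["headers_done"] = True

    def _close(self, conn_id, reason):
        c = self.conns.pop(conn_id)
        self.per_ip[c["ip"]] -= 1
        self.closed.append((conn_id, reason))

    def reap(self, now):
        """Close every connection that has not finished its headers within the deadline."""
        stale = [cid for cid, c in self.conns.items()
                 if not c["headers_done"] and now - c["opened"] > self.header_timeout]
        for cid in stale:
            self._close(cid, "header_timeout")
        return stale


def run_simulation():
    """Constructed scenario: one source opens 15 connections and trickles header bytes
    every 10 s without ever completing them; a normal client opens one and finishes."""
    g = ConnectionGuard()
    accepted = sum(g.open(f"slow{i}", "203.0.113.9", 0.0) for i in range(15))
    g.open("browser", "198.51.100.4", 5.0)
    g.headers_complete("browser")            # a real client finishes in well under a second
    for t in (10.0, 20.0):                   # the slow connections keep looking "active" ...
        for cid in list(g.conns):
            if cid.startswith("slow"):
                g.data_received(cid, t)
    reaped = g.reap(25.0)                    # ... but are evicted once the deadline passes
    return {"slow_accepted": accepted, "slow_rejected": 15 - accepted,
            "reaped": len(reaped), "still_open": len(g.conns)}


if __name__ == "__main__":
    print(run_simulation())
```

The two controls complement each other: the per-source cap bounds how many slots any one address can hold, and the open-to-headers-complete deadline reclaims the slots that are held anyway. An idle timeout alone would not work here, because the attacker's periodic partial requests reset it.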

SYN Flood

A SYN flood exploits the TCP three-way handshake process. TCP connections begin with a synchronization (SYN) request from a client. The server responds with a SYN-ACK acknowledging the SYN and the client concludes the handshake with an ACK.

In a SYN flood, the attacker sends repeated SYN requests without concluding the handshake. This results in open half-connections tying up the target’s resources waiting for final ACKs that never arrive.

DDoS Attack Motivations

There are many different motivations behind launching a DDoS attack, but some of the major reasons include:

Financial Gain

Cybercriminals will threaten companies with attack unless they pay a ransom. The attackers will demonstrate their capabilities with limited strikes before demanding money to avoid persistent disruption. These extortion strategies can be quite lucrative for perpetrators.

Business Competition

Some believe that taking out a competitor's website with DDoS attacks improves their own standing. However, this form of cyber sabotage is hardly restricted to business competition: attackers with political, social or ideological agendas can have similar motivations.

Revenge or Retribution

Angry former employees or dissatisfied customers may initiate attacks against organizations or individuals who they have a grudge against. These acts can be attempts at payback over a slight or mistreatment, whether real or perceived.

Ideological Motives

Hacktivists and cyber protest groups often employ DDoS techniques against targets they view as opponents or threats to their ideology, beliefs or values. Anonymous and other hacktivist collectives have claimed responsibility for many such attacks.

Protest

Alongside hacktivism, DDoS attacks may also occur as forms of protest by groups who believe it helps publicize their message or garners support for their cause. While potentially illegal, attackers may view it as a modern sit-in.

Cyberwarfare

There are frequent suspicions and accusations of nation states using DDoS techniques to tactically take down adversaries as a component of hybrid warfare. Powerful DDoS attacks have also occurred coinciding with international conflicts.

Malicious Intent or Vandalism

Some DDoS attacks amount to virtual graffiti or vandalism, driven by mischief and thrill-seeking. While motivations are not always apparent, some perpetrators simply enjoy being disruptive and causing havoc.

DDoS Attack Statistics and Trends

Some key statistics and trends around DDoS attacks:

  • In Q2 2022, there was a 15% increase in DDoS attacks compared to Q1 according to Nokia Deepfield.
  • The largest DDoS attack recorded to date reached 17.2 million requests per second (RPS) and 2.3 terabits-per-second (Tbps) of traffic.
  • Mid-sized attacks between 1 and 10 Gbps accounted for around 84% of DDoS events in H1 2022.
  • Ransom DDoS extortion attempts increased by 25% YoY in 2021 per N-able research.
  • Industries most targeted by DDoS include technology, telecoms, fintech, education, public sector and gaming.
  • Application-layer DDoS attacks that exploit HTTP and DNS grew significantly in 2021.
  • 5G networks may usher in an era of more powerful DDoS capabilities reaching Terabit scales.
  • Expect continued growth in IoT DDoS attacks that leverage smart devices as attack nodes.

The increasing size, complexity, frequency and variety of DDoS attacks point to the persistent threat they pose. Organizations of all types must take them seriously and implement layered defenses.

DDoS Attack Prevention Tips

While robust technical solutions are required, there are also several preparatory best practices entities can employ:

Know Your Network

Gain visibility into traffic patterns and bandwidth needs during normal operations. This establishes a baseline to help quickly spot anomalies that may signal DDoS activity.
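As an added example (not part of the original article), the following Python script turns the baseline idea into a concrete check: it computes the mean and standard deviation of inbound throughput and of the UDP share of packets from a set of constructed per-minute samples, then flags minutes in a second constructed series that exceed the baseline by more than k standard deviations. The sample values, the `build_baseline` and `detect_anomalies` names and the k=3 threshold are assumptions chosen for illustration.

```python
import statistics

# Constructed per-minute samples from a "normal" period:
# (minute, inbound Mbit/s, fraction of packets that were UDP). Values are invented.
BASELINE = [
    (0, 100, 0.10), (1, 110, 0.12), (2, 95, 0.09), (3, 105, 0.11), (4, 120, 0.13),
    (5, 98, 0.10), (6, 102, 0.10), (7, 115, 0.12), (8, 108, 0.11), (9, 97, 0.09),
]

# Constructed samples from the period being monitored; minutes 2 and 3 contain a
# sudden, UDP-heavy surge of the kind a volumetric flood produces.
TODAY = [
    (0, 104, 0.11), (1, 112, 0.10), (2, 890, 0.85),
    (3, 940, 0.88), (4, 107, 0.12), (5, 99, 0.10),
]


def build_baseline(samples):
    """Return {"mbps": (mean, stdev), "udp": (mean, stdev)} for the normal period."""
    mbps = [s[1] for s in samples]
    udp = [s[2] for s in samples]
    return {
        "mbps": (statistics.mean(mbps), statistics.stdev(mbps)),
        "udp": (statistics.mean(udp), statistics.stdev(udp)),
    }


def detect_anomalies(samples, baseline, k=3.0):
    """Flag minutes where a metric exceeds its baseline mean by more than k stdevs.
    Returns a list of (minute, [reasons]) so the operator sees *why* it fired."""
    flagged = []
    for minute, mbps, udp in samples:
        reasons = []
        mean, sd = baseline["mbps"]
        if mbps > mean + k * sd:
            reasons.append("volume")
        mean, sd = baseline["udp"]
        if udp > mean + k * sd:
            reasons.append("udp_share")
        if reasons:
            flagged.append((minute, reasons))
    return flagged


if __name__ == "__main__":
    for minute, reasons in detect_anomalies(TODAY, build_baseline(BASELINE)):
        print(f"minute {minute}: anomalous ({', '.join(reasons)})")
```

A single ten-minute baseline is enough to show the mechanism, but a production baseline should be kept per time of day and day of week, and per protocol and destination port, or ordinary daily peaks will trip the threshold. Reporting the reason alongside the minute is what lets a responder tell a bandwidth flood from a protocol-mix change at a glance.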

Overprovision Bandwidth

Maintain spare capacity to absorb sudden spikes in traffic often associated with volumetric DDoS attacks. Having bandwidth to spare lessens the impact of flooding attempts.

Implement Access Lists

ACLs and firewall policies that limit traffic to required services and known IPs can reduce exposure to some DDoS tactics. However, ACLs alone are not sufficient.

Employ Proxy Servers

Proxies can mask originating server IPs and provide upstream scrubbing of incoming traffic before passing it on. This obscures targets and filters out many kinds of attack traffic.

Maintain DDoS Response Plan

Have a DDoS attack response plan with defined roles, strategies and third-party support contacts. Know how you will react, investigate and mitigate attacks.

Enlist Cloud DDoS Protection

Cloud-based DDoS protection services offer on-demand capacity to absorb large attacks away from corporate infrastructure, along with rapid assistance in activating defenses.

Pursue Multilayered Defenses

No single tool alone can fully protect against today’s complex DDoS threat landscape. Deploy layered defenses for the best chance to maintain online availability.

DDoS Attack Defense and Mitigation Solutions

Thwarting DDoS attacks requires advanced defensive systems and techniques including:

Traffic Scrubbing

DDoS scrubbing services remove attack traffic at upstream scrubbing centers while allowing legitimate system requests to pass through to endpoints.

Blackhole Filtering

Network routers can automatically redirect traffic destined for a target under attack into a blackhole (null route) that simply discards all related packets.

DDoS Mitigation Networks

Specialized overlay networks provide alternative traffic paths around the congested areas that occur during floods, improving connectivity.

Rate Limiting

Rate limiting restricts the amount of traffic able to be sent from specific source IPs. This caps bandwidth available to those IPs for DoS participation.
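The following Python token-bucket limiter is an added example, not code from the article, showing per-source rate limiting applied to a constructed stream of (timestamp, source IP) requests; the rate, the burst capacity, the IP addresses and the traffic mix are all assumed values.

```python
from collections import defaultdict

# Constructed request stream: (timestamp in seconds, source IP). One source sends
# 100 requests per second for three seconds; another sends two per second.
SAMPLE_REQUESTS = (
    [(float(sec), "203.0.113.7") for sec in range(3) for _ in range(100)]
    + [(i * 0.5, "198.51.100.22") for i in range(6)]
)


class TokenBucket:
    """Per-source bucket: refills `rate` tokens per second, holds at most `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity      # a fresh source may burst up to `capacity`
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # refill in proportion to elapsed time, never beyond capacity
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SourceRateLimiter:
    """One bucket per source IP, created lazily on first sight."""

    def __init__(self, rate=10, capacity=20):
        self.rate, self.capacity = rate, capacity
        self.buckets = {}

    def allow(self, src_ip, now):
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.capacity)
        return bucket.allow(now)


def apply_limits(requests, rate=10, capacity=20):
    """Replay (timestamp, src) pairs in time order; return {src: (allowed, dropped)}."""
    limiter = SourceRateLimiter(rate, capacity)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        if limiter.allow(src, ts):
            stats[src][0] += 1
        else:
            stats[src][1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


if __name__ == "__main__":
    for src, (allowed, dropped) in apply_limits(SAMPLE_REQUESTS).items():
        print(f"{src}: allowed={allowed} dropped={dropped}")
```

With a rate of 10 per second and a burst of 20, the heavy source gets 20 requests through in its first second and 10 in each later one, while the light source is never touched. Per-source limits of this kind are effective against application-layer floods from real hosts; against spoofed-source volumetric floods, where almost every packet claims a new source, the limit has to be applied upstream to aggregate traffic instead.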

Intrusion Prevention Systems

Network IPS devices can identify and block malicious traffic payloads and application requests typical of DDoS activity.

Web Application Firewalls

WAFs understand HTTP patterns and enforce policies that filter high-risk requests and application attacks seeking to tie up resources.

BGP Flowspec

BGP, the Internet's routing protocol, can carry flowspec rules that automatically reroute suspicious traffic to scrubbers and circumvent congestion.

TCP SYN Cookies

SYN cookie mechanisms minimize the impact of SYN floods by replacing conventional three-way handshakes with stateless cookie challenges to verify origin.
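As an added example, rather than the article's or any kernel's own implementation, here is a Python sketch of the SYN cookie idea: the server encodes a timestamp slot, an MSS choice and a keyed MAC into the 32-bit initial sequence number of its SYN-ACK, keeps no per-connection state, and only allocates a connection when the final ACK carries a number it can validate. A flood of SYNs therefore costs the server one MAC computation each and no memory. The bit layout and MSS table follow the shape of the classic Linux scheme but are simplified; the secret, the addresses and ports, and the function names are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Secret for the cookie MAC. Constructed for this example; a real server generates
# it at boot and rotates it, and it never appears in a config file.
SECRET = b"example-syn-cookie-secret-do-not-reuse"

# MSS values the 3-bit field can express (index into this table).
MSS_TABLE = [536, 1300, 1440, 1460]

SLOT_SECONDS = 64       # cookies are stamped with a coarse 64-second time slot
COOKIE_LIFETIME = 2     # slots a cookie stays valid for (assumed value)


def _mac24(src, dst, sport, dport, tslot):
    """24-bit keyed MAC over the connection 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, tslot)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK.
    Layout: 5 bits time slot | 3 bits MSS index | 24 bits MAC."""
    tslot = (now // SLOT_SECONDS) & 0x1F
    mss_idx = 0                           # largest table entry not above the client's MSS
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (tslot << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, tslot)


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the handshake-completing ACK without consulting any stored state.
    Returns the MSS to use for the new connection, or None if forged or expired."""
    cookie = (ack - 1) & 0xFFFFFFFF       # the client acknowledges ISN + 1
    tslot = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (now // SLOT_SECONDS) & 0x1F
    if ((current - tslot) & 0x1F) > COOKIE_LIFETIME:
        return None                       # too old: a replayed or very late ACK
    expected = _mac24(src, dst, sport, dport, tslot)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                       # MAC mismatch: ACK did not come from our SYN-ACK
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])   # constructed addresses
    isn = make_cookie(src, dst, 40000, 80, 1460, now=1000)
    print("valid ACK   ->", check_cookie(src, dst, 40000, 80, isn + 1, now=1010))
    print("wrong port  ->", check_cookie(src, dst, 40001, 80, isn + 1, now=1010))
    print("expired     ->", check_cookie(src, dst, 40000, 80, isn + 1, now=1000 + 64 * 5))
```

Because only 32 bits are available, the cookie cannot carry every TCP option the client offered (window scaling and SACK are lost unless TCP timestamps are in use), so cookies are a degraded mode that kernels switch to only once the SYN backlog fills; on Linux that behaviour is governed by the `net.ipv4.tcp_syncookies` sysctl.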

Conclusion

DDoS describes myriad techniques for disrupting online assets by directing massive streams of junk traffic and malicious requests at targets. Perpetrators have diverse motivations but all DDoS attacks degrade performance and availability of websites, applications and networks.

Defending against DDoS requires detailed knowledge of normal traffic, spare capacity, layered security and specialized mitigation solutions. A blend of on-premise and cloud-based defenses provides optimal protection against the growing threat of DDoS disruption. Maintaining comprehensive preparedness and response strategies continues to be imperative for organizations operating online.