A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.
How does a DDoS attack work?
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source. Most DDoS attacks use a botnet – a network of zombie computers to which the attacker has access. Devices become part of a botnet after they’ve been infected with malicious code, often distributed through phishing campaigns or drive-by downloads. The attacker can then command the devices to flood a target with requests in an attempt to overwhelm and disable it.
DDoS attacks often utilize common protocols including the following:
- UDP flood – A type of DDoS attack in which the perpetrator sends a large number of UDP packets to random ports on the remote host in an attempt to overwhelm it. UDP is connectionless and does not require a response from the destination computer. When a large number of UDP packets are sent, the target system has to check each one to see if it’s a valid request. These checks use up bandwidth and system resources.
- ICMP flood – The attacker overwhelms the target with a stream of ICMP packets, forcing it to respond with ICMP messages and saturating its Internet connection.
- SYN flood – The attacker sends successive SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
- HTTP flood – The attacker overwhelms a website by sending an extraordinary number of standard HTTP requests, consuming the site’s available HTTP connections and resources.
Other common DDoS vectors include DNS amplification attacks, teardrop attacks, and Ping of Death attacks. The net result is that the target site or server becomes overloaded and is unable to respond or is slowed to a crawl.
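The flood signatures described above can be recognised in per-packet or flow records. The following Python detector is an added example, not code from the original article: it runs over a constructed packet sample and flags a destination as a SYN flood (many half-open SYNs with few completing ACKs), a UDP flood (high rate spread across many random ports) or an ICMP flood, using a hypothetical packets-per-second threshold.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real traffic): proto, src, dst, dport, TCP flags.
SAMPLE = (
    [{"proto": "tcp", "src": f"10.0.0.{i % 250}", "dst": "192.0.2.10", "dport": 443, "flags": "S"} for i in range(500)]
    + [{"proto": "tcp", "src": "10.0.1.5", "dst": "192.0.2.10", "dport": 443, "flags": "A"} for _ in range(10)]
    + [{"proto": "udp", "src": f"10.0.2.{i % 250}", "dst": "192.0.2.20", "dport": 1024 + i, "flags": ""} for i in range(400)]
    + [{"proto": "icmp", "src": "10.0.3.7", "dst": "192.0.2.30", "dport": 0, "flags": ""} for _ in range(300)]
    # A busy but healthy host: SYNs are followed by ACKs, and the rate stays low.
    + [{"proto": "tcp", "src": "10.0.4.1", "dst": "192.0.2.40", "dport": 443, "flags": "S"} for _ in range(20)]
    + [{"proto": "tcp", "src": "10.0.4.1", "dst": "192.0.2.40", "dport": 443, "flags": "A"} for _ in range(60)]
)


def classify_floods(packets, window_seconds=1.0, pps_threshold=200):
    """Return {dst: verdict} for destinations whose rate inside the window looks like a flood."""
    syn, ack, udp, icmp = Counter(), Counter(), Counter(), Counter()
    udp_ports = defaultdict(set)
    for p in packets:
        d = p["dst"]
        if p["proto"] == "tcp":
            if "S" in p["flags"] and "A" not in p["flags"]:
                syn[d] += 1          # bare SYN: a half-open connection attempt
            elif "A" in p["flags"]:
                ack[d] += 1          # ACK: a handshake that actually completed
        elif p["proto"] == "udp":
            udp[d] += 1
            udp_ports[d].add(p["dport"])
        elif p["proto"] == "icmp":
            icmp[d] += 1

    verdicts = {}
    for d, n in syn.items():
        # Half-open signature: many SYNs, under 10% of them followed by an ACK.
        if n / window_seconds > pps_threshold and ack[d] < 0.1 * n:
            verdicts[d] = "syn_flood"
    for d, n in udp.items():
        # Random-port signature: high UDP rate spread over a large set of ports.
        if n / window_seconds > pps_threshold and len(udp_ports[d]) > 0.5 * n:
            verdicts[d] = "udp_flood"
    for d, n in icmp.items():
        if n / window_seconds > pps_threshold:
            verdicts[d] = "icmp_flood"
    return verdicts
```

The threshold and window are placeholders; in practice they come from the traffic baseline of the protected host.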
What are the stages of a DDoS attack?
DDoS attacks typically involve three key stages:
- Reconnaissance – The attacker seeks out and identifies potential weaknesses or vulnerabilities in the target’s infrastructure that could be exploited in a denial-of-service attack.
- Weaponization – The attacker develops or gains access to resources that can be used to perform an attack, such as a botnet or a network of compromised devices.
- Assault – The attack is launched, flooding the target with bogus requests and traffic in an attempt to overwhelm and disable it.
In the reconnaissance phase, the attacker actively gathers information about the intended target’s infrastructure and defenses, looking for weaknesses that can be exploited. The attacker may scan the target’s systems, perform network sniffing, access configuration files, perform vulnerability scans, etc. to uncover possibilities. For example, they may look for potential amplification vectors that could be used to maximize the attack’s impact.
During weaponization, the attacker readies the resources needed to carry out the denial-of-service flood. This commonly involves compromising computers using malware and assembling them into a botnet. The size of the botnet determines the magnitude or scale of the attack. Attackers may continue expanding their resources until they are satisfied they have enough firepower to be effective.
In the final assault phase, the attacker triggers the compromised devices to begin flooding the target with traffic. Sustained high volumes of bogus requests overwhelm the target’s capacity to respond, rendering it unreachable or unusable for legitimate users. Depending on the goal, a DDoS attack may last for minutes, hours or multiple days.
What are the impacts of a DDoS attack?
A successful DDoS attack can have devastating consequences for its victim:
- The target is unable to provide normal service, so access is denied to legitimate users
- Reputational damage, loss of customer trust and revenue
- Website downtime and loss of productivity
- Consumes large amounts of bandwidth, impacting connectivity for the network as a whole
- Overwhelmed devices may crash or be damaged
- May mask or distract from a more damaging secondary attack, such as data theft
Organizations impacted by DDoS attacks include key infrastructure providers, commercial sites, media outlets, government agencies, DNS providers, and many others. Even a short-term outage can result in significant financial losses for a business. Attacks exceeding 1 Tbps are becoming increasingly common.
In addition to overwhelming network resources, DDoS attacks may also achieve their goals by:
- Crashing DNS servers or network infrastructure devices like routers by exploiting vulnerabilities
- Exhausting stateful resources like firewall and application database connections
- Fragmenting network packets and disrupting hosts, applications, and services
- Triggering auto-scaling policies in cloud environments, generating significant additional expenses
What are common DDoS attack tools?
There are many tools available that allow even unskilled attackers to mount and carry out DDoS attacks. Examples include:
- LOIC – Stands for Low Orbit Ion Cannon, a free DDoS tool coded by Praetox Technologies. It allows users to flood targets with HTTP, UDP, or TCP requests.
- HOIC – High Orbit Ion Cannon is an updated version of LOIC that allows users to control a voluntary botnet to overwhelm targets.
- Trinoo – A toolkit that allows users to launch DDoS attacks via UDP flood. It utilizes a client and handler system.
- TFN2K – An early Windows-based DDoS tool that allowed for various attack types via TCP, UDP, ICMP, and more. Similar to Trinoo but more versatile.
- Metasploit – A penetration testing framework that contains DDoS modules and can be used maliciously.
- XOIC – Created as an updated iteration of LOIC that allows users to control the intensity and duration of attacks.
In addition to purpose-built DDoS tools, botnets are commonly used to carry out DDoS attacks. Botnets are networks of computers infected with malware, allowing them to be controlled remotely by an attacker. The massive size of some botnets enables powerful DDoS attacks – for example, the Mirai botnet overwhelmed targets with floods up to 1.2 Tbps.
How can organizations defend against DDoS attacks?
While challenging, organizations can take steps to protect themselves against DDoS attacks through a solid defensive strategy:
- Monitor for unusual spikes in traffic to stay alert for attacks as early as possible.
- Work with upstream providers to install filters that can block attack traffic.
- Increase bandwidth to make infrastructure less susceptible to overload.
- Use traffic profiling to establish baselines for normal vs. abnormal traffic.
- Over-provision resources to be able to absorb some attack volume without disruption.
- Deploy anti-DDoS mitigation services either on-premise or from cloud providers.
- Improve system and application resiliency against abnormal requests.
- Refine ACLs, enact rate limiting, and tighten firewall policies.
- Monitor botnet communications to detect compromised devices.
A hybrid model combining on-premise and cloud-based DDoS protection is an effective modern strategy. DDoS mitigation services can also be helpful by cleaning and filtering incoming traffic before it hits the target. With multiple redundant layers, impact can be minimized when attacks occur.
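Two of the controls listed above, rate limiting per source and a traffic baseline for spotting abnormal spikes, are shown here in a small Python example added to this article (not the article's own code). The token-bucket parameters, the baseline figures and the request streams are all constructed for illustration.

```python
import statistics
from collections import defaultdict


class TokenBucket:
    """Per-source rate limiter: refill `rate` tokens per second, burst up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.buckets = defaultdict(lambda: [capacity, 0.0])  # src -> [tokens, last_ts]

    def allow(self, src, now):
        tokens, last = self.buckets[src]
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = [tokens - 1, now]
            return True
        self.buckets[src] = [tokens, now]  # out of tokens: drop, keep refilling
        return False


def simulate(limiter, requests):
    """requests: list of (timestamp, src). Returns (allowed, dropped) counts."""
    allowed = dropped = 0
    for ts, src in requests:
        if limiter.allow(src, ts):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


def spike_detected(history, current, k=3.0):
    """Flag `current` (requests per interval) if it exceeds baseline mean + k standard deviations."""
    mean = statistics.mean(history)
    std = statistics.pstdev(history) or 1.0  # guard against a perfectly flat baseline
    return current > mean + k * std


# Constructed streams: one source fires 100 requests in one second; ten sources send 5 each.
FLOOD = [(i / 100, "203.0.113.9") for i in range(100)]
NORMAL = [(i / 5, f"198.51.100.{n}") for n in range(10) for i in range(5)]
BASELINE = [50, 55, 48, 52, 60, 47, 53, 51]  # constructed: requests per interval on normal days
```

Rate limiting alone does not stop a distributed flood spread thinly across many sources, which is why the baseline check and upstream filtering sit alongside it.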
What are the legal implications of DDoS attacks?
DDoS attacks are illegal. They frequently cross state and national boundaries, making prosecution complex. However, legal options exist to pursue cybercriminals who engage in denial-of-service activities:
- In the United States, DDoS attacks may be prosecuted under federal law as a felony under the Computer Fraud and Abuse Act.
- Perpetrators may face additional charges linked to the use of compromised devices in the attacks, including hacking, computer trespass, privacy violations, etc.
- Victims can pursue civil litigation to recover costs related to system damage, lost revenue, and other attack impacts.
- Working through law enforcement, attackers’ extradition to the United States for prosecution may be possible depending on their location and applicable treaties.
- Alternatively, foreign governments may prosecute local attackers under their own cybercrime laws.
Organizations should work with knowledgeable legal counsel to explore options. Thorough forensic investigation and tracing the attack to its source are important prerequisites for prosecution. Law enforcement agencies like the FBI may become involved in cases where critical infrastructure is targeted or severe harm is caused.
Conclusion
DDoS techniques allow malicious actors to cripple target organizations by overwhelming their networks and infrastructure with bogus traffic. By leveraging botnets comprising thousands or even millions of compromised devices, attackers can rain down massive volumes of requests that exceed victims’ capacity to respond. While there are defensive strategies, DDoS attacks remain a severe threat given their low barriers to entry and the extensive damage they inflict. A layered security approach is key to minimizing harm, along with vigilance, prevention, and response planning.