A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up highways, preventing regular traffic from arriving at its destination.
How does a DDoS attack work?
A DDoS attack uses a large number of compromised devices to overwhelm a target with fake traffic. This flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
There are three types of DDoS attacks:
Volume-based DDoS Attacks
These attacks aim to saturate the bandwidth of the attacked network or service. Floods of incoming messages overwhelm the target’s infrastructure by consuming available bandwidth, thereby preventing access to legitimate users. Volume-based attacks include UDP floods and amplification attacks.
Protocol DDoS attacks
These attacks target weaknesses in the protocols the victim system relies on. They typically consume actual server resources, causing the server to crash or stop accepting connections. Protocol attack vectors include SYN floods, Ping of Death, Smurf DDoS, and more.
Application Layer DDoS
Application-layer attacks target web application requests to disrupt the applications running on servers. Attackers send a high volume of legitimate-looking requests to a web service, consuming its resources and making the application slow or unresponsive. HTTP floods and Slowloris are examples of application-layer DDoS attacks.
Common DDoS attack vectors
A User Datagram Protocol (UDP) flood is a volumetric DDoS attack that exploits the UDP protocol. UDP is connectionless and does not require a three-way handshake as TCP does. Attackers send a huge number of UDP packets to random ports on the victim system. Most of these ports have no listening service, so the packets are never acknowledged by an application. The victim nonetheless checks each port for a listening application and answers with an ICMP Destination Unreachable message, thereby exhausting its own resources.
An ICMP (Internet Control Message Protocol) flood is a simple DDoS attack in which the attacker sends a huge volume of ICMP echo request packets (pings) to the target. The target answers each request with an echo reply, so inbound requests and outbound responses together congest the network bandwidth and make the target unreachable.
A SYN flood attack exploits the TCP three-way handshake process. TCP connections begin with a SYN packet sent from the client to the server. The server acknowledges this with a SYN-ACK response and the client completes the connection with an ACK.
In a SYN flood, the attacker sends multitudes of SYN requests with spoofed source IP addresses and never completes the handshake. The server's connection backlog fills with connections in the half-open state. These half-open connections will eventually time out, but in the meantime new incoming SYN requests are dropped, denying service to legitimate users.
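The backlog exhaustion described above, as an added example that is not part of the original article: a small tracker models a listen backlog of fixed size, counts half-open connections per source, and shows that once the backlog is full a normal client's SYNs are dropped along with the attacker's. The packet records, addresses, and the two limits are constructed for this example.

```python
"""
Added example (not from the original article): a half-open connection tracker that
models a server's SYN backlog and flags the traffic pattern a SYN flood produces.
Packet records are constructed inline; field names and limits are hypothetical.
"""
from collections import defaultdict

BACKLOG_LIMIT = 128          # hypothetical size of the listen backlog
FLOOD_THRESHOLD = 50         # half-open connections from one source before it is flagged


def track_half_open(packets):
    """
    packets: list of (src_ip, src_port, flags) tuples in arrival order, where flags is
    "SYN" (new request) or "ACK" (client completed the handshake).
    Returns (half_open_per_source, dropped_syns, flagged_sources).
    """
    half_open = {}                       # (src_ip, src_port) -> waiting for the final ACK
    per_source = defaultdict(int)        # src_ip -> number of half-open connections
    dropped = 0
    for src_ip, src_port, flags in packets:
        key = (src_ip, src_port)
        if flags == "SYN":
            if len(half_open) >= BACKLOG_LIMIT:
                dropped += 1             # backlog full: legitimate SYNs are dropped too
                continue
            half_open[key] = True
            per_source[src_ip] += 1
        elif flags == "ACK" and key in half_open:
            del half_open[key]           # handshake finished, backlog slot released
            per_source[src_ip] -= 1
    flagged = sorted(ip for ip, n in per_source.items() if n >= FLOOD_THRESHOLD)
    return dict(per_source), dropped, flagged


def constructed_traffic():
    """
    Constructed sample: one source opens 150 handshakes it never completes, interleaved
    with a normal client that completes every handshake it starts.
    """
    pkts = []
    for port in range(1000, 1150):
        pkts.append(("198.51.100.7", port, "SYN"))     # never followed by an ACK
        if port % 10 == 0:
            pkts.append(("192.0.2.10", port, "SYN"))
            pkts.append(("192.0.2.10", port, "ACK"))
    return pkts


if __name__ == "__main__":
    per_source, dropped, flagged = track_half_open(constructed_traffic())
    print("half-open per source:", per_source)
    print("SYNs dropped because the backlog was full:", dropped)
    print("flagged sources:", flagged)
```

Because the attacker's addresses are spoofed, counting per source only works while the spoofed pool is small; in practice the durable fix is SYN cookies (net.ipv4.tcp_syncookies on Linux), which lets the server answer SYNs without holding backlog state until the ACK arrives.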
HTTP flooding mimics legitimate traffic by sending seemingly valid HTTP GET or POST requests to a web server. Attackers use botnets made up of compromised devices to send a huge number of HTTP requests to target websites and web applications. This consumes web server resources such as RAM, CPU and sockets, leading to denial of service.
A DNS amplification attack is a reflective DDoS technique that exploits weaknesses in the DNS protocol. The attacker spoofs the IP address of the victim system as the source of a DNS lookup request sent to an open DNS server. The DNS server then sends its response to the victim's IP address.
Since the DNS response is significantly larger than the request, the attacker amplifies the volume of traffic directed at the target. DNS amplification attacks can achieve mammoth bandwidth by exploiting thousands of open DNS resolvers.
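The two signs of the reflection described above, as an added example that is not part of the original article: responses arriving at a host that never sent a matching query, and response sizes far larger than the query that triggered them. The detector below runs over flow records constructed for this example (the record layout, addresses and alert threshold are assumptions); at the victim's edge the reflected answers show up with no query at all, while a resolver that returns very large answers to real queries shows up through its amplification ratio.

```python
"""
Added example (not from the original article): flags reflected or amplified DNS traffic
in flow records. Flow layout, addresses and the alert threshold are constructed.
"""
from collections import defaultdict

AMPLIFICATION_ALERT = 10.0   # hypothetical: flag resolvers amplifying more than 10x

CONSTRUCTED_FLOWS = [
    # normal lookup by a client on our network: 60-byte query, 120-byte answer
    {"src": "192.0.2.10", "dst": "203.0.113.53", "sport": 40001, "dport": 53, "bytes": 60},
    {"src": "203.0.113.53", "dst": "192.0.2.10", "sport": 53, "dport": 40001, "bytes": 120},
    # a very large answer to a query the client really sent: high amplification ratio
    {"src": "192.0.2.10", "dst": "203.0.113.77", "sport": 40002, "dport": 53, "bytes": 64},
    {"src": "203.0.113.77", "dst": "192.0.2.10", "sport": 53, "dport": 40002, "bytes": 3500},
    # reflected answers hitting a victim that never sent any query
    {"src": "203.0.113.99", "dst": "198.51.100.5", "sport": 53, "dport": 80, "bytes": 3000},
    {"src": "203.0.113.99", "dst": "198.51.100.5", "sport": 53, "dport": 80, "bytes": 3000},
    {"src": "203.0.113.99", "dst": "198.51.100.5", "sport": 53, "dport": 80, "bytes": 3000},
]


def analyse_dns_flows(flows):
    """
    Queries are flows to dport 53, responses are flows from sport 53.
    Returns {resolver_ip: {"client", "unsolicited", "amplification"}} for resolvers
    whose responses were unsolicited or exceeded AMPLIFICATION_ALERT.
    """
    queries = defaultdict(int)      # (client, resolver) -> query bytes seen leaving the client
    responses = defaultdict(int)    # (resolver, client) -> response bytes arriving at client
    unsolicited = defaultdict(int)  # resolver -> responses for which no query was seen
    for f in flows:
        if f["dport"] == 53:
            queries[(f["src"], f["dst"])] += f["bytes"]
        elif f["sport"] == 53:
            responses[(f["src"], f["dst"])] += f["bytes"]
            if (f["dst"], f["src"]) not in queries:
                unsolicited[f["src"]] += 1
    report = {}
    for (resolver, client), resp_bytes in responses.items():
        q_bytes = queries.get((client, resolver), 0)
        ratio = resp_bytes / q_bytes if q_bytes else None   # None: nothing to compare with
        if unsolicited[resolver] or (ratio is not None and ratio > AMPLIFICATION_ALERT):
            report[resolver] = {"client": client,
                                "unsolicited": unsolicited[resolver],
                                "amplification": ratio}
    return report


if __name__ == "__main__":
    for resolver, info in analyse_dns_flows(CONSTRUCTED_FLOWS).items():
        print(resolver, info)
```

On the resolver side, the corresponding control is to answer recursive queries only for the networks the resolver serves and to rate-limit responses, so the resolver cannot be used as a reflector in the first place.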
Like DNS amplification, Network Time Protocol (NTP) amplification is a reflective DDoS attack. By sending small spoofed requests to vulnerable NTP servers, the attacker exploits the large responses from the server to flood the victim's system. Misconfigured NTP servers that still answer the monlist command are used to launch amplified DDoS attacks.
The Slowloris attack works at the application layer by holding numerous connections to the target web server open and sending partial HTTP requests very slowly. It tries to starve the HTTP server's thread pool by causing many connections to remain in an incomplete state for a long time. Ultimately this leads to resource exhaustion and denial of service.
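The two controls a web server front end needs against the HTTP flood and Slowloris sections above, as an added example that is not part of the original article: a cap on concurrent connections per client address, and a deadline by which a connection must deliver a complete request before it is closed. The connection table below is a model of those controls rather than any particular server's implementation; the limits, timestamps and addresses are constructed.

```python
"""
Added example (not from the original article): a connection table with a per-client
concurrency cap (blunts HTTP floods from a single address) and a header-completion
timeout (reaps Slowloris-style connections). Limits and the scenario are constructed.
"""
from collections import defaultdict

MAX_CONN_PER_IP = 10         # hypothetical cap on concurrent connections per client
HEADER_TIMEOUT = 5.0         # seconds a connection may stay open without a complete request


class ConnectionTable:
    def __init__(self):
        self.conns = {}                        # conn_id -> {"ip", "opened", "complete"}
        self.per_ip = defaultdict(int)         # client ip -> open connection count
        self.rejected = 0                      # connections refused by the per-IP cap
        self.reaped = 0                        # connections closed by the header timeout

    def open(self, conn_id, ip, now):
        """Accept a new connection unless the client already holds MAX_CONN_PER_IP."""
        if self.per_ip[ip] >= MAX_CONN_PER_IP:
            self.rejected += 1
            return False
        self.conns[conn_id] = {"ip": ip, "opened": now, "complete": False}
        self.per_ip[ip] += 1
        return True

    def headers_complete(self, conn_id):
        """Mark that the client finished sending its request headers."""
        if conn_id in self.conns:
            self.conns[conn_id]["complete"] = True

    def close(self, conn_id):
        c = self.conns.pop(conn_id, None)
        if c:
            self.per_ip[c["ip"]] -= 1

    def reap(self, now):
        """Close every connection still lacking a complete request after HEADER_TIMEOUT."""
        stale = [cid for cid, c in self.conns.items()
                 if not c["complete"] and now - c["opened"] > HEADER_TIMEOUT]
        for cid in stale:
            self.close(cid)
        self.reaped += len(stale)
        return len(stale)


def simulate_slowloris():
    """
    Constructed scenario: one client opens 30 connections and never finishes a request,
    while a normal client opens one connection and completes its request promptly.
    """
    table = ConnectionTable()
    for i in range(30):
        table.open(f"slow-{i}", "198.51.100.7", now=0.0)
    table.open("good-1", "192.0.2.10", now=1.0)
    table.headers_complete("good-1")
    table.reap(now=6.0)
    return table


if __name__ == "__main__":
    t = simulate_slowloris()
    print("rejected by per-IP cap:", t.rejected)
    print("reaped by header timeout:", t.reaped)
    print("still open:", list(t.conns))
```

Real servers expose the same two knobs under different names (a client header timeout and a per-address connection limit); a distributed HTTP flood from many addresses additionally needs rate limiting keyed on request behaviour rather than on the source address alone.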
Ping of Death
In a Ping of Death attack, the attacker sends malformed or oversized ping packets to crash or freeze the target system. The attacker sends ICMP echo requests that, once their IP fragments are reassembled, exceed the maximum allowed IP packet size of 65,535 bytes. A system that does not check this bound during reassembly can crash or lock up.
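The bound a reassembly routine has to enforce, as an added example that is not part of the original article: each IPv4 fragment carries its offset in 8-byte units, so the reassembled datagram is oversized whenever the 20-byte header plus offset * 8 plus the fragment's payload length exceeds 65,535. The fragment values below are constructed, and the code assumes an IPv4 header without options.

```python
"""
Added example (not from the original article): the length check that rejects a
Ping of Death during IPv4 fragment reassembly. Fragment values are constructed and
the header is assumed to carry no options.
"""
IPV4_MAX_LENGTH = 65535       # maximum IPv4 total length (16-bit field)
IPV4_HEADER_LENGTH = 20       # assumed header length, no options


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment's payload in the reassembled datagram."""
    return offset_units * 8 + payload_len


def accept_fragment(offset_units, payload_len):
    """True if the fragment still fits inside a legal datagram."""
    return IPV4_HEADER_LENGTH + fragment_end(offset_units, payload_len) <= IPV4_MAX_LENGTH


def reassemble(fragments):
    """
    fragments: list of (offset_units, payload_bytes). Returns the reassembled payload,
    or None as soon as any fragment would push the datagram past the limit.
    """
    buf = bytearray()
    for offset_units, payload in sorted(fragments, key=lambda f: f[0]):
        if not accept_fragment(offset_units, len(payload)):
            return None                      # oversized datagram: drop instead of overflowing
        start = offset_units * 8
        if len(buf) < start:
            buf.extend(b"\x00" * (start - len(buf)))   # hole for not-yet-seen fragments
        buf[start:start + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    # constructed: two small fragments form a legal datagram
    print(reassemble([(0, b"A" * 8), (1, b"B" * 4)]))
    # constructed: a fragment at the highest offset with 100 bytes of payload overflows
    print(reassemble([(0, b"A" * 8), (8189, b"C" * 100)]))
```

The largest legal final fragment sits at offset 8189 (65,512 bytes) and may carry at most 3 bytes of payload; anything longer at that offset is what the check rejects.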
DDoS attack tools
Attackers leverage a range of tools and botnets to launch DDoS attacks. Here are some common DDoS weapons:
Botnets are networks of infected computers controlled centrally by a cybercriminal. By infecting thousands of Internet-connected devices with malware, attackers can harvest an army of zombie devices to carry out massively distributed denial of service attacks. IoT botnets of compromised smart devices are a growing concern.
Stressers or booters are DDoS-for-hire services that provide on-demand network stress-testing and attack capabilities. These tools allow anyone to pay to flood a target with an overwhelming amount of junk traffic and launch DDoS attacks easily.
DDoS for Windows (DFWIN)
An open-source DDoS tool for the Windows OS that can perform multiple types of Layer 7 DDoS attacks.
Low Orbit Ion Cannon (LOIC)
A popular open source stress test and denial-of-service attack application written in C#. Initially developed for network stress testing, LOIC has become infamous for its use in DDoS attacks by Anonymous hacktivists.
High Orbit Ion Cannon (HOIC)
An open source network stress tool and application layer DDoS attack tool based on LOIC. HOIC allows users to voluntarily contribute their computer’s bandwidth towards DDoS attacks on target websites.
| Tool | Description |
|---|---|
| Stressers/Booters | DDoS for hire |
| DFWIN | Windows DDoS tool |
| LOIC | Open source stress tester |
| HOIC | Voluntary DDoS tool |
DDoS attack symptoms
When a system is hit by a DDoS attack, the impact can include:
- Unavailability of a website
- Drastic increase in bandwidth utilization
- Slow network performance
- Increase in unusual traffic such as UDP or ICMP floods
- Surge in inbound traffic from botnet IP addresses
- Spike in HTTP error responses
- Excessive resource consumption
- Frequent spikes in CPU and memory usage
These symptoms indicate abnormal network conditions that can point to an ongoing DDoS attack.
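Most of the symptoms listed above are deviations from a baseline, so the practical detection is a baseline comparison. As an added example that is not part of the original article, the detector below learns the mean and standard deviation of a metric from a quiet window and flags later samples that exceed the baseline by more than a chosen number of standard deviations. It is shown on a constructed series of inbound bytes per minute, but the same function works on any of the listed metrics (HTTP error counts, CPU usage); the threshold is a hypothetical choice.

```python
"""
Added example (not from the original article): a baseline spike detector for the
DDoS symptoms above. The series and the sigma threshold are constructed.
"""
import statistics

DEVIATIONS = 4.0             # hypothetical: flag samples more than 4 sigma above baseline


def baseline(samples):
    """Mean and population standard deviation of a quiet training window."""
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    return mean, max(sd, 1e-9)   # guard against division by zero on a flat baseline


def detect_spikes(series, train_len):
    """
    Use series[:train_len] as the quiet baseline and return the indexes in the rest of
    the series that exceed mean + DEVIATIONS * sd.
    """
    mean, sd = baseline(series[:train_len])
    return [i for i in range(train_len, len(series))
            if (series[i] - mean) / sd > DEVIATIONS]


# Constructed per-minute inbound byte counts: 20 quiet minutes of roughly 1 MB each
# (small periodic variation), then a flood peaking at about 50x the baseline.
QUIET = [1_000_000 + 20_000 * ((i * 7) % 5) for i in range(20)]
FLOOD = [1_100_000, 25_000_000, 48_000_000, 52_000_000, 1_050_000]
SERIES = QUIET + FLOOD


if __name__ == "__main__":
    mean, sd = baseline(QUIET)
    print(f"baseline mean={mean:.0f} sd={sd:.0f}")
    print("spike minutes:", detect_spikes(SERIES, train_len=20))
```

A fixed quiet window is the simplest form; production monitoring usually re-learns the baseline per hour of day and day of week so that ordinary daily peaks are not reported as attacks.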
DDoS attack prevention
Here are some key strategies to defend against DDoS attacks:
Enhance network bandwidth
Having excess capacity on network links allows DDoS floods to be absorbed without service outages. Overprovisioning bandwidth ensures legitimate traffic gets through despite attack floods.
Implement protocol filtering
Filtering or rate-limiting protocols that the service does not need, such as ICMP, and reducing timeouts for incomplete connections protect against protocol DDoS attacks like SYN floods.
Deploy intelligent DDoS mitigation
Specialized DDoS protection solutions perform traffic profiling to detect anomalies and apply intelligent rate limiting on attack traffic while allowing legitimate connections.
Enable blackhole routing
Blackholing or null routing redirects attack traffic to a null route, acting like a black hole that discards everything sent to it. This allows DDoS floods to be discarded near the network edge, at the cost that any legitimate traffic to the blackholed destination is discarded as well.
Perform stress tests
Ethical stress testing with tools like LOIC or Hping3 can reveal DDoS weaknesses in advance, before real attacks strike. Proactively fixing weak spots improves resilience.
Block spoofed IP addresses
Attackers forge the source IP address in DDoS packets to hide their identity. Ingress filtering that accepts only packets whose source address is valid for the link they arrive on stops spoofed DDoS floods at the network edge.
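The ingress filtering described above, as an added example that is not part of the original article: each interface is allowed only the source prefixes that legitimately sit behind it, private and other martian sources are never accepted from outside, and a packet claiming an internal source but arriving from upstream is dropped. The topology, prefixes and sample packets are constructed for this example.

```python
"""
Added example (not from the original article): an ingress filter that drops packets
whose source address cannot legitimately arrive on the receiving interface.
Topology, prefixes and sample packets are constructed.
"""
import ipaddress

# Sources that must never appear on an Internet-facing link (RFC 1918, loopback,
# link-local, "this network"). Documentation ranges are kept usable for the sample.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Hypothetical topology: the customer link carries only the customer's own prefix; the
# upstream link should never deliver packets that claim to come from inside our network.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
INTERFACE_PREFIXES = {
    "customer0": [ipaddress.ip_network("192.0.2.0/24")],
    "upstream0": None,   # None: any non-martian, non-internal source is acceptable
}


def ingress_decision(interface, src_ip):
    """Return ("accept" | "drop", reason) for a packet with src_ip arriving on interface."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in MARTIANS):
        return "drop", "martian source"
    allowed = INTERFACE_PREFIXES[interface]
    if allowed is None:
        if any(src in net for net in INTERNAL_PREFIXES):
            return "drop", "internal prefix arriving from upstream"
        return "accept", "external source on upstream"
    if any(src in net for net in allowed):
        return "accept", "source belongs to this interface"
    return "drop", "source not routable via this interface"


def filter_packets(packets):
    """packets: list of (interface, src_ip). Returns [(src_ip, decision, reason), ...]."""
    return [(src, *ingress_decision(iface, src)) for iface, src in packets]


# Constructed sample: one legitimate customer packet, one spoofed packet on the customer
# link, one normal external packet, one spoofed internal address from upstream, one martian.
SAMPLE_PACKETS = [
    ("customer0", "192.0.2.10"),
    ("customer0", "198.51.100.7"),
    ("upstream0", "203.0.113.5"),
    ("upstream0", "192.0.2.10"),
    ("upstream0", "10.1.2.3"),
]

if __name__ == "__main__":
    for src, decision, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{src:16} {decision:6} {reason}")
```

The customer-side rule is the one that matters most for the Internet as a whole: it prevents hosts behind that link from emitting spoofed packets, which is what makes the reflection attacks described earlier possible.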
Cloud DDoS protection
Cloud-based scrubbing services provide DDoS protection by serving as a traffic proxy between the Internet and the protected target origin servers. Traffic is routed through scrubbing centers where sophisticated detection and mitigation techniques filter out DDoS attack traffic. This removes the burden of on-premise DDoS defense.
How cloud DDoS protection works
- Traffic is redirected to cloud scrubbing centers instead of the real servers.
- Sophisticated algorithms identify and filter out malicious attack traffic.
- Legitimate user traffic is forwarded to the origin servers.
- DDoS attacks are absorbed in the cloud without impacting services.
Key cloud DDoS protection features:
- Always-on DDoS mitigation
- Zero-day attack protection
- Global threat intelligence
- Multi-layered scrubbing
- Easy traffic redirection
- Real-time monitoring and reporting
Benefits of cloud DDoS protection
- No hardware costs – pay only for traffic scrubbed
- Offloads attack traffic far from the data center
- Absorbs even large volumetric DDoS attacks
- Frees up valuable security team resources
- Easy and quick deployment, no network changes needed
- Flexible options from free to premium services
DDoS attackers employ a variety of techniques to overwhelm systems with malicious traffic and deny access to legitimate users. Understanding the common DDoS attack vectors allows organizations to implement targeted safeguards against each threat. A multilayer strategy combining protocol filtering, traffic monitoring, IP blackholing and overflow capacity can mitigate most DDoS attacks on-premise. However, today's massive and sophisticated DDoS assaults often require cloud-based scrubbing to defend Internet-facing resources reliably.