A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is a coordinated cyberattack on a server, service, website, or network that floods it with Internet traffic. The attack overwhelms the target’s resources so that it cannot respond or be accessed by legitimate users.
The goal of a DDoS attack is to render the target inoperable. By flooding the target with more requests than it can accommodate, the attacker causes slowness or unavailability of services to authorized users. DDoS attacks do not typically damage data or infrastructure, but they can cost organizations in lost revenue or productivity during an outage.
DDoS attacks have grown exponentially in frequency, size and complexity in recent years. Some major DDoS attacks have included:
– In February 2022, a massive DDoS attack in Ukraine disrupted service to banks and websites before Russia invaded.
– In 2016, a DDoS attack utilizing the Mirai botnet affected DNS provider Dyn and major sites including Twitter, Netflix, Reddit, Spotify and others.
– In 2013, attackers targeted content delivery network Cloudflare and slowed traffic across the Internet.
– In 2010, “Operation Payback” launched by the hacktivist group Anonymous used the LOIC tool to take down sites of organizations opposed to WikiLeaks.
How Does a DDoS Attack Work?
Distributed Denial of Service attacks work by utilizing multiple compromised systems to target a single system. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
To conduct a DDoS attack, an attacker begins by exploiting vulnerabilities on other computers and servers around the globe using malware. The compromised machines become part of a botnet, which is a collection of internet-connected devices controlled by a hacker without the device owner’s knowledge.
Botnets may consist of home computers, corporate servers, and Internet of Things (IoT) or mobile devices. These machines are usually geographically dispersed. Once infected, they can be triggered on command to simultaneously barrage the target with traffic.
The attacker controls the botnet using command and control (C&C) software, unseen by the device owner. When the hacker initiates an attack, the C&C software instructs the botnet machines to send requests to the target until it cannot handle the traffic volume or crashes.
Main Types of DDoS Attacks
There are several main types of DDoS attacks, which are categorized by the kind of traffic or requests used to overwhelm the target:
– Volumetric Attacks: This type of DDoS aims to saturate the target’s bandwidth. Attackers send a continuous stream of malicious traffic to a web server or network device, for example UDP floods, ICMP floods, or amplification attacks.
– Protocol Attacks: These attacks target the network layer with floods that abuse protocol handshakes and connection state, such as SYN floods, ACK floods, and TCP FIN floods, to consume the target’s resources.
– Application Layer Attacks: Slowloris, GET/POST floods and other application attacks target web servers and applications by exhausting resources on the server, such as sockets or threads.
– Permanent Denial of Service Attacks: PDoS attacks differ from DDoS in that they permanently disable a system or piece of hardware, such as bricking IoT devices with firmware modifications.
Main Causes of DDoS Attacks
DDoS attacks have multiple motives and many possible perpetrators. However, there are some primary reasons why attackers unleash DDoS attacks:
Cybercrime and Extortion
One of the top causes of DDoS attacks is cybercriminals attempting extortion. By flooding sites or networks with traffic and disrupting operations, attackers aim to force target organizations to pay a ransom to stop the attack.
Criminal groups may threaten a company with a dedicated DDoS attack against them unless the ransom is paid. The frequency of ransom DDoS (RDoS) attacks has risen dramatically, targeting organizations in many industries including finance, retail, gambling, and healthcare.
Ransom demands in extortion DDoS attacks range from a few hundred to tens of thousands of dollars, paid in cryptocurrency. Criminals run DDoS-for-ransom schemes because they can be highly effective at compelling victims to pay, given the revenue businesses lose during downtime.
Hacktivism
Hacktivists launch DDoS attacks for political or social reasons, often related to freedom of speech conflicts. Groups like Anonymous have coordinated DDoS campaigns against government agencies, corporations, and organizations that aim to silence or censor speech.
In these activist-motivated attacks, participants voluntarily allow their devices to become part of the botnet to overwhelm targets through grassroots action. Attacks for hacktivist purposes tend to be episodic to draw attention to a cause, rather than for continuous extortion.
Cyberwarfare
Nation-states are increasingly using DDoS attacks as a cyberweapon against enemy governments, infrastructure or corporations. Large-scale DDoS attacks have crippled networks during times of geopolitical conflict.
In cyberwarfare, the two main goals are to damage infrastructure or to reduce public morale. DDoS attacks on government sites demonstrate power and weaken confidence in leadership. Attacks on infrastructure such as power grids or water systems disrupt vital services.
State-sponsored DDoS attacks are also used for electronic espionage. Floods of traffic can cause networks to reset connections, during which encryption keys can be stolen. DDoS can also serve as a diversion tactic while other spyware or malware infiltrates a target network.
Disgruntled Insiders
While external hackers cause many DDoS attacks, disgruntled employees or former staff also unleash DDoS attacks from the inside. Insiders may attack networks as revenge for perceived mistreatment or termination. Their knowledge of internal IT systems facilitates more coordinated attacks that target vulnerabilities.
Compromised credentials provide access to control panels and source code, so even lower-skilled insiders can inflict serious harm. Internal attacks also tend to last longer, since staff are rarely suspected until evidence of an attack emerges.
Advantages for Attackers
The rise of DDoS-for-hire services has also contributed to the prevalence of attacks. Individuals can now easily pay to rent a botnet and bombard targets chosen through a web interface. DDoS is inexpensive and uncomplicated relative to other cybercrimes.
Attackers also like DDoS because it is harder to trace to a source compared to other online attacks. Law enforcement has difficulty tracking down attackers who utilize botnets with thousands of constantly changing nodes. And attackers can cover their tracks by routing attacks through intermediate servers.
The availability of more powerful botnets increases attackers’ impact. The rise of insecure IoT devices provides millions of vulnerable endpoints to enslave for attacks. New reflection and amplification techniques also increase the scale of traffic floods.
Preventing DDoS Attacks
While DDoS attacks cannot be completely prevented given their nature, organizations can take measures to deter and mitigate them. A combination of advanced monitoring, proactive hardening, and emergency response planning helps minimize downtime. Key precautions include:
Monitoring Traffic
Monitoring for abnormalities in incoming traffic can provide warning of an impending large-scale DDoS attack or help identify an attack underway. Sudden surges in traffic, unusual concentrations of requests from regions, or suspicious spikes at odd hours may indicate DDoS botnets mobilizing.
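The two signals this section describes, a sudden surge against the recent baseline and an unusual concentration of requests from one region, can be checked in a single pass over access logs. The following is an added example, not code from the original article: the log format (`<ISO-8601 UTC> <src_ip> <country>`), the sample traffic and the thresholds (10 s windows, 5× baseline, 70% concentration) are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def make_sample_log():
    """Constructed log lines ('<ISO-8601 UTC> <src_ip> <country>'), not real traffic:
    60 s of quiet, geographically mixed baseline, then 10 s flooded from one region."""
    countries = ["US", "DE", "BR", "JP", "IN", "FR"]
    lines = [f"2024-05-01T00:00:{sec:02d}Z 198.51.100.{i} {countries[i % 6]}"
             for i, sec in enumerate(range(0, 60, 5))]            # 2 requests per 10 s window
    lines += [f"2024-05-01T00:01:{i // 4:02d}Z 203.0.113.{i} XX"  # 40 requests from 40 sources,
              for i in range(40)]                                 # all in one fictional region
    return lines

def parse(lines):
    """Yield (epoch_seconds, src_ip, country) tuples from the constructed log format."""
    for line in lines:
        ts, ip, cc = line.split()
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        yield int(epoch), ip, cc

def bucket(events, window_s=10):
    """Group events into fixed windows keyed by window start (epoch seconds)."""
    buckets = defaultdict(list)
    for epoch, ip, cc in events:
        buckets[epoch - epoch % window_s].append((ip, cc))
    return dict(sorted(buckets.items()))

def detect(lines, window_s=10, surge_factor=5.0, concentration=0.7,
           min_baseline=3, min_count=20):
    """Flag a window when its request count exceeds surge_factor x the running baseline
    (mean of all earlier windows, floored at min_baseline so a near-idle site does not
    alert on noise), or when one region supplies more than `concentration` of at least
    min_count requests in that window. Returns (window_start_iso, reason) tuples."""
    alerts, history = [], []
    for start, reqs in bucket(parse(lines), window_s).items():
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        count = len(reqs)
        if history:
            baseline = max(sum(history) / len(history), min_baseline)
            if count > surge_factor * baseline:
                alerts.append((when, f"surge: {count} requests vs baseline {baseline:.1f}/window"))
        top_cc, top_n = Counter(cc for _, cc in reqs).most_common(1)[0]
        if count >= min_count and top_n / count > concentration:
            distinct = len({ip for ip, _ in reqs})
            alerts.append((when, f"concentration: {top_n}/{count} requests from {top_cc} "
                                 f"across {distinct} source IPs"))
        history.append(count)
    return alerts
```

Both alerts fire on the same window for the constructed flood; the distinct-source count in the concentration alert is what separates a botnet-style flood from a single misbehaving client.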
Reinforcing Capacity
Scaling bandwidth and IT infrastructure provides more headroom to absorb DDoS floods without severe slowdowns. Working with upstream ISPs to increase capacity prevents bottlenecks for incoming traffic. Load balancing distributes requests across servers.
Filtering Traffic
Security teams should filter incoming traffic to identify and block known malicious IP addresses and suspicious packets. Routers and firewalls can help halt denial of service traffic. However, on-premises solutions may still allow traffic floods to cause congestion upstream, outside the perimeter, before the filtering point is reached.
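The per-source filtering described here combines two controls: a blocklist of known-bad networks and a rate limit that throttles any single source exceeding a sustainable request rate while low-rate clients pass untouched. The following is an added illustration, not the article’s or any vendor’s code; the blocklisted range, the token-bucket parameters (2 requests/s, burst of 5) and the sample traffic are constructed, and all addresses come from documentation ranges.

```python
import ipaddress
from collections import Counter, defaultdict

class SourceFilter:
    """Illustrative per-source admission control (not a real firewall): a static
    blocklist of known-bad networks plus a token bucket per source IP, so one
    flooding source is throttled while low-rate clients keep being served."""

    def __init__(self, blocklist, rate_per_s=2.0, burst=5):
        self.blocklist = [ipaddress.ip_network(n) for n in blocklist]
        self.rate, self.burst = rate_per_s, burst
        self.buckets = {}                      # src_ip -> (tokens, last_seen_time)

    def _blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocklist)

    def admit(self, now, ip):
        """Return 'block' (on blocklist), 'drop' (rate-limited) or 'allow' for one request."""
        if self._blocked(ip):
            return "block"
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last seen
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return "allow"
        self.buckets[ip] = (tokens, now)
        return "drop"

def make_sample_traffic():
    """Constructed (time_s, src_ip) requests over 10 s: a normal client at 1 req/s,
    a flooder at 50 req/s, and a source inside a blocklisted range."""
    reqs = [(t, "198.51.100.7") for t in range(10)]
    reqs += [(i / 50, "203.0.113.9") for i in range(500)]
    reqs += [(t, "192.0.2.200") for t in range(10)]
    return sorted(reqs)

def run(filter_, requests):
    """Apply the filter to requests in time order; return verdict counts per source."""
    counts = defaultdict(Counter)
    for now, ip in requests:
        counts[ip][filter_.admit(now, ip)] += 1
    return {ip: dict(c) for ip, c in counts.items()}

def demo():
    """Filter the constructed traffic with 192.0.2.0/24 on the blocklist."""
    return run(SourceFilter(["192.0.2.0/24"]), make_sample_traffic())
```

With these parameters the flooder gets roughly 25 of its 500 requests through (5 burst tokens plus 2 per second of refill), which is the sustainable budget the limiter enforces; the normal client is never dropped.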
Utilizing Cloud Mitigation
Cloud-based DDoS mitigation services can scrub attack traffic in massive scrubbing centers before it hits an organization’s network perimeter. These services identify and filter out bad traffic while allowing good user traffic to pass through to the target site or network.
Limiting Exposure
Reducing the attack surface also limits impact. Removing unnecessary ports and services, patching vulnerabilities quickly, requiring strong passwords and two-factor authentication, and locking down infrastructure all help reduce risk.
Creating Emergency Plans
DDoS response plans allow faster decision making and reaction in the event an attack succeeds in disrupting services. Emergency procedures should assign roles to IT teams and executives and define methods to assess damage, protocols for contacting providers or law enforcement, and plans for internal and external communication.
Conclusion
DDoS attacks remain a potent threat to organizations as the size, complexity, and frequency continue to increase each year. By compromising internet-connected machines globally, hackers can now easily harness massive botnets to overwhelm targets.
Cybercriminals conduct most DDoS attacks for the purposes of extortion, aiming to force ransom payments from companies by disrupting revenue-generating online services. However, hacktivists, nation-states, and insiders also unleash disruptive floods of traffic for their own reasons.
There is no single solution for preventing DDoS attacks entirely. But organizations can take measures to deter, detect, and better withstand DDoS events when they occur through a combination of monitoring, hardening defenses, increasing capacity, filtering traffic, utilizing cloud scrubbing and preparing an emergency response plan.