WFY BUREAU UK:
DDoS Attack Explained
A DDoS attack, short for distributed denial-of-service attack, is an attack in which an adversary floods a server, service or network with traffic from many sources at once, so that legitimate users can no longer reach the online services and sites that depend on it.
Motivations for DDoS attacks vary widely, as do the individuals and organisations prepared to carry them out. Some attacks are launched by disgruntled individuals and hacktivists who knock a company's servers offline to make a statement, to express disapproval, or simply for amusement.
Others have a financial motive: a competitor disrupting another business's online operations to gain an advantage, or extortion, where the perpetrators threaten a company with a sustained attack (or launch a short one as a demonstration) and demand a substantial payment to call it off. This is distinct from ransomware, which encrypts data on the victim's own systems; a DDoS attack installs nothing on the target and works purely by exhausting its capacity.
DDoS attacks are increasing in size and frequency, and even the largest global companies are targeted. One of the largest publicly reported attacks struck Amazon Web Services (AWS) in February 2020, peaking at 2.3 Tbps of CLDAP reflection traffic and surpassing the 1.35 Tbps memcached reflection attack on GitHub two years earlier; larger attacks have been reported since. The repercussions of a successful attack include lost legitimate traffic, lost business and damage to reputation.
As the Internet of Things (IoT) expands and more employees work from home, the number of devices connected to networks keeps rising. The security of those devices rarely keeps pace: many ship with default credentials and are never patched, which makes them easy to conscript into the botnets that power DDoS attacks and exposes the networks they sit on. DDoS protection and mitigation therefore deserve serious attention.
How do DDoS Attacks Function?
A DDoS attack aims to overwhelm the devices, services, and network of its target by flooding them with fake internet traffic, rendering them inaccessible or useless for legitimate users.
DoS vs. DDoS
A denial-of-service (DoS) attack is the broader category; a distributed denial-of-service (DDoS) attack is the subcategory in which the traffic comes from many sources. In a plain DoS attack the attacker uses a single internet connection to bombard a target with bogus requests, or exploits a vulnerability that crashes or stalls the service. DDoS attacks operate on a far larger scale, using thousands or even millions of compromised devices. The sheer number of sources, and the fact that no single one of them needs to send much traffic, is what makes DDoS attacks so much harder to filter: blocking one address achieves nothing, and the aggregate can exceed the bandwidth of any single link.
Botnets are the primary method through which distributed denial-of-service attacks are carried out. The attacker hacks into computers or other devices and installs malicious code, or malware, known as a bot. These infected devices form a network called a botnet. The attacker then commands the botnet to overwhelm the victim’s servers and devices with more connection requests than they can handle.
Understanding DDoS Attacks: Attack Indicators and Identification
One of the main challenges in identifying a DDoS attack is that its symptoms resemble ordinary service problems: slow uploads or downloads, an unreachable website and dropped connections all happen in everyday use. What distinguishes an attack is the traffic behind the symptoms: a sudden surge from many sources aimed at one host, port or URL; requests that share a profile (the same path, user agent or packet size); a pile-up of half-open TCP connections; or floods of DNS or NTP responses the host never asked for. Flow records (NetFlow, sFlow), server connection tables and web access logs are where these signs show up first.
Furthermore, a DDoS attack can persist for hours or even months, and the intensity of the attack can vary.
Types of DDoS Attacks
Different attacks target different components of a network and are classified by the layer at which they operate, using the seven-layer Open Systems Interconnection (OSI) reference model published by the International Organization for Standardization. The model is a conceptual division of network communication into layers (physical, data link, network, transport, session, presentation and application) rather than a description of a physical connection, but it gives a convenient vocabulary: volumetric attacks saturate links, protocol attacks abuse Layer 3 and 4 state, and application-layer attacks abuse Layer 7 services.
Volume-Based or Volumetric Attacks
This type of attack aims to saturate the bandwidth between the victim and the wider internet. DNS amplification is the classic example. The attacker sends DNS lookups to open resolvers with the source IP address spoofed to the victim's address; because DNS normally runs over UDP, which has no handshake, nothing verifies that the source address is genuine.
Each resolver sends its response to the spoofed address, so the victim receives the reply. A response (particularly to an ANY query, or one for a zone with DNSSEC records) can be tens of times larger than the query that triggered it, so a modest stream of spoofed queries is amplified into a flood of large packets arriving from many legitimate resolvers. Other UDP services that answer small requests with large replies (NTP, SSDP, memcached, CLDAP) are abused in the same way.
Protocol Attacks
Protocol attacks consume the state-tracking capacity of web servers and of intermediate devices such as firewalls and load balancers, rather than raw bandwidth. They exploit weaknesses in Layers 3 and 4 of the OSI stack to render the target unreachable.
A SYN flood is the standard example. The attacker sends the target a vast number of TCP connection requests (SYN packets) with spoofed source IP addresses. For each one the server allocates a half-open connection entry and replies with a SYN-ACK, which goes to the spoofed address and is never answered, so the final ACK of the three-way handshake never arrives. The half-open connection table fills up and the server can no longer accept connections from genuine clients.
Application-Layer Attacks
These attacks also aim to exhaust the target's resources but are harder to identify as malicious, because each individual request is well-formed and looks like something a real user might send. Commonly known as Layer 7 DDoS attacks, they target the layer where web pages are generated in response to Hypertext Transfer Protocol (HTTP) requests, and they need far less bandwidth than a volumetric attack because one cheap request can force expensive work (database queries, page rendering) on the server.
An HTTP flood is the typical example: it is like many computers all refreshing the same page at once, except that the requests come from a botnet. The server's worker pool, database or back-end services saturate, and legitimate requests queue up or fail.
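The three attack classes above each leave a distinct signature in traffic data. As an added example (not code from the article), the following Python script applies one detector per class to constructed data: simplified flow records for the DNS amplification and SYN flood cases, and common-log-format web server lines for the HTTP flood. The record layout, addresses, thresholds and timestamps are all assumptions made for illustration.

```python
"""Added example (not from the article): detectors for the three DDoS classes
above, run over constructed flow records and access-log lines. Field layout,
addresses, thresholds and timestamps are assumptions for illustration."""
import re
from collections import Counter, defaultdict

# Constructed flow records: (src, dst, proto, sport, dport, tcp_flags, bytes).
# 203.0.113.10 is the assumed victim; 198.51.100.x are assumed open resolvers;
# 192.0.2.x are the spoofed sources of a SYN flood.
FLOWS = [
    # DNS responses from several resolvers the victim never queried
    ("198.51.100.1", "203.0.113.10", "udp", 53, 40123, "", 3952),
    ("198.51.100.2", "203.0.113.10", "udp", 53, 40124, "", 4011),
    ("198.51.100.3", "203.0.113.10", "udp", 53, 40125, "", 3890),
    ("198.51.100.4", "203.0.113.10", "udp", 53, 40126, "", 4102),
    # a legitimate lookup by another host: query out, answer back
    ("203.0.113.20", "198.51.100.9", "udp", 51000, 53, "", 64),
    ("198.51.100.9", "203.0.113.20", "udp", 53, 51000, "", 128),
    # 40 half-open connections from spoofed sources that never send an ACK
    *[(f"192.0.2.{i}", "203.0.113.10", "tcp", 30000 + i, 443, "S", 60)
      for i in range(1, 41)],
    # two normal handshakes (SYN followed by ACK from the same source port)
    ("203.0.113.30", "203.0.113.10", "tcp", 52000, 443, "S", 60),
    ("203.0.113.30", "203.0.113.10", "tcp", 52000, 443, "A", 52),
    ("203.0.113.31", "203.0.113.10", "tcp", 52001, 443, "S", 60),
    ("203.0.113.31", "203.0.113.10", "tcp", 52001, 443, "A", 52),
]


def detect_dns_reflection(flows, min_resolvers=3):
    """Volumetric: hosts receiving DNS responses from resolvers they never queried.
    Returns {victim: (unsolicited_resolver_count, inbound_bytes)}."""
    queried = defaultdict(set)      # host -> resolvers it sent queries to
    answered_by = defaultdict(set)  # host -> resolvers that sent it responses
    inbound = Counter()
    for src, dst, proto, sport, dport, _, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53:
            queried[src].add(dst)
        elif sport == 53:
            answered_by[dst].add(src)
            inbound[dst] += nbytes
    suspects = {}
    for host, resolvers in answered_by.items():
        unsolicited = resolvers - queried[host]
        if len(unsolicited) >= min_resolvers:
            suspects[host] = (len(unsolicited), inbound[host])
    return suspects


def detect_syn_flood(flows, port=443, min_half_open=20, min_ratio=5.0):
    """Protocol: targets with many SYNs whose (source, port) never sends an ACK.
    Returns {target: (half_open_count, completed_count)}."""
    syns, acks = defaultdict(set), defaultdict(set)
    for src, dst, proto, sport, dport, flags, _ in flows:
        if proto != "tcp" or dport != port:
            continue
        if flags == "S":
            syns[dst].add((src, sport))
        elif "A" in flags:
            acks[dst].add((src, sport))
    suspects = {}
    for dst, syn_set in syns.items():
        half_open = len(syn_set - acks[dst])
        completed = len(syn_set & acks[dst])
        if half_open >= min_half_open and half_open > min_ratio * max(completed, 1):
            suspects[dst] = (half_open, completed)
    return suspects


# Constructed access-log lines (common log format); 198.51.100.77 is the flooder.
ACCESS_LOG = [
    f'198.51.100.77 - - [10/Mar/2024:12:00:{s:02d} +0000] "GET /search?q={s} HTTP/1.1" 200 5120'
    for s in range(30)
] + [
    '203.0.113.50 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.51 - - [10/Mar/2024:12:00:07 +0000] "GET /about HTTP/1.1" 200 2048',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^:]+:(\d\d):(\d\d):(\d\d) [^\]]*\] "[^"]*" \d{3} \d+$')


def detect_http_flood(lines, window_s=60, max_requests=20):
    """Application layer: clients with more than max_requests in any window_s
    span. Returns {client: peak_requests_in_window}."""
    times = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip lines that do not parse rather than crash on them
            client, hh, mm, ss = m.groups()
            times[client].append(int(hh) * 3600 + int(mm) * 60 + int(ss))
    suspects = {}
    for client, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] >= window_s:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            suspects[client] = peak
    return suspects
```

Note what each detector keys on: the reflection check does not look at volume alone but at whether the host ever sent a query to the resolvers answering it, which is what separates amplification traffic from a busy but legitimate resolver client; the SYN check pairs each SYN with a later ACK from the same source and port, so spoofed sources show up as half-open entries; the HTTP check uses a sliding window so a burst is caught wherever it falls, not only on minute boundaries. In production the same logic runs over exported flow records and log streams rather than literal lists.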
Preventing DDoS Attacks
Preventing DDoS attacks outright is rarely possible, since an attacker needs nothing more than a supply of compromised devices and the target's address. What organisations can do is prepare: know their exposure in advance, detect an attack quickly, and have mitigations ready to apply.
Once a suspected attack is under way, several options are available to limit its effects.
Risk Assessment
Regular risk assessments and audits of devices, servers and networks are essential. Although a DDoS attack cannot be prevented entirely, a clear understanding of the strengths and weaknesses of hardware and software assets is crucial. Knowing which segments of the network are most exposed (public IP ranges, single-homed links, stateful devices with small connection tables, expensive application endpoints) determines which mitigations to prepare and where, and lets the organisation agree in advance with its ISP or mitigation provider how they will be triggered.
Traffic Differentiation
If an organisation suspects a DDoS attack, the first step is to characterise the abnormal traffic: its sources, protocol, ports and any shared fingerprint. Shutting off all traffic is not an option, as it would cut off legitimate users along with the attackers, which is exactly the outcome the attacker wants. An Anycast network helps here: by announcing the same IP address from many geographically distributed points of presence, each attacking source is routed to the nearest one, so the attack is spread across the whole network's capacity instead of converging on a single site.
Black Hole Routing
Black hole routing is another defence strategy: a network administrator, or the organisation's internet service provider, creates a black hole route for the attacked address and directs traffic into it. Everything destined for that address, good and bad alike, is sent to a null route and dropped. This is an extreme measure, since it completes the denial of service for the targeted host; its value is that it is quick, it can be triggered remotely via BGP (remotely triggered black hole, or RTBH), and it protects the rest of the network and the upstream link from saturation while more selective mitigation is arranged.
Rate Limiting
Mitigation can also involve limiting the number of requests a server accepts from a given client within a specific time frame. On its own this is not sufficient against more sophisticated attacks: a botnet whose members each stay under the per-client threshold passes straight through a per-IP limit, and a limit tight enough to stop them also blocks legitimate users behind shared addresses. It is effective, though, as one component of a layered approach.
Web Application Firewall
To mitigate application-layer (Layer 7) attacks, organisations can deploy a Web Application Firewall (WAF). A WAF acts as a reverse proxy between the internet and the company's servers, inspecting each HTTP request before it reaches the application. With a set of rules, the organisation can filter requests by the patterns the attack exhibits (a shared user agent, a missing header that real browsers always send, a particular URL being hammered) and adjust those rules as the attack changes.
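The rate limiting and WAF paragraphs above describe two layers that are stronger together than apart. As an added example (not code from the article or from any vendor's product), the following Python script chains WAF-style pattern rules with a per-client token-bucket rate limit and runs the result over a constructed request stream containing a real user, a single-source flooder and a 30-host botnet whose members each send only one request. The thresholds, header names, user-agent fingerprint and addresses are assumptions made for illustration.

```python
"""Added example (not code from the article or any vendor product): a request
filter that chains WAF-style pattern rules with a per-client token-bucket rate
limit, run over a constructed request stream. Thresholds, header names and
addresses are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    client: str      # client IP address
    ts: float        # arrival time in seconds
    path: str
    headers: dict    # lower-cased header names


class TokenBucket:
    """Allow up to `burst` requests at once, refilling at `rate` per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """One token bucket per client address."""
    def __init__(self, rate=2.0, burst=5):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, req):
        bucket = self.buckets.setdefault(req.client, TokenBucket(self.rate, self.burst))
        return bucket.allow(req.ts)


# WAF-style rules: (name, predicate). The first matching rule blocks the request.
# Browsers always send Accept; the user-agent prefix is an assumed flood fingerprint.
RULES = [
    ("missing-accept", lambda r: "accept" not in r.headers),
    ("flood-user-agent", lambda r: r.headers.get("user-agent", "").startswith("python-requests")),
]


def filter_stream(requests, rules=RULES, limiter=None):
    """Return [(client, verdict)] in arrival order: WAF rules first, then the rate limit."""
    limiter = limiter or RateLimiter()
    verdicts = []
    for req in sorted(requests, key=lambda r: r.ts):
        rule = next((name for name, pred in rules if pred(req)), None)
        if rule:
            verdicts.append((req.client, "blocked:" + rule))
        elif not limiter.allow(req):
            verdicts.append((req.client, "blocked:rate-limit"))
        else:
            verdicts.append((req.client, "allowed"))
    return verdicts


def count_verdicts(verdicts):
    """Summarise a verdict list as {verdict: count}."""
    return dict(Counter(v for _, v in verdicts))


def build_stream():
    """Constructed traffic: one real user, one single-source flooder, and a
    30-host botnet whose members each send a single request."""
    browser = {"accept": "text/html", "user-agent": "Mozilla/5.0"}
    legit = [Request("203.0.113.50", float(t), "/", browser) for t in range(3)]
    flooder = [Request("198.51.100.77", 0.0, "/search?q=x", browser) for _ in range(20)]
    botnet = [Request(f"192.0.2.{i}", 0.0, "/search?q=x", {"user-agent": "Mozilla/5.0"})
              for i in range(1, 11)]
    botnet += [Request(f"192.0.2.{i}", 0.0, "/search?q=x",
                       {"accept": "*/*", "user-agent": "python-requests/2.31"})
               for i in range(11, 31)]
    return legit + flooder + botnet


if __name__ == "__main__":
    stream = build_stream()
    print("rate limit only:  ", count_verdicts(filter_stream(stream, rules=[])))
    print("rules + rate limit:", count_verdicts(filter_stream(stream)))
```

With the rate limit alone, the single flooder is cut to its burst allowance of five requests but all 30 botnet requests are allowed, because each source is individually under the limit; with the rules in front, the botnet is stopped on its shared fingerprints (ten hosts send no Accept header, twenty announce a scripted client) while the real user's three requests still pass. That is the sense in which the article calls rate limiting a component rather than a complete defence.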
In summary, when facing a suspected DDoS attack, organisations should start from a risk assessment of their own exposure, characterise the attack traffic, and then apply the appropriate combination of Anycast diffusion, black hole routing, rate limiting and a Web Application Firewall. Used together, these measures improve an organisation's ability to detect and withstand DDoS attacks.