DDoS Attacks Explained


DDoS grabs the headlines for downing websites and servers internationally, and companies spend a fortune trying to protect against it. But what are these cybercriminals actually targeting, and why are they using DDoS?

Cybercriminals are increasingly using DDoS as a smokescreen for illegal activities like data theft or extortion. Recently, an extortion gang called DD4BC used DDoS against financial and energy sector firms for bitcoins. It’s a serious threat and it is out there. We’re going to take a deeper look at what DDoS attacks actually are, the types of attack, and what you can do to better prepare yourself.

What is DDoS?


First, let’s get some terminology out of the way. DoS stands for Denial of Service: an attempt to exhaust the resources available to a server, network, web application or any other online resource so that legitimate users cannot access it.

In a distributed denial of service (DDoS) attack, multiple nodes or bots are used to flood a site with traffic.

Bots are devices (PCs, smartphones, etc.) infected with malware and controlled by a command and control server (the bot master), which may be controlling a whole network of such infected devices. Such networks are called botnets (short for bot networks).

Imagine if unpatched web servers were compromised and made part of a botnet. They have massive bandwidth available to them and will definitely be the most attractive targets for cybercriminals as a source of DDoS attacks. Botnets can be hired easily from many hacking or underground (dark web) websites, where they are also referred to as booters. Usually you will find such websites providing DDoS as a service. They can be put to good use as well, for testing how many connections a web application can handle before falling over, but most commonly they get used for all the wrong purposes.


Types of attack

So what types of DDoS attack could an organisation face? They fall into two broad categories –

Network Layer Attacks – There are two main categories of network layer attack: flooding attacks and amplification attacks.

Flooding attacks mostly exploit TCP, UDP or ICMP to send a flood of traffic towards the network or infrastructure. Many tools are available on the internet to carry out such simple flooding attacks.

Amplification attacks are carried out by increasing (amplifying) the size of the flood using inherent vulnerabilities of either DNS or NTP.
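From the receiving end, an amplification attack shows up as DNS or NTP responses arriving at a host that never sent the matching query. The sketch below is an added example, not part of the original article: it flags such hosts in flow records, and the record layout, thresholds and sample flows are all constructed assumptions.

```python
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}   # UDP services named in the text
QUERY_WINDOW = 5.0     # seconds a response may trail its query (assumed)
MIN_REFLECTORS = 3     # distinct response sources before alerting (assumed)

# Constructed sample flows: (time, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", 40000, "192.0.2.53", 53, 60),      # internal host asks DNS
    (0.1, "192.0.2.53", 53, "10.0.0.5", 40000, 300),     # the matching answer
    (1.0, "198.51.100.1", 53, "10.0.0.9", 31337, 3000),  # nobody asked for these
    (1.1, "198.51.100.2", 53, "10.0.0.9", 31337, 3100),
    (1.2, "198.51.100.3", 123, "10.0.0.9", 31337, 4400),
    (1.3, "198.51.100.4", 53, "10.0.0.9", 31337, 2900),
]

def find_reflection_victims(flows, window=QUERY_WINDOW,
                            min_reflectors=MIN_REFLECTORS):
    """Return {victim_ip: summary} for hosts receiving DNS/NTP responses
    that do not answer any query they sent within `window` seconds."""
    last_query = {}   # (client, client_port, server, server_port) -> time
    unsolicited = defaultdict(
        lambda: {"sources": set(), "bytes": 0, "services": set()})
    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport in REFLECTOR_PORTS:        # a query going out: remember it
            last_query[(src, sport, dst, dport)] = ts
        elif sport in REFLECTOR_PORTS:      # a response coming back
            asked = last_query.get((dst, dport, src, sport))
            if asked is None or ts - asked > window:
                rec = unsolicited[dst]
                rec["sources"].add(src)
                rec["bytes"] += size
                rec["services"].add(REFLECTOR_PORTS[sport])
    return {
        victim: {"reflectors": len(r["sources"]), "bytes": r["bytes"],
                 "services": sorted(r["services"])}
        for victim, r in unsolicited.items()
        if len(r["sources"]) >= min_reflectors
    }

if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```
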

Application Layer Attacks – Application layer attacks are increasingly popular because the attacks look like legitimate requests, yet can cause denial of service by exhausting the resources of the web servers. There are three broad categories of application layer attack – high-bandwidth, low-bandwidth and command injection attacks.

High-bandwidth attacks are carried out by bombarding the web application with GET and POST requests for the most resource intensive pages.

Low-bandwidth attacks are also called low and slow attacks, as they initiate requests to the application and do not tear the connection down. Only hundreds of such requests can easily bring the server down by exhausting all its resources.

Command injection attacks take advantage of vulnerabilities in the web application and may allow execution of commands that could wipe out the data or take over the machine.

Below are some of the stats for DDoS attacks in Q1 2015 from the State of the Internet report –
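The high-bandwidth and low-bandwidth patterns look very different in a web server's connection table, which is what makes them detectable. The sketch below is an added example, not part of the original article: it classifies clients from connection records, and the record layout, thresholds, page paths and sample data are constructed assumptions (thresholds are kept small so the sample triggers them).

```python
from collections import defaultdict

NOW = 120.0          # observation time in seconds (constructed)
SLOW_AGE = 30.0      # open this long without a complete request (assumed)
SLOW_RATE = 10.0     # bytes/second below which a sender is trickling (assumed)
SLOW_CONNS = 3       # slow connections per client before flagging (assumed)
FLOOD_WINDOW = 60.0  # look-back period for request floods (assumed)
FLOOD_REQS = 5       # requests to costly pages within the window (assumed)
COSTLY_PATHS = {"/search", "/report"}   # hypothetical resource-intensive pages

# Constructed records:
# (client, opened_at, bytes_received, request_complete, method, path)
SAMPLE_CONNS = (
    [("203.0.113.7", 10.0 + i, 200 + i, False, "POST", "/login")
     for i in range(4)]                      # old, incomplete, barely sending
    + [("198.51.100.20", 100.0 + i, 450, True, "GET", "/search")
       for i in range(6)]                    # burst of costly requests
    + [("192.0.2.44", 115.0, 380, True, "GET", "/index.html"),
       ("192.0.2.45", 118.0, 40, False, "GET", "/search")]  # young, still sending
)

def classify_clients(conns, now=NOW):
    """Return {client_ip: "low-and-slow" | "high-bandwidth"} for suspects."""
    slow = defaultdict(int)
    costly = defaultdict(int)
    for client, opened, received, complete, method, path in conns:
        age = now - opened
        # Low and slow: connection held open, request never finished,
        # data arriving at a trickle.
        if not complete and age > SLOW_AGE and received / age < SLOW_RATE:
            slow[client] += 1
        # High bandwidth: many recent GET/POST hits on expensive pages.
        elif (complete and method in ("GET", "POST")
              and path in COSTLY_PATHS and age <= FLOOD_WINDOW):
            costly[client] += 1
    verdicts = {c: "high-bandwidth" for c, n in costly.items() if n >= FLOOD_REQS}
    verdicts.update(
        {c: "low-and-slow" for c, n in slow.items() if n >= SLOW_CONNS})
    return verdicts

if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(SAMPLE_CONNS).items()):
        print(client, verdict)
```
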

[Infographic: DDoS figures]


(source Incapsula)

Digital Attack Maps

If you want to look at some real ongoing DDoS attacks then you may want to check some of the below websites:




What can you do about it?

So how can you protect yourself or your business? Here are a few tips to prepare yourself before the storm –

a) Always have a DDoS incident response plan ready in addition to other response strategies.

b) Keep all your systems, such as routers and firewalls, patched up, as they are the ones that will be taking the brunt of the attack. They may not be able to avoid the attack, but they may give you more time before it starts affecting you.

c) Keep your ISP contacts ready in case you haven’t got DDoS mitigation in place and decide to blackhole the traffic instead. Blackholing traffic means taking all the incoming traffic away from yourself and dumping it. This will also take away your legitimate traffic, but may protect your infrastructure from taking all the traffic.

The financial impact on the business (if the services were offline) and the organisational risk management strategy will decide whether you can justify the need for a DDoS mitigation solution. The most common DDoS mitigation strategies are as follows –

Cloud-based services – DDoS mitigation providers offer ‘always-on’ and ‘on-demand’ services. Always-on services, as the name suggests, forward all your traffic to scrubbing centres that clean out the malicious traffic before it hits your web application. On-demand services do the same when you are under attack and request the mitigation.

On-premise solution – Many DDoS mitigation providers offer dedicated hardware that you can place on site at the entry point from the ISP hand-off, so that all traffic to your site hits the DDoS appliance first before being forwarded to the rest of the infrastructure.

Hybrid solution – Some providers can provide you with the best of both solutions, but they can be very expensive and more complicated, requiring some amount of network changes.

For further reading on DDoS, check out Akamai’s State of the Internet and Akamai’s guide to multi-layered security.
