It grabs media headlines for taking down websites, companies and organisations internationally; businesses spend vast sums of money trying to protect against it, and its roots are buried in the darkest channels of the internet. It is one of the biggest risks to online outlets worldwide, but how much do you actually know about DDoS, and how could it affect your business?
You will likely have heard DDoS bandied about in relation to high-profile website attacks, but what effect does a DDoS attack actually have on a website, its systems and its users, and is it really as serious as the media make out?
Here a security expert looks deeper at what DDoS attacks actually are, the types of attack, and what you can do to better prepare your company.
What is DDoS
First, let's get some terminology out of the way. DoS stands for Denial of Service: any attempt to exhaust the resources available to a server, network, web application or other online resource so that legitimate users can no longer access it.
In a distributed denial of service (DDoS) attack the flood of traffic towards the target comes from many nodes, or bots, at once, which is what makes it so hard to block at the source.
Bots are devices (PCs, smartphones, etc.) infected with malware and controlled by a command and control server, or bot master, which may be steering a whole network of such infected devices. Such networks are called botnets (short for bot networks).
Imagine unpatched web servers being compromised and made part of a botnet: they have massive bandwidth available to them and are among the most attractive targets for cybercriminals as a source of DDoS traffic. Botnets can be hired easily from many hacking or underground (dark web) websites, where they are also referred to as booters or stressers, and DDoS is usually sold there as a service. Such services can be put to legitimate use, for testing how many connections a web application can handle before falling over, but most commonly they are used for all the wrong purposes.
Types of attack
So what types of DDoS attack could an organisation face? Here are some of the most common ways of flooding a system.
Network Layer Attacks – There are two main categories of network layer attack: flooding attacks and amplification attacks. Flooding attacks exploit TCP, UDP or ICMP to send a flood of traffic towards the network or infrastructure (SYN floods, UDP floods and ICMP floods respectively); many tools are freely available on the internet to carry out such simple flooding attacks.
Amplification attacks increase (amplify) the size of the flood by abusing services such as DNS or NTP: the attacker sends small requests carrying the victim's spoofed source address, and the servers answer the victim with responses many times larger than the requests, so the victim receives far more traffic than the attacker ever had to send.
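As an added illustration of how the two network-layer categories look from the defender's side (this is example code written for this page, not the author's or any vendor's tooling), the following Python script runs a simple detector over a set of constructed flow records. It flags a destination receiving an abnormal packet rate, calling it a SYN flood when almost all of that traffic is SYN-only TCP, and it flags a host receiving large UDP responses from DNS or NTP ports that it never queried, the signature of a reflected amplification attack. The thresholds, the reflector ports beyond DNS and NTP (SSDP, memcached), and all addresses are assumptions.

```python
"""Detect volumetric floods and reflection/amplification traffic in flow
records.  Added example; the flows in sample_flows() are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (standard port numbers).  DNS and
# NTP are the two named in the text; SSDP and memcached are added as examples.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp", "udp" or "icmp"
    packets: int
    nbytes: int
    flags: str = ""   # TCP flags seen on the flow, e.g. "S" for SYN-only


def detect(flows, window_s=60, pps_threshold=10_000, amp_ratio=5.0):
    """Return a list of (kind, target, detail) findings for one window."""
    findings = []

    # 1. Flooding: packets per destination over the window.
    pkts = defaultdict(int)
    syn_only = defaultdict(int)
    for f in flows:
        pkts[f.dst] += f.packets
        if f.proto == "tcp" and f.flags == "S":
            syn_only[f.dst] += f.packets
    for dst, n in pkts.items():
        rate = n / window_s
        if rate >= pps_threshold:
            kind = "syn_flood" if syn_only[dst] / n > 0.8 else "volumetric_flood"
            findings.append((kind, dst, f"{rate:.0f} pps"))

    # 2. Amplification: bytes arriving from reflector ports versus bytes the
    #    same host sent to that service.  A victim of reflection sent nothing.
    resp = defaultdict(int)   # (host, service) -> bytes received from service
    req = defaultdict(int)    # (host, service) -> bytes sent to service
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport in REFLECTOR_PORTS:
            resp[(f.dst, REFLECTOR_PORTS[f.sport])] += f.nbytes
        if f.dport in REFLECTOR_PORTS:
            req[(f.src, REFLECTOR_PORTS[f.dport])] += f.nbytes
    for (dst, svc), rb in resp.items():
        qb = req.get((dst, svc), 0)
        if rb / max(qb, 1) >= amp_ratio:
            findings.append(("amplification", dst, f"{svc}: {rb} B received vs {qb} B sent"))
    return findings


def sample_flows():
    """Constructed traffic: a spoofed SYN flood, a DNS reflection, a benign query."""
    flows = []
    for i in range(50):   # 50 spoofed sources, 20 000 SYN-only packets each
        flows.append(Flow(f"10.{i}.0.1", 40000 + i, "203.0.113.10", 443, "tcp", 20_000, 1_200_000, "S"))
    for i in range(10):   # 10 open resolvers answering queries the victim never sent
        flows.append(Flow(f"198.51.100.{i + 1}", 53, "203.0.113.20", 7, "udp", 3, 4_000))
    flows.append(Flow("192.0.2.5", 51000, "198.51.100.1", 53, "udp", 1, 60))    # real query
    flows.append(Flow("198.51.100.1", 53, "192.0.2.5", 51000, "udp", 1, 200))   # its answer
    return flows


if __name__ == "__main__":
    for kind, target, detail in detect(sample_flows()):
        print(f"{kind:18} {target:15} {detail}")
```

The benign client is not flagged because its answer is only about three times the size of its query, well under the ratio at which reflection becomes worthwhile for an attacker; in production the per-window thresholds would be set from a baseline of normal traffic rather than fixed constants.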
Application Layer Attacks – Application layer attacks are increasingly popular because the traffic looks like legitimate requests, yet it can cause denial of service by exhausting the resources of the web servers. There are three broad categories of application layer attack: high-bandwidth, low-bandwidth and command injection attacks.
High-bandwidth attacks bombard the web application with GET and POST requests for its most resource-intensive pages, so that each request costs the server far more to answer than it costs the attacker to send.
Low-bandwidth attacks are also called low and slow attacks: they open requests to the application and never complete them or tear the connection down, sending headers or body bytes just often enough to keep each connection alive. Only a few hundred such connections can bring a server down by exhausting its pool of worker threads or connection slots.
Command injection attacks take advantage of vulnerabilities in the web application itself and may allow execution of commands that could wipe out data or take over the machine; unlike the other two categories they do not depend on traffic volume at all.
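The two volume-based application-layer patterns above can be told apart in ordinary web-server telemetry. The following Python script, an added example written for this page rather than anything from the original author, bucket-counts requests to resource-intensive paths per client to catch a GET/POST flood, and scans a connection table for clients parking many half-finished requests to catch a low-and-slow attack. The access-log lines and the connection table are constructed; the list of expensive paths, the thresholds and the addresses are assumptions.

```python
"""Flag a request flood against expensive pages and 'low and slow' connections
in web-server telemetry.  Added example; all sample data is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Leading fields of the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Paths assumed to be resource intensive for this example (hypothetical).
EXPENSIVE = {"/search", "/report/export"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_request_floods(lines, window_s=10, max_expensive_rps=5.0):
    """Return {ip: peak requests-per-second to EXPENSIVE paths} for clients
    whose peak exceeds max_expensive_rps in any fixed window of window_s."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] in EXPENSIVE:
            buckets[(rec["ip"], int(rec["ts"].timestamp()) // window_s)] += 1
    peak = defaultdict(float)
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak[ip], n / window_s)
    return {ip: rps for ip, rps in peak.items() if rps > max_expensive_rps}


def find_slow_connections(conns, now, min_age_s=30, min_conns=20):
    """Return {ip: count} for clients holding at least min_conns connections
    that are older than min_age_s and still have not completed their headers."""
    stale = Counter()
    for c in conns:
        age = (now - c["opened"]).total_seconds()
        if age >= min_age_s and not c["headers_complete"]:
            stale[c["ip"]] += 1
    return {ip: n for ip, n in stale.items() if n >= min_conns}


T0 = datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def _log(ip, t, path, status="200", size="5120"):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} {size}'


def sample_log():
    """Constructed log: one client hammers /search, one browses normally."""
    lines = [_log("198.51.100.7", T0 + timedelta(milliseconds=50 * i), "/search?q=a")
             for i in range(120)]
    lines += [_log("192.0.2.10", T0 + timedelta(seconds=3 * i), p)
              for i, p in enumerate(["/", "/search?q=x", "/about"])]
    return lines


def sample_connections():
    """Constructed connection table: one client parks 40 half-sent requests."""
    now = T0 + timedelta(minutes=5)
    conns = [{"ip": "203.0.113.99", "opened": now - timedelta(seconds=90 + i),
              "headers_complete": False} for i in range(40)]
    conns.append({"ip": "192.0.2.10", "opened": now - timedelta(seconds=2),
                  "headers_complete": True})
    return conns, now


if __name__ == "__main__":
    print("request floods:", find_request_floods(sample_log()))
    print("low and slow:", find_slow_connections(*sample_connections()))
```

A flagged client from the first check is a candidate for per-client rate limiting on the expensive endpoints; a flagged client from the second is the reason to set short header and body timeouts and a per-IP connection cap on the web server or load balancer, which is what makes low-and-slow attacks fail regardless of who is behind them.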
Below are some statistics for DDoS attacks in Q1 2015 from the State of the Internet report –
Digital Attack Maps
If you want to look at some real, ongoing DDoS attacks, check the websites below:
What can you do about it?
So how can you protect yourself? The financial impact on the business if its services were offline, together with the organisation's risk management strategy, will decide whether you can justify a DDoS mitigation solution. The most common DDoS mitigation strategies are as follows –
Cloud-based services – DDoS mitigation providers offer 'always-on' and 'on-demand' services. Always-on, as the name suggests, forwards all your traffic through the provider's scrubbing centres, which remove the malicious traffic before it reaches your web application. On-demand does the same only when you are under attack and request mitigation, which means there is a window between the attack starting and the mitigation taking effect.
On-premise solution – Many DDoS mitigation providers offer dedicated hardware that you install on site at the entry point from the ISP hand-off, so that all traffic to your site hits the DDoS appliance before being forwarded to the rest of the infrastructure. Such an appliance can only protect what sits behind it: if an attack saturates the ISP link itself, the appliance never sees the traffic it would need to drop.
Hybrid solution – Some providers offer the best of both, with the on-premise appliance handling smaller attacks and the cloud service taking over when the volume exceeds what the appliance or the link can absorb, but this can be very expensive and more complicated, requiring some amount of network change.