
There are numerous cyber threats that internet users and network administrators need to be wary of, but for organizations whose services largely function online, one of the most important to be aware of, given its increasing prevalence, is the Distributed Denial of Service (DDoS) attack. But what is a denial-of-service attack, how does it work, and are there ways to prevent it?
Distributed Denial of Service: A definition
So, what is the meaning of DDoS? Sometimes called Distributed Network Attacks, this type of cyberattack takes advantage of the capacity limits that apply to any network resource, such as the infrastructure that serves a company’s website. The DDoS attack sends a very large number of requests to the attacked web resource, with the aim of exceeding the website’s capacity to handle them and preventing the website from functioning correctly. Typical targets for DDoS attacks include e-commerce sites and any organization offering online services.
How does DDoS Work?
An essential part of understanding DDoS attacks is learning how these attacks work. Network resources – such as web servers – have a finite limit to the number of requests that they can service simultaneously. In addition to the capacity limit of the server, the channel that connects the server to the Internet will also have a finite bandwidth or capacity. Whenever the number of requests exceeds the capacity limits of any component of the infrastructure, the level of service is likely to suffer.
Usually, the attacker’s aim in a DDoS attack is to overwhelm the web resource’s server, preventing normal function and resulting in a total denial-of-service. The attacker may also demand payment for stopping the attack. In some cases, a DDoS attack may even be an attempt to discredit or damage a competitor’s business.
To carry out the attack, the attacker seizes control of a network or device by infecting it with malware, creating a botnet. They then initiate the attack by sending specific instructions to the bots. In turn, the botnet begins issuing requests to the target server through its IP address, overwhelming it and causing the denial-of-service to its regular traffic.
DDoS Attack Examples: What are the different types of attacks?
Learning what DDoS means and how these attacks work is one step in preventing them, but it is also crucial to understand that there are different types of DDoS attacks. Telling them apart hinges on first outlining how network connections are formed.
The Open Systems Interconnection (OSI) model, developed by the International Organization for Standardization, defines seven distinct layers that make up internet network connections. These include the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.
The many DDoS attack examples differ by which connection layer they target. Below are some of the most common examples.
Application layer attacks
Sometimes called a layer 7 attack (because it targets the 7th, or application, layer of the OSI model), these attacks exhaust the target server’s resources by flooding the web application itself with requests. The 7th layer is where a server generates webpages in response to an HTTP request. Attackers issue numerous HTTP requests, overwhelming the target server as it responds by loading the many files and running the database queries required to build each web page.
HTTP flood
Think of these DDoS attacks as refreshing a web browser numerous times on many computers. This creates a “flood” of HTTP requests, forcing a denial-of-service. The implementation of these attacks can be simple, using one URL and a narrow range of IP addresses, or complex, using an array of IP addresses and random URLs.
Protocol attacks
Often called state-exhaustion attacks, these DDoS attacks exploit weaknesses in the 3rd and 4th layers of the OSI model (the network and transport layers). They create a denial-of-service by overwhelming server resources or network equipment resources, such as firewalls. There are several types of protocol attacks, including SYN floods. These exploit the TCP (Transmission Control Protocol) handshake, which allows two hosts to establish a network connection, by sending an unmanageable number of TCP “Initial Connection Requests” from fake IP addresses.
Volumetric attacks
These DDoS attacks create a denial-of-service by consuming all the available bandwidth of a target server: huge amounts of data are sent to create a surge in traffic on the server.
DNS amplification
This is a reflection-based attack where a request is sent to a DNS server from a spoofed IP address (the target server’s), so that the DNS server sends its response to the target instead of the attacker. Issued at scale from a botnet, these reflected responses quickly overwhelm the target server’s resources.
Identifying a DDoS attack
DDoS attacks can be difficult to identify because they may mimic conventional service issues and are increasingly sophisticated. However, there are certain signs that may suggest that a system or network has fallen victim to a DDoS attack. Some of these may include:
- A sudden surge in traffic originating from an unknown IP address
- A flood of traffic from numerous users who share specific similarities, like geolocation or web browser version
- An inexplicable increase in requests for a single page
- Unusual traffic patterns
- Slow network performance
- A service or website that suddenly goes offline for no reason
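As an added example that is not part of the original article, the following Python script checks constructed web-server access-log lines (Apache/Nginx combined format, assumed) for three of the signs listed above: a surge from one source address, a spike in requests for a single page, and many sources sharing one client fingerprint. The thresholds are illustrative assumptions to be tuned against a site’s normal traffic.

```python
import re
from collections import Counter

# Parser for the Apache/Nginx "combined" access-log format (assumed for the sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, per_ip_limit=50, path_share=0.8, ua_share=0.8, min_total=100):
    """Return (indicator, detail) pairs for the warning signs described in the article.
    Thresholds are illustrative assumptions, not values from the article."""
    recs = [r for r in map(parse_line, lines) if r]
    total = len(recs)
    findings = []
    if total < min_total:          # too little traffic in this window to judge
        return findings
    by_ip = Counter(r["ip"] for r in recs)
    by_path = Counter(r["path"] for r in recs)
    by_ua = Counter(r["ua"] for r in recs)
    for ip, n in by_ip.items():    # sudden surge from one source address
        if n > per_ip_limit:
            findings.append(("surge_from_single_ip", f"{ip} sent {n} requests"))
    path, n = by_path.most_common(1)[0]   # unexplained spike in requests for one page
    if n / total >= path_share:
        findings.append(("single_page_spike", f"{path} is {n} of {total} requests"))
    ua, n = by_ua.most_common(1)[0]       # many sources sharing one client fingerprint
    if n / total >= ua_share and len(by_ip) > 1:
        findings.append(("shared_client_fingerprint", f"{n} of {total} requests use {ua!r}"))
    return findings

def make_line(ip, path, ua):
    """Build a constructed combined-format log line (fixed timestamp, status 200)."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: 20 ordinary visitors from 198.51.100.0/24 using two browsers,
# then 150 requests for /checkout from two 203.0.113.0/24 addresses with one client string.
BROWSERS = ["Mozilla/5.0 (Windows NT 10.0) Firefox/118.0", "Mozilla/5.0 (Macintosh) Safari/605.1"]
NORMAL = [make_line(f"198.51.100.{i}", p, BROWSERS[i % 2])
          for i, p in zip(range(1, 21), ["/", "/about", "/products", "/contact"] * 5)]
FLOOD = [make_line(f"203.0.113.{i % 2 + 1}", "/checkout", "python-requests/2.31") for i in range(150)]

if __name__ == "__main__":
    for indicator, detail in analyse(NORMAL + FLOOD):
        print(f"{indicator}: {detail}")
```

Run over a rolling time window in practice; a single flagged indicator is a prompt to look closer, since a legitimate launch or campaign can also concentrate traffic on one page.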
DDoS attack prevention and mitigation
While DDoS attacks can be challenging to detect, it is possible to implement several measures to try to prevent these types of cyberattacks and mitigate any damage in case of an attack. The key is to create an action plan for securing systems and limiting damage if an attack does occur. In general, it is beneficial to implement a solution like Kaspersky DDoS protection for businesses, which continuously analyses and redirects malicious traffic. Additionally, the following general advice can help further enhance your defenses:
- Assess the current system setup - including software, devices, servers, and networks - to identify security risks and potential threats, then implement measures to reduce these; conduct regular risk assessments.
- Keep all software and technology up to date to ensure they’re running the latest security patches.
- Develop a viable strategy for DDoS attack prevention, detection and mitigation.
- Ensure anyone involved in the attack prevention plan understands what a DDoS attack is and their assigned roles.
In case of an attack, these actions may offer some mitigation:
- Anycast networks: Using an Anycast network to redistribute the traffic can help maintain server usability while the issue is being addressed, ensuring the server doesn’t need to be shut down completely.
- Black hole routing: In this scenario, a network administrator at the ISP reroutes all traffic destined for the target server’s IP address into a black hole route, dropping it from the network and preserving the network’s integrity. However, this can be an extreme step to take as it also blocks legitimate traffic.
- Rate limiting: This limits how many requests a server can accept at any time. While it won’t be highly effective on its own, it can be useful as part of a larger strategy.
- Firewalls: Organizations can use Web Application Firewalls (WAF) acting as a reverse proxy to protect their servers. WAFs can be set with rules to filter traffic, and administrators can modify these in real time if they suspect a DDoS attack.
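An added example, not part of the original article, of the rate limiting described above: a per-client token bucket with an injectable clock so the scenario replays deterministically offline. The addresses and limits are constructed values.

```python
import time

class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests,
    then continue at `rate` requests per second. `clock` is injectable for testing."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # client_ip -> [tokens, last_refill_time]

    def allow(self, client_ip):
        now = self.clock()
        tokens, last = self.buckets.get(client_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last call
        if tokens >= 1:
            self.buckets[client_ip] = [tokens - 1, now]
            return True                  # serve the request
        self.buckets[client_ip] = [tokens, now]
        return False                     # reject, e.g. with HTTP 429

class FakeClock:
    """Constructed clock so the scenario below runs deterministically offline."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds

def simulate():
    """Replay a burst from one source alongside a single request from another."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=5, burst=10, clock=clock)
    noisy, quiet = "203.0.113.9", "198.51.100.1"          # constructed example addresses
    first_burst = sum(limiter.allow(noisy) for _ in range(30))   # 30 requests at t=0
    other_client = limiter.allow(quiet)                          # unaffected by the noisy one
    clock.advance(1.0)
    after_one_second = sum(limiter.allow(noisy) for _ in range(30))
    return {"first_burst": first_burst, "other_client": other_client,
            "after_one_second": after_one_second}

if __name__ == "__main__":
    print(simulate())
```

Because the bucket is keyed by source address, a botnet that spreads its requests across thousands of addresses stays under each per-client limit, which is why the article calls rate limiting useful only as part of a larger strategy.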