Source: www.csoonline.com
Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for decades — and they’re only growing more prevalent and stronger.
What is a DDoS attack?
A distributed denial of service (DDoS) attack is an attempt by an attacker, or a group of attackers, to make an online service unavailable to its intended users. That could mean sending a web server so many page requests that it falls over under the load, or hitting a database with more queries than it can answer. Either way, the target's available bandwidth, CPU, memory, or connection-state capacity is exhausted, and legitimate requests are dropped or time out.
The impact of a DDoS attack can range from a minor annoyance to an entire business being taken offline. In use for over 20 years, DDoS attacks continue to grow and evolve. Netscout reports that it observed over 13 million DDoS attacks in 2023 alone.
What is DoS?
Denial of service (DoS) is what it sounds like: Thwarting access to virtually anything from servers, devices, and services to networks, applications, and even specific transactions within applications.
What is the difference between DoS and DDoS?
The difference between DoS and DDoS is a matter of scale and of source. In both cases the aim is to knock the target offline with more requests than it can handle, but in a DoS attack a single system sends the malicious traffic, whereas a DDoS attack comes from many systems at once.
Distributed attacks are far harder to stop than an attack from a single machine. A single source can be cut off with one firewall rule; a defender facing thousands of sources must block large numbers of IP addresses, and the attack traffic is much harder to tell apart from legitimate users.
Common motives behind DDoS attacks
As an attack method, DDoS is a blunt instrument. Unlike infiltration, DDoS doesn’t net an attacker any private data or control over any of the target’s infrastructure. It just knocks infrastructure offline. But in a world where having a web presence is a must for just about any business, a DDoS attack can be a destructive weapon.
There are four main motives behind DDoS attacks:
- Taking rivals offline: The Mirai botnet, used in the DDoS attack against DNS provider Dyn, was designed as a weapon in a war among Minecraft server providers. Today, the gaming industry remains a primary target of DDoS attacks. As Netscout noted in its most recent DDoS Threat Intelligence Report: “The allure of attacking the gaming industry lies in its substantial financial value and the goal of disrupting competitors.”
- Geopolitics: Politically motivated groups “increasingly are using DDoS as a tool to target those ideologically opposed to them,” Netscout noted. For example, in Peru DDoS attacks spiked after nationwide protests in December. Moreover, DDoS groups are “executing attacks that seamlessly transcend national borders,” according to Netscout. The pro-Russia hacktivist group NoName057(16), for example, targeted not just Ukraine, but countries that support Ukraine.
- Financial gain: While a DDoS attack isn't a ransomware attack, DDoS attackers sometimes contact their victims with a promise to turn off the firehose of packets in exchange for Bitcoin. Or, DDoS attackers may receive financial incentives from someone who wants to take your website out. Tools called booters and stressers are available on the dark web that essentially provide DDoS-as-a-service to interested customers, offering access to ready-made botnets at the click of a button, for a price.
- As a diversion: DDoS attacks can also be used as a distraction to keep an organization's limited incident response resources engaged while a different, stealthier attack is carried out in another part of the infrastructure at the same time. This can delay the discovery of other compromises. For example, an online banking service could be hit with a DDoS to prevent users from accessing their accounts, delaying them from noticing that money had been transferred out of those accounts.
How do DDoS attacks work?
DDoS botnets are the core of any DDoS attack. A botnet consists of hundreds or thousands of machines, called zombies or bots, that a malicious hacker has control over. The attackers harvest these systems by identifying vulnerable systems they can infect with malware through phishing attacks, malvertising attacks, and other mass infection techniques. Infected machines range from ordinary home or office PCs to IoT devices — the Mirai botnet famously marshalled an army of hacked CCTV cameras and home routers — and their owners almost certainly don't know they've been compromised, as the devices continue to function normally in most respects.
The infected machines await a remote command from a command-and-control server that is used to initiate and control the attack and is often itself a hacked machine. Once unleashed, the bots attempt to access a resource or service the victim has available online. Individually, the traffic directed by each bot would be harmless. But because there are so many of them, the requests often overwhelm the target system’s capacities — and because the bots are generally ordinary computers distributed across the internet, it can be difficult or impossible to block out their traffic without cutting off legitimate users at the same time.
Types of DDoS attacks
There are three primary classes of DDoS attacks, distinguished mainly by the type of traffic they lob at victims’ systems:
- Volume-based attacks use massive amounts of bogus traffic to saturate the bandwidth available to a resource such as a website or server. They include ICMP floods, UDP floods, and spoofed-packet floods. The size of a volume-based attack is measured in bits per second (bps).
- Protocol or network-layer attacks send large numbers of packets designed to exhaust the state tables of servers and of intermediate devices such as firewalls and load balancers. They include SYN floods, which leave half-open TCP connections until the connection table is full, and Smurf attacks, among others. Their size is measured in packets per second (pps).
- Application-layer attacks flood an application, most often a web app over HTTP/S, with requests that are individually valid but chosen to be expensive to serve: search pages, login forms, large downloads. Because each request looks legitimate, these are the hardest to filter. Their size is measured in requests per second (RPS).
Techniques used in DDoS attacks
Techniques common to all types of DDoS attacks include:
- Spoofing: An attacker "spoofs" an IP packet when they change or forge the source IP address in its header. Because the victim can't see the packet's real source, it can't block the attack at its origin. Spoofing only works for traffic that needs no reply to the sender, such as UDP floods and the first packet of a SYN flood; an HTTP flood needs a completed TCP handshake and therefore exposes the bots' real addresses. Networks that filter packets with source addresses they could not legitimately originate (source address validation, BCP 38) prevent their customers from sending spoofed traffic at all.
- Reflection: An attacker may use the intended victim's IP address as the source IP address in packets sent to third-party systems, which will then reply to the victim. The "attackers" the victim sees are ordinary, legitimate servers, which makes it even harder to understand where the attack is coming from, and blocking them causes collateral damage.
- Amplification: This is an extension of reflection in which the response packets sent to the victim by the third-party systems are larger than the attacker's packets that triggered them. The attack exploits features of protocols such as DNS, NTP, and SSDP whose responses can be many times the size of the request, allowing attackers to use open servers on the internet to multiply the amount of traffic they can generate.
All three techniques are typically combined into what's known as a reflection/amplification DDoS attack, which has become increasingly common.
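Reflection and amplification leave a recognizable trace on the victim's side of the wire: replies arriving from DNS, NTP, SSDP or memcached ports that answer no request the victim ever sent. The script below is an added example written for this edit, not code from the article. It runs over a constructed set of NetFlow-style records; the victim address, the record field names, and the reflector port table are assumptions.

```python
"""Spot reflected/amplified UDP traffic in flow records.

Added example for this article, not code from CSO Online. The flow records
below are constructed (NetFlow-style 5-tuples with byte counts); the field
names, the reflector port table and the victim address are assumptions.
"""
from collections import defaultdict

# Source ports of services commonly abused as reflectors. A reply from one of
# these ports that answers no request the victim sent is the signature of
# reflection: someone else sent the request with the victim's address spoofed.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

VICTIM = "203.0.113.10"  # assumed victim address

# Constructed sample flows: one genuine DNS exchange the victim initiated,
# followed by unsolicited replies the victim never asked for.
FLOWS = [
    {"src": VICTIM, "sport": 40001, "dst": "198.51.100.1", "dport": 53, "bytes": 64},
    {"src": "198.51.100.1", "sport": 53, "dst": VICTIM, "dport": 40001, "bytes": 120},
    {"src": "192.0.2.7", "sport": 53, "dst": VICTIM, "dport": 5353, "bytes": 3200},
    {"src": "192.0.2.8", "sport": 53, "dst": VICTIM, "dport": 5353, "bytes": 3100},
    {"src": "192.0.2.20", "sport": 123, "dst": VICTIM, "dport": 443, "bytes": 4800},
    {"src": "192.0.2.21", "sport": 11211, "dst": VICTIM, "dport": 80, "bytes": 50000},
]


def unsolicited_replies(flows, victim):
    """Inbound flows from reflector ports that match no request the victim sent.

    A genuine reply comes from (src, sport) back to the port the victim used
    as its own source port when it sent the request; a reflected reply has
    no such request on record.
    """
    requested = {(f["dst"], f["dport"], f["sport"]) for f in flows if f["src"] == victim}
    reflected = []
    for f in flows:
        if f["dst"] != victim or f["sport"] not in REFLECTOR_PORTS:
            continue
        if (f["src"], f["sport"], f["dport"]) in requested:
            continue  # answers something the victim really asked
        reflected.append(f)
    return reflected


def summarize(reflected):
    """Unsolicited bytes and distinct reflector count per abused service."""
    per_service = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in reflected:
        entry = per_service[REFLECTOR_PORTS[f["sport"]]]
        entry["bytes"] += f["bytes"]
        entry["reflectors"].add(f["src"])
    return {svc: {"bytes": e["bytes"], "reflectors": len(e["reflectors"])}
            for svc, e in per_service.items()}


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the victim receives per byte the attacker sent."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    report = summarize(unsolicited_replies(FLOWS, VICTIM))
    for svc, e in sorted(report.items()):
        print(f"{svc:10s} {e['bytes']:>6d} unsolicited bytes from {e['reflectors']} reflector(s)")
    # A roughly 60-byte spoofed DNS query that elicits a 3200-byte answer
    print("DNS amplification factor:", round(amplification_factor(60, 3200), 1))
```

The genuine reply from 198.51.100.1 is excluded because the victim's own outbound query to port 53 from source port 40001 is on record; the other replies have no matching request and are attributed to their service, which is what you need to decide which reflector ports to rate-limit upstream and which open servers to report to their operators.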
How to identify DDoS attacks
DDoS attacks can be difficult to diagnose. After all, the attacks superficially resemble a flood of legitimate requests from legitimate users. But there are ways to distinguish the artificial traffic of a DDoS attack from the more "natural" traffic you'd expect from real visitors.
DDoS attack symptoms to watch for:
- Despite spoofing or distribution techniques, many DDoS attacks will originate from a restricted range of IP addresses or from a single country or region — perhaps a region that you don’t ordinarily see much traffic from.
- Similarly, you might notice that all the traffic is coming from the same kind of client, with the same OS and web browser showing up in its HTTP requests, instead of showing the diversity you’d expect from real visitors.
- The traffic might hammer away at a single server, network port, or web page, rather than be evenly distributed across your site.
- The traffic could come in regularly timed waves or patterns.
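The four symptoms above can be checked mechanically against a web server's access log rather than eyeballed. The script below is an added example, not code from the article: it parses combined-format log lines (constructed here: six ordinary visitors plus a thirty-host burst) and reports source-range, client, path and timing concentration against thresholds that are assumptions to be tuned to your own baseline traffic.

```python
"""Score a web access log for the DDoS symptoms listed above.

Added example for this article, not code from CSO Online. Log lines are in
the common Apache/nginx combined format; the sample lines are constructed,
and the thresholds are assumptions to be tuned against your own baseline.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed legitimate traffic: varied sources, clients and pages over a minute.
LEGIT = [
    '203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"',
    '198.18.4.9 - - [10/Oct/2024:13:55:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15"',
    '192.0.2.77 - - [10/Oct/2024:13:55:14 +0000] "GET /blog/post-1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"',
    '100.64.7.21 - - [10/Oct/2024:13:55:22 +0000] "GET /pricing HTTP/1.1" 200 3072 "-" "Mozilla/5.0 (Windows NT 10.0) Edg/120.0"',
    '198.18.200.4 - - [10/Oct/2024:13:55:45 +0000] "GET /contact HTTP/1.1" 200 1536 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2) Mobile/15E148 Safari/604.1"',
    '10.20.30.40 - - [10/Oct/2024:13:55:58 +0000] "GET /docs HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
]
# Constructed attack traffic: 30 hosts in one /24, one client string, one
# page, all landing in a two-second burst.
FLOOD = [
    f'198.51.100.{i} - - [10/Oct/2024:13:55:3{i % 2} +0000] "POST /login HTTP/1.1" 503 0 "-" "python-requests/2.31"'
    for i in range(1, 31)
]


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def top_share(values):
    """Fraction of all values taken by the single most common one."""
    values = list(values)
    return Counter(values).most_common(1)[0][1] / len(values)


def analyze(lines, prefix_limit=0.5, ua_limit=0.6, path_limit=0.6, burst_limit=5.0):
    """Compute the four indicators and list which symptom thresholds they exceed."""
    reqs = [r for r in map(parse, lines) if r]
    per_second = Counter(r["ts"] for r in reqs)  # log timestamps have second resolution
    counts = list(per_second.values())
    ind = {
        "top_prefix_share": top_share(slash24(r["ip"]) for r in reqs),
        "top_ua_share": top_share(r["ua"] for r in reqs),
        "top_path_share": top_share(r["path"] for r in reqs),
        "burst_ratio": max(counts) / median(counts),  # busiest second vs. typical second
    }
    symptoms = [name for name, value, limit in (
        ("concentrated source range", ind["top_prefix_share"], prefix_limit),
        ("uniform client", ind["top_ua_share"], ua_limit),
        ("single target path", ind["top_path_share"], path_limit),
        ("burst pattern", ind["burst_ratio"], burst_limit),
    ) if value >= limit]
    return {"requests": len(reqs), "indicators": ind, "symptoms": symptoms}


if __name__ == "__main__":
    for label, lines in (("baseline", LEGIT), ("during attack", LEGIT + FLOOD)):
        result = analyze(lines)
        print(label, result["requests"], "requests ->", result["symptoms"] or "no symptoms")
        for k, v in result["indicators"].items():
            print(f"  {k:18s} {v:.2f}")
```

Run against the six baseline lines alone, every share is one sixth and the burst ratio is 1, so nothing is flagged; with the burst added, five sixths of the requests come from one /24, one client string and one path, and the busiest second carries fifteen times the median. Thresholds like these should be derived from a week of your own logs, not copied, and a well-distributed botnet will defeat the source-range check even when the other three still fire.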
How to stop a DDoS attack
Mitigating a DDoS attack is difficult because, as previously noted, some attacks take the form of web traffic of the same kind that legitimate visitors would generate. It would be easy to “stop” a DDoS attack on your website simply by blocking all HTTP requests, and indeed doing so may be necessary to keep your server from crashing. But doing that also blocks anyone else from visiting your website, which means your attackers have achieved their goals.
If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online. For instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region, accepting that real users in that region are cut off too for the duration. A good preventative technique is to shut down any publicly exposed services that you aren't using: every listening port is a potential target for a protocol- or application-layer attack, and an open DNS resolver or NTP server you forgot about can also be abused as a reflector against someone else. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.
In general, though, the best way to mitigate against DDoS attacks is to simply have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service that is designed to accommodate huge amounts of traffic and that has built-in DDoS defenses.
Your network service provider might have its own mitigation services you can use, but a new strategy observed in 2024 is to keep attacks under the thresholds where the automatic traffic filtering solutions of ISPs kick in. Even smaller DDoS attacks can take down applications not designed to handle a lot of traffic, for example industrial devices exposed to the internet for remote management purposes.
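One way to keep a service partially online without blocking everyone is per-client rate limiting, which admits a real user's modest request rate while shedding the excess from any single source or source range. The token-bucket limiter below is an added example, not the article's or any vendor's code; the rates, burst size and simulated clients are assumptions, and the same policy would normally be enforced at a reverse proxy or load balancer in front of the origin rather than in application code.

```python
"""Per-client token-bucket rate limiting as partial DDoS mitigation.

Added example for this article, not code from CSO Online. Rates, burst
sizes and the simulated clients are assumptions. The limiter is driven by
an explicit clock argument so the simulation is deterministic.
"""
from collections import defaultdict


class TokenBucket:
    """Allow up to `burst` requests at once, then `rate` requests per second."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.updated = None

    def allow(self, now):
        if self.updated is None:
            self.updated = now
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client key.

    The key function decides what a 'client' is: a single IP by default, or a
    /24 prefix to throttle a flood spread across one address range (the
    'restricted range of IP addresses' symptom described above).
    """

    def __init__(self, rate=5.0, burst=10, key=lambda ip: ip):
        self.key = key
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def check(self, client_ip, now):
        return self.buckets[self.key(client_ip)].allow(now)


def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def simulate(seconds=30):
    """Constructed scenario: one real user at 1 req/s, one flooder at 100 req/s
    from a single IP, and a spread flood of 100 req/s from 50 IPs in one /24.
    Returns requests admitted per client label under per-IP and per-/24 keying."""
    events = []  # (time, source ip, label)
    for s in range(seconds):
        events.append((float(s), "203.0.113.5", "user"))
    for k in range(seconds * 100):
        t = k / 100.0
        events.append((t, "198.51.100.7", "flood-single"))
        events.append((t, f"192.0.2.{k % 50 + 1}", "flood-spread"))
    events.sort(key=lambda e: e[0])

    results = {}
    for mode, limiter in (("per_ip", PerClientLimiter()),
                          ("per_24", PerClientLimiter(key=slash24))):
        admitted = defaultdict(int)
        for t, ip, label in events:
            if limiter.check(ip, t):
                admitted[label] += 1
        results[mode] = dict(admitted)
    return results


if __name__ == "__main__":
    for mode, admitted in simulate().items():
        print(mode, admitted)
```

With a refill rate of 5 requests per second and a burst of 10, the real user's 30 requests all go through, while the single-IP flooder gets roughly 10 plus 5 per second, about 160 of its 3,000 requests, whichever key is used. The flood spread over 50 addresses slips under a per-IP limit entirely, since each address only sends 2 requests per second, but a per-/24 key treats the range as one client and throttles it like the single flooder. A botnet spread across thousands of unrelated networks defeats both keys, which is why the capacity and CDN approaches described above remain the backstop.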
Is DDoS illegal?
Yes, DDoS is illegal. Most anti-cybercrime laws, in the US, the UK, and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. Also, the act of hacking into a computer to make it part of a botnet is itself illegal.
You might see a counterargument that goes something like this: It’s not illegal to send web traffic or requests over the internet to a server, and so therefore DDoS attacks, which are just aggregating an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however.
Simulating a DDoS attack with the consent of the target organization for the purposes of stress-testing their network is legal, however.
DDoS attack examples
February 2020: Amazon Web Services mitigated a CLDAP reflection attack that peaked at 2.3Tbps.
February 2018: GitHub was the target of a memcached reflection/amplification attack that peaked at 1.35Tbps.
October 2016: A DDoS attack on DNS provider Dyn, carried out with the Mirai botnet, made major sites including Twitter, Reddit, and Netflix unreachable for much of the day, particularly for users on the US East Coast. It remains one of the most infamous DDoS attacks of all time.
March 2014: Project management software provider Basecamp was taken offline by a DDoS attack after refusing to pay a ransom.
February 2004: A DDoS attack famously took the SCO Group's website offline. At the time, the company was frequently in the news for lawsuits relating to its claim to own rights to code in Linux, leading to speculation that open-source advocates were responsible for the attack.
Original Post url: https://www.csoonline.com/article/571981/ddos-attacks-definition-examples-and-techniques.html
Category & Tags: Cyberattacks, DDoS