A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet in this era. When you hear about a website being “brought down by hackers,” it literally means it has become a victim of a DDoS attack. In short, this means that hackers have attempted to make a website, computer or server unavailable by flooding or crashing the website with too much traffic that blocks the access to the fundamentals.
What is really distributed denial-of-service attacks (DDoS)?
Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate. The goal is to render the website or service inoperable.
The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level. This may be combined with an extortion threat of a more devastating attack unless the company pays a cryptocurrency ransom. In 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted banks, web host providers, and others in this way.
Examples of DDoS attacks
Here’s a bit of history and two notable attacks.
In 2000, Michael Calce, a 15-year-old boy who used the online name “Mafiaboy,” launched one of the first recorded DDoS attacks. Calce hacked into the computer networks of a number of universities. He used their servers to operate a DDoS attack that crashed several major websites, including CNN, E-Trade, eBay, and Yahoo. Calce was convicted of his crimes in the Montreal Youth Court. As an adult, he became a “white-hat hacker” identifying vulnerabilities in the computer systems of major companies.
More recently, in 2016, Dyn, a major domain name system provider — or DNS — was hit with a massive DDoS attack that took down major websites and services, including AirBnB, CNN, Netflix, PayPal, Spotify, Visa, Amazon, The New York Times, Reddit, and GitHub.
The gaming industry has also been a target of DDoS attacks, along with software and media companies.
DDoS attacks are sometimes done to divert the attention of the target organization. While the target organization focuses on the DDoS attack, the cybercriminal may pursue a primary motivation such as installing malicious software or stealing data.
DDoS attacks have been used as a weapon of choice of hacktivists, profit-motivated cybercriminals, nation states and even — particularly in the early years of DDoS attacks — computer whizzes seeking to make a grand gesture.
How do DDoS attacks work?
The theory behind a DDoS attack is simple, although attacks can range in their level of sophistication. Here’s the basic idea. A DDoS is a cyberattack on a server, service, website, or network floods it with Internet traffic. If the traffic overwhelms the target, its server, service, website, or network is rendered inoperable.
Network connections on the Internet consist of different layers of the Open Systems Interconnection (OS) model. Different types of DDoS attacks focus on particular layers. A few examples:
- Layer 3, the Network layer. Attacks are known as Smurf Attacks, ICMP Floods, and IP/ICMP Fragmentation.
- Layer 4, the Transport layer. Attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
- Layer 7, the Application layer. Mainly, HTTP-encrypted attacks.
A DDoS attack is launched from numerous compromised devices, often distributed globally in what is referred to as a botnet. It is distinct from other denial of service (DoS) attacks, in that it uses a single Internet-connected device (one network connection) to flood a target with malicious traffic. This nuance is the main reason for the existence of these two, somewhat different, definitions.
The primary way a DDoS is accomplished is through a network of remotely controlled, hacked computers or bots. These are often referred to as “zombie computers.” They form what is known as a “botnet” or network of bots. These are used to flood targeted websites, servers, and networks with more data than they can accommodate.
The botnets may send more connection requests than a server can handle or send overwhelming amounts of data that exceed the bandwidth capabilities of the targeted victim. Botnets can range from thousands to millions of computers controlled by cybercriminals. Cybercriminals use botnets for a variety of purposes, including sending spam and forms of malware such as ransomware. Your computer may be a part of a botnet, without you knowing it.
Increasingly, the millions of devices that constitute the ever-expanding Internet of Things (IoT) are being hacked and used to become part of the botnets used to deliver DDoS attacks. The security of devices that make up the Internet of Things is generally not as advanced as the security software found in computers and laptops. That can leave the devices vulnerable for cybercriminals to exploit in creating more expansive botnets.
The 2016 Dyn attack was accomplished through Mirai malware, which created a botnet of IoT devices, including cameras, smart televisions, printers and baby monitors. The Mirai botnet of Internet of Things devices may be even more dangerous than it first appeared. That’s because Mirai was the first open-source code botnet. That means the code used to create the botnet is available to cybercriminals who can mutate it and evolve it for use in future DDoS attacks.
Botnets are used to create an HTTP or HTTPS flood. The botnet of computers is used to send what appear to be legitimate HTTP or HTTPS requests to attack and overwhelm a webserver. HTTP — short for HyperText Transfer Protocol — is the protocol that controls how messages are formatted and transmitted. An HTTP request can be either a GET request or a POST request. Here’s the difference:
- A GET request is one where information is retrieved from a server.
- A POST request is one where information is requested to be uploaded and stored. This type of request requires greater use of resources by the targeted web server.
While HTTP floods using POST requests use more resources of the web server, HTTP floods using GET requests are simpler and easier to implement.
DDoS attacks can be purchased on black markets
Assembling the botnets necessary to conduct DDoS attacks can be time-consuming and difficult.
Cybercriminals have developed a business model that works this way: More sophisticated cybercriminals create botnets and sell or lease them to less sophisticated cybercriminals on the dark web — that part of the Internet where criminals can buy and sell goods such as botnets and stolen credit card numbers anonymously.
The dark web is usually accessed through the Tor browser, which provides an anonymous way to search the Internet. Botnets are leased on the dark web for as little as a couple of hundred dollars. Various dark web sites sell a wide range of illegal goods, services, and stolen data.
In some ways, these dark web sites operate like conventional online retailers. They may provide customer guarantees, discounts, and user ratings.
What are the symptoms of a DDoS attack?
DDoS attacks have definitive symptoms. The problem is, the symptoms are so much like other issues you might have with your computer — ranging from a virus to a slow Internet connection — that it can be hard to tell without professional diagnosis. The symptoms of a DDoS include:
- Slow access to files, either locally or remotely
- A long-term inability to access a particular website
- Internet disconnection
- Problems accessing all websites
- Excessive amount of spam emails
Most of these symptoms can be hard to identify as being unusual. Even so, if two or more occur over long periods of time, you might be a victim of a DDoS.
Types of DDoS attacks
DDoS attacks generally consist of attacks that fall into one or more categories, with some more sophisticated attacks combining attacks on different vectors. These are the categories:
A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP) packets. The goal of the attack is to flood random ports on a remote host. This causes the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP ‘Destination Unreachable’ packet. This process saps host resources, which can ultimately lead to inaccessibility.
ICMP (Ping) Flood
Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting a significant overall system slowdown.
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.
Ping of Death
A ping of death (“POD”) attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum frame size – for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.
Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.
In NTP amplification attacks, the perpetrator exploits publically-accessible Network Time Protocol (NTP) servers to overwhelm a targeted server with UDP traffic. The attack is defined as an amplification assault because the query-to-response ratio in such scenarios is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by a using tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.
In an HTTP flood DDoS attack, the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to every single request.
Zero-day DDoS Attacks
The “Zero-day” definition encompasses all unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading zero-day vulnerabilities has become a popular activity.
Here’s a closer look at different types of DDoS attacks.
TCP Connection Attacks
TCP Connection Attacks or SYN Floods exploit a vulnerability in the TCP connection sequence commonly referred to as the three-way handshake connection with the host and the server.
Here’s how. The targeted server receives a request to begin the handshake. In a SYN Flood, the handshake is never completed. That leaves the connected port as occupied and unavailable to process further requests. Meanwhile, the cybercriminal continues to send more and more requests overwhelming all open ports and shutting down the server.
Application layer attacks — sometimes referred to as Layer 7 attacks — target applications of the victim of the attack in a slower fashion. That way, they may initially appear as legitimate requests from users, until it is too late, and the victim is overwhelmed and unable to respond. These attacks are aimed at the layer where a server generates web pages and responds to http requests.
Often, Application level attacks are combined with other types of DDoS attacks targeting not only applications, but also the network and bandwidth. Application layer attacks are particularly threatening. Why? They’re inexpensive to operate and more difficult for companies to detect than attacks focused on the network layer.
Fragmentation Attacks are another common form of a DDoS attack. The cybercriminal exploits vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller packets, transferred across a network, and then reassembled. In Fragmentation attacks, fake data packets unable to be reassembled, overwhelm the server.
In another form of Fragmentation attack called a Teardrop attack, the malware sent prevents the packets from being reassembled. The vulnerability exploited in Teardrop attacks has been patched in the newer versions of Windows, but users of outdated versions would still be vulnerable.
Volumetric Attacks are the most common form of DDoS attacks. They use a botnet to flood the network or server with traffic that appears legitimate, but overwhelms the network’s or server’s capabilities of processing the traffic.
Types of DDoS Amplification
In a DDoS Amplification attack, cybercriminals overwhelm a Domain Name System (DNS) server with what appear to be legitimate requests for service. Using various techniques, the cybercriminal is able to magnify DNS queries, through a botnet, into a huge amount of traffic aimed at the targeted network. This consumes the victim’s bandwidth.
A variation of a DDoS Amplification attack exploits Chargen, an old protocol developed in 1983. In this attack, small packets containing a spoofed IP of the targeted victim are sent to devices that operate Chargen and are part of the Internet of Things. For instance, many Internet-connected copiers and printers use this protocol. The devices then flood the target with User Datagram Protocol (UDP) packets, and the target is unable to process them.
DNS Reflection attacks are a type of DDoS attack that cybercriminals have used many times. The susceptibility to this type of attack is generally due to consumers or businesses having routers or other devices with DNS servers misconfigured to accept queries from anywhere instead of DNS servers properly configured to provide services only within a trusted domain.
The cybercriminals then send spoofed DNS queries that appear to come from the target’s network so when the DNS servers respond, they do so to the targeted address. The attack is magnified by querying large numbers of DNS servers.
Motivation behind DDoS attacks
DDoS attacks are quickly becoming the most prevalent type of cyber threat, growing rapidly in the past year in both number and volume according to recent market research. The trend is towards shorter attack duration, but bigger packet-per-second attack volume.
Attackers are primarily motivated by:
- Ideology – So called “hacktivists” use DDoS attacks as a means of targeting websites they disagree with ideologically.
- Business feuds – Businesses can use DDoS attacks to strategically take down competitor websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
- Boredom – Cyber vandals, a.k.a., “script-kiddies” use prewritten scripts to launch DDoS attacks. The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline rush.
- Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks as a means of extorting money from their targets.
- Cyber warfare – Government authorized DDoS attacks can be used to both cripple opposition websites and an enemy country’s infrastructure.LOIC (Low Orbit Ion Cannon) : an “entry-level” DoS attack tool used for cyber vandalism
Check out the DDoS Digital Attack Map
The Digital Attack Map was developed by Arbor Networks ATLAS global threat intelligence system. It uses data collected from more than 330 ISP customers anonymously sharing network traffic and attack information
Take a look at the Digital Attack Map. It enables you to see on a global map where DDoS attacks are occurring with information updated hourly.
How to protect yourself from Distributed Denial of Service attacks
Protecting yourself from a DDoS attack is a difficult task. Companies have to plan to defend and mitigate such attacks. Determining your vulnerabilities is an essential initial element of any protection protocol.
Method 1: Take quick action
The earlier a DDoS attack in progress is identified, the more readily the harm can be contained. Companies should use technology or anti-DDoS services that can assist you in recognizing legitimate spikes in network traffic and a DDoS attack.
If you find your company is under attack, you should notify your ISP provider as soon as possible to determine if your traffic can be re-routed. Having a backup ISP is also a good idea. Also, consider services that disperse the massive DDoS traffic among a network of servers rendering the attack ineffective.
Internet Service Providers will use Black Hole Routing which directs traffic into a null route sometimes referred to as a black hole when excessive traffic occurs thereby keeping the targeted website or network from crashing, but the drawback is that both legitimate and illegitimate traffic is rerouted in this fashion.
Method 2: Configure firewalls and routers
Firewalls and routers should be configured to reject bogus traffic and you should keep your routers and firewalls updated with the latest security patches. These remain your initial line of defense.
Application front end hardware which is integrated into the network before traffic reaches a server analyzes and screens data packets classifying the data as priority, regular or dangerous as they enter a system and can be used to block threatening data.
Method 3: Consider artificial intelligence
While present defenses of advanced firewalls and intrusion detection systems are common, AI is being used to develop new systems.
The systems that can quickly route Internet traffic to the cloud, where it’s analyzed, and malicious web traffic can be blocked before it reaches a company’s computers. Such AI programs could identify and defend against known DDoS indicative patterns. Plus, the self-learning capabilities of AI would help predict and identify future DDoS patterns.
Researchers are exploring the use of blockchain, the same technology behind Bitcoin and other cryptocurrencies to permit people to share their unused bandwidth to absorb the malicious traffic created in a DDoS attack and render it ineffective.
Method 4: Secure your Internet of Things devices
This one is for consumers. To keep your devices from becoming a part of a botnet, it’s smart to make sure your computers have trusted security software. It’s important to keep it updated with the latest security patches.
If you have IoT devices, you should make sure your devices are formatted for the maximum protection. Secure passwords should be used for all devices. Internet of Things devices have been vulnerable to weak passwords, with many devices operating with easily discovered default passwords. A strong firewall is also important.
Protecting your devices is an essential part of Cyber Safety.
Frequently Asked Questions (FAQs)
Q: What happens during a DDoS attack?
A: During a DDoS attack the distributed computers – botnet – spam the target with as many data requests as possible.
Q: Are DDoS attacks illegal?
A: Yes, it is illegal to use DDoS techniques to disrupt a target without permission. It’s a good practice to set up a DDoS drill so you can practice your Incident Response plan for DDoS attacks, which is a legal use of DDoS.
Q: In a DDoS attack, what communications channel is commonly used to orchestrate the attack?
A: HTTP, DNS, and TCP/IP requests are common protocols used for DDoS attacks.