August 06, 2019
What Is a DDoS Attack?
The meaning of a “DDoS attack”
A DDoS or distributed denial of service attack is a type of cyberattack in which the attackers use a large number of internet-connected devices to target a server or system. This is carried out with the intent of overloading the target to prevent it from working properly.
A DDoS attack typically involves flooding the bandwidth or resources of a targeted system with superfluous data requests, effectively halting its operations. This overload can occur when:
- too many people attempt to access a website simultaneously
- one computer sends too many requests to another computer or server that cannot handle the traffic
- one computer sends malicious data packets to another computer or server
DoS vs. DDoS Attacks
The key difference between the two is the number of sources. A Denial of Service (DoS) attack uses a single computer to flood a server. A DDoS attack, by definition, is distributed: it springs from multiple locations and devices. Increasing the number of source machines multiplies the number of requests, which escalates the attack's power.
The flood of incoming traffic from multiple sources can force a network to crash. Because DDoS attacks originate from multiple sources, they are often the most difficult to detect and shut down.
How to identify a DDoS attack
DDoS attacks typically target high-profile web servers such as those belonging to banks, telecommunications or credit card companies. Attacks may be carried out as revenge, blackmail, or activism. The main object of a DoS or DDoS attack is to deprive legitimate users of a service or resource.
There are several signs to look out for when diagnosing a possible DoS attack:
- Unusually slow network performance
- Large spikes in traffic coming from a single IP or IP range
- A flood of traffic from users that share a similar technology stack e.g. browser, device, location
- Endpoint request surges
- Unnatural traffic patterns that don’t match the time of day
Although these are just a few examples, they cover some of the most common scenarios.
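The signs listed above can be checked mechanically against web server access logs. The following is an added example, not code from the original article: the log lines are constructed, and the thresholds (one /24, user agent or endpoint accounting for half of all requests; quiet hours 00:00 to 06:00) are assumptions to be tuned per site.

```python
"""Scan web access logs for the DDoS warning signs listed above.
Added example, not code from the original article. The log lines below are
constructed, and the thresholds are assumptions to be tuned per site."""
import shlex
from collections import Counter
from ipaddress import ip_network

# Constructed Combined Log Format lines (IP, timestamp, request, status, bytes, referrer, user agent).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2019:03:14:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.8 - - [06/Aug/2019:03:14:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.9 - - [06/Aug/2019:03:14:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.10 - - [06/Aug/2019:03:14:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.58"
198.51.100.4 - - [06/Aug/2019:14:02:11 +0000] "GET /products HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.25 - - [06/Aug/2019:14:03:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh)"
"""

def parse_log(text):
    """Return one dict per line with the fields the checks below need."""
    rows = []
    for line in text.splitlines():
        tok = shlex.split(line)           # quoted fields stay together
        hour = int(tok[3].split(":")[1])  # "[06/Aug/2019:03:14:01" -> 3
        rows.append({"ip": tok[0], "hour": hour,
                     "path": tok[5].split()[1], "ua": tok[9]})
    return rows

def find_signals(rows, share=0.5, quiet_hours=range(0, 6)):
    """Map each triggered warning sign to the value that triggered it.
    A sign fires when one /24, one user agent or one endpoint accounts for
    at least `share` of all requests, or when that share arrives off-hours."""
    n = len(rows)
    signals = {}
    checks = {
        "single_ip_range": lambda r: str(ip_network(r["ip"] + "/24", strict=False)),
        "shared_stack": lambda r: r["ua"],
        "endpoint_surge": lambda r: r["path"],
    }
    for name, key in checks.items():
        value, count = Counter(key(r) for r in rows).most_common(1)[0]
        if count / n >= share:
            signals[name] = value
    off_hours = sum(1 for r in rows if r["hour"] in quiet_hours)
    if off_hours / n >= share:
        signals["off_hours_traffic"] = off_hours
    return signals

if __name__ == "__main__":
    print(find_signals(parse_log(SAMPLE_LOG)))
```

On the constructed sample every sign fires: the /24 203.0.113.0/24, the curl user agent and the /login endpoint each carry four of six requests, all during quiet hours.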
What are some common types of DDoS attacks?
The most common type of DDoS attack involves flooding a network server with requests and overloading it with traffic to overwhelm the server, rendering it unavailable to legitimate users.
There are two main types of DDoS attacks:
Buffer overflow attacks
This type of DDoS attack takes up all available hard disk space, memory, or CPU time. It often results in sluggish behavior, system crashes, or other behaviors harmful to the server, resulting in denial-of-service.
Flood attacks
In this DDoS attack a malicious actor will overwhelm a targeted server with packets, which are small segments of a larger message. This will ultimately result in denial-of-service — these flood attacks are only successful if the malicious actor has more bandwidth than their target does.
Where do DDoS attacks strike in the OSI model?
When it comes to securing digital assets it’s always important to take a multi-layered approach. Protecting against distributed denial of service attacks is no different. DDoS attacks can target any layer of the Open Systems Interconnection (OSI) model, which reinforces the need to have security steps in place at each level. However, some layers of the OSI model are attacked far more often than others.
Layer 7: Application layer attacks
Application layer attacks are among the most common due to their increased exposure compared to other layers — this is where applications access the network services.
One of the common application layer distributed denial of service attacks is an HTTP flood. In its simplest form an HTTP flood is similar to constantly refreshing a web page over and over again on multiple endpoints at the same time. These requests then flood the server and overwhelm it, with the eventual goal of crashing the application.
Layers 3 & 4: Protocol attacks
Protocol attacks target layers 3 and 4 to confuse and block data at the protocol level. These attacks are designed to stop and break up data transmission.
SYN flood attacks
“SYN” is short for “synchronization” in networking — SYN flood attacks exploit the transmission control protocol (TCP) handshake. This string of communications, in which two computers create a network connection, is targeted by threat actors by sending a large number of TCP “Initial Connection Request” SYN packets with spoofed source IP addresses.
The targeted machine responds to each connection request and then waits idly for the next and final step in the handshake. But this final step never occurs, exhausting the target’s resources in the process.
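On the server side, the half-open connections left behind by the handshake that never completes are visible as sockets stuck in the SYN-RECV state. The following is an added example, not code from the original article: it parses a constructed snapshot in the layout of `ss -tan` and flags ports with many half-open connections from distinct peers; the threshold of four is an assumption, far below what a real backlog holds.

```python
"""Flag a possible SYN flood from a snapshot of TCP socket states.
Added example, not from the original article. The snapshot is constructed;
a host under a SYN flood shows many sockets stuck in SYN-RECV, each from a
different (and, per the text above, usually spoofed) source address."""
from collections import defaultdict

# Constructed output in the layout of `ss -tan` (State, Recv-Q, Send-Q, Local, Peer).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      10.0.0.5:443        198.51.100.4:51022
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.54:40002
SYN-RECV  0      0      10.0.0.5:443        192.0.2.9:40003
SYN-RECV  0      0      10.0.0.5:443        192.0.2.77:40004
SYN-RECV  0      0      10.0.0.5:443        203.0.113.200:40005
ESTAB     0      0      10.0.0.5:22         198.51.100.4:51100
"""

def half_open_by_port(ss_output):
    """Return {local_port: set(peer_ips)} for sockets stuck in SYN-RECV."""
    half_open = defaultdict(set)
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[1]  # "10.0.0.5:443" -> "443"
        peer_ip = fields[4].rsplit(":", 1)[0]     # "203.0.113.11:40001" -> ip
        half_open[local_port].add(peer_ip)
    return half_open

def syn_flood_suspects(ss_output, threshold=4):
    """Ports whose half-open connections come from at least `threshold` distinct peers.
    A legitimate client rarely leaves more than one connection half open, so
    many distinct peers in SYN-RECV on one port is the signature described above.
    The threshold is an assumption; tune it to the host's normal backlog."""
    return {port: len(peers)
            for port, peers in half_open_by_port(ss_output).items()
            if len(peers) >= threshold}

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_SS))
```

Because the source addresses are spoofed, blocking individual peers does little; on Linux the standard mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1`), which let the server answer a SYN without reserving backlog state until the handshake completes.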
Volumetric attacks
Volumetric attacks are DDoS attacks that aim to generate congestion by exhausting all of the available bandwidth between the target and the Internet at large. An abundant amount of data is sent to the target via a form of amplification or some other means of creating an enormous amount of traffic (e.g. a request from a botnet).
Imagine if someone were to call a restaurant, requesting, “I’ll have one of everything on your menu. Please call me back and then repeat my entire order,” with the callback number belonging to the victim. This is similar to how the DDoS attack known as DNS amplification works; with very little effort on the attacker’s part, a long response is generated and sent to the victim.
The attacker sends a request to an open DNS server with a spoofed source IP address, the IP address of the victim, so the server delivers its response to the victim rather than to the attacker.
Hackers for hire: DDoS services
Over the years “as a service” attack offerings have increased on the Dark Web, and malicious actors are now able to hire hackers to carry out a DDoS attack for them. These require minimal technical knowledge beyond how to access the Dark Web and how to pay for the service. The rest is left to the hackers and bots carrying out the attacks.
Back in July 2020 Wired Magazine reported that “DDoS-For-Hire” Is Fueling a New Wave of Attacks. In 2021 a record number of DDoS attacks were observed according to the Kaspersky DDoS attacks in Q4 2021 report.
As a result, DDoS mitigation is essential for managed service providers (MSPs) to both understand and deploy in order to successfully protect their clients.
How to ensure DDoS attack prevention
DDoS attacks can prove to be costly to businesses – in lost revenue, downtime, and reputation.
To avoid becoming a victim of a DoS or DDoS attack, MSPs need to take steps for DDoS prevention to protect their customers. Here are a few technical deployments that can be put in place:
- Blackhole routing
- Rate limiting
- Web application firewall
- Network diffusion
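Rate limiting, the second deployment listed above, is commonly implemented as a token bucket per client. The following is an added example, not code from the original article: every client IP gets a bucket that refills at a fixed rate up to a burst capacity, and a request that finds the bucket empty is rejected before it reaches the application. The rate of 4 requests per second and burst of 8 are assumptions, as is the constructed traffic.

```python
"""Per-client token-bucket rate limiting, one of the deployments listed above.
Added example, not code from the original article. The rate, burst and the
traffic fed through the limiter are assumptions constructed for illustration."""
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float   # tokens currently available
    updated: float  # timestamp (seconds) of the last refill

class RateLimiter:
    def __init__(self, rate=4.0, burst=8):
        self.rate = rate      # sustained requests per second allowed per client
        self.burst = burst    # bucket capacity: the largest burst let through
        self.buckets = {}

    def allow(self, client_ip, now):
        """True if the request from client_ip at time `now` may proceed.
        `now` is passed in rather than read from the clock so runs are
        deterministic; in production pass time.monotonic()."""
        b = self.buckets.get(client_ip)
        if b is None:
            b = self.buckets[client_ip] = Bucket(self.burst, now)
        # Refill in proportion to elapsed time, never above the capacity.
        b.tokens = min(self.burst, b.tokens + (now - b.updated) * self.rate)
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

def simulate(limiter, requests):
    """Feed (client_ip, timestamp) pairs through the limiter; count verdicts per client."""
    stats = {}
    for ip, t in requests:
        verdict = "allowed" if limiter.allow(ip, t) else "rejected"
        stats.setdefault(ip, {"allowed": 0, "rejected": 0})[verdict] += 1
    return stats

# Constructed traffic: one client fires 32 requests within a second, another sends three a second apart.
FLOOD = [("203.0.113.7", i / 32) for i in range(32)]
NORMAL = [("198.51.100.4", float(t)) for t in range(3)]

if __name__ == "__main__":
    print(simulate(RateLimiter(), FLOOD + NORMAL))
```

The flooding client gets its initial burst of 8, then only one request per 8 slots as the bucket refills, while the well-behaved client is never rejected.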
DDoS mitigation best practices
- Enroll in a DDoS protection service that detects abnormal traffic flows and redirects traffic away from client networks
- Create a Disaster Recovery Plan to ensure proper communication, mitigation, and recovery of data in case of an attack
- Secure all endpoint connections
- Install a firewall and restrict traffic
- Evaluate your clients’ security settings and follow security best practices
Distributed denial-of-service attack prevention is not an easy feat — and the frequency of DDoS attacks is growing as it becomes easier to execute. Staying vigilant and implementing strict security practices can prevent MSP clients’ businesses from falling victim to these costly cyberattacks.
To learn more about protecting you and your customers from cyberattacks see our Cyber Resiliency Guide.