DDoS stands for Distributed denial-of-service. The purpose behind DDoS attacks might be to blackmail or to disrupt a rival business. Also, it might be a protest; DDoS attacks are frequently associated with hacktivist groups or as part of a nation-state-backed campaign for political or even quasi-military aims. The 2007 attack on Estonia was a DDoS attack.
However, the term "distributed" is used because these attacks come from many compromised computers or devices. This type of attack is very effective for sites without enough protection. Its main aim is to interrupt the normal operation of the application or site.
Also, DDoS attacks can be used to steal data. These are used as a diversion to allow hackers to launch other exploits against their targets. These attacks are not limited to online applications or websites. Any internet-connected device is at risk, warned by Tim Bandos, vice president of cybersecurity at Digital Guardian.
So it can attack critical national infrastructure, including power and transportation, and the internet of things (IoT) devices. Let’s learn more about DDoS attacks and how to stay protected from them.
Difference between DoS and DDoS Attacks
DoS stands for Denial of Service, and DDoS stands for Distributed Denial of Service. These two are quite similar. The difference between the scales is the only thing that differentiates them. Single DoS attacks are made from only one source, while DDoS (distributed) attacks are made from multiple locations and multiple loT devices, often spoofed.
How does a DDoS Attack Work?
As per Barracuda's Allen, only DDoS attacks work by overflowing a service with more of something than it can handle until the service gives up. But it cannot be that simple. For taking advantage of the weaknesses, DDoS attacks have been created in many forms.
These attacks can be short bursts of malicious requests on vulnerable endpoints such as search functions. DDoS attacks use an army of a botnet which generally consists of compromised IoT devices, websites, and computers.
The botnet attacks the target when a DDoS attack is launched and then depletes the application resources. When a DDoS attack is successful, it will prevent a user from accessing a website or slow it down enough to increase bounce rate, resulting in financial losses and performance issues.
Types of DDoS Attacks
A DDoS attack ranges from accidental to genuine users overwhelming the resources of popular sites. Simple attacks include the 'Ping of Death' that sends more data to the host than the Ping protocol allows, which will manipulate TCP connection handshakes.
Sophisticated attacks, such as TCP SYN, might attack the network while a second exploit goes after the applications that will attempt to disable them or degrade their performance.
According to James Smith, head of penetration testing at Bridewell Consulting, there are three common forms of DDoS attacks and that are:
- Volumetric attacks
- Protocol attacks
- Application (layer) attacks
He further states that these attacks deplete resources in one way or another.
UDP amplification attacks are the largest, most damaging, and dangerous attacks since they are proof-able. According to Corey Nachreiner, chief technology officer at WatchGuard Technologies, small UDP requests can generate large bandwidth attacks. For example, it can magnify the traffic of one host by a factor of 10,000 or more.
What Happens During a DDoS Attack?
A DDoS attack depletes the server resources and increases website load time. When a DDoS attacks a website, it slows down the performance and may crash the server entirely by overwhelming the server's resources such as CPU, memory, or even the entire network. Many DDoS attacks usually originated from a hacker-controlled botnet of vulnerable IoT devices.
This exponential growth of DDoS attacks is generally due to the lack of regulatory control over IoT devices, making them outstanding recruits for botnets. A group of hijacked IoT devices having unique IP addresses can be redirected to make wicked requests against websites, and that will be causing a DDoS attack.
What Are the Signs of a DDoS Attack?
The signs of DDoS attacks are as follows:
- The website will respond slowly.
- The website will be unresponsive.
- The user will face problems accessing the website.
- If you are a target, then you will also face internet connection issues.
Impact of a DDoS Attack
A DDoS attack affects many ways, but its main objective is to disrupt a website's availability which is to make a website slow so that it cannot respond to legitimate requests. Also, it can disable it entirely, making it impossible for legitimate users to access it. There are also other impacts, and that is:
- It damages the reputation
- It damages customer trust
- Financial losses take place
- Impact on critical services
- Data is loosed
- The cost of restoring a system in direct or indirect ways.
The Amplification Effect of DDoS Attacks
One of the features of DDoS attacks is their amplification effect. Hackers leverage botnets of compromised computers, and hence one attacker can control over 1000 bots that can be easily used to DDos the victim.
It is like one server serving thousands of bots to make it easier to win for the attacker. However, it is not always important for hackers to be in control of botnets. They can also make the host send a response to a wrong destination IP address.
A common example of this situation is when vulnerable Memcached servers were used to take Github down when none of them was hacked but were only fooled by the attacker.
Another effect of this amplification is related to the network layer and spoofed requests. You can understand it more clearly by considering a situation where each computer on the botnet only needs to send 1 byte to get a 100-byte response in return.
This process is called 100 times amplification. Also, when the request is spoofed, the reply of the message goes to another computer in the network and not the attacker. This makes the network port of the server process 100 plus 1 byte of data while attackers are dealing with only 1-byte outgoing request data.
Theoretically, a small botnet of 1000 bots can generate as much as 100 Gbps with the help of the correct amplification technique.
Amplification does not only stop at the network layer but also the application; it can do wonders. What if 1 HTTP request from the attacker can make the server do a lot of work? It is done by making the victim server do expensive research for the particular query. It does not cost servers various resources but also is very time-consuming.
What is the cost of a DDoS Attack?
According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million. Another report by Netscout says that the combined annual cost of DDoS attacks to the UK economy is close to £1 billion, which is $1.3 billion.
The cost of a DDoS attack could range from a few tens of thousands of dollars to millions depending upon the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy.
If the case includes a nation-state attack or an attack on critical national infrastructure, then the cost would be much higher, leading to social unrest. No deaths have been attributed directly to DDoS attacks, but its effect on the economy is very real and disturbing.
How Long Does a DDoS Attack Last?
The time an attack can last depends on the attacker and the target on which an attacker is trying to attack and on the attacker's defence mechanism and the target. If the defence system is low, it only has few defences, and then an attacker might succeed in just a few moments.
But there are also few words in the industry that an attack can last up to 24 hours. But up until now, the largest DDoS attack against GitHub has lasted about 20 minutes because of the effectiveness of the site's defences, according to Cloudflare.
If an attacker cannot take down the target in 24 hours, that does not mean the site is out of danger. The victim's sites or applications are not safe even after 24 hours. An attacker can try again with more data by simply moving on to another botnet or using a different range of exploits.
Are DDoS Attacks Illegal?
In the UK, the Computer Misuse Act 1990 makes it illegal to intentionally impair the operation of a computer or prevent or delay access to a program or data on a computer. If you are authorized to do so, there is no problem, but you need proper permission to do work.
Barracuda's Allen says that the biggest and most difficult job is to find the attacker. And law enforcement can only act if they can find the person behind these dangerous attacks.
Since these attacks are distributed, and the attacking devices are often unknowing parties, the true person, the attacker, is hard to touch. Also, when an attacker attacks, he does not put his real name upfront, which makes it harder to find the main attacker.
How to Prevent DDoS Attacks?
Until recently, security teams for many organizations in different industries believed that they did not need to worry about DDoS attacks. The latest data from the Verizon 2017 data breach investigations revealed that DDoS attacks could threaten businesses of any size.
In today's climate of ever-evolving DDos attacks scenario, every organization must consider a protection strategy. In addition to this, numerous DDoS tools are available in the e-market accessible for the unethical novice.
We talked extensively about types of DDoS attacks and how it impacts the owner in the article. So let us learn about its prevention now. Here are the following ways through which you can protect your site from DDoS attacks.
Website Application Firewall Protection
Most of the organization gets easily affected because of DDoS attacks as the attacks are generally automated. However, the threat can also work as a diversion for other attacks, especially if it is a financial institution.
There is a good probability of data theft when all eyes are on DDoS attacks. In such situations blocking DDoS attacks right at the application layer seems the optimal solution. The right firewall will protect the site's website hacks and protect your site to keep hackers out. It also monitors for security incidents.
As the name suggests, it is a layer of protection between your website and the traffic it receives. It is one of the best ways to prevent malicious traffic to your website. Install and activate a website application firewall to protect your site from DDoS attacks.
These are application-specific firewalls and work beyond the metadata of the packets transferred at the network level. Their ultimate focus is on the data in the transfer and was created to understand different types of data allowed for each protocol, for example, HTTP and SNTP.
Dozens of vendors offer application firewalls, often directly through hosting providers, at a pocket-friendly cost. You can purchase a subscription for your organization or implement the hardware-based DDoS mitigation hardware right at the network edge.
Large distributed network companies such as Akamai, Verisign, HPE, Cisco, and Cloudflare offer high-end distributed DDoS protection packages at the enterprise scale. You can install one for your organization to protect it from DDoS attacks.
Monitor Traffic to the Site
It is very important to monitor the traffic to your website to be aware of traffic peaks and DDoS attacks. Everybody desires millions of users for his website but getting them in one single day seems fishy. On the other hand, a dramatic increase in website traffic is a red sign for DDoS attacks. Hence, here comes the scene of monitoring the traffic flow to your website.
This is the most basic DIY approach to DDoS attack prevention, where you continuously monitor your website's traffic and shut down any suspected IP address. Although this may work for small organizations, Brian Honan warns it to be un-effective to protect them from large malicious attacks.
According to Bridewell's James Smith, organizations need a well-implemented patching policy to ensure that any service software is patched on time if it may encounter any DDoS vulnerabilities.
The organization could also get installed a cloud-based compromise detection system (CDS) for their websites to have a more accurate check on their site continuously. The system alerts the organization of any suspicious activity to take quick action. As a result, it reduces any negative impact on the traffic of the website to a great extent.
Blocking Specific Users
The majority of website threats come from specific enemy countries. After you learn the pattern of threats and their source origin, you can specifically block total traffic from the users of that particular country. It is done by blocking IP addresses from particular areas.
The users will be allowed in read-only mode, meaning that they will still view all content, but they will neither register on these websites nor submit comments. This prevents them from attempting any login methods hence no threat of DDoS attacks.
A DDoS attack uses network vulnerability to make the system persistently lose the connection and slow down the performance. By creating more traffic to the website, the server cannot use internet service for a longer period. However, with perfect strategy and technique, the organization can save its site from getting corrupt.
The article above discusses DDoS attacks extensively and various ways of extensively preventing and preempting them. Learn the skill now!
Do you value your privacy online?
Use VPN Surf and surf safely and securely in the open waters of the internet.