What are DDoS attacks all about? Why are they so crippling? And how can you defend against them? Learn everything you need to know about the next DDoS attack that may target your system – and how to respond.
What is a distributed denial-of-service attack?
DDoS stands for Distributed Denial of Service. Sounds complicated? Don’t worry, it’s quite a simple concept to grasp.
During DDoS attacks, huge numbers of “bots” attack target computers. Hence, many entities are attacking a target, which explains the “distributed” part. The bots are infected computers spread across multiple locations. There isn't a single host. You may be hosting a bot right now and not even know it.
When DDoS attackers direct their bots against a certain target, it has some pretty unpleasant effects. Most importantly, a DDoS attack aims to trigger a “denial of service” response for people using the target system. This takes the target network offline. If you’ve repeatedly struggled to access a retail website, you may well have encountered a denial of service. And it can take hours, or days to recover from.
How does a DDoS attack work?
Why do DDoS attacks cause so much damage? In part, it’s simply a question of resources. Servers have a certain capacity – they aren’t limitless processing hubs. When they breach their capacity limits, systems within the server act to preserve the server as a whole. This takes targeted websites or users offline in the process.
Generally, attackers use a variety of denial of service techniques to bombard their targets – from data packets to messages or connection requests. All these techniques have the effect of turning targets into confused, slow, and often dysfunctional systems.
To achieve this, DDoS attackers need to control a bot army (or botnet). That’s the tricky part. However, by using social engineering (such as phishing) to spread malware or enticing users to download it, hackers can create the bots they need.
After attackers infect your system, it becomes a “bot.” You no longer have complete control over what your computer does online. Instead, control passes to a “master,” who orchestrates DDoS attacks. To do so, the “masters” weave together bots into botnets and coordinate them via special software.
These botnets can be massive. For instance, there are estimates claiming that the Srizbi included more than 450,000 bots. And these enormous forces continue to wage war on web users across the world, often with devastating results.
The main types of DDoS attacks
When we say a DDoS attack, it generally means a large-scale attack aimed to shut down a particular target. However, there are several variations in how DDoS attacks work. Typically, this depends on the part of the network that suffers the attack.
Network connections consist of many components, so a DDoS attack could target any one of them to intercept the service. In the network architecture OSI model, these components are more commonly known as layers - and they help us to describe the process of connectivity:
Application layer (7th layer) – topmost layer that specifies protocols for interactions with the network
Presentation layer (6th layer) – makes sure that the data is in a standardised format that the two separate systems understand
Session layer (5th layer) – is a mechanism that manages open network sessions intended for particular exchanges
Transport layer (4th layer) – ensures the reliable arrival of messages and confirms their reception
Network layer (3rd layer) – responsible for routing data packets through intermediaries like routers and servers
Datalink layer (2nd layer) – organizes the data into the packets that are ready to be sent
Physical layer (1st layer) – defines the transmission of raw bits over physical data links
In this sense, DDoS attacks fall into three categories: application-layer attacks, protocol attacks, and network-centric attacks, depending on which layer they target. Here’s what each of them does.
Application layer attacks
Or (layer 7 attacks) are a DDoS attack category that targets the outermost communications layer, which specifies protocols and interface methods for data exchange. The aim is to overwhelm these weak points to bring the network to its knees, misdirect it or disturb the exchanges, making them painfully slow.
BGP Hijacking – targets the Border Gateway Protocol used to standardize routing and information exchange data. This application-layer attack aims to route Internet traffic to an unintended destination by impersonating ownership of IP address groups via IP prefixes. This information can quickly spread to other networks, routing users to incorrect webpages.
Slowloris attack – targets HTTP connection requests to keep as many simultaneous connections open as possible. This exploits the fact that all servers have finite processing power. It only affects the webserver, dramatically slowing it down and negating requests from real users. It makes the service painfully slow and denies genuine requests.
Slow POST attack – a slow POST attack works by sending correctly specified HTTP POST headers to the targeted web server. However, the header’s body is intentionally sent at a very low speed. Since the message header is legitimate and there’s nothing wrong with it, the server responds to the request. If the server received thousands of these messages, it could quickly deny all other requests, stuffing the server resources.
Slow read attack – you can think of the slow read attack as a reversed slow POST attack. The difference is that in the case of a POST attack, the method is slowly sending the message body. In the case of a slow read attack, the HTTP requests are intentionally accepted and read at a very slow speed. The target server has to keep these requests open since the transfer is in progress, exhausting its resources, especially in cases with massive botnets.
Low and slow attack – this type of attack can target Transmission Control Protocol (TCP) via HTTP or TCP sessions with super slow rates. It's a method to slowly and steadily overwhelm servers flooding the pipeline and denying genuine user requests to connect. This attack requires a lot fewer resources to execute and is even possible without a botnet. Plus, it bypasses usual DDoS mitigation methods because the sent packets are genuine.
Large payload POST attack – this type exploits extensive markup language (XML) encoding used by webservers to exchange over HTTP. In this instance, the webserver receives data encoded in XML. The data, however, is altered by the attacker so that once it's in the memory, the size would be many times larger. If the server receives a large number of these requests, its memory quickly depletes.
Mimicked user browsing – as the name suggests, this DDoS attack imitates a real user's browsing patterns. However, this is actually a massive scale botnet. Each bot imitates real people going to the websites, generating high visitor spikes. It makes it impossible for real user data to go through, denying their queries.
Protocol attacks target the data transmission process, exploiting the transport and network layers. They target the protocols authenticating pre-selected connection methods. This type of attack accumulates pressure by bullying firewalls and sending faulty packets that crash the systems.
SYN floods – this attack exploits vulnerabilities in the TCP handshake system, which requires a SYN request, SYN-ACK, and ACK packet to authenticate the exchange. The attacker sends out an SYN request to the server, the server responds with an SYN-ACK message, waiting for an ACK confirmation from the client. However, the hacker sets up his equipment in such a way that the ACK packet never arrives, leaving the server hanging. Because there’s a finite amount of how many TCP interactions can simultaneously occur on a given server, a higher amount of these requests can quickly cause a crash.
Fragmented packet attacks – this attack type targets the maximum possible capacity of the Internet Control Message Protocol. There is a pre-determined size that a normal internet communications datagram cannot exceed. The attacker then fragments the packet and sends it in parts. Once the receiving server reassembles the packet, it returns an error, crashing the system.
IP/ICMP fragmentation attack – this attack is set up by sending malicious datagram packets that exceed the maximum transmission unit. The catch, in this case, is that if a packet is too large, it is transferred to temporary storage. Once there, it stuffs the memory, causing other requests to be denied.
Smurf DDoS – this attack exploits the Internet Control Message Protocol with a spoofed victim’s IP to generate infinite query loops. The attacker uses the victim as bait, amplifying the generated queries from the server network. It works as if the target requested queries, being overwhelmed with responses.
Network-centric or volumetric attacks mainly involve blitzing targets with data packets. This type of attack accumulates an enormous amount of traffic. It directs it to servers, which are unable to sustain full load for a prolonged period and will crash.
HTTP flooding attack – this attack type overwhelms the targeted server with a massive number of HTTP requests. Too many processed requests leave fewer available slots for genuine users. This denies service to them because the server is busy responding to the bots' queries.
ICMP flood attack – the most common type of volumetric attack. It works by requesting a high number of Internet Control Message Protocol requests, also known as pings. Each time the server receives such a request, it has to diagnose the health of its network. This exhausts resources and takes slightly longer than to generate a query.
IPSec flood – this attack targets the victim’s VPN server, trying to take it out of order. The attacker sends a large volume of IPSec IKE requests, making the server respond with redirected traffic. The goods news is that this type of attack is a thing of the past. After the introduction of the IKEv2 tunneling protocol, this vulnerability was largely solved.
UDP flood attack – this type of attack uses a large number of User Datagram Protocol (UDP) requests, sent faster than the server can respond. Due to the added cumulative effect of being bombarded with requests that return no destinations, even the server’s firewall can crumble. This also stops the service from responding to genuine requests.
Reflection amplification attacks – this attack works by sending a large volume of UDP packets with spoofed IP addresses to a DNS server. Essentially, it bounces them to the victim’s IP. The target gets hits by a load of responses as if he had contacted all these servers. This allows the hacker to remain anonymous, harassing innocent users with huge spikes clogging the bandwidth.
The dangers of DDoS attacks
There are plenty of reasons to neutralize the threat posed by DDoS attacks and botnets. Here are but a few examples of what can happen if you let your defenses drop.
Commercial systems can fail – in 2018, the Danish rail operator DSB fell victim to a DDoS attack, and it decimated their routing schedules. Ticketing systems went down, and trains slowed to a crawl to protect rider safety.
Gaming servers disruption – in 2016, the world of online gaming was rocked by the discovery of what came to be called the Mirai botnet attack. In this case, attackers sought to knock out competing Minecraft servers (which used to be a common money-making scheme). This attack didn’t just disrupt Minecraft players around the world. What’s even worse is the fact that the botnet went “rogue,” inflicting damage across servers in the eastern USA.
Bankruptcy is possible – back in 2014, the internet company Code Spaces proved to be a great example of the worst-case DDoS attack scenario. After repeated attacks, the coding hub closed its doors. This is something that could happen to any organization – all it takes is leaving the door open to DDoS attackers.
What are the effects of hosting a bot on your system? One of the worst aspects of DDoS attacks is how hard it is to detect whether your system is compromised. While there are some effects on connection speeds, most users barely notice any of this. Instead, they continue their normal online activities, blissfully unaware of the damage they’re spreading worldwide.
However, there are consequences for everyday users as well. For example, gamers can see connection speeds drop, and latency increase dramatically when DDoS attacks take place. Some games like Runescape have been victims of such attacks, resulting in terrible ping for many players.
DDoS attack map
Online you can find many data flow visualizations that pinpoint cyber-attack clusters. Such maps often encompass botnets, hubs setting up for reflection attacks, and more. The DDoS attack map, then, is just one of the ways to filter out just the data that portrays large scale DDoS attack directions, showing them on a map using historical records. Here are a few most known examples.
Arbor Networks DDoS attack map
The product of Google Ideas and Arbor Networks collaboration is a live data visualization that also doubles as a source for historical data and trends for DDoS attacks. The project uses data gathered by their proprietary ATLAS threat intelligence system collaborating with ISP’s who voluntarily agreed to share anonymized data collected on their users.
Fortinet threat map
Fortinet threat map acts as a free demo version of what would be available if you decided to opt-in and become a full-fledged Fortiguard user. Displaying the data, collected from anonymized Fortinet products users, it shows the more heated eruptions indicated with different color codes. Actual Fortiguard users have a better version on their hands. They can more easily monitor what threat may be looming nearby on a personalized map.
Bitdefender live cyber threat map
Although Bitdefender is more famous for its anti-virus service, they also have a cybersecurity threat map that also displays DDoS attacks in real-time. You can filter the reports with attack type and targeted country.
Largest DDoS attacks
Large scale DDoS attacks can have devastating consequences even for those with the workforce and resources to mitigate the damage. Here are the most vicious examples of past DDoS attacks. Do keep in mind that this list is incomplete, and most likely, something as disastrous could always occur out of the blue.
1. CloudFlare DDoS attack in 2014
In 2014, cybersecurity heavyweight CloudFlare found themselves under a large scale DDoS attack. It started as a reflection attack on one of its customers. However, due to CloudFlare’s cyberthreat mitigation methods, their other server in Europe caught the damage, which was massive even when spread out across several fleets. This attack exploited the Network Time Protocol (NTP) vulnerability, using these servers to bounce spoofed requests to the victims, hitting other CloudFlare’s servers in its way.
2. GitHub DDoS attack in 2018
GitHub’s example shows how a timely alert can help to mitigate even large scale attacks. There were no large botnets. However, it was sending data packets at 126.9 million per second rate. That’s almost 1.4 Terabytes per second. It was executed by flooding memcached servers with spoofed requests, considerably amplifying the scale and redirecting the responses to the GitHub network. Prolexic Technologies, the DDoS mitigation providers that GitHub used, kicked in intercepting the attacks.
3. Dyn attack in 2016
Domain Name System (DNS) provider Dyn, Inc. came under fire of a DDoS attack targeting their systems. Due to the fact how much data DNS servers share, the disruptions sent shockwaves through Paypal, Amazon, Reddit, and more webpages, making them inaccessible. The attack disrupted DNS lookup requests flooding their DNS servers using the same Mirai botnet.
4. Estonian incident of 2007
One of the biggest DDoS attack examples can also possibly be an example of a foreign country intervention. It’s one of the famous examples of Russian hackers making things worse for you in cyberspace.
In 2007, Estonia relocated a Soviet Union monument dedicated to the soldiers who perished in World War II. Not long after, the Estonian parliament, government services, and even news media and broadcasters found themselves in the middle of a large scale DDoS attack. It widely believed that Russia had directed the attacks. However, since they didn’t comply with Estonian requests to let them pursue their investigation, it remains a mystery how it happened.
How to prevent and stop DDoS attacks
The tricky thing about DDoS attacks that there’s no one-click solution that will protect you. DDoS attacks are very pervasive and can have several workarounds to bypass the measures by imitating genuine user traffic. However, there are still several things that could be done as a business to minimize the risk that it will happen.
- Monitoring. If you’re running a business, you should be actively monitoring your network for all kinds of possible threats, DDoS attacks being just one of the possible threats. The faster you distinguish a botnet bombardment from the genuine spikes in user traffic, the quicker you can mitigate the damage before your servers melt from the overload.
- Have a shield ready. You’d be surprised how many business owners can play the cheap route when setting up the servers. It can quickly backfire if the servers configurations are faulty. Adding such a barrier like firewalls with appropriate traffic limits can help you to avoid blitz from the perpetrators with more modest botnets.
- If you’re under fire, act quickly. One of the classic camping tips goes as follows: “when on fire, stop, drop and roll.” The same is true when you’re a target for DDoS. Hence, when you’re under attack, you should have a plan of what to do when it’s already in progress. In one case, this might mean contacting your ISP to ask them to reroute traffic. In other cases, this might mean contacting your DDoS mitigation service provider. It will heavily depend on the situation that you’re in. However, what holds true in all cases, the more quickly you react, the better are your chances to stop it before it causes too much damage.
For most individual users, most of these tips will likely don’t be that useful. It’s not very cost-effective to pay for DDoS mitigation service if you’re just casually browsing social media and watching Netflix. However, there’s also a couple of things that you could do to play your part.
- Protect your network. The main thing that each user should do is to make sure that his system isn’t taken over by a hacker. This can happen by clicking on suspicious links and installing malware that compromises your network, which then gets incorporated in a large scale botnet weaponizing your resources against the attacker’s targets. For this we recommend using a VPN with DDoS protection.
What is the difference between DoS and DDoS attacks?
The main difference between DoS and DDoS attacks is a difference of scale. DoS attack uses one computer to flood a server with packets to shut it down. DDoS does the same thing, but it ups the scale using many different devices to achieve the same goal.
Are DDoS attacks illegal?
Cybercrimes are uncharted territory for many countries, so the legality and punishments for those offenses will vary greatly. For example, in the US, DDoS attacks are considered illegal on the Computer Fraud and Abuse Act. From European countries, the United Kingdom is particularly noteworthy because they're specifically outlawed DDoS attacks under the Computer Misuse Act.
Do keep in mind that even the actions are deemed illegal, it will be tough to find justice on the court. DDoS attacks by nature use intermediaries, so the attacker can do its job from a safe distance without revealing his identity.
How long do DDoS attacks last?
If there are no mitigation procedures implemented, the DDoS attacks can last as long as the attacker wants. Some attack types can be quick because they have a clear intent. For example, the Ping of Death sends a malformed packet that quickly crashes the system. Naturally, the attack itself happens reasonably quickly. Whereas the SYN flood would take a lot more time for it to take effect, naturally, the attack time would be longer. Many of the DDoS attacks go unreported, so be cautious about the sites that claim approximate time of attack duration. Treat it more on a case by case basis.
Can a DDoS attack be traced?
The main problem with tracing DDoS attacks is that the attackers use intermediary servers or botnets to do their job. Since the traffic is coming from thousands of locations and IP addresses simultaneously, it will be challenging to sort through the traffic. Especially considering that this traffic is overloading your network. Usually, the hackers themselves are using proxies to hide their information.
Does VPN stop DDoS?
VPN is a very effective method for a typical user to add protection from DDoS attacks. This works by masking your real IP address and displays your VPN provider's assigned one. In essence, when someone would try to DDoS you, the attack would be directed at the VPN server, instead of your own. Plus, VPN providers have many mitigation measures set up in place to stop the attack in its tracks.
The only way this wouldn't be useful is in cases when your attacker already knows your real IP address. Then, a VPN would not help because your home router, for example, would still be affected, denying you the service.