Distributed denial-of-service attacks involve a whole family of methods and techniques. The complexity of the attack dictates the complexity of the response.

Understanding Distributed Denial-of-Service Attacks

Organizations worldwide face hundreds of distributed denial-of-service attacks (DDoS) per month. The longest last for daysand can marshal up to 1.7 Tbps. Thanks to more and more internet-connected devices with low security, the size, scale, and frequency of DDoS attacks are growing. You can watch them on this map. But what exactly are DDoS attacks and how do they work?

DoS vs. DDoS

It is important to distinguish between denial-of-service (DoS) attacks and DDoS attacks. They both deny service to their target in that they seek to disrupt normal traffic to a server, service, or network. The difference is that a DoS attack originates from a single machine and a DDoS attack has multiple sources. A DoS attack is simpler to defend against than a DDoS attack. That’s why attackers like to use botnets that allow them to involve multiple sources in their attack.

What Is a Botnet?

A botnet is a network of machines infected with malware that obey a single device. An attacker may use their own botnet, but it’s very common to rent botnets. The price for renting an already hacked botnet has dropped to $30 on some Russian forums. However, the growth of the internet of things means that botnets are getting larger and even cheaper to use.

How Does a DDoS Attack Work?

The victim is flooded with incoming traffic originating from many different sources. This makes the attack difficult to stop, in that the victim can’t just block one source. Of course, the victim can’t block all sources either, because then they’d be blocking legitimate traffic. Imagine a whole bunch of people showing up at a store and blocking the entrance so that customers can’t enter. That’s how DDoS attacks work.

Of course, that analogy is very simplistic. There are dozens of ways to launch DDoS attacks. These are some of the most common.

Layer 7 DDoS Attack: This attack targets the OSI (Open Systems Interconnection) layer, where web pages are generated on the server and delivered in response to HTTP requests. It’s easy to generate an HTTP request but more difficult to fulfill, in that the server might have to load multiple files and run database queries to create the web page.

An example of this is an HTTP flood. This is a bit like mashing the refresh button on a website over and over again, only across hundreds of computers at once. Remember, HTTP requests are easy to create but require more effort to fulfill. A simple HTTP flood might involve the attacker requesting the same URL over and over, while a more complex one might involve requesting different URLs from all over the site.

Imagine a pizza place. An attacker calls, waits for a staff member to answer and say their opening bit, and then hangs up, only to repeat. It costs little effort for the attacker to dial the number over and over, but it costs the pizza place in staff time and capacity to answer the calls. Thus, legitimate customers can’t reach the pizza place.

Volumetric Attacks: These attacks seek to occupy all the bandwidth between the target and the rest of the internet.

An example of this is DNS amplification. This is when an attacker makes a request to an open DNS server with a spoofed IP address, using the IP address of their target. The request is arranged so that the DNS server responds with a lot of data, amplifying the initial request.

By analogy, imagine an attacker calling a restaurant supply store and saying, “I need quotes on every piece of equipment you can offer; call me back.” The attacker leaves the phone number of their true target, a pizza place. The pizza place then gets a call they didn’t ask for that’s longer than the initial call, effectively holding their phone line hostage.

Protocol Attacks: A protocol attack denies service by using up the capacity of the network and transportation layers of a connection.

An example of this is a SYN (synchronize) flood. This kind of attack sends out a large number of TCP (Transmission Control Protocol) Initial connection request SYN packets. The victim responds to each request and waits for the handshake to conclude, which never occurs. Eventually, the victim becomes overwhelmed.

Imagine a pizza place getting a phone call ordering a pizza for pick-up. They acknowledge the order, make the pizza, and wait for pick-up. This happens over and over, but no one arrives to pick up. Eventually, the restaurant is overwhelmed with unsold pizza.

How Can DDoS Attacks Be Thwarted?

As you can see, DDoS attacks involve a whole family of methods and techniques. The complexity of the attack dictates the complexity of the response.

To learn more about protecting your business from DDoS attacks, contact us today.

Image from Digital Attack Map