In 2020, Neustar published its Cyber Threats & Trends Report, which states that Distributed Denial-of-Service (DDoS) attacks increased by 151% in 2020 compared to 2019. DDoS attacks are considered one of the main cybersecurity issues.
The attacks are becoming more organized and more intelligent. Experts say that, as networks develop, this kind of crime is expected to keep growing in 2021, and businesses will have to invest more in digital security to fend off DDoS attacks.
Due to the coronavirus pandemic, internet usage has increased significantly. With longer screen time, cybercriminals have stepped up the volume of their attacks. To establish efficient cybersecurity strategies, you need to know how to identify these cyber attacks.
A DDoS attack is a "Distributed Denial-of-Service" attack.
A DDoS is an attempt to disrupt the online traffic of a server, a service or a given network by overwhelming it with a huge amount of traffic from multiple sources, which eventually limits or disables the functions of the network.
According to the National Cyber Security Center, DDoS attacks are one of criminals' favourite tools these days. These attacks are normally cheap, easy to obtain on the marketplace and effective.
To carry out a DDoS attack, hackers rely on a network of online machines. These can be computers, servers, or IoT (Internet of Things) devices. The hacker infects all of these devices with malicious software, or "malware".
These machines become what we call "bots" or "zombies". The hacker controls them remotely as a single group, or "botnet". All the hacker has to do is give this botnet a target IP address, and all the machines will carry out the attack by sending out tens of thousands of internet requests.
The targeted site or server cannot handle that amount of traffic, and that is the so-called "denial of service". The DDoS attack succeeds when the online service becomes unstable or unavailable.
E-commerce sites and online casinos are prime targets for this cyber threat. One of the most famous DDoS attacks dates back to February 2000. The attack led by the cyber hacker Mafiaboy, or Michael Calce, affected the online platforms of Amazon, eBay, E-Trade, and ZDNet.
There are different types of DDoS attacks. The damage done by an attack depends on which layer of the OSI (Open Systems Interconnection) model is targeted.
The OSI model has 7 layers, some dedicated to applications, others to communication. These network layers are the breeding ground for various DDoS attacks, which must be understood to establish a reliable cyber risk map.
There are 3 main types of DDoS attacks.
Attacks targeting the application layer of the server are often referred to as "Layer 7 DDoS attacks". These include cyber attacks targeting vulnerabilities within applications.
These slow-and-low attacks consist of HTTP GET or POST requests: an HTTP flood sent by a botnet saturates the target server's bandwidth and brings it down.
They are particularly difficult to mitigate because the victim has difficulty differentiating between malicious and normal traffic.
Among the best-known protocol attacks are the SYN flood, Smurf DDoS and Ping flood. These attacks exploit weaknesses in the actual server resources, such as firewalls and load balancers.
These cyber attacks, also known as "connection table exhaustion attacks", target layers 3 and 4 of the OSI model. They are based on the so-called "communication" layers, which allow computers to connect to each other over a network.
To understand the SYN flood attack, keep in mind that in order to connect over a network, two computers go through a TCP negotiation. This process is known as the three-way handshake.
In a SYN flood, the attacking computer sends numerous "initial connection requests". The victim machine responds to each of these connection requests with a SYN/ACK packet. Since the initiated connections are never finalized, the server is overloaded.
This heavy TCP negotiation process exhausts the network's resources, eventually degrading or shutting down the system. In this way, the SYN flood exploits weaknesses in TCP connection setup.
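The half-open connections described above are visible on the victim itself: each unfinished handshake sits in the SYN-RECV state until it times out. The following script is an added example, not part of the original article, showing the check a defender would run to spot connection-table exhaustion. It parses a constructed listing loosely modelled on the output of `ss -n state syn-recv` (the sample addresses are documentation ranges, and the `backlog` and `warn_ratio` values are assumptions to tune for your own servers), counts the half-open handshakes per listening port, and flags the host when the count approaches the configured backlog.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Column header as printed by the socket-statistics tool; the data lines below
# are constructed for this example and are not a real capture.
HEADER = "Recv-Q Send-Q Local Address:Port    Peer Address:Port"


def make_sample(flood_entries):
    """Build a constructed SYN-RECV listing: two ordinary half-open handshakes
    plus `flood_entries` unfinished handshakes arriving from one /24 prefix."""
    lines = [
        HEADER,
        "0      0      10.0.0.5:443          203.0.113.17:51422",
        "0      0      10.0.0.5:443          192.0.2.44:40110",
    ]
    for i in range(flood_entries):
        # peers spread over a /24; in a real flood the sources are usually spoofed
        lines.append(f"0      0      10.0.0.5:443          198.51.100.{i % 254 + 1}:{20000 + i}")
    return "\n".join(lines)


# Recv-Q Send-Q local:port peer:port
LINE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_half_open(text):
    """Return (local_port, peer_ip) for every socket line; header and
    malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append((int(m.group(2)), ip_address(m.group(3))))
    return entries


def assess(entries, backlog=256, warn_ratio=0.5, top_n=3):
    """Summarise half-open handshakes against the assumed listen backlog.

    `backlog` and `warn_ratio` are assumptions for this example: compare the
    count with the real accept-queue size of the service being watched."""
    total = len(entries)
    by_prefix = Counter(str(ip_network(f"{peer}/24", strict=False)) for _, peer in entries)
    by_port = Counter(port for port, _ in entries)
    return {
        "half_open": total,
        "backlog_used": total / backlog,
        "flagged": total >= backlog * warn_ratio,
        "top_prefixes": by_prefix.most_common(top_n),  # a hint, not attribution
        "by_port": dict(by_port),
    }


if __name__ == "__main__":
    for label, n in (("quiet", 0), ("flood", 200)):
        print(label, assess(parse_half_open(make_sample(n))))
```

The prefix breakdown is only a hint for filtering: because SYN flood sources are commonly spoofed, a dominant prefix says little about who is attacking, while the total SYN-RECV count compared with the backlog is the reliable sign that the connection table is being exhausted.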
A Ping flood is an attempt to overwhelm the target with Internet Control Message Protocol (ICMP) echo-request packets, which generate both incoming and outgoing messages.
The device's limited ability to respond to this high volume of requests, also called ping traffic, disrupts normal traffic.
A Smurf DDoS attack is similar to the Ping flood. The difference is that a Smurf attack is a DNS amplification, exploiting vulnerabilities in the Internet Protocol (IP) and ICMP, which can result in more damage.
The most common of the 3 types of DDoS attacks are volume-based attacks. The goal is to use as many computers and internet connections as possible to saturate the bandwidth and flood a website with traffic. A common example is the UDP flood.
In the UDP flood, the hackers use the UDP (User Datagram Protocol) transport protocol. UDP allows data to be transferred from one machine to another without negotiating a connection, unlike TCP. The victim of this attack receives a large number of UDP packets whose origin it cannot identify. It then sends "destination unreachable" messages by the hundreds, which overloads its resources and ultimately blocks its system.
In reality, hackers use more advanced approaches today, so-called mixed, blended or multi-vector attacks. For example, a cyber attack can start with a volume-based attack followed by an application-layer DDoS, just to distract the victim from the "real" attack. These hacking techniques are more complex and more frequent, and can be very dangerous without a proper defense system.
To protect your network against the various types of DDoS attacks, you must be able to identify the signs that characterize them. You also need to know which measures effectively reduce their impact.
There are several classic symptoms of a DDoS attack. The challenge is to distinguish a legitimate traffic spike from abnormal network slowness. IT departments should therefore rely on traffic analysis to identify the worrying signs:
● unusual traffic patterns;
● flows of traffic from a single IP address or range of IP addresses;
● a spike in requests to a single web page;
● unexplained traffic from machines with identical behaviors, possibly running the same type of browser.
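The four signs in the list above can be checked directly against a web server's access log. The script below is an added example, not code from the original article: it parses lines in the combined log format written by Apache and nginx, then reports a dominant source range, a spike in requests to a single page, and a cluster of many hosts presenting an identical client (user agent). The log lines are constructed for the example, the share thresholds are assumptions to tune per site, and the /24 grouping assumes IPv4 addresses.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def make_sample_log():
    """Constructed access-log lines: five ordinary visitors, then a burst of
    identical POST /login requests from twenty hosts in one /24 sharing one UA."""
    legit = [
        ("203.0.113.17", "/", "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"),
        ("192.0.2.44", "/products/42", "Mozilla/5.0 (Macintosh) Safari/605.1.15"),
        ("198.51.100.9", "/cart", "Mozilla/5.0 (X11; Linux) Chrome/118.0"),
        ("203.0.113.80", "/checkout", "Mozilla/5.0 (iPhone) Mobile/15E148"),
        ("192.0.2.101", "/search?q=shoes", "Mozilla/5.0 (Android 13) Chrome/118.0"),
    ]
    lines = [
        f'{ip} - - [10/Mar/2021:10:15:{i:02d} +0000] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
        for i, (ip, path, ua) in enumerate(legit)
    ]
    bot_ua = "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    for i in range(40):
        lines.append(
            f"198.51.100.{i % 20 + 100} - - [10/Mar/2021:10:15:{10 + i % 50:02d} +0000] "
            f'"POST /login HTTP/1.1" 503 0 "-" "{bot_ua}"'
        )
    return lines


def detect_signals(lines, range_share=0.5, path_share=0.5, ua_min_ips=10):
    """Return (signal, value, count) findings for the DDoS signs in the text.

    Thresholds are assumptions for this example; tune them to the site's
    normal traffic mix before alerting on them."""
    parsed = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    total = len(parsed)
    findings = []
    if total == 0:
        return findings

    # Traffic from a single IP address or range: group IPv4 sources by /24.
    by_range = Counter(r["ip"].rsplit(".", 1)[0] + ".0/24" for r in parsed)
    rng, n = by_range.most_common(1)[0]
    if n / total >= range_share:
        findings.append(("range_dominance", rng, n))

    # Spike in requests to a single web page.
    path, n = Counter(r["path"] for r in parsed).most_common(1)[0]
    if n / total >= path_share:
        findings.append(("single_path_spike", path, n))

    # Identical behaviour across many machines: one user agent, many source IPs.
    ips_per_ua = defaultdict(set)
    for r in parsed:
        ips_per_ua[r["ua"]].add(r["ip"])
    for ua, ips in ips_per_ua.items():
        if len(ips) >= ua_min_ips:
            findings.append(("identical_client_cluster", ua, len(ips)))
    return findings


if __name__ == "__main__":
    for finding in detect_signals(make_sample_log()):
        print(finding)
```

Run over a rolling window (the last minute of the log, say) rather than the whole file, so that the shares compare the current minute with what the site normally serves; the same three counters are what a WAF or rate limiter would key on when it comes to blocking.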
We talk about mitigating a DDoS attack rather than removing it, as it is still difficult to distinguish legitimate traffic from attack traffic. It is therefore in the best interest of an organization that falls victim to a DDoS attack to refer to its business continuity plan (BCP). The challenge is to keep processing legitimate traffic while stopping the traffic generated by the hackers.
The other major challenge in stopping a DDoS attack is its complexity. Some hackers do not hesitate to carry out a "multi-vector" attack. This combines different categories of DDoS attacks and targets several layers of the OSI model. Mitigating a multi-vector DDoS attack therefore requires combining various techniques in a multi-layer strategy.
So, let's look at how to protect yourself from DDoS attacks.
A web application firewall (WAF) is a tool that filters requests meant to destabilize layer 7 of a network connection.
It acts as a reverse proxy, preventing hackers from targeting your IP addresses directly. This firewall relies on rules that identify DDoS traffic to protect a given server from illegitimate traffic.
Firewalls and routers are the basic protections that should always be configured and kept up to date.
To protect against DDoS attacks, server owners can also choose to limit the rate of requests they accept during certain periods.
This strategy is not sufficient to stop multi-vector DDoS attacks. However, it does have the merit of mitigating their impact and preventing joint cyber attacks, such as data theft.
The logical consequence of limiting the request rate is limiting server performance. A loss of efficiency hardly meets the needs of online businesses, whose productivity is synonymous with revenue. Moreover, this strategy does not completely remove the risk of server overload.
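The trade-off just described is easier to reason about with a concrete limiter. The code below is an added example, not from the original article or any particular product: a token-bucket limiter keyed per client, where `rate` is the sustained requests per second a client may make and `burst` is the short spike it may absorb (both values are assumptions to size for your service). The simulated clock makes the effect visible without any network: a client that fires a hundred requests at once gets only its burst, a second client is unaffected, and the first client regains capacity as the bucket refills.

```python
class TokenBucket:
    """One client's allowance: `burst` tokens, refilled at `rate` per second."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # a fresh bucket starts full
        self.last = None            # timestamp of the previous request

    def allow(self, now):
        # Refill proportionally to the time elapsed, never above the capacity.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Per-client limiter. The key can be a source IP or, to cover the
    'range of IP addresses' sign, a /24 prefix (assumption: caller decides)."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def check(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst)
        return bucket.allow(now)


def simulate(limiter, client, n, now):
    """Send `n` requests from `client` at time `now`; return (allowed, denied)."""
    allowed = sum(1 for _ in range(n) if limiter.check(client, now))
    return allowed, n - allowed


if __name__ == "__main__":
    lim = RateLimiter(rate=10.0, burst=20)
    print("burst client, t=0  :", simulate(lim, "198.51.100.7", 100, now=0.0))
    print("other client, t=0  :", simulate(lim, "203.0.113.17", 3, now=0.0))
    print("burst client, t=1s :", simulate(lim, "198.51.100.7", 100, now=1.0))
```

The cost the text mentions shows up in the numbers: a `burst` small enough to blunt a flood also caps a legitimate user's peak, and because every client still gets its `rate`, a large enough botnet can still fill the server, which is why rate limiting is a mitigation layer rather than a complete defense.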
To get around this problem, many companies provide an alternate website to which legitimate traffic is redirected in case of an attack.
Most anti-DDoS cybersecurity providers offer their customers the use of an Anycast network. This is also referred to as a "vacuum" tool.
This is a network of available servers that mop up malicious traffic and let legitimate traffic through. It often relies on several data centers distributed across multiple locations. Indeed, the larger the Anycast network, the faster the DDoS attack is mitigated.
Faced with a DDoS attack, the victim network can choose to send all of the website's traffic into a black hole.
This approach hardly distinguishes between legitimate and malicious network traffic, which is why the technique is akin to self-sabotage.
DDoS attacks are not easy to deal with and can be very problematic when they occur. It is often more useful to invest in a security system beforehand than to try to mitigate a DDoS attack once it is under way.
A DDoS attack is a "Distributed Denial-of-Service" attack. It aims to render a service, a server or an online platform inaccessible. This type of cyber attack consists in saturating the bandwidth of the victim server, or exhausting its system resources, so that it cannot handle legitimate traffic.
The sole purpose of DDoS is to prevent legitimate traffic from reaching a victim server. The DDoS attack does not enable hackers to take over the target server or steal data from it, although these objectives may characterize joint cyber attacks.
Most of the time, a DDoS attack is characterized primarily by an abnormal increase in traffic on a network or server. The victim system will be overloaded with requests of various kinds, depending on the type of DDoS attack.