
What is DDoS?

DDoS (short for distributed denial of service) is a type of cyber attack that disrupts a website or network to the point it can’t perform its regular functions. A DDoS attack is a simple, direct attack that overwhelms the target’s servers with requests for data or false credentials (like a bad IP address). The desired result of a DDoS attack is to either drastically reduce the target’s ability to respond to legitimate business, or crash the servers altogether.

A DDoS attack is a variation of a denial of service (DoS) attack. A DoS attack uses a single point of attack—like one computer—which limits its effectiveness, while a DDoS attack is a coordinated attack from many computers or connected devices at once. Multiple sources of attack create more incoming traffic, which can mean a faster, more effective, and longer lasting attack on the target network. Where a DoS attack can be stopped by blocking all traffic from the single computer that’s causing it, a DDoS attack is much harder to defend against because the traffic comes from many locations. This, in turn, makes it harder to distinguish a normal user’s computer from the attacker’s computers.

A DDoS attack may have several motivations, including the desire to disrupt functionality of a site or service, cyber warfare, revenge, blackmail, or hacktivism. More recently, DDoS attacks have been used as a distraction for other cyber attacks—while network security systems and personnel are occupied addressing the DDoS attack, there’s less security monitoring and defense against other forms of attack.

How does a DDoS attack work?

In a DDoS attack, multiple computers are programmed to simultaneously contact a targeted network (often a website). By flooding the target with more traffic than it is designed to handle, the coordinated computers exhaust the targeted network’s bandwidth or other system resources.

A common tool for launching a DDoS attack is a botnet. Botnets are often created from compromised IoT devices, routers, or computers infected with malware that can be triggered remotely to attack at the same time. A large botnet can attack a target from hundreds of thousands of unique devices in different locations, straining target resources more effectively than a single device with specialized software exploits (i.e. a DoS attack). A botnet is particularly good at using up bandwidth, creating a bottleneck where real traffic can’t get through. It can be hard to distinguish botnet DDoS traffic from legitimate traffic, making it difficult to stop an attack by blocking traffic from a particular IP address.

There are many variations on the basic concept of a DDoS attack, including: confusing a server with incomplete data, attacking persistently over several days, and attacking in waves that force a network to repeatedly adjust resource levels (wasting money and personnel time). But there are three fairly common forms of DDoS attack:

Volume DDoS attacks

These types of DDoS attacks rely on sending massive amounts of unusable data or pings to the server. The server dedicates resources either trying to figure out what to do with the unusable data, or responding to pings.

Protocol DDoS attacks

This type of DDoS attack targets weaknesses in Internet protocols. One example is the “SYN flood.” In a typical connection between a website and a user, a three-part “handshake” occurs: first, the user contacts the website (technically, the browser sends a SYN packet, which gives the SYN flood its name); the website then acknowledges the user (a SYN-ACK packet); and, lastly, the user finalizes the connection (an ACK packet).

In a SYN flood DDoS attack, the attacker initiates connections as a legitimate user would, but puts a fake source IP address in the SYN packet. So when the targeted website sends its response message, that response goes to the fake IP address instead. The device at the fake IP address has no record of initiating a connection with the website, and so never replies with the third message needed to complete the handshake. The channel (or port) on the targeted website stays open, waiting for a response that isn’t coming. Such channels get opened up and never released, leaving none available for legitimate users to initiate and complete a connection.
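The server-side state a SYN flood leaves behind can be modelled directly. The following is an added example, not code from the original page: a minimal listen-backlog model in which half-open entries from forged sources are freed only by timeout, so a real client’s SYN is dropped while the flood holds every slot. Capacity, timeout and all addresses are constructed values.

```python
from dataclasses import dataclass, field

SYN_TIMEOUT = 60.0  # seconds a half-open entry survives without an ACK (assumed value)


@dataclass
class Backlog:
    """Listen backlog of a server: one entry per connection in SYN-received state."""
    capacity: int
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN arrival time
    dropped_syns: int = 0
    completed: int = 0

    def _expire(self, now):
        # Entries whose third handshake message never arrived are freed only by timeout.
        for key in [k for k, t in self.half_open.items() if now - t > SYN_TIMEOUT]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """First message: server answers with SYN-ACK and records a half-open entry."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1  # backlog full: this client gets no SYN-ACK at all
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """Third message: only the real host at src can send it, completing the handshake."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.completed += 1
        return True


def simulate(capacity=128, spoofed_syns=200):
    """Fill the backlog with SYNs whose forged sources never ACK, then test a real client."""
    b = Backlog(capacity)
    # Constructed forged sources: the SYN-ACK goes to hosts that never started a connection.
    for i in range(spoofed_syns):
        b.on_syn((f"203.0.113.{i % 250}", 40000 + i), now=0.0)
    legit = ("198.51.100.7", 51234)
    during = b.on_syn(legit, now=1.0)               # backlog still full -> SYN dropped
    after = b.on_syn(legit, now=SYN_TIMEOUT + 2.0)  # forged entries expired -> accepted
    done = b.on_ack(legit, now=SYN_TIMEOUT + 2.5)
    return {"dropped": b.dropped_syns, "during": during, "after": after, "completed": done}
```

Real kernels bound this damage with SYN cookies, which encode the handshake state in the SYN-ACK sequence number so that no backlog entry is held until the final ACK arrives.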

Application layer DDoS attacks

This type of DDoS attack focuses on a specific application on a website. Frequent, repeated calls for the same application data (for example, a specific website page to be displayed) use up the website server’s resources. This is particularly effective when the request for a website’s content includes a login, search, or query that requires the server to prepare customized content. If the website server is overwhelmed with these requests, it has no capacity left to respond to legitimate users.

How do organizations protect their networks from DDoS attacks?

DDoS attacks are costly to the victims, both in terms of financial loss and in reputation damage. For the attackers, a DDoS attack is relatively easy and inexpensive to conduct, especially when the attacker rents access to a DDoS-for-hire service, making it an increasingly popular vector of attack. DDoS attacks are also used as a distraction for a real attack to steal data, or to set up ransomware. Thus, a good cybersecurity plan needs to include processes to defend against DDoS attacks.

One area of cybersecurity—called network security—defends against DDoS attacks primarily by monitoring traffic, attempting to classify it as legitimate or illegitimate, and blocking the latter category. To block illegitimate traffic, a network can do several things, including:

  • Filtering to divert all traffic to a separate DDoS protection service that evaluates the traffic. Only legitimate traffic is then routed to the intended destination network.
  • Placing hardware at the perimeter of a network to block illegitimate traffic from gaining access to network resources.
  • Using a Web application firewall to monitor access requests before sending them along to the Web server. At the application level, the firewall inspects each access request and compares it to the common activities of a real user. Access requests that are suspicious or anomalous are blocked.

Rate limiting is another defensive tactic: It limits how much traffic can come into the system from a particular source (usually categorized by IP address) within a particular time frame. By slowing down excessive traffic, rate limiting prevents a server from getting overloaded by a single source. Because DDoS attacks are often launched from many unique IP addresses, rate limiting may not be very effective in defending against a DDoS attack.
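To make the per-source limitation concrete, here is an added example (not code from the original page): a per-IP sliding-window rate limiter run over constructed request lines. The log format, the limit of 20 requests per 10 seconds and all addresses are assumptions; the constructed traffic shows one bursting source being throttled while the same total load spread across many sources passes untouched.

```python
from collections import defaultdict, deque

LIMIT = 20      # requests allowed per source within WINDOW seconds (assumed policy)
WINDOW = 10.0


class RateLimiter:
    """Sliding-window limiter keyed by source IP address."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # src_ip -> timestamps of recently allowed requests

    def allow(self, src_ip, now):
        q = self.hits[src_ip]
        while q and now - q[0] >= self.window:  # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse(line):
    # Constructed log format: "<unix_time> <src_ip> <method> <path>"
    ts, ip, _method, _path = line.split(" ", 3)
    return float(ts), ip


def run(lines, limiter=None):
    """Apply the limiter to every line; returns {src_ip: [allowed, blocked]}."""
    limiter = limiter or RateLimiter()
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, ip = parse(line)
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return dict(stats)


# Constructed traffic. SINGLE_SOURCE: one address sends 30 requests in 3 seconds,
# so everything past the 20th is blocked. DISTRIBUTED: 60 addresses send 5 each
# inside one window; 300 requests reach the server and none is blocked, which is
# the caveat in the text about attacks launched from many unique IP addresses.
SINGLE_SOURCE = [f"{1700000000 + i * 0.1:.1f} 203.0.113.5 GET /search?q=x" for i in range(30)]
DISTRIBUTED = [f"{1700000000 + (i % 5):.1f} 198.51.100.{i // 5} GET /search?q=x" for i in range(300)]
```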

A dispersed Internet presence (also called a content delivery network, or CDN) increases network capacity, and spreads the load in the event of an attack. If an attack succeeds in disabling one server, others can remain online and maintain good service to legitimate users.

Can DDoS attacks affect individuals?

DDoS attacks are meant to disrupt networks and servers—they generally don’t pose a direct threat to individuals. However, if someone is trying to access a network or website that’s currently under attack, they might find it hard or impossible to make a connection or get the information they’re seeking. When this happens, the individual becomes a secondary victim. Depending on the reason for wanting to connect (e.g. if it’s an urgent medical or banking need), the problem for the individual could range from minor inconvenience to a very large problem. Unfortunately, there’s nothing a user can do about this sort of situation except wait for the targeted system to resolve the attack.

Individuals can, however, participate in defending against DDoS attacks by making sure their connected devices (such as routers, computers, and IoT devices) are secured. By keeping device software and firmware up-to-date, and changing factory default passwords to strong unique passwords, you can keep your devices from becoming part of a botnet.
