What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of Internet traffic. DDoS attacks achieve their scale by using many compromised systems as traffic sources: ordinary computers as well as other networked devices such as IoT equipment.

How does it work?

In a DDoS attack, the attacker first compromises vulnerable Internet-connected systems, typically by exploiting a software vulnerability or weak credentials, and installs malware that places them under remote control. The infected machines, which in many campaigns also scan for and infect further victims, form a network known as a ‘botnet’ that takes orders from command-and-control infrastructure run by the attacker (the ‘botmaster’ or ‘controller’). Once a botnet is established, the attacker commands it to flood a target (a specific website, network, or service) with traffic from all of the bots at once. The flood of incoming messages, connection requests, or malformed packets forces the target system to slow down or even crash, denying service to legitimate users or systems. Because the traffic arrives from many unrelated sources, it cannot be stopped by blocking a single address, which is what distinguishes a DDoS attack from a plain DoS attack.

How to Identify a DDoS Attack?

Several signs may indicate a DDoS attack:

  1. Unusually slow network performance over a sustained period, whether when opening a specific website or across the entire network.
  2. Unavailability of a particular website, or an inability to reach any site at all.
  3. A dramatic increase in the number of spam emails received. This is called a spam email bomb, and it is a denial of service against a mailbox or mail server rather than a website.
  4. Excessive requests for a single page or endpoint. This shows up in web server or network logs, often as many different sources repeating the same request pattern.
  5. Loss of a wireless or wired Internet connection.

These signs, mainly when combined, can indicate a possible DDoS attack. Each of them also has benign causes (an outage, a popular post, a misconfigured client), so compare what you see against a baseline of normal traffic before treating it as an attack.
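
Item 4 above is the sign a practitioner can check directly from logs. The following script is added here as an illustration and is not part of the original article: it parses web server access logs in the common Apache/Nginx ‘combined’ format and keeps a sliding-window count of requests per client address and per requested path, flagging either when it exceeds a threshold. The per-path view matters because a distributed flood can stay under any per-IP threshold while still hammering one endpoint. The log lines, the 10-second window and the threshold of 100 requests per window are constructed for the example and would be tuned to the site’s real baseline.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

WINDOW = timedelta(seconds=10)   # sliding window length (assumed)
THRESHOLD = 100                  # requests per window before flagging (assumed)


def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window request counts per client IP and per requested path.

    Returns (flagged_ips, flagged_paths): IPs whose request count within some window exceeded
    the threshold (with their most requested path), and paths whose total request count across
    all clients did likewise.
    """
    per_ip, per_path = defaultdict(deque), defaultdict(deque)
    ip_peak, path_peak = defaultdict(int), defaultdict(int)
    ip_paths = defaultdict(Counter)

    def push(q, ts):
        # Add a timestamp, evict everything older than the window, return the window count.
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        return len(q)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # malformed (possibly attacker-controlled) line: skip, don't crash
        ip, ts, path = parsed
        ip_peak[ip] = max(ip_peak[ip], push(per_ip[ip], ts))
        path_peak[path] = max(path_peak[path], push(per_path[path], ts))
        ip_paths[ip][path] += 1

    flagged_ips = {
        ip: {"peak": n, "top_path": ip_paths[ip].most_common(1)[0][0]}
        for ip, n in ip_peak.items() if n > threshold
    }
    flagged_paths = {p: n for p, n in path_peak.items() if n > threshold}
    return flagged_ips, flagged_paths


def make_sample_log():
    """Constructed sample log: three ordinary clients plus one client hammering /login."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    normal_paths = ["/", "/index.html", "/products", "/login", "/static/app.js"]
    entries = []
    for sec in range(60):                               # one request per second per ordinary client
        for j, ip in enumerate(("203.0.113.7", "203.0.113.8", "203.0.113.9")):
            entries.append((t0 + timedelta(seconds=sec), ip, normal_paths[(sec + j) % 5]))
    for i in range(300):                                # 300 requests to /login within 10 seconds
        entries.append((t0 + timedelta(seconds=20 + i // 30), "198.51.100.22", "/login"))
    entries.sort(key=lambda e: e[0])                    # servers write log lines in time order
    return [
        f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        for t, ip, path in entries
    ]


if __name__ == "__main__":
    ips, paths = find_floods(make_sample_log())
    print("flagged clients:", ips)      # {'198.51.100.22': {'peak': 300, 'top_path': '/login'}}
    print("flagged paths:", paths)      # {'/login': ...}
```

A per-IP threshold will also fire on large NAT gateways, corporate proxies and CDN edges that legitimately funnel many users through one address, so such addresses need an allow-list or a higher threshold; conversely, a flood spread over thousands of bots may never trip the per-IP check at all, which is why the per-path count is kept alongside it.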

Common Types of DDoS Attacks

DDoS attacks can be broadly classified into Application layer attacks, Protocol attacks, and Volumetric attacks.

Application Layer Attacks

An application layer attack (or layer 7 DDoS attack) targets the layer where the web page is generated on the server and delivered to the visitor. The goal of such attacks is to exhaust the resources of the target server, such as CPU and RAM. Each request is individually valid, so the traffic is hard to tell apart from legitimate use, and a small request can trigger expensive server-side work (database queries, page rendering, searches), so a layer 7 attack needs far less bandwidth than a volumetric one to do the same damage.

One common type of application layer attack is the HTTP flood attack, where the attacker floods the server with HTTP requests. These may be GET or POST requests crafted to look as though real users sent them, with plausible headers and browsing patterns, which makes naive filtering ineffective. These requests consume server resources and can bring the server to a halt. For example, an attacker may target a financial institution’s website, resulting in the site’s unavailability to legitimate customers.

Protocol Attacks

Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available state table capacity of web application servers or of intermediate devices such as firewalls and load balancers. Every half-open TCP connection or tracked flow occupies a slot in a finite table; the goal is to fill those tables so that new, legitimate connections are refused even though bandwidth is still available.

One example of a protocol attack is the SYN flood. The attacker sends a large number of TCP SYN packets, usually from spoofed source addresses, and never completes the three-way handshake. Each SYN makes the server allocate a half-open connection and wait for a final ACK that never arrives; once the half-open table (the listen backlog) is full, new SYNs from legitimate clients are dropped. An attacker might use this method to target an e-commerce site during a significant sale, causing the site to become unreachable and legitimate users to lose out.
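
To make the state-exhaustion mechanism concrete, here is a small Python model added for this article (not code from the original page or from any real TCP stack). It keeps a fixed-size half-open table the way a classic listener does, floods it with SYNs from spoofed sources that never send the final ACK, and then tries to connect an honest client. It also models SYN cookies, the standard stateless defence, which the article does not cover: the server allocates nothing on SYN and instead encodes a keyed hash into its initial sequence number, verifying it only when the ACK comes back. The backlog of 128, the cookie layout (6 bits of time, 2 bits of MSS index, 24 bits of HMAC) and the two-tick validity window are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os


class Listener:
    """Toy model of a TCP listener's half-open connection handling (illustration, not a TCP stack).

    syn_cookies=False: every SYN allocates an entry in a fixed-size half-open table, so a stream
    of unanswered (spoofed) SYNs eventually leaves no room for real clients.
    syn_cookies=True: nothing is allocated on SYN. The initial sequence number in the SYN-ACK is
    an HMAC-derived cookie; the client's final ACK must carry cookie + 1, which proves the client
    really received the SYN-ACK at the claimed source address.
    """

    MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the cookie's two MSS bits (assumed)

    def __init__(self, backlog, syn_cookies=False, secret=None):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret or os.urandom(16)
        self.half_open = {}       # (src_ip, src_port) -> server ISN awaiting the final ACK
        self.established = set()
        self.clock = 0            # coarse timer advanced by tick(); a cookie is valid for two ticks
        self.dropped_syns = 0

    def tick(self):
        self.clock += 1

    def _mac(self, src_ip, src_port, t, mss_idx):
        msg = f"{src_ip}|{src_port}|{t}|{mss_idx}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _cookie(self, src_ip, src_port, t, mss_idx):
        # 32-bit ISN layout: 6 bits of time | 2 bits of MSS index | 24 bits of keyed hash
        return ((t & 0x3F) << 26) | (mss_idx << 24) | self._mac(src_ip, src_port, t, mss_idx)

    def on_syn(self, src_ip, src_port, mss=1460):
        """Handle a SYN. Returns the ISN placed in the SYN-ACK, or None if the SYN was dropped."""
        mss_idx = 0
        for i, m in enumerate(self.MSS_TABLE):
            if m <= mss:
                mss_idx = i
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, self.clock, mss_idx)   # no state kept
        key = (src_ip, src_port)
        if key not in self.half_open and len(self.half_open) >= self.backlog:
            # Table full. Real stacks age entries out after tens of seconds, but a flood that
            # arrives faster than the timeout keeps the table full indefinitely.
            self.dropped_syns += 1
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[key] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        """Handle the final ACK of the handshake. Returns True if the connection is established."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            cookie = (ack - 1) & 0xFFFFFFFF
            t, mss_idx, mac = cookie >> 26, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
            # Accept cookies minted in the current or the previous tick; anything else is a
            # forgery or a stale handshake. No table lookup is needed.
            for cand in (self.clock, self.clock - 1):
                if cand >= 0 and (cand & 0x3F) == t and self._mac(src_ip, src_port, cand, mss_idx) == mac:
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.pop(key, None)
        if isn is None or ack != (isn + 1) & 0xFFFFFFFF:
            return False
        self.established.add(key)
        return True


def flood_then_connect(syn_cookies, attack_syns=1000, backlog=128):
    """Constructed scenario: spoofed SYNs that never complete, then one honest client."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(attack_syns):
        srv.on_syn(f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.1", 40000 + i)   # spoofed sources, no ACK ever
    isn = srv.on_syn("203.0.113.5", 51515)
    if isn is None:
        return False                                   # legitimate SYN dropped: denial of service
    return srv.on_ack("203.0.113.5", 51515, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("classic stack, honest client connects:", flood_then_connect(False))   # False
    print("SYN cookies,   honest client connects:", flood_then_connect(True))    # True
```

The point of the cookie is that a spoofed source never sees the SYN-ACK and so cannot produce a valid ACK, while the server has spent nothing but a hash computation on it. The price is that the server must fit everything it would normally remember about the SYN (here only the MSS class) into the 32-bit sequence number, which is why real implementations only turn cookies on once the backlog is under pressure.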

Volumetric Attacks

Volumetric attacks are the most common type of DDoS attack. The goal is to saturate the bandwidth of the targeted site, resulting in inaccessibility. The attack creates congestion by consuming all the available bandwidth between the target and the wider Internet. Their size is measured in bits or packets per second, and because the congestion happens upstream of the target, on its access link, the target cannot filter the traffic itself once that link is full; the filtering has to happen further upstream.

An example of a volumetric attack is a UDP flood. The attacker sends large numbers of User Datagram Protocol (UDP) packets to random ports on the target host. For each packet, the host checks whether an application is listening on that port and, when none is, replies with an ICMP ‘Destination Unreachable (Port Unreachable)’ message. Receiving the flood and generating the replies consumes bandwidth and CPU, and at sufficient volume the host or its link becomes unusable. A public service site, such as a government information site, could be a potential target to disrupt services.

Mitigating a DDoS Attack

Mitigation of a DDoS attack involves multiple strategies:

  1. Preparation: Always have a DDoS response plan. The plan should include a list of internal and external contacts, critical assets you need to protect, and who should make decisions during an attack.
  2. Detection: Establish a baseline of normal traffic (bytes, packets, connections and requests per second, broken down by protocol and source) and invest in tools that alert on deviations from it. A sudden spike in traffic could indicate a DDoS attack.
  3. Response: Once an attack is detected, your response plan should go into action. This could involve rerouting traffic through a scrubbing service, applying filters or rate limits at the network edge, or even increasing bandwidth.
  4. Recovery: After the attack has been mitigated, conduct a post-mortem analysis. This will help you understand what happened, why, and how to improve your response.
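
The detection step above, and the volumetric attack described earlier, both come down to recognising that a traffic counter has left its normal range. The following detector is added as an example and is not taken from the article: it maintains an exponentially weighted baseline of bytes per second and raises an alert when a sample is more than k standard deviations above it. The traffic series it runs on is constructed for the example, with a flood starting at t = 90 s, and the parameters (alpha, k, warmup) are assumptions.

```python
import math
import random


class EwmaBaseline:
    """Exponentially weighted running baseline of one traffic counter (here bytes per second).

    update(x) returns True when x exceeds mean + k * stddev of the baseline. Anomalous samples
    are not folded into the baseline, so a sustained flood does not gradually teach the
    detector that flood-level traffic is normal.
    """

    def __init__(self, alpha=0.05, k=5.0, warmup=30):
        self.alpha = alpha      # weight of the newest sample; smaller = slower-moving baseline
        self.k = k              # standard deviations above the mean that count as a spike
        self.warmup = warmup    # samples to learn from before any alert is raised
        self.mean = None
        self.var = 0.0
        self.n = 0

    def update(self, x):
        """Feed one sample. Returns True if it is anomalous (the baseline is then left unchanged)."""
        self.n += 1
        if self.mean is None:
            self.mean = float(x)
            return False
        if self.n > self.warmup and x > self.mean + self.k * math.sqrt(self.var):
            return True
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * delta * delta)
        return False


def make_sample_series(seed=7):
    """Constructed per-second byte counts: ~6 MB/s of normal traffic with noise for 90 s, then
    an additional ~60 MB/s flood (assumed to saturate the access link) for the next 60 s."""
    rng = random.Random(seed)
    series = []
    for t in range(150):
        x = 6_000_000 + rng.gauss(0, 300_000)
        if t >= 90:
            x += 60_000_000 + rng.gauss(0, 2_000_000)
        series.append(max(x, 0.0))
    return series


def detect(series, baseline=None):
    """Return the indices of the samples the baseline detector flags as anomalous."""
    b = baseline if baseline is not None else EwmaBaseline()
    return [i for i, x in enumerate(series) if b.update(x)]


if __name__ == "__main__":
    flagged = detect(make_sample_series())
    print(f"first alert at t={flagged[0]}s, {len(flagged)} anomalous seconds")   # t=90, 60 seconds
```

Because flagged samples are never folded in, a permanent and legitimate rise in traffic (a successful launch, a new customer) would keep alerting forever; operational tools handle that by ageing the baseline over a longer period, by learning time-of-day patterns, or by letting an operator re-baseline after confirming the traffic is genuine. The same detector applied to packets per second or to ICMP port-unreachable counts catches a UDP flood that is not large in bytes.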

Mitigating a DDoS attack can be costly, especially when you need to increase bandwidth or procure high-end security devices. However, partnering with cloud-based DDoS mitigation providers can significantly reduce costs. These services can scale to absorb the significant traffic associated with DDoS attacks and use advanced algorithms to filter out malicious traffic.

In conclusion, DDoS attacks can have significant impacts, but with proper understanding, detection mechanisms, and response strategies in place, their effects can be substantially mitigated.