A distributed denial of service attack is a trial to block a web server or network system by flooding it with data. DDoS attacks can be a simple ordeal, revenge, or hacktivism and can range from less hassle to long-term downtime resulting in job loss.
Hackers hit GitHub with 1.35 terabytes of data per second of DDoS attack in February 2018. It is a massive attack and is unlikely to be the last of its kind.
How does a DDoS attack work?
DDoS attacks often operate through botnets, large groups of distributed computers that interact in unison, simultaneously sending spam to a website or a service provider with a request for data.
Attackers use certain malware or vulnerabilities to install Command and Control (C2) software on users’ systems to create botnets. DDoS attacks rely on a robust number of computers in the botnet to accomplish the desired effect. The simplest and cheapest way to control this number of computers is to exploit the vulnerability.
The DynDNS attack used WIFI cameras with default passwords to create a massive botnet. Once the active botnets are attacked, the attackers send a move command to all of their botnet nodes, and the botnets then send their scheduled requests to the destination server.
If an attack overwhelms an external defense, it quickly overwhelms most systems, causing service outages and, in some cases, server downtime. The result of a DDoS attack is primarily a loss of productivity or a service disruption – customers cannot see the website.
While it may seem benign, the cost of DDoS attacks averaged $2.5 million in 2017. Kaspersky reports that DDoS attacks cost $120,000 to small businesses and $2,000,000 to businesses. Hackers carry out DDoS attacks on everything from childish hardships to corporate revenge for showing political activism.
DDoS attacks are illegal underneath the Computer Fraud and Abuse Act. Launching a DDoS attack on a network without approval will cost you up to 10 years in prison and a fine/bail of up to $500,000.
What is the difference between a DoS attack and a DDoS attack?
A denial of service (DoS) attack involves many types of attacks, and everything is designed to interrupt services. Also, to DDoS, you can have application layer DoS, advanced persistent DoS, and DoS as a service. Businesses will use DoS as a service to test their networks.
In short, DDoS is a type of DoS attack; however, DoS can also mean that an attacker used a single node to launch an attack, instead of using a botnet.
What Does a DDoS Attack Signify for my Security?
You need to prepare and plan for managing a DDoS attack against your systems. You need to monitor, generate alerts quickly, and diagnose an ongoing DDoS attack. The next step is to close the attack without affecting users promptly.
You can block IP addresses with the next-generation firewall or disable incoming traffic to the destination system and switch to the backup. There are other intervention plans that you can implement, make sure you have them.
Common types of DDoS attacks
There are several different ways for attackers to increase a DDoS attack. Here are some of the most famous:
1. Application Layer Attacks
DDoS attacks against the application layer aim to deplete target resources and to disable access to the target site or service.
Attackers load a robot with a complex request that taxes the target server while it attempts to respond. The request may require access to a database or large downloads.
If a target receives several million of these requests in a short time, it can be quickly mastered and slowed down or entirely planted.
An HTTP Flood attack, take, for example, is an attack on an application layer that targets a target web server and uses many fast HTTP requests to disable the server.
Imagine this by pressing the Refresh button in rapid-fire mode on the game controller. Such traffic from thousands of computers at once will quickly drown a web server.
2. Protocol Attacks
DDoS attack protocols target the network layer of target systems. Its objective is to replace the main service space of a leading network, a firewall, or a load balancer that conveys requests to a destination.
In general, network services operate from the first line (FIFO) from the first port. The first request arrives, the computer processes the request, then goes and gets the next request online, and so on.
There are now a limited number of points in this queue, and in a DDoS attack, the line can become so vast that the computer has no resources to respond to the first request.
An SYN flood attack is a specific attack. There is a three-way negotiation in a standard TCP / IP network transaction, and these are SYN, ACK, and SYN-ACK.
SYN is the first part, which is any request, ACK is the target response, and SYN-ACK is the original request which says, “Thank you, I have received the requested data.” In an SYN flood attack, attackers create SYN packets with false IP addresses.
The target then sends the ACK to a bogus address, which never responds, stays there, and waits for the time for these responses to expire, which depletes resources to process all of these fake transactions.
3. Volumetric Attacks
A volumetric attack aims to use a botnet to generate a large amount of traffic and disrupt work on the target. Imagine an HTTP flood attack, but with an exponential response, a component added.
For example, if you and 20 friends called the same pizzeria and ordered 50 cakes at the same time, that pizzeria may not meet these requirements. Volumetric attacks work on the same principle.
They are looking for something in the target that will significantly increase the magnitude of the response, and the volume of traffic explodes and obstructs the server.
DNS amplification is a type of volumetric attack. In this case, they directly attack the DNS server and require a large amount of data from the DNS server, which can cause DNS blocking and paralyze anyone who uses this DNS server for name resolution services.
How to avoid DDoS attacks?
How did GitHub survive this massive DDoS attack? Planning and preparation, of course. After 10 minutes of occasional downtime, the GitHub servers have activated their DDoS mitigation service.
The mitigation service redirected incoming traffic and deleted malicious packets, and about 10 minutes later, the attackers abandoned it.
To paying for DDoS mitigation services from companies like Cloudflare and Akamai, you can also use their standard endpoint security measures. Fix your servers, keep Memcached servers open on the Internet, and train your users to recognize phishing attacks.
You can enable black hole routing during a DDoS attack to send all traffic to the abyss. You can configure the speed limit by limiting the number of requests that the server receives in a short period. A well-configured firewall can also protect your servers.
Varonis observes your DNS, VPN, proxies, and data for signs of an upcoming DDoS attack on your corporate network. Varonis monitors behavior patterns and generates alerts when current practice matches a threat pattern or deviates from standard behavior.
This can include malicious hood attacks or significant increases in network traffic, indicating a DDoS attack.
DDoS Attacks Today
Like everything else in IT, DDoS attacks are evolving and becoming more destructive for businesses.
The size of attacks is increasing, with 150 requests per second during the 1990s, which would reduce the server from that time to the recent DYN DNS attack and GitHub attacks to 1.2 TB and 1.35 TB, respectively.
The purpose of these two attacks was to disrupt two significant sources of productivity around the world. These attacks used new techniques to reach their vast bandwidth. The Dyn attack used an explosive found on the Internet of Things (IoT) devices to make a botnet, named the Mirai Botnet attack.
Mirai is used to open Telnet ports and default passwords to download WiFi-enabled cameras to conduct the attack. This attack was a childish difficulty, but it also had a significant vulnerability that accompanies the proliferation of IoT devices.