DDoS in Detail
DDoS as a Cyber Weapon
DDoS is mostly used against websites and web applications, but it is just as effective against email servers, databases, phone systems, and any other network-connected endpoint. In contrast to a simple denial-of-service (DoS) attack launched from a single machine, a distributed denial-of-service attack can have an immense impact: thousands of computers linked into a botnet simultaneously send traffic to a site or to an entire network infrastructure, and the targeted servers quickly run out of bandwidth, connection capacity, or processing power.
Some botnets already have tens of thousands of computers or connected devices under their control. These so-called bots have been infected with malicious software and are used again and again to launch powerful attacks, without the devices' legitimate owners being aware of it. Because the traffic arrives from such a large number of compromised devices, it is almost impossible for an attacked site to trace the attack back to whoever is directing it, and in most cases it remains unclear who can be held liable.
How Does DDoS Work?
There is a common misconception that all DDoS attacks are flooding attacks. This is not true. Broadly, DDoS attacks fall into three categories:
Volumetric attacks: classic flooding attacks that aim to exceed the bandwidth available to the targeted asset. They take advantage of connectionless protocols such as UDP and ICMP, which need no handshake, so the sender never has to wait for the receiver to accept anything before sending more. Most modern volumetric attacks use botnets (armies of Internet-connected devices enslaved by malware) to overwhelm targets with a massive volume of packets.
Protocol attacks: also called 'traffic attacks', these consume server resources rather than raw bandwidth. Instead of relying on data volume, they force target servers (and in-path equipment such as firewalls and load balancers) to track or answer more packets than they have state for. A SYN flood is the classic example: every half-open TCP connection holds an entry in a connection table until it times out, and once the table is full legitimate users can no longer connect.
Application-layer attacks: unlike volumetric and protocol attacks, which overwhelm the infrastructure responsible for serving a web asset, these target the asset itself. A flood of application-layer requests (e.g., HTTP GET/POST requests aimed at expensive pages such as search or login) exhausts the capacity of the targeted website or application, and because each request looks like a legitimate one, this is the hardest category to filter.
Using a botnet (e.g., the Mirai botnet), threat groups can conduct extremely high-volume DDoS attacks. However, in recent years another technique has been used to unleash some of the largest DDoS attacks ever seen: amplification.
Amplification attacks, also known as reflection amplification attacks, abuse publicly accessible UDP services such as NTP time servers (the servers that ensure all your devices know what time it is) to deliver disproportionately high-volume attacks. Each machine in the botnet sends small requests to these services with the source IP address forged to be the victim's; because UDP has no handshake, the service has no way to tell that the request did not come from the victim. It therefore sends its much larger response (sometimes hundreds of times larger) to the victim, and the combined replies of many reflectors become a massive flood that appears to originate from legitimate servers rather than from the botnet.
The precise techniques and services used to conduct these attacks vary significantly. Since 2014, Link11 has catalogued at least 14 different types of reflection amplification attack, including Memcached, CLDAP (Connectionless Lightweight Directory Access Protocol), and CoAP (Constrained Application Protocol) attacks. These attacks have amplification factors that range between 6.3X and 51,000X the size of spoofed requests.
Using amplification techniques, one threat group unleashed a sustained DDoS attack against Amazon measuring more than 2.3 terabits per second. To put that in perspective, it is roughly equivalent to transmitting 350 full HD movies every second. Amazon managed to contain the attack, but don't let that fool you: an attack of half that size would be more than enough to disrupt practically anything not fronted by a network on the scale of Amazon, Google, or Microsoft.
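The asymmetry described above is also what makes reflected floods recognisable at the victim: the traffic arrives as UDP from the reflector's well-known service port, yet the victim itself sent little or nothing to those ports. The following added example (not code from the original article or from Link11) runs that check over a handful of constructed flow records. The service ports for NTP, CLDAP, Memcached and CoAP are the standard IANA assignments; the 203.0.113.0/24 (victim) and 198.51.100.0/24, 192.0.2.0/24 (reflectors) addresses are documentation ranges, and the thresholds are illustrative.

```python
"""Spot reflection/amplification floods in constructed flow records.

A reflected flood reaches the victim as UDP traffic *from* a reflector's
service port. Because the botnet sent the requests with a spoofed source,
the victim sent little or nothing to those reflectors, so inbound bytes per
service port vastly exceed outbound bytes to that port.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP services the article names as reflectors, keyed by their service port.
REFLECTOR_PORTS = {123: "NTP", 389: "CLDAP", 11211: "Memcached", 5683: "CoAP"}
PROTECTED_PREFIX = "203.0.113."   # the victim's network (documentation range)

# Constructed sample: "proto src sport dst dport packets bytes" per line.
SAMPLE_FLOWS = """
# Memcached and CLDAP reflectors hammering the victim (~1.4 kB per packet)
udp 198.51.100.10 11211 203.0.113.5 443 800 1150000
udp 198.51.100.11 11211 203.0.113.5 443 790 1130000
udp 198.51.100.20 389 203.0.113.5 443 2000 2900000
udp 198.51.100.21 389 203.0.113.5 443 1900 2750000
# The victim's own legitimate NTP queries and the matching replies
udp 203.0.113.5 50123 192.0.2.44 123 4 192
udp 192.0.2.44 123 203.0.113.5 50123 4 192
# Ordinary HTTPS traffic, ignored because it is TCP
tcp 203.0.113.5 443 192.0.2.8 51000 50 60000
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated record format used in SAMPLE_FLOWS."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        proto, src, sport, dst, dport, pkts, byt = line.split()
        flows.append(Flow(proto, src, int(sport), dst, int(dport), int(pkts), int(byt)))
    return flows


def find_reflection(flows: List[Flow], min_ratio: float = 10.0,
                    min_inbound_bytes: int = 100_000) -> List[Dict]:
    """Return one alert per reflector service whose inbound volume dwarfs
    what the protected network ever sent to that service."""
    inbound = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    outbound: Dict[int, int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst.startswith(PROTECTED_PREFIX) and f.sport in REFLECTOR_PORTS:
            s = inbound[f.sport]
            s["bytes"] += f.bytes
            s["packets"] += f.packets
            s["reflectors"].add(f.src)
        elif f.src.startswith(PROTECTED_PREFIX) and f.dport in REFLECTOR_PORTS:
            outbound[f.dport] += f.bytes       # genuine requests we sent out
    alerts = []
    for port, s in inbound.items():
        sent = outbound.get(port, 0)
        ratio = s["bytes"] / sent if sent else float("inf")   # nothing sent: pure reflection
        if s["bytes"] >= min_inbound_bytes and ratio >= min_ratio:
            alerts.append({
                "service": REFLECTOR_PORTS[port],
                "port": port,
                "inbound_bytes": s["bytes"],
                "reflectors": len(s["reflectors"]),
                "avg_pkt_bytes": s["bytes"] // max(s["packets"], 1),
                "in_out_ratio": ratio,
            })
    return sorted(alerts, key=lambda a: -a["inbound_bytes"])


if __name__ == "__main__":
    for alert in find_reflection(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The legitimate NTP exchange is not flagged: the victim sent as many bytes as it received, so the ratio is 1, and the volume is tiny. On real flow data the same logic belongs on the upstream side of the link, since, as the next sections explain, once the flood has filled the victim's own pipe there is nothing left to filter.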
DoS vs DDoS
In a Denial of Service (DoS) attack, a single Internet-connected device is used to launch an attack against a target asset. One example is Slowloris, an application-layer attack against web servers that dedicate a worker thread or process to every open connection, classically Apache httpd, which serves just over a third of all websites worldwide. Rather than sending a large volume of traffic, Slowloris opens as many connections as it can and keeps each one alive by sending a partial HTTP request header a few bytes at a time, never finishing it. Every worker sits waiting for a header that never completes, the server's maximum number of concurrent connections is exhausted, and it can no longer serve legitimate users, while the attacker needs only minimal bandwidth.
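To see why a slow trickle beats a fixed worker pool, and what the fix looks like, here is an added discrete-time model (constructed for this article; it is not Apache code and not part of the original page). It assumes a server with a fixed number of worker slots, each blocked until a 400-byte request header has arrived, an attacker opening five connections per tick that each send one byte per tick, and one legitimate client per tick that sends its whole header at once. The only knob compared is whether the server enforces a limit on how long it will wait for a complete header.

```python
"""Discrete-time model of a Slowloris attack on a fixed-size worker pool."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_LEN = 400      # bytes the server must read before a request is complete
LEGIT = "legit"
ATTACKER = "attacker"


@dataclass
class Conn:
    client: str             # LEGIT or ATTACKER
    opened_at: int          # tick at which the connection was accepted
    bytes_per_tick: float   # how quickly this client sends its header
    received: float = 0.0

    def complete(self) -> bool:
        return self.received >= HEADER_LEN


class Server:
    """Thread-per-connection server: `slots` workers, optional header timeout."""

    def __init__(self, slots: int, header_timeout: Optional[int] = None) -> None:
        self.slots = slots
        self.header_timeout = header_timeout
        self.active: List[Conn] = []
        self.served: Dict[str, int] = {LEGIT: 0, ATTACKER: 0}
        self.refused: Dict[str, int] = {LEGIT: 0, ATTACKER: 0}
        self.timed_out = 0

    def accept(self, conn: Conn) -> bool:
        """Hand the connection to a worker, or refuse it if the pool is full."""
        if len(self.active) >= self.slots:
            self.refused[conn.client] += 1
            return False
        self.active.append(conn)
        return True

    def tick(self, now: int) -> None:
        """Advance one tick: read bytes, then free slots whose header finished
        (request served) or whose reader exceeded the header timeout."""
        still_open = []
        for c in self.active:
            c.received += c.bytes_per_tick
            if c.complete():
                self.served[c.client] += 1           # request handled, slot freed
            elif (self.header_timeout is not None
                  and now - c.opened_at >= self.header_timeout):
                self.timed_out += 1                  # slow reader dropped, slot freed
            else:
                still_open.append(c)                 # worker stays blocked
        self.active = still_open


def simulate(header_timeout: Optional[int], ticks: int = 200,
             slots: int = 100, attacker_conns_per_tick: int = 5) -> Server:
    """Run the attack for `ticks` ticks with one legitimate request per tick."""
    server = Server(slots, header_timeout)
    for now in range(ticks):
        for _ in range(attacker_conns_per_tick):
            server.accept(Conn(ATTACKER, now, bytes_per_tick=1.0))   # 1 byte/tick dribble
        server.accept(Conn(LEGIT, now, bytes_per_tick=HEADER_LEN))  # full header at once
        server.tick(now)
    return server


if __name__ == "__main__":
    for timeout in (None, 10):
        s = simulate(timeout)
        print(f"header_timeout={timeout}: legit served={s.served[LEGIT]} "
              f"refused={s.refused[LEGIT]} slow connections dropped={s.timed_out}")
```

With no header timeout the attacker fills all 100 slots after 20 ticks using 1 byte per connection per tick, and from then on every legitimate request is refused; with a 10-tick timeout the slow readers are dropped before they can accumulate and every legitimate request is served. The real-world equivalent of that knob in Apache httpd is mod_reqtimeout's RequestReadTimeout directive (for example `RequestReadTimeout header=20-40,MinRate=500`), which bounds both the time and the minimum data rate a client may take to deliver its headers.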
In a Distributed Denial of Service (DDoS) attack, the attack is launched concurrently from a large number of computers, servers, or other Internet-connected devices.
The collection of devices needed to pull off an attack like this is known as a botnet, which is short for ‘robot network’. A botnet consists of a number of Internet-connected devices that have been infected with malware that enables the attacker to control each infected device. The attacker will then use a ‘command and control’ (C2) server to issue commands to all infected devices at once, which is how large DDoS attacks are coordinated.
DDoS attacks are far more common than DoS attacks and are usually more damaging. However, depending on the technique used, it is possible to launch a DoS attack from a single computer and cause massive disruption.
Note that in many cases the term DDoS is used as a blanket term for all denial of service attacks. It’s not technically correct, but worth keeping in mind to avoid confusion.
Distributed Denial of Service Attack Examples
Originally, DDoS attacks were used primarily to disrupt and frustrate their targets. They were commonly used by hacktivist groups, such as when Anonymous took on the Church of Scientology back in 2008. However, as with most cyber threats, the DDoS landscape has matured significantly since then. Now, hacking groups use DDoS attacks for two primary purposes.
How to Prevent DDoS Attacks
Historically, organizations have relied on on-premises hardware to detect and block DDoS attacks. However, such appliances are ineffective against modern DDoS attacks: they are constrained by the bandwidth of the link they sit behind, so a volumetric attack saturates the upstream connection before the appliance ever sees a packet it could drop. Put simply, once an attack has reached the target's own IT systems, it is too late to stop it.
Link11's Cloud Security Platform uses proprietary AI and ML algorithms to identify even brand-new threats in real time, with zero human intervention. From there, the platform's cloud-based scrubbing centers filter, analyze, and, where needed, block traffic before it reaches your IT systems.
The platform provides:
- Instant protection against attacks that follow known patterns, with zero impact on your users.
- Protection against brand-new DDoS threats, with full mitigation in under 10 seconds.
- Industry-leading protection against DDoS attacks, with guaranteed 99.99% availability.
As a result, your organization benefits from a huge reduction in cyber risk and avoids the hefty costs associated with recovering from a DDoS attack.