What Are DDoS Attacks?
A DDoS (Distributed Denial of Service) attack attempts to overwhelm an Internet-connected asset with the aim of making it unavailable to legitimate users. It does this by exhausting a finite resource — usually the sheer volume of traffic an asset is capable of handling — over a prolonged period, making normal use impossible. In a typical DDoS attack, the attacker sends a large number of requests to the targeted asset, aiming to exceed the asset’s capacity to handle that type of request. Since the asset is now ‘exhausted’ in that area, legitimate users cannot interact with it properly.
Nowadays, DDoS attacks are part of the most common cyberattacks. Especially in the sectors of industry and finance, these powerful attacks are used to put companies under pressure and demand high sums as protection money. Also in the area of cyberspionage DDoS attacks belong to the standard repertoire. But what does DDoS mean for companies?
DDoS in Detail
DDoS as a Cyber Weapon
Mostly, DDoS is used to attack websites and web applications, though it can also be effective against email servers, databases, phone systems, and any other network-connected endpoint. In contrast to a simple denial-of-service attack (DoS), distributed denial of service attacks can have an immense impact. Several computers that have been linked through bot networks simultaneously attempt to access a site or an entire network infrastructure. This can quickly lead to the failure of the servers.
Some botnets already have tens of thousands of computers or connected devices under their control. These so called bots have been infected with malicious software and are repeatedly used to launch a powerful attack, without the computers’ authorized users even being aware of it. Due to the large number of computers or devices used, it is almost impossible for an attacked website to identify the source of the attack. Likewise, in most cases it remains unclear who can be held liable for such attacks.
Your advantages of the patented
Link11 anti DDoS solution
Protect your web pages and IT infrastructure from DDoS attacks on all levels
Classic flooding attacks that aim to exceed the maximum bandwidth of a targeted asset. These attacks take advantage of Internet protocols like UCP and ICMP, which don’t require the receiving asset to ‘accept’ each packet of data. Most modern volumetric attacks use botnets (armies of Internet-connected devices enslaved by malware) to overwhelm targets with a massive volume of data packets.
Also called ‘traffic attacks’, protocol attacks consume server resources rather than pure bandwidth. Unlike volumetric attacks, which rely on data volume, protocol attacks force target servers (and other equipment like firewalls) to respond to more data packets than they can handle. The targeted asset becomes overwhelmed, and can no longer serve legitimate users.
Unlike volumetric and protocol attacks, which overwhelm the infrastructure responsible for serving a web asset, application attacks target the asset itself. Using a flood of application-layer requests (e.g., HTTP GET/POST requests) these attacks exhaust the capabilities of a targeted website or application.
Using a botnet (e.g., the Mirai botnet) threat groups can conduct extremely high-volume DDoS attacks. However, in recent years another technique has been used to unleash some of the largest DDoS attacks ever seen: amplification.
Amplification attacks — also known as reflection amplification attacks — abuse publicly accessible services like time servers (the servers that ensure all your devices know what time it is) to deliver disproportionately high volume attacks. Each machine within a botnet sends spoofed requests to these resources, listing the IP address of the target victim. The service then sends a much larger response (sometimes hundreds of times larger) to the target, resulting in a massive flooding attack.
The precise techniques and services used to conduct these attacks vary significantly. Since 2014, Link11 has catalogued at least 14 different types of reflection amplification attack, including Memcached, CLDAP (Connectionless Lightweight Directory Access Protocol), and CoAP (Constrained Application Protocol) attacks. These attacks have amplification factors that range between 6.3X and 51,000X the size of spoofed requests.
Using amplification techniques one threat group unleashed a sustained DDoS attack against Amazon measuring more than 2.3 terabytes per second. To put that in perspective, it’s roughly equivalent to transmitting 350 full HD movies every second. Amazon managed to contain the attack, but don’t let that fool you. An attack of half that size would be more than enough to disrupt practically anything not owned by Amazon, Google, or Microsoft.
DoS vs DDoS
In a Denial of Service (DoS) attack, a single Internet-connected device is used to launch an attack against a target asset. One example of this is a Slowloris attack. Slowloris is an application-layer attack that targets assets hosted on Apache web servers — just over a third of all web servers worldwide. Slowloris attacks exhaust an asset’s maximum number of concurrent connections, rather than traffic volume. As a result, they can disrupt an asset’s ability to serve legitimate users while requiring minimal bandwidth investment from the attacker.
In a Distributed Denial of Service (DDoS) attack, the attack is launched concurrently from a large number of computers, servers, or other Internet-connected devices.
The collection of devices needed to pull off an attack like this is known as a botnet, which is short for ‘robot network’. A botnet consists of a number of Internet-connected devices that have been infected with malware that enables the attacker to control each infected device. The attacker will then use a ‘command and control’ (C2) server to issue commands to all infected devices at once, which is how large DDoS attacks are coordinated.
DDoS attacks are far more common than DoS attacks and are usually more damaging. However, depending on the technique used, it is possible to launch a DoS attack from a single computer and cause massive disruption.
Note that in many cases the term DDoS is used as a blanket term for all denial of service attacks. It’s not technically correct, but worth keeping in mind to avoid confusion.
These attacks are often (but not exclusively) politically motivated. Typically, attackers use DDoS as a tool to silence or disrupt an organization they disagree with. For example:
- In August 2020, the New Zealand stock exchange was knocked offline more than four days in a row due to DDoS attacks.
- In January 2019, the hacktivist group Anonymous targeted a series of Zimbabwean government websites with DDoS attacks in response to government-sanctioned nationwide Internet blackouts.
- Messaging app Telegram was temporarily taken down by a “state actor-sized DDoS attack” in June 2019. The attack is thought to have been orchestrated by the Chinese government to disrupt protests in Hong Kong that were organized via the app’s encrypted messaging.
Hold the victim to ransom
Similar to a ransomware attack, DDoS attacks can be used to extort money from targeted organizations. The approach is simple. The attacker unleashes a DDoS attack as a proof of concept, then contacts the victim organization to demand money. If the victim refuses to pay, the attacker will recommence the DDoS attack. Some publicized examples include:
- A criminal group posing as Russian APT group Fancy Bear launched DDoS attacks against a series of financial institutions. Following each attack, the affected organization was sent a ransom note.
- In March 2020, a Germany-based food delivery company was targeted with a DDoS attack. The attack was accompanied by a demand that the company pay a ransom of 2 bitcoins (around $11,000 at that time).
Since extended outages can prove highly expensive for most organizations, many DDoS ransom demands like these are paid each year. For obvious reasons, most are never made public.
How to Prevent DDoS Attacks
Historically organizations have relied on hardware solutions to detect and protect against DDoS attacks. However, these on-premise solutions are ineffective against modern DDoS attacks. On-premise devices are constrained by the network resources and bandwidth available, making them susceptible to high-volume DDoS attacks. Simply, if an attack is allowed to reach its target’s IT systems, it’s too late to stop.
Link 11’s Cloud Security Platform uses proprietary AI and ML algorithms to identify even brand new threats in real-time, with zero human intervention. From there, the solutions’ cloud-based scrubbing centers filter, analyze, and — where needed — block traffic before it reaches your IT systems.
The platform provides:
- Instant protection against attacks that follow known patterns, with zero impact on your users.
- Protection against brand-new DDoS threats, with full mitigation in under 10 seconds.
- Industry-leading protection against DDoS attacks, with guaranteed 99.99% availability.
As a result, your organization benefits from a huge reduction in cyber risk and avoids the hefty costs associated with
recovering from a DDoS attack.