What is a DDoS attack?
A DDoS (Distributed Denial of Service) attack attempts to overwhelm an Internet-connected asset so that it becomes unavailable to legitimate users. It does this by exhausting a finite resource (most often the volume of traffic the asset can handle, but also connection state, CPU or memory) for a prolonged period, making normal use impossible. In a typical DDoS attack, the attacker sends a large number of requests to the targeted asset, aiming to exceed its capacity to handle that type of request. Because the asset is now 'exhausted' in that area, legitimate users can no longer interact with it properly.
Today, Distributed Denial of Service is among the most common cyberattacks. In industry and finance in particular, these powerful attacks are used to put companies under pressure and extort large sums as protection money. They are also part of the standard repertoire of cyber espionage. But what does that mean for companies?
DDoS attack in Detail
DDoS as a Cyber Weapon
DDoS is mostly used to attack websites and web applications, though it is also effective against email servers, databases, phone systems, and any other network-connected endpoint. In contrast to a simple denial-of-service (DoS) attack, a distributed attack can have an immense impact: many computers linked together in a botnet simultaneously attempt to access a site or an entire network infrastructure, which can quickly cause the servers to fail.
Some botnets already have tens of thousands of computers or connected devices under their control. These so-called bots have been infected with malicious software and are used again and again to launch powerful attacks, without their legitimate owners being aware of it. Because so many devices are involved, it is almost impossible for an attacked website to identify the true source of a Distributed Denial of Service attack, and in most cases it remains unclear who can be held liable.
This is how easy it is to commission overload attacks
DDoS attack for everyone
Cybercriminals have long since moved beyond targeting private commercial enterprises to attacking the public sector and critical infrastructure such as energy producers, rail network operators, banks and hospitals. In some cases, the perpetrators are not at all interested in enriching themselves. Instead, they want to spread chaos, weaken competitors or paralyze democratic processes. But what exactly is a DDoS attack?
Building a botnet and carrying out the attack itself require technical know-how, but above all criminal intent. In recent years, would-be attackers have found it increasingly easy to obtain the necessary expertise. As the case of the Mirai IoT botnet shows, source code and tools for building botnets are often made freely available, and DDoS attacks are no longer just the tool of IT professionals or hacker groups. You no longer have to be a programmer to take out competitors, political dissidents or particular Internet systems with a Distributed Denial of Service.

Cyber attacks have become a service that non-professionals can commission online, and doing so is neither complicated nor expensive. Anyone looking for DDoS as a service will find numerous providers of so-called booter or IP stresser services on the Internet, where attacks can be ordered after an anonymous registration. Such attacks, whether commissioned or self-executed, are punishable by law in Germany: everyone involved, from the client to the booter operator, faces up to five years' imprisonment if convicted.
Your advantages of the patented Link11 anti-DDoS solution
Protect your web pages and IT infrastructure from a DDoS attack on all levels
Volumetric attacks: classic flooding attacks that aim to exceed the maximum bandwidth of the targeted asset. They take advantage of connectionless Internet protocols like UDP and ICMP, which do not require the receiving asset to 'accept' each packet of data before it is sent. Most modern volumetric attacks use botnets (armies of Internet-connected devices enslaved by malware) to overwhelm targets with a massive volume of data packets.
Protocol attacks, also called 'traffic attacks', consume server resources such as connection-state tables rather than pure bandwidth. Unlike volumetric attacks, which rely on sheer data volume, protocol attacks force target servers (and intermediate equipment like firewalls and load balancers) to track or respond to more packets than they can handle; a SYN flood, for example, fills the connection table with half-open TCP connections. The targeted asset becomes overwhelmed and can no longer serve legitimate users.
Application-layer attacks: unlike volumetric and protocol attacks, which overwhelm the infrastructure responsible for serving a web asset, application attacks target the asset itself. Using a flood of application-layer requests (e.g., HTTP GET/POST requests that are individually valid but expensive to serve), these attacks exhaust the capacity of the targeted website or application.
DDoS Amplification attack
Using a botnet (e.g., the Mirai botnet) threat groups can conduct extremely high-volume attacks. However, in recent years another technique has been used to unleash some of the largest DDoS strikes ever seen: amplification.
Amplification attacks, also known as reflection amplification attacks, abuse publicly accessible services such as NTP time servers (the servers that keep your devices' clocks in sync) to deliver disproportionately high-volume attacks. Each machine in the botnet sends small requests to these services with the source IP address forged (spoofed) to be the victim's. The service then sends its much larger response (sometimes hundreds of times larger) to the victim instead of to the bot, so the reflectors collectively flood the target while the bots themselves stay in the background.
The precise techniques and services used to conduct these attacks vary significantly. Since 2014, Link11 has catalogued at least 14 different types of reflection amplification attack, including Memcached, CLDAP (Connectionless Lightweight Directory Access Protocol), and CoAP (Constrained Application Protocol) attacks. Their amplification factors (the size of the response divided by the size of the spoofed request) range from 6.3x to 51,000x.
Using amplification techniques, one threat group unleashed a sustained Distributed Denial of Service attack against Amazon measuring more than 2.3 terabits per second, roughly 290 gigabytes of traffic every second. Amazon managed to absorb the attack, but don't let that fool you: an attack half that size would be more than enough to disrupt practically anything not owned by Amazon, Google, or Microsoft.
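From the victim's side, reflection amplification has a simple signature: answers arriving from service ports on many different hosts to questions the victim never asked. The following is an added example written for this page, not Link11 code or part of its platform. It reads constructed flow records (the "ts proto src sport dst dport bytes" format, the victim address 198.51.100.5, the reflector addresses and the alert thresholds are all assumptions made here), matches inbound UDP responses against outbound requests, and computes the amplification factor as defined above wherever a real request exists.

```python
"""Flag reflection/amplification traffic in flow records.

Added example for this page, not Link11 code. The flow format, the victim
address, the reflector addresses and the thresholds are constructed for
illustration; a real deployment would read NetFlow/sFlow exports instead.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their well-known port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP",
                   5683: "CoAP", 11211: "Memcached"}

VICTIM = "198.51.100.5"  # assumed protected address

# Constructed flow records: "ts proto src sport dst dport bytes".
# The first two lines are a normal DNS lookup by the victim and its answer.
# Everything else is unsolicited: responses the victim never requested,
# arriving from many reflectors whose source port is a service port.
SAMPLE_FLOWS = """
1700000000 udp 198.51.100.5 40001 203.0.113.10 53 60
1700000000 udp 203.0.113.10 53 198.51.100.5 40001 120
1700000002 udp 192.0.2.11 11211 198.51.100.5 80 1400
1700000002 udp 192.0.2.12 11211 198.51.100.5 80 1400
1700000002 udp 192.0.2.13 11211 198.51.100.5 80 1400
1700000003 udp 192.0.2.14 11211 198.51.100.5 80 1400
1700000003 udp 192.0.2.15 11211 198.51.100.5 80 1400
1700000003 udp 192.0.2.99 123 198.51.100.5 80 440
1700000004 tcp 192.0.2.50 443 198.51.100.5 51000 1500
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated records above into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, proto, src, sport, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), proto, src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def reflection_stats(flows, victim, window=5):
    """Per reflector service: unsolicited bytes, distinct reflectors, and the
    amplification factor (response bytes / request bytes) where a request exists.

    A response counts as solicited only if the victim sent a request to that
    same reflector and service port within `window` seconds before it.
    """
    requests = defaultdict(list)  # (reflector ip, service port) -> [(ts, bytes)]
    for f in flows:
        if f.proto == "udp" and f.src == victim and f.dport in REFLECTOR_PORTS:
            requests[(f.dst, f.dport)].append((f.ts, f.nbytes))

    stats = defaultdict(lambda: {"unsolicited_bytes": 0, "reflectors": set(), "amp_factors": []})
    for f in flows:
        if f.proto != "udp" or f.dst != victim or f.sport not in REFLECTOR_PORTS:
            continue
        svc = stats[REFLECTOR_PORTS[f.sport]]
        asked = [b for t, b in requests.get((f.src, f.sport), ()) if 0 <= f.ts - t <= window]
        if asked:
            svc["amp_factors"].append(round(f.nbytes / asked[0], 2))
        else:
            svc["unsolicited_bytes"] += f.nbytes
            svc["reflectors"].add(f.src)
    return dict(stats)


def alerts(stats, min_reflectors=3, min_bytes=3000):
    """One alert per service once many distinct reflectors have delivered enough
    unsolicited bytes; a single stray response is not an attack."""
    out = []
    for name, s in sorted(stats.items()):
        if len(s["reflectors"]) >= min_reflectors and s["unsolicited_bytes"] >= min_bytes:
            out.append(f"{name}: {s['unsolicited_bytes']} unsolicited bytes "
                       f"from {len(s['reflectors'])} reflectors")
    return out


def analyse(text=SAMPLE_FLOWS, victim=VICTIM):
    stats = reflection_stats(parse_flows(text), victim)
    return stats, alerts(stats)


if __name__ == "__main__":
    stats, found = analyse()
    for name, s in sorted(stats.items()):
        print(name, s["unsolicited_bytes"], len(s["reflectors"]), s["amp_factors"])
    print(found)
```

On the sample data the legitimate DNS exchange yields an amplification factor of 2.0 and no alert, while the five Memcached reflectors trip the threshold and the lone NTP response does not. The victim cannot see the spoofed requests at all, which is why this side of the detection works on the absence of a matching outbound request; stopping the spoofing itself is up to the networks hosting the bots (source-address validation) and the operators of the reflectors.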
DoS vs DDoS attack
In a Denial of Service (DoS) attack, a single Internet-connected device is used to attack a target asset. One example is Slowloris, an application-layer attack that targets assets hosted on Apache web servers (just over a third of all web servers worldwide). Slowloris opens many connections and keeps each one alive by sending partial HTTP headers very slowly, never completing the request. It therefore exhausts the asset's maximum number of concurrent connections rather than its bandwidth, so it can stop an asset from serving legitimate users while costing the attacker almost no bandwidth.
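The defence against this pattern is to stop letting a connection hold a worker slot indefinitely while its headers trickle in. The following is an added example written for this page; it is neither Link11 code nor the Slowloris tool. It implements the policy behind Apache's mod_reqtimeout setting "RequestReadTimeout header=20-40,MinRate=500" in plain Python (headers must complete within 20 s, every 500 bytes received buys one more second, never beyond 40 s) and runs three scripted clients against it offline: a normal browser, a Slowloris-style client, and a genuinely slow but honest client. The client scripts, timings and hostnames are constructed here.

```python
"""Slowloris-style slot exhaustion versus a header-read deadline with a minimum data rate.

Added example for this page; not Link11 code and not the Slowloris tool.
The policy mirrors Apache's mod_reqtimeout "header=20-40,MinRate=500":
headers must arrive within 20 s, each 500 bytes received extends that by
one second, capped at 40 s. Clients are scripted (time, bytes) sequences
constructed here; no network is involved.
"""


class SlowHeaderError(Exception):
    """Raised when a client fails to finish its request headers in time.
    args = (reason, seconds the worker slot was held)."""


def read_request_headers(chunks, initial=20.0, maximum=40.0, min_rate=500, max_bytes=8192):
    """Consume (arrival_time, data) pairs as a socket would deliver them.

    Returns the complete header block once the blank line (CRLF CRLF) arrives.
    Raises SlowHeaderError if the deadline passes first. A real server fires a
    timer at the deadline, so on timeout we report the deadline as the time the
    slot was held, not the arrival time of the late chunk that exposed it.
    """
    buf = bytearray()
    start = deadline = last_t = None
    for t, data in chunks:
        if start is None:
            start, deadline = t, t + initial
        if t > deadline:
            raise SlowHeaderError("timeout", deadline - start)
        last_t = t
        buf += data
        if len(buf) > max_bytes:
            raise SlowHeaderError("header block too large", t - start)
        # MinRate: every min_rate bytes extends the deadline by one second, capped at `maximum`
        deadline = min(deadline + len(data) / min_rate, start + maximum)
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return bytes(buf[: end + 4])
    # The client stopped sending (or the script ended) without completing the headers.
    raise SlowHeaderError("incomplete", (last_t - start) if start is not None else 0.0)


def normal_client():
    """A browser: the whole request arrives in two quick segments."""
    yield 0.00, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    yield 0.05, b"User-Agent: demo\r\nAccept: */*\r\n\r\n"


def slowloris_client(interval=15.0, rounds=4):
    """Slowloris pattern: open, then trickle a bogus header line forever, never the blank line."""
    yield 0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    for i in range(1, rounds + 1):
        yield i * interval, b"X-a: b\r\n"


def slow_but_honest_client(rate=300, seconds=24):
    """A genuinely slow link (~300 B/s) that does finish; MinRate should keep it alive."""
    yield 0.0, b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n"
    for i in range(1, seconds + 1):
        yield float(i), b"Cookie: " + b"a" * (rate - 10) + b"\r\n"
    yield float(seconds + 1), b"\r\n"


def outcome(client, **policy):
    """Run one connection against the policy: was it served, and how long did it hold a slot?"""
    try:
        hdr = read_request_headers(client, **policy)
        return {"served": True, "reason": "ok", "header_bytes": len(hdr)}
    except SlowHeaderError as e:
        reason, held = e.args
        return {"served": False, "reason": reason, "held_seconds": held}


# Disabling the deadline models a server with no header-read timeout at all.
NO_TIMEOUT = dict(initial=float("inf"), maximum=float("inf"))

if __name__ == "__main__":
    print("normal, default policy:     ", outcome(normal_client()))
    print("slowloris, no timeout:      ", outcome(slowloris_client(), **NO_TIMEOUT))
    print("slowloris, default policy:  ", outcome(slowloris_client()))
    print("slow honest, default policy:", outcome(slow_but_honest_client()))
```

Without a timeout the Slowloris connection holds its slot for the full 60 s of the script (and would hold it forever); with the policy it is dropped just after 20 s, because 8 bytes every 15 s buys only 0.016 s of extra time. The honest client at 300 B/s stays ahead of its deadline and is served, which is what the minimum-rate extension is for. Multiply by the number of worker slots and this is the whole attack: one device, a few hundred connections, a few hundred bytes per second.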
In a Distributed Denial of Service (DDoS) attack, the attack is launched concurrently from a large number of computers, servers, or other Internet-connected devices.
The collection of devices needed to pull off an attack like this is known as a botnet, short for 'robot network'. A botnet consists of a number of Internet-connected devices that have been infected with malware which lets the attacker control each infected device. The attacker then uses a 'command and control' (C2) server to issue commands to all infected devices at once, which is how such large attacks are coordinated.
A DDoS attack is far more common than a DoS attack and usually more damaging. However, depending on the technique used, a DoS attack launched from a single computer can still cause massive disruption.
Note that in many cases the term DDoS is used as a blanket term for all denial of service attacks. It’s not technically correct, but worth keeping in mind to avoid confusion.
DDoS attacks are often (but not exclusively) politically motivated. Typically, attackers use DDoS as a tool to silence or disrupt an organization they disagree with. For example:
- In August 2020, the New Zealand stock exchange was knocked offline on more than four consecutive days by an ongoing cyber attack.
- In January 2019, the hacktivist group Anonymous targeted a series of Zimbabwean government websites with DDoS attacks in response to government-sanctioned nationwide Internet blackouts.
- Messaging app Telegram was temporarily taken down by a “state actor-sized attack” in June 2019. The attack is thought to have been orchestrated by the Chinese government to disrupt protests in Hong Kong that were organized via the app’s encrypted messaging.
Hold the victim to ransom
Similar to a ransomware attack, a DDoS attack can be used to extort money from targeted organizations. The approach is simple. The attacker unleashes a strike as a proof of concept, then contacts the victim organization to demand money. If the victim refuses to pay, the attacker will recommence the attack. Some publicized examples include:
- A criminal group posing as the Russian APT group Fancy Bear launched DDoS attacks against a series of financial institutions. After each attack, the affected organization was sent a ransom note.
- In March 2020, a Germany-based food delivery company was hit by a DDoS attack accompanied by a demand that the company pay a ransom of 2 bitcoins (around $11,000 at the time).
Since extended outages are highly expensive for most organizations, many ransom DDoS (RDoS) demands like these are paid each year. For obvious reasons, most are never made public.
How to prevent a DDoS attack
Historically, organizations have relied on hardware appliances to detect and protect against high-profile attacks. However, these on-premise solutions are ineffective against a modern Distributed Denial of Service attack: the devices are constrained by the network resources and bandwidth available to them, which makes them susceptible to high-volume attacks. Put simply, once an attack has reached the target's IT systems, it is too late to stop it.
Link11's Cloud Security Platform uses proprietary AI and ML algorithms to identify even brand-new threats in real time, with zero human intervention. From there, the solution's cloud-based scrubbing centers filter, analyze and, where needed, block traffic before it reaches your IT systems.
The platform provides:
- Instant protection against attacks that follow known patterns, with zero impact on your users.
- Protection against brand-new threats, with full mitigation in under 10 seconds.
- Industry-leading protection against DDoS attacks, with guaranteed 99.99% availability.
As a result, your organization benefits from a large reduction in cyber risk and avoids the hefty costs of recovering from a DDoS attack. Good protection is essential these days.