Have you ever tried to buy tickets to a big game, or some hot new gadget that everyone has been queuing for online, only to be met with a timeout, an error page, or a browser complaining that the site could not be reached? Then you may have come across what's known as a distributed denial-of-service attack, or DDoS for short. In a DDoS attack, attackers overload a website or server beyond its capacity so that it crashes or stops responding, denying access to the legitimate users who want to reach it.
A report by NETSCOUT found that, in the first quarter of 2021, around 2.9 million DDoS attacks occurred, rising by approximately 31% from the same time in 2020. And each of these attacks had potentially devastating consequences for the victim organization.
But how do DDoS attacks work, and what do they look like? We’ve got you covered. Throughout this blog post we’ll dive into how DDoS attacks happen, with some examples of real-life attacks, and how best to prepare yourself for them.
What Is A DDoS Attack?
A DDoS attack is a type of cyberattack in which an attacker deliberately takes down a service by sending it more traffic than it can handle. Cybercriminals do this by controlling a large number of computers, or other endpoints, and coordinating a simultaneous spike in traffic towards the target, which exhausts the service's bandwidth, connection state or processing capacity and denies access to genuine users. The "distributed" part is what makes the attack hard to filter: the traffic arrives from many sources at once, rather than from a single address that could simply be blocked.
There is no single reason why organizations are targeted by DDoS attacks. Usually they are the victims of a protest, a prank, or an extortion attempt (pay up or the attack continues). Bear in mind, too, that a genuine surge in demand, such as a ticket sale going live, produces exactly the same symptoms without any attacker at all, so capacity planning matters even for organizations nobody is targeting. The kinds of organizations that are hit range far and wide, from big financial players, to games companies, to online retailers.
How Are DDoS Attacks Created?
For a DDoS attack to work, the attacker needs traffic from many sources, each with its own internet connection contributing a share of the flood. What this means is that either A: the cybercriminal has a warehouse full of accomplices all hammering a website at the same moment, or B (far more likely): the cybercriminal has access to a botnet.
Botnets are the primary means by which attackers carry out DDoS attacks. A botnet is a network of compromised devices ("bots" or "zombies"), each running malware that takes its instructions from command-and-control (C2) infrastructure operated by the attacker. With the botnet under their control, the attacker points it at a network or server and floods the target from every bot at once. These botnets can comprise thousands or even millions of devices.
A DDoS attack occurs when the bots all send traffic or connection requests at once, exceeding the target's bandwidth or its capacity to keep track of connections. The same botnets are also used, or rented out, to send spam, distribute malware and deploy ransomware.
What Types Of Botnets Are There?
Botnets are usually described in three categories: client-server, peer-to-peer, and Internet of Things. The first two describe how the bots are commanded; the third describes what the bots are.
Client-server: The attacker sends commands from a central command-and-control server to the "zombie" computers, each of which connects back to that same server for instructions. The weakness, from the criminal's point of view, is that the C2 server is a single point of failure: if defenders or law enforcement seize or sinkhole it, the whole botnet goes quiet.
Peer-to-peer: In this design each infected machine relays commands to other infected machines, so instructions propagate across the network without a central server. To stop anyone else hijacking the botnet, the operator digitally signs every command and the bots only act on commands carrying a valid signature. Because there is no single server to shut down, these botnets are much harder to "take down."
Internet of Things: With IoT technology ever advancing, to the point where a multitude of kitchen devices are now connected to the internet, building a botnet has become a lot easier thanks to the sheer number of devices that can be made to flood a server. Many IoT devices, though they have basic internet connectivity, lack authentication or access controls, or ship with default credentials that are never changed, leaving them open to hijacking. The Mirai botnet of 2016, assembled by logging into devices with factory-default passwords, is the best-known example. This means cybercriminals can easily commandeer a fleet of IoT devices to add to their botnet in preparation for a DDoS attack.
Are Your Corporate Devices Part Of A Botnet?
Attackers usually use compromised devices to carry out DDoS attacks. It’s important that you’re able to identify when a device has been compromised, and educate your users on the symptoms of device compromise so that they can report any suspicious activity to you.
There are symptoms that can indicate a device is part of a botnet, some of which overlap with other infections such as a virus. On the device itself: processes you do not recognise, high CPU or network usage while the machine is idle, sluggish file access, and crashes. On the network, which is where bots are most reliably spotted: outbound connections to unfamiliar hosts, regular "check-in" traffic to the same external address at fixed intervals (beaconing), and bursts of connections to a large number of different destinations. Excessive spam leaving a mailbox, or your public IP address turning up on blocklists, are further signs.
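As an added example (not part of the original post), the Python below applies the two network-level indicators above, fan-out and beaconing, to a handful of constructed flow records. The addresses, thresholds and record format are assumptions made for illustration; in practice the input would be NetFlow/IPFIX or firewall logs and the thresholds would be tuned to the environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address ranges treated as "inside" the organisation (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records (not captured traffic): (timestamp seconds, src IP, dst IP, dst port).
FLOWS = []
# 10.0.0.5 contacts 203.0.113.10:443 exactly every 60 s: the fixed-interval "check-in" of a bot
# talking to its C2 server (hypothetical addresses from the documentation ranges).
for i in range(10):
    FLOWS.append((i * 60, "10.0.0.5", "203.0.113.10", 443))
# ...and then opens connections to 60 different internet hosts within a minute (attack fan-out).
for i in range(1, 61):
    FLOWS.append((600 + i, "10.0.0.5", f"198.51.100.{i}", 80))
# 10.0.0.7 is an ordinary workstation: a few irregular connections, plus internal file-share traffic.
for ts, dst in [(5, "203.0.113.20"), (47, "203.0.113.20"), (130, "203.0.113.21"),
                (131, "203.0.113.20"), (300, "203.0.113.22"), (812, "203.0.113.20")]:
    FLOWS.append((ts, "10.0.0.7", dst, 443))
FLOWS.append((900, "10.0.0.7", "10.0.0.1", 445))


def find_bot_indicators(flows, fanout_threshold=50, beacon_min=5, max_jitter=0.1):
    """Return {src_ip: {"fan_out": n, "beacons": [(dst, port, interval_s), ...]}} for hosts
    showing bot-like outbound behaviour. Only traffic leaving the internal ranges is considered."""
    dests = defaultdict(set)        # src -> distinct external destinations
    contacts = defaultdict(list)    # (src, dst, port) -> timestamps of each contact
    for ts, src, dst, port in flows:
        if is_internal(dst):
            continue
        dests[src].add(dst)
        contacts[(src, dst, port)].append(ts)

    findings = defaultdict(dict)
    # Indicator 1: one host talking to an unusually large number of distinct external hosts.
    for src, seen in dests.items():
        if len(seen) >= fanout_threshold:
            findings[src]["fan_out"] = len(seen)
    # Indicator 2: repeated contact with the same host:port at near-constant intervals.
    # A coefficient of variation (stddev / mean) of the gaps close to zero means clockwork timing.
    for (src, dst, port), stamps in contacts.items():
        if len(stamps) < beacon_min:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = mean(gaps)
        if interval > 0 and pstdev(gaps) / interval <= max_jitter:
            findings[src].setdefault("beacons", []).append((dst, port, interval))
    return dict(findings)


if __name__ == "__main__":
    for host, indicators in find_bot_indicators(FLOWS).items():
        print(host, indicators)
```

Running it flags 10.0.0.5 on both counts (61 distinct external destinations, and a 60-second beacon to 203.0.113.10:443) and says nothing about 10.0.0.7, whose handful of irregular connections looks like a person browsing. The beacon check is the more valuable of the two in practice, because a bot has to check in long before it is ever told to attack.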
What Are The Different Types Of DDoS Attacks?
With a botnet at their disposal, a cybercriminal can launch the DDoS itself. Attacks fall into four main categories: volume-based attacks, protocol attacks, application-layer attacks, and amplification attacks, of which DNS amplification is the best-known example. Real campaigns often combine several of these at once.
Volume-based attacks rely on the botnet to generate sheer traffic (UDP floods, ICMP floods and the like), measured in bits per second, until the target's network link or servers cannot keep up and legitimate requests are dropped. These are the most common type of DDoS attack, because they are easy to set up and execute. Imagine a volume-based attack as a queue for a nightclub: once the capacity is full, you're not getting in!
Protocol attacks are slightly more subtle. Rather than saturating bandwidth, they exhaust the state that servers, firewalls and load balancers have to keep for each connection. The classic example is the SYN flood: the attacker sends a stream of TCP SYN packets, usually from spoofed source addresses, and never completes the handshake, so the server's table of half-open connections fills up and it can no longer accept real clients. Fragmentation attacks work the same way one layer down: the attacker sends streams of IP datagram fragments that never form a complete packet, or that overlap or exceed the maximum size when reassembled, tying up the reassembly buffers and, on unpatched systems, crashing the network stack outright. They work like a bubble bath: a little too much mixture and the whole bathroom is foaming over.
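To make the SYN-flood case concrete, here is an added simulation (my own code, not from the original post) of two listeners under the same flood: one that records every half-open connection, and one that uses SYN cookies, the standard defence, in which the server stores nothing on SYN and instead encodes the handshake state in the sequence number it sends back. The cookie layout here is a simplified, hypothetical one (8 bits of time counter plus a 24-bit keyed hash) rather than the exact Linux encoding, and the secret, addresses and backlog size are made up for the example.

```python
import hashlib
import hmac


class StatefulListener:
    """A server that records every half-open connection, as a plain TCP stack does."""

    def __init__(self, backlog, timeout_s=60):
        self.backlog = backlog
        self.timeout_s = timeout_s
        self.half_open = {}   # (src, sport) -> time the SYN arrived

    def on_syn(self, src, sport, now):
        # Expire stale entries, then store the new one if there is room. Returns True if a
        # SYN-ACK would be sent, False if the SYN is dropped because the backlog is full.
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout_s}
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        return self.half_open.pop((src, sport), None) is not None


class SynCookieListener:
    """A server that stores nothing on SYN: the handshake state is encoded in the initial
    sequence number (ISN) it sends back, and recomputed when the client's ACK arrives."""

    def __init__(self, secret):
        self.secret = secret

    def _cookie(self, src, sport, dport, minute):
        msg = f"{src}|{sport}|{dport}|{minute}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 32-bit ISN: low 8 bits of the minute counter, then 24 bits of keyed hash (simplified).
        return ((minute & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

    def on_syn(self, src, sport, dport, now):
        return self._cookie(src, sport, dport, now // 60)   # ISN for the SYN-ACK; nothing stored

    def on_ack(self, src, sport, dport, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF   # a genuine client acknowledges ISN + 1
        minute = now // 60
        # Accept cookies minted this minute or the previous one; anything older is stale.
        return any(isn == self._cookie(src, sport, dport, m) for m in (minute, minute - 1))


def simulate(flood_size=1000, backlog=256):
    """Send a flood of never-completed SYNs from spoofed sources to both listeners, then
    attempt one legitimate handshake. Returns what happened to the legitimate client."""
    stateful = StatefulListener(backlog)
    cookies = SynCookieListener(b"per-boot random secret (hypothetical)")
    for i in range(flood_size):
        spoofed_src, sport = f"198.51.100.{i % 250}", 1024 + i
        stateful.on_syn(spoofed_src, sport, now=0)
        cookies.on_syn(spoofed_src, sport, 80, now=0)   # computes an ISN and forgets it
    legit = ("192.0.2.7", 40000)
    stateful_ok = stateful.on_syn(*legit, now=1)                                   # table is full
    isn = cookies.on_syn(*legit, 80, now=1)
    cookie_ok = cookies.on_ack(*legit, 80, ack=(isn + 1) & 0xFFFFFFFF, now=5)      # valid cookie
    forged_ok = cookies.on_ack(*legit, 80, ack=(isn + 2) & 0xFFFFFFFF, now=5)      # wrong cookie
    stale_ok = cookies.on_ack(*legit, 80, ack=(isn + 1) & 0xFFFFFFFF, now=200)     # minute 3 vs 0
    return {"stateful_accepts_legit": stateful_ok, "cookie_accepts_legit": cookie_ok,
            "cookie_accepts_forged": forged_ok, "cookie_accepts_stale": stale_ok}


if __name__ == "__main__":
    print(simulate())
```

The stateful listener turns the legitimate client away because 1,000 spoofed SYNs have filled a 256-entry backlog; the SYN-cookie listener has no backlog to fill, still completes the real handshake, and rejects both a forged ACK and a cookie that has aged out. On Linux the equivalent is the `net.ipv4.tcp_syncookies` sysctl; the same idea of keeping no state per half-open connection is why it belongs at the firewall or load balancer as well as on the server.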
Application Layer Attacks
Application-layer attacks are slower, longer-running attacks that target the layer where web pages are generated and HTTP requests are answered (layer 7). They aim at the expensive operations of a specific application, such as search pages, logins or anything that hits a database, where a cheap request from the attacker costs the server far more work than it cost to send. Because each request must complete a full TCP handshake and be well-formed, the source addresses cannot be spoofed; the attacker needs real, compromised devices, which is one reason IoT botnets are favoured for this. The traffic is low in volume and looks legitimate at first, so it slips past bandwidth-based defences, and by the time the pattern is clear the server has already run out of worker processes or database connections.
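Because these requests are individually legitimate, the defence is to account for what each client costs you rather than how many bytes it sends. As an added example (not code from the original post), the Python below replays constructed web-server access-log lines through a per-client sliding-window limiter in which expensive endpoints spend more of a client's budget than cheap ones. The log lines, the endpoint cost table and the budget figures are all made up for illustration; real weights come from measuring the application.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format lines, constructed for this example (not a real server log).
BASE = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def log_line(ip, offset_s, path, status=200, size=512):
    stamp = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


SAMPLE_LOG = []
for second in range(10):
    # 198.51.100.9 hits the (expensive) search endpoint three times a second for ten seconds.
    for n in range(3):
        SAMPLE_LOG.append(log_line("198.51.100.9", second, f"/search?q=term{second}{n}"))
    # 192.0.2.44 browses normally: one cheap page per second for eight seconds.
    if second < 8:
        SAMPLE_LOG.append(log_line("192.0.2.44", second, f"/products/{second}"))

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

# Relative cost of serving each endpoint (hypothetical weights; in practice, measure them).
ENDPOINT_COST = {"/search": 5, "/login": 3}


def cost_of(path):
    return ENDPOINT_COST.get(path.split("?", 1)[0], 1)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"]


class SlidingWindowLimiter:
    """Each client may spend at most `budget` cost units in any `window_s`-second window."""

    def __init__(self, window_s, budget):
        self.window_s = window_s
        self.budget = budget
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, cost)
        self.spent = defaultdict(int)      # ip -> cost currently inside the window

    def allow(self, ip, ts, cost):
        q = self.events[ip]
        while q and ts - q[0][0] >= self.window_s:     # forget events that left the window
            _, old = q.popleft()
            self.spent[ip] -= old
        if self.spent[ip] + cost > self.budget:
            return False
        q.append((ts, cost))
        self.spent[ip] += cost
        return True


def replay(lines, window_s=10, budget=20):
    """Replay log lines in order through the limiter and return {ip: requests rejected}."""
    limiter = SlidingWindowLimiter(window_s, budget)
    rejected = defaultdict(int)
    for line in lines:
        ip, ts, path = parse_line(line)
        if not limiter.allow(ip, ts, cost_of(path)):
            rejected[ip] += 1
    return dict(rejected)


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

With a budget of 20 units per 10 seconds, the client hammering /search gets four requests through and has the remaining 26 rejected, while the client browsing cheap pages is never touched, even though both are sending well-formed requests at a rate no bandwidth filter would notice. The same logic is what a web application firewall or reverse proxy applies in front of the origin.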
DNS amplification attacks abuse open DNS resolvers (servers that will answer queries from anyone on the internet) to swamp the target with traffic it never asked for. The attacker sends a resolver a small query with the source address forged to be the victim's, so the resolver's much larger reply is delivered to the victim instead. A query of a few dozen bytes can produce a response of several kilobytes, especially for record types such as ANY or TXT and when the query advertises a large EDNS0 buffer, so the attacker's bandwidth is multiplied many times over; this ratio is the amplification factor. Spread across a botnet, the victim sees a flood of legitimate-looking DNS responses from thousands of resolvers, while the bots' own addresses never appear in any of it. Other UDP services with the same small-request, large-response property (NTP, memcached, SSDP) are abused in the same way.
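To show where the factor comes from, the Python below is an added example (not code from the original post) that builds a real DNS ANY query for example.com in wire format, including the EDNS0 OPT record that permits a 4096-byte UDP response, then builds a constructed TXT response of the kind an attacker hopes to trigger, and compares the two sizes. Nothing is sent on the network; the response contents are made up for the example, and the function names are mine.

```python
import struct


def encode_name(name):
    """DNS name in wire format: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=255, udp_payload=4096, txid=0x1234):
    """Minimal DNS query: ANY (type 255) by default, plus an EDNS0 OPT record in the
    additional section advertising that the sender can receive `udp_payload` bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT: root name, TYPE=41, CLASS=advertised UDP size, TTL=0 (no extended flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def question_section(query):
    end = query.index(b"\x00", 12) + 1 + 4   # end of name, then QTYPE and QCLASS
    return query[12:end]


def build_txt_response(query, texts, ttl=300):
    """Constructed response: echoes the question, then one TXT record per string in `texts`,
    each answer naming its owner with a compression pointer (0xC00C) back to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    answers = b""
    for text in texts:
        data = text.encode("ascii")
        rdata = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                         for i in range(0, len(data), 255))   # TXT = <len><chars> chunks
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(texts), 0, 0)   # QR, RD, RA set
    return header + question_section(query) + answers


def parse_response(resp):
    """Walk a response of the shape built above; return (txid, answer count, total RDATA bytes)."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = resp.index(b"\x00", 12) + 1 + 4   # skip the single question
    rdata_total = 0
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:        # compression pointer: two bytes
            pos += 2
        else:                               # literal name: read to the terminator
            pos = resp.index(b"\x00", pos) + 1
        _rtype, _rclass, _rttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10 + rdlen
        rdata_total += rdlen
    return txid, an, rdata_total


def amplification_factor(query, response):
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_txt_response(q, ["A" * 255] * 8)   # eight maximal TXT strings, made up for the example
    print(len(q), "byte query ->", len(r), "byte response, factor", round(amplification_factor(q, r), 1))
```

The query comes to 40 bytes; the constructed response, eight TXT records of 255 characters each, comes to 2,173 bytes, a factor of about 54. Without the OPT record a resolver would truncate its reply at 512 bytes, which is why amplification tooling always sends one. On the defensive side the fixes are well known: egress filtering so that packets with forged source addresses never leave your network (BCP 38), not running resolvers that answer the whole internet, and response rate limiting on authoritative servers. A quick check for the second point is to query your resolver from outside your network, for example with `dig @<resolver address> example.com`; it should not answer.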
Real Life Examples Of DDoS Attacks
The first major DDoS attack of its kind occurred in February 2000, in a campaign commonly known as Project Rivolta, in which 15-year-old Michael Calce brought down the websites of large organizations such as Yahoo!, Fifa.com, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN. The attacks reportedly caused an estimated $1.2 billion in damage. Calce said his aim was to establish the dominance of his group, TNT, in the hacking world.
The FBI and the Royal Canadian Mounted Police later took Calce into custody. He pleaded guilty to the charges brought against him and, in September 2001, was sentenced to eight months of "open custody," one year of probation, restricted use of the internet, and a small fine.
Spring 2007 saw Estonia fall victim to one of the largest cyberattacks of its time, when political unrest between Estonia and Russia over the relocation of a Soviet-era monument in Tallinn sparked violent riots and targeted cyberattacks. The 22-day onslaught against Estonian information systems severely affected businesses, government organizations and health systems. According to NATO StratCom, damages in emergency web hosting services alone were estimated in the billions of euros, on top of the country's losses in productivity, business, and remediation costs.
In December 2014, the hacker group Lizard Squad hit both PlayStation Network and Xbox Live with DDoS attacks, stopping users from reaching the online servers and denying access to apps, games, streaming services like Netflix, and the platforms' respective stores. Lizard Squad claimed it attacked because PSN and similar platforms should be spending more on securing their users' sensitive information, a reference to the 2011 PSN breach, which exposed the personal information, passwords and credit card details of 77 million accounts, took the platform offline for 24 days, and ended in a $15 million settlement.
How To Stop DDoS Attacks
So, with the dangers of DDoS attacks laid out, you're probably wondering how you can defend your business against them. The honest answer is that you cannot stop an attacker from sending traffic at you. What you can do is make sure that traffic has somewhere to go other than your origin servers, and that whatever reaches them is filtered. Prepare your servers and network with these methods:
Configure Firewalls And Routers
Businesses should prepare for a quick response by configuring their firewalls and routers in advance. These remain the front-line defence on your own network: access-control lists that drop protocols and ports you do not serve, per-source rate limits, SYN cookies so that half-open connections do not consume memory, and dropping malformed or fragmented packets at the edge. Two caveats apply. A stateful firewall keeps per-connection state just like a server does, so in a protocol attack it can itself be the thing that falls over. And nothing on your premises helps once the attack is larger than your internet uplink, because the link is saturated before your firewall sees a single packet. For anything beyond a small flood you need capacity upstream, which is where scrubbing centres come in.
Scrubbing centers are a defence in which traffic bound for a service is routed through a facility that inspects it, separates attack traffic from legitimate traffic, and discards the attack traffic. They are built to withstand large floods at both the network and application layers, slow attacks, protocol (RFC) compliance violations and zero-day anomalies, and are usually operated by ISPs and cloud-based DDoS protection providers.
When an attack is detected, or permanently in "always-on" deployments, traffic is redirected to the scrubbing center, typically by changing DNS records (for a web application) or by announcing the victim's address prefixes over BGP (border gateway protocol) for a whole network. The scrubbing center drops the malicious traffic and forwards the clean remainder back to the original network, commonly over a GRE tunnel. There is also research into blockchain-based schemes in which participants share their unused bandwidth to absorb attack traffic, but these remain experimental.
Securing endpoints should also always remain a priority for businesses, because it keeps your own devices from being recruited into somebody else's botnet. With endpoint security tooling, admins can ensure that users' machines are patched and up to date, that unknown software cannot run, and that the beaconing and fan-out traffic described earlier gets spotted, minimising the risk of a compromise going unnoticed. The same applies to IoT devices on your network: change default credentials and keep them off the open internet.
And there you have it, a run-down of the ins and outs of DDoS attacks. There is a lot of information to take on board, and some complex processes to understand. Even with a good understanding of how DDoS works, there is no way to prevent an attacker from trying, and a large attack can still have severe consequences for your business.
However, by correctly configuring your firewalls and routers, arranging upstream scrubbing capacity before you need it, and implementing robust endpoint security, you can reduce the risk of your organization's devices being used in an attacker's botnet and greatly limit the impact of a DDoS attack on your business.