What is a DDoS Attack: Types & Mitigation Methods


A DDoS (Distributed Denial of Service) attack is a kind of robustness test of a company's IT infrastructure and services. Cybercriminals aim to prevent users from accessing a web resource. For a DDoS attack to succeed, the attacker sends more requests than the victim's server can handle, or sends fake requests. There is also a non-malicious equivalent: websites crash or slow down because they cannot cope with the flood of buyers during the busy selling season.

This type of attack was first mentioned in public in 1999, when Yahoo, eBay, Amazon, and CNN were attacked. Since then, this type of cybercrime has expanded rapidly. Companies offering DDoS-as-a-service have even appeared.

According to a report by Kaspersky, the total number of DDoS attacks decreased by 38.8 percent in the second quarter of 2021 compared to Q2 2020, and by 6.5 percent compared to the previous quarter of 2021. Businesses need to be able to protect their systems against DDoS. Cloud providers offering Infrastructure-as-a-Service can help in this matter.

DoS vs. DDoS: What is the difference?

Along with DDoS, intruders use another type of attack known as DoS (Denial of Service). The first case of DoS occurred in February 2000, when a Canadian hacker decided to overload the Amazon and eBay web servers.

During a DoS attack, requests are sent from a single source rather than from a network, and the attack targets a specific domain or virtual machine. It is similar to a DDoS because, in both scenarios, the goal is to disrupt access to a network or an online resource. But DoS has its own specific features:

  • Single-vector approach. Traffic flows from the same subnet.
  • Visibility. The attack on the site is visible in monitoring systems.
  • Easy to repel. DoS attacks are easy to block with a firewall or network router.

These attacks are not dangerous, but they do require software that recognizes and blocks the threat in time.

DDoS is characterized by other features:

  • Multithreading. Multiple channels of requests make it harder to protect a compromised resource, because it is impossible to quickly filter out all the attacking IP addresses.
  • Invisibility. The attack is well masked by normal traffic; the resource is gradually filled with "junk" requests, which makes the attack difficult to track.
  • Hard to stop. The inability to determine precisely when the attack was launched interferes with filtering the attacking IP addresses.

As you can see, distributed denial of service works "more efficiently", especially since it is extremely difficult to trace such an attack back to its source.

Reasons for DDoS

What is the motivation behind DDoS attacks? There are several possible reasons:

Conflict. Personal animosity is the cause of a significant number of cyberattacks against businesses and government agencies. For example, after a massive FBI raid on hackers in 1999, FBI websites were attacked. As a result, they were down for weeks.

Ideology. Disagreement with government or opposition policies can be the reason for a cyberattack. Hacktivists (IT specialists radicalized around a religious or political agenda) may support various political interests and express their protest through DDoS. Government and financial websites are often the victims of hacktivist DDoS attacks.

Boredom. The attacker might be a novice hacker, an IT tester, or just someone who decided to "play around" by ordering a short but harmful attack on some semi-legal resource.

Extortion. Hackers often demand a ransom from website owners to stop a DDoS attack. The amounts vary widely depending on the attacker's demands. Refusal to pay is followed by "punishment".

Unfair competition. A commissioned attack is far from rare. In the high season, competitors may try to crash other companies' sites to steal customers.

Masking. While you are busy blocking a DDoS, you may not notice another, more serious attack. Using junk traffic as cover is an effective and quite popular practice.

Who is targeted in a DDoS attack?

Almost any organization, and even an individual, may become the victim of a cyberattack. According to several reports, every sixth Russian company has faced this problem.

The following websites are among those at high risk:

  • Large enterprises and government agencies.
  • Banks.
  • Medical institutions.
  • Payment systems.
  • Popular blogs and media.
  • Online stores.
  • Gaming services.
  • Cryptocurrency exchanges.

Internet bulletin boards and travel agency sites also face DDoS attacks, but less frequently. In August 2021, Yandex revealed that it had experienced the largest DDoS attack in Russia. Before that, in 2020, Sberbank was attacked.

The Internet of Things (IoT) is another relatively new attack vector. Devices connected to the Internet often become part of a botnet or a wiretap channel.

How does a DDoS Attack Work?

The principle of DDoS lies right in the name of the attack itself: denial of service. Any equipment has a bandwidth limit as well as a limit on the number of requests it can process. The attack initiator aims to load all channels to the maximum so that legitimate users cannot get through to the service because of the huge number of fake requests.

These attacks involve botnets consisting of compromised computers that hackers can control. A botnet can number in the hundreds of thousands of machines. During the attack, hackers send requests from these bots to the victim's website. Since each computer initiates connections that are no different from the actions of an ordinary user, the attack is difficult to detect. The excess load becomes noticeable only as the number of requests grows.

Typically, a DDoS lasts a few hours. Yet there have been cases when a DDoS attack lasted for several days.

The attacks are divided into three types according to their effect:

  • Channel flooding. ICMP flooding, UDP flooding, DNS amplification.
  • Exploitation of network protocol stack weaknesses. "Ping of death", ACK/PUSH ACK flood, SYN flood, TCP null/IP null attack.
  • Application layer attacks. HTTP flooding, slow sessions, fragmented HTTP packets.


Types of DDoS Attacks

HTTP floods – multiple regular or encrypted HTTP requests are sent to the attacked server, flooding the communication nodes.

ICMP floods – the victim host is overloaded with service requests to which it is obliged to send echo replies.

SYN floods – exploit one of the basic mechanisms of the TCP protocol (the "request-response" handshake: SYN packet - SYN-ACK packet - ACK packet). The victim receives a wave of fake SYN requests that are never followed by an ACK. The server's queue of half-open TCP connections fills up with connections still waiting for their ACK packet.

UDP floods – the victim host's ports are flooded with UDP packets, and the responses to these packets overload network resources.

MAC floods – network ports are flooded with streams of "empty" packets carrying different MAC addresses.

Ping of Death – large numbers of oversized ICMP packets are sent to the victim's computer, resulting in a buffer overflow.

DNS spoofing – spoofing the IP address in the server's cache redirects the user to a fake page. Once the user is redirected, the attacker gains access to the user's data.

The Signs of an Attack

The following signs are typical of this type of cyberattack:

  • Hangups, random session terminations, and other server software and OS failures.
  • Excessively high load on the CPU, RAM, disk, and other server components.
  • A sudden increase in the number of requests per port.
  • Unusual behavior of a large number of users.
  • Massive requests to ports and services, similar to each other.
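The signs above (a sudden jump in requests, many near-identical requests) and the single-subnet versus many-subnet distinction drawn earlier can be checked directly against a web server's access log. The following is an added example, not code from the article or from Cloud4Y: it parses constructed combined-format log lines, counts requests per ten-second window, and for each window that exceeds an assumed threshold reports how many /24 subnets the traffic came from and how uniform the requests were.

```python
import re
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Constructed sample traffic (not from the article): three ordinary requests, then 40
# identical requests within ten seconds, each from a different /24 subnet.
SAMPLE_LOG = (
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    '198.51.100.7 - - [10/Dec/2021:12:00:04 +0000] "GET /cart HTTP/1.1" 200 830 "-" "Mozilla/5.0"\n'
    '203.0.113.44 - - [10/Dec/2021:12:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    + "".join(f'{100 + i}.{i}.{(i * 7) % 256}.9 - - [10/Dec/2021:12:00:{10 + i % 10} +0000] '
              f'"GET /search?q=x HTTP/1.1" 200 12 "-" "curl/7.0"\n' for i in range(1, 41))
)

def parse_line(line):
    """Return (timestamp, ip, request, user_agent) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, ua = m.groups()
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, request, ua

def analyze(log_text, window=10, threshold=20, similarity=0.8):
    """Flag every `window`-second slice with at least `threshold` requests, reporting how many
    /24 subnets it came from (one: DoS-like, many: DDoS-like) and the share of identical requests."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            when, ip, request, ua = parsed
            buckets[int(when.timestamp()) // window].append((ip, request, ua))
    findings = []
    for key in sorted(buckets):
        events = buckets[key]
        if len(events) < threshold:
            continue
        subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _, _ in events}
        # Share of requests with the same request line and User-Agent: scripted bots look alike.
        top = Counter((r, u) for _, r, u in events).most_common(1)[0][1] / len(events)
        findings.append({
            "requests": len(events),
            "subnets": len(subnets),
            "identical_share": round(top, 2),
            "uniform": top >= similarity,
            "kind": "single-source (DoS-like)" if len(subnets) == 1 else "distributed (DDoS-like)",
        })
    return findings
```

The threshold and window values are assumptions for the sample; in practice they should be derived from the site's own baseline traffic.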

How to prevent a DDoS attack

Filtering traffic based on content, IP addresses, and other parameters is considered the main way to protect against DDoS. There are two approaches to doing this:

  • Using your own server and software. This way you control your infrastructure and can customize it to your needs.
  • Using an anti-DDoS service. The company saves on equipment purchase and maintenance costs as well as IT specialists' salaries; protection is handled by a third-party organization.

The second method has been in demand on the market for five years. It is easier for companies to pay a fixed amount for protection, with the ability to connect and disconnect additional anti-DDoS services as needed.
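What "filtering traffic based on content, IP addresses, and other parameters" looks like in practice, as an added example that is not part of the article and not Cloud4Y's product: each request is checked against blocked content signatures, then against a token-bucket limit for its source IP (throttles one noisy client, the DoS case) and a larger limit for its source /24 subnet (throttles many clients from one network). The rates, burst sizes and signature list are illustrative assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

class TokenBucket:
    """Admits on average `rate` requests per second, with bursts of up to `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def take(self, now):
        # Refill in proportion to elapsed time, then spend one token if any is left.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class TrafficFilter:
    """Admit or drop a request based on its content, its source IP and its source /24 subnet.

    Limits are (rate per second, burst capacity); the defaults are assumed values for the example."""
    def __init__(self, per_ip=(2, 10), per_subnet=(20, 50), blocked_signatures=()):
        self.ip_buckets = defaultdict(lambda: TokenBucket(*per_ip))
        self.subnet_buckets = defaultdict(lambda: TokenBucket(*per_subnet))
        self.blocked = tuple(blocked_signatures)   # substrings of the request line or User-Agent
        self.dropped = Counter()                   # counts of drops by reason, for monitoring

    def admit(self, ip, request, user_agent, now):
        if any(sig in request or sig in user_agent for sig in self.blocked):
            self.dropped["signature"] += 1
            return False
        if not self.ip_buckets[ip].take(now):             # one client sending too much
            self.dropped["ip"] += 1
            return False
        subnet = ipaddress.ip_network(f"{ip}/24", strict=False)
        if not self.subnet_buckets[subnet].take(now):     # one network sending too much
            self.dropped["subnet"] += 1
            return False
        return True

def run(flt, events):
    """Feed (ip, request, user_agent, time) tuples through the filter; return how many were admitted."""
    return sum(1 for e in events if flt.admit(*e))
```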

Keep in mind that attacks often exploit vulnerabilities in an organization's IT infrastructure, so it is important to regularly update all software components. It is also worth checking that the corporate site and IT services can keep working under high load.

By collaborating with cloud providers, companies can get a comprehensive solution to protect their IT infrastructure, web applications, and online services from any type of DDoS attack. The providers use more powerful equipment and software solutions. They also have extensive experience in handling attacks and can quickly regain control of the situation, creating conditions in which the load does not affect the availability of infrastructure, applications, and services.


The Cloud4Y DDoS protection service integrates easily with client infrastructure hosted in the cloud and requires no data migration, additional configuration, software installation, or hardware purchase. Cleaning parameters are determined by the specifics of the business.

author: Alexander Vorontsov
published: 10/12/2021