What is a DDoS attack?
A distributed denial of service (DDoS) attack is when a hacker attempts to overwhelm a specific server, network, or service by flooding it with internet traffic. This is often done by first compromising a large number of computer systems, and then having them generate the coordinated traffic required to execute the attack. These systems can be computers, phones, or even IoT devices – anything that connects to a network has potential to be used for a DDoS attack.
With the huge increase of IoT devices over recent years, the number of entry points to networks has grown, giving hackers greater ability than ever before to carry out DDoS attacks. As a result, in 2022, the number of DDoS attacks worldwide increased by 150% compared to the previous year.
A DDoS attack is a type of denial-of-service (DoS) attack. Whereas a DoS attack uses only one internet connection to overwhelm the target with false requests, a DDoS attack is much more extensive and may utilize many thousands of devices, making it much more powerful.
The goal of a DDoS attack is to create a ‘traffic jam’ that prevents legitimate traffic from accessing the network or service. Attacks lead to results that can range from mildly inconvenient downtime to an extensive outage that exacts huge costs for the business.
A DDoS attack works by creating or taking over a network of devices connected to the Internet, which can then be remotely controlled using malware. Every device in the network is referred to as a ‘bot’, and together, the group is called a ‘botnet’. To launch an DDoS attack, the hacker instructs all of the distributed bots in the botnet to send requests to the target server’s IP address, causing it to be overwhelmed. As a result, the usual network traffic that would normally be accessing the server, like customers, is denied service.
Sometimes, DDoS attacks utilize applications that were originally designed to perform stress tests, enabling companies to assess how their website performs with high levels of traffic. In the wrong hands, and when used to activate many devices at once, these applications can create a huge number of access requests that is sufficient to bring network traffic to the targeted site to a complete standstill.
There are many different types of DDoS attacks, with each targeting a different aspect of a network connection. Each network connection is made up of seven layers, and the attacker may choose a specific layer on which to focus the DDoS attack. For example:
Attackers that execute DDoS attacks may have a number of motives:
The first step in preventing successful DDoS attacks is to set up an incident response team to recognize when one is occurring so it can be stopped.
Even without checking the actual network traffic accessing a server, some outward signs of a DDoS attack may be obvious, such as web pages loading unusually slowly. However, slow loading is a frequent occurrence on the web and can be hard to differentiate from typical day-to-day service issues.
When looking at network traffic, a sudden spike in traffic from similar users, perhaps with the same IP range, device, web browser, or geolocation may be signs of a DDoS attack. An attack may also be revealed by very high traffic targeted at a specific webpage or exceptionally high traffic at an unusual hour or according to a specific pattern.
Once you’ve identified that a DDoS attack is taking place, there are a number of ways that you can mitigate the attack.
Strategies and solutions can be applied to limit network traffic or identify suspicious traffic and block it. For example, limiting the rate of requests that can be received within a certain window of time can slow down a typical DDoS attack and limit the impact. A web application firewall (WAF) can be used to block application layer DDoS attacks by preventing malicious traffic from accessing the target server. Filters can be established to block certain types of requests based on activity that is suspicious.
An Anycast network can be used to scatter network traffic across distributed servers, allowing the network as a whole to continue working despite high volumes of incoming traffic.
As hackers are becoming more sophisticated, malicious traffic is becoming more difficult to differentiate from that of legitimate users. Attacks are being launched via many different vectors and malicious traffic can leverage random patterns that are hard to identify as an attack. Attacks may also combine different types of DDoS tactics, requiring a more complex mitigation strategy.
Using a Zero Trust Security Service Edge (SSE) solution, like Ericom, allows companies to ensure that their network is secure at every entry point. It also provides visibility into network traffic and applies policies at the edge, to keep apps and resources secure, ensuring maximum reliability and minimal downtime.