What is a DDoS attack?

A distributed denial of service (DDoS) attack is an attempt to make a server, network, or service unavailable by flooding it with more traffic or requests than it can handle. The attacker typically first compromises a large number of systems and then directs them to generate the coordinated traffic required for the attack. These systems can be computers, phones, routers, or IoT devices; anything that connects to a network can potentially be recruited into a DDoS attack.

The rapid growth in IoT devices over recent years, many of them shipped with weak default credentials and rarely patched, has greatly enlarged the pool of machines that can be recruited into botnets, giving attackers more capacity than ever before to carry out DDoS attacks. In 2022, the number of DDoS attacks worldwide reportedly increased by 150% compared to the previous year.

A DDoS attack is the distributed form of a denial-of-service (DoS) attack. A DoS attack comes from a single source, which can usually be identified and blocked with relative ease; a DDoS attack spreads the load across many thousands of devices, which both multiplies the volume of traffic and makes it far harder to filter, because there is no single source to block.

The goal of a DDoS attack is to create a ‘traffic jam’ that prevents legitimate traffic from reaching the network or service. The impact ranges from mildly inconvenient slowdowns to an extended outage that costs the business heavily in lost revenue and recovery effort.

How does a distributed denial of service (DDoS) attack work?

A DDoS attack starts with a botnet: a set of Internet-connected devices that have been infected with malware so that the attacker can control them remotely over a command-and-control channel. Each device in the network is referred to as a ‘bot’, and together the group is called a ‘botnet’. To launch a DDoS attack, the attacker instructs all of the distributed bots to send traffic to the target server’s IP address at the same time. Because the server, and the network links in front of it, can only handle so many packets, connections, or requests, the usual traffic that would normally reach it, such as customers, is denied service.

Attackers also use load-testing tools and so-called ‘stresser’ or ‘booter’ services, which were at least nominally built to let companies assess how their websites perform under high levels of traffic. Pointed at someone else’s site, and driven from many devices at once, these tools can generate enough requests to bring traffic to the targeted site to a complete standstill.

Types of distributed denial of service (DDoS) attacks

There are many different types of DDoS attacks, each targeting a different layer of the network stack. The OSI model divides network communication into seven layers, and an attacker usually aims at a specific layer. For example:

  • Volumetric attack – In this type of attack, the attacker sends enough data to consume all of the bandwidth available to the target organization’s network link. A particularly disruptive volumetric technique is DNS amplification: the attacker sends small DNS queries to open resolvers with the source IP address spoofed to the target’s address, so the resolvers send their much larger responses to the target instead of back to the attacker. Each small query thus produces a large response aimed at the victim, multiplying the bandwidth the attacker controls many times over.
  • Protocol layer attack – In a protocol layer attack, the attacker exhausts the state tables or processing capacity of servers and network equipment such as firewalls and load balancers by abusing layer 3 and layer 4 protocols. One protocol attack, the SYN flood, sends a stream of TCP connection requests (SYN packets), often from spoofed source addresses, and never completes the handshake. The server holds a half-open connection for each one until its connection table is full, at which point it can no longer accept legitimate connection requests.
  • Application layer attack – The application layer is the topmost (seventh) layer, the point at which the user interacts with the network service through the application. This is where HTTP requests are made and web pages are generated in response. Attackers can overwhelm a service at this layer by flooding it with HTTP requests, in what is known as an HTTP flood. These attacks need far less bandwidth than volumetric attacks, because a request such as a search or a login is cheap to send but can be expensive for the server to process, and the requests look much like legitimate traffic.
  • Network layer attack – In the dramatically titled POD (ping of death) attack, the attacker sends an ICMP echo request (‘ping’) as a series of IP fragments that, when reassembled, exceed the maximum IP packet size of 65,535 bytes. A vulnerable network stack that does not check the reassembled size overflows its buffer and crashes or hangs. Most modern network stacks check for this, but the attack is a reminder that malformed packets, not only sheer traffic volume, can take a host down.

How can a DDoS attack impact an organization?

Attackers execute DDoS attacks for a number of reasons:

  • Ideology – Hacktivist groups or state-aligned actors may take down a website belonging to an adversary state, or target a company or organization whose actions, social agenda, or political ties they disapprove of.
  • Business tactics – A company may hire attackers to shut down a competitor’s services.
  • Competitive advantage – Gaming services are particularly at risk: players seek an edge by slowing or knocking out their opponents’ connections, or choose to bring down an entire gaming network.
  • Extortion – Attackers demand payment to stop an ongoing attack, or threaten an attack unless a ransom is paid (ransom DDoS). DDoS is also sometimes used alongside ransomware to increase pressure on the victim.
  • Vandalism – Attackers may be cyber vandals seeking attention or simply wanting to cause mischief.

Distributed denial of service attack prevention

The first step in defending against DDoS attacks is to be able to recognize one quickly: set up monitoring and an incident response team that know what normal traffic looks like, so an attack can be identified and mitigated before it turns into a prolonged outage.

Outward signs

Even without inspecting the actual network traffic reaching a server, some outward signs of a DDoS attack may be obvious, such as web pages loading unusually slowly or the service becoming intermittently unreachable. However, slow loading is a frequent occurrence on the web and can be hard to distinguish from typical day-to-day service issues, so outward signs alone are not a reliable indicator.

Network traffic signs

In the network traffic itself, a sudden spike in requests from similar clients, for example the same IP range, device type, user agent, or geolocation, may be a sign of a DDoS attack. An attack may also show up as very high traffic aimed at a single page or endpoint, or as exceptionally high traffic at an unusual hour or in a regular pattern (say, a burst every ten minutes) that does not match normal user behaviour.
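The traffic signs above can be checked mechanically against a web server's access log. The following is an added example, not code from the original page or from Ericom: it parses Apache/Nginx combined-format log lines, flags any minute whose request count is far above the baseline, and reports how concentrated the flagged traffic is by /24 network, user agent and path. The log lines are constructed for the example (documentation IP ranges, a fake user agent), and the median-based baseline is an assumption; a production detector would derive its baseline from days of history rather than a few minutes.

```python
"""Spot a DDoS-like spike in web server access logs and summarize where it comes from."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
import ipaddress
import re

# Combined log format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.strftime("%Y-%m-%d %H:%M"),
        "path": m.group("path"),
        "ua": m.group("ua"),
    }


def net24(ip):
    """Collapse an address to its /24 so bots from one range group together."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def dominant(values):
    """Most common value and the share of the total it accounts for."""
    value, n = Counter(values).most_common(1)[0]
    return value, round(n / len(values), 2)


def analyze(lines, spike_factor=5.0):
    """Flag minutes with more than spike_factor * median requests and describe their traffic."""
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["minute"]].append(rec)
    if not per_minute:
        return []
    # Assumed baseline: the median requests-per-minute of the window being analyzed.
    baseline = median(len(v) for v in per_minute.values())
    alerts = []
    for minute in sorted(per_minute):
        recs = per_minute[minute]
        if len(recs) <= spike_factor * baseline:
            continue
        alerts.append({
            "minute": minute,
            "count": len(recs),
            "baseline": baseline,
            "top_net": dominant([net24(r["ip"]) for r in recs]),
            "top_ua": dominant([r["ua"] for r in recs]),
            "top_path": dominant([r["path"] for r in recs]),
        })
    return alerts


def constructed_log():
    """Constructed sample: three quiet minutes of varied traffic, then one minute
    flooded from a single /24 with one user agent hitting one page."""
    fmt = '{ip} - - [10/Oct/2023:{t}:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "{ua}"'
    normal_ips = ["203.0.113.7", "192.0.2.44", "203.0.113.21", "192.0.2.9"]
    pages = ["/", "/about", "/login", "/pricing"]
    uas = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)"]
    lines = []
    for minute in ("13:55", "13:56", "13:57"):
        for i in range(4):
            lines.append(fmt.format(ip=normal_ips[i], t=minute, s=i * 10, p=pages[i], ua=uas[i % 3]))
    for i in range(40):  # the flood minute: 40 bots in 198.51.100.0/24, same UA, same page
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}", t="13:58", s=i, p="/login",
                                ua="python-requests/2.31"))
    return lines


if __name__ == "__main__":
    for alert in analyze(constructed_log()):
        print(alert)
```

The interesting output is the concentration figures: a spike where one /24, one user agent and one path each account for 100% of the traffic is a much stronger DDoS signal than the raw count, and those same fields are what a WAF or rate-limiting rule would then key on.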

Once you’ve identified that a DDoS attack is taking place, there are a number of ways to mitigate it.

Blocking and limiting network traffic

Strategies and solutions can be applied to limit network traffic or to identify suspicious traffic and block it. For example, rate limiting, that is capping the number of requests accepted from a given client within a window of time, blunts a typical DDoS attack and limits its impact. A web application firewall (WAF) can block application layer DDoS attacks by filtering malicious requests before they reach the target server. Filtering rules can block requests that match suspicious patterns, such as a single user agent or IP range generating most of the traffic. Note that per-client rate limits alone are not enough against a large botnet, where each bot stays under the limit; aggregate limits per network range, per endpoint, or for the site as a whole are needed as well.
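A sliding-window rate limiter is the usual building block for the request limiting described above. The following is an added example, not code from the original page or from Ericom: it counts requests per client IP and, separately, per enclosing /24, so that a botnet spreading its requests thinly across many addresses in one range is still capped. The limits, window and the simulated traffic (one ordinary client plus 50 bots in a documentation range) are constructed for the example.

```python
"""Sliding-window rate limiting per IP and per /24, as a DDoS mitigation building block."""
from collections import defaultdict, deque
import ipaddress


class SlidingWindowLimiter:
    """Allow at most per_ip_limit requests per address and per_net_limit per /24 in any window."""

    def __init__(self, per_ip_limit, per_net_limit, window_seconds):
        self.per_ip_limit = per_ip_limit
        self.per_net_limit = per_net_limit
        self.window = window_seconds
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of admitted requests
        self.net_hits = defaultdict(deque)  # /24 -> timestamps of admitted requests

    @staticmethod
    def _net24(ip):
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def _prune(self, hits, now):
        """Drop timestamps that have slid out of the window."""
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def allow(self, ip, now):
        """Return True if the request should be served, False if it should be dropped or challenged."""
        ip_q = self.ip_hits[ip]
        net_q = self.net_hits[self._net24(ip)]
        self._prune(ip_q, now)
        self._prune(net_q, now)
        if len(ip_q) >= self.per_ip_limit or len(net_q) >= self.per_net_limit:
            return False  # over a limit: drop, or hand the client to a challenge page / WAF rule
        ip_q.append(now)
        net_q.append(now)
        return True


def simulate():
    """Constructed traffic: one ordinary client, then 50 bots in one /24, each bot below the per-IP limit."""
    limiter = SlidingWindowLimiter(per_ip_limit=10, per_net_limit=100, window_seconds=60)

    # Ordinary client: five requests spread over 40 seconds.
    legit_allowed = sum(limiter.allow("203.0.113.5", 1000.0 + 10 * k) for k in range(5))

    # Botnet: 50 hosts x 4 requests = 200 requests inside one window. Every host is under the
    # per-IP limit of 10, so only the /24 aggregate limit can stop the second half of the burst.
    bot_allowed = bot_denied = 0
    for host in range(1, 51):
        for k in range(4):
            if limiter.allow(f"198.51.100.{host}", 1000.0 + host + 0.2 * k):
                bot_allowed += 1
            else:
                bot_denied += 1

    # The ordinary client sits in a different /24 and is still served during the flood.
    legit_during_flood = limiter.allow("203.0.113.5", 1050.0)
    # Once the window slides past the burst, a bot address is admitted again (no permanent ban here).
    bot_after_window = limiter.allow("198.51.100.1", 1200.0)

    return {
        "legit_allowed": legit_allowed,
        "bot_allowed": bot_allowed,
        "bot_denied": bot_denied,
        "legit_during_flood": legit_during_flood,
        "bot_after_window": bot_after_window,
    }


if __name__ == "__main__":
    print(simulate())
```

Denied requests are deliberately not recorded in the window, so a client that is already blocked cannot extend its own block by retrying; whether that is the right choice depends on whether you want back-off behaviour or a hard cut-off. In a real deployment the deques would live in a shared store such as Redis so that every edge node sees the same counts.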

Scattering network traffic

An Anycast network advertises the same IP address from many locations, so each incoming packet is routed to the nearest of a set of distributed servers. Attack traffic is thereby spread across the capacity of the whole network rather than concentrated on a single data centre, allowing the service as a whole to keep working despite high volumes of incoming traffic.

SASE for comprehensive DDoS prevention

As attackers become more sophisticated, malicious traffic is becoming harder to distinguish from that of legitimate users. Attacks arrive via many different vectors, use randomized patterns that evade simple signatures, and often combine several DDoS techniques at once, which calls for a layered mitigation strategy rather than a single control.

Using a Zero Trust Security Service Edge (SSE) solution, like Ericom’s ZTEdge, allows companies to ensure that their network is secure at every entry point. It also provides visibility into network traffic and applies policies at the edge, to keep apps and resources secure, ensuring maximum reliability and minimal downtime.