What is a DDoS Attack? The Complete Guide

What is a DDoS Attack?

The phrase Distributed Denial-of-Service (DDoS) Attack is used to describe a computer crime where an attacker sends a stream of traffic to a server to prevent individuals from accessing associated websites and online services. Distributed Denial of Service (DDoS) is a form of DOS attack where more than one system, which is trojan infected, attacks a specific system which results in a DoS attack. A DDoS attack employs numerous servers and Internet connections to overwhelm the targeted resource. A DDoS attack is one of the strongest tools available on the cyber platform.

What is the Difference Between DDoS and DoS?

Even-though DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks are both designed to flood a network with malicious traffic, there are some subtle differences between them. Unlike a DDoS attack, a DoS attack doesn’t rely on creating a botnet of distributed devices to carry out the attack. Instead, it uses a single-source SYN flood, which manipulates the TCP three-way handshake. DoS attacks tend to focus on specific servers as opposed to entire networks, and they don’t target devices between the attacker and the organization. Given that DDoS attacks are more effective than DoS attacks, they have become more popular in recent years.

How Do DDoS Attacks Work?

Web servers, and other network resources, can only handle a certain number of requests at any one time. If the number of requests to a server or network resource exceeds these limits, they will grind to a halt, thus preventing any new requests from being serviced. A DDoS attack typically uses a ‘botnet’ to deliver large volumes of traffic. In other words, the hackers will try to create a network of computers, or ‘zombie networks’, by compromising remote devices, usually on an ad-hoc basis, via social engineering, or some other technique. Once infected, they will be ordered to simultaneously launch an attack, thus overwhelming the target server. It’s worth noting that few cybersecurity professionals really understand how DDoS attacks work, let alone how to stop them. This is because DDoS attacks originate from outside of their networks, and don’t require the use of malware or direct phishing attempts to be effective.

What Are Some Common Types of DDoS Attacks?

Below is a list of the most common types of DDoS attacks:

1. Application- Layer Attacks: Attacks that primarily target the application layer of networked services are referred to as application layer DDoS attacks. Stated differently, these attacks prey on particular weaknesses in online apps to stop them from functioning. Attacks at the application layer target the communication protocols that are used when two applications exchange data over the internet. Despite being one of the simplest DDoS assaults to initiate, they are challenging to stop and control. Here are a few examples of application layer attacks:
   • HTTP Floods: These malicious attacks take use of the HTTP internet protocol, which is used to deliver and load material over the internet. They overload a server, website, or web application with a huge volume of HTTP GET or POST requests, causing it to slow down or crash.
   • Slow and Low Attack: This kind of attack, commonly referred to as a denial of service attack (DoS), is intended to avoid detection by delivering HTTP requests and traffic that seem authentic at a very sluggish pace. Slow and low attacks can be launched from a single computer or via a botnet, and they use very little bandwidth. Since the traffic in a slow and low attack resembles genuine layer 7 communication and is not transmitted at a rate that raises security alerts, it appears to be challenging to identify.
   • Slowloris: Through the establishment and maintenance of numerous concurrent HTTP connections to a target server, a Slowloris DDoS attack aims to overload a web server. Slowloris consumes server resources by making requests that look like normal traffic but are actually slower than usual. One characteristic of the HTTP protocol that attackers exploit is the ability of clients to divide GET or POST requests into several packets. In order to compromise a specific web server, a Slowloris attack creates several connections and maintains them open for as long as feasible.
2. Protocol Attacks: Protocol attacks target the Layers 3 and 4 of the OSI model’s internet communications protocols in an effort to take advantage of its weaknesses. State-exhaustion attacks, another name for protocol attacks, disrupt services by using excessive amounts of server and/or network resources, such as load balancers and firewalls. Malicious connection requests that exploit the Internet Control Message Protocol (ICMP) or Transmission Control Protocol (TCP) protocols are used in these attacks to try to deplete the processing power of various network infrastructure resources. The following are some examples of protocol-based attacks:
   • SYN Flood: A SYN flood, also known as a half-open attack, is a kind of denial-of-service attack that seeks to render a server inaccessible to authorized traffic by using up all of its resources. On a targeted server system, the attacker can overload all available ports by sending initial connection request (SYN) packets frequently. This makes the targeted device react slowly or not at all to genuine traffic.
   • Smurf DDoS Attack: Smurf attacks are distributed denial-of-service (DDoS) attacks that use spoof source addresses and Internet Protocol (IP) broadcast addresses to flood a targeted network or device with fake traffic. In order to overload the target’s network or device, this enables an attacker to increase the volume of traffic generated.
3. Volumetric Attacks: A distributed denial-of-service attack, which aims to overload a server’s or network’s capacity and cause it to malfunction or slow down, is typically suspected of being the source of this attack. Volumetric assaults cause packet loss, interfere with services, and clog networks by sending massive volumes of traffic to a single server. Bits per second (bps), packets per second (pps), or connections per second (cps) are commonly used to quantify the speed of these attacks. Volumetric assaults typically affect the OSI (Open Systems Interconnection) architecture’s Layers 3 and 4, which are the gold standard for terminology used to describe how the technical services communicate. It can be difficult for the server, network device, or its security barriers to separate legitimate requests from malicious traffic when there is a lot of traffic. The server uses up resources like bandwidth, processing power, and memory as it tries to handle and respond to each request in incoming traffic. Volumetric attacks are typically used as a distraction from more dangerous cyberattacks or other types of DDoS attacks.
4. DNS Amplification Attacks: A database known as the Domain Name System (DNS) is used to store internet domain names and convert them into IP addresses. In a DNS reflection/amplification distributed denial-of-service (DDoS) assault, the attacker manipulates open DNS servers in two steps. The hacker initially sends a large number of requests to DNS servers using a faked IP address. When the DNS server responds to the request, an attack is launched on the intended victim. Due to the fact that these assaults are greater than the spoof request, the victim server receives a lot of traffic. For a business or organization, the attack frequently leaves all data completely inaccessible.

How to Identify a DDoS Attack in Progress?

Early detection of a Distributed Denial of Service (DDoS) attack is important to stop it from causing significant damage. The following are the typical indications of an impending DDoS attack:

1. Traffic Spikes: During a DDoS (Distributed Denial of Service) attack, a target server or network is overloaded due to an abrupt and significant rise in network traffic, frequently from several sources. DDoS attacks can result from a sudden spike in traffic, particularly from a single IP address or a small group of IP addresses. Some indicators of an imminent DDoS attack can also be found with the help of traffic analytics software.
2. Old Traffic Patterns: DDoS assault could start with such traffic patterns. Unexpected activity, such as spikes at strange times, repetitive queries to particular endpoints, or unexpected traffic geographic areas, could all be signs of a DDoS site.
3. Website Slowness: A website or online services that are notably slow or unresponsive may be the result of malicious traffic flooding. It is a typical sign that all of your server’s resources are being strained by a DDoS attack. The inability to access a website or online service or a noticeable drop in performance could be warning indicators.
4. Regular Timeouts: An increase in server failure, such as HTTP 503 (Service Unavailable), or recurring timeouts, which may suggest that your server is having trouble managing the volume of incoming requests, are signs of a DDoS attack.
5. Server Resource Utilization: Another element that contributes to DDoS assaults is excessive server resource usage. The server may be the target of a DDoS attack if there is an unanticipated increase in CPU or memory utilization that is not accompanied by an increase in genuine user activity.
6. Sudden Increase in Spam Mails: An unusual or abrupt increase in spam emails is one of the causes of a DDoS attack. Given that DDoS attacks occasionally entail delivering malicious traffic in large quantities to email servers, this abrupt increase in spam emails may also be an indication.

How Can You Mitigate a DDoS Attack?

As mentioned above, the biggest problem we have when it comes to mitigating DDoS attacks is that it is very hard to differentiate between legitimate traffic and DDoS traffic. This is because DDoS traffic can arrive in many forms, from many different locations, and target many different network resources. For example, some DDoS attack vectors use multiple attack pathways, which might include HTTP flooding coupled with DNS amplification. As such, we need to adopt a layered approach, which may involve the following techniques:

1. Blackhole routing: This is where you funnel traffic into a ‘blackhole’, where the traffic is essentially discarded. This approach can be effective if the restriction criteria are properly configured. If it is not, both legitimate and malicious network traffic will be lost, thus making the network inaccessible.
2. Rate limiting: Limiting the number of requests a server will accept over a certain time-frame is also an effective way to minimize the damage caused by a DDoS attack. However, rate limiting alone will not be able to completely prevent DDoS attacks.
3. Web application firewall: A Web Application Firewall (WAF) focuses on protecting the Application Layer. By placing a WAF between the internet and your network, you can filter out certain types of malicious traffic. Modern WAF solutions also use machine learning techniques to learn anomalous activity patterns.
4. Anycast network diffusion: Anycast is a network addressing and routing method which can route incoming requests to a variety of different locations. It essentially scatters traffic across a network of distributed servers, thus preventing the DDoS attack from making any specific server or resource inaccessible. The effectiveness of anycast network diffusion depends on both the size of the attack and the size of the network. Naturally, the bigger the network of distributed servers, the more effective it will be.

Conclusion

DDoS attacks can be incredibly disruptive and damaging to your organization, so it’s vital that you have an adequate incident response plan in place. With Lepide, you can audit changes and interactions in Active Directory and data stores in real time, and respond to threats instantaneously with pre-defined threat models.