Picture this: A crowd of people suddenly, without warning, enters a tiny shop with room for only a handful of customers. All these extra people make it impossible for real customers to get in or out. They do not intend to shop — instead they want to disrupt the regular business operations, and the traffic jam they create prevents the shop from doing any normal business.
That’s what a DDoS attack is like. Today, distributed denial-of-service attacks are among the most sophisticated cyberattacks out there, causing serious damage to targeted enterprises. In fact, just this week, a new zero-day vulnerability called “HTTP/2 Rapid Reset” has been exploited in a big way to launch "the largest DDoS attacks in internet history".
So, in this article, I’ll explain DDoS attacks: how they work, the types of DDoS attacks, and what DDoS-as-a-service is. We’ll also delve into important statistics about DDoS attacks, how to detect them, and the techniques for preventing them.
DoS attack overview
First things first: DoS attacks. A denial-of-service (DoS) attack is a cyberattack that floods a host machine, network, or service with more requests or malicious network traffic than it can handle.
A system under such a DoS attack can become completely unresponsive or slow in responding, disrupting its services to legitimate users.
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a variation of DoS. An attack becomes a distributed DoS attack when the large volume of traffic directed at the host machine, network, or service comes from many different sources.
Attackers carry out DDoS attacks using several compromised machines, such as personal computers, servers, mobile devices, IoT devices and network devices. That means that blocking one source of traffic does not help defeat the DDoS attack.
You will need better ways to block them.
How DDoS attacks work
Attackers use multiple interconnected machines infected with malware to execute a DDoS attack. Often, these machines number in the thousands. Importantly, they come from various IP addresses or sources. These infected machines are called ‘bots’, and the networks of such machines are called ‘botnets’ or ‘zombie networks.’
Attackers control these machines remotely through a command-and-control (C&C) server, a central system used to issue orders to the botnet. When executing the attack, the attacker instructs the botnet to send a massive volume of traffic or requests to the targeted machine.
Because every system has a specific capacity or amount of network traffic it can handle, the system will, sooner or later, become overwhelmed and ultimately unresponsive. This denies service to legitimate traffic: real people who are really trying to access a website or system. (And now you know why it’s called a distributed denial of service!)
Trends & patterns with DDoS Attacks
Recent research makes it clear just how significant DDoS attacks are, and they sure are not disappearing anytime soon. Research reports a 200% increase in DDoS attacks in the first quarter of 2023. More specifically, we understand that:
- 32% of all DDoS attacks were DNS-based DDoS attacks.
- VM-based botnets can generate stronger DDoS attacks than IoT-based botnets.
- Attacks targeting cryptocurrency companies grew by 600%.
Who’s being attacked and why? Well, if you’re large enough, you’re inherently an attack target. More specifically, organizations in the U.S. have been the largest source of HTTP DDoS attacks. And overall, the finance and telecommunications industries were the primary targets of DDoS attacks.
And all that explains why the global DDoS protection and mitigation market is expected to reach $7.45 billion by 2030.
Types of DDoS Attacks
There are several types of DDoS attacks, typically categorized along two main factors:
- The target of the attacker
- The targeted layer of the Open Systems Interconnection (OSI) model
Application layer attacks (Layer 7 DDoS attacks)
An application-layer DDoS attack aims to overwhelm server resources by sending more resource-intensive requests than the server can handle. A web server often runs application logic and database operations when rendering a web page, and these attacks target that layer, where web pages are generated in response to HTTP requests.
For example, HTTP flooding involves a botnet sending many HTTP requests to a server, aiming to consume its resources. This attack resembles pressing refresh in a web browser over and over, from many machines at once. It leads to a flood of HTTP requests that the server cannot handle, ultimately denying the service.
Application-layer attacks are difficult to defend against because the requests, often to randomized URLs, are hard to distinguish from legitimate traffic.
Protocol attacks (State-exhaustion attacks)
Protocol attacks exploit weaknesses in the layer 3 and layer 4 protocols of the OSI model. These attacks are also known as ‘state-exhaustion attacks’. They exhaust the resources of servers and of other network devices, such as load balancers and firewalls.
One example of a protocol attack is the SYN flood, where the server receives many Transmission Control Protocol (TCP) handshake requests from malicious IP addresses. The server sets aside resources for each half-open connection while it waits for a handshake that never completes, so the requests eventually exceed its capacity.
Another example is the ‘Smurf attack,’ which exploits IP broadcast networks to direct a large volume of traffic at a target that cannot handle it.
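A practical first check for the SYN flood described above is to count how many connections are stuck half-open. The following is an added example, not code from the original article: it parses the output of `ss -tan` (the Linux socket statistics tool) and counts connections in the SYN-RECV state, overall and per peer address. The sample output and the alert threshold are constructed for illustration.

```python
"""Count half-open TCP connections from `ss -tan` output.

Added example, not from the original article. During a SYN flood the server's
connection table fills with entries stuck in SYN-RECV (waiting for the client's
final ACK that never arrives). Counting those states is a cheap first check.
The sample output below is constructed; real `ss -tan` output has the same columns.
"""
from collections import Counter

# Constructed sample of `ss -tan` output (IP addresses from documentation ranges).
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB    0      0      10.0.0.5:443         198.51.100.4:40001
SYN-RECV 0      0      10.0.0.5:443         203.0.113.7:51234
SYN-RECV 0      0      10.0.0.5:443         203.0.113.7:51235
SYN-RECV 0      0      10.0.0.5:443         203.0.113.9:60002
SYN-RECV 0      0      10.0.0.5:443         192.0.2.17:33001
ESTAB    0      0      10.0.0.5:22          192.0.2.50:52010
SYN-RECV 0      0      10.0.0.5:443         203.0.113.7:51236
LISTEN   0      128    0.0.0.0:443          0.0.0.0:*
"""


def peer_ip(addr_port: str) -> str:
    """Strip the port from 'host:port' (IPv4) or '[v6]:port' forms."""
    return addr_port.rsplit(":", 1)[0].strip("[]")


def summarize_ss(output: str) -> dict:
    """Return per-state connection counts and SYN-RECV counts per peer address."""
    states = Counter()
    half_open_by_peer = Counter()
    for line in output.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        states[state] += 1
        if state == "SYN-RECV":
            half_open_by_peer[peer_ip(peer)] += 1
    return {"states": dict(states), "half_open_by_peer": dict(half_open_by_peer)}


def syn_flood_suspected(summary: dict, max_half_open: int = 3) -> bool:
    """Flag when half-open connections exceed a threshold.

    The default threshold (3) is deliberately tiny so the constructed sample trips
    it; on a real server, set it relative to the normal baseline. SYN flood
    sources are frequently spoofed, so the per-peer breakdown may show many
    unrelated addresses rather than a few heavy hitters.
    """
    return summary["states"].get("SYN-RECV", 0) > max_half_open


if __name__ == "__main__":
    s = summarize_ss(SAMPLE_SS_OUTPUT)
    print(s)
    print("SYN flood suspected:", syn_flood_suspected(s))
```

On a live system you would feed `subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout` into `summarize_ss` on a schedule and alert on the trend, since a single snapshot of SYN-RECV counts can also rise briefly under legitimate load.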
Volume-based attacks (Volumetric attacks)
Volume-based attacks attempt to saturate the network bandwidth available to the target system.
Attackers can carry out such attacks in several different ways. Examples include flooding the target with ICMP packets or User Datagram Protocol (UDP) packets to saturate its bandwidth.
Another popular volumetric attack is DNS amplification. There, an attacker asks an open DNS server to look up a domain name while pretending to be the target system. When the DNS server replies with the DNS record, the reply doesn't go back to the attacker who asked but to the target. So, the target gets a much bigger response than the tiny question the attacker first sent.
Yo-Yo DDoS Attacks
Yo-Yo DDoS attacks are a more recent form of DDoS attack that targets cloud resources. Here, the attackers send a large volume of traffic to a cloud computing system with auto-scaling enabled. The goal is to make those services, such as application load balancers, scale up automatically to accommodate that traffic.
After that, the attacker stops the traffic, causing the system to scale down again to reduce the over-provisioned resources. Then, the attacker again sends a large volume of traffic, scaling up the system.
Yo-Yo attacks cause the cloud computing system to repeatedly scale up and down — hence its name. This phenomenon can increase the cost of computing resources while reducing the quality of service.
DDoS-as-a-service is a service model where hackers perform DDoS attacks on behalf of a paying client. Customers who lack the skills to carry out a DDoS attack themselves can still use such a service, provided they know how to find it on the dark web.
The service provider operates the botnet that executes the DDoS attacks, so customers don't need to manage a botnet or understand the technical nuances behind DDoS tactics. Customers typically pay in cryptocurrency.
As with legitimate cloud services such as SaaS and PaaS, these providers offer subscriptions, discounts, and other options to attract customers to their business.
Signs you’re experiencing a DDoS attack
There are a number of indicators that you might be under DDoS attack:
- A sudden or unexpected increase in traffic (though there are legitimate reasons for traffic to rise).
- System slowness or non-response. (Beware: websites can load slowly, or not at all, for many reasons, and not all of them mean a DDoS attack.)
- Unusual traffic patterns, e.g. current traffic that deviates from your normal patterns, such as traffic that does not match your typical user base or that arrives at unusual hours.
- An increase in traffic to a single endpoint, e.g. one part of your system, such as a specific URL, suddenly receives far more traffic than the others.
- A high volume of traffic from a single IP or a small range of IPs. This indicates that these addresses could be part of a larger botnet.
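Three of the indicators in the list above (a burst in request volume, traffic concentrating on one URL, and traffic concentrating in one IP range) can be scored directly from web server access logs. The following is an added example, not code from the original article: it parses Common Log Format lines, flags minutes whose request count is far above the median, and reports the dominant path and /24 network within those minutes. The log lines, addresses and thresholds are constructed for illustration.

```python
"""Score web access logs for DDoS indicators (added example, not from the article).

Reads Common Log Format lines and checks three signs: a burst in request volume,
requests concentrating on a single URL, and requests concentrating in a single
IPv4 /24 network. All sample data below is constructed.
"""
from collections import Counter
import ipaddress
import re
import statistics

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: three quiet minutes of normal browsing ...
QUIET_LINES = [
    '198.51.100.4 - - [10/Oct/2023:13:54:02 +0000] "GET / HTTP/1.1" 200 1024',
    '192.0.2.50 - - [10/Oct/2023:13:54:15 +0000] "GET /about HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2023:13:54:31 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.61 - - [10/Oct/2023:13:54:48 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "GET /products HTTP/1.1" 200 4096',
    '192.0.2.77 - - [10/Oct/2023:13:55:20 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.12 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 2048',
    '192.0.2.50 - - [10/Oct/2023:13:55:59 +0000] "GET /cart HTTP/1.1" 200 768',
    '198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "GET / HTTP/1.1" 200 1024',
    '192.0.2.61 - - [10/Oct/2023:13:56:17 +0000] "GET /products HTTP/1.1" 200 4096',
    '198.51.100.20 - - [10/Oct/2023:13:56:29 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.77 - - [10/Oct/2023:13:56:44 +0000] "GET /about HTTP/1.1" 200 2048',
    '198.51.100.4 - - [10/Oct/2023:13:56:58 +0000] "GET /cart HTTP/1.1" 200 768',
]
# ... then a minute in which fourteen hosts from one /24 hammer /login,
# alongside two ordinary requests.
BURST_LINES = [
    f'203.0.113.{i} - - [10/Oct/2023:13:57:{i:02d} +0000] "POST /login HTTP/1.1" 401 0'
    for i in range(1, 15)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:57:20 +0000] "GET /about HTTP/1.1" 200 2048',
    '192.0.2.50 - - [10/Oct/2023:13:57:45 +0000] "GET / HTTP/1.1" 200 1024',
]
SAMPLE_LOG = QUIET_LINES + BURST_LINES


def parse_line(line: str):
    """Parse one Common Log Format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]  # 'dd/Mon/yyyy:HH:MM'
    return rec


def network_of(ip: str, prefix: int = 24) -> str:
    """Map an address to its /24 (IPv4 assumed); unparsable input is returned as-is."""
    try:
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    except ValueError:
        return ip


def top_share(counter: Counter):
    """Return (most common key, its share of the total)."""
    total = sum(counter.values())
    if total == 0:
        return None, 0.0
    key, n = counter.most_common(1)[0]
    return key, n / total


def analyze(lines, burst_factor: float = 3.0) -> dict:
    """Flag burst minutes (count > burst_factor * median) and, within them,
    the dominant request path and source /24."""
    records = [r for r in map(parse_line, lines) if r]
    per_minute = Counter(r["minute"] for r in records)
    baseline = statistics.median(per_minute.values())
    burst = sorted(m for m, c in per_minute.items() if c > burst_factor * baseline)
    focus = [r for r in records if r["minute"] in burst] or records
    top_path, path_share = top_share(Counter(r["path"] for r in focus))
    top_net, net_share = top_share(Counter(network_of(r["ip"]) for r in focus))
    return {
        "per_minute": dict(per_minute),
        "baseline_per_minute": baseline,
        "burst_minutes": burst,
        "top_path": (top_path, path_share),
        "top_network": (top_net, net_share),
    }


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The median baseline keeps a single burst minute from dragging the "normal" level up, which a plain mean would do. A high share for one path or one /24 is what separates a DDoS from a legitimate spike, where traffic usually stays spread across pages and networks; note, though, that a genuinely distributed botnet will show a low per-network share while the volume indicator still fires.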
How to detect & prevent DDoS attacks
Like anything in cybersecurity, there is no sure prevention mechanism. Bad actors and hackers get better at what they do every day. Still, these are tried and true approaches that, together with a comprehensive security program, will help you prevent DDoS attacks.
- Web application firewalls (WAF). A WAF acts as a reverse proxy that can identify and block malicious traffic. You can configure rules to filter traffic and blunt Layer 7 attacks.
- Black hole routing. The internet service provider sets up a "black hole", a route or network device that simply drops whatever is sent to it, and directs the attack traffic straight into it. This technique quickly stops a DDoS attack by dropping all traffic from the attacking sources. (Any legitimate traffic routed into the black hole is dropped as well.)
- Rate limiting caps the number of requests a server or an application will accept in a given period.
- Anycast network diffusion advertises the same address from many locations and routes each request to the nearest or best one. Thus, the DDoS traffic does not all reach the same destination, diffusing the attack across the network.
- Regular traffic monitoring helps detect traffic anomalies and trigger alarms, enabling you to take action immediately when a suspicious traffic pattern is detected.
- Employee awareness. Ensure that your employees are well-educated about DDoS attacks. They need to know two things: how to detect them and how to respond and report appropriately.
- DDoS protection solutions are specialized solutions designed to detect and mitigate DDoS attacks.
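The rate limiting item above is the one control on the list that most teams implement in their own code, so here is an added example of how it is commonly done; this is not code from the original article. It implements a per-client token bucket: each client has a bucket that refills at a fixed rate up to a capacity, and a request is accepted only if a token is available. The simulation compares a client sending a burst against one browsing at a steady pace; the clients, rates and timings are constructed for illustration.

```python
"""Per-client token-bucket rate limiter (added example, not from the article).

Each client key owns a bucket that refills at `rate` tokens per second up to
`capacity`. A request consumes one token; with none left it is rejected. The
clock is injectable so the behaviour can be simulated deterministically.
"""
from collections import Counter
import time


class ManualClock:
    """Constructed clock for the simulation; call it to read the current time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class TokenBucketLimiter:
    def __init__(self, rate: float, capacity: float, clock=time.monotonic):
        self.rate = rate            # tokens added per second
        self.capacity = capacity    # maximum burst a client may send at once
        self.clock = clock
        self._buckets = {}          # client key -> (tokens, last update time)

    def allow(self, key: str) -> bool:
        """Return True and consume a token if the client may proceed."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Refill for the time elapsed since the last request, capped at capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def run_simulation(rate: float = 2.0, capacity: int = 5) -> dict:
    """Constructed scenario: 'bot' fires 20 requests at t=0; 'user' sends one
    request every 0.5 s for 5 s. Returns allowed/rejected counts per client."""
    clock = ManualClock()
    limiter = TokenBucketLimiter(rate=rate, capacity=capacity, clock=clock)
    events = [(0.0, "bot")] * 20 + [(i * 0.5, "user") for i in range(10)]
    results = {"bot": Counter(), "user": Counter()}
    for t, key in sorted(events):
        clock.now = t
        verdict = "allowed" if limiter.allow(key) else "rejected"
        results[key][verdict] += 1
    return {k: dict(v) for k, v in results.items()}


if __name__ == "__main__":
    print(run_simulation())
```

The steady client is never rejected because its bucket refills a full token between requests, while the bursting client gets exactly `capacity` requests through and nothing more until time passes. Two caveats follow directly from the article's own points: keying the bucket by source IP helps little against a botnet whose traffic comes from thousands of addresses (key it by account or session where you can, and combine it with a WAF and upstream filtering), and no application-level limiter helps against a volumetric attack, which saturates the link before requests ever reach the application.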
Don’t deny service to your users
Today, DDoS attacks are one of the leading cyberattacks. Without robust prevention mechanisms, they’re difficult to detect and stop. As discussed in this article, there are various types of DDoS attacks based on their intended targets and techniques, and the DDoS-as-a-service model allows anyone to execute a DDoS attack without any technical knowledge of it.
According to the latest statistics and reports, DDoS attacks continue to increase. Take the necessary precautions to mitigate these DDoS attacks.
This posting does not necessarily represent Splunk's position, strategies or opinion.