A distributed DoS attack carried out simultaneously from a vast number of devices that attackers have taken control over, gaining the ability to send commands to generate floods of bogus requests. An attack of this kind can cause a denial of service to systems owned by a large enterprise or to an entire network.
The purpose of a DDoS attack is to achieve denial of service for devices connected to the Internet: network equipment and infrastructure, various Internet services, websites and web applications, IoT infrastructure.
The vast majority of attacks develop in the following sequence:
In case of a successful attack, the attacked resource will demonstrate a significant decrease in performance or will not be able to process legitimate requests from users and other services at all. Depending on what exactly the victim resource is, the consequences of a successful DDoS attack can be a sharp drop in performance or inaccessibility of the network, server, Internet service, website, application. As a result, the Internet resource “freezes”, legal users cannot access it at the right time, the network or server becomes temporarily “cut off” from the Internet, the Internet resource stops working correctly, etc.
Attackers may have different motivations. The most common occurrences are unfair competition, attempts at blackmail, conflicts of interest or beliefs, and social or political protest. Revenge attacks, a desire to “practice” the criminal hacking craft, and vanity are also common. However, in recent years, the desire of DDoS attackers to earn extra money has come to the fore. And if the order for an attack is generously paid, it can be quite intense, last for many hours, modified and repeated over and over again.
The damage from a successful DDoS attack primarily lies in financial and reputational costs: lost profits, termination of contracts and loss of users, numerous complaints from customers, a wave of negativity in the media and social networks and, as a result, the decline in popularity of the Internet resource and its owner. Often, a DDoS attack is used as a cover for the main malicious impact in targeted attacks: while cybersecurity specialists focus on DDoS mitigation and system recovery, attackers strengthen the main attack vector - for example, hacking a service, stealing confidential data, or installing malicious codes.
The most common targets for DDoS attacks are government, financial institutions, gaming services, and e-commerce companies. With the onset of the pandemic, attacks on educational resources, video conferencing services, online cinemas, media and entertainment sites have sharply increased.
One of the most intense and lengthy was the series of DDoS attacks in 2007 against government, financial, media and other resources in Estonia, which most likely became an expression of protest against the demolition of monuments to Soviet soldiers who liberated the republic.
Another major attack was carried out in 2013 against the international non-profit organization Spamhaus, which aims to fight spam. It can be assumed that the cybercriminals interested in spreading spam were clearly unhappy with her successful activities.
In 2014, one of the most powerful DDoS attacks in history was carried out - this time against the growing Occupy Central movement in Hong Kong, which advocated changing the country's voting system.
In 2015 and 2018, two more DDoS attacks took place against the world's largest Internet resource for joint development and hosting of IT projects GitHub.
The most commonly used method of classifying attacks is by the OSI layer at which they occurred. Let's list the most common types of attacks:
Another common method of classification is by the method of exposure:
Before taking on the use of means of protection against DDoS attacks, you should take care of increasing the degree of security of the Internet service - its ability to effectively repel attacks with a minimum waste of resources. Otherwise, in order to secure the Internet service from influences, you will have to spend a lot of effort and money. Shortly, to increase security you need:
Possibilities of protection against DDoS attacks can and should be provided in an Internet resource even at the stage of designing its architecture: good design will increase the availability of the resource and reduce the cost of protecting it from attacks here:
As for the protection tools, they can be divided into local (on-premise), cloud and hybrid. On-premise solutions and anti-DDoS tools come in both software and hardware (specialized network devices) and can be installed by both customers themselves and their providers. The main users of local anti-DDoS solutions are large telecom operators (cloud and Internet providers) and data centers that can afford to have their own response service, are able to cope with powerful (hundreds of gigabits) attacks and offer anti-DDoS service to their customers.
Cloud solutions implement almost the same security functionality as on-premise solutions. In addition to packet protection, anti-DDoS cloud service providers often offer services to protect sites from attacks made by bots (attackers use the HTTP protocol in them), as well as technical support and support during a DDoS attack. Cloud solutions seem to be the best option for most companies.
A hybrid solution is a set of an on-premise solution and a subscription to an anti-DDoS cloud service that is automatically connected when an attack starts. A hybrid approach removes the attack volume limitations of on-premise solutions and takes advantage of both cloud and on-premise solutions. Hybrid solutions can be recommended for large enterprises with an emphasis on interacting with customers through online channels, as well as small service providers.
Depending on what kind of Internet resources need to be protected, anti-DDoS tools and services are chosen that have one or another range of protection functions:
The connection format distinguishes between symmetric and asymmetric DDoS protection. The first option implies installing the filter in a symmetric mode: both incoming and outgoing traffic of the protected server (or service information about this traffic) always passes through the filter. Asymmetric algorithms analyze only incoming traffic. In general, symmetrical protectors are more effective, but the cost of ownership is higher and the signal latency is higher. Asymmetric tools are often more complex, but because they do not analyze outbound traffic, some attacks are not fully filtered in asymmetric mode.
In addition, special care should be taken to ensure that DDoS protection is properly deployed: it is necessary to reduce to zero the number of vulnerabilities that an attacker could exploit.
And of course, you need to pay close attention to the choice of a protection provider, since the real quality of his services, as well as the level of his competence in anti-DDoS matters, can extend over a wide range.