DDoS (Distributed Denial of Service)
A denial-of-service attack carried out simultaneously from a large number of devices that attackers have taken control of, which lets them send commands that generate floods of bogus requests. An attack of this kind can deny service to the systems of a large enterprise or to an entire network.
How it works
The purpose of a DDoS attack is to achieve denial of service for devices connected to the Internet: network equipment and infrastructure, various Internet services, websites and web applications, IoT infrastructure.
The vast majority of attacks develop in the following sequence:
- Collecting data about the victim and analysing it to identify obvious and potential vulnerabilities and to choose the attack method;
- Preparing for the attack by deploying malicious code on computers and Internet-connected devices that have been compromised;
- Generating a stream of malicious requests from the multiple devices under the attacker's control;
- Analysing the effectiveness of the attack: if its objectives were not achieved, the attacker may analyse the collected data more thoroughly and search again for attack methods (return to step 1).
If the attack succeeds, the attacked resource shows a significant drop in performance or becomes unable to process legitimate requests from users and other services at all. Depending on what the victim resource is, the consequences of a successful DDoS attack are a sharp drop in performance or the unavailability of the network, server, Internet service, website or application. As a result, the Internet resource “freezes”, legitimate users cannot access it when they need it, the network or server is temporarily “cut off” from the Internet, the Internet resource stops working correctly, and so on.
Attackers may have different motivations. The most common are unfair competition, attempts at blackmail, conflicts of interest or beliefs, and social or political protest. Revenge, a desire to “practise” the criminal hacking craft, and vanity are also common. In recent years, however, the desire of DDoS attackers to earn money has come to the fore, and if an attack is generously paid for, it can be quite intense, last for many hours, and be modified and repeated over and over again.
The damage from a successful DDoS attack consists primarily of financial and reputational costs: lost profits, terminated contracts and lost users, numerous customer complaints, a wave of negativity in the media and social networks and, as a result, a decline in the popularity of the Internet resource and its owner. A DDoS attack is also often used as cover for the main malicious action in a targeted attack: while cybersecurity specialists focus on DDoS mitigation and system recovery, the attackers pursue the main attack vector - for example, hacking a service, stealing confidential data, or installing malware.
Who is most vulnerable to a DDoS attack?
The most common targets for DDoS attacks are government, financial institutions, gaming services, and e-commerce companies. With the onset of the pandemic, attacks on educational resources, video conferencing services, online cinemas, media and entertainment sites have sharply increased.
One of the most intense and lengthy was the series of DDoS attacks in 2007 against government, financial, media and other resources in Estonia, which most likely became an expression of protest against the demolition of monuments to Soviet soldiers who liberated the republic.
Another major attack was carried out in 2013 against Spamhaus, an international non-profit organization that fights spam. It can be assumed that the cybercriminals interested in spreading spam were unhappy with its successful activities.
In 2014, one of the most powerful DDoS attacks in history was carried out - this time against the growing Occupy Central movement in Hong Kong, which advocated changing the country's voting system.
In 2015 and 2018, two more DDoS attacks struck GitHub, the world's largest Internet resource for collaborative development and hosting of IT projects.
DDoS attack classification
The most commonly used method of classifying attacks is by the OSI layer at which they occurred. Let's list the most common types of attacks:
- Network layer (L3): DDoS attacks at this layer “work” over the IP, DVMRP, ICMP, IGMP, PIM-SM, IPsec, IPX, RIP, DDP and OSPF protocols. Their targets are primarily network devices: switches and routers.
- Transport layer (L4): the attack is made via the TCP and UDP protocols, as well as DCCP, RUDP, SCTP and UDP-Lite. The targets at this level are usually servers and some Internet services, such as gaming.
- Application layer (L7): the attack is carried out at the application-protocol layer; attackers most often use HTTP, HTTPS and DNS. Attacks at this level target both popular network services and various websites and web applications.
Another common classification is by the method of impact:
- exploitation of protocol vulnerabilities: the attacked resource is sent malformed requests and the victim “goes into a stupor” trying to process them, resulting in denial of service;
- traffic overflow: a stream of requests so powerful that the victim is unable to “digest” it;
- exploitation of weaknesses in the architecture and logic of the application, which can severely degrade a software system connected to the Internet, especially if its security is weak.
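The classification above separates a single noisy client (classic DoS, one source flooding at L7) from a distributed flood in which no single bot is loud. The following is an added example, not code from the original page, showing why a defender needs both signals: a per-source request rate and the aggregate rate across all sources within a trailing time window. The log format, the addresses (TEST-NET ranges) and the three-phase traffic sample are constructed for the example.

```python
"""Flood detection over web-server access-log lines.

Added example, not code from the original page. A per-source request rate
catches a single noisy client; a distributed flood keeps every bot under
that limit, so the aggregate rate across all sources must be watched too.
The log format, addresses and traffic sample are constructed.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed line format: '<timestamp> <client-ip> <method> <path> <status>'
LOG_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, path, status)."""
    ts, ip, method, path, status = line.split()
    return datetime.strptime(ts, LOG_FORMAT), ip, method, path, int(status)


def detect_floods(lines, window_seconds=1.0, per_source_limit=10,
                  aggregate_limit=100, distributed_min_sources=20):
    """Scan log lines with a trailing time window and report:
    - noisy_sources: clients that alone exceeded per_source_limit in a window
    - distributed_flood: whether the aggregate rate exceeded aggregate_limit
      while spread over at least distributed_min_sources clients
    """
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    in_window = deque()   # (timestamp, ip) of events inside the trailing window
    counts = Counter()    # requests per ip inside the window
    noisy_sources = set()
    distributed_flood = False
    peak_aggregate = peak_sources = 0

    for ts, ip, _method, _path, _status in events:
        in_window.append((ts, ip))
        counts[ip] += 1
        # Expire events that fell out of the trailing window.
        while ts - in_window[0][0] > window:
            _old_ts, old_ip = in_window.popleft()
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]

        total, sources = len(in_window), len(counts)
        peak_aggregate = max(peak_aggregate, total)
        peak_sources = max(peak_sources, sources)
        if counts[ip] > per_source_limit:
            noisy_sources.add(ip)
        if total > aggregate_limit and sources >= distributed_min_sources:
            distributed_flood = True

    return {
        "noisy_sources": sorted(noisy_sources),
        "distributed_flood": distributed_flood,
        "peak_aggregate": peak_aggregate,
        "peak_sources_in_window": peak_sources,
    }


def build_sample_log():
    """Constructed three-phase log (not real traffic):
    0-9 s   one legitimate client, 1 request/s
    10-13 s one client at 25 requests/s (single-source flood)
    20-21 s 60 bots, 3 requests each, all within one second (distributed flood)
    """
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []

    def add(offset, ip, path):
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.strftime(LOG_FORMAT)} {ip} GET {path} 200")

    for s in range(10):
        add(s, "198.51.100.5", "/index.html")
    for i in range(75):
        add(10 + i / 25, "203.0.113.7", "/search?q=x")
    for bot in range(60):
        for k in range(3):
            add(20 + (bot * 3 + k) / 180, f"198.51.100.{10 + bot}", "/login")
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

On the constructed sample the single flooding client is reported under noisy_sources, while the 60 bots never exceed the per-source limit and are only caught by the aggregate check (180 requests from 60 sources in one second). A real deployment would feed the same two counters from a streaming log source and tune the limits to the service's normal load.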
DDoS protection methods
Before adopting dedicated anti-DDoS protection tools, you should increase the security of the Internet service itself - its ability to repel attacks effectively with a minimum expenditure of resources. Otherwise, securing the Internet service against such attacks will cost a great deal of effort and money. In short, to increase security you need to:
- provide as little information as possible to the attacker;
- provide as much information as possible to the DDoS defender;
- provide clear attack filtering capabilities;
- ensure the reliability of the service under attack.
The ability to protect against DDoS attacks can and should be built into an Internet resource as early as the design of its architecture: good design increases the availability of the resource and reduces the cost of protecting it from attacks.
As for protection tools, they can be divided into local (on-premise), cloud and hybrid. On-premise anti-DDoS solutions come in both software and hardware (specialized network devices) form and can be installed by customers themselves or by their providers. The main users of on-premise anti-DDoS solutions are large telecom operators (cloud and Internet providers) and data centres that can afford their own response team, are able to cope with powerful (hundreds of gigabits) attacks and offer anti-DDoS service to their customers.
Cloud solutions implement almost the same protection functionality as on-premise solutions. In addition to packet-level protection, anti-DDoS cloud providers often offer protection of websites against attacks by bots (which use the HTTP protocol), as well as technical support during a DDoS attack. Cloud solutions seem to be the best option for most companies.
A hybrid solution combines an on-premise solution with a subscription to an anti-DDoS cloud service that is connected automatically when an attack starts. The hybrid approach removes the attack-volume limitations of on-premise solutions and takes advantage of both cloud and on-premise solutions. Hybrid solutions can be recommended for large enterprises that interact with customers mainly through online channels, as well as for small service providers.
Depending on what kind of Internet resources need to be protected, anti-DDoS tools and services are chosen with one or another range of protection functions:
- protection against packet flooding based on filtering packets at the network and transport layers (L3 and L4) - enough to protect network devices;
- protection against both packet flooding and application-level flooding (L3 - L7) - necessary, in particular, to keep websites operational, since most attacks on them are carried out precisely at L7;
- protection not only against flooding at L3 - L7, but also against “intelligent” DDoS attacks by “smart” bots that target the parts of a web application that are most resource-intensive to process, using the functions of a Web Application Firewall (WAF) - necessary to protect critical Internet resources.
The connection format distinguishes symmetric and asymmetric DDoS protection. In symmetric mode, both the incoming and the outgoing traffic of the protected server (or service information about that traffic) always passes through the filter. Asymmetric algorithms analyze only incoming traffic. In general, symmetric protection is more effective, but its cost of ownership and the added latency are higher. Asymmetric tools are often more complex, but because they do not analyze outbound traffic, some attacks are not fully filtered in asymmetric mode.
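The practical difference between the two modes is what the filter can know about connection state. The following is an added example, not code from the original page: a symmetric filter that observes both directions can record the server's own SYN-ACK and therefore knows which peers completed a handshake, so inbound packets for connections that were never established can be dropped. An inbound-only (asymmetric) filter has no such state and can only count packets per source, which an ACK flood spread thinly over many spoofed addresses slips under. The packet model, addresses and trace are constructed for the example.

```python
"""Symmetric vs asymmetric filtering on a constructed TCP packet trace.

Added example, not code from the original page. The symmetric filter sees
both directions and keeps minimal handshake state (SYN in, SYN-ACK out,
ACK in); the asymmetric filter sees inbound packets only and falls back to
a per-source rate limit. Addresses and the trace are constructed.
"""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "direction src dst flags")  # direction: 'in' or 'out'
SERVER = "192.0.2.10"  # constructed address of the protected server


class SymmetricFilter:
    """Observes both directions; filters only inbound packets."""

    def __init__(self):
        self.half_open = set()    # peers the server has answered with SYN-ACK
        self.established = set()  # peers whose final ACK completed the handshake
        self.dropped = []

    def process(self, pkt):
        if pkt.direction == "out":
            # Outbound traffic is observed for state, never filtered.
            if pkt.flags == "SYN-ACK":
                self.half_open.add(pkt.dst)
            elif pkt.flags == "RST":
                self.half_open.discard(pkt.dst)
                self.established.discard(pkt.dst)
            return "pass"
        if pkt.flags == "SYN":
            return "pass"  # new connection attempts; SYN rate limiting is a separate concern
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
            return "pass"
        if pkt.src in self.established:
            return "pass"
        # No handshake was completed with this peer, so the packet cannot
        # belong to a real connection: drop it.
        self.dropped.append(pkt)
        return "drop"


class AsymmetricFilter:
    """Sees inbound packets only, so it can only count them per source."""

    def __init__(self, per_source_limit=10):
        self.limit = per_source_limit
        self.counts = Counter()
        self.dropped = []

    def process(self, pkt):
        assert pkt.direction == "in", "asymmetric filter never sees outbound traffic"
        self.counts[pkt.src] += 1
        if self.counts[pkt.src] > self.limit:
            self.dropped.append(pkt)
            return "drop"
        return "pass"


def build_trace():
    """Constructed trace: one legitimate client completes a handshake and sends
    data; then 200 spoofed sources each send a single ACK with no handshake."""
    client = "198.51.100.42"
    trace = [
        Packet("in", client, SERVER, "SYN"),
        Packet("out", SERVER, client, "SYN-ACK"),
        Packet("in", client, SERVER, "ACK"),
        Packet("in", client, SERVER, "PSH-ACK"),
    ]
    for i in range(200):
        trace.append(Packet("in", f"203.0.113.{i + 1}", SERVER, "ACK"))
    return trace


def run_filters(trace):
    """Run both filters over the trace and summarise inbound verdicts."""
    sym, asym = SymmetricFilter(), AsymmetricFilter(per_source_limit=10)
    verdicts = {"symmetric": Counter(), "asymmetric": Counter()}
    for pkt in trace:
        sym_verdict = sym.process(pkt)   # symmetric filter sees every packet
        if pkt.direction == "in":
            verdicts["symmetric"][sym_verdict] += 1
            verdicts["asymmetric"][asym.process(pkt)] += 1  # inbound only
    return {
        "symmetric": dict(verdicts["symmetric"]),
        "asymmetric": dict(verdicts["asymmetric"]),
        "symmetric_established": sorted(sym.established),
    }


if __name__ == "__main__":
    print(run_filters(build_trace()))
```

On the constructed trace the symmetric filter passes the legitimate client's three inbound packets and drops all 200 flood packets, while the asymmetric filter, seeing one packet per source, passes all 203. This is the situation the text describes as an attack that is "not fully filtered in asymmetric mode"; an asymmetric deployment has to compensate with coarser measures such as aggregate rate limits or challenge mechanisms.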
In addition, special care should be taken that DDoS protection is deployed correctly: the number of vulnerabilities an attacker could exploit must be reduced to zero.
And of course, you need to pay close attention to the choice of protection provider, since the real quality of its services and its level of competence in anti-DDoS matters can vary widely.