DDoS stands for Distributed Denial of Service. Before explaining DDoS, we first need to cover a closely related term that is often used interchangeably with it: DoS (Denial of Service).
DoS VS DDoS
A Denial of Service attack is any attempt to make a web resource unavailable to its users (denying service, hence the name), typically by flooding the website with more requests than the server can handle. During a successful DoS attack, regular traffic to the website is slowed down or stopped completely.
A DDoS attack, on the other hand, is a DoS attack that comes from many distributed sources at once. A DDoS attack can involve thousands or even hundreds of thousands of computers. The owners of these devices usually do not know that their resources are being used in an attack: the devices were previously infected with malware and are controlled as a group, which is known as a "botnet".
Tens of millions of machines are believed to have been compromised and used in DDoS attacks, ranging from traditional computers to smartphones and IoT devices.
How Does a DDoS Attack Work?
The objective of a DDoS attack is to prevent legitimate users from accessing a website or network resource, mainly by overwhelming the server with requests. As mentioned, a DDoS attack differs from a simple DoS attack in that it uses armies of infected devices, called botnets.
Botnet
A classic DDoS attack typically begins with the attacker compromising a vulnerable machine and turning it into a command-and-control server, from which the attacker (the botmaster) pushes malware to other vulnerable machines. When enough machines are infected to launch an attack (say, 1,000 computers), each of them floods the target website with requests, which slows it down severely or takes it offline entirely.
A DDoS attack exploits the fact that every network resource, web servers included, can service only a finite number of requests at any given time. Not only does the server have limited bandwidth and processing capacity, the link that connects it to the internet also has limited capacity. When the number of requests exceeds the limit of any component in the path, the service experiences a slowdown, a partial failure in which some users are denied service, or a complete failure in which no user can reach the website or service at all.
In most cases the attacker's aim is complete failure of the website, a total denial of service, and attackers quite often demand payment before they will stop a successful attack (ransom DDoS). Other attacks are launched by competitors, often through DDoS-for-hire services, to discredit or damage a business.
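The difference between a single-source DoS and a distributed attack against a finite capacity can be shown in a few lines. The following is an added example written for this article, not code from the original page: it models one second of traffic against a server that can serve a fixed number of requests, with a per-source rate limiter in front of it. The capacity, the per-source limit, the address ranges and the traffic mix are all constructed for the demonstration.

```python
"""Per-source rate limiting versus aggregate capacity (added example).

The limiter stops a single noisy source, but a botnet whose members each
stay under the per-source limit still exceeds the server's capacity.
"""
from collections import Counter
from random import Random

SERVER_CAPACITY = 100   # requests/s the server can serve (assumed for the demo)
PER_SOURCE_LIMIT = 20   # requests/s any single client IP may send (assumed)


def build_traffic(legit_sources, legit_rate, attack_sources, attack_rate, seed=0):
    """Constructed one-second traffic sample: a shuffled list of source IPs,
    one entry per request. Legitimate clients live in 10.0.0.0/24, bots in
    198.51.0.0/16 (both made up for the demo)."""
    traffic = []
    for i in range(legit_sources):
        traffic += [f"10.0.0.{i + 1}"] * legit_rate
    for i in range(attack_sources):
        traffic += [f"198.51.{i // 254}.{i % 254 + 1}"] * attack_rate
    Random(seed).shuffle(traffic)   # interleave, as real traffic would be
    return traffic


def process_second(traffic, per_source_limit=PER_SOURCE_LIMIT, capacity=SERVER_CAPACITY):
    """Apply a per-source limiter, then the server's finite capacity.

    Returns how many requests the limiter refused, how many reached the
    server, and the fraction of those the server could serve (1.0 means
    no user was denied service)."""
    per_source = Counter()
    rate_limited = 0
    admitted = 0
    for src in traffic:
        if per_source[src] >= per_source_limit:
            rate_limited += 1          # a single noisy source is cut off here
            continue
        per_source[src] += 1
        admitted += 1
    service_ratio = 1.0 if admitted <= capacity else capacity / admitted
    return {"rate_limited": rate_limited, "admitted": admitted,
            "service_ratio": round(service_ratio, 3)}


def scenarios():
    legit = (5, 10)                      # 5 users at 10 req/s each
    return {
        "baseline": process_second(build_traffic(*legit, 0, 0)),
        # one attacker at 1000 req/s: the per-source limiter stops it
        "dos_single_source": process_second(build_traffic(*legit, 1, 1000)),
        # 200 bots at 5 req/s each: every bot stays under the per-source
        # limit, yet together they exceed server capacity ten times over
        "ddos_botnet": process_second(build_traffic(*legit, 200, 5)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```

The per-source limiter is enough against the single-source flood, but in the botnet scenario it refuses nothing, and the 1,050 admitted requests leave the server able to serve fewer than one in ten. That is why DDoS mitigation has to reason about aggregate load and upstream capacity, not only about individual clients.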
Different Types of DDoS Attacks
DDoS attacks have evolved to get around the security measures deployed against them, so there are now many variants that target different weaknesses. Broadly speaking, however, DoS and DDoS attacks fall into three main categories:
Volumetric or volume-based attacks
The type discussed above. The goal is to send a huge volume of traffic to saturate the bandwidth of the target network. The severity of the attack is measured in bits per second (bps).
Protocol attacks
This type of attack sends packets crafted so that the server, or intermediate equipment such as load balancers and firewalls, must spend processing time and connection-state memory on them. The target is exhausted even when the link itself is not saturated. The magnitude of protocol attacks is measured in packets per second (pps).
Application layer attacks
This type of attack involves requests that look legitimate but are designed to exhaust the application itself, for example web server software such as Apache, by triggering expensive operations or tying up its resources. Application layer attacks are measured in requests per second (rps).
We can further divide these three categories into many different variants, and here are the common ones:
UDP Flood
A subtype of volumetric attack, a UDP flood is any attack that floods the target with UDP (User Datagram Protocol) packets. The packets are sent to random ports on the server, so for each one the host checks whether an application is listening on that port and, finding none, replies with an ICMP Destination Unreachable packet. Both the incoming packets and the replies consume the host's bandwidth and processing capacity.
ICMP Flood
Another type of volumetric attack, similar in principle to a UDP flood. An ICMP (ping) flood sends a large number of ICMP Echo Request packets to the target host without waiting for replies. The target will typically try to answer each one with an ICMP Echo Reply, so both inbound and outbound bandwidth are consumed and the server slows down.
Slowloris
A popular and highly targeted attack. Slowloris holds as many connections to the target web server open as possible by sending only partial HTTP requests: it keeps sending header lines, at a slow trickle, but never sends the blank line that completes the request. The server keeps these incomplete requests open, waiting for the rest, until they saturate the available connection pool and the server can no longer accept connections from legitimate users. Because it needs very little bandwidth, Slowloris can be effective even from a single machine, which makes it an application layer attack rather than a volumetric one.
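Why a plain idle timeout does not stop Slowloris, while a timeout on the whole request header (plus a per-address connection cap) does, is easiest to see in a small model. The following is an added example written for this article, not code from the original page or from the Slowloris tool: a discrete-time simulation of a server with a fixed pool of connection slots, a single-address attacker that trickles one bogus header line every few seconds, and a legitimate client that arrives every two seconds. The pool size, the timeouts and the intervals are assumed values for the demonstration.

```python
"""Slowloris against a fixed connection pool under three server policies (added example)."""
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    opened_at: int        # tick at which the server accepted the connection
    last_byte_at: int     # tick at which the last header byte arrived


def simulate(seconds=60, timeout_mode="none", timeout=10, pool_size=8,
             max_per_ip=None, trickle_every=5, legit_every=2):
    """One tick = one second.

    timeout_mode: "none"  - server waits forever for the rest of the headers
                  "idle"  - close if no byte arrived for `timeout` seconds
                            (Slowloris defeats this by trickling a header line)
                  "total" - close if the full request has not arrived within
                            `timeout` seconds of accept (what a request-header
                            timeout such as nginx's client_header_timeout does)
    max_per_ip: cap on concurrent connections from one address, or None.
    Returns how many legitimate clients were served and how many refused.
    """
    pool = []
    served = refused = 0
    for t in range(seconds):
        if timeout_mode == "idle":
            pool = [c for c in pool if t - c.last_byte_at < timeout]
        elif timeout_mode == "total":
            pool = [c for c in pool if t - c.opened_at < timeout]

        # A legitimate client arrives; its request is complete, so it is
        # answered and its slot released within the same tick.
        if t % legit_every == 0:
            if len(pool) < pool_size:
                served += 1
            else:
                refused += 1

        # The attacker (one address, as in classic Slowloris) keeps each held
        # socket alive with one more header line, never the blank line that
        # ends the request, then opens more until the pool or its cap is full.
        for c in pool:
            if (t - c.opened_at) % trickle_every == 0:
                c.last_byte_at = t
        held = len(pool)
        limit = pool_size if max_per_ip is None else min(pool_size, max_per_ip)
        while held < limit:
            pool.append(Conn("203.0.113.7", t, t))   # constructed attacker address
            held += 1
    return {"served": served, "refused": refused}


def compare(seconds=60):
    return {
        "no_timeout": simulate(seconds),
        "idle_timeout_10s": simulate(seconds, "idle", 10),
        "header_timeout_10s": simulate(seconds, "total", 10),
        "header_timeout_plus_conn_cap": simulate(seconds, "total", 10, max_per_ip=2),
    }


if __name__ == "__main__":
    for policy, result in compare().items():
        print(f"{policy:30s} {result}")
```

With no timeout, or with an idle timeout the attacker keeps resetting, only the very first legitimate client gets through. A timeout on the complete header frees the pool every ten seconds, and a per-address connection cap keeps the single-source attacker from filling it at all.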
SYN Flood
A SYN flood abuses the TCP three-way handshake. A client initiates a connection with a SYN packet, the server answers with a SYN-ACK and records the half-open connection while it waits, and the client completes the handshake with an ACK. In a SYN flood the attacker sends large numbers of SYN packets, usually from spoofed source addresses, and never sends the final ACK, so the target keeps waiting and its table of half-open connections (the listen backlog) fills up, after which new SYNs, including those from legitimate users, are dropped. The standard mitigation is SYN cookies, where the server encodes what it needs to know in its initial sequence number instead of storing state for each half-open connection.
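The handshake, the backlog exhaustion and the SYN cookie defence can be shown together with both sides' messages. The following is an added example written for this article, not code from the original page or from any operating system's TCP stack: a listener modelled at the level of SYN, SYN-ACK and ACK, with a deliberately tiny backlog, and a simplified SYN cookie (a keyed hash of the client address, port and a time window) standing in for the real RFC 4987 encoding. The backlog size, the addresses and the time values are assumed for the demonstration.

```python
"""SYN flood against a tiny listen backlog, with and without SYN cookies (added example)."""
import hashlib
import hmac
import secrets
import struct

BACKLOG = 4                         # half-open slots (assumed; real kernels use far more)
SECRET = secrets.token_bytes(32)    # per-server key for the cookie MAC


def _mask(x):
    return x & 0xFFFFFFFF           # TCP sequence numbers are 32-bit


class Listener:
    """A TCP listener modelled at the level of the three-way handshake."""

    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}         # (ip, port) -> server ISN, used only without cookies
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip, src_port, window):
        # Simplified SYN cookie: keyed hash of the client address/port and a
        # coarse time window. Real cookies (RFC 4987) also pack the MSS and a
        # timestamp counter into the 32 bits; that detail is omitted here.
        msg = f"{src_ip}:{src_port}:{window}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]

    def on_syn(self, src_ip, src_port, now):
        """Handle a SYN; return the ISN carried in our SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            # Nothing is stored: the ISN itself lets us recognise a valid ACK later.
            return self._cookie(src_ip, src_port, now // 60)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1  # backlog full: SYN silently dropped
            return None
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack, now):
        """Handle the final ACK; return True if the connection is established."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            # Accept the current and previous window so a slow client still gets in.
            for window in (now // 60, now // 60 - 1):
                if ack == _mask(self._cookie(src_ip, src_port, window) + 1):
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.pop(key, None)
        if isn is not None and ack == _mask(isn + 1):
            self.established.add(key)
            return True
        return False


def run_flood(syn_cookies, attacker_syns=50, now=1_000):
    """Attacker sends SYNs from spoofed addresses and never ACKs; then one
    legitimate client tries to connect. Returns what happened to each."""
    srv = Listener(syn_cookies)
    for i in range(attacker_syns):  # spoofed sources in 198.51.100.0/24 (constructed)
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 40_000 + i, now)
    syn_ack = srv.on_syn("10.0.0.5", 51_234, now)
    connected = (syn_ack is not None
                 and srv.on_ack("10.0.0.5", 51_234, _mask(syn_ack + 1), now + 1))
    return {"legit_connected": connected,
            "dropped_syns": srv.dropped_syns,
            "half_open_state": len(srv.half_open)}


if __name__ == "__main__":
    print("without SYN cookies:", run_flood(False))
    print("with SYN cookies:   ", run_flood(True))
```

Without cookies the first four spoofed SYNs fill the backlog and every later SYN, the legitimate one included, is dropped. With cookies the server stores nothing per SYN, so the flood costs it only the SYN-ACKs it sends, the legitimate client completes the handshake, and an ACK that does not carry a valid cookie is rejected.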
Conclusion
With DDoS attacks becoming more sophisticated than ever, proper DDoS mitigation is important for any business. Choosing defences that cover the different types of attack matters, because a successful DDoS attack can do long-term and even permanent damage to a business's credibility.
It is therefore important to assess the current state of the network and the available equipment, and to decide which protections against DDoS the system actually needs.