A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the regular functioning of a network, service, or website by overwhelming it with a flood of illegitimate traffic.
In a DDoS attack, multiple compromised devices, often forming a botnet, generate high requests or traffic to overwhelm the target system’s resources, such as bandwidth, processing power, or memory.
The objective of a DDoS attack is to exhaust the target’s resources to the point where it becomes unavailable or experiences significant degradation in performance.
By saturating the target with an overwhelming amount of traffic, legitimate users cannot access the service, causing inconvenience, financial loss, and damage to the target’s reputation.
DDoS Attack Example
One example of a DDoS attack is the Mirai botnet attack in 2016. In this attack, Mirai malware infected many Internet of Things (IoT) devices, such as cameras, routers, and DVRs, with weak security measures or default credentials.
Once infected, the attackers controlled these compromised devices and formed a massive botnet. The attackers then launched a coordinated DDoS attack against their target, the DNS (Domain Name System) provider Dyn.
The Mirai botnet flooded Dyn’s servers with overwhelming traffic, targeting their DNS infrastructure. As a result, several major websites, and online services, including Twitter, Spotify, Reddit, and Netflix, experienced significant disruptions and were inaccessible to users for a considerable period of time—see more details on the most famous DDoS attacks in history.
How Does a DDoS Attack Work?
A DDoS attack typically involves the following steps:
Botnet Formation: The attacker assembles a network of compromised devices called a botnet. These devices can be computers, servers, IoT devices, or even smartphones infected with malware. The compromised machines are under the attacker’s control and are used to launch the attack.
Reconnaissance: The attacker identifies potential targets, such as websites, servers, or network infrastructure, to disrupt or disable. This can be done through automated scanning or leveraging information about vulnerable targets.
Command and Control (C&C) Setup: The attacker establishes a command-and-control infrastructure to communicate with the compromised devices in the botnet. This infrastructure allows the attacker to issue commands and coordinate the attack.
Initiation of the Attack: The attacker instructs the botnet’s compromised devices to send massive traffic or requests to the target system. This flood of traffic overwhelms the target’s resources, such as bandwidth, processing power, or memory.
Traffic Redirection: To amplify the attack, the attacker may employ techniques like IP spoofing or reflection/amplification attacks. IP spoofing involves forging the source IP address of the attacking traffic to make it appear as if it’s coming from legitimate sources. Reflection/amplification attacks exploit vulnerable servers or services that respond with more traffic than they receive, magnifying the attack’s scale.
Impact on the Target: The target system’s resources become overwhelmed due to the excessive traffic volume. As a result, the target system experiences performance degradation or becomes completely inaccessible to legitimate users. This disruption can lead to financial loss, damage to reputation, and potential security vulnerabilities.
Attack Persistence: The attacker may attempt to sustain the attack over an extended period, adjusting the attack strategy or targeting different parts of the infrastructure to evade detection or mitigation measures.
What is the Motivation Behind DDoS Attacks?
DDoS attacks are motivated by various factors, including:
Financial Gain: Attackers may launch DDoS attacks to extort money from the target. They may threaten to continue or escalate the attack unless a ransom is paid.
Ideological or Political Reasons: Hacktivist groups or individuals may carry out DDoS attacks to promote a particular agenda, express dissent, or protest against specific organizations, governments, or ideologies.
Competitive Advantage: Competitors or malicious entities may launch DDoS attacks against rival businesses to disrupt their operations, gain a competitive edge, or sabotage their online presence.
Revenge or Personal Vendetta: Individuals with grudges against a particular organization, individual, or community may launch DDoS attacks as an act of retaliation or to cause harm.
Distraction or Cover: DDoS attacks can be used as a diversionary tactic to divert the attention of security teams or overwhelm security infrastructure. In contrast, other attacks, such as data breaches or malware infections, are carried out.
Demonstrating Technical Ability: Some attackers launch DDoS attacks to showcase their hacking skills, gain notoriety within the hacker community, or simply for the thrill of causing disruption.
Disrupting Critical Infrastructure: DDoS attacks can target critical infrastructure, such as financial institutions, government websites, or public utilities, to cause widespread disruption, instill fear, or undermine trust in these systems.
Testing Security Defenses: DDoS attacks can test the resilience and effectiveness of an organization’s security infrastructure and identify potential vulnerabilities that could be exploited in more targeted attacks.
How are DDoS Attacks Categorized?
DDoS (Distributed Denial of Service) attacks are categorized based on several factors, such as the type of traffic used, the method of attack, the attack’s duration, and the attack’s target. Here are some common categories:
Targeted websites are flooded with voluminous malicious requests using amplification and other techniques to create massive traffic and deplete the bandwidth and other resources.
Examples – UDP Flooding, NTP Amplification, ICMP Flooding, and DNS Amplification.
The vulnerabilities and weaknesses in Layers 3 & 4 of the protocol stack are leveraged in these state-exhaustion attacks to deplete the server resources or other network hardware/ intermediate communication equipment (firewalls, load balancers, etc.) in the middle.
Examples – SYN floods, Ping of Death, Smurf Attacks, and fragmented packet attacks.
The vulnerabilities, security misconfigurations, and business logic flaws in the targeted websites are leveraged in orchestrating these Layer-7 attacks. These are cheaper for the attacker to execute as there is a smaller resource/ device requirement.
Examples – Slowloris, HTTP Floods, and/ or targeting a specific vulnerability in the application with the intent of bringing it down.
Types of DDoS Attacks
Numerous sub-types of DDoS attacks fit into the categories mentioned above but possess distinct characteristics. Here is a comprehensive breakdown of current DDoS attack methods.
1. SYN Flood: A SYN Flood is a DDoS attack targeting the TCP (Transmission Control Protocol) handshake process. The attacker sends many TCP SYN packets to the target server but needs to complete the three-way handshake process. This causes the server to allocate resources for each incoming connection attempt but never frees them up, ultimately causing the server to become unresponsive.
2. LAND attack: A LAND attack is a type of DDoS attack that exploits a vulnerability in the TCP/IP protocol stack. The attacker sends a spoofed TCP SYN packet with the source IP address set to the target server’s IP address, the destination IP address set to the target server’s IP address, and a random source and destination port. This causes the target server to send an SYN-ACK packet back to itself, creating a loop that can cause the server to become unresponsive.
3. SYN-ACK Flood: A SYN-ACK Flood is a DDoS attack targeting the TCP handshake process. The attacker sends many TCP SYN-ACK packets to the target server, causing it to become overwhelmed and unresponsive.
4. ACK & PUSH ACK Flood: An ACK & PUSH ACK Flood is a DDoS attack targeting the TCP protocol by sending many TCP ACK or TCP PUSH packets to the target server. This can cause the server to become overwhelmed and unresponsive.
5. Fragmented ACK Flood: A Fragmented ACK Flood is a DDoS attack targeting the TCP protocol by sending fragmented packets with the ACK flag set. This can cause the server to become overwhelmed and unresponsive.
6. Spoofed Session Flood (Fake Session Attack): A Spoofed Session Flood, also known as a Fake Session Attack, is a type of DDoS attack that targets the TCP protocol by sending a large number of packets with a spoofed source IP address. This can cause the server to become overwhelmed and unresponsive as it tries to establish connections with the spoofed IP addresses.
7. UDP Flood: A UDP Flood is a type of DDoS attack that targets the UDP (User Datagram Protocol) protocol by sending many UDP packets to the target server.
8. DNS Flood: In a DNS Flood attack, DNS servers are bombarded with an excessive number of requests, overpowering their resources and resulting in unresponsiveness.
9. VoIP Flood: A VoIP Flood is a type of DDoS attack that targets VoIP (Voice over Internet Protocol) networks by sending a large number of VoIP packets to the target network, overwhelming its resources and causing it to become unresponsive.
10. CHARGEN Flood: This attack uses the Character Generator protocol to send a large volume of random characters to the target.
11. SSDP Flood: This attack targets the Simple Service Discovery Protocol, flooding the target with SSDP requests and overwhelming its resources.
12. SNMP Flood (SNMP Amplification): This attack uses SNMP servers to generate a large volume of traffic toward the target, overwhelming its resources and causing it to become unresponsive.
13. HTTP Flood: An HTTP Flood attack is a DDoS attack that targets web servers by sending massive HTTP requests to the server, overwhelming its resources and rendering it unresponsive. This type of attack is often carried out using a botnet.
14. Recursive HTTP GET Flood: A Recursive HTTP GET Flood attack is a type of HTTP Flood attack that targets web servers by sending HTTP GET requests in a recursive loop. This means that the attacker sends requests that include a URL pointing back to the original web server, causing the server to request its content repeatedly. This can cause the server to become overwhelmed and unresponsive.
15. ICMP Flood: An ICMP Flood attack is a type of DDoS attack that targets networks by sending massive ICMP packets to the victim’s network.
16. Misused Application Attack: A Misused Application attack is a type of DDoS attack that targets applications by sending a large amount of malicious input to the application, causing it to become unresponsive or crash. This attack can exploit vulnerabilities in the application’s code or configuration.
17. IP Null Attack: An IP Null Attack is a type of DDoS attack that targets routers and other network devices by sending a large amount of IP packets with a source IP address of 0.0.0.0.
18. Smurf Attack: A Smurf Attack is a DDoS attack targeting networks by exploiting the ICMP protocol’s broadcast feature. The attacker sends a large amount of ICMP packets with a spoofed source IP address to a network’s broadcast address, causing all devices on the network to respond to the request and flood the victim’s network with traffic.
19. Fraggle Attack: A Fraggle attack is a type of DDoS attack that uses UDP packets to flood the victim’s network with traffic. It is similar to a Smurf attack, but instead of using ICMP packets, it uses UDP packets to amplify the attack. The attacker sends a request to a vulnerable UDP service, such as the charge service, and the response is amplified and sent to the victim’s IP address. This causes the victim’s network to become overloaded and unresponsive.
20. Ping of Death Attack: A Ping of Death attack is a type of DDoS attack that sends an oversized ICMP packet to the victim’s network or web server. The packet size is larger than the maximum allowable size of an ICMP packet, causing the victim’s system to crash or become unresponsive. This attack has existed for decades but is still effective against vulnerable systems.
21. Slowloris: A Slowloris attack is a type of DDoS attack that targets web servers by opening multiple connections and keeping them open for as long as possible. The attacker sends partial HTTP requests to the victim’s web server but never completes them, keeping the connections open. This exhausts the server’s resources and makes it unable to respond to legitimate requests.
22. ReDoS: A ReDoS attack, or Regular Expression Denial of Service, is a type of DDoS attack that targets vulnerable applications that use regular expressions to parse user input. The attacker sends malicious input to the application that triggers a regular expression with exponential matching possibilities, causing the application to enter an infinite loop and consume all available resources.
23. High Orbit Ion Cannon (HOIC): A High Orbit Ion Cannon, or HOIC, is a type of DDoS attack that uses a tool to launch a coordinated attack from multiple sources. The device sends massive traffic to the victim’s network or web server, overwhelming its resources and rendering it unresponsive. Hacktivist groups commonly use this attack to target high-profile websites.
24. Low Orbit Ion Cannon (LOIC): A Low Orbit Ion Cannon, or LOIC, is another tool to launch DDoS attacks. It is similar to HOIC but is easier to use and does not require as much technical knowledge. The tool allows users to participate in a DDoS attack by contributing their bandwidth.
25. Zero-Day DDoS: A Zero-Day DDoS attack is a type of DDoS attack that exploits unknown vulnerabilities in software or hardware. This type of attack is more difficult to defend against because the victim is not aware of the vulnerability and, therefore, cannot take any proactive measures to mitigate the attack.
Why are DDoS Attacks Dangerous?
- DDoS attacks are on the rise. There is a 48% increase in DDoS attacks. 498M vs 336M (Q1, 2023 vs Q4, 2022) – State of Application Security report Q1, 2023
- One in two attacks successfully disrupted the services of the targeted platform.
- DDoS attacks are not used to breach the security perimeter of a website directly; they are often the smokescreen used to orchestrate other types of attacks/ malicious activities.
- DDoS attacks are not always volumetric; Layer-7 attacks, for instance, are smaller (1GB or less in magnitude), sneakier, and more silent.
- Multiple attack vectors are used by targeting a combination of network layers today to orchestrate DDoS.
- The financial costs attached to post-incidence response and recovery are high. The reputational losses from DDoS attacks are high owing to the high noticeability factor. The cost (financial and reputational) of a DDoS attack is estimated to be USD 120,000 for small businesses and USD 2+ million for large companies.
How to Protect Against DDoS Attacks?
Multi-layered DDoS protection is a must, as attackers often use multiple attack vectors.
An intelligent and managed WAF will enable early detection and continuous traffic and packet profiling to stay ahead of bad actors.
Reduce the attack surface by onboarding a CDN service with a WAF at the network perimeter and using load balancers to protect critical resources from exposure.
Regular scanning, testing, and auditing of the website are necessary to ensure there are no vulnerabilities or entry points for attackers to leverage.
It is vital to employ a comprehensive, intelligent, managed security solution to ensure complete security rather than just relying on a DDoS prevention service.
The security solution must provide the following:
- Always-on, instantaneous protection
- A robust network architecture
- Custom policies
- Real-time security posture visibility
- Certified security professionals’ expertise
Here is a detailed blog on must-have features of DDoS mitigation solution.
Achieve optimal security and uninterrupted service with AppTrana WAAP. It boasts an exceptional 99.99% uptime and robust protection against layer 3-7 DDoS attacks.
Its advanced features include behavioral DDoS mitigation and AI-driven rate-limiting capabilities, which consider factors such as URI, IP, host, and geographical information to provide unparalleled security and reliability.