Distributed denial of service (DDoS) attacks: A cheat sheet
This comprehensive guide covers different types of denial of service attacks, DDoS protection strategies, as well as why it matters for business.
Denial of service (DoS) attacks are the cyberweapon of choice for state-sponsored threat actors and freewheeling script kiddies alike. Independent of who uses them, denial of service attacks can be particularly disruptive and damaging for organizations targeted by cybercriminals. Since 2018, the frequency and power of DDoS attacks have been increasing, making them a more potent risk for organizations.
TechRepublic’s cheat sheet on denial of service attacks is a comprehensive guide to this topic. This article will be updated periodically as attack and mitigation strategies evolve.
What is a denial of service attack?
A denial of service (DoS) attack is an attack strategy in which a malicious actor attempts to prevent others from accessing a web server, web application, or cloud service by flooding it with service requests. While a DoS attack is essentially single origin, a distributed denial of service (DDoS) attack uses a large number of machines on different networks to disrupt a particular service provider; this is more challenging to mitigate, as the attack is being waged from multiple sources.
Following a powerful DDoS attack against the popular secure messenger app Telegram, the company colorfully described DDoS attacks as a case in which “your servers get GADZILLIONS [sic] of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you—and each is ordering a whopper. The server is busy telling the whopper lemmings they came to the wrong place—but there are so many of them that the server can’t even see you to try and take your order.”
Typically, DDoS attacks target the network infrastructure, aiming to bring down the entire network stack. In contrast, application layer attacks target specific functionality of a given website, aiming to disable a specific feature by overextending the process with excessive numbers of requests.
Other types of DDoS attacks include smurf attacks, which use a large number of Internet Control Message Protocol (ICMP) packets with a victim’s IP address spoofed to appear as the origin.
Generally, DDoS attacks can be categorized as flood attacks, which aim to overload systems, or crash attacks, which attempt to bring down an application or system.
How simple to execute and damaging are DDoS attacks?
Executing a DDoS attack is not something that requires particular skill. “A DDoS attack is not a sophisticated attack,” Matthew Prince, CEO and co-founder of Cloudflare, told TechRepublic in 2015, following an attack on Protonmail. “It’s the functional equivalent of a caveman with a club. But a caveman with a club can do a lot of damage.”
While it is relatively safe to assume that higher-power DDoS attacks are the work of professionals, these are attacks that even your average script kiddie can launch with substantive success. The industry of DDoS attacks has also given rise to “denial-of-service as a service,” otherwise known as “booter” or “stresser” services allowing users to conduct a DDoS attack on any arbitrary target in exchange for payment.
Because of the ease with which DDoS attacks can be launched, they can be used by anyone—from highly-funded state-sponsored hackers to teenagers with a grudge against someone.
For businesses, the potential damages stemming from an outage are wide-ranging. Whether through lost sales, a reputational hit for experiencing downtime, or costs relating to excess amounts of network traffic, the potential issues that emanate from DDoS attacks are too substantial to ignore. These risks prompt a need for proactive mitigation measures before an attack is launched.
What are the largest observed DDoS attacks?
Principally, denial of service attacks affect the internet-connected host targeted by the attacker. In practice, this affects the business being targeted by attackers, as well as users of the service that business provides. Any organization can be targeted by a denial of service attack—because of their effectiveness and relative ease with which they can be utilized, they are often deployed against smaller organizations to great effect.
In February 2018, a number of record-setting DDoS attacks utilizing a vulnerability in the memcached protocol were observed, leveraging flaws in the user datagram protocol (UDP). Initial reports from CDN provider Cloudflare observed 260 Gbps of inbound traffic generated in memcached-powered DDoS attacks. One day later, memcached-powered attacks hit GitHub at peak speeds of 1.35 Tbps. In March 2018, NETSCOUT’s Arbor Networks confirmed a 1.7 Tbps DDoS attack waged against one of its clients.
These attacks are initiated by a server spoofing their IP address—specifying the target address as the origin address—and sending a 15-byte request packet. This request packet is answered by a vulnerable memcached server with responses ranging from 134KB-750KB. The size disparity between the request and response—as much as 51,200 times larger—is what makes amplification attacks so effective. When the memcached vulnerability was discovered, 88,000 unprotected servers from which attacks could be launched were found to be connected to the internet.
Importantly, the 260 Gbps attack on Cloudflare was observed at a maximum of 23 million packets per second; because of the properties of amplification, a relatively low number of packets were needed to carry out the attack, but with a relatively high bandwidth. In 2019, Imperva observed a DDoS attack that exceeded 500 million packets per second—four times that of the GitHub attack—putting considerably more stress on mitigation systems, as these typically inspect the headers of each packet, though typically not the full payload.
Many DDoS attacks utilize botnets of compromised devices, particularly Internet of Things (IoT) devices. The Mirai botnet has been used to affect routers and IoT devices, and was used to attack managed DNS provider Dyn, causing outages affecting nearly a quarter of the internet. Similarly, Mirai was used in an attack that knocked out internet services for all of Liberia.
DDoS attacks are seeing a resurgence, as attacks increased 94% in Q1 2019, according to a Kaspersky Lab report. Likewise, attacks over 100Gbps by 967% in Q1 2019 compared to Q1 2018, according to a Neustar report.
How can I protect against a DDoS attack?
There are ways to mitigate the effects of DDoS attacks, permitting targeted systems to continue operating normally for users, transparently, as if no attack was occurring.
The first step is separating genuine users from programmatically-generated traffic used in DDoS attacks. This can be done using IP address filtering, checking cookie/session states, and browser fingerprinting, among other methods.
Traffic filtering strategies include connection tracking, rate limiting, blacklisting or whitelisting traffic. Manual DDoS mitigation can be defeated by advanced attackers by deploying attacks in stages, and re-mounting the attack from a different set of devices when connections are refused from the systems used in the first attack stage.
Cloud-based DDoS mitigation is available through providers including Cloudflare, Imperva, Akamai, Radware, Coreo, and Arbor Networks. One of the methods employed by these vendors includes tracking IP addresses across websites protected by a given service to differentiate genuine users from generated traffic.
How can I avoid being a participant in a distributed denial of service attack?
VPNFilter was used to infect 500,000 routers globally, including devices manufactured by ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, UPVEL, and ZTE, as well as network-attached storage (NAS) devices by QNAP. Initial reports indicated that rebooting the router was enough to clear the infection, but further updates found that to not be sufficient, recommending that users reflash the firmware as well.
“One of the fastest growing sources of DDoS attacks currently, are compromised IoT devices recruited into massive botnets. Organizations using such devices need to adopt best practices in updating software to the latest releases and ensuring good password hygiene, as many devices ship with common defaults,” Sean Newman, director of product management at Coreo, told TechRepublic. “The other common target is DNS infrastructure being used to amplify DDoS attacks. Any organization with their own DNS servers should ensure best practices around monitoring and security are in place, to avoid them being abused to attack others.”