In our latest expert-led roundup we wanted to bring some of our favourite technology contributors together to define what is a DDoS (Distributed Denial-of-Service) attack? How to stop DDoS attacks? and What is the main difference between a DoS attack and a DDoS attack?
What is a DDoS (Distributed Denial of Service) attack?
When asked to describe both DDos & DoS attacks Aaron S. Birnbaum, CTO at Seron Security kindly provided a lot of detail on this topic in his response below:
“When criminals try to overwhelm a website intentionally by sending thousands of requests at one time. This is considered a Denial of Service (DoS).”
“As technology advanced, web servers became more powerful and devices like load balancers were developed to distribute traffic to multiple servers.”
‘But the criminals had an answer for this, they would 'hijack' a huge number of computers or devices that had internet access - often referred to as the Internet of Things (IoT) - and install programs on them that would allow them to control all of these devices, and set them all to make requests simultaneously.”
“These infected machines are called 'zombies' or 'bots', and they can be anything with an internet connection.”
“This new attack was called a Distributed Denial of Service (DDoS), as it involves a large number of devices from all over making these requests.”
“Currently, criminals can go online and buy or rent a 'botnet', a network of these compromised machines to perform these attacks for a minimal amount.”
Types of DDoS Attacks & What Happens During A DDoS Attack
“While on the surface, a DDoS attack aims to overwhelm resources, the way in which it can be done may vary.”, Aaron says.
“There are three main types of attacks, the most popular being the Application Layer Attacks.”
“Examples of this are the 'Layer 7 attack' and the 'HTTP Flood attack', which both aim to overwhelm the available network or server resources, usually by making HTTP requests. Imagine clicking the refresh button on your browser rapidly over and over again.”
“Protocol Attacks or state-exhaustion attacks like the SYN Flood Attack work by attacking the inherent weaknesses in the TCP/IP protocol, where a request is made, then held until the response is provided.”
“Criminals send hundreds of SYN requests, and do not respond to the SYN-ACK responses to complete the transaction. This leaves devices like firewalls and load balancers trying to store too much data and prevents the network from being accessible.”
“Volumetric Attacks work by creating congestion in the network by taking all the available bandwidth through a large botnet, or by using technologies to amplify requests from the server. It can incorporate DNS servers and other techniques.”
In addition to this Digital Privacy Expert and featured contributor in The Times, CNET & Threat Post, Ray Walsh contributed his response regarding DDos; “In recent years, a massive rise in infected IoT devices (Internet of Things) worldwide has led to some of the largest DDoS attacks in recorded history causing incoming traffic rates of up to 1.3 terabytes per second for victimised systems.”
Why Do DDoS Attacks Occur?
Aaron stated the following when asked about his thoughts around why DDos attacks happen, “There are a number of reasons that criminals or vandals would want to take down a website.”
“It could be to ruin a competitor's business, preventing them from selling a product or service online.”
“It could be because the material that the website is offering is offensive or the criminal dislikes the website for any reason.”
“Attacks can also be used to 'attack' propaganda or misinformation websites or government websites that oppress their citizens - as well as the governments wanting to silence dissent.”
“Normally they are done for financial gain. A criminal can blackmail a company and until it pays up, the website will stay down.”
Ray also provided the following additional angle to why a DDoS attack may occur; “On some occasions, malicious actors will even seek to leverage DDoS attacks at specific IP addresses.”
“In this way, a DDoS attack can even be targeted at individual internet users - perhaps to knock them out of an online gaming tournament worth large sums of money to the winner.”
How Can You Stop DDoS Attacks?
“One of the key tenets of Security is Availability - that your data is available whenever you need it”, said Aaron.
“Part of this is making sure that your website is always accessible to your customers and your staff. Anyone putting anything accessible through the Internet, needs to make sure that the code that provides it is secure, and takes preventative measures to prevent DDoS or other attacks from being successful.”
“Having a security strategy for creating code and applications, as well as having that code audited is a crucial step in preventing these-and other attacks.”
Reuben Yonatan, CEO at GetVoIP seconds this in his response; “Code that is not up to date leaves your site vulnerable to DDos attacks as when you are running the most recent
version, you are more secure thanks to security patches and updates.”
“Unfortunately, most website owners are not diligent when it comes to updating code. By the end of this year, PHP will retire PHP 7.2. When that happens, more than half of PHP websites on the internet will be running a discontinued version of PHP and as a result these sites will be more vulnerable to DDoS attacks.”
Aaron continues; “Additionally, there are a number of services that provide 'Content Delivery Networks' (CDN) utilizing an 'Anycast Network' to spread the traffic out to all of it's servers, effectively diluting the effects of the attack.”
“The greatest problem in DDoS prevention and mitigation is always the challenge of determining what traffic is 'real' and what is 'bad'.”
There are a number of methods that have been used to help determine this:
“Black Hole Routing, where a network administrator just diverts all the traffic away - down a black hole - until the website is back up. This will address the immediate issue, but is obviously not a long term viable solution.”
“There are rate-limiting hardware and software solutions that limit the rate of requests an IP may make over a set period of time, which has proven to be effective.”
“The most popular option today is to use a reverse-proxy server or a Web Application Firewall (WAF) which acts as a first line of defense. If a DDoS begins, the WAF can quickly be changed to address the traffic situation by a set of rules, called policies.”
“Regardless of which solution or solutions are used, every organization should have discussed this with their web hosting provider prior to making their website live.”
In addition to this Artur, owner of Coding Skills blog contributed his list of top tips for DDos protection below;
- Use a well-trusted hosting provider such as AWS or Google Cloud which have tools to protect your website against DDoS attacks. For example, you can use AWS Shield.
- Filter suspicious IPs, and don’t allow requests from them.
- When you use cloud computing, you can set up auto scaling policies which will keep your website/services running in case of DDoS attack. You will have time to get rid of DDoS attacks while your website/service is still available to your customers.
Can I See The Biggest DDoS Attacks Happening Right Now?
Thanks to tools like Netscout's Cyber Threat Horizon it is possible to see a map of the biggest DDoS attacks as they happen. This map provides filters to allow users to see attacks by industry, destination, source and trigger type.
How Do Log Management Systems Help Identify DDoS Attacks?
Log analysis platforms are incredibly useful as a solution for DDoS monitoring and detection because of the real-time alerts and notifications they provide, allowing you to take the necessary steps to avoid downtime and resume regular service for your users.
The Logit.io platform is designed to identify spikes & allows you to easily configure spike alerts in the event activity indicative of a DDoS attack is spotted by our system.
Logit.io also enables users with the visibility necessary to spot which servers a DDos attack has affected and as a result which errors are occurring within your log data. This allows you to troubleshoot and resolve the damage caused by a DDoS attack fast.
Get started with a free 14-day trial to see how Logit.io can help secure your operations and prevent a DDoS attack today.