A Distributed Denial of Service (DDoS) attack is an attempt to take down a web server or online system by overwhelming it with data. DDoS attacks can be simple mischief, revenge, or hacktivism, and can range from a minor annoyance to long-term downtime resulting in loss of business.
How Does a DDoS Attack Work?
DDoS attacks are most often carried out by botnets, large groups of compromised computers acting in concert, that simultaneously flood a website or service provider with requests.
Attackers use malware or unpatched vulnerabilities to install Command and Control (C2) software on users’ systems to create a botnet. DDoS attacks rely on a high number of computers in the botnet to achieve the desired effect, and the easiest and cheapest way to get control of that many machines is by leveraging exploits. The recent DYNDNS attack exploited WIFI cameras with default passwords to create a huge botnet.
Once the botnet is ready, the attackers send the start command to all of their botnet nodes, and the nodes then send their programmed requests to the target server. If the attack makes it past the outer defenses, it quickly overwhelms most systems, causing service outages and, in some cases, crashing the server. The end result of a DDoS attack is primarily lost productivity or service interruption: customers can’t reach the website.
While that may sound benign, the cost of a DDoS attack averaged $2.5 million in 2017. Hackers launch DDoS attacks for reasons ranging from childish pranks to revenge against a business to political activism.
Common Types of DDoS Attacks
Application Layer Attacks
Application layer DDoS attacks aim to exhaust the resources of the target and disrupt access to the target’s website or service. Attackers program the bots with a complicated request that taxes the target server as it tries to respond. The request might require database access or large downloads. If the target gets several million of those requests in a short time, it can very quickly get overwhelmed and either slow to a crawl or lock up completely.
An HTTP Flood attack, for example, is an application layer attack that targets the victim’s web server and uses many rapid HTTP requests to bring the server down. Think of it as pressing the refresh button in rapid-fire mode on your game controller. That kind of traffic from many thousands of computers at once will quickly drown the web server.
Protocol Attacks
Protocol DDoS attacks target the networking layer of the target systems. Their goal is to overwhelm the table space of the core networking services, the firewall, or the load balancer that forwards requests to the target.
In general, network services work off a first in, first out (FIFO) queue. The first request comes in, the computer processes it, then goes and gets the next request in the queue, and so on. The queue has a limited number of slots, and in a DDoS attack it fills up so fast that the computer no longer has the resources to deal with even the first request.
A SYN flood attack is a specific protocol attack. In a standard TCP/IP network transaction, there is a 3-way handshake. Its parts are the SYN, the ACK, and the SYN-ACK. The SYN is the first part, which is a request of some kind; the ACK is the response from the target; and the SYN-ACK is the original requester saying “thanks, I got the information I requested.” In a SYN flood attack, the attackers create SYN packets with fake IP addresses. The target then sends an ACK to the dummy address, which never responds, and the target sits there waiting for all those responses to time out, which exhausts the resources needed to process all of these fake transactions.
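The queue exhaustion described above, as an added example that is not part of the original article: a toy model of a server’s half-open connection backlog under a flood of SYNs from spoofed addresses. Every entry waits for a final handshake packet that a spoofed address will never send, so entries only leave when they time out. The backlog size, timeout and spoofed addresses are constructed values.

```python
# Added example (not from the original article): a toy model of a server's
# half-open TCP connection backlog under a SYN flood from spoofed sources.
# Each slot waits for a handshake completion that never arrives, so slots
# are only freed by the timeout; a long timeout lets a slow flood fill them.
from collections import deque

BACKLOG_SIZE = 128        # assumed: slots available for half-open connections
HALF_OPEN_TIMEOUT = 60.0  # assumed: seconds a half-open entry waits before expiry

class SynBacklog:
    def __init__(self, size=BACKLOG_SIZE, timeout=HALF_OPEN_TIMEOUT):
        self.size = size
        self.timeout = timeout
        self.pending = deque()   # (expires_at, src_ip), oldest first
        self.dropped = 0         # SYNs refused because the backlog was full

    def _expire(self, now):
        # half-open entries whose wait has run out are released
        while self.pending and self.pending[0][0] <= now:
            self.pending.popleft()

    def on_syn(self, src_ip, now):
        """Return True if the SYN got a backlog slot, False if it was dropped."""
        self._expire(now)
        if len(self.pending) >= self.size:
            self.dropped += 1    # any new client, legitimate or not, is refused here
            return False
        self.pending.append((now + self.timeout, src_ip))
        return True

def simulate_flood(rate_per_sec, seconds, timeout=HALF_OPEN_TIMEOUT):
    """Feed `rate_per_sec` spoofed SYNs per second; return (dropped, still_pending)."""
    backlog = SynBacklog(timeout=timeout)
    for sec in range(seconds):
        for i in range(rate_per_sec):
            # constructed spoofed source addresses; none completes the handshake
            spoofed = f"198.51.100.{(sec * rate_per_sec + i) % 254 + 1}"
            backlog.on_syn(spoofed, float(sec))
    return backlog.dropped, len(backlog.pending)

if __name__ == "__main__":
    # 10 spoofed SYNs/s for 30 s: with a 60 s timeout the 128 slots fill after
    # about 13 s and every later SYN is refused.
    print(simulate_flood(10, 30))             # (172, 128)
    # The same trickle against a 5 s half-open timeout never fills the backlog.
    print(simulate_flood(10, 30, timeout=5))  # (0, 50)
```

Shortening the half-open timeout (or using SYN cookies, which avoid storing state for unverified clients at all) is why the same flood that fills the backlog in the first run never fills it in the second.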
Volumetric Attacks
The goal of a volumetric attack is to use the botnet to generate a massive amount of traffic and clog up the works on the target. Think of it like an HTTP Flood attack, but with an added exponential response component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop wouldn’t be able to fulfill those requests. Volumetric attacks operate on the same principle. They request something from the target that will vastly increase the size of the response, and the amount of traffic explodes and clogs up the server.
DNS Amplification is a kind of volumetric attack. In this case, the attackers hit the DNS server directly and request a large amount of data back from it, which can bring the DNS server down and cripple anyone that relies on that DNS server for name resolution.
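The outsized responses described above are what a defender can look for in traffic. As an added example that is not part of the original article, the following scans constructed flow records for two signs of DNS amplification: a response-to-query byte ratio far above what ordinary lookups produce, and a host receiving DNS answers it never asked for (its address was spoofed in the queries, a detail this article does not spell out). The addresses, sizes and threshold are constructed values.

```python
# Added example (not from the original article): flag hosts whose DNS traffic
# looks like the receiving end of an amplification attack.
from collections import defaultdict

DNS_PORT = 53
MAX_NORMAL_RATIO = 10.0   # assumed: an ordinary answer is only a few times its query

# constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("192.0.2.10", 40001, "203.0.113.53", DNS_PORT, 60),    # normal query
    ("203.0.113.53", DNS_PORT, "192.0.2.10", 40001, 180),   # normal answer
    ("192.0.2.20", 40002, "203.0.113.53", DNS_PORT, 64),    # tiny query ...
    ("203.0.113.53", DNS_PORT, "192.0.2.20", 40002, 3200),  # ... huge answer
    ("203.0.113.53", DNS_PORT, "192.0.2.99", 40003, 3400),  # answers to a host
    ("203.0.113.54", DNS_PORT, "192.0.2.99", 40004, 3400),  # that sent no query
    ("203.0.113.55", DNS_PORT, "192.0.2.99", 40005, 3400),
]

def analyse_dns_flows(flows, max_ratio=MAX_NORMAL_RATIO):
    """Return {host: reason} for hosts that look like amplification victims."""
    query_bytes = defaultdict(int)     # host -> bytes it sent to port 53
    response_bytes = defaultdict(int)  # host -> bytes it received from port 53
    for src, sport, dst, dport, size in flows:
        if dport == DNS_PORT:
            query_bytes[src] += size
        elif sport == DNS_PORT:
            response_bytes[dst] += size
    findings = {}
    for host, received in response_bytes.items():
        sent = query_bytes.get(host, 0)
        if sent == 0:
            # answers without questions: the host's address was used by someone else
            findings[host] = "unsolicited DNS responses (reflection victim)"
        elif received / sent > max_ratio:
            findings[host] = f"amplification ratio {received / sent:.1f}x"
    return findings

if __name__ == "__main__":
    for host, reason in analyse_dns_flows(FLOWS).items():
        print(host, reason)
```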
DDoS Attacks Today
Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to business. Attack sizes are increasing, growing from 150 requests per second in the 1990s – which would bring a server of that era down – to the recent DYNDNS attack and GitHub attack at 1.2 TBs and 1.35 TBs respectively. The goal in both of these attacks was to disrupt two major sources of productivity across the globe.
These attacks used new techniques to achieve their huge bandwidth numbers. The Dyn attack used a botnet of Internet of Things (IoT) devices, known as the Mirai botnet, built by exploiting those devices. Mirai used open telnet ports and default passwords to take over wifi-enabled cameras to execute the attack. This attack was a childish prank but exposed a major vulnerability that comes with the proliferation of IoT devices.
The GitHub attack exploited the many thousands of servers on the open internet running memcached, an open-source memory caching system. Memcached happily responds with huge amounts of data to simple requests, so leaving these servers on the open internet is a definite no-no.
Both of these attacks show a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? On the bright side, GitHub wasn’t even brought down by the attack.
What’s more, DDoS attacks have never been easier to execute. With multiple DDoS-as-a-Service options available, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to execute a DDoS attack against their target of choice.
How to Mitigate a DDoS Attack
How did GitHub survive that massive DDoS attack? Planning and preparation, of course. After 10 minutes of intermittent outages the GitHub servers activated their DDoS mitigation service. The mitigation service rerouted incoming traffic and scrubbed the malicious packets, and about 10 minutes later the attackers gave up.
In addition to paying for DDoS mitigation services from companies like CloudFlare and Akamai, you can employ your standard endpoint security measures. Patch your servers, keep your memcached servers off the open internet, and train your users to recognize phishing attacks.
You can turn on Black Hole Routing during a DDoS attack to send all traffic for the targeted address into the abyss. You can set up rate limiting to cap the number of requests a server accepts from a client in a short amount of time. A properly configured firewall can also protect your servers.
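The rate limiting mentioned above, as an added example that is not part of the original article: a per-client sliding-window limiter of the kind a reverse proxy or firewall applies in front of a web server. Each client is admitted at most `limit` times in any `window_ms` span, and the surplus is refused before it reaches the application, so one flooding source cannot consume the whole request queue. The request log, addresses and limits are constructed values.

```python
# Added example (not from the original article): per-client sliding-window
# rate limiting. Only admitted requests count against the window, and
# rejected ones are tallied so persistent offenders can be identified.
from collections import defaultdict, deque

class SlidingWindowLimiter:
    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.admitted = defaultdict(deque)  # ip -> timestamps of admitted requests
        self.rejected = defaultdict(int)    # ip -> how many requests were refused

    def allow(self, client_ip, now_ms):
        """Return True if the request is admitted, False if it is rate limited."""
        q = self.admitted[client_ip]
        cutoff = now_ms - self.window_ms
        while q and q[0] <= cutoff:         # forget admissions older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[client_ip] += 1   # quota used up: refuse this request
            return False
        q.append(now_ms)
        return True

def apply_limiter(requests, limit=20, window_ms=1000):
    """requests: (timestamp_ms, client_ip) pairs; return {ip: [admitted, rejected]}."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return dict(stats)

# constructed request log: one bot sending 100 requests/s for 2 s, and one
# person loading a page every half second
REQUESTS = [(i * 10, "198.51.100.7") for i in range(200)] + \
           [(i * 500, "192.0.2.44") for i in range(4)]

if __name__ == "__main__":
    # the bot gets 20 requests through per second (40 total), 160 are refused;
    # the person is never touched
    print(apply_limiter(REQUESTS))
```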
Varonis monitors your DNS, VPN, proxies, and data to help detect signs of an impending DDoS attack against your corporate network. Varonis Data Security Analytics tracks behavior patterns and generates warnings when current behavior matches a threat model or deviates from standard behavior. This can include malware botnet activity or significant increases in network traffic. Get a live 1:1 demo to see how Varonis protects your data from DDoS attacks and more.