A Distributed Denial of Service (DDoS) attack is an attempt to crash a web server or online system by overwhelming it with data. DDoS attacks can be simple mischief, revenge, or hacktivism, and can range from a minor annoyance to long-term downtime resulting in loss of business.
Hackers hit GitHub with a DDoS attack of 1.35 terabytes of data per second in February of 2018. That’s a massive attack, and it’s doubtful that it will be the last of its kind.
Get the Free Pen Testing Active Directory Environments EBook
Unlike ransomware or attacks from APT groups, which are financially motivated, DDoS attacks are more disruptive and annoying. How bad can it get? Thousands of avid gamers couldn’t get on Classic WoW because of a DDoS attack! The point is attackers don’t make money off of a DDoS attack – they’re simply doing it to cause pain.
How Does a DDoS Attack Work?
DDoS attacks most often work by botnets – a large group of distributed computers that act in concert with each other –simultaneously spamming a website or service provider with data requests.
Attackers use malware or unpatched vulnerabilities to install Command and Control (C2) software on user’s systems to create a botnet. DDoS attacks rely on a high number of computers in the botnet to achieve the desired effect, and the easiest and cheapest way to get control of that many machines is by leveraging exploits.
The DYNDNS attack exploited WIFI cameras with default passwords to create a huge botnet. Once they have the botnet ready, the attackers send the start command to all of their botnet nodes, and the botnets will then send their programmed requests to the target server. If the attack makes it past the outer defenses, it quickly overwhelms most systems, causes service outages, and in some cases, crashes the server. The end-result of a DDoS attack is primarily lost productivity or service interruption – customers can’t see a website.
While that may sound benign, the cost of a DDoS attack averaged $2.5 million in 2017. Kaspersky reports that DDoS attacks cost small businesses $120,000 and enterprises $2,000,000. Hackers engage DDoS attacks for anything ranging from childish pranks to revenge against a business to express political activism.
DDoS attacks are illegal under the Computer Fraud and Abuse Act. Starting a DDoS attack against a network without permission is going to cost you up to 10 years in prison and up to a $500,000 fine.
What is the Difference Between a DoS and a DDoS Attack?
A Denial of Service (DoS) attack includes many kinds of attacks all designed to disrupt services. In addition to DDoS, you can have application layer DoS, advanced persistent DoS, and DoS as a service. Companies will use DoS as a service to stress test their networks.
In short, DDoS is one type of DoS attack – however, DoS can also mean that the attacker used a single node to initiate the attack, instead of using a botnet. Both definitions are correct.
What Does a DDoS Attack Mean for My Security?
You need to prepare and plan to manage a DDoS attack against your systems. You need to monitor, generate alerts, and quickly diagnose a DDoS attack in progress. The next step is shutting down the attack quickly without affecting your users. You can block the IP addresses using your Next-Gen Firewall, or close inbound traffic to the targeted system and failover to a backup. There are other response plans you can implement, make sure to have one.
Common Types of DDoS Attacks
There are several different ways attackers perpetuate a DDoS attack. Here are some of the most recognized:
Application Layer Attacks
Application layer DDoS attacks aim to exhaust the resources of the target and disrupt access to the target’s website or service. Attackers load the bots with a complicated request that taxes the target server as it tries to respond. The request might require database access or large downloads. If the target gets several million of those requests in a short time, it can very quickly get overwhelmed and either slowed to a crawl or locked up completely.
An HTTP Flood attack, for example, is an application layer attack that targets a web server on the target and uses many fast HTTP requests to bring the server down. Think of it as pressing the refresh button in rapid-fire mode on your game controller. That kind of traffic from many thousands of computers at once will quickly drown the webserver.
Protocol DDoS attacks target the networking layer of the target systems. Their goal is to overwhelm the tablespaces of the core networking services, the firewall, or load balancer that forwards requests to the target.
In general, network services work off a first-in, first-out (FIFO) queue. The first request comes in, the computer processes the request, and then it goes and gets the next request in the queue so on. Now there are a limited number of spots on this queue, and in a DDoS attack, the queue could become so huge that there aren’t resources for the computer to deal with the first request.
A SYN flood attack is a specific protocol attack. In a standard TCP/IP network transaction, there is a 3-way handshake. They are the SYN, the ACK, and the SYN-ACK. The SYN is the first part, which is a request of some kind, the ACK is the response from the target, and the SYN-ACK is the original requester saying “thanks, I got the information I requested.” In a SYN flood attack, the attackers create SYN packets with fake IP addresses. The target then sends an ACK to the dummy address, which never responds, and it then sits there and waits for all those responses to time out, which in turn exhausts the resources to process all of these fake transactions.
The goal of a volumetric attack is to use the botnet to generate a major amount of traffic and clog up the works on the target. Think of like an HTTP Flood attack, but with an added exponential response component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop wouldn’t be able to fulfill those requests. Volumetric attacks operate on the same principle. They request something from the target that will vastly increase the size of the response, and the amount of traffic explodes and clogs up the server.
DNS Amplification is a kind of volumetric attack. In this case, they are attacking the DNS server directly and requesting a large amount of data back from the DNS server, which can bring the DNS server down and cripple anyone that is using that DNS server for name resolution services.
How Can DDoS Attacks Be Prevented?
How did GitHub survive that massive DDoS attack? Planning and preparation, of course. After 10 minutes of intermittent outages, the GitHub servers activated their DDoS mitigation service. The mitigation service rerouted incoming traffic and scrubbed the malicious packets, and about 10 minutes later the attackers gave up.
In addition to paying for DDoS mitigation services from companies like Cloudflare and Akamai, you can employ your standard endpoint security measures. Patch your servers, keep your Memcached servers off the open internet, and train your users to recognize phishing attacks.
You can turn on Black Hole Routing during a DDoS attack to send all traffic to the abyss. You can set up rate limiting to cap the number of requests a server gets in a short amount of time. A properly configured firewall can also protect your servers.
Varonis monitors your DNS, VPN, Proxies, and data to help detect signs of an impending DDoS attack against your corporate network. Varonis tracks behavior patterns and generates warnings when current behavior matches a threat model or deviates from standard behavior. This can include malware botnet attacks or significant increases in network traffic that indicate a DDoS attack.
DDoS Attacks Today
Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to business. Attack sizes are increasing, growing from 150 requests per second in the 1990s – which would bring a server of that era down – to the recent DYNDNS attack and GitHub attack at 1.2 TBs and 1.35 TBs respectively. The goal in both of these attacks was to disrupt two major sources of productivity across the globe.
These attacks used new techniques to achieve their huge bandwidth numbers. The Dyn attack used an exploit found in Internet of Things (IoT) devices to create a botnet, called the Mirai Botnet attack. Mirai used open telnet ports and default passwords to take over WiFi-enabled cameras to execute the attack. This attack was a childish prank but presented a major vulnerability that comes with the proliferation of the IoT devices.
The GitHub attack exploited the many thousands of servers running Memcached on the open internet, an open-source memory caching system. Memcached happily responds with huge amounts of data to simple requests, so leaving these servers on the open internet is a definite no-no.
Both of these attacks show a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? On the bright side, GitHub wasn’t even brought down by the attack.
What’s more, DDoS attacks have never been easier to execute. With multiple DDoS-as-a-Service options available, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to execute a DDoS attack against their target of choice.
In September of 2019, attackers hit both Wikipedia and Classic World of Warcraft with DDoS attacks. Currently, there isn’t any indication these attacks are new technology but stay tuned for any updates.
DDoS Attack FAQ
A quick look at the answers to common questions people have about DDoS attacks.
Q: What does DDoS mean?
A: DDoS stands for Distributed Denial of Service. Using multiple connected online devices known as a botnet, a DDoS attack aims to overwhelm the capacity limits of a website's network resources with fake traffic.
Q: What happens during a DDoS attack?
A: During a DDoS attack the distributed computers – botnet – spam the target with as many data requests as possible.
Q: Are DDoS attacks illegal?
A: Yes, it is illegal to use DDoS techniques to disrupt a target without permission. It’s a good practice to set up a DDoS drill so you can practice your Incident Response plan for DDoS attacks, which is a legal use of DDoS.
Q: In a DDoS attack, what communications channel is commonly used to orchestrate the attack?
A: HTTP, DNS, and TCP/IP requests are common protocols used for DDoS attacks.
DDoS attacks can be disruptive, so take a proactive approach and build an Incident Response plan to respond quickly. Varonis’ unique combination of monitoring and threat detection capabilities give you a head start on your DDoS strategy.
Check a Live Cyber Attack Demo webinar to see Varonis in action.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.