DDoS attacks are rising, as more and more vulnerabilities are discovered and machines are compromised. As they spread, it is important for a network administrator to understand what they are, and how to address them when they come. Because they will come, it’s only a matter of time.
What is a DDoS attack?
Denial-of-service (DoS) attacks have been part of the criminal toolbox for twenty years, and they’re growing more potent with botnets. Distributed denial of service (DDoS) attacks differ, in that they are executed by a network of many nodes. They may be a singular attack event or an advanced persistent attack, adding load to a network, reoccurring and morphing over time to reach an intended goal. Thus, the cumulative effect of DDoS attacks makes them deadly.
DoS attacks can be mischief, revenge, or hacktivism, and can range from a minor annoyance to long-term downtime, resulting in loss of business. Whereas DDoS attacks don’t just disrupt the regular traffic, they are designed to overwhelm a target server or target network or its surrounding infrastructure with a flood of Internet traffic (floods attacks). DDoS attacks are dangerous, by their very nature; masking the attacker, being distributed, shape-shifting, persistent, volumetric, and conducted with criminal intent, is what makes them dangerous to your network’s and business’s health.
How does a DDoS attack work?
DDoS is an abbreviation of “distributed denial of service”
- “Distributed”, meaning many nodes scattered across the internet.
- “DoS” means denial of service, meaning it prevents legitimate traffic from reaching its intended destination.
The hallmark of DDoS attacks is the distributed nature of the attacking machines. Spread around the globe, they are impossible to contain and shut off. DDoS attacks drown a system with requests for data. This could be sending a web server so many requests to serve a page, crashing the server or a database. Simply, the available Internet bandwidth, CPU, and RAM capacity are overwhelmed.
In DDoS attacks, the attack is launched from many compromised devices, in a botnet, flooding a target server or target network with malicious traffic. Owners of the devices involved in the attack, rarely have no clue that the attacks are being conducted using their systems. Often these infected devices have been recruited into a botnet with a large number of distributed computers, like the Mirai botnet,
DDoS attacks today are one of the most potent weapons cybercriminals have on the Internet. When you hear about a company being brought down by hackers, it generally means the company has been taken offline by a DDoS attack. What happens, during a web server, each bot sends consistent traffic requests to the host IP address. It’s the combined impact of all the devices, and their flood of requests, that overwhelms the webserver, forcing it to deny legitimate website visitors entry (or service).
Increasingly, the millions of devices that constitute the ever-expanding Internet of Things (IoT) are being hacked and used to become part of the botnets used to deliver DDoS attacks, especially those that have been recruited into the Mirai botnet. The security of devices that make up the IoTs is generally not as advanced as the security software found in computers and laptops. That can leave the devices vulnerable for cybercriminals to exploit in creating more expansive botnets.
How are DDos attacks launched?
The recruited cyber armies of bots can lie dormant until they’re given orders. This is where using peer-to-peer communications or a command and control server (C2) within the botnet comes into play. Cybercriminals simply issue instructions to the network of compromised devices, and when ordered, the infected or vulnerable devices use a tiny portion of their processing power to send fake traffic to a targeted server or website, and, bang! That’s how a DDoS attack is launched.
Why are DDoS attacks successful?
DDoS attacks are usually successful due to their distributed nature and the difficulty discerning between legitimate users and fake traffic. The attacks in themselves do not constitute a breach but overwhelm a target server to knock it offline. Usually, DDoS attacks are deployed to retaliate against a company or service or for political reasons. Sometimes, however, cybercriminals will use DDoS attacks as a smokescreen to distract attention, while they act on a more severe hidden compromise that may eventually lead to a full-blown breach.
A DDoS attack in itself is simple; although attacks can range in sophistication. It is a cyberattack on an email server, web server, service that overwhelms the target server or target network, rendering it inoperable or unreachable.
What types of DDoS attacks exist?
Network connections on the Internet consist of different layers of the Open Systems Interconnection model. Thus, just like the layers, there are different types of DDoS attacks, each focusing on a separate layer.
- Application attacks
The attacks on layer 7 are referred to as Application Layer, DDoS attacks.
Application attacks, aim to exhaust the target’s “application” resources, denying service to legitimate users.
- Protocol attacks
These types of attacks utilize networking protocols weaknesses in layer 3 and layer 4 of the protocol stack, sending malformed requests to a server, rendering the target server inaccessible.
Protocol attacks consume server resources, or those of the intermediate communication equipment, such as firewalls and load balancers.
- Volumetric attacks
Volumetric attacks create congestion, using amplification and target DNS servers. The botnet sends a large volume of fake DNS packets. This type of attack, a DNS Flood is one of the most difficult DDoS attacks to prevent and recover from.
Another type of volumetric attack that exploits normally benign publicly available NTP servers, uses these normally benign servers to overwhelm a target server with UDP traffic. Volumetric attacks consume all available bandwidth between the target server, target networks and the Internet.
A huge hurdle to thwarting DDoS is that it spans many tactics and systems. A DDoS attack is when an attacker or multiple attackers block access to:
- Servers (web server, application servers, email servers, and more)
- Devices (computers, firewalls)
- Services or applications
- Specific transactions within applications
Botnets for hire
Assembling the botnets necessary to conduct DDoS attacks can be time-consuming and challenging. Therefore, Cybercriminals have developed a business model in which the more sophisticated criminals create the botnets and then sell or lease them, as a service, to other criminals. They do their trading on the dark web, where criminals can anonymously buy, sell, and rent not only botnets, but also buy and sell stolen credit card numbers.
They trade through the deep web and the dark web. Botnets are leased on the deep web and dark web for as little as a couple of hundred dollars. Various shady websites sell a range of illegal goods, services, and stolen data.
In some ways, these websites operate like conventional online retailers. They may provide customer guarantees, discounts, and user ratings.
How DDoS attacks evolve
Another trend is using multiple attack vectors within a single attack. This is also known as Advanced Persistent Denial-of-Service APDoS. For instance, an APDoS attack may involve the application layer, including attacks against databases and applications, and directly on the server. Attackers often don’t directly target individual victims, but target networks or organizations they depend on, like ISPs and cloud providers.
This changes the impact of DDoS attacks on organizations and expands their risk. Businesses are no longer merely concerned with DDoS attacks on themselves, but attacks on their business partners, vendors, and suppliers. Today, the weakest link is a third party, whoever they are.
How long does a DDoS attack last?
A DDoS attack will last until an attacker realizes an attack has stopped working, after which, if the attacker is persistent, they will attempt other methods to attack their target victim.
The period of each attack is case-by-case, so the honest answer is “until it stops.”
However, the good news is that DDoS protection has become a requirement for all organizations that value online availability. Therefore, DDoS attacks which may happen to you may be short and occasional.
Typical denial of service attacks last an average of 10 minutes to 40 minutes. These are people who want to disrupt a competitor for a short period. Typically, if an attack is mitigated, the attackers seem to give up and move on to the next target.
2.5 days to more than 2 weeks
If an attack goes on for more than a few days, it may be worth investing in a service provider equipped to help. Regardless if you are attacked, you should notify your ISP or hosting provider as early as possible, as they can filter traffic upstream, to negate the impact. Blocks at the ISP can remain in place for a few days or several weeks until the attack stops.
If your network has no protection, the attacker will realize you may be easily compromised and may use its botnet resources to continue the attack on you for weeks.
DDoS attacks today have never been easier to execute. With multiple DDoS-as-a-Service options, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to perform a DDoS attack against their target of choice.
DDoS attacks are on the rise
With IoT, 5G, and machine learning all growing, attackers are starting to integrate these technologies into their attacks. Last year, 2020 witnessed two of the largest DDoS attacks ever recorded against Amazon and Google. No target network is too large, everyone is vulnerable.
To amass a network of that size, cybercriminals coordinate the infected machines, to look for other machines that are vulnerable to attack. Bots don’t spend most of their time attacking, they simply keep probing and looking for ways to trick people into downloading malicious files and into spreading malware for them. That said, malware isn’t the only means of recruiting devices. Many companies and consumers practice such poor password habits, that malicious actors can scan the Internet for connected devices with known factory credentials or easy-to-guess passwords (“password,” for example) to gain access. Once logged in, cyber criminals easily infect and recruit the device into their cyber army.
Why are DDoS attacks dangerous?
The motivation behind a DDoS attack ranges from personal vendettas to political activism. Hacktivist groups launch some attacks, like the ubiquitous group Anonymous.
- Not only is DDoS a way for hackers to protest against Internet censorship and political initiatives, but it also offers an opportunity to achieve nefarious goals.
- For instance, the latest tweak in this epidemic is what’s called “ransom DDoS,” a technique used to extort money from organizations in exchange for discontinuing a massive incursion.
Thousands of avid gamers couldn’t get on Classic WoW because of a DDoS attack! The point is attackers don’t make money off of a DDoS attack – they’re simply doing it to cause pain. But conversely, Ransomware attacks from Advanced Persistent Threat (APT) groups are financially motivated, ransoming millions of dollars from their victims. Additionally, cyberterrorists use DDoS attacks to slow down websites of utility companies, banks, and even entire governments. In general, these motivations fit into the following attack types:
- Ideological attackers
- Corporate sabotage or business feuds
- Cybercriminal smokescreen
- Nation-State cyber-warfare
As organizations have grown more dependent on the Internet and web-based applications and services, availability has become the lifeblood of business, and as essential as electricity. DDoS is a threat to retailers, financial services, and gaming companies with an obvious need for availability. DDoS also attacks and targets the mission-critical business applications of any organization that relies on the internet to manage daily operations, including email, CRM, and many other applications. Industries, including manufacturing, pharma, and healthcare, have web applications that manage their supply chain, making it essential for their other business partners to have access to daily business operations. All these systems and processes, and more, are targets for today’s sophisticated cyber attackers.
What are the consequences of a successful DDoS attack?
When a public-facing web server or application is unavailable, it can lead to angry customers, lost revenue, and brand damage. When business-critical applications become unavailable, operations and productivity grind to a halt and an attack goes on for weeks, it’s possible for the business to cease operations.
Is it illegal to conduct a DDoS attack?
The short answer is YES, DDoS attacks are illegal, and the penalties are STIFF.
According to the Federal Computer Fraud and Abuse Act;
- conducting a DDoS attack can result in a
prison sentence of up to 10 years and a $500,000 fine
- while conspiring with an attacker in a DDoS attack, can result in a
prison sentence of up to 5 years and a $250,000 fine.
Does a VPN stop DDoS attacks?
If you are a home user, VPN services are a terrific way to not only stop some DDoS attacks but hide your identity, so they never occur. That said, though, if your VPN company could have poorly implemented DDoS protection, attackers might already have your IP address, in which case there’s not much a VPN can do. However, when used correctly and set up in advance of an attack, VPN services remain one of the best tactics to stay ahead of DDoS attacks.
So, DDoS is simply overwhelming. But it doesn’t have to be. Use a VPN to start, and install network and application firewalls. Also, host your website using a CDN, like CloudFlare or Akamai providers. Go without, and you will regret it. A DDoS attack is coming, it’s only a matter of when. Prepare now.
If you are an ISP or hosting company and you would like to find out more about how to prevent DDoS attacks from being mounted within your hosted network space, get in touch with our team.