What are DDoS Attacks and How to Guard Against them
As of 2021, the most common Internet-based attack is the Distributed Denial of Service, or DDoS, attack. The main reason is how easy it is for hackers to execute one: even ‘script kiddies’ with limited hacking skills can launch a DDoS attack using a preconfigured hacking toolkit.
DDoS attacks are a relative of the SYN flood attacks of old, but now often use the Cloud to ramp up or multiply the damage. They deliberately overload servers with traffic until the servers can no longer function properly. This is a big problem for businesses because, for the duration of the attack, their servers are inoperable, resulting in lost revenue and/or downtime. In this article, we’ll discuss DDoS attacks and how businesses can guard against them.
What is a DDoS Attack
In a DDoS attack an attacker uses multiple, typically compromised, systems to send large amounts of traffic to a target, overwhelming the target system and denying access to legitimate users. These attacks come in three styles:
Application attacks begin a transaction with a website and then simply never finish it. This keeps the connection open for as long as possible, consuming as much of the server’s memory and storage as it can.
Protocol attacks make malicious connection requests with tailored headers to try to crash load balancers and firewalls as well as the targeted servers.
Volume attacks use brute force to overwhelm the targeted server’s bandwidth as much as possible. This can also affect equipment upstream of the target’s server, even its ISP.
So, what would one of these attacks actually look like? Imagine that an attacker is trying to overload a mail server with phony requests. This is an example of a volume attack. The attacker hopes to exhaust one of the resources the mail server needs to work, whether CPU, memory, storage, or bandwidth. It doesn’t matter which resource fails first; the attack succeeds as soon as errors pile up and requests for mail service are denied.
However, DDoS attacks are rarely that simple. It’s not just one attack coming at the server from a single source (a plain Denial of Service, or DoS), because that kind of attack would be trivial to stop: all that is needed to halt a plain DoS is to block the source as far upstream as possible, for example at the backbone provider level.
A DDoS attack is far more serious because it uses many different devices in unison, often from a variety of places and regions, which makes the attack traffic hard to distinguish from legitimate traffic. Botnets are the usual vehicle for this. These distributed attacks almost always target something high profile and publicly accessible, like a website, and recently they have even been used against VoIP providers, disrupting telecommunications.
What is a DDoS attack supposed to accomplish? Disruption and loss of income for the targeted business, or in some cases leverage for a ransom payment from the business being disrupted. Even when a DDoS attack doesn’t cause an outright crash, it can still be effective: websites may slow to a crawl, which drives away most legitimate users.
The long and short of it is that DDoS attacks are carried out by a malicious actor using Cloud and other compromised computer resources to attack a specific target. If a company is not prepared, the attack can do serious financial damage, and preparation typically requires planning for this specific type of attack before it happens.
How to Implement DDoS Protection
When it comes to DDoS attacks, the name of the game is detection and mitigation by an outside service. Conventional cybersecurity might help a company mitigate a smaller DDoS attack, but the bigger threats need to be handled by professionals. This typically involves placing a layer capable of handling and filtering out DDoS attacks between the vital services to be protected and the rest of the Internet.
For detection, open-source solutions such as Nagios are an option for small or medium-sized network setups. On the commercial side, firewall vendors often have proprietary monitoring and alerting, will provide mitigation recommendations, or offer a Cloud-based shield service that sits in front of your systems. Once a company has chosen its DDoS detection and prevention method and has a proper monitoring solution in place, it needs to fine-tune the settings so that the solution can detect attacks and, ideally, mitigate them automatically.
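The tuning described above comes down to thresholds over a traffic baseline. The following is an added example, not code from the article or from Nagios or any other product: it parses constructed access-log lines, buckets requests into fixed windows, and flags both a single noisy source (the plain DoS case) and a window whose aggregate exceeds baseline even though no single source stands out (the distributed case, where per-source blocking alone does not help). The window size and the two limits are assumptions that a real deployment would tune against its own traffic.

```python
"""Rate-based flood detection over web-server access logs.

Added illustration, not code from the article or from any monitoring product.
The log lines are constructed for the example, and the thresholds
(window_seconds, per_source_limit, aggregate_limit) are assumptions that a
real deployment would tune against its own baseline traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_seconds=10, per_source_limit=50, aggregate_limit=500):
    """Bucket requests into fixed windows and flag two flood signatures.

    - a single source exceeding per_source_limit within one window (plain DoS), and
    - a window whose total exceeds aggregate_limit although no single source
      stands out (the distributed case).
    Returns the noisy source IPs and the start of each spiking window (epoch seconds).
    """
    per_window = defaultdict(Counter)          # window start -> Counter(ip -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                           # skip unparseable lines rather than crash
        ip, ts = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        per_window[window][ip] += 1

    noisy, spikes = set(), []
    for window in sorted(per_window):
        hits = per_window[window]
        noisy.update(ip for ip, n in hits.items() if n > per_source_limit)
        if sum(hits.values()) > aggregate_limit:
            spikes.append(window)
    return {"noisy_sources": sorted(noisy), "spike_windows": spikes}


def build_sample_log():
    """Constructed access log covering three consecutive 10-second windows."""
    t0 = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512'

    lines = []
    # Window 0: 20 ordinary requests from five clients (baseline traffic).
    lines += [entry(f"203.0.113.{i % 5 + 1}", i % 10) for i in range(20)]
    # Window 1: one source sends 80 requests (single-source flood).
    lines += [entry("10.0.0.5", 10 + i % 10) for i in range(80)]
    # Window 2: 120 bots send 5 requests each. No bot trips the per-source
    # limit, but the aggregate (600) exceeds the baseline limit.
    lines += [entry(f"198.51.100.{b + 1}", 20 + (b + k) % 10)
              for b in range(120) for k in range(5)]
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

Running it reports `10.0.0.5` as the only noisy source and the third window as the only aggregate spike; the 120 bots never appear individually, which is exactly why distributed traffic needs an aggregate baseline and not just per-source limits.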
A front-end Cloud service that mitigates DDoS threats normally uses a process called upstream filtering to blunt, and eventually eliminate, the hostile traffic. Filtering happens in two steps. First, the provider activates the availability protection service (APS). APS is a mini traffic-scrubbing facility that uses anonymized traffic information from hundreds of contributing ISPs to determine unsafe sources. This step is critical because DDoS attacks can drag on at low volumes even after the main attack has been blunted.
Second, the service uses a Cloud-based routing solution designed to redirect traffic to nodes that scrub out the DDoS-related packets. This consists of packet dropping, filtration, load balancing, and absorption techniques that neutralize the majority of the DDoS attack while blocklists are assembled. That blunts the bulk of the attack, and the APS picks up the residual low-volume flow.
With both the long-term and short-term threats handled, a business should quickly be able to resume normal services.
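To make the scrubbing step concrete, here is an added example of "packet dropping, filtration ... while blocklists are assembled". It is not the implementation of any commercial scrubbing service: the per-source token-bucket rate limiter, the rule that a source is added to the blocklist after repeated rate drops, and the packet stream are all assumptions constructed for the illustration. Time is kept in integer milliseconds and tokens in thousandths so that the arithmetic is exact.

```python
"""Traffic scrubbing with a blocklist and per-source token buckets.

Added illustration, not code from the article or from any scrubbing service.
The token-bucket limiter, the auto-blocklisting rule and the packet stream are
assumptions constructed for the example.
"""
from collections import Counter


class Scrubber:
    def __init__(self, blocklist=(), rate_per_sec=2, burst=5, autoblock_after=20):
        self.blocklist = set(blocklist)           # sources dropped unconditionally
        self.rate = rate_per_sec                  # refill: rate_per_sec milli-tokens per ms
        self.capacity = burst * 1000              # bucket size in milli-tokens
        self.autoblock_after = autoblock_after    # rate drops before a source is blocklisted
        self._buckets = {}                        # ip -> (milli_tokens, last_seen_ms)
        self._rate_drops = Counter()

    def admit(self, ip, now_ms):
        """Decide one packet: 'forward', 'drop_blocklist' or 'drop_rate'."""
        if ip in self.blocklist:
            return "drop_blocklist"
        tokens, last = self._buckets.get(ip, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:                        # one whole token pays for one packet
            self._buckets[ip] = (tokens - 1000, now_ms)
            return "forward"
        self._buckets[ip] = (tokens, now_ms)
        self._rate_drops[ip] += 1
        if self._rate_drops[ip] >= self.autoblock_after:
            self.blocklist.add(ip)                # persistent offender: stop spending cycles on it
        return "drop_rate"

    def process(self, packets):
        """Run a time-ordered stream of (ip, ms) packets; return counts per outcome."""
        stats = {"forward": 0, "drop_blocklist": 0, "drop_rate": 0}
        for ip, now_ms in packets:
            stats[self.admit(ip, now_ms)] += 1
        return stats


def build_sample_stream():
    """Constructed packet stream: a well-behaved client, a known-bad source, and a flooding bot."""
    packets = []
    packets += [("203.0.113.10", t * 1000) for t in range(10)]     # 1 packet/s for 10 s
    packets += [("192.0.2.66", t * 100) for t in range(10)]        # already on the blocklist
    packets += [("198.51.100.7", t * 20) for t in range(50)]       # 50 packets in under 1 s
    return sorted(packets, key=lambda p: p[1])                     # stable sort keeps per-source order


def run_example():
    scrubber = Scrubber(blocklist={"192.0.2.66"})
    stats = scrubber.process(build_sample_stream())
    return stats, sorted(scrubber.blocklist)


if __name__ == "__main__":
    print(run_example())
```

With these settings the well-behaved client gets all 10 packets through, the known-bad source is dropped outright, and the bot gets its first burst of 5 through before the limiter drops it; after 20 rate drops it is moved to the blocklist, so its remaining packets are discarded by the cheaper blocklist check. That is the "absorb now, blocklist later" pattern described above.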
What to do after a DDoS Attack
It’s usually pointless to dedicate company resources to seeking out the perpetrators of a DDoS attack; they will be hiding behind several layers of anonymity.
Instead, one of the best things to do after suffering a DDoS attack is to report it to the relevant authorities. In Canada, the Cyber Centre should be the first stop. Multinational firms (by far the most common targets for DDoS) should also inform the authorities in the countries that provide mirrored hosting. In the US that would be the FBI Cybercrimes division, via the Internet Crime Complaint Center, and in the UK it would be the Action Fraud Cyber Crime Team.
These dedicated government teams can work hand in hand with DDoS mitigation services to track down some of the nodes used to perpetrate the attack. From there, the kind of botnet used to coordinate the traffic may be identified. A surprising number of black hat hackers are caught because they brag about their ‘accomplishment’ on social media, making it far easier for law enforcement to identify them and bring them to justice.
When it comes to securing businesses against Internet threats, Outsource IT will always offer a complimentary consultation and sound advice. Our business IT security offering proactively finds, logs and eliminates most threats before they lead to downtime and irreparable damage. Contact an Outsource IT account manager to learn more.