It’s common to see websites, whether for small online stores, news outlets or government portals, going down due to excess traffic. This may happen because of sudden unexpected success – in the case of ticket sales or new video game launches – but, more often than not, overwhelming website visits are caused by criminal DDoS attacks.
Distributed Denial of Service (DDoS) attacks are one of the most common forms of cyber attacks we have today. According to Google's Digital Attack Map, which monitors these types of attacks in real-time, they are responsible for one-third of all the downtime incidents online.
The reasons behind maliciously taking down websites are many: political activism, ransom (known as ransomware) and even a hacker's boredom. In this post, however, we'll take a closer look at how exactly DDoS attacks work, what the most common types of attack are and how your business can prevent and deal with them.
How does a DDoS attack work?
Imagine, for example, that you are taking boxes from your mailbox to your home. There is a limit to the number of boxes you can handle at a time before you drop something. Let's say that your limit is 10 boxes. If you get 100 boxes, you can make 10 trips and slow down the rest of your daily activities. But what if you get a thousand boxes? What if there’s a million? You might drop all of them and break down in frustration. The same thing happens to computers when they suffer a DDoS attack.
Basically, a Distributed Denial of Service (DDoS) attack happens when a malicious person uses an army of infected computers, known as a botnet, to send non-stop requests to a chosen website and overwhelm its ability to handle traffic. Each individual device is known as a bot (hence botnet, a group of bots) or a zombie (an infected device). Once computers or IoT devices are infected with malware, hackers can control them remotely to make requests to targets of their choosing without the device owner's knowledge.
Your computer could be infected right now, sending a barrage of requests to Cambodia's Health Ministry website for a group of hacktivists. And so could your smart refrigerator, your wireless printer or a nearby car factory's security system. Almost any internet-connected device can be used as a DDoS bot. And most times cyber criminals target small businesses and unprotected devices because they are woefully unprepared for DDoS attacks.
But how can I identify a DDoS attack?
Well, the first sign that your enterprise is suffering a DDoS attack is the website or service suddenly going down or becoming very slow. But don't worry: maybe the event you are selling tickets to or the product you just launched was just a lot more successful than you expected and you did, indeed, get a spike in traffic you weren't prepared for.
To be more certain, look at your analytics dashboard and check for signs of unnatural or suspicious traffic, coming from locations or going to pages you wouldn't expect, such as:
- Too much traffic coming from a single IP address or IP range;
- Traffic floods from users with the same behavioral profile, like device type, geolocation, or web browser version;
- A surprising number of requests to a single page or endpoint on your website or application;
- Unnatural traffic patterns, like spikes at odd hours or every 15 minutes.
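As an added example (not part of the original post), here is a small Python script that applies the four checks above to web-server access log lines. The log lines are constructed for the demo, and the thresholds (a single IP, user agent or path accounting for at least half of all requests; a 10-second bucket holding three times the average load) are illustrative assumptions rather than anything the post prescribes. Real analytics tools apply the same logic over far more traffic and with tuned baselines.

```python
"""Heuristic DDoS indicators over access log lines (added example)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Combined-log-style parser: ip, timestamp, method, path, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six ordinary visitors spread over one minute ...
LEGIT_LINES = [
    '198.51.100.4 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:12 +0000] "GET /products HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '192.0.2.33 - - [10/Oct/2023:13:55:25 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux) Chrome/117.0"',
    '192.0.2.80 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone) Safari/604.1"',
    '198.51.100.21 - - [10/Oct/2023:13:55:49 +0000] "GET /news HTTP/1.1" 200 3072 "-" "Mozilla/5.0 (Android) Chrome/117.0"',
    '192.0.2.5 - - [10/Oct/2023:13:56:00 +0000] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/117.0"',
]
# ... plus fourteen requests from one address, one user agent, one endpoint, in two seconds.
BOT_LINES = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{31 + i // 7:02d} +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux) HeadlessScraper/1.0"'
    for i in range(14)
]
SAMPLE_LOG = LEGIT_LINES + BOT_LINES


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_indicators(lines, *, share=0.5, min_requests=10,
                    bucket_seconds=10, burst_factor=3.0):
    """Flag the four signs from the post: one IP, one client profile, one path,
    or one time bucket dominating the traffic. Thresholds are assumptions."""
    recs = [r for r in map(parse_line, lines) if r]
    total = len(recs)
    findings = {"single_ip": [], "same_profile": [], "hot_path": [], "bursts": []}
    if total < min_requests:
        return findings  # too little traffic to call anything a flood

    def dominant(counter):
        return sorted(k for k, n in counter.items() if n / total >= share)

    findings["single_ip"] = dominant(Counter(r["ip"] for r in recs))
    findings["same_profile"] = dominant(Counter(r["ua"] for r in recs))
    findings["hot_path"] = dominant(Counter(r["path"] for r in recs))

    # Burst check: split the observed span into fixed buckets (empty ones count)
    # and report buckets holding burst_factor times the average.
    stamps = [int(r["ts"].timestamp()) for r in recs]
    n_buckets = (max(stamps) - min(stamps)) // bucket_seconds + 1
    average = total / n_buckets
    per_bucket = Counter(s // bucket_seconds for s in stamps)
    findings["bursts"] = sorted(
        datetime.fromtimestamp(b * bucket_seconds, tz=timezone.utc).strftime("%H:%M:%S")
        for b, n in per_bucket.items() if n >= burst_factor * average
    )
    return findings


if __name__ == "__main__":
    for name, hits in find_indicators(SAMPLE_LOG).items():
        print(f"{name}: {hits or 'nothing unusual'}")
```

Each finding on its own is only a hint; a product launch can also produce a hot path and a burst, which is why the post says to look at several signs together.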
These are the general signs you should check for to find out if your website or application is suffering a DDoS attack, but there are other specific clues depending on the type of attack. Which leads us to...
The different types of DDoS attacks
The types of DDoS attacks vary according to the nature of the attack and their amplification methods. The type of attack can be defined by what it does and which component of the system it targets. Here, we will cover them from the simplest to the most complex: volume-based, protocol and application layer attacks.
Volume-based attacks
Volume-based attacks are what some may think of as a classic DDoS attack, which works to saturate a network's bandwidth with massive amounts of data. This type of attack uses a form of amplification or utilizes requests from a botnet to create huge amounts of traffic and overwhelm a system.
Some examples of volume-based attacks are UDP floods, ICMP (Ping) floods and any other kind of spoofed-packet flood. Their size is measured in bits per second (bps).
Protocol attacks
Also known as state-exhaustion attacks, protocol attacks are focused on exploiting vulnerabilities in network resources, overwhelming server setups such as firewalls and load balancers. Protocol attacks target Layers 3 and 4 of the OSI model to disable the network components that would otherwise deliver good traffic to apps and websites.
This kind of attack sends spoofed requests to network components, overwhelming them with fake data that they can't respond to, eventually leading servers to stop responding completely. Protocol attacks include SYN floods, fragmented packet attacks, Ping of Death, and Smurf attacks. They are measured in packets per second (pps).
Application layer attacks
Also known as Layer 7 attacks, this type of strike aims to crash the web server and can be thought of as refreshing a web browser over and over across thousands of computers at once. Layer 7 attacks are the most sophisticated DDoS attack and can be tricky to uncover, as they are hard to distinguish from legitimate requests.
Application layer attacks can be very effective, even when originating from a small number of machines with a low rate of traffic. They include HTTP floods, low-and-slow attacks, GET/POST floods, and can target Apache, Windows or OpenBSD vulnerabilities. The magnitude of Layer 7 attacks is measured in requests per second (rps).
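To make the low-and-slow failure mode concrete, the following added Python example (not the post's code) models the server-side defence: a connection table that caps concurrent connections per client and closes connections that have not finished sending their request headers within a deadline. The `SlowRequestGuard` class, its thresholds and the `FakeClock` are assumptions for illustration; real web servers implement the same idea through header-timeout and per-client connection settings.

```python
"""Connection-table guard against low-and-slow requests (added example)."""


class SlowRequestGuard:
    """Hypothetical guard: limits open connections per client and reaps any
    connection that is still waiting for headers after header_timeout seconds."""

    def __init__(self, header_timeout, max_per_ip, clock):
        self.header_timeout = header_timeout  # seconds allowed to finish headers
        self.max_per_ip = max_per_ip          # concurrent connections per client
        self.clock = clock                    # injected so the demo is deterministic
        self._conns = {}                      # conn_id -> {"ip", "opened", "headers_done"}

    def open(self, conn_id, ip):
        """Accept a new connection unless the client already holds max_per_ip."""
        active = sum(1 for c in self._conns.values() if c["ip"] == ip)
        if active >= self.max_per_ip:
            return False
        self._conns[conn_id] = {"ip": ip, "opened": self.clock(), "headers_done": False}
        return True

    def headers_complete(self, conn_id):
        """Called once the full request header block has arrived."""
        self._conns[conn_id]["headers_done"] = True

    def reap(self):
        """Close connections still waiting for headers past the deadline."""
        now = self.clock()
        stale = [cid for cid, c in self._conns.items()
                 if not c["headers_done"] and now - c["opened"] > self.header_timeout]
        for cid in stale:
            del self._conns[cid]
        return stale

    def active(self):
        return sorted(self._conns)


class FakeClock:
    """Constructed clock so the scenario runs without waiting (assumed helper)."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    """Constructed scenario: one client trickles headers on several connections,
    another behaves normally. Returns (accept results, reaped ids, survivors)."""
    clock = FakeClock()
    guard = SlowRequestGuard(header_timeout=30, max_per_ip=2, clock=clock)
    accepted = [guard.open(f"slow-{i}", "203.0.113.7") for i in range(3)]  # third refused
    guard.open("legit-1", "198.51.100.4")
    guard.headers_complete("legit-1")  # a real browser finishes its headers quickly
    clock.advance(31)                  # the slow connections never do
    reaped = guard.reap()
    return accepted, reaped, guard.active()


if __name__ == "__main__":
    print(demo())
```

The per-client cap is what keeps a low-rate attacker from holding every worker slot, and the header deadline is what frees the slots it does get; rate limiting alone does not catch a connection that sends one byte every few seconds.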
Mitigating DDoS attacks
Dealing with DDoS attacks requires a number of different tactics, including firewalls and other protection layers, and should also include a strategic plan for what to do in the event of an attack. One common measure is using CAPTCHA tests to separate bad bots from legitimate human traffic, screening suspicious activity before it reaches your service.
When dealing with modern DDoS trends, Forrester points out the need for proactive strategies, such as creating a runbook that tells your team how to respond at each stage, defines escalation paths and spells out what each individual should do during an attack. Limiting an application's attack surface and building in redundancy also reduce attackers' opportunities to get in.
At Azion, we have a few different products to monitor and block suspicious activity and keep your web applications running smoothly at all times. Azion’s Network Layer Protection lets you create lists based on network, user location, or ASN, or use automatically updated IP reputation lists. As a result, you can block and monitor suspicious behavior, or apply restrictions such as rate limiting to prevent requests from overwhelming servers.
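The two controls named above, network block lists and per-client rate limiting, can be sketched in a few lines. The following Python class is an added example written for this post, not Azion's product code: it checks a client address against a list of blocked networks first, then applies a token-bucket limit (each client may burst up to `burst` requests and is refilled at `rate` requests per second). The networks, rates and the `FakeClock` used in the demo are constructed values.

```python
"""Block list plus per-client token-bucket rate limit (added example)."""
import ipaddress
import time


class RequestFilter:
    """Hypothetical edge filter: returns "block", "throttle" or "allow"."""

    def __init__(self, blocked_networks, rate, burst, clock=time.monotonic):
        # Networks (CIDR strings) whose traffic is dropped outright.
        self.blocked = [ipaddress.ip_network(n) for n in blocked_networks]
        self.rate = float(rate)     # tokens (requests) refilled per second
        self.burst = float(burst)   # bucket capacity, i.e. the allowed burst
        self.clock = clock          # injectable for deterministic tests
        self._buckets = {}          # client ip -> (tokens, last refill time)

    def decide(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.blocked):
            return "block"
        now = self.clock()
        tokens, last = self._buckets.get(ip, (self.burst, now))
        # Refill proportionally to elapsed time, never above the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[ip] = (tokens - 1.0, now)
            return "allow"
        self._buckets[ip] = (tokens, now)
        return "throttle"


class FakeClock:
    """Constructed clock so the demo is reproducible (assumed helper)."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    """Constructed scenario: a client bursts six requests, waits a second,
    sends three more; then a request arrives from a blocked network."""
    clock = FakeClock()
    edge = RequestFilter(["203.0.113.0/24"], rate=2, burst=5, clock=clock)
    results = [edge.decide("198.51.100.4") for _ in range(6)]
    clock.advance(1.0)  # one second refills rate * 1 = 2 tokens
    results += [edge.decide("198.51.100.4") for _ in range(3)]
    results.append(edge.decide("203.0.113.7"))
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the bucket on the client address is the simplest choice; a production filter would usually key on a network prefix, an ASN or a reputation tag as well, since a botnet spreads its requests across many addresses precisely to stay under any single-address limit.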
Our Web Application Firewall (WAF) uses a scoring method that ranks threats for all requests, enabling blocking based on a desired sensitivity level. To top it all off, our DDoS Protection uses our globally distributed network which includes mitigation centers to provide the intelligence and capacity needed to mitigate even the most massive and sophisticated attacks.
In our digital age, the web is an important source of information, entertainment and even shopping, so pulling down a single website is not only detrimental to its owner, but to the entire online environment. DDoS attacks will continue to occur more frequently as our world grows ever more digital, and it's our responsibility to keep important websites and services up and running.