Cyber Attack Guide – DDoS Attacks
Quite a lot of people plunge head-first into their new project and try to build their first websites without considering all the factors involved. Security is overlooked alarmingly often, and as a result, far too many projects come to a quick and completely avoidable end.
As an example, DDoS attacks are widespread and have been around for ages. Yet, many admins don’t have even the most basic understanding of what they are and how they work.
Let’s see if we can fix this…
The State of Cybersecurity
In 2017, researchers from the University of Maryland estimated that worldwide, on average, a cyber attack is launched every 39 seconds. More than likely, hacking attempts are even more frequent today.
In 2020, during the height of the COVID-19 crisis, Swiss authorities reported three times the usual number of cyber attacks. The fact of the matter is, with or without a global pandemic, cybercrime is a massive business that brings its operators a lot of benefits.
Ransomware operators encrypt users’ and organizations’ files and extort money in exchange for their data. Malicious cryptomining scripts put enormous loads on unsuspecting victims and consume vast quantities of electric power to line miscreants’ pockets. Hackers breach business organizations to steal personal and sensitive data, which is then brokered and abused in all manner of ways.
You don’t even need to have any advanced technical skills to target an attack at someone. All you have to do is go to a hacking forum, pay someone for a DDoS service, and aim it at a site or server of your choice.
What Are DDoS Attacks?
It’s important to make a distinction between different types of cyber attacks.
For example, the goal of a DDoS attack isn’t to alter the way your site looks or steal user data. Beefing up your site’s admin password or updating your CMS will do little to protect you from it.
DDoS stands for Distributed Denial of Service, and, as the “Denial of Service” bit suggests, the goal of such an attack is to deny user access to a service or a resource. In other words, it’s supposed to knock your website offline or, at the very least, severely disrupt its performance.
How Do DDoS Attacks Work?
The ultimate goal of a DDoS attack is to overwhelm the website and the underlying infrastructure with fake traffic. In very basic terms, the attacker sends an enormous number of requests to a targeted site and puts a load on the hosting machine. If the junk traffic becomes too much, the server struggles to process all requests and eventually goes offline.
DDoS is one of the cheapest forms of cybercrime, and because attacks don’t result in any direct data theft, many people are left with the misconception that it is relatively harmless. In light of this, you may be amazed to learn how much effort goes into creating the infrastructure that powers DDoS attacks.
The DDoS lifecycle starts long before the target is even identified.
First, the attacker needs to create a botnet – a vast network of compromised computers, servers, and other internet-connected devices. Cybercriminals infect thousands of nodes (often referred to as zombies) and control them via a Command & Control (C&C) server.
The malware they use is usually pretty stealthy, and users are none the wiser to its existence. When the C&C sends instructions, the zombie starts sending as many requests as possible to the targeted server. Multiply this by thousands, and you have an enormous traffic spike. If the target is unprepared – it doesn’t stand any chance.
The motives behind DDoS attacks are extremely diverse.
Cybercriminals can use DDoS as retaliation, often employing it to make a point or draw attention to a particular problem. Every now and again, you might find business organizations aiming DDoS attacks at their competitors, a practice that is especially prevalent in the gaming community. Far too often, cybercriminals DDoS a website or a server out of pure spite.
Whatever the motive, DDoS is a serious threat.
Every second of downtime and every user disappointed with your website’s performance is costing you money. Frequent, prolonged, or severe DDoS attacks could cause major damage, so you need to be familiar with the threat and know what you can do to protect yourself.
Types of DDoS Attacks
The goal and general principles of all DDoS attacks may be the same, but the techniques, technologies, and scope of damages vary wildly. Some categorization of DDoS attacks and the problems they cause should give you a clearer understanding of how the threat works and what system administrators should look out for.
There are three general categories of DDoS attacks:
- Volumetric DDoS attacks
This is the most common type of DDoS attack. The attacker establishes a large number of simultaneous connections and sends a massive volume of packets to the server in an attempt to use up the target’s bandwidth, put an extreme load on the hardware resources, and cause the network equipment to fail.
- Application DDoS flood attacks
These are the attacks most commonly aimed at web servers and websites. Instead of packets and connections, the attacker floods the target with HTTP requests in an attempt to overwhelm the web server and cause it to crash.
- Low-Rate DoS Attacks
This is a slightly different form of Denial of Service (DoS) activity. Unlike traditional DDoSing, it tries to exploit flaws in specific applications’ design and implementation. Usually, hackers rely on fewer simultaneous connections in this type of attack.
There are also several distinct categories of DDoS attacks based on the protocol they abuse:
- ICMP Floods
One of the oldest forms of DDoS attacks tries to overwhelm the target using the Internet Control Message Protocol.
- Smurf Attacks
This is another way of targeting the ICMP protocol. This time, the attacker spoofs the target’s IP and sends an ICMP request to which other devices on the network respond and inadvertently flood the target with traffic.
- SYN Flood Attacks
SYN flood attacks exploit TCP’s three-way handshake. The attacker sends a large number of SYN packets with spoofed source addresses; the targeted server has to answer each one with a SYN-ACK and keep a half-open connection waiting for a final ACK that never arrives, until its connection table fills up.
- UDP Flood Attacks
Typically using a spoofed IP address, the attacker sends a lot of UDP packets to random ports on the targeted system. Because no service is listening on those ports, the server answers each one with an ICMP Destination Unreachable packet, pushing the load up.
- Teardrop Attacks
The attacker sends many fragmented and oversized TCP/IP packets that older operating systems can’t process. Often, the result is an instant crash.
- DNS Amplification Attacks
The attacker sends requests to the worldwide DNS system and spoofs them, so they look like they’re coming from the target’s IP address. The requests are designed to initiate a large response from the DNS resolvers, which is sent the victim’s way.
- SIP Invite Flood Attacks
Session Initiation Protocol (SIP) is the standard protocol for VoIP communication. Attackers use it in their DDoS efforts by sending many spoofed SIP INVITE messages.
- SSL DDoS Attacks
Some attackers even target SSL certificates in their campaigns as the additional task of decrypting the processed information uses up more CPU power. Additionally, some of the older mitigation techniques don’t work against SSL traffic.
What to Do in Case of a DDoS Attack?
Because hackers use vast botnets of devices, it’s tough to determine whether a particular network packet is coming from a legitimate visitor or from a zombie instructed to flood the server with traffic.
As far as your server is concerned, many people are simultaneously trying to access the same resource. Despite the obvious challenges, your preparation and timely response are vital in protecting your site from prolonged downtime and permanent damage to your brand reputation.
Here are a few things you can do:
- Get more bandwidth than you’ll ever need
It’s not easy to estimate precisely how much bandwidth you’ll need, especially if you’re starting your first-ever online project. In any case, in the event of a DDoS attack, all calculations go out the window. Nevertheless, the more bandwidth your hosting account comes with, the more time you’ll have to react.
- Get to know your site’s usual traffic patterns
If you know how much traffic your site receives regularly, you’ll be much better equipped to spot anomalies and unusual spikes, which usually signal the start of a DDoS attack. Detecting the attack as early as possible puts you in a better position to take adequate damage mitigation measures.
- Take proactive measures if you own the network
If you host the server on your own network, you can do several things to mitigate the damage. For example, you can put rate limits at your router, add filters if the junk traffic’s source is obvious, set your network equipment to drop malformed packets, and lower limits for SYN, ICMP, and UDP connections.
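As an added example (not code from the original article), here is a Python script that does the two things just described: it buckets web-server access-log requests into fixed windows to spot a spike above a known baseline, then lists the sources dominating that spike so they can be fed into a filter rule. The log lines are constructed samples, and the baseline of 1 request/s and the thresholds are assumptions you would replace with your own site's numbers.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined Log Format prefix: client IP, identd, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, epoch_seconds) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(datetime.strptime(m.group("ts"), TS_FMT).timestamp())

def analyze(lines, window=10, baseline_rps=1.0, spike_factor=5, per_ip_limit=20):
    """Bucket requests into fixed windows of `window` seconds. A window is a spike
    when it holds more than spike_factor * baseline_rps * window requests; within
    spike windows, sources sending more than per_ip_limit requests are reported."""
    per_window = Counter()
    per_window_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines instead of crashing
        ip, t = parsed
        bucket = t - (t % window)
        per_window[bucket] += 1
        per_window_ip[bucket][ip] += 1
    limit = spike_factor * baseline_rps * window
    spike_windows = sorted(b for b, n in per_window.items() if n > limit)
    noisy_ips = set()
    for b in spike_windows:
        noisy_ips.update(ip for ip, n in per_window_ip[b].items() if n > per_ip_limit)
    return spike_windows, sorted(noisy_ips)

def make_sample_log():
    """Constructed sample: 60 s of normal traffic (1 request/s from 20 rotating
    client IPs), then 10 s in which three sources each send 50 requests/s."""
    base = int(datetime(2023, 10, 10, 13, 55, tzinfo=timezone.utc).timestamp())
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    stamp = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime(TS_FMT)
    lines = [fmt.format(ip=f"198.51.100.{i % 20 + 1}", ts=stamp(base + i)) for i in range(60)]
    for t in range(base + 60, base + 70):
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            lines += [fmt.format(ip=ip, ts=stamp(t))] * 50
    return lines
```

Running `analyze(make_sample_log())` reports a single spike window and the three flooding sources, while the first 60 seconds alone produce no alert.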
All these are important points to consider, especially if you’re going to take care of most server management tasks yourself. However, most people are not willing to do all the legwork on their own and instead rely on their host to protect them in case of a DDoS emergency.
You can easily see why…
The Role of Your Hosting Provider
If you’re under a DDoS attack, your hosting provider wants to stop it just as much as you do. It costs them a lot of expensive bandwidth, and the potential outages may cause them to miss their uptime guarantee. If this happens – costly compensations are due. The reputation damage could be even worse than the financial one, especially if the attack starts affecting other customers.
If the DDoS attack volume is too big, the host will eventually null route the requests to your site. This means all packets coming to it will be dropped before they arrive at their destination, and your website will become inaccessible. This is the worst-case scenario everyone wants to avoid.
To avoid that outcome, hosting providers undertake a number of safety measures:
- DDoS run books (or playbooks)
In essence, a DDoS playbook is an incident response plan. It’s a step-by-step guide on who needs to do what in a DDoS attack.
- Traffic scrubbing services
The prevalence of DDoS attacks has opened a business niche for DDoS protection services. During an attack, a DDoS protection service uses many different factors to filter malicious traffic and keep the site online for legitimate users. It’s up to your host to redirect the traffic through it.
- Access Control Lists
An Access Control List (ACL) is a set of rules every packet needs to adhere to if it is to reach its destination on the network. The host can implement ACLs in the firewall, a router, and even a switch.
- Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) limits spoofed traffic by checking whether a packet’s source IP address is reachable back through the interface the packet arrived on. If not – the packet is dropped. This helps network administrators minimize packets from spoofed source IPs.
- State-of-the-art firewalls
The firewall is the most commonly used device for filtering traffic coming to and from the network. Modern firewalls offer a deep packet inspection functionality that examines every single request in detail and drops the ones that look suspicious.
This list is far from exhaustive, but it still outlines some of the essential precautions that hosts should take to protect their servers against DDoS attacks.
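As an added example (not code from the original article), the following Python model shows what the uRPF check above actually decides: it performs a longest-prefix route lookup on each packet's source address and drops packets whose return path does not lead back out the interface they arrived on, in both strict and loose mode. The routing table, interface names and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed routing table (prefix -> egress interface); illustrative only.
ROUTES = {
    "192.0.2.0/24": "eth1",     # customer network reached via eth1
    "198.51.100.0/24": "eth2",  # peering network reached via eth2
    "0.0.0.0/0": "eth0",        # default route toward the upstream
}

def lookup_route(table, ip, allow_default=False):
    """Longest-prefix match: the interface the router would use to reach ip, or None.
    The default route only counts when allow_default is True, mirroring how uRPF
    implementations ignore it unless explicitly told to consider it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_allows(table, src_ip, ingress, mode="strict", allow_default=False):
    """Reverse-path check on the packet's *source* address.
    strict: the best route back to src_ip must leave via the ingress interface.
    loose:  any usable route back to src_ip is enough (catches only unrouted sources)."""
    egress = lookup_route(table, src_ip, allow_default)
    if egress is None:
        return False                     # no route back: unroutable or bogon source
    return True if mode == "loose" else egress == ingress

def filter_packets(table, packets, mode="strict", allow_default=False):
    """packets: iterable of (src_ip, ingress_iface). Returns the packets uRPF drops."""
    return [p for p in packets if not urpf_allows(table, p[0], p[1], mode, allow_default)]

# Constructed sample packets (source IP, interface they arrived on).
SAMPLE = [
    ("192.0.2.10", "eth1"),     # customer host on its own interface: genuine
    ("192.0.2.10", "eth0"),     # customer address arriving from upstream: spoofed
    ("198.51.100.4", "eth2"),   # peer host on the peering interface: genuine
    ("10.0.0.1", "eth2"),       # private, unroutable source: spoofed
    ("203.0.113.9", "eth0"),    # ordinary internet host via the default route
]
```

Strict mode belongs on customer-facing interfaces where the return path is unambiguous; on an upstream link carrying a default route it would discard legitimate traffic unless the default route is allowed, while loose mode with the default route allowed passes every packet and filters nothing.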
Today’s cybersecurity landscape allows pretty much anyone to launch an attack that brings an entire server down. DDoS services are readily available on underground markets, and employing them requires no technical knowledge whatsoever.
Meanwhile, the damages from DDoS attacks can be pretty devastating for both website owners and hosting providers. Luckily, preparing to fend off such threats from the start can easily ensure your online comfort for a long time.
Is DDoSing illegal?
Different countries have different laws, but DDoS attacks are universally recognized as a form of cybercrime. Such hacker attempts are deemed illegal in the US and can be considered a federal crime under the Computer Fraud and Abuse Act (CFAA).
What are DDoS attacks used for?
DDoSing can be used for anything – from pulling a friendly prank to sabotaging a global organization. DDoS attacks are often used by hacktivists who want to draw attention to a particular problem and business organizations that want to hit their competitors.
How do DDoS attacks work?
A DDoS attack aims to bring a website or an online service down by flooding the hosting server and its network with traffic. To achieve the traffic volume required to bring a website down, criminals use botnets – vast networks of infected computers, servers, and other devices spread worldwide.
How long does a DDoS attack last?
Hosting providers and website owners can take specific measures to filter and block the junk traffic, but they can do nothing to stop the botnet from sending waves upon waves of new requests. That’s why a DDoS attack can last as long as the attacker wishes (and has the needed resources) – we’ve seen some threats fizzle out within an hour, and some have taken days to mitigate.