Updated: May 13
In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers,” it generally means it has become a victim of a DDoS attack. In short, this means that hackers have attempted to make a website or computer unavailable by flooding or crashing the website with too much traffic.
Botnets can be composed of almost any number of bots; botnets with tens or hundreds of thousands of nodes have become increasingly common, and there may be no upper limit to their size. Once the botnet is assembled, the attacker can use the traffic generated by the compromised devices to flood the target domain and knock it offline.
DDoS attacks fall into one or more of the following categories, and more sophisticated attacks combine several vectors at once:
Volume-based attacks. These send massive amounts of traffic to overwhelm a network’s bandwidth.
Protocol attacks. These are more focused and exploit weaknesses in how a server allocates its resources.
Application attacks. These are the most sophisticated form of DDoS attack, focusing on particular web applications.
Here’s a closer look at different types of DDoS attacks.
TCP Connection Attacks
TCP connection attacks, or SYN floods, exploit the TCP connection sequence commonly referred to as the three-way handshake between the client and the server.
Here’s how. The targeted server receives a request to begin the handshake. In a SYN flood, the handshake is never completed, which leaves the half-open connection occupying the port and unavailable to process further requests. Meanwhile, the cybercriminal keeps sending more and more such requests, overwhelming all open ports and shutting down the server.
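An added example, not part of the original article, that follows the three-way handshake over constructed tcpdump-style lines and counts the half-open connections a SYN flood leaves behind on the server side (the log format, addresses and threshold are assumptions):

```python
import re
from collections import defaultdict
# Constructed sample in a simplified tcpdump-like format (assumed, not a real capture):
#   <time> <src_ip>.<src_port> > <dst_ip>.<dst_port>: Flags [<flags>]
# [S] = SYN, [S.] = SYN-ACK, [.] = ACK. Only the first client completes the handshake.
SAMPLE_LOG = """\
10:00:00.001 203.0.113.5.40001 > 192.0.2.10.80: Flags [S]
10:00:00.002 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.]
10:00:00.003 203.0.113.5.40001 > 192.0.2.10.80: Flags [.]
10:00:00.010 198.51.100.7.1025 > 192.0.2.10.80: Flags [S]
10:00:00.011 192.0.2.10.80 > 198.51.100.7.1025: Flags [S.]
10:00:00.012 198.51.100.8.1026 > 192.0.2.10.80: Flags [S]
10:00:00.013 192.0.2.10.80 > 198.51.100.8.1026: Flags [S.]
10:00:00.014 198.51.100.9.1027 > 192.0.2.10.80: Flags [S]
10:00:00.015 192.0.2.10.80 > 198.51.100.9.1027: Flags [S.]
"""
LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")

def handshake_states(log_text):
    """Map (client, cport, server, sport) -> 'syn' | 'syn-ack' | 'established'."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":                      # client opens: first step of the handshake
            states[(src, sport, dst, dport)] = "syn"
        elif flags == "S.":                   # server answers: connection is now half-open
            key = (dst, dport, src, sport)
            if states.get(key) == "syn":
                states[key] = "syn-ack"
        elif flags == ".":                    # client's final ACK completes the handshake
            key = (src, sport, dst, dport)
            if states.get(key) == "syn-ack":
                states[key] = "established"
    return states

def half_open_by_server(states):
    """Count connections per server socket that never reached 'established'."""
    counts = defaultdict(int)
    for (_c, _cp, server, sport), state in states.items():
        if state != "established":
            counts[(server, sport)] += 1
    return dict(counts)

def syn_flood_suspects(states, max_half_open=2):
    """Server sockets whose half-open count exceeds a constructed threshold (tune to the backlog)."""
    return sorted(s for s, n in half_open_by_server(states).items() if n > max_half_open)
```

On a real host the same half-open count is what SYN cookies and a larger listen backlog are meant to keep bounded.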
While it is clear that the target of a DDoS attack is a victim, there can be many other victims in a typical DDoS attack, including the owners of the systems used to execute the attack.
Although the owners of infected computers are typically unaware their systems have been compromised, they are nevertheless likely to suffer a degradation of service during a DDoS attack.
Application layer attacks, sometimes referred to as Layer 7 attacks, target the victim’s applications at a slower pace. That way they may initially appear to be legitimate user requests, until it is too late and the victim is overwhelmed and unable to respond.
These attacks are aimed at the layer where a server generates web pages and responds to HTTP requests.
Often, application layer attacks are combined with other types of DDoS attacks that target not only applications but also the network and bandwidth. Application layer attacks are particularly threatening. Why? They are inexpensive to operate and more difficult for companies to detect than attacks focused on the network layer.
Fragmentation Attacks are another common form of a DDoS attack. The cybercriminal exploits vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller packets, transferred across a network, and then reassembled.
In fragmentation attacks, forged packets that cannot be reassembled overwhelm the server.
In another form of fragmentation attack, called a Teardrop attack, the packets sent are crafted so that they cannot be reassembled. The vulnerability exploited in Teardrop attacks has been patched in newer versions of Windows, but users of outdated versions would still be vulnerable.
Volumetric attacks are the most common form of DDoS attack. They use a botnet to flood the network or server with traffic that appears legitimate but overwhelms the network’s or server’s capacity to process it.
Types of DDoS Amplification
In a DDoS Amplification attack, cybercriminals overwhelm a Domain Name System (DNS) server with what appear to be legitimate requests for service. Using various techniques, the cybercriminal is able to magnify DNS queries, through a botnet, into a huge amount of traffic aimed at the targeted network. This consumes the victim’s bandwidth.
A variation of a DDoS amplification attack exploits Chargen, an old protocol developed in 1983. In this attack, small packets carrying a spoofed source IP address of the targeted victim are sent to Internet of Things devices that run Chargen.
For instance, many Internet-connected copiers and printers use this protocol. The devices then flood the target with User Datagram Protocol (UDP) packets, and the target is unable to process them.
DNS reflection attacks are a type of DDoS attack that cybercriminals have used many times. Susceptibility to this type of attack is generally due to consumers or businesses having routers or other devices whose DNS servers are misconfigured to accept queries from anywhere, instead of being properly configured to provide service only within a trusted domain.
The cybercriminals then send spoofed DNS queries that appear to come from the target’s network, so when the DNS servers respond, they do so to the targeted address. The attack is magnified by querying large numbers of DNS servers.
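As an added example, not from the original article, the reflection signature described above can be checked at the victim’s network edge: DNS responses that arrive without any matching outbound query, grouped by the reflector that sent them, with the amplification estimated from response size (the record format, addresses, query size and thresholds are constructed assumptions):

```python
from collections import defaultdict

# Constructed DNS flow records as seen at the victim's network edge (assumed format):
# (direction, src_ip, dst_ip, kind, qtype, size_bytes, txid). The first pair is a normal
# lookup by the victim's own resolver; the rest are answers nobody on this network requested.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", "198.51.100.53", "query", "A", 60, 0x1A2B),
    ("in", "198.51.100.53", "192.0.2.10", "response", "A", 120, 0x1A2B),
    ("in", "203.0.113.1", "192.0.2.10", "response", "ANY", 3000, 0x0001),
    ("in", "203.0.113.2", "192.0.2.10", "response", "ANY", 2900, 0x0002),
    ("in", "203.0.113.1", "192.0.2.10", "response", "ANY", 3100, 0x0003),
]

def unsolicited_responses(flows):
    """Inbound responses with no earlier outbound query to that server with that txid.
    Returns a list of (reflector_ip, qtype, size_bytes)."""
    outstanding = set()
    unsolicited = []
    for direction, src, dst, kind, qtype, size, txid in flows:
        if direction == "out" and kind == "query":
            outstanding.add((dst, src, txid))       # expect a reply from dst back to src
        elif direction == "in" and kind == "response":
            key = (src, dst, txid)
            if key in outstanding:
                outstanding.discard(key)            # legitimate answer to our own query
            else:
                unsolicited.append((src, qtype, size))
    return unsolicited

def reflector_report(flows, assumed_query_bytes=64):
    """Per reflector: unsolicited response count, total bytes and an estimated amplification
    factor (bytes received per spoofed query of assumed_query_bytes, a constructed value)."""
    report = defaultdict(lambda: {"responses": 0, "bytes": 0})
    for src, _qtype, size in unsolicited_responses(flows):
        report[src]["responses"] += 1
        report[src]["bytes"] += size
    for r in report.values():
        r["est_amplification"] = r["bytes"] / (r["responses"] * assumed_query_bytes)
    return dict(report)

def is_reflection_attack(flows, min_reflectors=2, min_unsolicited_bytes=5000):
    """Constructed thresholds: several distinct reflectors delivering large unsolicited answers."""
    rep = reflector_report(flows)
    total = sum(r["bytes"] for r in rep.values())
    return len(rep) >= min_reflectors and total >= min_unsolicited_bytes
```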
Method 1: Take quick action
The earlier a DDoS attack in progress is identified, the more readily the harm can be contained. Companies should use technology or anti-DDoS services that help distinguish legitimate spikes in network traffic from a DDoS attack.
If you find your company is under attack, notify your ISP as soon as possible to determine whether your traffic can be re-routed. Having a backup ISP is also a good idea. Also consider services that disperse the massive DDoS traffic among a network of servers, rendering the attack ineffective.
Internet service providers may use black hole routing, which directs excessive traffic into a null route (sometimes referred to as a black hole), thereby keeping the targeted website or network from crashing. The drawback is that both legitimate and illegitimate traffic is discarded in this fashion.
Method 2: Configure firewalls and routers
Firewalls and routers should be configured to reject bogus traffic, and you should keep them updated with the latest security patches. They remain your initial line of defense.
Application front-end hardware, integrated into the network before traffic reaches a server, analyzes and screens data packets as they enter a system, classifying them as priority, regular or dangerous, and can be used to block threatening data.