Imagine you have an e-commerce website. Your website is generating revenue, customers are buying stuff, sales are great, costs are down, and charts are going up. Everything is just a rainbow and sunshine.
One day suddenly, when you check the charts, you find that customers aren’t buying anything anymore. The next thing you realize is your URL stops working.
At first you brush it off as an internet issue. But as time goes on, you realize that only your URL is not working. That’s when the panic sets in. One likely explanation is that you are under attack by some hacker, and quite possibly that this is a DDoS attack.
What is a DDoS Attack?
DDoS stands for distributed denial of service. A DDoS attack is a malicious attempt to shut down a website’s servers, networks, or services by sending it fake traffic. Because this fake traffic arrives from many sources at once, it floods the network and leaves it unavailable to legitimate users.
DDoS attacks are mostly carried out using bots. So, what are bots? An attacker spreads malicious software to many computers and other devices and takes control of them; each infected device is known as a bot. These bots are networked together into a disruptive network known as a botnet, which can be put to many other uses as well.
Usual DDoS Symptoms
How do you know if you are under a DDoS attack? Here are some of the usual symptoms that might give it away.
- Large amounts of traffic come from clients with the same or similar characteristics, e.g. device type, browser type/version, IP address or IP range, location, etc.
- An exponential, unexpected rise in traffic at a single endpoint/server.
- A server starts repeatedly crashing for no apparent reason.
- Your website is taking too long to respond to requests.
Responding to a DDoS attack
- Black hole filtering: Examine incoming traffic and define a criterion for what to drop. Route the traffic that matches it into a black hole, essentially discarding it.
- Casting: Distribute the traffic across multiple servers, increasing your capacity and reducing the chance that any individual server gets overwhelmed.
- IP Blocking: If you notice unexpectedly high traffic from the same range of IP addresses, block them.
Types of DDoS Attacks
Application layer attacks
This attack targets and disrupts a specific application rather than an entire network. Let’s take an example.
Normally, when a client sends an HTTP request, the server takes that request, collects all the information related to that page, packages it, and sends it back to the client that asked for it. All of this fetching and packaging is done in the application layer. In this attack, the bots send HTTP requests asking for the same resource over and over, and over time this overwhelms the website or its servers and crashes them.
This is challenging to prevent because it is difficult to distinguish between a legitimate and malicious HTTP request.
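The symptoms listed above (many requests sharing an IP range or user agent) and the application layer pattern just described (the same resource requested over and over) can both be spotted in ordinary access logs. The following detector is an added example, not code from the article: it parses a constructed log sample (the log format, the /24 grouping and the window and threshold values are assumptions) and flags any source range, user agent or path whose request count inside a sliding time window exceeds a threshold.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the article); assumed format:
# <client ip> [<epoch seconds>] "<method> <path>" <user agent>
SAMPLE_LOG = """\
203.0.113.10 [1000] "GET /checkout" Mozilla/5.0
203.0.113.11 [1000] "GET /checkout" Mozilla/5.0
203.0.113.12 [1001] "GET /checkout" Mozilla/5.0
203.0.113.13 [1001] "GET /checkout" Mozilla/5.0
203.0.113.14 [1002] "GET /checkout" Mozilla/5.0
203.0.113.15 [1002] "GET /checkout" Mozilla/5.0
198.51.100.7 [1000] "GET /" Safari/17
198.51.100.8 [1003] "GET /product/42" Chrome/120
192.0.2.9 [1004] "GET /cart" Firefox/121
"""

LINE_RE = re.compile(r'^(\S+) \[(\d+)\] "(\S+) (\S+)" (.+)$')

def parse(log_text):
    """Parse each line into (ip, ts, method, path, user_agent); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, ua = m.groups()
            events.append((ip, int(ts), method, path, ua))
    return events

def subnet24(ip):
    """Group IPv4 clients by their /24 range, the 'same IP range' symptom."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def find_suspicious(events, window=5, threshold=5):
    """Count requests per source /24, per user agent and per path inside a
    sliding window of `window` seconds; return the keys that reach `threshold`."""
    buckets = {"subnet": defaultdict(list), "agent": defaultdict(list), "path": defaultdict(list)}
    for ip, ts, _method, path, ua in sorted(events, key=lambda e: e[1]):
        buckets["subnet"][subnet24(ip)].append(ts)
        buckets["agent"][ua].append(ts)
        buckets["path"][path].append(ts)
    flagged = {kind: set() for kind in buckets}
    for kind, groups in buckets.items():
        for key, stamps in groups.items():      # stamps are already sorted
            start = 0
            for end in range(len(stamps)):
                while stamps[end] - stamps[start] >= window:
                    start += 1                  # slide the window forward
                if end - start + 1 >= threshold:
                    flagged[kind].add(key)
                    break
    return flagged
```

In the sample, one /24 range, one user agent and one path each account for six requests within three seconds and are flagged, while the scattered legitimate requests are not.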
Protocol attacks
This attack is also known as a network layer attack. It works by exploiting a protocol; the most common example is the SYN flood attack. When two devices establish a TCP connection, they use the TCP handshake: first the client sends a SYN packet, then the server responds with a SYN-ACK (synchronize and acknowledge) packet and waits, and finally the client sends back an ACK packet.
The attacker sends a large number of spoofed SYN packets to the server. The server answers each one with a SYN-ACK packet and waits for the ACK from the client that supposedly asked for it, but that client never replies. So the server is left waiting on many half-open connections while more and more SYN packets keep arriving, and it eventually crashes.
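To make the half-open connection problem concrete, here is an added model (not code from the article, and no networking involved) of a server's backlog of pending handshakes. The backlog size and the SYN-ACK retry timeout are assumed parameters; the model shows that spoofed SYNs that never get their ACK hold their slots until the timeout expires, and that a legitimate client's SYN is dropped while the table is full.

```python
from collections import OrderedDict

class SynBacklog:
    """Model of a server's table of half-open (SYN received, ACK pending) connections.
    `capacity` and `timeout` are assumed values, not figures from the article."""

    def __init__(self, capacity=4, timeout=30):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = OrderedDict()   # src -> time the SYN arrived
        self.completed = 0
        self.dropped = 0

    def _expire(self, now):
        # Free slots whose SYN-ACK was never acknowledged within the timeout.
        for src, t in list(self.half_open.items()):
            if now - t >= self.timeout:
                del self.half_open[src]

    def syn(self, src, now):
        """A SYN arrives: the server replies SYN-ACK and reserves a slot if one is free."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1            # table full: a legitimate SYN is lost too
            return False
        self.half_open[src] = now
        return True

    def ack(self, src, now):
        """The final ACK completes the handshake and releases the slot."""
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.completed += 1
            return True
        return False

def simulate(n_spoofed=6, capacity=4, timeout=30):
    """Constructed scenario: spoofed SYNs at t=0 that are never acknowledged, then a
    legitimate client trying at t=5 and again at t=40. Returns
    (connected early, connected late, number of SYNs dropped)."""
    server = SynBacklog(capacity, timeout)
    for i in range(n_spoofed):
        server.syn(f"spoofed-{i}", now=0)      # no ACK will ever follow
    early = server.syn("legit", now=5) and server.ack("legit", now=6)
    late = server.syn("legit", now=40) and server.ack("legit", now=41)
    return early, late, server.dropped
```

With the defaults, the spoofed entries fill all four slots, the legitimate client is dropped at t=5, and it only connects at t=40 once the timeout has cleared the stale entries, which is why backlog size and timeout tuning matter to defenders.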
Volumetric attacks
This attack consumes the target’s bandwidth with bogus data requests. The most common type of volumetric attack is the DNS amplification attack. Here the attacker sends DNS requests to a DNS server with the source address spoofed to the target’s IP address, requesting many records whose responses are much larger than the requests.
The attacker keeps sending such requests to the DNS server, and the DNS server answers every one of them, sending each response to the spoofed address, that is, to the target.
So the target website or server is completely overwhelmed by the DNS server’s responses, and again the target’s server ends up crashing. Most, if not all, volumetric attacks rely on botnets.
Preventing DDoS attack
Even if you know how to respond to these attacks, facing one is still overwhelming. So it is better to prevent such attacks. Some of the methods to prevent them are:
- Real-time packet analysis: Analyze packets based on different rules as they enter your system, discarding the potentially malicious ones.
- DDoS defense system (DDS): A DDS can detect legitimate-looking content with malicious intent. It protects against protocol and volumetric attacks without requiring human intervention.
- Web application firewall: Web application firewalls (WAF) are a great tool to mitigate application layer DDoS Attacks. They allow you to filter incoming requests based on different rules, which can also be added on the fly in response to an attack.
- Rate limiting: Limit the number of requests a server will accept from a client over a certain period.
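The rate limiting item above is the one prevention method that is easy to show end to end. The following per-client token bucket is an added example, not code from the article or from any specific product: each client earns `rate` tokens per second up to a `burst` ceiling and spends one per request, so a steady shopper is never blocked while a client hammering the server is throttled once its burst allowance is spent. The rate, burst and the constructed traffic are assumptions.

```python
import time

class TokenBucketLimiter:
    """Per-client token bucket. A client averages `rate` requests per second and
    may burst up to `burst` requests; both values are assumed, not from the article."""

    def __init__(self, rate=2.0, burst=5):
        self.rate = rate
        self.burst = burst
        self.buckets = {}   # client -> (tokens, time of last refill)

    def allow(self, client, now=None):
        """Return True if the request should be served, False if it should be
        rejected (for example with HTTP 429 Too Many Requests)."""
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, now)
            return True
        self.buckets[client] = (tokens, now)
        return False

def replay(limiter, requests):
    """Feed (client, timestamp) pairs in time order; return
    {client: (served, rejected)} so the effect of the limit can be inspected."""
    stats = {}
    for client, ts in sorted(requests, key=lambda r: r[1]):
        served, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            served += 1
        else:
            rejected += 1
        stats[client] = (served, rejected)
    return stats

# Constructed traffic: a shopper at 1 request/s and a bot at 4 requests/s, 10 s each.
SHOPPER = [("shopper", float(t)) for t in range(10)]
BOT = [("bot", i * 0.25) for i in range(40)]

def run_demo():
    """Replay both clients through one limiter with the default 2 req/s, burst 5."""
    return replay(TokenBucketLimiter(), SHOPPER + BOT)
```

With these settings the shopper's 10 requests are all served, while the bot gets its 5-request burst plus roughly 2 requests per second afterwards and has the remainder rejected.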
DDoS attacks threaten businesses because they lead to downtime, financial losses, and reputational damage. As these attacks become increasingly common and sophisticated, organizations should adopt a multi-layered defense strategy for their networks. This can include traffic monitoring, firewalls, and intrusion detection systems.
Gurzu is a diverse team of creatives, technologists, data scientists, security experts, and entrepreneurs helping world-class customers get to their markets quickly with high quality products built with modern software technologies.