A distributed denial-of-service (DDoS) attack is a common cyber-attack designed to disrupt the normal operation of a server and the website or application it hosts. Often the purpose is to cause financial damage to the server owner, or to block an operation or access to information by making the service unusable for the public. A sustained, successful attack can also cause long-term damage to the owner's reputation.
Network flood attacks are the most effective kind because they need relatively few resources to saturate the targeted server's network link. While the attack lasts the link stays congested and legitimate use of the website or application is limited. Such an attack cannot be filtered on the server itself, and no software running on it can mitigate it, because the network channel is already physically full before the traffic reaches the host. These attacks are also cheap to run, whereas protection is expensive, since it requires more network capacity and, very often, an additional cloud-based scrubbing service.
DDoS attacks are often short-lived, lasting around 30 minutes on average, but some last much longer, from a few hours to several days, and cause serious damage to the business. As an example, one of the largest DDoS attacks on record was registered in February 2018 and targeted GitHub, a popular platform for developers and code management. It was a memcached amplification attack whose traffic peaked at 1.35 Tb/s. It was filtered by Akamai Prolexic, the DDoS mitigation service that GitHub partners with.
How does a DDoS attack work?
Under normal conditions, with genuine traffic, the server and the client software communicate without issues or noticeable latency; the server and network resources are sufficient to absorb ordinary spikes in usage.
During a DDoS attack, a large number of compromised devices (collectively called a botnet) send a tremendous volume of requests to the server or web application at the same time, in order to overload it or clog its network. Because the malicious traffic is mixed with legitimate traffic, it is very hard to filter or mitigate the attack without also blocking real users.
When the attack comes from a single source it is called a DoS (denial-of-service) attack.
What are the most common DoS and DDoS attacks?
There are many documented types of DDoS attack, and attackers keep refining them so that the traffic looks more like legitimate traffic and is harder to filter.
Take a look at the most common DDoS attacks below.
UDP flood DDoS attack
This is an effective and easy-to-execute attack. The goal is to flood the server's network with a huge number of UDP packets sent simultaneously, so that the volume of traffic exceeds the physical capacity of the server's network link and legitimate traffic cannot get through. Because UDP is connectionless, the packets need no handshake and their source addresses can be spoofed freely; a server that receives packets on closed ports also spends resources answering each one with an ICMP "port unreachable" message.
SYN flood attack
This attack is based on a weakness in how TCP sets up connections. To initiate a connection, the client and the server must complete the so-called three-way handshake: SYN, SYN-ACK, ACK. The attacker sends the initial packet (SYN) from a spoofed IP address, and the receiving server responds with a SYN-ACK to acknowledge it, records the connection as half-open and waits for the final ACK. Because the source address is spoofed, that ACK never arrives: the connection is neither established nor closed and stays in the waiting (half-open) state until it times out. By sending more SYN packets from fake addresses than the server can hold, the attacker exhausts the server's backlog of half-open connections. Once that limit is reached, the server cannot accept any new connections and becomes unavailable to real users.
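The exhaustion described above, and the usual stateless defence (SYN cookies), as an added model that is not part of the original article. The backlog size, the cookie construction, the address ranges and the "attacker" traffic are simplifying assumptions made for the demonstration; this is not a real TCP stack.

```python
"""Model of a SYN flood against a listener's half-open connection backlog,
and of SYN cookies as the stateless defence.  Added illustration: the backlog
size, the cookie construction and the sample "attacker" traffic are
simplifying assumptions, not a real TCP stack."""
import hashlib
import hmac
import secrets
import struct

BACKLOG = 128  # assumed maximum number of half-open (SYN_RECV) entries


class StatefulListener:
    """Classic behaviour: every SYN allocates a half-open entry that is kept
    until the matching ACK arrives (or, in a real stack, until it times out)."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> server ISN sent in SYN-ACK
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None          # backlog full: the SYN is silently dropped
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn               # this ISN goes out in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class SynCookieListener:
    """SYN cookies: nothing is stored per SYN.  The ISN in the SYN-ACK is a
    keyed hash of the peer address, so an ACK carrying ISN+1 proves the peer
    really received the SYN-ACK, i.e. its address was not spoofed.
    Simplified: real cookies also encode a time window and the MSS."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(16)
        self.established = set()

    def _cookie(self, src_ip, src_port):
        tag = hmac.new(self.secret, f"{src_ip}:{src_port}".encode(), hashlib.sha256).digest()
        return struct.unpack(">I", tag[:4])[0]

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port)   # no state allocated

    def on_ack(self, src_ip, src_port, ack_num):
        if ack_num != (self._cookie(src_ip, src_port) + 1) & 0xFFFFFFFF:
            return False
        self.established.add((src_ip, src_port))
        return True


def spoofed_syn_flood(listener, count):
    """Constructed attacker traffic: SYNs from addresses the attacker does not
    control (RFC 5737 documentation range), so no ACK ever comes back."""
    for i in range(count):
        listener.on_syn(f"198.51.100.{i % 256}", 1024 + i)


def legitimate_connect(listener, ip="203.0.113.10", port=40000):
    """A real client completes the handshake: SYN, SYN-ACK, ACK of ISN+1."""
    isn = listener.on_syn(ip, port)
    if isn is None:
        return False             # never got a SYN-ACK
    return listener.on_ack(ip, port, (isn + 1) & 0xFFFFFFFF)


def demo(flood_size=1000):
    """Run the same flood against both listeners and report whether a real
    client can still connect afterwards."""
    stateful = StatefulListener()
    spoofed_syn_flood(stateful, flood_size)
    stateful_ok = legitimate_connect(stateful)

    cookies = SynCookieListener()
    spoofed_syn_flood(cookies, flood_size)
    cookies_ok = legitimate_connect(cookies)
    return {
        "stateful_client_connected": stateful_ok,
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped_syns": stateful.dropped_syns,
        "syncookie_client_connected": cookies_ok,
    }


if __name__ == "__main__":
    print(demo())
```

With the stateful listener the 1000 spoofed SYNs fill all 128 slots and the real client's SYN is dropped along with the rest; the cookie listener keeps no per-SYN state, so the flood costs it nothing and the real client, the only peer that can echo the correct ISN+1, still connects.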
Slowloris attack
Slowloris is a DoS attack performed from a single computer with a purpose-built tool, and it is capable of incapacitating the targeted web server. It opens as many connections to the web server as possible and keeps each one alive by periodically sending partial HTTP requests (for example, one more header line at a time), so the server never sees a complete request and never frees the connection. This way it disrupts the service with minimal bandwidth, because the damage is done by tying up the server's pool of concurrent connections rather than by traffic volume.
Amplification attack
Amplification attacks are UDP flood attacks that abuse protocols such as DNS or NTP to multiply the attacker's bandwidth: they bounce traffic off open DNS resolvers or NTP servers that answer unauthenticated queries, so that far more bandwidth reaches the target than the attacker actually sends. The attacker sends specially crafted requests to many public servers with a spoofed source address, that of the target, and because each response is many times larger than the request, the servers deliver the amplified traffic to the victim. For DNS, a 1 Gb/s stream of requests can produce about 20 Gb/s or more at the target; NTP and memcached reflectors give far higher ratios.
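How this looks from the victim's side, as an added example that is not from the original article: many servers answering from the same service port, with large packets, all towards one destination that never asked. The flow records, the short list of reflector ports and the thresholds are constructed assumptions for the demonstration; a real deployment would tune them.

```python
"""Spotting reflected and amplified UDP traffic in flow records, and working
out the amplification ratio a reflector gives the attacker.  Added example,
not from the original article: the flow records are constructed, the
reflector port list is a short assumed sample, and the thresholds are
illustrative."""
from collections import defaultdict
from dataclasses import dataclass

# Services commonly abused as reflectors, keyed by the UDP port their
# responses come from (assumed sample list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}


@dataclass
class Flow:
    src: str      # address the packets come from (the reflector)
    sport: int
    dst: str      # address that receives them (the spoofed "requester")
    dport: int
    nbytes: int
    packets: int


# Constructed records: a victim at 203.0.113.5 receiving large DNS and NTP
# answers from many servers it never queried, plus ordinary traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 53, "203.0.113.5", 40123, 3_100_000, 1000),
    Flow("198.51.100.2", 53, "203.0.113.5", 40123, 3_050_000, 1000),
    Flow("198.51.100.3", 53, "203.0.113.5", 40123, 2_990_000, 1000),
    Flow("198.51.100.4", 53, "203.0.113.5", 40123, 3_200_000, 1000),
    Flow("192.0.2.10", 123, "203.0.113.5", 123, 440_000, 1000),
    Flow("192.0.2.11", 123, "203.0.113.5", 123, 450_000, 1000),
    Flow("192.0.2.12", 123, "203.0.113.5", 123, 460_000, 1000),
    Flow("198.51.100.9", 53, "203.0.113.7", 51000, 12_000, 100),    # normal DNS
    Flow("192.0.2.50", 443, "203.0.113.7", 52000, 900_000, 700),    # normal HTTPS
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes delivered to the victim per byte
    the attacker has to send."""
    return response_bytes / request_bytes


def find_reflection(flows, min_sources=3, min_avg_packet=400):
    """Group inbound flows by (victim, reflector service).  Many distinct
    sources answering from the same service port with large packets, all
    towards one destination, is the signature of a reflection flood."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        service = REFLECTOR_PORTS.get(f.sport)
        if service is None:
            continue
        g = groups[(f.dst, service)]
        g["sources"].add(f.src)
        g["bytes"] += f.nbytes
        g["packets"] += f.packets

    alerts = []
    for (victim, service), g in groups.items():
        avg = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_sources and avg >= min_avg_packet:
            alerts.append({
                "victim": victim,
                "service": service,
                "sources": len(g["sources"]),
                "bytes": g["bytes"],
                "avg_packet_bytes": round(avg),
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for a in find_reflection(SAMPLE_FLOWS):
        print(a)
    # A roughly 60-byte DNS query answered with a roughly 3000-byte response:
    print(f"DNS amplification x{amplification_factor(60, 3000):.0f}")
```

The ordinary DNS flow to 203.0.113.7 is not flagged because it comes from a single resolver with small answers; the grouping keys on the count of distinct reflectors and the average packet size, which are the two properties the victim can observe without ever seeing the attacker's spoofed requests.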
HTTP attack (or layer 7 attack)
This kind of attack imitates the traffic of real users by sending ordinary HTTP GET and POST requests to the website. The goal is to generate more concurrent visitors than the server was set up for, so that the application itself, rather than the network link, becomes overloaded. Because each request is valid on its own, layer 7 floods cannot be recognised from packet contents; they are distinguished from real traffic by their rate and pattern.
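Since the requests themselves look normal, detection has to key on rate. As an added example that is not from the original article, the following counts requests per client address over a sliding window on web-server access-log lines. The log lines are constructed for the demonstration, and the ten-second window and 100-request threshold are illustrative assumptions that a real site would tune to its own traffic.

```python
"""Telling a layer 7 (HTTP) flood from real traffic by request rate rather
than by request content.  Added example, not from the original article: the
access-log lines are constructed, and the window and threshold are
illustrative assumptions that a real deployment would tune."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx common-log-style line (no referer or user-agent fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def flood_sources(lines, window=timedelta(seconds=10), threshold=100):
    """Sliding-window count per client: return the peak number of requests each
    source made within `window`, for sources whose peak reaches `threshold`."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _fmt(ip, t, method, path, status, size):
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S} +0000] "{method} {path} HTTP/1.1" {status} {size}'


def make_sample_log():
    """Constructed log: one real visitor browsing slowly, and one source that
    sends 300 perfectly valid-looking search requests within ten seconds."""
    base = datetime(2023, 10, 10, 13, 55, 0)
    events = []
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        events.append((t, _fmt("203.0.113.4", t, "GET", "/index.html", 200, 5120)))
    for i in range(300):
        t = base + timedelta(milliseconds=33 * i)
        events.append((t, _fmt("198.51.100.7", t, "POST", f"/search?q=item{i}", 200, 2048)))
    events.sort(key=lambda e: e[0])   # a real log is written in arrival order
    return [line for _, line in events]


if __name__ == "__main__":
    print(flood_sources(make_sample_log()))
```

Nothing in the attacker's requests is malformed; the only thing that separates 198.51.100.7 from the real visitor is 300 requests in ten seconds against 2. In a distributed flood each bot stays under such a per-address threshold, which is why layer 7 defences also look at aggregate rate per URL, session behaviour and client challenges rather than per-IP counts alone.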
Application vulnerability attack
This kind of attack exploits a vulnerability in the software itself: for example, a crafted input that crashes the application or achieves remote code execution, so that a single request rather than a flood of traffic takes the service down.
In our next article, we will look at the most effective methods of protecting against DDoS attacks and mitigating them.