DDoS attacks explained — Beginner’s Guide

spareproj
7 min read, Jun 14, 2024


DDoS stands for Distributed Denial of Service.

It is one of the most well-known tactics that attackers use to disrupt a company’s operations.

As the name suggests, the attackers flood the victim with so much traffic that it can no longer respond to anyone else.

How does it work?

To flood the victim’s server, the attacker must send massive amounts of traffic or requests to it.

If the attacker used a single computer to do so, it could not produce enough traffic to matter, and its IP address would quickly be identified as the source of the jam and blocked, putting a stop to the attack. So the traffic has to come from many sources, and the real operator behind it has to stay hidden.

“Distributed” in DDoS means that the attack traffic comes from a wide range of computers and locations instead of a single place.

But how does an attacker get access to a wide range of computers?

Well, they could certainly buy many computers and hire people to sit at each one and send the traffic or make the requests.

But that would be a massive amount of effort.

Botnets

How can they acquire an army of computers to do their bidding?

Attackers can infect a large number of computers or IoT devices (routers, cameras, smart TVs) with malware. Once infected, these devices are herded into a “botnet”: a network of compromised machines under the attacker’s control.


The malware lets the attacker control the bots remotely, instructing them to send traffic to a chosen target whenever they are activated.

Since the bots can be any type of device, in any geographical location, the sources of the attack look very distributed, and the attacker’s own identity stays hidden behind them.

Alternatively, an attacker who isn’t sophisticated enough to run such an infection campaign can simply rent an existing botnet, or a DDoS-for-hire service built on one, from dark web marketplaces.

Having recruited an army to do their bidding, you can imagine the sheer volume of traffic they can produce.

How to attack?

A DDoS attack can target different parts of the victim’s organization.

Attack the network layer

This is usually the more common target for DDoS attacks.

The attacker floods the victim’s network infrastructure with junk traffic. The goal is either to saturate the bandwidth of the victim’s internet links or to overwhelm the packet-processing capacity of its routers, switches and firewalls, so that legitimate traffic can no longer get through.

Another way is to exploit vulnerabilities in the network protocols to exhaust resources, such as the SYN flood attack that exploits the TCP handshake process.

I’m going to expand on this exploitation example with an analogy:

When you type www.google.com on your browser, your browser needs to make connection with Google’s server to bring you to the website.

This connection is made via a TCP handshake process, like 2 strangers making friends over a handshake.

The TCP handshake process involves a client (your browser) sending a synchronize (SYN) packet to the server (the friend) to request a connection. In response, the friend allocates resources to track this potential new friendship, remembers it as a half-open connection, and sends back a SYN-ACK response.

In the usual course of things, your browser will send back an Acknowledge (ACK) packet back to the friend to complete the handshake.

Now suppose the client is one of those infected devices. It intentionally never completes the handshake, leaving the sad friend standing by, waiting for an acknowledgement that will not come. Real SYN floods usually also forge the source address, so the SYN-ACK goes to a host that never answers. Either way, the friend is left holding many half-open connections, each consuming memory in its connection table.

The friend can no longer establish new connections with other people who wish to connect with him or her.

That is how a SYN flood exhausts the server. Note that what runs out here is connection state, not bandwidth: the SYN packets themselves are tiny. This is why defenses such as SYN cookies, where the server encodes what it needs to know in the sequence number of its SYN-ACK and stores nothing until the final ACK arrives, are effective against it.
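To make the difference between “remembering every handshake” and SYN cookies concrete, here is an added simulation (not code from the original post) of a listen socket under a SYN flood. Nothing touches the network: client and server are plain Python objects exchanging sequence numbers. The backlog size, the HMAC-based cookie construction and the lack of half-open timeouts are simplifying assumptions chosen to make the failure mode visible.

```python
"""Simulation of a listen socket under a SYN flood, with and without SYN cookies.

Added example, not code from the original post. Nothing touches the network:
client and server are plain Python objects passing sequence numbers around.
The backlog size, the cookie construction and the absence of timeouts are
simplifications (assumptions) chosen to make the failure mode visible.
"""
import hashlib
import hmac
import os
import random

SERVER_SECRET = os.urandom(16)   # per-server key for SYN cookies (assumption)
LISTEN_PORT = 443


def isn_cookie(src_ip, src_port):
    """Stateless server ISN: an HMAC over the connection tuple, truncated to 32 bits."""
    msg = f"{src_ip}:{src_port}:{LISTEN_PORT}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class ListenSocket:
    """The 'friend' from the analogy: it must remember every handshake it has started."""

    def __init__(self, backlog, syn_cookies=False):
        self.backlog = backlog            # max half-open entries (cf. net.ipv4.tcp_max_syn_backlog)
        self.syn_cookies = syn_cookies
        self.half_open = {}               # (ip, port) -> ISN we sent, waiting for its ACK
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src):
        """Handle a SYN. Return the ISN carried in our SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            # Store nothing: the ISN itself lets us verify the final ACK later.
            return isn_cookie(*src)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1        # queue full: an honest SYN is dropped like a bogus one
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = isn         # this per-connection state is what the flood exhausts
        return isn

    def on_ack(self, src, ack):
        """Third handshake step. Return True if the connection is now established."""
        if self.syn_cookies:
            ok = ack == (isn_cookie(*src) + 1) % 2**32
        else:
            isn = self.half_open.pop(src, None)
            ok = isn is not None and ack == (isn + 1) % 2**32
        if ok:
            self.established.add(src)
        return ok


def honest_client(sock, src):
    """SYN -> SYN-ACK -> ACK, the way a browser behaves. Return True on success."""
    syn_ack = sock.on_syn(src)
    if syn_ack is None:
        return False
    return sock.on_ack(src, (syn_ack + 1) % 2**32)


def syn_flood(sock, count):
    """Bots (or spoofed addresses) send SYNs and never answer the SYN-ACK."""
    for i in range(count):
        sock.on_syn((f"203.0.113.{i % 250 + 1}", 10000 + i))   # constructed sources


def legit_connect_after_flood(flood_size, backlog=128, syn_cookies=False):
    """Can one honest client still connect after `flood_size` unanswered SYNs?"""
    sock = ListenSocket(backlog, syn_cookies)
    syn_flood(sock, flood_size)
    return honest_client(sock, ("198.51.100.7", 51515))


if __name__ == "__main__":
    print("no defence, 1000 bogus SYNs:", legit_connect_after_flood(1000))                    # False
    print("SYN cookies, 1000 bogus SYNs:", legit_connect_after_flood(1000, syn_cookies=True))  # True
```

Without cookies, 1000 unanswered SYNs fill a 128-entry backlog and the honest client’s SYN is silently dropped; with cookies the server stores nothing per SYN, so the flood has nothing to exhaust. A real TCP stack does expire half-open entries after a few retransmitted SYN-ACKs, so an attacker has to keep sending faster than the table drains, which a botnet can do easily.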

Network-based attacks are measured by

  • network bits per second (bps). If you read my other post, you will know that ‘bits’ refer to the 0s and 1s that a computer processes. Higher bps means more data transferred per second. This measures the capacity of a network link, and it is the figure you see when you run a speed test on your home connection.
  • network packets per second (pps). This measures the number of data packets a network device, like a router or switch, can process in one second. Every packet costs the device some processing regardless of how small it is, so a flood of tiny packets can overwhelm a device long before its links are full.

Attack the application layer

Instead of targeting the network, the attacker can also choose to target the victim’s applications, such as a web application, a mobile app backend, an API, or some other service. This could be a frontend e-commerce website or a banking portal.

The attacker uses automated tools or scripts to generate a large number of seemingly legitimate requests, such as HTTP GET or POST requests, form submissions, or other interactions supported by the application.

Such attacks exploit an asymmetry in how web servers, applications and services handle normal requests: a request is cheap for the client to send but can be expensive for the server to process.

The infected devices can also open many connections to the victim’s application and send partial HTTP requests, trickling out data just fast enough to keep each connection open (the technique known as Slowloris), until the server’s connection pool is used up.

These requests overwhelm the application’s resources, such as CPU, memory, and the database connection pool. If those are insufficient to keep up with the requests, the application slows to a crawl or crashes.

Alternatively, the attacker can exploit weaknesses in the victim’s application code or design, such as inefficient database queries or poorly optimized API endpoints, so that each request costs the server far more than it costs the attacker to send.

The end goal is the same: to consume so many resources that the application cannot function properly anymore.

Application-based attacks are measured by

  • requests per second (rps). This measures how many HTTP or API requests hit the application in a second, as opposed to raw bits or packets.
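As an added example (not code from the original post), here is the kind of detection a practitioner would run against web server access logs to spot the request floods and expensive-endpoint abuse described above. It keeps a per-client budget over a sliding window, where each request costs a number of units based on how expensive the endpoint is for the server. The log lines are constructed, use RFC 5737 test addresses, and the endpoint cost table is an illustrative assumption.

```python
"""Cost-weighted request-rate detection over web server access logs.

Added example, not code from the original post. The log lines are constructed
(RFC 5737 test addresses) and the per-endpoint costs are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed relative server cost per endpoint: a search that hits the database
# eats more of a client's budget than a cacheable static page.
ENDPOINT_COST = {"/api/search": 10, "/login": 5}
DEFAULT_COST = 1


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],   # drop the query string
    }


class SlidingWindowLimiter:
    """Per-client budget of cost units over a sliding time window."""

    def __init__(self, window, budget):
        self.window = window
        self.budget = budget
        self._events = defaultdict(deque)   # ip -> deque of (ts, cost), oldest first
        self._spent = defaultdict(int)      # ip -> cost currently inside the window

    def hit(self, ip, ts, cost):
        """Record one request; return True if the client is now over budget."""
        q = self._events[ip]
        q.append((ts, cost))
        self._spent[ip] += cost
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:       # evict requests that fell out of the window
            _, old_cost = q.popleft()
            self._spent[ip] -= old_cost
        return self._spent[ip] > self.budget


def find_abusive_clients(lines, window_seconds=1, budget=20):
    """Return {ip: number of over-budget requests} for every client that exceeded the budget."""
    limiter = SlidingWindowLimiter(timedelta(seconds=window_seconds), budget)
    offenders = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        cost = ENDPOINT_COST.get(rec["path"], DEFAULT_COST)
        if limiter.hit(rec["ip"], rec["ts"], cost):
            offenders[rec["ip"]] += 1
    return dict(offenders)


def constructed_log():
    """Synthetic access log: one normal browser session and one bot hammering /api/search."""
    t0 = datetime(2024, 6, 14, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, path, offset_ms):
        ts = (t0 + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [
        line("198.51.100.7", "/index.html", 0),
        line("198.51.100.7", "/static/app.js", 150),
        line("198.51.100.7", "/api/search?q=ddos", 900),
    ]
    # 30 search requests from one source within 600 ms: cheap to send, costly for the database
    lines += [line("192.0.2.10", f"/api/search?q={i}", 20 * i) for i in range(30)]
    return lines


if __name__ == "__main__":
    print(find_abusive_clients(constructed_log()))   # {'192.0.2.10': 28}
```

The browser spends 12 units in its window and is never flagged; the bot crosses the 20-unit budget on its third search and every request after that is counted against it. Counting per source IP is only a first line of defense against a *distributed* attack, where each bot may stay under the threshold individually, so in practice you would combine this with a global budget per expensive endpoint and with upstream filtering.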

Scale of DDoS attacks

To give you an idea of the scale of DDoS attacks, here are some of the all-time high numbers of publicly-known attacks.

In Nov 2021, a Microsoft Azure customer was hit by a 3.47 terabits per second (Tbps) and 340 million packets per second (pps) DDoS attack, with the traffic originating from more than 10,000 sources across multiple countries.

1 Tbps refers to 1 trillion bits per second:

1,000,000,000,000 bits per second (bps)

1,000,000,000 kilobits per second (Kbps)

1,000,000 megabits per second (Mbps)

Most home internet connections today are in the region of 100 Mbps. That means the 2021 attack carried roughly 34,700 times the bandwidth of such a connection (3.47 Tbps divided by 100 Mbps).

(Figure: DDoS attack analysis by Google)

We can see that more attacks target network links (bps) and infrastructure (pps) than applications (rps), although application-layer attacks are still growing.

What happens if i’m under a DDoS attack?

Your security controls have failed you.

Usually, there’s not much you can do in that situation except get whoever sits upstream of you, your ISP or a DDoS mitigation provider, to absorb or reroute the traffic, and wait it out.

There’s usually some kind of intention behind the attack: to disrupt your operations temporarily in retaliation for some political message released by your company, to extort money in return for not attacking you, or a competitor’s effort to sabotage your service and erode your customers’ trust

…the list goes on.

What’s more important is to be prepared before it happens

Since DDoS is one of the most fundamental security attacks, it’s important to protect yourself with the basic DDoS controls.

Firewalls and IDS/IPS (Intrusion Detection Systems and Intrusion Prevention Systems) try to identify malicious traffic and filter it out before it reaches your servers.


A good Firewall/IDS/IPS needs to know what to look out for in your traffic. It should be integrated with some threat intelligence, or use machine learning to identify unusual patterns in the network and block them early on. One caveat: these devices sit on your side of the internet link. If a volumetric attack saturates the link itself, filtering behind it does not help, and the traffic has to be absorbed further upstream by your ISP or a cloud scrubbing service.

Application-level DDoS attacks require application-level protection, duh. Put up a Web Application Firewall (WAF) to filter out suspicious HTTP requests and to rate-limit clients that send far more requests than a human would.

CAPTCHAs on forms and login pages also make it harder for botnets, the armies of infected devices, to flood the expensive parts of the application.

These are all ways to block attacks from overwhelming your systems.

If the attacks get through, your second line of defense is to absorb the flood of traffic through load balancing and spare capacity.

These kinds of controls include Content Delivery Networks (CDNs) and DDoS scrubbing services. They sit in front of your origin servers and spread the incoming traffic across their own globally distributed capacity, so that no single server has to handle all of it. Cloudflare and Akamai are examples of such providers.

Or you can build redundancy into your architecture so that it scales up and down automatically during traffic spikes. Keep an eye on cost when you do: if every junk request triggers more billable capacity, an attacker can turn a denial of service into a drain on your budget instead.
