DDoS attacks: Definition, examples, and techniques

Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for 20 years, and they're only growing more prevalent and stronger.


What is a DDoS attack?

A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by preventing access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it's one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.

Generally, these attacks work by drowning a system with requests for information. This could mean sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The effect is that the available internet bandwidth, CPU and RAM capacity become overwhelmed.

The impact can range from a minor annoyance from disrupted services to entire websites, applications, or even entire businesses being taken offline.

How do DDoS attacks work?

DDoS botnets are the core of any DDoS attack. A botnet consists of hundreds or thousands of machines, called zombies or bots, that a malicious hacker has gained control over. The attackers will harvest these systems by identifying vulnerable systems that they can infect with malware through phishing attacks, malvertising attacks, and other mass infection techniques. The infected machines can range from ordinary home or office PCs to IoT devices—the Mirai botnet famously marshalled an army of hacked CCTV cameras—and their owners almost certainly don't know they've been compromised, as they go on to function normally in most respects.

The infected machines await a remote command from a so-called command-and-control server, which serves as a command center for the attack and is often itself a hacked machine. Once unleashed, the bots all attempt to access some resource or service that the victim makes available online. Individually, the requests and network traffic directed by each bot towards the victim would be harmless and normal. But because there are so many of them, the requests often overwhelm the target system's capacities—and because the bots are generally ordinary computers widely distributed across the internet, it can be difficult or impossible to block their traffic without cutting off legitimate users at the same time.

There are three primary classes of DDoS attacks, distinguished mainly by the type of traffic they lob at victims' systems:

  1. Volume-based attacks employ massive amounts of artificial traffic to overwhelm a resource such as a website or server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second (bps).
  2. Protocol or network-layer DDoS attacks send large numbers of packets to targeted network infrastructures and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).
  3. Application-layer attacks are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second (RPS).

Important techniques used in all types of DDoS attacks include:

  • Spoofing: We say that an attacker spoofs an IP packet when they change or obfuscate information in its header that should tell you where it's coming from. Because the victim can't see the packet's real source, it can't block attacks coming from that source.
  • Reflection: The attacker may craft an IP address that's spoofed so it looks like it actually originated with the intended victim, then send that packet to a third-party system, which "replies" back to the victim. This makes it even harder for the target to understand where an attack is truly coming from.
  • Amplification: Certain online services can be tricked into replying to packets with very large packets, or with multiple packets.

All three of these techniques can be combined into what's known as a reflection/amplification DDoS attack, which has become increasingly common.

How to identify DDoS attacks

DDoS attacks can be hard to diagnose. After all, the attacks superficially resemble a flood of traffic from legitimate requests from legitimate users. But there are ways you can distinguish the artificial traffic from a DDoS attack from the more "natural" traffic you'd expect to get from real users. Here are four DDoS attack symptoms to watch for:

  • Despite spoofing or distribution techniques, many DDoS attacks will originate from a restricted range of IP addresses or from a single country or region—maybe a region that you don't ordinarily see much traffic from.
  • Similarly, you might notice that all the traffic is coming from the same kind of client, with the same OS and web browser showing up in its HTTP requests, instead of showing the diversity you'd expect from real visitors.
  • The traffic might hammer away at a single server, network port, or web page, rather than be evenly distributed across your site.
  • The traffic could come in regularly timed waves or patterns.
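As an added example (not code from the original article), the following Python script turns the four symptoms above into measurable indicators over web-server access logs in the common "combined" format: the share of requests from the busiest source network, the share carrying one identical User-Agent, the share hitting one path, and how regularly the busiest single source sends its requests. The log lines, the addresses (taken from the RFC 5737 documentation ranges) and the alert thresholds are all constructed for illustration; the thresholds in particular are assumptions to be tuned against your own baseline traffic.

```python
"""Heuristic DDoS indicators over constructed access-log lines (added example)."""
import ipaddress
import re
import statistics
from collections import Counter
from datetime import datetime

# Apache/Nginx "combined" access-log format:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative thresholds (assumed values, not from the article); tune to your baseline.
THRESHOLDS = {
    "top_net_share": 0.5,    # more than half of all requests from one /24 (or /48 for IPv6)
    "top_ua_share": 0.75,    # more than 75% of requests carry the identical User-Agent
    "top_path_share": 0.7,   # more than 70% of requests hit a single path
    "interarrival_cv": 0.2,  # busiest source sends at near-constant intervals
}


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def source_network(ip):
    """Collapse a source address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def indicators(lines):
    """Compute the four symptom indicators and a True/False flag for each."""
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    if n == 0:
        return {"requests": 0, "flags": {}}
    nets = Counter(source_network(r["ip"]) for r in recs)
    uas = Counter(r["ua"] for r in recs)
    paths = Counter(r["path"] for r in recs)
    ips = Counter(r["ip"] for r in recs)
    top_net, net_count = nets.most_common(1)[0]
    top_ip, _ = ips.most_common(1)[0]
    # Regularity of the busiest source: coefficient of variation of its request gaps.
    times = sorted(r["time"] for r in recs if r["ip"] == top_ip)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    cv = None
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    result = {
        "requests": n,
        "top_net": top_net, "top_net_share": net_count / n,
        "top_ua_share": uas.most_common(1)[0][1] / n,
        "top_path": paths.most_common(1)[0][0],
        "top_path_share": paths.most_common(1)[0][1] / n,
        "top_ip": top_ip, "interarrival_cv": cv,
    }
    result["flags"] = {
        "single_network": result["top_net_share"] > THRESHOLDS["top_net_share"],
        "uniform_client": result["top_ua_share"] > THRESHOLDS["top_ua_share"],
        "single_target": result["top_path_share"] > THRESHOLDS["top_path_share"],
        "regular_timing": cv is not None and cv < THRESHOLDS["interarrival_cv"],
    }
    return result


def _line(ip, sec, path, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2022:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: ten requests from one /24, one User-Agent, one path, at fixed
# intervals, mixed with two ordinary visitors from elsewhere.
BOT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"
SAMPLE_LOG = (
    [_line("203.0.113.10", s, "/login", BOT_UA) for s in (0, 2, 4, 6)]
    + [_line("203.0.113.11", s, "/login", BOT_UA) for s in (1, 3, 5)]
    + [_line("203.0.113.12", s, "/login", BOT_UA) for s in (7, 8, 9)]
    + [_line("198.51.100.7", 4, "/about", "Mozilla/5.0 (Macintosh) Safari/605.1"),
       _line("192.0.2.33", 8, "/blog/post-1", "curl/7.81.0")]
)
LEGIT_LOG = SAMPLE_LOG[-2:]  # the two ordinary visitors on their own

if __name__ == "__main__":
    for name, log in (("mixed", SAMPLE_LOG), ("legit only", LEGIT_LOG)):
        r = indicators(log)
        print(name, r["requests"], "requests, flags:", r["flags"])
```

Each indicator is deliberately a ratio rather than an absolute count, so the same script can be pointed at a tail of your real log and compared against a quiet period; a single raised flag is weak evidence, while all four together are the pattern the list above describes.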

How to stop a DDoS attack

Mitigating a DDoS attack is hard because, as previously noted, the attack takes the form of web traffic of the same kind that your legitimate customers use. It would be easy to "stop" a DDoS attack on your website simply by blocking all HTTP requests, and indeed doing so may be necessary to keep your server from crashing. But doing that also blocks anyone else from visiting your website, which means your attackers have achieved their goals.

If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online: for instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you aren't using. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.

In general, though, the best way to mitigate against DDoS attacks is to simply have the capacity to withstand large amounts of incoming traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service designed to accommodate huge amounts of traffic. Your network service provider might have their own mitigation services you can make use of.
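As an added example that is not part of the original article, here is a small Python per-source token-bucket rate limiter of the kind a reverse proxy or application front end can apply, combined with a CIDR block list standing in for the regional block described above (turning a region into address ranges needs a geo-IP database, which is assumed and not shown). Legitimate visitors stay within their bucket and are never refused, while a source that hammers the service is held to a fixed rate. The scenario, the rates and the addresses (RFC 5737 documentation ranges) are constructed; the `FakeClock` exists only to make the replay deterministic.

```python
"""Per-source token-bucket rate limiting with a CIDR block list (added example)."""
import ipaddress
import time
from collections import Counter


class FakeClock:
    """Settable clock so the replay below is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class SourceRateLimiter:
    """Token bucket per source IP: each source may burst up to `burst` requests,
    then is held to `rate` requests per second. Sources inside any blocked
    network are refused outright."""

    def __init__(self, rate, burst, blocked_networks=(), clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.blocked = [ipaddress.ip_network(n) for n in blocked_networks]
        self.clock = clock
        self.buckets = {}  # ip -> (tokens, time of last refill)

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked)

    def allow(self, ip):
        """Return 'blocked', 'allow' or 'limit' for one request from ip."""
        if self.is_blocked(ip):
            return "blocked"
        now = self.clock()
        tokens, last = self.buckets.get(ip, (self.burst, now))
        # Refill in proportion to elapsed time, capped at the bucket size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return "allow"
        self.buckets[ip] = (tokens, now)
        return "limit"


def simulate(events, rate=1.0, burst=3, blocked_networks=("192.0.2.0/24",)):
    """Replay (time, ip) events through the limiter; return counts per decision."""
    clock = FakeClock()
    limiter = SourceRateLimiter(rate, burst, blocked_networks, clock=clock)
    outcome = Counter()
    for t, ip in sorted(events):
        clock.now = t
        outcome[(ip, limiter.allow(ip))] += 1
    return outcome


# Constructed scenario:
#  - 203.0.113.10 sends two requests a second for five seconds,
#  - 198.51.100.7 browses normally, one request every two seconds,
#  - 192.0.2.99 sits in a network the operator has chosen to block.
SAMPLE_EVENTS = (
    [(0.5 * i, "203.0.113.10") for i in range(10)]
    + [(0.0, "198.51.100.7"), (2.0, "198.51.100.7"), (4.0, "198.51.100.7")]
    + [(1.0, "192.0.2.99")]
)

if __name__ == "__main__":
    for (ip, decision), count in sorted(simulate(SAMPLE_EVENTS).items()):
        print(f"{ip:<14} {decision:<8} {count}")
```

With a burst of 3 and a refill of 1 request per second, the hammering source gets its first 3 requests through and then roughly one per second afterwards, while the normal visitor is never limited. A limiter like this only protects the application's own CPU and memory from a request flood; it does nothing for link saturation, which is why the paragraph above still points to raw capacity, a CDN, or the provider's mitigation service.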

Reasons for DDoS attacks

A DDoS is a blunt instrument of an attack. Unlike a successful infiltration, it doesn't net you any private data or get you control over your target's infrastructure. It simply knocks their cyber infrastructure offline. Still, in a world where having a web presence is a must for just about any business, a DDoS attack can be a destructive weapon aimed at an enemy. People might launch DDoS attacks to knock business or political rivals offline—the Mirai botnet was designed as a weapon in a war among Minecraft server providers, and there's evidence that the Russian security services were at one point preparing a similar attack. And while a DDoS attack isn't the same thing as a ransomware attack, DDoS attackers sometimes will contact their victims and promise to turn off the firehose of packets in exchange for some Bitcoin.

DDoS tools: Booters and stressers

And, sometimes, DDoS attackers are just in it for the money—not money from you, but from someone who wants to take your website out. Tools called booters and stressers are available on the more unseemly parts of the internet that essentially provide DDoS-as-a-Service to interested customers, offering access to ready-made botnets at the click of a button, for a price.

Is DDoS illegal?

You might come across an argument that goes something like this: it's not illegal to send web traffic or requests over the internet to a server, so therefore DDoS attacks, which are simply aggregating an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however. Setting aside for the moment that the act of hacking into a computer to make it part of a botnet is illegal, most anti-cybercrime laws, in the U.S., the U.K., and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. Simulating a DDoS attack with the consent of the target organization for the purposes of stress-testing their network is legal, however.

DDoS attacks today

As mentioned briefly above, it's becoming more common for these attacks to be conducted by rented botnets. Expect this trend to continue.

Another trend is the use of multiple attack vectors within an attack, also known as Advanced Persistent Denial-of-Service (APDoS). For example, an APDoS attack may involve the application layer, such as attacks against databases and applications as well as directly on the server. "This goes beyond just 'flooding,'" says Chuck Mackey, director of partner success at Binary Defense.

Additionally, Mackey explains, attackers often don't just directly target their victims but also the organizations on which they depend, such as ISPs and cloud providers. "These are wide-reaching, high-impact attacks that are well-coordinated," he says.

This is also changing the impact of DDoS attacks on organizations and expanding their risk. "Businesses are no longer merely concerned with DDoS attacks on themselves, but attacks on the vast number of business partners, vendors, and suppliers on whom those businesses rely," says Mike Overly, cybersecurity lawyer at Foley & Lardner LLP. "One of the oldest adages in security is that a business is only as secure as its weakest link. In today's environment (as evidenced by recent breaches), that weakest link can be, and frequently is, one of the third parties," he says.

Copyright © 2022 IDG Communications, Inc.