What Is a DDoS Attack and How Does It Work?

Understanding Distributed Denial of Service (DDoS) Attacks: A Comprehensive Guide

In the ever-evolving landscape of cybersecurity, Distributed Denial of Service (DDoS) attacks have emerged as a significant threat. What once was a minor nuisance has now transformed into a sophisticated and highly disruptive form of cyberattack, but what are DDoS attacks and how can security experts protect against them? What should aspiring students and IT professionals know before taking a security oriented certification exam like the CompTIA Security+, CySA+ or the new CompTIA SecurityX? Read on and find out!

What is a DDoS Attack?

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. It is a type of Denial of Service (DoS) attack that is achieved by utilizing multiple compromised computer systems as sources of attack traffic. These attacks exploit the default or even proper workings of network equipment and services, making them challenging to mitigate. The compromised computer systems are spread out over a wide area which is where the Distributed part of the name comes from.

The Evolution of DDoS Attacks

Years ago, DDoS attacks were largely perceived as minor annoyances perpetrated by novice attackers for amusement. However, the landscape has drastically changed. Today, DDoS attacks are a sophisticated and lucrative business. According to InfoSecurity Magazine, there were 2.9 million DDoS attacks in the first quarter of 2021, marking a 31% increase over the same period in 2020 . This exponential increase has led to significant downtime and financial losses for businesses worldwide. There is also an entire industry of Content Delivery Networks (CDN) that has sprung up to protect companies and their resources from DDoS attacks.

Major DDoS Incidents

Several high-profile DDoS attacks have highlighted the severity and potential damage these attacks can cause:

Amazon Web Services (AWS): In February 2020, AWS experienced a DDoS attack that kept its incident response teams occupied for several days, affecting customers globally.
EXMO Cryptocurrency Exchange: In February 2021, a DDoS attack rendered the organization inoperable for nearly five hours.
State-Sponsored Attacks: Countries like Australia and Belgium have faced state-sponsored DDoS attacks targeting critical infrastructure such as parliaments, police services, and universities.

How Does a DDoS Attack Work?

The Mechanics of DDoS Attacks

DDoS attacks leverage multiple, distributed network devices to generate a flood of traffic towards the target. These devices can include compromised computers, routers, switches, and even IoT devices. The main aim is to overwhelm the target's resources, making it impossible for legitimate users to access the services. What exactly those compromised computers do during the attack can vary, but a simple example is sending a large amount of HTTP or HTTPS traffic to a website (though other protocols could be used depending on the target).

Components of a DDoS Attack

Botnets: A botnet is a network of compromised devices controlled by an attacker. These devices, often referred to as "zombies," are used to launch the attack.
Command and Control (C&C): This is the central server that coordinates the attack, sending instructions to the botnet.
Traffic Generation: The botnet generates a high volume of traffic, including requests and data packets, directed at the target.

Types of DDoS Attacks

DDoS attacks can be categorized into three main types:

Application Layer Attacks (Layer 7): These attacks target the application layer of the OSI model. They often involve sending numerous requests to a specific application, such as a web server, overwhelming it with traffic. Examples include HTTP floods and Slowloris attacks.
Protocol Attacks: These attacks exploit weaknesses in network protocols, consuming resources of critical devices like firewalls and load balancers. Examples include SYN floods and Ping of Death attacks.
Volumetric Attacks: These attacks generate massive traffic volumes to saturate the target's bandwidth. Examples include DNS amplification and UDP floods.

DDoS vs. DoS Attacks

While both DDoS and DoS (Denial of Service) attacks aim to disrupt services, they differ significantly in their execution:

DoS Attack: Involves a single source sending malicious traffic to exhaust the resources of a specific target.
DDoS Attack: Involves multiple sources (a botnet), making it more challenging to block and trace the origin.

Today pure DoS attacks are not seen, due to their simple nature they are easily defended against which has made the DDoS varient significantly more common.

Common DDoS Tactics

Attackers employ various tactics to enhance the effectiveness of DDoS attacks:

Spoofing: Forging IP addresses to hide the attack's origin.
Reflection: Using legitimate services to bounce traffic towards the target, obscuring the attack's source.
Amplification: Sending small requests to services that reply with larger responses, magnifying the attack's impact.

Spoofing, reflection, and amplification are three tactics used to enhance the effectiveness of DDoS attacks, each with unique mechanisms. Spoofing involves forging IP addresses to hide the attack's origin, making it difficult for defenders to trace the source of the attack. Reflection leverages legitimate services to bounce traffic towards the target, effectively obscuring the attack's source by exploiting the default behavior of these services. Amplification takes this a step further by sending small requests to services that reply with much larger responses, significantly magnifying the traffic volume directed at the target and thereby increasing the attack's impact.

Major DDoS Attack Incidents

The history of DDoS attacks is marked by several significant incidents that demonstrate their potential for disruption:

Estonia (2007): A series of DDoS attacks targeted Estonian government, banking, and media websites, causing widespread disruption.
Republic of Georgia (2008): During the Russo-Georgian War, Georgian websites were subjected to DDoS attacks, impacting communication and information dissemination.
Spamhaus (2013): A DDoS attack on the anti-spam organization Spamhaus reached unprecedented levels, peaking at 300 Gbps.
Dyn (2016): A massive DDoS attack on DNS provider Dyn disrupted major websites like Twitter, Netflix, and Reddit.
GitHub (2018): GitHub experienced a record-breaking DDoS attack with traffic peaking at 1.35 Tbps.

These incidents were significant due to their size and target selection, showing that attackers have created botnets capable of huge scale and that can target even major providers on the internet. Interestingly it also shows examples of Cyberwarfare, where state-sponsored attackers may target other state and public resources to cause chaos and disruption.

Detection and Mitigation

Detection Strategies

Early detection of DDoS attacks is crucial for effective mitigation. Common detection strategies include:

Traffic Analysis involves continuously monitoring network traffic to identify unusual patterns, such as sudden spikes in traffic volume or repeated requests from the same IP address. This method helps in recognizing and responding to potential DDoS attacks in real-time by providing insights into traffic anomalies. It can be very resource intensive and therefor expensive to implement, particularly if done in real time.

Rate Limiting is a proactive measure that controls the number of requests a server will accept from a single source within a given timeframe. By setting thresholds, rate limiting can effectively reduce the impact of a DDoS attack by preventing any single source from overwhelming the server, though it may not distinguish between legitimate and malicious traffic. It is also a common tactic to protect against web-scrapers, spam and even different pricing tiers from customers. For example, several public APIs like Reddit and Twitter APIs use rate limiting as a means of ensuring lower tier customers are limited and must upgrade to access their APIs more frequently.

Anomaly Detection leverages machine learning algorithms to analyze traffic patterns and identify deviations from normal behavior. This sophisticated method allows for the detection of subtle and evolving DDoS attacks by learning what constitutes normal traffic and flagging anomalies, making it more adaptive and precise compared to static rules-based approaches like rate limiting. This method is also the most complicated and can be expensive depending on the scale of traffic a service receives. This particular type of detection is often delegated to 3rd parties, such as protecting your service behind a CDN which supports Anomaly Detection as a security feature of the service.

Mitigation Techniques

Once a DDoS attack is detected, various mitigation techniques can be employed to minimize its impact:

Traffic Filtering: Involves setting rules on network devices to identify and drop illegitimate traffic, preventing it from reaching the target server. This of course requires an effective way to identify the malicious traffic which can be trick to do without false positives (filtering out valid traffic accidentally).

Traffic Diversion: Commonly done for DNS based attacks, this technique is a type of DDoS cloud protection where an organization diverts its traffic to the DDoS provider using a DNS or other change. The change can be as simple as modifying the relevant DNS record so that they will eventually direct traffic to another resource. The diverted destination may be used to identify valid and invalid traffic or as a simple "sink hole" until the DDoS attack subsides.

Load Balancing: Distributes incoming traffic across multiple servers to ensure no single server is overwhelmed, maintaining service availability. This is often a technique used to scale a service when not under attack as well. When a DDoS is occurring a load balancer can be used to spread traffic out to many services, but this method requires a large amount of servers to protect against a DDoS attack and can be quickly overwhelmed by a large attack.

Content Delivery Networks (CDNs): Utilizes a network of distributed servers to spread traffic load across multiple locations, minimizing the impact on any single server and improving overall resilience. CDN providers specialize in protecting against DDoS attacks and protecting servers behind them. This method requires that the origin servers (the servers hosting the particular service like a website) are locked down, and only accept traffic that is being proxied through the CDN. CDN also bring cost saving and speed benefits, like caching static HTML pages, images and other files.

Response Strategies

Effective response to a DDoS attack involves a coordinated effort from various stakeholders. Companies and security specialists should create and regularly update a DDoS response plan and keep various stakeholders up to date on the plan. When an attack does occur, those stakeholders should be kept up to date on the status of the attack and the targeted infrastructure's availability. As DDoS attacks are often very large, working with your Internet Service Provider (ISP), Cloud Providers and CDN providers is critical to defend and recover from an attack.