
What is a distributed denial-of-service (DDoS) attack?

A distributed denial-of-service (DDoS) attack floods an online resource—such as a website or cloud service—with fraudulent connection requests or other malicious traffic, typically by using a botnet. Unable to handle all that traffic, the target slows to a crawl or crashes, making it unavailable to legitimate users.

Distributed denial-of-service attacks are a type of denial-of-service attack (DoS attack), a category that includes all cyberattacks that slow or stop applications or services. DDoS attacks are unique in that they send attack traffic from multiple sources all at once—potentially making them harder to recognize and defend against—which puts the “distributed” into “distributed denial-of-service.”

According to the IBM® X-Force® Threat Intelligence Index, DDoS attacks account for 2% of the attacks that X-Force responds to. However, the disruptions that they cause can be costly. System downtime can lead to service disruptions, lost revenue and reputational damage. The IBM Cost of a Data Breach Report notes that the cost of lost business due to a cyberattack averages USD 1.47 million.  

Unlike other cyberattacks, DDoS attacks don’t exploit vulnerabilities in network resources to breach computer systems. Instead, they use standard network connection protocols such as Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) to flood endpoints, apps and other assets with more traffic than they can handle.

Web servers, routers and other network infrastructure can process only a finite number of requests and sustain a limited number of connections at any one time. By using up a resource’s available bandwidth, DDoS attacks prevent these resources from responding to legitimate connection requests and packets.

In broad terms, a DDoS attack has two main stages: creating a botnet and carrying out the attack. 

Stage 1: Creating (or renting or buying) a botnet

A DDoS attack usually requires a botnet—a network of internet-connected devices that have been infected with malware that enables hackers to control the devices remotely.

Botnets can include laptop and desktop computers, mobile phones, Internet of Things (IoT) devices and other consumer or commercial endpoints. The owners of these compromised devices are typically unaware that they have been infected or are being used for a DDoS attack.

Some cybercriminals build their own botnets, actively spreading malware and taking over devices. Others purchase or rent preestablished botnets from other cybercriminals on the dark web under a model referred to as “denial-of-service as a service.”

Not all DDoS attacks use botnets. Some exploit the normal operations of uninfected devices for malicious ends. (For more information, see “Smurf attacks.”) 

Stage 2: Launching the attack

Hackers command the devices in the botnet to send connection requests or other packets to the IP address of the target server, device or service.

Most DDoS attacks rely on brute force, sending a large number of requests to eat up all of the target’s bandwidth. Some DDoS attacks send a smaller number of more complicated requests that require the target to expend resources in responding. In either case, the result is the same: The attack traffic overwhelms the target system, causing a denial of service and preventing legitimate traffic from accessing it.

Hackers often obscure the source of their attacks through IP spoofing, a technique by which cybercriminals forge fake source IP addresses for packets sent from the botnet. In one form of IP spoofing, called “reflection,” hackers make it look as if the malicious traffic was sent from the victim’s own IP address.

DDoS attacks are not always the primary attack. Sometimes hackers use them to distract the victim from another cybercrime. For example, attackers might exfiltrate data or deploy ransomware to a network while the cybersecurity team is occupied with fending off the DDoS attack.

Hackers use DDoS attacks for all kinds of reasons: extortion, shutting down organizations and institutions they disagree with, stifling competing businesses and even cyberwarfare.

Some of the most common DDoS attack targets include:

Online retailers

DDoS attacks can cause significant financial harm to retailers by bringing down their digital stores, making it impossible for customers to shop until the attack is resolved.

Internet service providers (ISPs)

When threat actors launch DDoS attacks on ISPs, they can knock all of a provider’s customers offline. 

Cloud service providers

Cloud service providers are popular targets for DDoS attacks. Because these services host data and apps for other businesses, hackers can cause widespread outages with a single attack.

Financial institutions

DDoS attacks can knock banking services offline, preventing customers from accessing their accounts. 

Software as a service (SaaS) providers

As with cloud service providers, SaaS providers are attractive targets because hackers are able to disrupt multiple organizations in one fell swoop. 

Gaming companies

DDoS attacks can disrupt online games by flooding their servers with traffic. These attacks are often launched by disgruntled players with personal vendettas, as was the case with the Mirai botnet that was originally built to target Minecraft servers.

Government agencies

DDoS attacks are often used against governments, especially during times of war.

DDoS attacks are classified based on the tactics that they use and the network architecture they target. Common types of DDoS attacks include:

Application layer attacks

As the name suggests, application layer attacks target the application layer of a network. In the Open Systems Interconnection model (OSI model) framework, this layer is where users interact with web pages and apps. Application layer attacks disrupt web applications by flooding them with malicious requests.

One of the most common application layer attacks is the HTTP flood attack, in which an attacker continuously sends a large number of HTTP requests from multiple devices to the same website. The website cannot keep up with all the requests, and it slows down or crashes. HTTP flood attacks are akin to hundreds or thousands of web browsers repeatedly refreshing the same webpage.

Protocol attacks

Protocol attacks target the network layer (layer 3) and the transport layer (layer 4) of the OSI model. They aim to overwhelm critical network resources such as firewalls, load balancers and web servers with malicious connection requests.

Two of the most common types of protocol attacks are SYN flood attacks and smurf attacks.

A SYN flood attack takes advantage of the TCP handshake, a process by which two devices establish a connection with one another. A typical TCP handshake has three steps:

  1. One device sends a synchronization (SYN) packet to initiate the connection.
  2. The other device responds with a synchronization/acknowledgment (SYN/ACK) packet to acknowledge the request.
  3. The original device sends back an ACK packet to finalize the connection.

In a SYN flood attack, the attacker sends the target server a large number of SYN packets with spoofed source IP addresses. The server responds to the spoofed IP addresses and waits for the final ACK packets. Because the source IP addresses were spoofed, these packets never arrive. The server is tied up in a large number of unfinished connections, leaving it unavailable for legitimate TCP handshakes.
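A defender-side check for the tied-up backlog described above, written for this page as an added example (not IBM's code): it parses a constructed socket-table snapshot in the style of `ss -tan` and flags a local port whose sockets are dominated by SYN-RECV entries from sources that never complete the handshake. The sample lines, thresholds and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in the style of `ss -tan` output (not real data): two peers
# have completed the handshake, while 40 distinct sources sit in SYN-RECV.
SAMPLE_SOCKETS = (
    "State     Recv-Q Send-Q Local_Address:Port Peer_Address:Port\n"
    "ESTAB     0      0      10.0.0.5:443       203.0.113.10:51512\n"
    "ESTAB     0      0      10.0.0.5:443       203.0.113.11:40218\n"
    + "".join(f"SYN-RECV  0      0      10.0.0.5:443       198.51.100.{i}:1025\n"
              for i in range(1, 41))
)


def parse_sockets(text):
    """Yield (state, local_port, peer_ip) per socket line, skipping the header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]


def syn_flood_report(text, min_half_open=20, max_ratio=0.5):
    """Summarise half-open connections per local port and flag likely SYN floods.

    A port is flagged when at least `min_half_open` sockets are in SYN-RECV and
    they make up more than `max_ratio` of its sockets: real clients finish the
    handshake within milliseconds, so a table dominated by SYN-RECV means the
    backlog is tied up waiting for ACKs that are not coming.
    """
    states = defaultdict(Counter)
    half_open_peers, established_peers = defaultdict(set), defaultdict(set)
    for state, port, peer_ip in parse_sockets(text):
        states[port][state] += 1
        if state == "SYN-RECV":
            half_open_peers[port].add(peer_ip)
        elif state == "ESTAB":
            established_peers[port].add(peer_ip)
    report = {}
    for port, counts in states.items():
        total, half_open = sum(counts.values()), counts["SYN-RECV"]
        ratio = half_open / total
        # Peers seen only half-open never sent the final ACK, which is exactly
        # how spoofed SYN sources look from the server's side.
        never_completed = half_open_peers[port] - established_peers[port]
        report[port] = {
            "half_open": half_open,
            "established": counts["ESTAB"],
            "half_open_ratio": round(ratio, 2),
            "sources_never_completing": len(never_completed),
            "suspected_syn_flood": half_open >= min_half_open and ratio > max_ratio,
        }
    return report


if __name__ == "__main__":
    for port, summary in syn_flood_report(SAMPLE_SOCKETS).items():
        print(f"port {port}: {summary}")
```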

A smurf attack takes advantage of the Internet Control Message Protocol (ICMP), a communication protocol used to assess the status of a connection between two devices.

In a typical ICMP exchange, one device sends an ICMP echo request to another, and the latter device responds with an ICMP echo reply.

In a smurf attack, the attacker sends an ICMP echo request from a spoofed IP address that matches the victim’s IP address. This ICMP echo request is sent to an IP broadcast network that forwards the request to every device on a network.

Every device that receives the ICMP echo request—potentially hundreds or thousands of devices—responds by sending an ICMP echo reply to the victim’s IP address. The sheer volume of responses is more than the victim's device can handle. Unlike many other types of DDoS attacks, smurf attacks do not necessarily require a botnet.

Volumetric attacks

Volumetric DDoS attacks consume all available bandwidth within a target network or between a target service and the rest of the internet, preventing legitimate users from connecting to network resources.

Volumetric attacks often flood networks and resources with high amounts of traffic, even compared to other types of DDoS attacks. Volumetric attacks have been known to overwhelm DDoS protection measures such as scrubbing centers, which are designed to filter out malicious traffic from legitimate traffic.

Common types of volumetric attacks include UDP floods, ICMP floods and DNS amplification attacks.

UDP floods send fake User Datagram Protocol (UDP) packets to a target host’s ports, prompting the host to look for an application to receive these packets. Because the UDP packets are fake, there is no application to receive them, and the host must send an ICMP “destination unreachable” message back to the sender.

The host’s resources are tied up in responding to the constant stream of fake UDP packets, leaving the host unavailable to respond to legitimate packets.

ICMP floods, also called “ping flood attacks,” bombard targets with ICMP echo requests from multiple spoofed IP addresses. The targeted server must respond to all of these requests and becomes overloaded and unable to process valid ICMP echo requests.

ICMP floods are distinguished from smurf attacks in that attackers send large numbers of ICMP requests from their botnets. In a smurf attack, hackers trick network devices into sending ICMP responses to the victim’s IP address.

In a DNS amplification attack, the attacker sends several Domain Name System (DNS) requests to one or many public DNS servers. These lookup requests use a spoofed IP address belonging to the victim and ask the DNS servers to return a large amount of information per request. The DNS server replies to the requests by flooding the victim’s IP address with large amounts of data.
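An added example (not from the IBM page) covering both the smurf passage and the DNS amplification passage from the victim's side: it scans constructed flow records for ICMP echo replies and DNS answers that reach the victim from peers it never queried, and reports how many bytes came in per byte the victim sent out. The record format, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real captures): "proto src dst sport dport bytes".
# For ICMP the sport column carries the ICMP type (8 = echo request, 0 = echo
# reply). The victim pings one host and sends one DNS query; the rest is reply
# traffic it never asked for (echo replies from a /24, large DNS answers).
VICTIM = "10.0.0.5"
FLOWS = [
    "icmp 10.0.0.5 203.0.113.9 8 0 84",
    "icmp 203.0.113.9 10.0.0.5 0 0 84",
    "udp 10.0.0.5 203.0.113.53 40001 53 60",
    "udp 203.0.113.53 10.0.0.5 53 40001 120",
] + [f"icmp 198.51.100.{i} 10.0.0.5 0 0 84" for i in range(1, 31)] \
  + [f"udp 192.0.2.{i} 10.0.0.5 53 40001 3000" for i in range(1, 21)]


def classify(record):
    """Return (service, src, dst, is_request, is_reply, bytes) or None."""
    proto, src, dst, sport, dport, size = record.split()
    sport, dport, size = int(sport), int(dport), int(size)
    if proto == "icmp":
        return "icmp-echo", src, dst, sport == 8, sport == 0, size
    if proto == "udp" and 53 in (sport, dport):
        return "dns", src, dst, dport == 53, sport == 53, size
    return None


def reflection_report(flows, victim, min_sources=10):
    """Find replies reaching `victim` from peers it never sent a request to.

    Many unsolicited reply sources plus a high bytes-in per byte-out ratio is
    what reflected or amplified traffic looks like on the victim's wire.
    """
    parsed = [c for c in map(classify, flows) if c]
    requested, bytes_out = defaultdict(set), defaultdict(int)
    for service, src, dst, is_request, _, size in parsed:   # pass 1: requests
        if src == victim and is_request:
            requested[service].add(dst)
            bytes_out[service] += size
    replies = defaultdict(lambda: {"sources": set(), "unsolicited": set(), "bytes_in": 0})
    for service, src, dst, _, is_reply, size in parsed:     # pass 2: replies
        if dst == victim and is_reply:
            replies[service]["sources"].add(src)
            replies[service]["bytes_in"] += size
            if src not in requested[service]:
                replies[service]["unsolicited"].add(src)
    report = {}
    for service, r in replies.items():
        out = bytes_out[service]
        report[service] = {
            "reply_sources": len(r["sources"]),
            "unsolicited_sources": len(r["unsolicited"]),
            "bytes_in_per_byte_out": round(r["bytes_in"] / out, 1) if out else None,
            "suspected_reflection": len(r["unsolicited"]) >= min_sources,
        }
    return report
```

Calling `reflection_report(FLOWS, VICTIM)` flags both services; the legitimate ping and DNS query are recognised as solicited and do not count against their peers.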

Multivector attacks

As the name implies, multivector attacks exploit multiple attack vectors, rather than a single source, to maximize damage and frustrate DDoS mitigation efforts.

Attackers might use multiple vectors simultaneously or switch between vectors midattack, when one vector is thwarted. For example, hackers might begin with a smurf attack, but when the traffic from network devices is shut down, they might launch a UDP flood from their botnet.

DDoS threats might also be used in tandem with other cyberthreats. For example, ransomware attackers might pressure their victims by threatening to mount a DDoS attack if the ransom is not paid.

DDoS attacks remain a common cybercriminal tactic for many reasons.

They require little or no skill to carry out

A cybercriminal no longer even needs to know how to code to launch a DDoS attack. Cybercrime marketplaces thrive on the dark web, where threat actors can buy and sell botnets, malware and other tools for conducting DDoS attacks.

By hiring ready-made botnets from other hackers, cybercriminals can easily launch DDoS attacks on their own with little preparation or planning.

They are difficult to detect

Because botnets consist largely of consumer and commercial devices, it can be difficult for organizations to separate malicious traffic from real users.

Moreover, the symptoms of DDoS attacks—slow service and temporarily unavailable sites and apps—can be caused by sudden spikes in legitimate traffic, making it hard to detect DDoS attacks early.

They are difficult to mitigate

When a DDoS attack has been identified, the distributed nature of the cyberattack means that organizations cannot simply block it by shutting down a single traffic source. Standard network security controls intended to thwart DDoS attacks, such as rate limiting, can also slow down operations for legitimate users.

There are more potential botnet devices than ever

The rise of the Internet of Things has given hackers a rich source of devices to turn into bots.

Internet-enabled appliances—including operational technology (OT) such as healthcare devices and manufacturing systems—are sold and operated with universal defaults and weak or nonexistent security controls, making them vulnerable to malware infection.

It can be difficult for the owners of these devices to notice they have been compromised, as IoT devices are often used passively or infrequently.

They use artificial intelligence

DDoS attacks are becoming more sophisticated as hackers adopt artificial intelligence (AI) and machine learning (ML) tools to help direct their attacks. Adaptive DDoS attacks use AI and ML to find the most vulnerable aspects of systems and automatically shift attack vectors and strategies in response to a cybersecurity team’s DDoS mitigation efforts.

How to identify a DDoS attack

The sooner a DDoS attack can be identified, the sooner defense and remediation can begin. Signs that an attack is under way include:

Many of these behaviors might be caused by other factors. However, checking for DDoS attacks first can save time and mitigate damage if a DDoS attack is underway.

DDoS protection solutions help detect traffic anomalies and determine whether they are innocent or malicious. After all, a sudden flood of requests might be the result of a successful marketing campaign, and blocking those requests might be a business disaster.

DDoS mitigation efforts typically attempt to divert the flow of malicious traffic as quickly as possible. 

Common DDoS prevention and mitigation efforts include:

Web application firewalls (WAFs)

While standard firewalls protect networks at the port level, WAFs help ensure that requests are safe before forwarding them to web servers. A WAF can determine which types of requests are legitimate and which are not, enabling it to drop malicious traffic and prevent application-layer attacks.

Content delivery networks (CDNs)

A CDN is a network of distributed servers that can help users access online services more quickly and reliably. With a CDN in place, users’ requests don’t travel all the way back to the service’s origin server. Instead, requests are routed to a geographically closer CDN server that delivers the content.

CDNs can help protect against DDoS attacks by increasing a service’s overall capacity for traffic. When a CDN server is taken down by a DDoS attack, user traffic can be routed to other available server resources in the network.

Detection and response tools

Endpoint detection and response (EDR), network detection and response (NDR) and other tools can monitor network infrastructure for indicators of compromise. When these systems see possible DDoS signs—such as abnormal traffic patterns—they can trigger real-time incident responses, such as terminating suspicious network connections.

Blackhole routing

A “black hole” is part of a network where incoming traffic is deleted without being processed or stored. Blackhole routing means diverting incoming traffic to a black hole when a DDoS attack is suspected.

The downside is that blackhole routing can discard the good with the bad. Valid and perhaps valuable traffic might also be thrown away, making blackhole routing a simple but blunt instrument in the face of an attack.

Rate limiting

Rate limiting means placing limits on the number of incoming requests a server is allowed to accept during a set time period. Service might also slow for legitimate users, but the server is not overwhelmed. 
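The trade-off described above, as an added example that is not part of the original page: a sliding-window rate limiter shared by all clients, run over a constructed ten-second workload of three real users and fifty flooding bots. The limiter keeps the server's accepted load bounded, but because it cannot tell the two apart, legitimate requests are dropped along with the flood. The workload, the 100-per-second limit and the function names are assumptions.

```python
import random
from collections import deque, defaultdict


class SlidingWindowLimiter:
    """Accept at most `limit` requests within any trailing `window_ms` window."""

    def __init__(self, limit, window_ms):
        self.limit, self.window_ms = limit, window_ms
        self.accepted = deque()   # timestamps (ms) of accepted requests

    def allow(self, now_ms):
        # Evict accepted timestamps that have slid out of the window.
        while self.accepted and now_ms - self.accepted[0] >= self.window_ms:
            self.accepted.popleft()
        if len(self.accepted) < self.limit:
            self.accepted.append(now_ms)
            return True
        return False


def simulate(requests, limit, window_ms):
    """Feed (time_ms, source, is_legit) tuples through one server-wide limiter.

    Returns the accepted share per traffic class plus the largest number of
    requests the server ever held in a single window.
    """
    limiter = SlidingWindowLimiter(limit, window_ms)
    counts = defaultdict(lambda: [0, 0])       # class -> [accepted, total]
    peak = 0
    for when, _source, legit in sorted(requests):
        kind = "legit" if legit else "flood"
        counts[kind][1] += 1
        if limiter.allow(when):
            counts[kind][0] += 1
            peak = max(peak, len(limiter.accepted))
    shares = {kind: round(acc / tot, 2) for kind, (acc, tot) in counts.items()}
    shares["peak_in_window"] = peak
    return shares


# Constructed 10-second workload (not real traffic): three users sending one
# request per second and 50 bots sending five per second, at random offsets.
rng = random.Random(7)
LEGIT = [(s * 1000 + rng.randrange(1000), f"user{u}", True)
         for u in range(3) for s in range(10)]
FLOOD = [(s * 1000 + rng.randrange(1000), f"bot{b}", False)
         for b in range(50) for s in range(10) for _ in range(5)]

if __name__ == "__main__":
    print("no attack:   ", simulate(LEGIT, 100, 1000))
    print("during flood:", simulate(LEGIT + FLOOD, 100, 1000))
```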

Load balancing

Load balancing is the process of distributing network traffic among multiple servers to optimize application availability. Load balancing can help defend against DDoS attacks by automatically routing traffic away from overwhelmed servers.

Organizations can install hardware- or software-based load balancers to process traffic. They can also use anycast networking, which enables a single IP address to be assigned to several servers or nodes across multiple locations so that traffic can be shared across those servers. Normally, a request is sent to the optimal server. As traffic increases, the load is spread out, meaning that the servers are less apt to be overwhelmed.

Traffic scrubbing

Scrubbing centers are specialized networks or services that can filter malicious traffic from legitimate traffic by using techniques such as traffic authentication and anomaly detection. Scrubbing centers block malicious traffic while allowing the legitimate traffic to reach its destination.
