DDoS Attack 101: Definition, Techniques, Risks & Prevention
A distributed-denial-of-service (or DDoS) attack involves a network of computers all connecting with your server at the same time. They overwhelm the system, and eventually, it goes down. Even legitimate traffic can't capture the attention of a server overwhelmed with a flood of requests.
DDoS problems aren't new. Companies have dealt with them for years. In 2013, for example, a coordinated attack took down all the servers in China, and the outage lasted for about four hours.
But experts say the technique is on the rise. For example, there were about 50 percent more DDoS attacks in the third quarter of 2020 than the year prior.
It's not always easy to spot a DDoS attack in progress. And once hackers launch it, cleaning up the damage is difficult. But investing in prevention could lower your risk of becoming a hacker's dream target.
How does a DDoS attack work?
Every server is built to both accept and respond to requests. A DDoS attack exploits that vulnerability by overwhelming the server with so much work that it simply can't keep up with the volume.
Hackers begin by developing a network of connected devices. They might target computers and laptops. But they could also focus on internet-connected devices, like doorbells or refrigerators. Attackers can infect anything with a connection with malware. And when they infect it, they can put it to use in an attack.
Experts say infected devices often continue to do their work, so owners may never know about the problem. And cleaning up an infected device is difficult, especially if owners never think to update software or download security patches.
Spotting bots isn't easy for a network administrator, either. Each one has a separate IP address and looks legitimate. When a problem strikes, it's hard to know where it originates.
But with an army of bots, an attacker can point them to your server and wreak havoc.
3 main types of DDoS attacks
All DDoS attacks begin by the hacker overwhelming the system. But programmers can achieve that goal in many ways. Three basic types of attacks exist, but they all have important variants.
1. Application-layer attacks
Hackers that use this technique focus their work on the part of the server that generates web pages when users ask it to. An attacker directs bots to request the page over and over again, overwhelming the server.
HTTP flood attacks are among the most common application-layer attacks. A hacker will direct bots to:
- Call up a specific URL
- Ask for specific images within a web page
- Ask for documents via GET requests
- Ask for frequent refreshes of pages.
Regular users may make these same requests as they visit your site and browse your resources. It's very difficult to separate the malignant traffic from legitimate work.
2. Protocol attacks
Hackers flood parts of your system, such as load balancers, with multiple requests that come quickly from all directions.
A SYN flood attack is an example of a protocol attack. A hacker sends many initial connection requests to the server and includes a spoofed IP address as the source. The server:
- Accepts the requests to connect
- Sends a response, asking to complete the connection
- Waits for that response
- Crashes after waiting for too many responses
3. Volumetric attacks
Experts say that about 50 percent of DDoS attacks launched are volumetric attacks. They're designed to flood your bandwidth and take the server down due to a lack of available space.
DNS amplification is a common form of volumetric attack. Hackers direct bots to make information requests that take up large amounts of data. They then direct that data back to the origin server. A hacker can create a large amount of chaos very quickly with an attack like this.
Common DDoS symptoms
If your servers are working properly, they're accepting requests and responding to them. Each server will tackle the same task when you're under a DDoS attack. So what's the difference?
Experts say telltale signs include:
- Suspicious location. You notice several devices clustered in one spot, and you may not normally get visitors from there.
- Unusual traffic spikes. You may see multiple requests every five minutes, for example, or you get hundreds in one minute.
- Poor performance. Your site loads very slowly, or it's inaccessible.
- Long-lasting outage. If your site goes down for a legitimate reason, the problem typically lasts for just a moment or two. If the issue persists for days, you could be dealing with a DDoS.
- Ongoing demands. Some hackers launch attacks for amusement. But others may contact you to ask for a payout before they'll stop their work.
It pays to watch your server performance carefully. The sooner you spot the problem, the better.
How to respond to a DDoS attack
When your server is under attack, you have plenty of choices. But know that most of them will impact legitimate traffic too.
Mitigation options can involve:
- Blackhole filtering. Develop restriction criteria, and drop off any traffic that doesn't meet those requirements.
- Scrubbers. Your IT team or hosting company examines how your traffic changed right before the attack, and that could identify the malignant addresses. A scrubber keeps them from connecting.
- Casting. You distribute your traffic among a network of servers. Increasing your capacity can stop traffic from overwhelming your ability to respond to requests.
Ways to prevent a DDoS attack
Stopping an attack is difficult, and your work is bound to be disruptive. Prevention can keep the problems from starting so your legitimate visitors aren’t inconvenienced.
Your company may benefit from:
- Application front-end hardware. Scrutinize packets as they enter your system, and manage them based on threat level.
- Application-level key completion indicators. Determine whether large amounts of incoming traffic are legitimate or part of a coordinated attack. Make capacity decisions accordingly.
- DDS. Address protocol attacks and volumetric attacks with a device that identifies problems early and reacts without your input.
- Firewalls. Place a layer of protection between the internet and your server. Filter requests with custom rules, or use a simple rule to block all incoming traffic from an attacker.
- Rate limiting. Define how many times a user can connect your server within a specific timeframe. Some users feel these services are "unfair" to heavy site users. But they can be effective in case of an attack.
Create a task force to examine your options, and ask all of these teammates to stay on standby to help in case of an attack. Strong planning and communications techniques will help you spring into action when a problem appears.
Get help From Okta
At Okta, we specialize in creating strong security tools for companies large and small. Whether you have a network made up of just one server or hundreds, we can help you protect your resources and stay safe from an attack. Find out more.
References
China's Internet Hit by DDoS Attack; Sites Down for Hours. (August 2013). CNET.
DDoS Attack Statistics and Facts for 2018-2020. (November 2020). Comparitech.
What Is a Botnet? When Armies of Infected IoT Devices Attack. (June 2019). CSO.
Distributed Denial of Service Attacks: Four Best Practices for Prevention and Response. (November 2016). Carnegie Mellon University.
Alert (TA13-088A): DNS Application Attacks. (June 2019). Cybersecurity and Infrastructure Security Agency.
What Is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them. (October 2020). ZD Net.
How to Stop DDoS Attacks: 6 Tips for Fighting DDoS Attacks. (June 2018). eSecurity Planet.
Unfair Rate Limiting for DDoS Mitigation Based on Traffic Increasing Patterns. (2012). 2012 IEEE 14th International Conference on Communication Technology.