DDoS attacks

A Distributed Denial of Service (DDoS) attack is one in which the cyber-criminal uses many unique IP addresses to flood the target with incoming traffic.

The first Denial of Service attack was demonstrated in 1997 during a DEF Con event in Las Vegas, disrupting internet access to the Las Vegas strip for over an hour. The following year major corporations began to suffer this type of attack for real.

Put simply, denial of service attacks are executed to prevent a service being accessed. For example, this may be a website, server infrastructure or an application.

These types of attacks can be lengthy, causing major disruption to services: in Q1 2017 the longest DDoS attack lasted 120 hours, and in Q4 2016 an attack continued for 292 hours.

A successful DDoS attack can have serious consequences for organisations that rely on their online presence, leading to loss of revenue, erosion of customer confidence and reputational damage.

How do DDoS attacks work?

A distributed denial of service attack comes from a high number of internet-connected devices, each sending multiple requests to a server or website. The resulting volume of traffic overloads the target, causing it to shut down or malfunction.

DDoS attacks vary widely, and hundreds of distinct types have been recorded, but broadly they fall into three main categories, depending on the part of the network infrastructure that is targeted:

  • Volumetric attacks

A volumetric attack sends a very high amount of traffic to a targeted network, until the network can no longer process it and crashes.

These kinds of attacks usually originate from a number of malware-infected, internet-connected devices under the control of the cybercriminal, with the sole aim of sending traffic and connection requests to the targeted online network resource.

This network of infected and remotely controlled computers is known as a botnet (its members are "bots").

Botnets can consist of literally hundreds of thousands of compromised IoT devices such as IP security cameras and DVRs that have poor security protocols and are vulnerable to malware infection.

  • TCP State-Exhaustion Attacks

This attack specifically focuses on web servers, firewalls and load balancers (devices whose primary purpose is to ensure that servers are not overloaded with requests); the aim is to disturb the connection and disengage any device connected to the targeted server.

  • Application Layer Attacks

Also known as a layer 7 attack, this type of threat will overload a server with resource intensive processing requests.

Application layer attacks are the hardest to identify because, in comparison to a volumetric attack, they generate low-volume traffic which may look legitimate to perimeter defence solutions such as a firewall.

Very sophisticated attacks can also combine the three categories above.

Attacker motivation

With so many different types of potential threats, why would an attacker choose a DDoS attack as the “weapon of choice”?

State-sponsored DDoS attacks are used to silence dissidents and disrupt critical infrastructure in other nation states. Cyber criminals use DDoS attacks as a means of extortion, demanding money in exchange for not disrupting a target's website or operational capability.

Hacktivists can criticise and vilify governments, businesses and individuals whilst cyber vandals are able simply to cause havoc just for “fun”.

DDoS attacks have even been used by businesses to disrupt competitors’ activities and online gamers have been known to use these types of attacks to settle personal scores or gain a competitive edge.

How can you protect your business?

DDoS attacks can be hard to prevent, but the following security practices and measures could allow you more time to spot and mitigate them.

  • Be vigilant – persistent, slow network performance for staff and unavailability of your website or other resources for your customers can be an indication that a DDoS attack is in play.
  • Understand your typical inbound traffic profile, making it easier to identify the sharp spikes in traffic that often herald a DDoS attack.
  • Utilise the latest firewall technology, enabling deep inspection up to the application layer, and implement policies to detect and prevent DDoS attacks.
  • Keep your firewall and other defence solutions patched.
  • Allow more bandwidth than your webserver would normally need; this will allow you to accommodate any sudden and unexpected surges in traffic.
  • Create a DDoS incident response plan, so that you can quickly mitigate any attack.
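The second and first points above (know your normal traffic profile, then watch for sharp spikes) can be turned into a simple detector. The following Python is an added example and not code from the original article: it learns a requests-per-second baseline from a constructed access log in a hypothetical "<ISO timestamp> <client IP> <method> <path> <status>" format, flags seconds whose rate is far above that baseline, and for each flagged second reports how many distinct client addresses contributed, which is what separates a distributed flood from a single misbehaving client. The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
"""Baseline-and-spike detector over access-log lines (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timezone
import statistics

# Hypothetical log format assumed for this example:
#   "<ISO-8601 timestamp> <client IP> <method> <path> <status>"


def build_sample_log():
    """Constructed sample traffic: 60 s of normal load, then a 10 s surge from many sources."""
    lines = []
    for sec in range(60):                       # normal: 2 req/s from five known addresses
        for k in range(2):
            ip = f"192.0.2.{(sec + k) % 5 + 1}"  # RFC 5737 documentation range
            lines.append(f"2024-01-01T00:00:{sec:02d}Z {ip} GET /index.html 200")
    for sec in range(10):                       # surge: 40 req/s, each from a distinct address
        for k in range(40):
            ip = f"198.51.100.{k + 1}"
            lines.append(f"2024-01-01T00:01:{sec:02d}Z {ip} GET /search?q=x 200")
    return lines


def parse_line(line):
    """Return (epoch_second, client_ip) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    return int(ts.timestamp()), parts[1]


def per_second_buckets(lines):
    """Group requests by second: epoch_second -> {client_ip: request_count}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            sec, ip = parsed
            buckets[sec][ip] += 1
    return buckets


def baseline(buckets, baseline_seconds):
    """Mean and population stdev of requests/second over the first baseline_seconds."""
    ordered = sorted(buckets)[:baseline_seconds]
    rates = [sum(buckets[sec].values()) for sec in ordered]
    return statistics.mean(rates), statistics.pstdev(rates)


def detect_spikes(lines, baseline_seconds=60, sigma=3.0, min_factor=3.0):
    """Flag seconds whose request rate exceeds the learned baseline.

    A second is flagged when its rate exceeds both mean + sigma*stdev and
    min_factor*mean (the floor stops a perfectly flat baseline from alerting
    on tiny changes). Each alert records the number of distinct sources and
    the share of the busiest one, so a distributed flood (many sources, each
    a small share) stands out from one noisy client.
    """
    buckets = per_second_buckets(lines)
    mean, stdev = baseline(buckets, baseline_seconds)
    threshold = max(mean + sigma * stdev, min_factor * mean)
    alerts = []
    for sec in sorted(buckets)[baseline_seconds:]:
        count = sum(buckets[sec].values())
        if count > threshold:
            ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            top_count = max(buckets[sec].values())
            alerts.append({
                "timestamp": ts,
                "requests": count,
                "threshold": threshold,
                "unique_sources": len(buckets[sec]),
                "top_source_share": top_count / count,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(build_sample_log()):
        print(alert)
```

Running it prints ten alerts, one per surge second, each showing 40 requests from 40 distinct sources with the busiest source at 2.5% of the load. In production the baseline would be learned over a rolling window (and ideally per path or per upstream), and the per-second buckets would feed a dashboard or alerting pipeline rather than a print loop; the structure of the check is the same.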