According to eSecurity Planet's 2019 State of IT Security survey, DDoS remains one of the cyber threats organizations are least prepared for, making this an important battle in the ongoing cyber war.
If you need a DDoS protection solution, see our top 10 DDoS products page.
What is a DDoS attack?
So what is a DDoS attack? It’s when hackers are able to flood an IP address with hundreds or thousands of messages, often through the use of botnets or through a coordinated hacktivist effort, taking the network to the point where legitimate users aren’t able to get through – hence, the denial of service.
DDoS attacks are also profitable while being affordable, leading more people to take advantage of this type of attack. Tim Pat Dufficy, managing director of ServerSpace, told eSecurity Planet: “The barrier to entry of DDoS attacks in terms of cost has largely gone. That means anyone can launch an attack: organized crime, a group of blackmailers, or just a disgruntled ex-employee or a competitor. And anyone can be the victim. One of our customers is a very small company that does training for people in the construction business, yet they came under attack for two weeks.”
While DDoS attacks are a less complicated attack mode than other forms of cyberattack, they are growing stronger and more sophisticated. There are three basic categories of attack:
- volume-based attacks, which use high traffic to inundate the network bandwidth
- protocol attacks, which focus on exploiting server resources
- application attacks, which focus on web applications and are considered the most sophisticated and serious type of attack
Different types of attacks fall into categories based on the traffic quantity and the vulnerabilities being targeted.
Common DDoS attack types
Here is a list of the more popular types of DDoS attacks:
SYN Flood exploits weaknesses in the TCP connection sequence, known as the three-way handshake. The host machine receives a synchronize (SYN) message to begin the "handshake." The server acknowledges the message by sending an acknowledgement (ACK) flag to the initial host, which then closes the connection. In a SYN flood, however, spoofed messages are sent and the connection doesn't close, shutting down service.
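The defender's view of a SYN flood is a backlog of handshakes the server has answered but the client never completed. The following Python is an added illustration, not code from the article: it reads constructed socket-state lines (the "state local:port peer:port" layout and the thresholds are assumptions made for the example) and reports how many sockets are stuck half-open, both per peer and as a share of all sockets.

```python
"""Half-open connection check for SYN flood triage.

Added example, not code from the original article. It reads constructed
socket-state lines in the shape "<state> <local:port> <peer:port>" (the
format is an assumption for the example) and reports how many connections
are stuck in SYN-RECV, i.e. handshakes the server answered but the client
never completed.
"""
from collections import Counter

# Constructed sample: six half-open handshakes and two established sessions.
SAMPLE_SOCKETS = """\
SYN-RECV 10.0.0.5:443 198.51.100.7:40001
SYN-RECV 10.0.0.5:443 198.51.100.7:40002
SYN-RECV 10.0.0.5:443 198.51.100.7:40003
SYN-RECV 10.0.0.5:443 198.51.100.7:40004
SYN-RECV 10.0.0.5:443 198.51.100.8:40005
SYN-RECV 10.0.0.5:443 198.51.100.8:40006
ESTAB    10.0.0.5:443 203.0.113.9:51515
ESTAB    10.0.0.5:443 192.0.2.4:51516
"""

HALF_OPEN = "SYN-RECV"


def parse_socket_lines(text):
    """Return (state, local, peer_ip) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        state, local, peer = parts
        peer_ip = peer.rsplit(":", 1)[0]  # drop the ephemeral port
        rows.append((state, local, peer_ip))
    return rows


def assess_syn_state(rows, ratio_threshold=0.5, per_peer_threshold=3):
    """Summarise half-open connections and flag a likely SYN flood.

    Two signals are reported because a flood with spoofed, ever-changing
    source addresses never trips a per-peer count; the share of sockets
    stuck in SYN-RECV still rises.
    """
    total = len(rows)
    half_open = [peer for state, _, peer in rows if state == HALF_OPEN]
    per_peer = Counter(half_open)
    ratio = len(half_open) / total if total else 0.0
    noisy_peers = sorted(ip for ip, n in per_peer.items() if n >= per_peer_threshold)
    return {
        "total": total,
        "half_open": len(half_open),
        "half_open_ratio": ratio,
        "noisy_peers": noisy_peers,
        "flood_suspected": ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    report = assess_syn_state(parse_socket_lines(SAMPLE_SOCKETS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the spoofed messages in a real flood rarely repeat a source address, the per-peer list is only useful for a single misbehaving client; the half-open ratio is the signal that survives spoofing.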
The User Datagram Protocol (UDP) is a sessionless networking protocol. A UDP flood targets random ports on a computer or network with UDP packets. The host checks for the application listening at those ports, but no application is found.
An HTTP Flood consists of what appear to be legitimate GET or POST requests, sent in bulk by an attacker. It uses less bandwidth than other types of attacks but can force the server to use maximum resources.
Ping of Death
Ping of Death manipulates IP protocols by sending malicious pings to a system. This was a popular type of DDoS two decades ago, but is less effective today.
A Smurf Attack exploits Internet Protocol (IP) and Internet Control Message Protocol (ICMP) using a malware program called smurf. It spoofs an IP address, and using ICMP, it pings IP addresses on a given network.
A Fraggle Attack uses large amounts of UDP traffic to a router’s broadcast network. It’s similar to a smurf attack, using UDP rather than ICMP.
Slowloris allows attackers to use minimal resources during an attack and targets the web server. Once it has connected with its desired target, Slowloris keeps that connection open for as long as possible with HTTP flooding. This type of attack has been used in some high-profile hacktivist DDoSing, including the 2009 Iranian presidential election. DDoS mitigation with this type of attack is very difficult.
Application Level Attacks
Application Level Attacks exploit vulnerabilities in applications. The goal of this type of attack is not to go after the entire server, but applications with known weaknesses.
NTP Amplification exploits servers running the Network Time Protocol (NTP), a long-standing protocol used to synchronize computer clocks, in order to overwhelm a target with UDP traffic. This is an amplified reflection attack. In any reflection attack, the server's response is sent to a spoofed IP address. In an amplified version, the response from the server is disproportionate to the original request. Because of the high bandwidth involved, this type of attack can be devastating and high volume.
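The "disproportionate response" that defines amplification can be measured directly by an NTP server operator who compares bytes sent back against bytes received per client address. The following Python is an added example, not code from the article: the flow records are constructed, their CSV layout is an assumption for the example, and the factor threshold is an arbitrary choice.

```python
"""Amplification-factor check for reflection abuse at an NTP server.

Added example, not code from the original article. The flow records are
constructed and their CSV layout (ts,src_ip,src_port,dst_ip,dst_port,proto,
bytes) is an assumption for the example. Requests are UDP flows to port 123
and responses are UDP flows from port 123; the amplification factor is
response bytes divided by request bytes per client address, which is the
"disproportionate response" the text describes.
"""
import csv
import io
from collections import defaultdict

NTP_PORT = 123

# Constructed sample: 203.0.113.10 is a spoofed victim address receiving
# responses eighty times larger than the requests; 192.0.2.5 is a normal client.
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
1,203.0.113.10,50001,198.51.100.1,123,udp,60
1,198.51.100.1,123,203.0.113.10,50001,udp,4800
2,203.0.113.10,50002,198.51.100.1,123,udp,60
2,198.51.100.1,123,203.0.113.10,50002,udp,4800
3,192.0.2.5,40000,198.51.100.1,123,udp,76
3,198.51.100.1,123,192.0.2.5,40000,udp,76
"""


def parse_flows(text):
    """Parse the constructed CSV into dicts with numeric ports and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def amplification_by_client(flows, port=NTP_PORT):
    """Map client IP -> (request_bytes, response_bytes, factor)."""
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst_port"] == port:          # client -> server request
            req[f["src_ip"]] += f["bytes"]
        elif f["src_port"] == port:        # server -> client response
            resp[f["dst_ip"]] += f["bytes"]
    result = {}
    for ip in set(req) | set(resp):
        r, s = req[ip], resp[ip]
        # A response with no request seen is unbounded amplification.
        factor = s / r if r else float("inf")
        result[ip] = (r, s, factor)
    return result


def reflection_suspects(flows, factor_threshold=10.0):
    """Client addresses whose responses are at least factor_threshold times the requests."""
    stats = amplification_by_client(flows)
    return sorted(ip for ip, (_, _, factor) in stats.items() if factor >= factor_threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, (r, s, factor) in amplification_by_client(flows).items():
        print(f"{ip}: {r} bytes in, {s} bytes out, factor {factor:.1f}")
    print("suspects:", reflection_suspects(flows))
```

The flagged "client" is the spoofed victim, not the attacker, so the operator-side response is to stop answering such queries at full size rather than to block the address. At the victim's edge the request side is never seen; the indicator there is many distinct sources all sending large UDP packets from port 123.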
Advanced Persistent DoS (APDoS)
Advanced Persistent DoS (APDoS) is an attack type used by hackers who want to cause serious damage. It uses a variety of the styles of attack mentioned earlier (HTTP flooding, SYN flooding, etc.) and regularly combines multiple attack vectors, sending out millions of requests per second. APDoS attacks can last for weeks, largely due to the ability of the hacker to switch tactics at any moment and to create diversions to elude security defenses.
Zero-day DDoS Attacks
A zero-day DDoS attack is a new DDoS attack method that exploits vulnerabilities that have not yet been patched.
DDoS attack examples
- In fall 2016, the Mirai malware infected Internet of Things (IoT) devices, turning them into a botnet that launched DDoS attacks against security expert Brian Krebs, DNS solution provider Dyn, and the internet access of Liberia.
- In March 2013, CloudFlare, host for spam fighting SpamHaus.org, suffered what was then the largest DDoS attack in history, but it was mitigated quickly enough that it never took SpamHaus.org offline.
- HSBC's UK Internet banking services were unavailable for several hours in January 2016. It happened on what was payday for many of HSBC's customers. The attack was mitigated quickly and the outage did not result in any compromise of customer records.
- The Dyre Wolf malware campaign used a combination of malware and DDoS attacks to go after bank accounts. The malware was delivered through the use of sophisticated social engineering tactics. The DDoS attack was used to cause a distraction so the wire transfer of stolen funds would go unnoticed until it was too late.
How can you stop a DDoS attack?
There are several steps you can take to stop a DDoS attack:
- identify the attack early
- have more bandwidth than you normally need
- defend at the network perimeter
- contact your ISP or hosting provider
- call a DDoS mitigation specialist
- create a DDoS response plan
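One concrete form of defending at the perimeter is a per-source rate limit. The following Python is an added example, not code from the article: it runs a token-bucket limiter over a constructed request stream (the timestamps, addresses, bucket capacity and refill rate are all assumptions for the example) and shows which requests a floodier source loses while a normal client is untouched.

```python
"""Per-source token-bucket limiter as a perimeter defense.

Added example, not code from the original article. Requests are constructed
(millisecond timestamp, source IP) pairs; bucket capacity and refill rate are
assumptions chosen for the example. Arithmetic is done in integer
"millitokens" so the results are exact.
"""
from collections import defaultdict

MILLI = 1000


class TokenBucket:
    """Capacity and refill are whole tokens; state is kept in millitokens."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity_mt = capacity * MILLI
        self.refill_mt_per_ms = refill_per_sec  # tokens/s == millitokens/ms
        self.tokens_mt = self.capacity_mt
        self.last_ms = None

    def allow(self, now_ms):
        """Refill for elapsed time, then spend one token if available."""
        if self.last_ms is not None:
            gained = (now_ms - self.last_ms) * self.refill_mt_per_ms
            self.tokens_mt = min(self.capacity_mt, self.tokens_mt + gained)
        self.last_ms = now_ms
        if self.tokens_mt >= MILLI:
            self.tokens_mt -= MILLI
            return True
        return False


def filter_requests(requests, capacity=5, refill_per_sec=2):
    """Return {ip: {"allowed": n, "dropped": m}} for a list of (ts_ms, ip)."""
    buckets = {}
    summary = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts_ms, ip in sorted(requests):
        bucket = buckets.setdefault(ip, TokenBucket(capacity, refill_per_sec))
        outcome = "allowed" if bucket.allow(ts_ms) else "dropped"
        summary[ip][outcome] += 1
    return dict(summary)


# Constructed traffic: one source sends ten requests per second for two
# seconds; a normal client sends three requests over the same window.
FLOOD_SOURCE = "198.51.100.7"
NORMAL_CLIENT = "203.0.113.9"
SAMPLE_REQUESTS = [(i * 100, FLOOD_SOURCE) for i in range(20)] + [
    (0, NORMAL_CLIENT), (700, NORMAL_CLIENT), (1500, NORMAL_CLIENT)]


if __name__ == "__main__":
    for ip, counts in filter_requests(SAMPLE_REQUESTS).items():
        print(f"{ip}: {counts['allowed']} allowed, {counts['dropped']} dropped")
```

With a burst of five and two tokens per second, the flooding source gets its first five requests through, then one every half second, while the normal client never loses a request. The limit only holds a single noisy source; a distributed flood whose thousands of sources each stay under the threshold passes straight through, which is why the remaining steps (more bandwidth, the ISP, a mitigation specialist) are on the list.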