In today's connected world, we all depend on our connection to the Internet, whether through an Ethernet cable or a wireless WiFi connection to the cloud. Unfortunately, but not surprisingly, hackers and other cyber-criminals have discovered several methods to exploit our dependence on an Internet connection for a variety of illegal and sometimes even nefarious goals. Internet users, in turn, have been given ways to fight back, often by protecting their equipment and software with complex passwords and by purchasing or hiring online protection services. As DDoS protection countermeasures have evolved to keep up with newer software, so have the tactics used to infiltrate users' software and Internet connections.
What is DDoS?
One of the newer methods of cyber-infiltration and hacking is DDoS, which stands for Distributed Denial of Service. It is essentially an upgrade of a basic Denial of Service attack. To get an idea of what such an attack is like, imagine having a conversation at lunch with a close friend. Then, without warning, a third person joins in and begins talking to your friend at such a volume and/or speed that you are unable to get a word in anymore. This uninvited third person has effectively hijacked your conversation and taken away any control you had in it. This is what a denial of service cyber attack consists of: an uninvited entity swoops in and remotely floods a user's computer, system, or network with unwanted requests at such a rate that the equipment under attack is frozen and rendered useless.
Returning to the previous example, imagine if, instead of a third person out-talking you, an entire crowd of people suddenly began talking to your friend, almost like a "flash mob". This is the situation with distributed denial of service attacks. While a denial of service attack usually uses one "zombie" computer to initiate the flood of requests, distributed denial of service attacks employ dozens or even hundreds of such computers to accomplish this task.
Types of DDoS Attacks
There are several types of DDoS attacks, which can be placed into three basic categories:
- Volume-based, which use high traffic to overwhelm a network's bandwidth.
- Protocol-based, which exploit the server itself.
- Application-based, which use or focus on web applications to carry out the attack.
SYN Flood DDoS Attack
SYN Flood attacks abuse what is called the TCP "three-way handshake" to tie up a machine. Normally, the server receives a synchronize (SYN) message from a client to initiate the handshake, replies with a synchronize-acknowledge (SYN-ACK) message, and the client then sends an acknowledgment (ACK) message which completes the handshake. A SYN Flood, however, continuously sends a barrage of SYN messages from spoofed source addresses, at a rate faster than the server can finish or time out the handshakes. The final ACK never arrives, so the half-open connections pile up until the server can no longer accept legitimate ones and service shuts down. The SYN Flood ranks high as one of the most common DDoS attacks used by hackers.
UDP Flood DDoS Attack
UDP (User Datagram Protocol) is the connectionless network protocol that applications use to exchange data with a remote device without first setting up a connection. UDP Flood attacks exploit this capability by sending large numbers of UDP packets to random ports on the target machine. For each packet, the host must check whether an application is listening on that port and, when none is, typically answers with an ICMP "destination unreachable" message, so the sheer volume of checks and replies exhausts its resources.
HTTP Flood DDoS Attack
HTTP Flood attacks disguise themselves as legitimate GET or POST requests and force the server to use its maximum resources due to the sheer volume of these requests being sent.
Smurf and Fraggle DDoS Attack
Smurf and Fraggle attacks may sound harmless, but they're nowhere near as friendly as the 80's cartoon characters they're named for. Smurf attacks send ICMP ping (echo) requests to a network's broadcast address with a spoofed source address, making it seem as though the target computer is asking for a response from all other computers in that network. When each of those computers sends its response to the target, the server is overwhelmed by the traffic and either freezes or crashes. Fraggle attacks use the same methodology, but with UDP instead of ICMP.
Zero Day DDoS Attack
The latest and possibly most devastating denial of service attacks to date, zero-day attacks take advantage of previously unknown device vulnerabilities that have not yet been patched. Typically, users are not aware of these vulnerabilities until the attack takes place; therefore, they literally have zero days to mount a defense, hence the name.
In recent years, several businesses, large and small, have been victimized by DDoS attacks. Analysts have noted that these kinds of infiltrations have increased in frequency as well as in the variety of machines they can affect. Computers, servers, and even Internet of Things devices have all played host to DDoS. Prevention is highly difficult given the adaptability of DDoS attacks, but not impossible.
Early DDoS detection is one way to minimize the effects of a DDoS attack and reduce the likelihood of a similar attack occurring. The best way to accomplish this is for a user to become familiar with their traffic profile in its normal state. This baseline makes it possible to detect unwarranted changes in that profile sooner.
Having overprovisioned bandwidth available to a network provides a cushion of sorts to handle the unexpected spikes in traffic indicative of a DDoS attack. In this situation, the user gains the time needed to take defensive measures. Adding router rate limits, packet filters, and aggressive timeouts for open connections, lowering SYN, ICMP, and UDP flood drop thresholds, and dropping spoofed packets would also help buffer the outright effects of DDoS attacks, giving the user time to implement stronger mitigation measures.
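The baseline approach described above, together with the half-open connections that characterise the SYN Flood discussed earlier, can be turned into a simple detector. The following is an added example, not code from the original article: it assumes one connection event per line in the form "<second> <src_ip> <flag>" as observed at the protected server, and runs over constructed sample lines (documentation address ranges, not real hosts).

```python
"""Baseline SYN-rate and half-open-connection detector (added example).

Input is assumed to be one event per line, "<second> <src_ip> <flag>", with
flag SYN or ACK as seen at the protected server. All lines are constructed.
"""
from collections import Counter
import statistics

# Constructed normal traffic: 10 s with a handful of completed handshakes each.
NORMAL, _n = [], 0
for sec, count in enumerate([2, 3, 4, 3, 2, 3, 4, 3, 2, 3]):
    for _ in range(count):
        ip, _n = f"198.51.100.{_n}", _n + 1
        NORMAL += [f"{sec} {ip} SYN", f"{sec} {ip} ACK"]  # SYN, then completing ACK

# Constructed flood: 3 s of SYNs from 120 spoofed sources that never send an ACK.
FLOOD = [f"{sec} 203.0.113.{(sec - 10) * 40 + i} SYN"
         for sec in range(10, 13) for i in range(40)]
EVENTS = NORMAL + FLOOD


def parse(lines):
    """Split each line into (second, src_ip, flag)."""
    return [(int(s), ip, flag) for s, ip, flag in (l.split() for l in lines)]


def syn_rate_per_second(events):
    """SYNs observed per second: the traffic profile a baseline is built from."""
    return dict(Counter(sec for sec, _, flag in events if flag == "SYN"))


def half_open(events):
    """Sources that sent a SYN but never completed the handshake with an ACK."""
    synners = {ip for _, ip, flag in events if flag == "SYN"}
    completed = {ip for _, ip, flag in events if flag == "ACK"}
    return synners - completed


def detect_spikes(rates, baseline_seconds, k=3.0, floor=1.0):
    """Learn mean/stdev of SYN/s over the first baseline_seconds, then flag later
    seconds above mean + k*stdev. `floor` keeps a flat baseline (stdev near 0)
    from turning every small fluctuation into an alert."""
    base = [rates.get(sec, 0) for sec in range(baseline_seconds)]
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), floor)
    return {sec: r for sec, r in sorted(rates.items())
            if sec >= baseline_seconds and r > threshold}


if __name__ == "__main__":
    ev = parse(EVENTS)
    print("SYN/s spikes:", detect_spikes(syn_rate_per_second(ev), 10))
    print("half-open sources:", len(half_open(ev)))
```

In practice the baseline window would be hours or days of real traffic rather than ten seconds, and the per-second rate would feed the router rate limits and SYN drop thresholds mentioned above.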
As current DDoS attacks tend to be too powerful for a lay user to handle, a mitigation specialist should be contacted during this buffering time or as soon after it as possible. The same goes for contacting the user's ISP or hosting provider. If they are made aware of the issue and have not been affected by it themselves, ISPs and hosting providers can null route the user's traffic, resulting in potentially spoofed packets being dropped before they reach the target server.