Distributed denial-of-service (DDoS) attacks: meaning, types, and tools to mitigate
What does a DDoS attack mean?
A distributed denial-of-service attack is a malicious attempt to disrupt normal traffic and make a targeted online service overloaded or even unavailable by overwhelming it or its surrounding infrastructure with a flood of traffic from multiple sources.
DDoS attacks are similar to traffic jams: they overwhelm traffic channels and prevent traffic from easily reaching its destination.
DDoS attacks can compromise either the targeted website/network or all computer systems used and managed by the hacker. Exploited machines can include computers, IoT devices, and other web-enabled resources.
How does a DDoS attack work?
By infecting computer systems (computers, IoT devices, etc.) with malware and spreading malicious software through emails, sites, and social media, an attacker creates a network of infected machines that can be controlled remotely.
The group of infected machines is called a “botnet”. Attackers create botnets to generate huge traffic floods that clog up and overwhelm normal traffic and overload the targeted service. For this purpose, botnets can send the target multiple connection requests or make computers send large volumes of random garbage data.
As the traffic generated by botnets comes from hundreds and thousands of sources, and each bot is a legitimate Internet-enabled device, it’s a real challenge to separate regular user traffic from the damaging traffic.
One should also note that since the number of sources originating attack traffic is very large, simply blocking a single IP address is not an option.
What are the types of DDoS attacks?
Depending on the injected source, DDoS attacks can be divided into:
- Traffic attacks are usually operated by injecting Trojans and malware, flooding the targeted service or network with large volumes of spam.
- Bandwidth attacks overburden the end service/network with terabytes or petabytes of garbage data, resulting in server crashes and in some cases even complete shutdowns.
Different distributed denial-of-service attack vectors target different parts of a network connection, which is composed of various layers, each designed for a certain purpose.
While almost all DDoS attacks involve overwhelming and overloading a targeted service with malicious traffic (garbage data and multiple requests), distributed denial-of-service attacks can be divided into application layer, protocol, and volumetric attacks.
1. Application layer attacks
An application layer attack is a category of DDoS attack in which an attacker targets the application layer. Sometimes called layer 7 DDoS attacks, application layer attacks deplete resources in that layer, leaving the targeted system overwhelmed and exhausted.
In this type of DDoS attack, an attacker targets not only the layer where web pages are generated and delivered in response to HTTP requests but also the network and bandwidth. Application layer attacks include HTTP Flood and Attack on DNS Services.
2. Protocol attacks
Also referred to as state-exhaustion attacks, protocol attacks disrupt service by consuming all the processing capacity of web application servers or intermediate communication equipment like firewalls and load balancers.
Protocol attacks identify and use weaknesses in the 3rd and 4th layers to make the targeted network unavailable. Examples of protocol attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, etc.
3. Volumetric attacks
Volumetric attacks are the type of DDoS attack that uses large amounts of traffic to saturate the bandwidth of the website/web application. Volumetric attacks create congestion by consuming all available bandwidth between the Internet and the targeted service.
In order to make the target unavailable, massive amounts of data are delivered to the end service by using a form of amplification or other ways of creating massive traffic, such as requests from a botnet. Examples of this DDoS attack category include NTP Amplification, DNS Amplification, UDP Flood, and TCP Flood.
How to prevent and mitigate DDoS attacks?
Since DDoS attacks can significantly harm companies (from financial institutions to news websites), making it really difficult to access important information and leading to request losses, mitigation of DDoS attacks becomes a major concern.
When dealing with a distributed denial-of-service attack, the key difficulty is to separate normal traffic from the attack. The more complex and multi-vector the attack is, the more complicated the task. Thus, the attacker’s main objective is to make the mitigation process as challenging as possible.
Another difficulty is that DDoS traffic can come in different forms, from un-spoofed single-source attacks to complex multi-vector DDoS attacks that use various pathways to overload the targeted service.
When using mitigation practices that drop or limit traffic in order to separate regular traffic from the damaging traffic, you should note that a multi-vector adaptive DDoS attack can also adapt to the countermeasures being applied.
In this case, a good option is to use a layered solution. Now, let’s consider the best tools to mitigate a distributed denial-of-service attack. To create the best DDoS attack mitigation strategy, network admins generally use them in various combinations.
What are the best tools to mitigate a DDoS attack?
1. Black Hole Routing
A simple and effective way to mitigate DDoS attacks is Black Hole Routing, which is available to almost all network admins and allows bad traffic to be funneled into a created route. An admin defines restrictions that prevent legitimate normal traffic from being dropped from the network. Also, in some cases, it’s better to throw all traffic into a blackhole.
2. Anycast Network Diffusion
Anycast is a network addressing and routing tool that allows inbound requests to be distributed to multiple locations. After other DDoS mitigation tools filter out some of the attack traffic, this one spreads the remaining attack traffic across various data centers, preventing locations from being overloaded with thousands of requests.
An Anycast network makes it possible to spread the impact of distributed attack traffic to the point where it can be effectively managed. The complexity and efficiency of a mitigation process with Anycast depend on the size of the distributed denial-of-service attack as well as on the size and performance of the entire network.
3. Rate Limiting
Rate limiting is the practice of limiting the number of requests accepted by the server over a certain time. In most cases, rate limiting isn’t used alone for mitigating a distributed denial-of-service attack, as it’s much more effective as a part of the entire strategy.
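The following added example (not part of the original article) implements rate limiting as a per-client token bucket in Python and replays constructed traffic through it: one noisy source is cut from 200 requests to 14, while the same 200 requests spread over 200 sources all pass, which is why rate limiting works best alongside other tools. The class names, the rate of 5 requests per second, the burst of 10, and the IP addresses are assumptions made for the illustration.

```python
from collections import defaultdict


class TokenBucket:
    """Allows `rate` requests/second on average, with bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:  # refill for the time elapsed since the last request
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # over the limit: a server would typically answer HTTP 429


class PerClientLimiter:
    """One bucket per source IP (hypothetical helper for this example)."""

    def __init__(self, rate=5, burst=10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, ip, now):
        return self.buckets[ip].allow(now)


def replay(requests):
    """Replay (timestamp, ip) pairs; return the accepted request count per IP."""
    limiter, accepted = PerClientLimiter(), defaultdict(int)
    for ts, ip in sorted(requests):
        if limiter.allow(ip, ts):
            accepted[ip] += 1
    return dict(accepted)


# Constructed traffic, one second long (documentation IP ranges).
USER = [(t, "192.0.2.10") for t in (0.1, 0.6)]               # regular client
SINGLE = [(i / 200, "203.0.113.7") for i in range(200)]      # one noisy source
SPREAD = [(i / 200, f"198.51.100.{i}") for i in range(200)]  # 200 sources, 1 request each

if __name__ == "__main__":
    one, many = replay(USER + SINGLE), replay(USER + SPREAD)
    print("single source accepted:", one["203.0.113.7"], "of 200")
    print("spread sources accepted:", sum(many.values()) - many["192.0.2.10"], "of 200")
    print("regular client accepted:", one["192.0.2.10"], "and", many["192.0.2.10"], "of 2")
```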
4. Web Application Firewall
For mitigating layer 7 DDoS attacks, you can use a Web Application Firewall (WAF). By putting a WAF between the Internet and the web application (origin server), a network admin can prevent or mitigate layer 7 attacks.
A WAF allows filtering requests and can act as a reverse proxy, protecting a web application from damaging traffic and making clients pass through the WAF before reaching the server.
By monitoring and filtering HTTP traffic, a WAF assists in protecting the targeted service from such attacks as cross-site forgery, cross-site scripting (XSS), file inclusion, and SQL injection.
Since a WAF is a protocol layer 7 defense, it can’t be used for mitigating all kinds of DDoS attacks and is implemented as one important component of the countermeasures.