Distributed Denial of Service (DDoS) Attack
A DDoS attack is not like other cyber attacks; this type of attack does not infect computers with malware or steal information. A DDoS attack makes a computer or network service unavailable by overloading it with a tidal wave of traffic that is too much to handle. A DDoS attack can be launched by almost anyone, even by people with low tech skills or by renting huge botnet armies through DDoS-as-a-Service (DaaS) for as little as $50 USD.
Because of this, businesses and organizations need to have a thorough understanding of how common but dangerous cyber attacks happen, as well as how to protect themselves against them. You can read more about the most common cyber attacks here, but for now let’s start with DDoS attacks:
What is a DDoS attack, and how does it work?
A distributed denial of service attack, also known as a DDoS attack, is a cyber attack where the cybercriminal floods a server or network with so much traffic that it cannot properly handle all the requests. This results in unusably slow response or loading times for legitimate users or, in worst-case scenarios, brings the server down completely.
DDoS attacks vary in scale. Smaller attacks generate less than 5 Gbps of traffic, while large attacks can send hundreds of Gbps. However, the scale of an attack must be judged relative to the capacity of the server being targeted. Many websites of smaller or medium-sized businesses do not need heavy traffic loads to be completely overrun, while larger websites will require significantly more traffic. Many businesses are also targeted by multiple DDoS attacks in succession, originating from the same cybercriminal over a period of time.
What is the difference between a DDoS attack and a DoS attack?
Denial of Service, or DoS, attacks are when only one computer sends out enormous amounts of malicious traffic to attack a server. A distributed attack leverages hundreds, thousands or even millions of computers around the world to send traffic on a much larger scale - even without the knowledge of the owners of those computers. Think of it as one cannon firing versus one hundred cannons firing at the same time.
What are the motivations behind DDoS attacks?
DDoS attacks are launched for a wide variety of reasons, all malicious in intent. Motivations behind a DDoS attack may be:
- Political: If, for example, an individual or group wanted to somehow change the political scene to an opponent's detriment or their favored groups' benefit, they may resort to DDoS attacks.
- Hacktivism: Hacktivism is a form of protest done to make a statement. It is a merger of the words “hacking” and “activism.”
- Emotional drivers: Many DDoS attacks are motivated from an emotional standpoint and acted out of revenge, boredom, or hatred.
- Religious: Some DDoS attacks are religiously motivated.
- Terrorism: Some DDoS attacks, especially those against governmental organizations, are considered acts of terrorism.
- Financial: Making ecommerce servers unavailable prevents a business from making money, which could put it out of business. Cybercriminals may also demand that a ransom be paid to stop the attacks.
- And many other reasons…
The most concerning thing about DDoS attacks is that such a wide range of motivations means almost any business or organization can be the target of a DDoS attack.
Who gets targeted by DDoS attacks?
As mentioned, any business or organization, large or small, may become a victim of a DDoS attack. However, certain industries are at significantly higher risk than others. Notably, the gaming and gambling industries are targeted significantly more than business and finance sites. These industries are extremely popular, have high-value content, and are extremely reliant on low latency responses for their users. DDoS attacks, even if not strong enough to completely bring down the server, will cause havoc for online games and gambling services where even a few seconds of latency (or delay) can severely damage the usability of the game or site, and thus the reputation of the host.
Many of the attacks in these industries are also born from emotional sources like anger leading to revenge and protest against a game developer.
How does a DDoS attack work?
DDoS attacks can be broken down into three major phases:
Phase #1: Finding computers to form the botnet
The first stage of any DDoS attack is creating the botnet. A botnet is a collection of computers that will execute the DDoS attack and bring down or hamper the victim server. To do this, hackers will use malware to scan the internet for computers or IoT devices and infect them to gain control. Using a botnet has another benefit for the hacker: by distributing the attack out to other machines, it helps hide their own IP and identity.
Phase #2: Loading the infected computers with commands ready to carry out the attack
The second phase of a DDoS attack is loading these botnet computers with the commands necessary to execute the attack. All the individual machines infected are commonly referred to as zombie computers, agents, bots, or simply victim computers. These zombie computers are legitimate devices used by people who are simply unaware that their device is being leveraged by an attacker for a DDoS attack.
Phase #3: Using the botnet to execute the attack
In the last phase, the hacker executes the command across the botnet telling all the zombie computers to send traffic requests to the target website. The botnet sends abnormally high amounts of traffic which crash or severely slow down the victim server.
The hacker may also spoof source IP addresses or otherwise hide the true origin of the traffic, making it far more difficult for the targeted website to find and block the source of the attacks and get the website back up and running. On top of this, since the malicious traffic is coming from legitimate devices, it becomes extremely difficult for the website host to differentiate the attacking traffic from legitimate requests and block it.
Different types of DDoS attacks
There are several types of DDoS attacks. When a victim is finally able to defend against a DDoS attack, the hacker may try an alternate DDoS method using the same botnet. Different DDoS attacks target different layers of the OSI model in the victim's network. Some of the most common DDoS attacks include:
- Application layer attacks: These are at the very top of the OSI model, where visitors interact with the website itself. One example would be HTTP flooding. HTTP flooding is sending so many HTTP requests that they completely overwhelm the server. Imagine the entire botnet trying to load the website all at once - the server simply cannot handle such a load. Unlike the other attack types discussed, application layer attacks have significantly less volume because of the TCP connection handshake required to create a connection.
- Protocol attacks: Unlike application layer attacks, protocol attacks target weaknesses in the network and transport layers of the OSI model – layers 3 and 4 respectively. Protocol attacks such as SYN floods allow the hacker to open a huge number of connections with the server. This is done continually without completing the previous connections, leaving the server overwhelmed and unable to accept any new connection requests.
- Volumetric attacks: Volumetric attacks send continuous tidal waves of traffic. One type of volumetric attack is DNS amplification. The attacker sends huge numbers of small DNS requests spoofed to appear to come from the victim server, whereupon the DNS servers flood the victim with large DNS responses, amplifying the request traffic by, for example, 100-fold.
- Multi-vector attacks: Some DDoS attacks target the victim server using more than one method at once. These attacks are difficult to stop, as it takes longer to determine the source of the traffic and the protocols being used.
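To make the application-layer case concrete from the defender's side, here is an added example (not from the original article or from Sangfor) that runs two simple HTTP-flood checks over constructed access-log lines in the common Apache/Nginx combined format: a per-source threshold that catches one noisy client, and an aggregate request-rate check against an assumed baseline that catches a distributed flood in which every bot stays under the per-client limit. The sample IP addresses, the 10-second tumbling window, the baseline and the thresholds are assumptions chosen for the demonstration.

```python
"""Added example: two HTTP-flood indicators over constructed access-log lines.

The log lines below are constructed, not real traffic, and follow the
Apache/Nginx "combined" format. The window size and thresholds are
assumptions chosen for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined-format prefix: client ip, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def detect_floods(lines, window_seconds=10, max_per_ip=50,
                  baseline_rps=5.0, aggregate_factor=5.0):
    """Bucket requests into tumbling windows and report two indicators per window:

    noisy_sources   - clients sending more than max_per_ip requests in the window
    aggregate_flood - total request rate above aggregate_factor * baseline_rps,
                      which is what exposes a distributed flood whose individual
                      bots each stay below the per-client threshold
    """
    per_window = defaultdict(Counter)  # window start (epoch s) -> Counter(ip -> requests)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        start = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        per_window[start][rec["ip"]] += 1

    report = []
    for start in sorted(per_window):
        counts = per_window[start]
        total = sum(counts.values())
        report.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "total_requests": total,
            "distinct_sources": len(counts),
            "noisy_sources": {ip: n for ip, n in counts.items() if n > max_per_ip},
            "aggregate_flood": total / window_seconds > baseline_rps * aggregate_factor,
        })
    return report


def _line(ip, second, path="/"):
    """Build one constructed log line inside the minute 13:55 of 10 Oct 2023."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed 10-second slice: one legitimate visitor (3 requests), one noisy
# client (60 requests) and 40 bots that each send 20 requests, i.e. under the
# per-client limit, yet together produce 800 requests.
SAMPLE_LOG = (
    [_line("192.0.2.10", 30 + i, "/index.html") for i in range(3)]
    + [_line("10.0.0.5", 30 + i % 10, "/search?q=x") for i in range(60)]
    + [_line(f"198.51.100.{bot}", 30 + i % 10) for bot in range(1, 41) for i in range(20)]
)

if __name__ == "__main__":
    for window in detect_floods(SAMPLE_LOG):
        print(window)
```

The point of running both checks is that a per-client threshold alone never fires on the 40 bots, since each one sends only 20 requests; only the comparison of the aggregate rate (and the unusual number of distinct sources) against a known baseline reveals the distributed flood. In practice the baseline would come from the site's own historical traffic rather than a constant.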
DDoS Protection: How can businesses protect themselves from distributed denial of service (DDoS) attacks?
To protect themselves and their web servers from DDoS attacks, businesses need to look for security solutions from a reputable cyber security vendor like Sangfor. This is because of the nature of DDoS attacks; by targeting different weaknesses, no single solution can completely protect against DDoS attacks. At Sangfor, we offer businesses the capability to withstand and defend against DDoS attacks with minimal disruption to service. Some of the solutions that protect against DDoS attacks include:
- Blackhole routing: This directs all site traffic to a null route (a non-existent destination) in the event of a DDoS attack. While it will help protect the server from a period of downtime, legitimate traffic will also be guided into this “blackhole” and not be able to access the site.
- Rate limiting: A security device is used to control the number of web requests or the amount of network traffic allowed through, blunting a DDoS attack. However, this will also limit legitimate users trying to access the site.
- A Next-generation firewall: A next-generation firewall like Sangfor Network Secure is instrumental in detecting and defending against DDoS attacks. It offers both inbound and outbound (in the event your systems are part of a botnet) attack protection. You can learn more about how Sangfor NGAF protects against DDoS attacks by watching this video.
- Botnet detection: Sangfor Botnet Detection helps you scan for botnets in your network through deep learning, visual display of traffic, and flow analysis. Using this advanced technology to detect botnets, Sangfor can help its customers defend against DDoS attacks.
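The trade-off described under rate limiting is easiest to see by simulating it. The following is an added example, not code from the original article or from Sangfor: a per-client token-bucket rate limiter, run over constructed traffic from a steady visitor, a legitimate but bursty visitor and a flooding client. The rate, burst size and client addresses are assumptions chosen for the demonstration, and the bucket arithmetic uses integer milliseconds and milli-tokens so that the outcome is exact.

```python
"""Added example: a per-client token-bucket rate limiter and a simulation that
shows both the protection it gives and the cost to legitimate users.

Time is integer milliseconds and the bucket holds "milli-tokens" so that the
arithmetic is exact. Rate, burst size and the client addresses are assumptions
chosen for the demonstration; the traffic is constructed, not captured.
"""
from collections import defaultdict


class TokenBucketLimiter:
    """Each client gets its own bucket of `burst` tokens, refilled at
    `rate_per_sec` tokens per second; a request is allowed only if a whole
    token is available."""

    def __init__(self, rate_per_sec, burst):
        self.rate_mt_per_ms = rate_per_sec   # 1 token/s is exactly 1 milli-token/ms
        self.burst_mt = burst * 1000
        self._state = {}                     # client -> (milli-tokens, last_seen_ms)

    def allow(self, client, now_ms):
        mtokens, last_ms = self._state.get(client, (self.burst_mt, now_ms))
        mtokens = min(self.burst_mt, mtokens + (now_ms - last_ms) * self.rate_mt_per_ms)
        if mtokens >= 1000:
            self._state[client] = (mtokens - 1000, now_ms)
            return True
        self._state[client] = (mtokens, now_ms)   # time advances even when refused
        return False


def simulate(limiter, events):
    """events: iterable of (time_ms, client). Returns per-client allowed/dropped counts."""
    totals = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t_ms, client in sorted(events):
        totals[client]["allowed" if limiter.allow(client, t_ms) else "dropped"] += 1
    return dict(totals)


# Constructed traffic:
#  - 192.0.2.10   steady visitor, one request per second for ten seconds
#  - 192.0.2.20   legitimate but bursty visitor, 30 requests within 300 ms
#  - 198.51.100.7 flooding client, 500 requests within one second
SAMPLE_EVENTS = (
    [(i * 1000, "192.0.2.10") for i in range(10)]
    + [(2000 + i * 10, "192.0.2.20") for i in range(30)]
    + [(5000 + i * 2, "198.51.100.7") for i in range(500)]
)


def run_demo(rate_per_sec=5, burst=20):
    """Run the constructed traffic through a fresh limiter and return the counts."""
    return simulate(TokenBucketLimiter(rate_per_sec, burst), SAMPLE_EVENTS)


if __name__ == "__main__":
    for client, counts in run_demo().items():
        print(client, counts)
```

With a rate of 5 requests per second and a burst of 20, the flooding client gets only 24 of its 500 requests through, but the bursty legitimate visitor also loses 9 of 30, which is exactly the cost the list item above warns about. Choosing the burst size is therefore a balance between absorbing normal bursts and holding the line against a flood, and a per-client limiter still does nothing against a distributed attack where each bot stays under the limit, which is why it is paired with the other measures listed here.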
Learn more with Sangfor
To learn more about distributed denial of service (DDoS) attacks and how to protect your business or organization from them, don’t hesitate to get in touch with a specialist from Sangfor.