DDoS (Distributed Denial of Service) attacks are a common danger for businesses in the digital age, but how do they work?
A DDoS attack is an attack designed to make an internet service unavailable to its legitimate users, rendering the targeted platform, website or tool unusable. Attackers achieve this by exhausting a resource the service depends on (bandwidth, connection state, CPU or memory), causing a temporary interruption or outright suspension of the hosting server's services, with wide-ranging impacts.
DDoS attacks are typically launched from many devices the attackers have compromised, often spread across the globe and controlled together as a "botnet". This differs from a plain denial of service (DoS) attack, which relies on a single internet-connected device to flood the target website or network with traffic. DDoS attacks fall into three broad categories:
Application layer attacks
These attacks aim to exhaust a victim's web server or application with requests that look legitimate and harmless on their own. They include HTTP GET/POST floods, "low and slow" attacks and other forms of disruption, and their size is measured in requests per second rather than in bandwidth.
Volume-based attacks
With a volume-based attack, the aim is simply to saturate the target's bandwidth, for example with ICMP (ping) floods, UDP floods or amplified reflection traffic. These attacks are measured in bits per second.
Protocol attacks
A protocol attack exhausts state tables and processing capacity in servers, firewalls and load balancers through SYN floods, fragmented packets, Smurf attacks and similar techniques. These attacks are measured in packets per second.
DDoS types which commonly target businesses
Below, we explore some of the types of DDoS attacks that pose a risk to companies in different sectors.
ICMP (or Ping) flood
An ICMP (or ping) flood overwhelms a targeted resource with ICMP Echo Request packets. The attacker sends as many of these as it can, as fast as it can, typically from spoofed source addresses, and never waits for a reply.
Because the target answers each request with an ICMP Echo Reply, the flood consumes both its incoming and outgoing bandwidth, which can slow the whole system down significantly.
UDP (User Datagram Protocol) flood
A UDP flood sends a large number of UDP packets to random ports on the remote host.
For every packet the host has to check whether an application is listening on that port; when none is, it replies with an ICMP "destination unreachable" (port unreachable) packet. Performing those lookups and generating the replies consumes resources and can make the host unreachable to legitimate clients.
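The two flood patterns above can be told apart from normal traffic by looking at the traffic as a whole rather than at individual sources, since a spoofed flood spreads its packets across thousands of fake addresses. The following is an added example, not code from the original article: it computes an aggregate ICMP Echo Request rate and the share of UDP packets hitting ports with no listener, over a constructed packet summary. The target address, the set of listening ports and the thresholds are assumptions chosen for the illustration.

```python
# Added example (not from the original article): two flood indicators computed
# from a constructed packet summary. Each record is
# (timestamp_s, proto, src_ip, dst_ip, dst_port); proto is "icmp-echo" or "udp".

TARGET = "198.51.100.10"
LISTENING_UDP_PORTS = {53, 123}   # assumption: the UDP services the target really runs

# Constructed one-second sample: a spoofed ICMP echo flood from 250 "sources",
# a UDP spray against 200 random high ports from one host, and three legitimate packets.
SAMPLE = [(0.001 * i, "icmp-echo", f"203.0.113.{i % 250 + 1}", TARGET, None) for i in range(300)]
SAMPLE += [(0.002 * i, "udp", "192.0.2.77", TARGET, 1024 + (i * 7919) % 60000) for i in range(200)]
SAMPLE += [(0.10, "udp", "192.0.2.5", TARGET, 53),
           (0.50, "udp", "192.0.2.6", TARGET, 123),
           (0.75, "icmp-echo", "192.0.2.9", TARGET, None)]


def icmp_echo_rate(packets, dst, window_s=1.0):
    """ICMP Echo Requests per second aimed at dst, and the number of distinct
    sources they came from. A high aggregate rate spread over a huge number of
    sources that each send only a few packets is the signature of a spoofed
    flood: per-source limits do nothing, the total toward the victim is what matters."""
    echo = [p for p in packets if p[1] == "icmp-echo" and p[3] == dst]
    if not echo:
        return 0.0, 0
    span = max(window_s, max(p[0] for p in echo) - min(p[0] for p in echo))
    return len(echo) / span, len({p[2] for p in echo})


def udp_closed_port_ratio(packets, dst, listening_ports):
    """Fraction of UDP packets to dst that hit a port with no listener, and how
    many distinct closed ports were hit. Each such packet costs the host a port
    lookup and an outbound ICMP Port Unreachable, so a ratio near 1.0 across many
    ports is the UDP-flood pattern."""
    udp = [p for p in packets if p[1] == "udp" and p[3] == dst]
    if not udp:
        return 0.0, 0
    closed = [p for p in udp if p[4] not in listening_ports]
    return len(closed) / len(udp), len({p[4] for p in closed})


def flood_verdict(packets, dst, listening_ports, pps_limit=100, closed_ratio_limit=0.5):
    """Combine both indicators into a per-vector verdict for dst."""
    rate, sources = icmp_echo_rate(packets, dst)
    ratio, ports = udp_closed_port_ratio(packets, dst, listening_ports)
    return {
        "icmp_flood": rate > pps_limit,
        "icmp_echo_pps": round(rate, 1),
        "icmp_sources": sources,
        "udp_flood": ratio > closed_ratio_limit and ports > 10,
        "udp_closed_ratio": round(ratio, 3),
    }


if __name__ == "__main__":
    print(flood_verdict(SAMPLE, TARGET, LISTENING_UDP_PORTS))
```

The thresholds are deliberately aggregate: the ICMP check looks at packets per second toward the victim, not per source, because every source in a spoofed flood looks quiet on its own.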
SYN flood
A SYN flood abuses the TCP three-way handshake, in which a client sends a SYN to open a connection, the target host answers with a SYN-ACK, and the client confirms with an ACK.
In a SYN flood the attacker sends a stream of SYN requests but never answers the SYN-ACKs, or sends the SYNs from spoofed addresses so that the SYN-ACKs go to hosts that never asked for them. Either way the target is left waiting for each connection's final ACK, and these half-open connections fill its listen backlog until no new connections can be accepted. This is the denial of service. Modern kernels mitigate this with SYN cookies, which avoid holding state for unacknowledged SYNs, though a large enough flood can still exhaust bandwidth or the state tables of firewalls in front of the host.
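Seen from the target, a SYN flood is a pile-up of handshakes that start but never finish. The following is an added example, not code from the original article: it replays a constructed inbound TCP trace, tracks half-open connections the way a listen backlog does, and reports both the per-source offenders and the total, since with spoofed sources only the total exceeds any limit. The backlog size, timeout and per-source threshold are assumptions.

```python
# Added example (not from the original article): spotting a SYN flood from a
# constructed inbound TCP packet trace by tracking half-open connections.
# Record: (timestamp_s, src_ip, src_port, dst_port, flags), flags a set drawn
# from {"SYN", "ACK", "RST", "FIN"}. Only inbound packets are in the trace, so
# the server's own SYN-ACKs do not appear.


def half_open_connections(trace, now, timeout_s=60.0):
    """Return the (src_ip, src_port, dst_port) tuples whose handshake started
    (SYN seen) but was never completed or aborted by the client, ignoring
    entries older than timeout_s, as a kernel backlog would age them out."""
    pending = {}
    for ts, src, sport, dport, flags in trace:
        key = (src, sport, dport)
        if "SYN" in flags and "ACK" not in flags:
            pending[key] = ts                     # new handshake started
        elif key in pending and ("ACK" in flags or "RST" in flags):
            pending.pop(key)                      # completed (or aborted) handshake
    return {k for k, ts in pending.items() if now - ts <= timeout_s}


def syn_flood_sources(trace, now, max_half_open_per_src=50, backlog=256):
    """Attribute half-open entries to sources and say whether the backlog is
    exhausted. With spoofed sources no single IP trips the per-source limit,
    which is why the backlog total, not the per-source list, is the real alarm."""
    half_open = half_open_connections(trace, now)
    per_src = {}
    for src, _, _ in half_open:
        per_src[src] = per_src.get(src, 0) + 1
    noisy = sorted(s for s, n in per_src.items() if n >= max_half_open_per_src)
    return {"half_open": len(half_open),
            "backlog_exhausted": len(half_open) >= backlog,
            "noisy_sources": noisy}


# Constructed trace: one legitimate client completing its handshake, one
# unspoofed attacker leaving 60 SYNs dangling, and 300 SYNs from spoofed addresses.
TRACE = [(0.0, "192.0.2.10", 40000, 443, {"SYN"}),
         (0.1, "192.0.2.10", 40000, 443, {"ACK"})]
TRACE += [(1.0 + i * 0.01, "203.0.113.5", 50000 + i, 443, {"SYN"}) for i in range(60)]
TRACE += [(2.0 + i * 0.001, f"198.51.100.{i % 254 + 1}", 1024 + i, 443, {"SYN"}) for i in range(300)]

if __name__ == "__main__":
    print(syn_flood_sources(TRACE, now=3.0))
```

Note that the spoofed block never shows up in `noisy_sources`: each fake address holds at most two entries, yet together they take the backlog past its limit.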
Slowloris
Slowloris is an attack that lets a single machine take down a web server without affecting other ports or services on the target network. It does so by holding as many of the target server's connections open for as long as it can: it opens connections but sends only partial requests.
Slowloris keeps sending HTTP headers at a trickle, never completing any request, and the server keeps every one of those connections open. Eventually the server's connection pool is exhausted and it refuses connections from legitimate clients.
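Why the trickle works, and which server setting defeats it, is easiest to see in a small model. The following is an added example, not code from the original article: it simulates a connection pool held by slow connections and counts how many legitimate clients get refused under different server settings. The pool size, timers and arrival pattern are constructed assumptions.

```python
# Added example (not from the original article): a small model of a web server's
# connection pool under a Slowloris-style trickle of incomplete headers. The
# numbers and timings are constructed; the point is to see which server setting
# actually frees the pool.


def slow_conn_closes_at(opened, trickle_interval_s, idle_timeout_s, header_timeout_s):
    """When the server drops a connection that only ever trickles partial headers,
    or None if it never does.

    idle_timeout_s:   per-read timer reset by every byte received. Slowloris beats
                      it by sending one header line every trickle_interval_s, so it
                      only helps when the trickle is slower than the timer.
    header_timeout_s: absolute deadline, from accept, for a complete request line
                      and headers. Trickling does not reset it.
    """
    deadlines = []
    if idle_timeout_s is not None and trickle_interval_s >= idle_timeout_s:
        deadlines.append(opened + idle_timeout_s)
    if header_timeout_s is not None:
        deadlines.append(opened + header_timeout_s)
    return min(deadlines) if deadlines else None


def simulate(pool_size, slow_clients, legit_arrivals, trickle_interval_s=10.0,
             idle_timeout_s=300.0, header_timeout_s=None, max_conns_per_ip=None):
    """Return (served, refused) for the legitimate clients.

    slow_clients connections (assumed to come from one attacker IP) open at t=0
    and never complete a request. legit_arrivals is a list of (t, service_time_s)
    for clients whose full request arrives immediately and whose slot is released
    after service_time_s. max_conns_per_ip caps how many slots one IP may hold.
    """
    holders = slow_clients if max_conns_per_ip is None else min(slow_clients, max_conns_per_ip)
    closes_at = slow_conn_closes_at(0.0, trickle_interval_s, idle_timeout_s, header_timeout_s)
    # Each slot is (kind, free_at); free_at None means the slot is never released.
    slots = [("slow", closes_at)] * min(holders, pool_size)
    served = refused = 0
    for t, service_s in sorted(legit_arrivals):
        slots = [s for s in slots if s[1] is None or s[1] > t]   # reap finished / timed-out
        if len(slots) < pool_size:
            slots.append(("legit", t + service_s))
            served += 1
        else:
            refused += 1
    return served, refused


# Constructed traffic: 20 legitimate clients, one every 5 s, each needing half a second.
LEGIT = [(5.0 * k, 0.5) for k in range(1, 21)]

if __name__ == "__main__":
    print("idle timer only:                ", simulate(150, 1000, LEGIT))
    print("20 s header timeout:            ", simulate(150, 1000, LEGIT, header_timeout_s=20.0))
    print("10 connections per IP:          ", simulate(150, 1000, LEGIT, max_conns_per_ip=10))
    print("idle timer shorter than trickle:", simulate(150, 1000, LEGIT, idle_timeout_s=5.0))
```

The model leaves out one thing a real attacker does: reconnect the moment a connection is dropped. A header deadline therefore only bounds how long each slot is held, and in practice it is paired with a per-IP connection cap or a reverse proxy that buffers complete requests before handing them to the application server.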
POD (Ping of Death)
The so-called ping of death sends malformed pings to the target computer: the receiving host is handed a packet larger than the maximum allowed, which overflows the memory buffer allocated for the received packet. The result is a crash, and denial of service for any legitimate packets.
It works because an IP packet's maximum length is 65,535 bytes, while the data link layer usually imposes a much smaller maximum frame size, so a large packet is split into fragments that the recipient reassembles. In a ping of death the fragments' offsets and lengths add up to more than 65,535 bytes, and a host that does not check this before reassembling overflows its buffer. This is a historical attack: operating systems have validated fragment lengths during reassembly since the late 1990s, so the classic form only works against unpatched or very old network stacks.
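The fix is a bounds check before any fragment data is copied. The following is an added example, not code from the original article or from any operating system: a fragment reassembler that refuses a fragment whose offset plus length would exceed the datagram limit, and also catches gaps and duplicate final fragments. The fragment tuples are constructed, and a 20-byte IP header with no options is assumed.

```python
# Added example (not from the original article): an IP fragment reassembler that
# enforces the datagram size limit before copying any data. Fragments are
# constructed tuples, not real packets:
#   (ident, fragment_offset_in_8_byte_units, more_fragments, payload_bytes)
# Offsets count from the start of the IP payload, as in the real header field.

MAX_DATAGRAM = 65535            # the IP total length field is 16 bits
IP_HEADER_LEN = 20              # assumption: no IP options
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN
FRAG_UNIT = 8


class ReassemblyError(ValueError):
    """Raised instead of letting a bad fragment set reach the buffer."""


def reassemble(fragments):
    """Rebuild one datagram's payload from its fragments, in any order.

    The first check is the one a ping of death relies on being absent: a
    fragment whose offset plus length lands beyond MAX_PAYLOAD is refused
    before anything is written, instead of overrunning a 65,535-byte buffer.
    """
    if not fragments:
        raise ReassemblyError("no fragments")
    ident = fragments[0][0]
    buf = bytearray()
    covered = []
    total_len = None
    for fid, offset_units, more, payload in fragments:
        if fid != ident:
            raise ReassemblyError("fragments belong to different datagrams")
        start = offset_units * FRAG_UNIT
        end = start + len(payload)
        if end > MAX_PAYLOAD:
            raise ReassemblyError(f"fragment would end at byte {end}, beyond {MAX_PAYLOAD}")
        if more and len(payload) % FRAG_UNIT:
            raise ReassemblyError("non-final fragment length is not a multiple of 8")
        if not more:
            if total_len is not None:
                raise ReassemblyError("more than one final fragment")
            total_len = end
        if len(buf) < end:
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = payload
        covered.append((start, end))
    if total_len is None:
        raise ReassemblyError("final fragment missing")
    covered.sort()
    pos = 0
    for s, e in covered:
        if s > pos:
            raise ReassemblyError(f"gap at byte {pos}")
        pos = max(pos, e)
    if pos != total_len:
        raise ReassemblyError("data extends past the final fragment")
    return bytes(buf[:total_len])


def check(fragments):
    """Wrapper returning ("ok", payload) or ("rejected", reason)."""
    try:
        return "ok", reassemble(fragments)
    except ReassemblyError as exc:
        return "rejected", str(exc)


# Constructed sample sets.
NORMAL = [(1, 0, True, b"A" * 16), (1, 2, False, b"B" * 10)]
# Ping of death: a final fragment placed at offset 65512 with 72 bytes of data,
# so the reassembled payload would be 65,584 bytes.
PING_OF_DEATH = [(2, 0, True, b"\x08\x00" + bytes(6)), (2, 8189, False, b"X" * 72)]
GAPPED = [(3, 0, True, b"C" * 8), (3, 3, False, b"D" * 4)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("gapped", GAPPED)):
        print(name, check(frags)[0])
```

The ordering of the checks matters: the size test runs on each fragment as it arrives, so the oversized fragment is rejected even though the set is also incomplete, and no buffer is ever grown past the limit.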
HTTP flood
HTTP floods target an application or web server with HTTP GET or POST requests that look genuine.
This type of attack involves no malformed packets and no spoofing, since the attacker needs a completed TCP connection to send HTTP at all, and it uses far less bandwidth than volumetric attacks. HTTP floods are most effective when each request forces the application or server to do expensive work (database queries, searches, report generation), so that a modest rate of requests is enough to consume all available resources.
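Because each request in an HTTP flood is well formed, the signal is in the rate and in how much server work the requests cause. The following is an added example, not code from the original article: it parses constructed access-log lines in combined log format, keeps a sliding window per client, and scores each client both by request count and by a weighted cost of the endpoints it hit, so a low-rate client hammering an expensive endpoint is caught too. The endpoint costs, limits and log lines are assumptions made for the illustration.

```python
# Added example (not from the original article): HTTP flood scoring over
# constructed access-log lines, by request rate and by endpoint cost.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx; only the fields used are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Assumption: relative server cost of each endpoint in arbitrary work units.
# Paths not listed are treated as cheap (cost 1). The numbers are illustrative.
ENDPOINT_COST = {"/search": 50, "/api/report": 80}


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def endpoint_cost(path):
    return ENDPOINT_COST.get(path.split("?", 1)[0], 1)


def flood_scores(lines, window_s=60):
    """For each client IP: (max requests in any window_s, max summed endpoint
    cost in any window_s), using a sliding window over that IP's sorted events."""
    per_ip = defaultdict(list)
    for e in map(parse, lines):
        if e:
            per_ip[e["ip"]].append(e)
    scores = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = cost = best_n = best_cost = 0
        for end, e in enumerate(evs):
            cost += endpoint_cost(e["path"])
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                cost -= endpoint_cost(evs[start]["path"])
                start += 1
            best_n = max(best_n, end - start + 1)
            best_cost = max(best_cost, cost)
        scores[ip] = (best_n, best_cost)
    return scores


def suspects(lines, max_requests=60, max_cost=500, window_s=60):
    """IPs that exceed either the raw request limit or the cost limit."""
    return sorted(ip for ip, (n, c) in flood_scores(lines, window_s).items()
                  if n > max_requests or c > max_cost)


# Constructed sample log (not real traffic).
_BASE = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, secs, path):
    ts = (_BASE + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = [_line("192.0.2.10", s, p) for s, p in
              ((0, "/"), (10, "/static/app.js"), (20, "/search?q=shoes"), (30, "/"), (40, "/api/report"))]
SAMPLE_LOG += [_line("203.0.113.7", i // 2, f"/search?q=x{i}") for i in range(120)]   # 2 req/s for 60 s
SAMPLE_LOG += [_line("198.51.100.4", i * 5, "/api/report") for i in range(12)]       # slow but expensive

if __name__ == "__main__":
    for ip, (n, c) in flood_scores(SAMPLE_LOG).items():
        print(ip, n, c)
    print("suspects:", suspects(SAMPLE_LOG))
```

The second attacker in the sample stays under the request limit and would pass a plain rate limiter; it is flagged only because every one of its requests hits the most expensive endpoint, which is exactly the behaviour the paragraph above describes.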
Zero-day DDoS attacks
"Zero-day" DDoS attacks are new or previously unknown attack methods that rely on vulnerabilities for which no patch has yet been issued. Such techniques are regularly traded among attackers.
NTP amplification
In an NTP amplification attack, the attacker sends small queries with a spoofed source address (the victim's) to publicly reachable Network Time Protocol servers, which then send their much larger replies to the victim and overwhelm it with UDP traffic. These attacks are called "amplification" attacks because of the ratio between the size of the query and the size of the response.
That ratio tends to be between 1:20 and 1:200 or higher, so an attacker with a list of open NTP servers can cause major disruption from a modest amount of outbound traffic. The "monlist" command responsible for the largest responses is disabled in current ntpd releases, but servers still running old versions remain usable as reflectors.
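The same attack looks different depending on where you stand: the victim sees large replies from many NTP servers it never queried, while the operator of an abused NTP server sees tiny queries "from" one host answered with far more bytes than it ever sent. The following is an added example, not code from the original article: it computes the amplification factor from request and response sizes and checks both views over constructed NetFlow-style records. The 234-byte query and 48,200-byte response are commonly cited monlist figures used here as illustration; the flow records, thresholds and addresses are constructed.

```python
# Added example (not from the original article): amplification arithmetic and
# reflection indicators over constructed NetFlow-style records:
#   (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)

NTP_PORT = 123


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker sends."""
    return round(response_bytes / request_bytes, 1)


def reflection_victims(flows, min_reflectors=10, min_bytes_per_packet=200):
    """Victim-side view: UDP traffic sourced from port 123 grouped by destination.
    A normal NTP reply is one small packet from a handful of servers; many
    distinct reflectors sending large packets to one host is the amplification signature."""
    by_dst = {}
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport != NTP_PORT:
            continue
        d = by_dst.setdefault(dst, {"reflectors": set(), "packets": 0, "bytes": 0})
        d["reflectors"].add(src)
        d["packets"] += pkts
        d["bytes"] += nbytes
    victims = {}
    for dst, d in by_dst.items():
        bpp = d["bytes"] / d["packets"]
        if len(d["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            victims[dst] = {"reflectors": len(d["reflectors"]),
                            "mbytes": round(d["bytes"] / 1e6, 2),
                            "bytes_per_packet": round(bpp)}
    return victims


def abused_reflectors(flows, min_factor=10):
    """Operator-side view: for each (ntp_server, peer) pair, bytes the server sent
    from port 123 divided by bytes it received on port 123 from that peer. A ratio
    far above 1 means the server is answering spoofed queries aimed at that peer."""
    received, sent = {}, {}
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == NTP_PORT:                      # query into an NTP server
            received[(dst, src)] = received.get((dst, src), 0) + nbytes
        elif sport == NTP_PORT:                    # reply out of an NTP server
            sent[(src, dst)] = sent.get((src, dst), 0) + nbytes
    flagged = {}
    for key, out_bytes in sent.items():
        in_bytes = received.get(key, 0)
        if in_bytes and out_bytes / in_bytes >= min_factor:
            flagged[key] = round(out_bytes / in_bytes, 1)
    return flagged


# Constructed flows. 30 reflectors each deliver 100 packets of 440 bytes to the
# victim; the first reflector's own records also show the 10 spoofed 234-byte
# queries that triggered it. One ordinary NTP exchange is included for contrast.
VICTIM = "198.51.100.10"
FLOWS = [(f"203.0.113.{i + 1}", NTP_PORT, VICTIM, 33000 + i, "udp", 100, 44000) for i in range(30)]
FLOWS += [(VICTIM, 33000, "203.0.113.1", NTP_PORT, "udp", 10, 2340),    # spoofed queries, seen by reflector 1
          ("192.0.2.5", 45000, "192.0.2.50", NTP_PORT, "udp", 1, 76),  # legitimate client query
          ("192.0.2.50", NTP_PORT, "192.0.2.5", 45000, "udp", 1, 76)]  # and its reply

if __name__ == "__main__":
    print("monlist factor:", amplification_factor(234, 48200))
    print("victims:", reflection_victims(FLOWS))
    print("abused reflectors:", abused_reflectors(FLOWS))
```

The operator-side check is the one that actually reduces the problem: an NTP server whose sent/received ratio to a peer is in the tens is being used as a reflector, and disabling monlist or restricting queries fixes it at the source.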
What causes hackers to launch DDoS attacks?
In a relatively short period, the DDoS attack types covered above have become one of the most common cybersecurity risks. Both their number and their volume have grown in recent years: shorter attacks are now the norm, but they often carry a higher packet-per-second rate.
So, what drives the attackers?
Business competition
Businesses may use some of these DDoS attack types to disrupt a competitor's service or website in order to improve their own market position. For example, an online retailer might hire a DDoS attacker to take a rival's site down ahead of a crucial Black Friday or Cyber Monday sale.
Hacktivism
Some attackers, known as "hacktivists", launch DDoS attacks to disrupt businesses whose practices they object to (over workers' rights, for example).
Cyber attacks on enemy nations
A government may authorize a DDoS attack against another country's infrastructure or websites for its own strategic gain.
Extortion
DDoS attacks may be launched, or merely threatened, to extort money from a business: the attacker demands payment to stop, or not to start, the attack. This is often called "ransom DDoS" and is distinct from ransomware, which holds data hostage by encrypting it.
Thrill-seeking
Some attackers launch DDoS attacks simply for the short-term thrill, with no regard for the people they affect.