An increasingly common cyber threat is a distributed denial of service attack (DDoS) that—as its name implies—renders websites and other online resources unavailable to intended users. DDoS attacks come in many varieties, with some directly targeting the underlying server infrastructure. Others exploit vulnerabilities in application and communication protocols. In some cases, DDoS attacks are a diversion from other malicious activities that try to infiltrate web applications.
A successful DDoS attack is a highly noticeable event impacting the entire online user base. This makes it a popular weapon of choice for hacktivists, cyber criminals, extortionists, and anyone else looking to make a point or champion a cause.
DDoS attacks can persist for days, weeks, and even months, making them extremely destructive to any online organization. They cause loss of revenue, erode consumer trust, force businesses to pay compensation, and leave an organization with long-term reputation damage.
A DDoS attack begins long before the first packet reaches its target. The attacker first assembles an attack network by compromising large numbers of devices, using malicious emails, malware infections, stolen or default credentials, or brute-force attacks against authentication systems. Infected devices frequently scan for and infect further vulnerable hosts, so the network grows on its own. This collection of exploited devices is called a botnet.
The attacker directs the botnet through a command-and-control (C2) server. A single botnet can contain hundreds of thousands, or even a million, infected devices, all of which can be pointed at a target server without the knowledge of the devices' owners.
There are three categories of DDoS attacks:
- Volume-based attacks saturate the bandwidth of the targeted server or its network link; their size is measured in bits per second. Examples of such attacks include:
- UDP floods leverage the User Datagram Protocol (UDP) to send large numbers of UDP packets to random ports on the server, forcing the host to check for an application listening on each port. When no application is found, the host responds with an ICMP Destination Unreachable packet. Generating these replies depletes server resources and bandwidth and can cause slowdowns or even a system crash.
- ICMP (ping) floods rapidly send ICMP Echo Request (ping) packets to the server, without waiting for replies. This consumes both incoming and outgoing bandwidth, resulting in system slowdowns.
- Protocol attacks consume the connection-state resources of the server or of intermediate devices such as firewalls and load balancers; their size is measured in packets per second. Examples of such attacks include:
- SYN floods send a stream of TCP SYN requests and never complete the three-way handshake, either by ignoring the server's SYN-ACK reply or by spoofing source addresses that will never answer it. In both cases the server holds each half-open connection in its backlog until it times out, so the connection table fills and legitimate handshakes are refused.
- Ping of death sends oversized or malformed ICMP packets, typically fragments that reassemble to more than the 65,535-byte maximum IP packet size, overflowing the reassembly buffer on vulnerable hosts. Modern operating systems are patched against the classic form, but malformed-packet attacks against unpatched devices remain in the same family.
- Application layer attacks send requests that look legitimate but exhaust the web application's capacity to process them; they are measured in requests per second and need far less bandwidth than the other two categories. Examples of this type of attack include:
- HTTP floods send a high rate of GET or POST requests, often to the most expensive pages (search, login, database-backed reports), forcing the web server and its backends to allocate maximum resources to serve them.
- Slowloris opens many connections to the server but sends only a partial HTTP request on each, trickling additional header bytes just often enough to keep each connection from timing out. This eventually fills the server's maximum concurrent connection pool, so new connections are refused.
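The three categories above are usually told apart by what they exhaust: bandwidth, connection state, or application capacity. The following detector is an added example, not Imperva's code or anything from the original page. It runs three simple heuristics over a constructed packet summary: orphaned SYNs (a SYN with no later ACK from the same source) for SYN floods, distinct UDP ports hit per source per second for UDP floods, and HTTP requests per source per second for HTTP floods. The record format, the sample traffic, and the thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample traffic for this example: one tuple per packet in the form
# (second, proto, src_ip, dst_port, tcp_flags, http_request). Made up for
# illustration; it is not from any real capture.
SAMPLE = [
    # A normal client completing the TCP handshake and fetching a page.
    (1, "tcp", "198.51.100.7", 443, "S", None),
    (1, "tcp", "198.51.100.7", 443, "A", None),
    (1, "tcp", "198.51.100.7", 443, "PA", "GET /"),
    # SYN flood from spoofed sources: forty SYNs, and no ACK ever follows.
    *[(1, "tcp", f"203.0.113.{i}", 443, "S", None) for i in range(1, 41)],
    # UDP flood: one source spraying sixty random high ports in one second.
    *[(2, "udp", "192.0.2.9", 30000 + i, "", None) for i in range(60)],
    # HTTP flood: one client sending 120 POSTs to the login page in one second.
    *[(3, "tcp", "192.0.2.50", 443, "PA", "POST /login") for _ in range(120)],
    # Another normal client.
    (3, "tcp", "198.51.100.8", 443, "PA", "GET /about"),
]


def orphan_syns(records):
    """Protocol layer: sources that sent a SYN but never followed with an ACK.
    Counting per source alone misses spoofed floods, because each fake source
    sends a single SYN, so the caller must look at the total, not the per-source max."""
    syns, acks = Counter(), Counter()
    for _, proto, src, _, flags, _ in records:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1
    return {src: n for src, n in syns.items() if acks[src] == 0}


def udp_port_sweeps(records, min_ports=50):
    """Volumetric: per source and per second, how many distinct UDP ports were hit.
    Every closed port costs the host an ICMP Destination Unreachable reply."""
    ports = defaultdict(set)
    for sec, proto, src, dport, _, _ in records:
        if proto == "udp":
            ports[(src, sec)].add(dport)
    return {src: len(p) for (src, sec), p in ports.items() if len(p) >= min_ports}


def http_rate_offenders(records, max_rps=50):
    """Application layer: clients exceeding max_rps HTTP requests in any one second."""
    rate = Counter()
    for sec, _, src, _, _, http in records:
        if http:
            rate[(src, sec)] += 1
    return {src: n for (src, sec), n in rate.items() if n > max_rps}


def detect(records, syn_threshold=20, min_ports=50, max_rps=50):
    """Run all three heuristics and return the verdicts in one dict.
    Thresholds are assumptions for the sample; tune them against a baseline."""
    orphans = orphan_syns(records)
    return {
        "syn_flood": sum(orphans.values()) >= syn_threshold,
        "syn_sources": len(orphans),
        "udp_flood": udp_port_sweeps(records, min_ports),
        "http_flood": http_rate_offenders(records, max_rps),
    }


if __name__ == "__main__":
    for name, verdict in detect(SAMPLE).items():
        print(f"{name}: {verdict}")
```

The SYN-flood check aggregates orphaned SYNs across all sources on purpose: with spoofed addresses, no single source ever crosses a per-IP threshold, so a per-source rule sees forty harmless clients rather than one flood. Fixed one-second windows are used for brevity; a production detector would use sliding windows and a learned baseline, and SYN cookies on the server absorb the half-open connections whether or not the flood is detected.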
DDoS Attack Mitigation Methods
Risk Assessment: Understand the scope of risk, including infrastructure vulnerabilities, single points of failure, and the financial impact of an outage.
Detection and Blocking: Use visitor-identification technology to differentiate legitimate visitors from malicious clients; block traffic from known bad sources; detect and block automated clients and bots; and challenge suspicious or unrecognized visitors with a JavaScript test, a cookie challenge, or a CAPTCHA.
Scrubbing: Route traffic through a global network of scrubbing centers that absorb the attack volume and forward only clean traffic to the origin.
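The cookie challenge mentioned under Detection and Blocking works because most flood tools fire requests without keeping cookies, whereas a browser stores and returns them. The following is an added example of that gate, written for this page and not Imperva's implementation: the server issues a cookie whose value is an HMAC over the client address and an expiry time, and passes only requests that echo a valid one. The secret, the cookie format, the 300-second lifetime, and the simulated clients are assumptions made for the example.

```python
import hashlib
import hmac

# Assumption for this example: a per-deployment secret loaded from configuration.
# This placeholder value is not from the page and must be replaced in practice.
SECRET = b"example-only-rotate-me"


def issue_challenge(client_ip, now, ttl=300, secret=SECRET):
    """Mint a cookie value bound to the client address and an expiry time.
    The tag is an HMAC over both, so a client cannot forge one or extend it."""
    expiry = int(now) + ttl
    msg = f"{client_ip}|{expiry}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{tag}"


def verify_challenge(cookie, client_ip, now, secret=SECRET):
    """True only if the cookie is well-formed, unexpired, bound to this IP and unforged."""
    if not isinstance(cookie, str) or "." not in cookie:
        return False
    expiry_s, tag = cookie.split(".", 1)
    if not expiry_s.isdigit() or int(now) > int(expiry_s):
        return False
    msg = f"{client_ip}|{int(expiry_s)}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def handle_request(client_ip, cookie, now):
    """Gate one request: pass clients that echo a valid cookie, challenge the rest.
    Returns ("pass", None) or ("challenge", cookie_value_to_set)."""
    if verify_challenge(cookie, client_ip, now):
        return "pass", None
    return "challenge", issue_challenge(client_ip, now)


def simulate(now=1000):
    """Constructed walk-through: a browser that honours Set-Cookie passes on its
    second request, a flood bot that ignores cookies is challenged every time, and
    a cookie replayed from another address fails the IP binding."""
    browser_first, cookie = handle_request("198.51.100.7", None, now)
    browser_second, _ = handle_request("198.51.100.7", cookie, now + 1)
    bot_first, _ = handle_request("203.0.113.5", None, now)
    bot_second, _ = handle_request("203.0.113.5", None, now + 1)
    replay, _ = handle_request("203.0.113.5", cookie, now + 1)
    return {
        "browser_first": browser_first,
        "browser_second": browser_second,
        "bot": (bot_first, bot_second),
        "replay": replay,
    }


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step}: {outcome}")
```

In a real deployment the challenge response is a Set-Cookie header plus a redirect back to the requested URL, and the JavaScript test extends the same idea by requiring the client to compute part of the cookie value in script. Two caveats a practitioner will hit: many legitimate users share one address behind NAT, so the IP binding blocks replay across a botnet but does not distinguish users behind the same gateway, and the secret must be rotated and kept out of source control, since anyone holding it can mint valid cookies for every bot.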
Learn how Imperva solutions can help you mitigate DDoS attacks.