What is a DDoS attack and why should you care?
DDoS is an acronym for Distributed Denial of Service. In a DDoS attack, multiple compromised systems flood a single target at the same time. If you have never witnessed a DDoS attack, consider yourself lucky: these attacks can do serious damage to a system.
In simple words, a DDoS attack requires an attacker to gain control of a network of online machines in order to carry out the attack. A DDoS attack typically occurs when a huge number of bots, organized into botnets, start attacking internet services. If your site has been targeted, the attack may shut down the entire site. If the attack is too big for the web server to handle, there are few options left for the site owner other than to wait for the DDoS attack to end.
For a more detailed understanding, here are a few examples of how a DDoS attack is carried out:
- Forwarding a lot of spam through “zombie” machines. These complex networks of zombie machines and control hosts are what the industry calls a “botnet”.
- Distributing malware to as many machines as possible and connecting the infected machines to a central host that controls them.
- Generating a lot of ICMP “ping” packets towards a target from multiple machines, with the intent of overloading the internet connection, the firewall or the target system itself.
The OSI model
A DDoS attack can target various components of a network connection. For a deeper understanding of the topic, it is important to know how a network connection is made. A network connection on the internet is made up of seven different layers. Each layer of the OSI model has a separate function, stated below:
- Physical Layer: This is the lowest layer of the OSI model. It handles the transmission and reception of the unstructured raw bit stream over a physical medium.
- Data Link Layer: The data link layer is responsible for the error-free transfer of the data frames from one node to another over the physical layer.
- Network Layer: The network layer is responsible for deciding the path the data takes through the network, controlling the operation of the subnet, priority of service and other factors.
- Transport Layer: This layer ensures that messages are delivered in the right sequence, without errors and with no losses or duplications. It provides the higher-level protocols with data transfer between them and their peers.
- Session Layer: The session layer allows session establishment between the processes running on different stations.
- Presentation Layer: The presentation layer is responsible for formatting the data that is presented to the application layer. This layer can be seen as a translator for the network layer.
- Application Layer: The application layer is the topmost layer of the OSI model. It serves as the base through which application processes and users access the network.
Types of DDoS attacks
There are various types of DDoS attacks, ranging from Teardrops to Smurfs to Pings of Death. Such DDoS attacks affect different layers of the protocol stack. Below are the three major types of attack:
- Application attacks: This is a type of DDoS attack in which the application layer of the OSI model is targeted. As the name suggests, it targets the 7th layer of the OSI model and is also known as a layer 7 DDoS attack. This attack is carried out with the intent of exhausting the resources of the target. It is quite difficult to defend against such attacks because it is hard to tell whether the traffic is genuine or malicious.
- Protocol attacks: Protocol attacks, or state-exhaustion attacks, consume all the available state table capacity of the web application server or of intermediate resources such as firewalls and load balancers, which results in service disruption. Protocol attacks exploit weaknesses in layer 3 and layer 4 of the protocol stack to make the target inaccessible.
- Volumetric attacks: Such attacks consume the bandwidth between the target and the larger internet. This is done by sending a large amount of data to the target, through amplification or other means of creating massive traffic, for example floods of requests from botnets.
There is one major technique used by the crooks for executing a DDoS attack, namely amplification. With this technique, the attacker turns a small DNS query into a much larger response which is directed at the targeted network.
How to cope with a DDoS attack?
The key element in coping with a DDoS attack is to differentiate between normal and attack traffic. For example, if a company launches a new product and its website is flooded with eager customers, cutting off the traffic is a serious mistake. However, if the same company sees a surge in traffic which appears to be malicious, it is important to mitigate the attack. The real test is to differentiate between attack traffic and real site visitors.
There are various forms of DDoS attack. The attack traffic can vary from single-source attacks to complex and adaptive multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways to overwhelm the target in many ways at once. To fight a multi-vector DDoS attack one needs to implement a variety of strategies in order to cope with the different vectors.
In layman's terms, the more complex the attack, the harder it is to differentiate between normal and attack traffic. Attackers aim to blend the fake traffic in with the real traffic as much as possible so that it becomes nearly impossible to tell legitimate traffic from attack traffic. To separate legitimate traffic from attack traffic, a layered solution gives the best results.
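As an added example (not code from the original article), the following Python script shows one way to put this distinction into practice over web server access logs. The log lines are constructed samples and the thresholds in classify() are assumed starting points, not tuned values. The point it demonstrates is that source diversity alone does not settle the question: a burst from many browsers hitting varied pages looks like a product launch, while a burst from many addresses that all present the same scripted client string and hit the same endpoint is flagged anyway.

```python
import re
from collections import Counter

# Matches the "combined" access-log format written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: shoppers arriving after a product launch (six sources, mixed browsers, mixed pages).
FLASH_CROWD_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /launch HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "GET /launch/specs HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "GET /launch HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/117.0"
203.0.113.13 - - [10/Oct/2023:13:55:37 +0000] "GET /cart HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Android 13) Firefox/118.0"
203.0.113.14 - - [10/Oct/2023:13:55:38 +0000] "GET /launch/specs HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (Windows NT 10.0) Edg/117.0"
203.0.113.15 - - [10/Oct/2023:13:55:38 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
"""

# Constructed sample: eight different addresses, but one scripted client string hammering one endpoint.
BOTNET_LOG = "\n".join(
    f'198.51.100.{i} - - [10/Oct/2023:14:02:0{i} +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31.0"'
    for i in range(1, 9)
)


def parse_log(text):
    """Parse access-log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def traffic_profile(rows):
    """Summarise a burst of requests by how concentrated it is on a few sources, paths and agents."""
    n = len(rows)
    if n == 0:
        return {"requests": 0, "distinct_ips": 0, "top_ip_share": 0.0,
                "top_path_share": 0.0, "top_ua_share": 0.0}
    ips = Counter(r["ip"] for r in rows)
    paths = Counter(r["path"] for r in rows)
    uas = Counter(r["ua"] for r in rows)
    return {
        "requests": n,
        "distinct_ips": len(ips),
        "top_ip_share": ips.most_common(1)[0][1] / n,     # share of requests from the busiest source
        "top_path_share": paths.most_common(1)[0][1] / n, # share of requests to the busiest path
        "top_ua_share": uas.most_common(1)[0][1] / n,     # share of requests with the commonest client string
    }


def classify(profile, ip_share=0.5, ua_share=0.9, path_share=0.9):
    """Heuristic verdict on a traffic profile. The thresholds are assumed defaults, not tuned values."""
    if profile["requests"] == 0:
        return "no traffic"
    if profile["top_ip_share"] >= ip_share:
        return "suspected attack: single source dominates"
    if profile["top_ua_share"] >= ua_share and profile["top_path_share"] >= path_share:
        return "suspected attack: uniform tooling hammering one endpoint"
    return "looks like organic traffic (diverse sources, agents and paths)"


if __name__ == "__main__":
    for name, log in (("flash crowd", FLASH_CROWD_LOG), ("botnet", BOTNET_LOG)):
        profile = traffic_profile(parse_log(log))
        print(f"{name}: {profile} -> {classify(profile)}")
```

In a real deployment these counters would be computed per time window over a live stream and fed into the layered controls described below, and the thresholds would be set from the site's own baseline rather than the assumed defaults used here.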
There is no doubt that a DDoS attack can pose a huge business risk and have a long-lasting effect on any business. This is why it is important for business executives and IT administrators to understand the threats and risks associated with DDoS attacks and to be on the same page about protection. Effective techniques include:
Black Hole Routing: Black hole routing is a solution available to almost all network admins. It lets the admin funnel traffic into a specific route where it is discarded. In simple words, if a website is facing a DDoS attack, its internet service provider can send the entire site's traffic into a black hole as a defense.
Web Application Firewall: A Web Application Firewall (WAF) is a tool which can assist you in coping with layer 7 DDoS attacks. Placed between the origin server and the internet, the WAF acts as a reverse proxy. This shields the server from certain types of malicious traffic, and by filtering these requests layer 7 attacks can be blunted.
Rate Limiting: Another effective technique for coping with a DDoS attack is to limit the number of requests the server accepts over a certain time period. This technique can be effective in slowing down web scrapers that steal site content or in coping with brute-force login attempts. Although rate limiting alone is insufficient to handle a complex DDoS attack efficiently, it still remains a useful component of the overall strategy.
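An added example, not code from the article: a per-client sliding-window rate limiter in Python, replayed over constructed traffic. It shows both halves of the point above. A single source that sends 50 requests in five seconds is cut off after the configured 20, while three ordinary visitors are untouched; but the same 50 requests spread across 50 addresses all get through, which is exactly why rate limiting by itself does not stop a distributed attack. The limit, window length and addresses are assumed values, and the clock is passed in explicitly so the replay is deterministic.

```python
from collections import deque


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}  # client id -> deque of request timestamps still inside the window

    def allow(self, client, now):
        """Return True if the request at time `now` is admitted, False if it is rejected."""
        q = self._hits.setdefault(client, deque())
        # Drop timestamps that have slid out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(limiter, requests):
    """Replay (timestamp, client) pairs in time order; return {client: (allowed, rejected)}."""
    stats = {}
    for now, client in sorted(requests, key=lambda r: r[0]):
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, now):
            stats[client] = (allowed + 1, rejected)
        else:
            stats[client] = (allowed, rejected + 1)
    return stats


def single_source_traffic():
    """Constructed sample: one client firing 50 requests in 5 s, plus three ordinary visitors."""
    reqs = [(i * 0.1, "198.51.100.7") for i in range(50)]
    for i in range(3):  # each visitor sends three requests, two seconds apart
        for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):
            reqs.append((i * 2.0 + 0.05, ip))
    return reqs


def distributed_traffic():
    """Constructed sample: the same 50 requests, each from a different address."""
    return [(i * 0.1, f"198.51.100.{100 + i}") for i in range(50)]


if __name__ == "__main__":
    print(simulate(SlidingWindowLimiter(limit=20, window=10.0), single_source_traffic()))
    print(simulate(SlidingWindowLimiter(limit=20, window=10.0), distributed_traffic()))
```

In production the limiter sits at the edge (the WAF or reverse proxy mentioned above), its state is shared across all servers rather than kept in one process's memory, and the key can be widened from a single address to a network prefix or a session token; even so, the distributed case above is the one that needs the other layers.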
Risks associated with a DDoS attack
A DDoS attack can affect enterprises of all sectors, locations and sizes. Such attacks are really difficult to detect and block because the attack traffic can easily be confused with legitimate traffic. Thus site owners often have to wait for the attack to end before the website is reachable again. These attacks can lead to severe damage which definitely takes time to recover from. All of these factors result in lost traffic, which in turn results in lost revenue.
How to know if you are in a vulnerable state?
There are many forms of attack, and more are evolving each day. To cope with such vulnerabilities it is important to upgrade your security measures on a constant basis. For this it is important to engage a security professional to perform an audit and determine whether your server is capable of withstanding these major vulnerabilities.
Expenses in repairing the Damage
Once a DDoS attack subsides, one has to spend a lot of time bringing the system back to its working state. It also takes time to check whether everything is still working properly or whether the high load has caused any unforeseen issues. In some cases recovering from the damage involves a huge cost.