An attacker makes a website or other service slow or inaccessible by flooding it with bogus requests so that legitimate users cannot reach it. A DoS attack comes from a single source, while a DDoS (distributed denial of service) attack comes from many locations at once.

What are the reasons for a DDoS attack?

  • An attacker may want to damage the reputation of the victim’s website.
  • This kind of attack is also used for extortion and blackmail. For example, the attacker can demand a ransom from the website owner in exchange for stopping the DDoS attack.
  • Attackers may use a DDoS to divert the attention of the company’s security team while planning some other kind of cybercrime in the background, for example data theft.

How does a DDoS attack work?

Many hackers use botnets (networks of so-called zombie devices) to create DDoS attacks. A botnet is a way for a hacker to control thousands of devices at once. These devices could be computers, smartphones, or IoT devices such as smart refrigerators or webcams.

Hackers can get control of these devices in many ways. They may create malware and spread it over the internet (by email, social media, or infected sites), where it propagates itself to other devices and infects them. Another way is to exploit a known vulnerability in a specific kind of IoT device, for example a weak login password. They then build a bot that scans the internet and compromises as many of those devices as possible.

The hacker takes control of these devices by installing a small program on each of them. The hacker can then publish a command, and all the devices in the botnet will do whatever the hacker instructs them to do.

The attacker will research the target website to identify a weak point to exploit, and then craft a request that targets that weakness. Finally, the attacker instructs the zombie devices to execute that request repeatedly. This floods the victim’s web server with more requests than its design and configuration can handle.

What are the types of DDoS attacks?

Volumetric Attacks

This is the most common type of DDoS attack: attackers flood the victim server with bogus data requests. The server has to process the malicious requests continuously and has no capacity left to accept legitimate traffic. UDP (User Datagram Protocol) floods and ICMP (Internet Control Message Protocol) floods are the two primary forms of volumetric attack.

UDP transmits data at high speed without a connection handshake or verification of what was sent, which unfortunately makes it a prime tool for attackers.

Network devices use ICMP to communicate with each other. In an ICMP-focused attack, the attacking nodes send bogus ICMP error or echo requests to the target. The target system has to handle all of these requests and cannot respond to real ones.

Application-Layer Attacks

Attacks at the application layer focus primarily on web-facing traffic using HTTP, HTTPS, DNS, or SMTP.

Protocol-Based Attacks

A protocol attack exhausts the connection tables of network devices and servers. These tables track and verify connections. Attackers continuously send slow or deliberately malformed pings and partial packets, which overload the victim’s memory buffers and can crash the system. A protocol attack can also target firewalls, which means that a firewall by itself will not stop DDoS attacks.

One of the protocol attacks is the SYN flood, which abuses the three-way handshake used to establish a TCP/IP connection. Normally the client sends a synchronize (SYN) packet, receives a synchronize-acknowledge (SYN-ACK), and then returns an acknowledgment (ACK) before the connection is established. During a SYN flood, the client only sends SYN packets, causing the server to send a SYN-ACK and wait for an ACK that never arrives. Each such half-open connection ties up server resources until it times out.
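A defender-side view of the half-open connections described above, as an added example that is not part of the original article. It counts SYNs that were never followed by an ACK from the same source over a constructed packet sample (RFC 5737 documentation addresses, not real hosts) and flags the backlog; the server-wide total is the signal that still works when sources are spoofed.

```python
from collections import Counter

# Constructed sample of TCP packets seen by the server, as (src_ip, tcp_flag).
# The first two clients complete the handshake (SYN, then ACK); the other two
# sources only ever send SYN, so their connections stay half-open.
# All addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_PACKETS = (
    [("203.0.113.5", "SYN"), ("203.0.113.5", "ACK"),
     ("203.0.113.9", "SYN"), ("203.0.113.9", "ACK")]
    + [("198.51.100.7", "SYN")] * 40
    + [("198.51.100.8", "SYN")] * 25
)


def half_open_by_source(packets):
    """Per-source count of SYNs minus ACKs (the half-open backlog per source)."""
    syn, ack = Counter(), Counter()
    for src, flag in packets:
        if flag == "SYN":
            syn[src] += 1
        elif flag == "ACK":
            ack[src] += 1
    return {src: n - ack[src] for src, n in syn.items() if n - ack[src] > 0}


def total_half_open(packets):
    """Server-wide half-open count: the signal that survives source spoofing."""
    return sum(half_open_by_source(packets).values())


def syn_flood_alert(packets, per_source_limit=20, total_limit=50):
    """Return (alert, offending_sources).

    A flood is flagged when the total backlog of half-open connections reaches
    total_limit; per-source counts are reported separately so that blocking
    can be applied when the sources are not spoofed.
    """
    per_source = half_open_by_source(packets)
    offenders = sorted(src for src, n in per_source.items() if n >= per_source_limit)
    return sum(per_source.values()) >= total_limit, offenders


if __name__ == "__main__":
    print(syn_flood_alert(SAMPLE_PACKETS))
```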

Hackers often combine these three types of attack to hit a target from multiple fronts.

What are the prevention mechanisms available against DDoS?

Companies should create a DDoS response plan and a team to execute it in case of an attack. Below are two strategies for detecting and mitigating DDoS attacks:

Destination-based traffic shaping mitigation by enhancing the network architecture

Locate servers in different data centers, and put those data centers on different networks. Then, if a server in one data center is attacked, a server in another can take the load.

Source-based automatic defense against DDoS attacks

Automation saves response time when you are under a DDoS attack. A DDoS prevention system should do the following:

Before the DDoS attack

The system should use machine learning to learn what it is protecting and to record the application’s behavior under healthy conditions. We continuously profile the application and derive a policy from that profile. Any deviation from the policy (behavioral deviation), for example in data rate or requests per second, helps us detect a DDoS attack.

During the DDoS attack

Automation must follow the predefined policies, redirect traffic, and apply mitigation strategies to counter the attack while minimizing the impact on legitimate users.

The system should also dynamically analyze the attack pattern using machine learning to extract the botnet’s behavior. Many DDoS attacks are carried out by hired attackers who reuse the same infected devices attack after attack. DDoS threat researchers have compiled threat lists of IP addresses of known malware-infected bots that took part in earlier DDoS attacks around the world; this is known as IP reputation. Threat intelligence and the reuse of botnets are the key to detecting and blocking DDoS traffic in real time.
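The two checks described in the "Before the DDoS attack" and "During the DDoS attack" sections, combined in an added example that is not part of the original article: a requests-per-second policy derived from a constructed healthy-period profile, a deviation check against it, and a filter against a constructed IP reputation list (placeholder RFC 5737 addresses, not real indicators).

```python
import statistics
from collections import Counter

# Constructed healthy-period profile: requests per second over 60 quiet seconds.
HEALTHY_RPS = [48, 52, 50, 47, 55, 51, 49, 53, 50, 48] * 6

# Constructed IP reputation list (placeholder RFC 5737 addresses, not real IoCs).
KNOWN_BOTNET_IPS = {"198.51.100.23", "198.51.100.77"}

# Constructed requests seen in one second during an attack: (client_ip, path).
LIVE_SECOND = (
    [("203.0.113.5", "/"), ("203.0.113.9", "/login")]
    + [("198.51.100.23", "/search?q=a")] * 300
    + [("198.51.100.77", "/")] * 200
)


def build_policy(rps_samples, sigmas=4):
    """Derive a rate policy from the healthy profile: the mean and an upper
    bound of mean + sigmas * stdev for requests per second."""
    mean = statistics.mean(rps_samples)
    stdev = statistics.pstdev(rps_samples)
    return {"mean": mean, "max_rps": mean + sigmas * stdev}


def rate_deviation(policy, requests):
    """True when this second's request count breaks the policy bound."""
    return len(requests) > policy["max_rps"]


def split_by_reputation(requests, reputation):
    """Separate requests from known-bot sources (blocked) from the rest."""
    blocked = [r for r in requests if r[0] in reputation]
    allowed = [r for r in requests if r[0] not in reputation]
    return allowed, blocked


def evaluate_second(policy, requests, reputation):
    """Combine the behavioral check and the reputation check into one verdict."""
    allowed, blocked = split_by_reputation(requests, reputation)
    return {
        "deviation": rate_deviation(policy, requests),
        "blocked": len(blocked),
        "allowed": len(allowed),
        "top_sources": Counter(ip for ip, _ in requests).most_common(2),
    }


if __name__ == "__main__":
    print(evaluate_second(build_policy(HEALTHY_RPS), LIVE_SECOND, KNOWN_BOTNET_IPS))
```

The top-source list is what a real system would feed back into its reputation data, since the article's point is that the same infected devices show up attack after attack.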

This system should also be able to generate reports so that all stakeholders can understand what happened and take corrective action. The key point is that attackers continuously invent new ways to perform DDoS attacks, so the automatic DDoS defense mechanism must also be kept up to date and ready to fight them.

A source-based mitigation strategy is computation-intensive, but it is worthwhile where you want to keep your legitimate users served.

Conclusion

We have learned what a DDoS attack is, how it works, and how to detect and prevent one. Prevention is better than cure. A firewall alone cannot stop DDoS attacks, but it can be integrated with a DDoS detection and prevention system. There are many cloud-based DDoS detection and prevention services on the market; you can use them to protect your application or system from DDoS attacks.