Everything you need to know about distributed denial-of-service attacks
DDoS – or distributed denial-of-service attacks – first came to prominence in the late 1990s. Even now, they are one of the biggest threats to any organization doing business on the internet.
What is DDoS?
Distributed denial-of-service (DDoS) attacks are a way of attacking online infrastructure, including websites and online applications, by overwhelming the host servers.
This prevents legitimate users from accessing the services.
The term ‘distributed’ refers to the way these attacks invariably come from a large number of compromised computers or devices.
“They can be a relatively simple type of attack to trigger and for sites without enough protection very effective”, Gemma Allen, senior cloud security architect at Barracuda Networks, told The Daily Swig.
The aim is to interrupt normal operation of the application or site, so it appears offline to any visitors.
“A DDoS puts so much traffic in the queue that your browser thinks the site is offline, and gives up,” says Brian Honan, Dublin-based security expert at BH Consulting. “The legitimate traffic can’t get through.”
What are the aims of a DDoS attack?
The purpose might be blackmail, to disrupt a rival business, a protest (DDoS attacks are frequently associated with hacktivist groups) or as part of a nation-state backed campaign for political, or even quasi-military aims.
The 2007 DDoS attack on Estonia was directed by a nation state actor, for instance – in this case with links to Russia.
Security researchers also point to DDoS attacks being used as a diversion, allowing hackers to launch other exploits against their targets, for example to steal data. This is what is believed to have happened during the attack on UK mobile operator TalkTalk in 2015.
And, as Tim Bandos, vice president of cybersecurity at Digital Guardian, warns, DDoS attacks are not limited to online applications or websites. Any internet-connected device is at risk.
That broadens the attack surface to critical national infrastructure, including power and transportation, and the internet of things (IoT) devices.
How does a DDoS attack work?
“In their simplest form, DDoS attacks work by flooding a service with more of something than it can handle,” says Barracuda’s Allen.
“Of course, in reality, it’s not this simple, and DDoS attacks have been created in many forms to take advantage of the weaknesses.”
Allen explains that an attacker will start out with a discovery phase, setting out to identify weakness in the target site or application. They might even use a different form of DDoS to cover up that activity.
Then the attacker choses the best tool to exploit the site. They might buy an exploit on the dark web, or create their own.
On their own, though, most denial-of-service malware will have a limited impact on a well-resourced server. A DDoS attack works by operating at scale.
DDoS attacks work by flooding a service with more traffic than it can handle
As Joseph Stalin supposedly said of the Red Army during WW2, “quantity has a quality all [of] its own”. So with DDoS. The exploits themselves are simple, but launch enough of them and they will overwhelm even the best systems.
To do this attackers build, or buy, a large enough “Zombie network” or botnet to take out the target. Botnets traditionally consisted of consumer or business PCs, conscripted into the network through malware. More recently, internet of things devices have been co-opted into botnets.
“If we look at the DynDNS attack of 2016, one of the largest DDoS attacks to date, the attack occurred in phases,” says Allen.
“It first appeared in a single region and then expanded to a concerted global effort from millions of computers that had been breached and turned into a botnet.”
Types of DDoS attacks
A DDoS attack ranges from the accidental – genuine users overwhelming the resources of popular sites, such as in a ‘Reddit hug of death’ – to sophisticated exploits of vulnerabilities.
Simple attacks include the ‘Ping of Death’ – sending more data to the host than the Ping protocol allows, or Syn Flood, which manipulates TCP connection handshakes.
More recent and sophisticated attacks, such as TCP SYN, might attack the network whilst a second exploit goes after the applications, attempting to disable them, or at least degrade their performance.
James Smith, head of penetration testing at Bridewell Consulting, points to three common forms of DDoS attacks:
- Volumetric attacks
- Protocol attacks
- Application (layer) attacks
“All of these render the targets inaccessible by depleting resources in one way or another,” he tells The Daily Swig.
One of the largest, and most damaging, forms of DDoS is now the UDP amplification attack. UDP is spoof-able. And, as Corey Nachreiner, chief technology officer at WatchGuard Technologies points out, very small UDP requests can generate large bandwidth attacks.
RELATED Nation-state threat: How DDoS-over-TCP technique could amplify attacks
“UDP amplification gives threat actors asymmetric DDoS power,” he tells The Daily Swig. “The most recently discovered UDP amplification attacks can magnify the traffic of one host by a factor of 10,000 or more. When combined with traditional botnets, this gives attackers enough DDoS power to affect ISPs.”
A botnet attack is believed to hold the current DDoS record, flooding Russian tech giant Yandex with nearly 22 million HTTP requests per second in 2021 – a technique called HTTP pipelining.
This eclipsed the previous record held by a memcached UDP amplification attack – which doesn’t need botnets – since 2018. It notched 1.7tbps of bandwidth.
In 2021, The Daily Swig reported on a novel type of DDoS attack that could allow nation-state actors to censor internet access and target any website by abusing middleboxes.
Researchers from the University of Maryland and the University of Colorado Boulder used an artificial intelligence algorithm to reveal the technique, which is, they say, the first TCP-based DDoS amplification attack of its kind.
Ransom-related DDoS attacks, where attackers promise to halt assaults if victims pay a ransom, are also on the rise.
What is the impact of a DDoS attack?
A DDoS attack affects victims in a number of ways:
- Damage to reputation
- Damage to customer trust
- Direct financial losses
- Impact on critical services
- Impact on third parties and ‘collateral damage’
- Data loss
- The direct and indirect cost of restoring systems
Recent DDoS attacks
Not all DDoS attacks are in the public domain, but here are some that made the headlines:
- Yandex, August-September 2021: The Russian tech giant said it managed “to repel a record attack of nearly 22 million requests per second,” adding: “This is the biggest known attack in the history of the internet”
- Undisclosed financial company, July 2021: Cloudflare, a provider of DDoS protection services, said a client was subject to the then largest-ever recorded attack – a botnet assault that, at 17.2 million requests-per-second, was three times faster than the previous known record
- EXMO, February 2021: The UK-based cryptocurrency exchange was knocked offline by a “massive” DDoS attack that drove 30GB of traffic per second
- New Zealand stock exchange NZX, August 2020: The stock exchange was hit by a series of attacks that took services down for two days in a row
- Wikipedia, September 2019: The site was subject to a three-day long attack, which took it offline in EMEA and slowed it down in the US and Africa
Last updated: September 2021
What is the cost of a DDoS attack?
According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million.
Another report, by the Ponemon Institute, found that a DDoS attack will cost an average of $22,000 for every minute of downtime that results.
The exact cost of a DDoS attack will, though, depend on the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy. This could range from a few tens of thousands of dollars to millions.
In the case of a nation-state attack or an attack on critical national infrastructure, the cost could be far higher – leading to social unrest or even the loss of life.
So far, no deaths have been attributed directly to DDoS attacks, but the economic impact is all too real.
Read more of the latest DDoS attack news from The Daily Swig
How long does a DDoS attack last?
Again, this depends on the attacker, the target, and their defenses. An attack might succeed in just a few moments, if the victim’s servers have few defenses. Attacks can typically last up to 24 hours but around nine in 10 finish within an hour, according to Cloudflare.
A mammoth DDoS attack against against GitHub in 2018 – the largest ever until 2021 – only lasted about 20 minutes, due to the effectiveness of the site’s defenses.
If an attack does not take down the target in 24 hours, it does not mean the victim’s sites or applications are safe. Attackers can simply move on to another botnet, and try again with more data, or by using a different range of exploits.
The biggest-ever-DDoS attack clocked nearly 22 million HTTP requests per second
Are DDoS attacks illegal?
“In the UK the Computer Misuse Act 1990 ‘makes it illegal to intentionally impair the operation of a computer or prevent or hinder access to a program/data on a computer unless you are authorized to do so’. As a result, these types of attacks are criminal under UK law,” says Bridewell Consulting’s Smith.
But law enforcement can only act if they can find the attacker. “The biggest challenge can be finding the people to prosecute,” says Barracuda’s Allen.
“The attacks are distributed and the attacking devices are often unwitting parties. The true attackers are hard to trace and while they may claim an attack, it’s not like they give out their real names.”
How to prevent a DDoS attack from happening
Dozens of vendors offer web application firewalls (WAFs), often directly through hosting providers, with the cost starting at just a few dollars a month. Businesses can also implement hardware-based DDoS mitigation hardware, at their network edge.
At the enterprise scale, the large distributed network companies, such as Akamai and Cloudflare, offer high-end, distributed DDoS protection. So do vendors, such as Verisign, HPE, and Cisco.
The most basic defense against DDoS is a DIY approach, monitoring and then shutting down requests from suspect IP addresses.
Although this approach is largely free, Brian Honan warns it is unlikely to be effective, especially against sophisticated, large-scale attacks. He also recommends that organizations place their defenses as far away as they can from their servers.
“You might be able to deal with a DDoS in your datacenter, but all of your internet pipe will be used up. So it is questionable how effective that will be,” he said.
Planning is another key element of any DDoS mitigation strategy.
“Having a plan and procedure in place in case of a DDoS attacks is paramount and having monitoring capabilities in place to detect attacks is highly advised,” says Bridewell’s James Smith.
“Organizations also need to have a well implemented patching policy and ensure anything externally facing is up-to-date to help guarantee that any service software that may contain DDoS vulnerabilities is patched in a timely manner.”