What is a DDoS Attack?

In general, a DDoS attack is a type of cyber attack that uses large numbers of computers and huge volumes of traffic to overwhelm a server or network, slowing it or rendering it completely unresponsive. DDoS attacks generally require that the attacker control thousands, tens of thousands or hundreds of thousands of computers – usually owned by normal, unsuspecting consumers all over the world – and create their own network out of these “zombie computers.” That large network of computers is then used to focus traffic, such as a simple request to view a web page or something more malicious, on a single target or group of targets. The targeted servers or networks, not designed to handle simultaneous requests from such large numbers of systems, often get bogged down or stop responding completely. The amount of traffic generated by these attacks is immense.

Though there are multiple variants of DDoS attacks, the four “main” variants are as follows:

Flooding or Volumetric Attack

A flooding attack sends a large amount of traffic to a victim network to congest the network with traffic. With enough traffic (which today is much easier to generate through the use of botnets and other DDoS attack tools), the flood crashes the victim network so legitimate users cannot access their accounts or make purchases online.

Amplification Attack

A different kind of DDoS attack, which “manipulates publicly-accessible domain name systems, making them flood a target with large quantities of UDP (user datagram protocol) packets. Using various amplification techniques, perpetrators can ‘inflate’ the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.” Often the attacking packets are spoofed (or faked) in order to hide the origin of the attack, or to defeat potential firewall defenses.
Resource Depletion Attack

Similar to an amplification attack, a resource depletion attack floods the victim server with bogus information packets to seize up the server, so it cannot respond to legitimate requests for information.

Diversion or Ransom Attack

Lastly, in this attack vector, the attacker launches a DDoS attack against the victim’s servers to distract the security team and incident responders while the attacker uses different methods to penetrate the network. One popular variant of this attack is to flood the victim’s servers constantly until they pay a ransom (normally in untraceable bitcoin). A second variant is to divert the incident response team with a large-scale DDoS attack while implanting malware or Trojans on the network designed to steal data, information or PII, or to exploit a known vulnerability.
Defending Against DDoS Attacks

Defending against a concentrated and sustained DDoS attack can be akin to defending against a 4 on 1 “fast break” in a full court game of basketball – there are too many attackers and not enough of you. Your defenses are completely overwhelmed, and the attackers are headed to the basket for an easy score. Though it’s not always possible to defend against a large, organized DDoS attack without some impact to the targeted network, there are strategies that can help mitigate the effects of even the most vicious DDoS attacks:
- Recognize the signs of a DDoS attack: the first and best defense against a DDoS attack is the ability to recognize it early. Unfortunately, not all DDoS attacks are easy to distinguish from normal spikes in network or web traffic, or a sudden slowdown in network performance. Invest in the right technology, expertise and training to help you tell the difference, or use an anti-DDoS service as discussed below.
- Incident response planning: Be ready with a great incident response program and include in it a DDoS mitigation plan.
- Contact your ISP: If your company is feeling the effects of a DDoS attack, it is likely affecting your ISP as well. Call your ISP to see if they can detect DDoS attacks and re-route your traffic in the event of an attack rather than wait for you to call for support. When choosing an ISP, inquire whether any DDoS protective services are available, and consider whether you might want to engage a backup ISP to keep your business running in the event of an attack.
- Have your threat intel handy: Half the battle in today’s environment is knowing what to look for. What are the potential indicators of compromise that an attack is underway? What threat vectors are most popular? And how are your peers responding to those attacks? Join your local ISAC, use a threat intel service provider, or network with your peers to understand the source of threats and attacks.
- Other Mitigation Defenses and Tools: There are two tools that companies should consider in addition to standard signature-based firewalls and routers (to reject known bad traffic) when thinking about mitigation strategies: (1) Load balancers to balance traffic across multiple servers within a defined network with the goal of creating additional network availability, and (2) a cloud-based anti-DDoS solution to filter or divert malicious DDoS traffic.
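The first item above says that recognizing an attack early is the best defense, and the attack-type descriptions earlier note two signatures worth watching for: a sudden packet rate far above a destination's normal baseline, and large UDP responses arriving from reflector service ports (DNS, NTP and similar) at a port the victim never queried. The script below is an added example, not code from the original article: it reads a few constructed packet-sample records, compares each destination's rate against a (constructed) per-host baseline, and labels a spike as "amplification", "volumetric" or a plain "spike" to investigate. The record format, the baseline numbers, the thresholds and the set of reflector ports are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Well-known service ports that commonly appear as the *source* port of reflected
# amplification responses (DNS, NTP, SSDP, memcached). Assumed watch list for this example.
AMPLIFICATION_PORTS = {53, 123, 1900, 11211}
LARGE_UDP_BYTES = 1000   # assumed size above which a UDP reply counts as "large"

# Constructed packet-sample records (not taken from any real capture).
# Fields: epoch_second src_ip src_port dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
1000 10.0.0.5 51234 192.0.2.10 443 TCP 600
1000 10.0.0.6 51235 192.0.2.10 443 TCP 700
1001 10.0.0.7 51236 192.0.2.10 443 TCP 550
1002 10.0.0.5 51237 192.0.2.10 443 TCP 620
1010 198.51.100.1 53 192.0.2.20 7777 UDP 3900
1010 198.51.100.2 53 192.0.2.20 7777 UDP 4100
1010 198.51.100.3 123 192.0.2.20 7777 UDP 4400
1011 198.51.100.4 53 192.0.2.20 7777 UDP 3800
1011 198.51.100.5 1900 192.0.2.20 7777 UDP 2900
1011 198.51.100.6 53 192.0.2.20 7777 UDP 4000
1011 198.51.100.7 11211 192.0.2.20 7777 UDP 4300
1012 198.51.100.8 53 192.0.2.20 7777 UDP 3950
1020 203.0.113.1 40001 192.0.2.30 80 TCP 60
1020 203.0.113.2 40002 192.0.2.30 80 TCP 60
1020 203.0.113.3 40003 192.0.2.30 80 TCP 60
1020 203.0.113.4 40004 192.0.2.30 80 TCP 60
1021 203.0.113.5 40005 192.0.2.30 80 TCP 60
1021 203.0.113.6 40006 192.0.2.30 80 TCP 60
1021 203.0.113.7 40007 192.0.2.30 80 TCP 60
1021 203.0.113.8 40008 192.0.2.30 80 TCP 60
1022 203.0.113.9 40009 192.0.2.30 80 TCP 60
1022 203.0.113.10 40010 192.0.2.30 80 TCP 60
1022 203.0.113.11 40011 192.0.2.30 80 TCP 60
1022 203.0.113.12 40012 192.0.2.30 80 TCP 60
"""

# Constructed "normal" packets-per-second for each host, e.g. learned from a quiet week.
BASELINE_PPS = {"192.0.2.10": 2.0, "192.0.2.20": 0.05, "192.0.2.30": 0.1}


def parse_flows(text):
    """Turn the whitespace-separated sample records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def summarize(flows, window=10):
    """Aggregate per (destination, time window): packets, bytes, distinct sources,
    and how many packets look like large reflected UDP responses."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "amp": 0})
    for f in flows:
        b = buckets[(f["dst"], f["ts"] // window * window)]
        b["packets"] += 1
        b["bytes"] += f["bytes"]
        b["sources"].add(f["src"])
        if f["proto"] == "UDP" and f["sport"] in AMPLIFICATION_PORTS and f["bytes"] >= LARGE_UDP_BYTES:
            b["amp"] += 1
    return buckets


def classify(bucket, baseline_pps, window=10, spike_factor=5, min_sources=5, amp_share=0.6):
    """Label one bucket. Rate below spike_factor x baseline is normal traffic; above it,
    the share of reflector-port packets and the number of distinct sources decide the label."""
    pps = bucket["packets"] / window
    if pps < spike_factor * baseline_pps:
        return "normal"
    if bucket["amp"] / bucket["packets"] >= amp_share:
        return "amplification"      # large UDP replies from DNS/NTP/... ports we never queried
    if len(bucket["sources"]) >= min_sources:
        return "volumetric"         # elevated rate spread over many sources (botnet-like)
    return "spike"                  # elevated rate from few sources: investigate, may be legitimate


def analyze(text, baselines, window=10):
    """Return the most severe label seen for each destination across all windows."""
    severity = {"normal": 0, "spike": 1, "volumetric": 2, "amplification": 2}
    verdict = {}
    for (dst, _start), bucket in summarize(parse_flows(text), window).items():
        label = classify(bucket, baselines.get(dst, 1.0), window)
        current = verdict.setdefault(dst, "normal")
        if severity[label] > severity[current]:
            verdict[dst] = label
    return verdict


if __name__ == "__main__":
    for dst, label in sorted(analyze(SAMPLE_FLOWS, BASELINE_PPS).items()):
        print(f"{dst}: {label}")
```

The baseline comparison is what separates an attack from the "normal spikes in network or web traffic" the article warns about: a host that is busy every day has a high baseline and is not flagged, while a host that normally sees almost nothing is flagged on a modest absolute rate. In practice the baselines would come from historical flow data and the thresholds from tuning against false positives; the reflector-port check only covers the amplification variant, so the distinct-source count remains the general signal for a flood.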
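The last item above mentions firewalls that reject known bad traffic and cloud-based services that filter DDoS traffic. One of the basic building blocks such filters use is a per-source rate limit: each sender gets a token bucket that refills at a fixed rate, so a client sending at a reasonable pace always passes while a single host blasting far above that pace has most of its packets dropped. The code below is an added example, not the article's or any vendor's implementation; the rate, burst size and the constructed packet timings are assumptions for illustration.

```python
class SourceRateLimiter:
    """Per-source token bucket: a source may send `rate` packets/s sustained,
    with bursts of up to `burst` packets. Assumed illustrative parameters."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}   # src -> (tokens, last_seen)

    def allow(self, src, now):
        """Return True if a packet from `src` at time `now` may pass, else False."""
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last packet
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)      # keep the partial refill, drop the packet
        return False


def filter_packets(packets, rate=4.0, burst=10):
    """Run (timestamp, src) packets through the limiter; return {src: (passed, dropped)}."""
    limiter = SourceRateLimiter(rate, burst)
    counts = {}
    for ts, src in sorted(packets):
        passed, dropped = counts.get(src, (0, 0))
        if limiter.allow(src, ts):
            passed += 1
        else:
            dropped += 1
        counts[src] = (passed, dropped)
    return counts


# Constructed traffic: one host sending 8 packets/s for 5 s (twice the limit),
# and one ordinary client sending one packet per second.
FLOOD_SOURCE = "203.0.113.9"
NORMAL_CLIENT = "10.0.0.5"
SAMPLE_PACKETS = [(i * 0.125, FLOOD_SOURCE) for i in range(40)] + \
                 [(float(t), NORMAL_CLIENT) for t in range(3)]

if __name__ == "__main__":
    for src, (passed, dropped) in filter_packets(SAMPLE_PACKETS).items():
        print(f"{src}: passed={passed} dropped={dropped}")
```

With these numbers the ordinary client loses nothing, and the flooding host gets its initial burst through and then only the sustained 4 packets/s the bucket refills. The caveat the article's amplification section already points at: a limit keyed on source address only helps when the source is honest. Spoofed or reflected floods spread across many addresses, each under the limit, which is why the article pairs local filtering with ISP-level and cloud scrubbing that can absorb or divert traffic upstream.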