What is a DDoS Attack?

There are 16 DDoS attacks per minute. Are your network resources safe? Learn how DDoS attacks work and to protect against them.

admin

21.11.2021

18 min read

A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the normal flow of traffic to a network by flooding it with incoming traffic. 

DDoS attacks begin at multiple starting points to drive excessive bot traffic to a web server, which will block actual customers from being able to use it.

The goal of the DDoS attack is to send multiple requests to the compromised site that will exceed the capacity limit and can ultimately shut the entire site down.

There are 16 DDoS attacks per minute and over 23,000 recorded attacks per day. DDoS attacks date back to the mid 90s, and have increased by a staggering 151% in the first half of 2020 alone. 

Since the goal of a DDoS attack is to block traffic to the website, there can be detrimental business impact of DDoS attacks.

This can include a loss of revenue of up to $20,000-$40,000 per hour. Legit customers or genuine traffic will be blocked from accessing the company’s website due to the volume of requests slowing down the servers.

Looking to prevent DDoS Attacks?

How Does a DDoS Attack Work?

A DDoS attack is designed to overwhelm the system with requests and push the capacity limit to a point where it cannot receive any more requests from legitimate sources trying to access them.

When the number of requests exceeds the capacity, the website is limited and can shut down entirely. The level of service will suffer by either slowing down response times, or the requests won’t go through at all.

When a cybercriminal is intending to execute a large DDoS attack, they will typically perform a botnet DDoS attack. This is when an attacker wants to send a very large amount of requests to a victim’s website through a bot network of computers, also referred to as a “zombie network.”

During a botnet DDoS attack, the cybercriminal will have complete control over all of the overtaken computers which can create major problems for businesses in terms of both downtime and production. 

The DDoS attack’s main goal is to steal information by shutting off access to the website. A DDoS attack can not only take down a small business, it can also create havoc for a high-profile organization such as Amazon. 

In February of 2020, AWS claimed it mitigated a record-breaking 2.3 Tbps DDoS attack via AWS Shield which is Amazon’s DDoS protection service. And to put things into further perspective, a single minute of downtime can cost the e-commerce giant as much as $220,318.80.

How Long Do DDoS Attacks Last?

A distributed denial of service or DDoS attack can last up to 24 hours or until it is detected. An average DDoS attack can take hours to detect which translates to a loss of productivity and according to a recent survey, up to $100,000 in losses due to downtime for large scale enterprises. 

If left undetected for longer periods of time, a DDoS attack can have serious financial repercussions and severe damages to an organization’s reputation. What’s even more troubling is how much a DDoS attack sells for on the dark web. Any anxious attacker can simply hire out a DDoS as a service for as little as $10 per hour or fork out $1,400 to purchase exploit kits on the dark web.

How To Identify a DDoS Attack

Unfortunately, there aren’t any warning signs before a DDoS attack hits. Sometimes the attacker may send threats or demand a ransom with a targeted letter towards the victim stating that the attack might occur on a certain day and time. Other times the attack is carried out without warning and can linger around for hours before it is finally detected.  

Typically, a business will not see DDoS attack signs until a customer says something. Business owners don’t sit around on their own website refreshing the page to ensure things are working at all times.

Regardless of the motive of the attacker, it is important to understand the DDoS attack signs and practice DDoS attack detection techniques to keep your website safe.

When an administrator checks the server, a DDoS attack will not be outright detectable. It will only look as if the website is experiencing very heavy traffic. 

By the time an organization notices the DDoS attack signs, the damages may have already been done. This interruption in service can cause hours of missed income and customer service requests affecting business profit and reputation.

Businesses can make a DDoS attack detection checklist and pay close attention to any of these issues. The following are the most common issues to keep an eye out for:

• An IP address making multiple requests over only seconds of time
• A server response of 503 due to service outages
• The TTL (time to live) on a ping request timed out
• Employees noticing things are slowing down on their end
• Log analysis presenting a large and unusual spike in traffic

If any team member in the organization notices these critical clues, they must act quickly and create a full mitigation response plan.

Types of DDoS Attacks

There are a few different common types of DDoS attacks to be on the lookout for. They can be broken down into three types:

Volume Based Attacks

Volume-based DDoS attacks, the most common of the three attack types, flood a website’s available bandwidth. They are typically targeted toward enterprises and prevent legit traffic from entering. 

Volumetric-based attacks include UDP floods which overwhelm random ports on the host with IP packets containing User Datagram Protocol (UDP) packets, Internet Control Message Protocol (ICMP) floods aka Ping flood attacks which overwhelm targeted devices, and other spoofed-packet floods.

Protocol Attacks

The goal of Protocol attacks is to exhaust the server resources rather than the bandwidth. These attacks include SYN floods (known as half-open attacks) which send massive SYN requests to a server via TCP connection, fragmented packet attacks which break down IP packets and transmit them across a network, Ping of Death, and Smurf DDoS attacks (flooding the ICMP). 

Protocol attacks consume actual server resources or those intermediate communication equipment like firewalls and load balancers. It is measured in packets per second. Protocol attacks go after an organization’s network infrastructure bit by bit in order to consume all the resources needed.

Application Layer Attacks

Application layer DDoS attacks target specific vulnerabilities within an application itself. They are also known as a Layer 7 attack from the OSI Model which can bring down servers and require far less bandwidth to carry out the attack.   

Application layer attacks are extremely difficult to detect and are measured in requests per second (Rps). Examples of these attacks include SQL injections, HTTP floods, BGP (Border Gateway Protocol) hijacking or when traffic is maliciously rerouted by impersonating network prefixes, and Slowloris which allows one machine to take down another machine’s servers.

SYN Flood

In a SYN Flood DDoS attack, the attacker exploits weaknesses in the TCP connection sequence. They send multiple SYN requests but do not respond back to the host. Or, the SYN request is sent from a spoofed IP address. The host system will then wait for a response from the SYN, which will tie up resources and waste time where new connections with actual clients cannot be made, thus resulting in a denial of service.

UDP Flood

A UDP flood is any DDoS attack that floods a victim with User Datagram Protocol (UDP) packets. The attack will flood random ports on a remote host, and the host will have to continue to check the post and reply with a packet, but it is going to an unreachable destination. This will deplete resources, making the host unavailable to actual customers.

HTTP Flood

In an HTTP flood DDoS attack, the attacker will exploit seemingly legitimate HTTP GET or POST requests to attack a web server. This type of DDoS attack doesn’t use the typical techniques such as spoofing, packets, or reflection. So, this type of DDoS attack requires much less bandwidth than other attacks to take down the target. It is most effective when it forces the server to use the maximum amount of resources possible during a request.

ICMP Flood (Ping of Death)

ICMP Flooding, otherwise known as the ping of death, involves the attacker sending multiple malformed or malicious pings to a computer. The max packet length of an IP packet is 65,535 bytes. 

In a ping of death, the recipient ends up with a packet that is larger than 65,535 bytes when it is reassembled. This will overflow the memory buffers for the packet, which will cause a denial of service.

Slowloris

The Slowloris attack is highly targeted. It enables one web server to take down another one without affecting other services and ports on the network. It does this by holding connections on the server open as long as possible, making it unable to create new connections while it is tied up.

It sends more HTTP headers, but never completes the request. The Slowloris chooses a targeted server, and it keeps all of these connections open for as long as possible, leading to a denial of service from actual clients.

NTP Amplification

In an NTP Amplification attack DDoS, the cybercriminal exploits a publicly accessible network time protocol (NTP) to overwhelm a server with UDP traffic. It is called an amplification attack DDoS because the ratio of a query to response is anywhere between 1:20, 1:200 to more.

What is a DNS Amplification Attack?

A domain name system or DNS is a database that stores internet domain names and translates them into IP addresses. It Is important to know how to protect DNS servers from DDoS attacks.

A DNS DDoS attack is typically a two-step attack where the attacker manipulates an open DNS server using spoofed IP addresses to trick the server into letting them in. It will send massive requests to the DNS servers in an attempt to overload it. The DNS server replies to the requests which will start off the attack on the targeted victim.

Large amounts of traffic will blast the victim’s server and end up being larger than the spoofed request, which is why it is named the DDoS DNS amplification attack. The targeted company will usually be blocked from accessing any of their data which can cripple their systems and prevent actual traffic from accessing the server. 

A DDoS DNS reflection attack will mimic typical responses to the server, and they will generally look very similar. A pattern detection tool can be used to flag them and remove unwanted and potentially dangerous replies.

To protect the DNS server from a DDoS attack, organizations should block all unsolicited DNS replies and only allow replies from internal clients. 

DNS best practices include: 

• Use Active Directory (AD) Zones for easier deployment of multiple DNS servers
• Have at least two internal DNS servers to ensure that critical services are running
• Hide DNS servers and DNS information so sensitive info won’t be publicly visible
• Use DNS filtering to prevent access to unauthorized and potentially malicious websites
• Configure Access Control Lists (ACL) to protect against spoofing attacks

Anonymous DDoS Attack

The Anonymous group is synonymous with DDoS attacks. They are a ‘hacktivist’ group that has executed some very large DDoS attacks over the years including an attack on a CIA website in 2012. 

A DDoS attack by Anonymous typically targets political parties. The anonymous group does not have a centralized leader and anyone can join, which makes them all the more dangerous. The tools they have created can be used by even the most basic internet user.

The Anonymous group has made DDoS programs publicly available. The Anonymous DDoS attack tool or Anonymous ping tool is available free for download.

It includes tutorials and gives anyone with access to the internet the ability to run a DDoS attack on a target. The amount of effort is also very minimal. In fact, you don’t even have to possess any prior DDoS or DNS knowledge to execute the attack.

Advanced Persistent DDoS

An advanced persistent DDoS attack or APDDoS is an advanced persistent threat (APT) and requires specialized DDoS mitigation. These types of attacks can last for weeks at a time. The longest on record is 38 days.  

An attacker will attempt to penetrate as many infected computers as possible through malicious code such as SQL injection. Flood attacks can be launched to targeted IPs and slowly bring down a company’s servers and ultimately their entire network.

Zero Day DDoS Attack

A Zero Day DDoS Attack is any attack that is unknown or new. These types of attacks exploit vulnerabilities for which there are no patches yet. The term Zero Day DDoS attack is common amongst the hacker community, and they trade different vulnerabilities with each other to attack various systems. 

Zero-day exploit kits are routinely available on the dark web with prices ranging upwards of $300,000. Although, interestingly enough, hackers who sell Zero-day exploit kits also look to score higher bug bounty fees and sell their kits to organizations as well. 

Organizations shell out top dollar to these so-called dark web brokers to look for and patch any vulnerabilities or bugs in their site or applications. 

Bug bounties are a big business, in fact. Google has paid out over $6.7 million on bug bounty rewards in 2020 to help improve the search giant’s security.

Looking to prevent DDoS Attacks?

DoS vs. DDoS: What Is the Difference?

The main difference between a DDoS attack and a DoS attack is that a Denial of Service Attack (DoS) floods a server with traffic and makes a website and resources unavailable. 

A Distributed Denial of Service Attack or DDoS uses multiple computers and machines to flood a targeted resource. 

Both attacks have the same goal in mind, which is to overload a server and interrupt services. Although both sound similar, there are differences between the two:

DoS Attack

A DoS attack comes from a single location while a DDoS attack comes from multiple locations, making them much easier to detect. A DoS attack can be prevented with a Firewall as a Service or FWaaS which blocks all harmful or unwanted IP addresses and is easy to configure. 

DoS attacks are also easier to trace as they come from a single location. Botnets make tracing an origin for a DDoS attack far more complex and time consuming.

DDoS Attack

A DDoS attack is able to disguise its origin because it comes from so many different locations and can be deployed quicker since it is coming from multiple places. 

The increased speed makes detecting it more difficult and causes more damage with a worse outcome. It uses multiple remote machines known as zombies or bots, making it harder to track. DDoS attacks can send out larger amounts of traffic from various locations at once to overload a server without detection. 

You must constantly monitor your network and run tests to simulate these types of attacks. Immediate action should be taken the second you notice any anomalies in traffic which should be a red flag for any IT administrator or data analyst.

What Is The Difference Between DoS and Brute Force Attacks?

A brute force DDoS attack is a method done by trial and error to hack into a system by guessing passwords. The idea is that they will eventually guess correctly and get into it. Attackers can also use dictionary attacks where they can guess from common passwords from a dictionary to more complex rainbow table attacks

A hacker can try 2.18 trillion password/username combinations in under 22 seconds. Brute force attacks can be prevented by using strong passwords and by monitoring unsuccessful login attempts from the same IP address.

Passwords should be changed routinely and should be different for various platforms or applications.  A Denial-of-Service (DoS) attack, on the other hand, is used to shut down servers and websites.

DoS attacks can be prevented by increasing security and implementing identity-based access rules using a Zero Trust approach.

Famous Examples of DDoS Attacks

The first DDoS attack occurred in 1996 when Panix which is now one of the oldest internet service providers you may have never even heard of was kicked offline by a SYN flood. Since then, there have been major DDoS attacks all over the world. These are the 5 most famous DDoS attacks:

AWS DDoS Attack of 2020

The Amazon Web Services (AWS) DDoS attack of 2020 was the most extreme DDoS attack in recent times. It targeted an unidentified AWS customer by utilizing the Connectionless Lightweight Directory Access Protocol (CLDAP) reflection.

This type of DDoS attack relies on third-party CLDAP servers and amplifies the data sent to the victim’s IP address, usually by 56 to 70 times.

This attack lasted three entire days. Although having AWS hit by a DDoS attack was a big deal, it was not as devastating as other attacks have been overall. The attack does show how extensive a DDoS attack can be, and why AWS DDoS attack mitigation is so important.

GitHub DDoS Attack in 2018

In February of 2018, the GitHub DDoS attack knocked the repository hosting giant out for almost 20 minutes. The traffic from the attack was measured at 1.3 Tbps and traced back to over a thousand different systems across tens of thousands of unique end points. 

The attack relied on UDP-based Memcached traffic, a tool used to cache data and reduce the number of times an external data source must be read.

The attackers used the tool to spoof IP addresses to send more data toward the intended target. Fortunately for GitHub, they were using a DDoS protection service.

The Dyn DNS DDoS Attack in 2016

Dyn is the home to many high-profile websites such as Netflix, PayPal, and Reddit. This attack was so massive users were unable to access these popular sites.

On September 30^th , 2016, the Dyn DNS DDoS Attack occurred. Someone who claimed to be the author of the Mirai software released the source code on hacker websites.

This allowed for the Mirai DDoS platform to be replicated and mutated and spread globally.Mirai was attacked by a one terabit per second traffic flood, which made it the largest DDoS attack in history at the time.

The Mirai botnet exploits vulnerabilities in IoT devices such as home appliances, medical devices, and vehicles. The founders, Paras Jha and Josiah White were both caught and sentenced for their bogus DDoS mitigation services.

Spamhaus DDoS Attack in 2013

Spamhaus is an organization based in Geneva and London that maintains databases of IP addresses, domain names, and other internet resources like spam, malware, and other cybercrimes. They specialize in anti-spam software.

The attack targeted Tier 1 providers and was traced back to a Dutch company called Cyber Bunker which targeted Spamhaus after the company blacklisted them for spam.

Six Bank DDoS Attack in 2012

The DDoS attack on Bank of America happened on March 12, 2021. 

Six U.S. banks were targeted: 

• Bank of America
• JP Morgan Chase
• US Bank
• Citigroup
• Wells Fargo
• PNC Bank

The attacks were carried out by hundreds of hijacked servers from a botnet called Brobot. Each attack generated over 60 gigabits of DDoS traffic per second At the time, the attacks were unique because of how persistent they were.

The cybercriminals used multiple attack methods on their victims and the attacks on the banks affected revenue, mitigation, expenses, customer service, and bank branding and image.
A hacking group named Izz ad-Din al-Qassam Cyber Fighters was behind the attack.

DDoS Attacks Today

DDoS attacks are increasing. In the first half of 2021 alone, there were a reported 5.4 million DDoS attacks. 

The most recent was the Meris botnet attack. This attack was carried out by a botnet consisting of an estimated 250,000 malware-infected devices that have been noted to be behind multiple attacks in the summer of 2021.

Russian search giant Yandex claimed it managed to repel a record attack of nearly 22 million requests per second (RPS) in September 2021. 

As attacks continue to evolve by the day and become more sophisticated, detection will become more of a challenge for IT and security teams.

DDoS Attack Cloud Computing

DDoS attacks are cloud-specific as they are distributed between multiple devices.

That being said, it is important to have protection in place for a cloud DDoS attack. Organizations must have on-premise mitigation and cloud-based security services to protect against volume attacks and application-level attacks. 

DDoS threats must be mitigated from outside the network before they get the chance to access the cloud. Organizations must set strong policies, enforce Multi-Factor Authentication, and have a strong Secure Web Gateway (SWG) in place.

Azure DDoS Attack Protection

Azure DDoS Protection is multi-layered and defends against Layer 7 application attacks and Cross-site scripting (XSS) attacks which affect web applications via malicious scripts.

Perimeter 81’s Always On VPN integration offers security across all devices, IP whitelisting, and Automatic WiFi security for remote workers.

AWS DDoS Attack Protection

AWS Shield (talk about how it is Amazon’s defensive tool against DDoS attacks. It is also used in Salesforce) 

AWS is Amazon’s defensive tool against DDoS attacks. The AWS Shield is a managed service that protects web applications against DDoS attacks at no extra cost to AWS users. It protects against SYN/ACK floods, Reflection Attacks, and HTTP slow reads. If you are using AWS, it is automatically applied.

The AWD Shield is also used to protect against a Salesforce DDoS attack.

Google Cloud DDoS Attack Protection

Google Cloud Armor mitigates against DDoS attacks and The OWASP Top Ten security risks, similar to Azure, protecting against XSS and SQL injection (SQLi) attacks.  

Google Cloud Armor offers reCAPTCHA Enterprise which protects against fraudulent activities such as credential stuffing, account takeovers, phishing, and spoofing. Google Cloud Armor offers support for hybrid and multi-cloud deployments.

Looking to prevent DDoS Attacks?

DDoS Attack Map

One way to try to stay ahead of DDoS attacks is to monitor a DDoS cyber-attack map. They are a valuable tool to keep your business ahead of the game. There are several websites that provide a DDoS cyber-attack map so you can get a visual of what is actually going on. 

The problem is most of the DDoS cyber-attack maps are not in real time. Some maps are advertised as being live, which is not true. They compile records of past attacks. The maps also only show DDoS attacks.

The maps may not be helpful for actively avoiding a DDoS attack, but they are useful to study past attack patterns and plan for the future.

DDoS Attack Tools

It is extremely important to have DDoS attack prevention tools in place to protect your business. There are many on the market, so you will need to research DDoS attack software to find what is best for your company. 

The following are some of the top-rated DDoS attack tools on the market:

• SolarWinds Security Event Manager (SEM) 
• Tor’s Hammer
• LOIC (Low Orbit Ion Cannon)
• XOIC (
• DDOSIM (DDoS Simulator)
• RUDY (R-U-Dead-Yet)
• PyLoris 

Who Is Behind DDoS Attacks?

There can be many different motives behind a DDoS attack. Reasons could include politics, revenge, financial gain, or activism. The finger is usually pointed at governments, terrorists, ex-employees, and hackers looking to make a quick buck.It’s important to get a better understanding of the psychology behind DDoS in order to prepare for future attacks. Whatever the motive may be, your security team should have a plan of action to mitigate against potential attacks.

How to Mitigate a DDoS Attack?

Even though they can be hard to trace, it is important to practice DDoS attack prevention and DDoS attack mitigation. Implementing DDoS attack software is the first step in learning how to stop DDoS attacks. Next is the detection and responding.

Detection

DDoS attack prevention starts with detection. Since a DDoS attack will blend in with normal website traffic, substantial network traffic information needs to be obtained. Once the attack is detected, DDoS attack mitigation can be executed.Detection can be done manually or automated by software using a DDoS attack protection firewall. The detection needs to be factual and incredibly accurate.

Response

Once the attack has been detected, there are steps that should be taken in response. Your organization should already have procedures in place for when a DDoS attack happens to save you time and energy when an attack occurs.Make sure you have contacts established to respond to and assist in fixing the attack. During a response, the DDoS attack prevention software responds to the identified threat by dropping the dangerous traffic and absorbing the normal traffic.

Routing

A good DDoS attack mitigation solution will reroute traffic and break up the massive amounts of bot traffic to prevent the DDoS attack from happening.

Analysis

The network will analyze traffic for patterns such as repeating IP blocks and repetitive messages. Once the patterns are noted, the DDoS prevention software can prepare for future attacks.

Organizations should have a trusted cloud-based mitigation service that protects against Hybrid DDoS attacks and can quickly analyze data from attack traffic.

How to Prevent DDoS Attacks with Perimeter 81’s Zero Trust Framework

When it comes to DDoS attack protection, you cannot afford to gamble with your network security.  Perimeter 81’s Zero Trust model provides organizations of all sizes with DDoS attack security measures by limiting user access on a “need to know” basis.

Secure all ports and layers with the highest level of encryption for remote access. Prevent DDoS attacks from harming your network and keeping potential customers away with Perimeter 81.

Discover why Perimeter 81 was recently named a Forrester New Wave™ ZTNA Leader helping companies from across the globe embrace the cloud.