DDoS attack

The Meaning Of DDoS Attacks

In a distributed denial of service (DDoS) attack, the attacker floods a target with massive amounts of unwanted Internet traffic, exhausting the target’s resources and preventing normal traffic from reaching its intended destination.

But what does this mean? Just imagine your favorite zombie movie. Swarms of infected creatures share the same goal: to spread the “zombie plague” and destroy the civilized world. They overwhelm the resources of law enforcement agencies, deplete military power, and disrupt medical services. Then people flock to the highway in order to escape, causing the inevitable serious traffic jam. The same goes for DDoS attacks: they are the “zombie apocalypse” of the online world. The threat is not zombies, however, but a large number of infected computers. They attack target websites at the same time, driving away users and businesses.

A DDoS attack against a company’s website, web application, API, network, or data center infrastructure can cause downtime and prevent legitimate users from purchasing products, using services, obtaining information, or otherwise accessing the service normally.

In a DDoS attack, the attacker uses a large number of compromised machines and devices connected to the Internet, including Internet of Things (IoT) devices, smartphones, personal computers, and web servers, to send a large amount of traffic to the target.

How does a DDoS attack work?

DDoS attacks use networks of Internet-connected devices to cut off the connection between users and servers or network resources (such as websites or applications that users frequently visit).

To launch DDoS attacks, attackers use malicious software or exploit security vulnerabilities to infect machines and devices and gain control of them. Each infected computer or device is called a “bot” or “zombie”, and it can further spread malware and participate in DDoS attacks. Together these bots form a zombie army called a “botnet”, which uses its numerical advantage to expand the scale of an attack. In addition, people often don’t notice that their IoT devices are infected. This is very similar to the troublesome zombie often found in zombie horror movies: the protagonists don’t even know that it has been infected. For IoT devices, this means that legitimate device owners become secondary victims or unknowing participants, while the victim companies still have difficulty identifying the attacker.

After the attacker has successfully established a botnet, he can remotely issue commands to each bot.

The botnet then launches a DDoS attack on the target system. When a botnet attacks a network or server, the attacker instructs the bots to send requests to the victim’s IP address. Just as each of us has a unique fingerprint, each device has a unique address that identifies it on the Internet or on a local network. The excessive traffic causes a denial of service, so that normal traffic cannot reach the website, web application, API, or network.

Sometimes, botnets and their bots are rented out to other people who intend to launch attacks, through “attack-for-hire” services. This allows malicious attackers with no training or experience to easily launch DDoS attacks on their own.

Types of DDoS attacks

DDoS attacks are divided into many different types, and attackers often mix multiple attacks to cause serious damage to the target. The three key types are volumetric attacks, protocol attacks, and application-layer attacks. The purpose of all of them is to seriously slow down legitimate traffic or prevent it from reaching its intended destination. For example, this may mean that users cannot access a website, purchase products or services, watch videos, or interact on social media. In addition, DDoS causes resource unavailability or performance degradation, leading to business stagnation. Employees may lose access to e-mail or web applications, or be unable to work as usual.

To explore how DDoS attacks work in more detail, let’s look at the different attack paths that attackers may take. The Open Systems Interconnection model, also called the “OSI model”, is a layered framework of network standards with seven different layers. Each layer of the OSI model has a unique purpose, just as each floor in an office building has a different business function. Attackers launch attacks at different layers according to the type of network or Internet-facing asset they want to disrupt.

The seven network connection layers in the OSI model involved in DDoS attacks

Layer 7: Application layer

The application layer is at the top of the OSI model, closest to the end-user. It is the place where people connect with computers and devices, and it is also where the network connects with applications.

Layer 6: Presentation layer

Both data encryption and decryption take place in the presentation layer to achieve secure transmission.

Layer 5: Session layer

The session layer allows devices, computers or servers to communicate with each other, and it controls ports and sessions.

Layer 4: Transport layer

At the transport layer, data is communicated through the Transmission Control Protocol (TCP), which is built on the Internet Protocol (IP); the combination is also known as TCP/IP.

Layer 3: Network layer

The network layer determines the physical path of the data to the destination.

Layer 2: Data link layer

The data link layer provides a way to transfer data between network entities. It is also used to detect and correct errors that may occur in the physical layer.

Layer 1: Physical layer

The first layer is called the physical layer, and it is also the lowest layer. Here, raw bits are transmitted over the physical data links connecting the various network nodes.

Volumetric attack

The purpose of volumetric DDoS attacks is to congest the network with massive amounts of traffic and exhaust the bandwidth of the intended victim’s resources. The massive attack traffic blocks legitimate users’ access to applications or services, so that traffic cannot flow in or out normally. Depending on the target, blocking legitimate traffic may mean that bank customers cannot pay bills on time, e-commerce shoppers cannot complete online transactions, hospital patients cannot view their medical records, and citizens cannot view their tax records at government agencies. Whichever company is attacked, as long as people cannot use the services they expect to use over the network, the impact is negative.

Volumetric attacks are carried out by a botnet made up of many systems and devices infected with malware. Under the control of the attacker, the bots send out malicious traffic, exhausting all available bandwidth and congesting the connection between the attack target and the Internet.

The impact of unforeseen zombie traffic may greatly slow down or prevent access to Web resources or Internet-facing services. Because the bots are legitimate devices that have been taken over to amplify bandwidth-intensive DDoS attacks, usually without their users being aware of it, it is difficult for victim companies to pick out the malicious traffic.

Common types of volumetric attacks

There are many types of volumetric DDoS attack vectors used by malicious attackers. Many attackers use reflection and amplification techniques to overwhelm the target network or service.

UDP flood attack

UDP flood attacks are often chosen for high-bandwidth DDoS attacks. The attacker tries to flood ports on the target host with IP packets carrying the stateless UDP protocol. The victim host then looks for an application associated with each UDP packet and, if none is found, sends a “destination unreachable” message back to the sender. Attackers often spoof IP addresses to hide their identities. Once the target host is flooded by attack traffic, the system stops responding, so legitimate users cannot use it normally.

DNS reflection/amplification

DNS reflection attacks are a common attack vector. Cybercriminals send a large number of requests to open DNS servers while spoofing their target’s IP address as the source. The DNS servers answer these malicious requests by replying to the forged IP address, and the large number of DNS replies forms a torrent directed at the target. Soon, the traffic generated by the DNS replies overwhelms the victim’s services, makes them unusable, and prevents legitimate traffic from reaching its intended destination.
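From the victim's side, reflected replies show up as DNS responses that no host on the network ever asked for. The following is an added example, not code from the original article: it matches responses to outstanding queries over constructed flow records, and the record layout and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed edge flow records (not captured data), using documentation addresses:
# (direction, resolver_ip, local_port, dns_txid, size_bytes)
#   "out" = DNS query leaving our network, "in" = DNS response arriving from port 53.
SAMPLE = [
    ("out", "192.0.2.53",   51000, 0x1A2B, 60),
    ("in",  "192.0.2.53",   51000, 0x1A2B, 120),   # answer to our own query
    ("in",  "198.51.100.7", 40211, 0x0001, 3100),  # nobody here sent these queries
    ("in",  "198.51.100.7", 40211, 0x0002, 3100),
    ("in",  "203.0.113.9",  40211, 0x0003, 2900),
    ("in",  "192.0.2.53",   51000, 0x1A2B, 120),   # second reply to an answered query
]

def unsolicited_dns(records):
    """Return {resolver_ip: (responses, bytes)} for responses with no matching query."""
    outstanding = set()
    stats = defaultdict(lambda: [0, 0])
    for direction, resolver, port, txid, size in records:
        key = (resolver, port, txid)
        if direction == "out":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.remove(key)        # each query accounts for exactly one reply
        else:
            stats[resolver][0] += 1        # reply nobody asked for: likely reflected
            stats[resolver][1] += size
    return {ip: tuple(v) for ip, v in stats.items()}

def reflection_summary(records):
    """Return (unsolicited responses, unsolicited bytes, distinct reflectors)."""
    per_resolver = unsolicited_dns(records)
    return (sum(c for c, _ in per_resolver.values()),
            sum(b for _, b in per_resolver.values()),
            len(per_resolver))
```
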

ICMP flood attack

The Internet Control Message Protocol (ICMP) is mainly used to transmit error information and usually does not exchange data between systems. ICMP packets may be transmitted together with Transmission Control Protocol (TCP) packets, which allow applications and computing devices to exchange information over the network when they are connected to the server. An ICMP flood attack is a layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the target network’s bandwidth.

Protocol attack

Protocol attacks consume and exhaust the computing capacity of network infrastructure resources (such as servers or firewalls) by abusing protocol communication with malicious connection requests. Synchronize (SYN) flood attacks and Smurf DDoS are two common types of protocol-based DDoS attacks. Protocol attacks can be measured in packets per second (PPS) and bits per second (BPS).

SYN flood attack

One of the main ways people connect to Internet applications is through the Transmission Control Protocol (TCP). A connection to a TCP service (such as a Web server) requires a three-way handshake: the user’s side sends a so-called SYN (synchronization) packet to the server, the server returns a SYN-ACK (synchronization acknowledgment) packet, and a final ACK (acknowledgment) is sent in response to complete the TCP handshake.

In a SYN flood attack, a malicious client sends a large number of SYN packets (the first part of the handshake), but never sends the acknowledgment that completes the handshake. This leaves the server waiting for a response on these half-open TCP connections, which eventually use up the capacity the server has for tracking connection state, so that it cannot accept new connections.

The SYN flood attack is like a terrible prank played by the entire graduating class of a large high school: all the students call the same pizzeria at the same time, and every one of them orders a pizza. When the delivery person goes to load the food, she finds that there are too many pizza orders, that they won’t fit in the delivery truck, and that there is no address on the orders, so all food delivery stops.
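The half-open connections described above can be counted from handshake records: every SYN that is never followed by the client's final ACK stays pending against the service. The following is an added example, not code from the original article. It runs over constructed sample traffic, and the 128-entry backlog, the 80% fill ratio, the 3-second timeout and the function names are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample traffic (not captured data), using documentation addresses.
# Each record: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# with flags "S" = SYN, "SA" = SYN-ACK, "A" = the client's final handshake ACK.
SERVER = ("192.0.2.10", 443)

def build_sample():
    packets = []
    for i in range(3):                      # three clients complete the handshake
        client, t = (f"198.51.100.{i + 1}", 50000 + i), float(i)
        packets.append((t, *client, *SERVER, "S"))
        packets.append((t + 0.01, *SERVER, *client, "SA"))
        packets.append((t + 0.02, *client, *SERVER, "A"))
    for i in range(120):                    # 120 SYNs that are never acknowledged
        client, t = (f"203.0.113.{i + 1}", 40000 + i), 5.0 + i * 0.01
        packets.append((t, *client, *SERVER, "S"))
        packets.append((t + 0.001, *SERVER, *client, "SA"))
    return sorted(packets)

def half_open(packets, now, timeout=3.0):
    """Return {(dst_ip, dst_port): n} for SYNs older than `timeout` seconds at
    time `now` that were never followed by the client's ACK."""
    pending = {}   # (client_ip, client_port, server_ip, server_port) -> first SYN time
    for ts, src, sport, dst, dport, flags in packets:
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(key, ts)     # a retransmitted SYN keeps the first time
        elif flags == "A":
            pending.pop(key, None)          # handshake completed, state released
        # "SA" travels server -> client and does not change what is pending
    stale = Counter()
    for (_, _, dst, dport), ts in pending.items():
        if now - ts >= timeout:
            stale[(dst, dport)] += 1
    return dict(stale)

def services_at_risk(packets, now, backlog=128, fill_ratio=0.8):
    """Flag services whose half-open count reaches fill_ratio of the assumed backlog."""
    return sorted(svc for svc, n in half_open(packets, now).items()
                  if n >= backlog * fill_ratio)
```

Counting per destination service rather than per source matters here, because each SYN in the sample comes from a different address and no single source stands out.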

Smurf DDoS attack

The name of this DDoS attack comes from the idea that many smaller attackers can overwhelm a much larger opponent through sheer numbers, just like the Smurfs in the fantasy stories.

In a Smurf distributed denial of service attack, the attacker uses an IP broadcast address to send a large number of Internet Control Message Protocol (ICMP) packets to a computer network, with the target’s IP address spoofed as the source. By default, most devices on the network respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be severely slowed down by the resulting flood of traffic.

Application layer attack

Example: HTTP flood attack

Application layer attacks work by sending a large number of malicious requests to the application, and are measured in requests per second (RPS). This type of attack is also called a layer 7 DDoS attack; it targets and disrupts specific network applications rather than the entire network. Although this type of DDoS attack is difficult to prevent and resist, it is relatively easy to launch.

For example, it is easy to startle a group of horses and make them run around, but it is almost impossible to control them again. Application layer attacks are like this: easy to implement, but difficult to slow or prevent, and are specific to a target.

What is the purpose of DDoS attacks?

A distributed denial of service (DDoS) attack attempts to overwhelm online services, websites, and web applications with malicious traffic from multiple sources, or to exhaust the computing resources of the target assets and paralyze them as a result. The goal of the attacker is to prevent legitimate users from using the target normally, and it has only one purpose: destruction. The targets of DDoS attacks are the resources that people rely on in daily life, including financial services, medical information, news organizations, education systems, and online shopping.

When launching a DDoS attack designed to cause damage to the enterprise, the motives of the attacker are varied. Common motivations may include:

  • Hacking for political or social reasons
  • Nation-state attackers attempt to cause economic or social chaos
  • Cause competitors’ services or products to be unavailable, and try to take advantage of the opportunity to solicit business
  • Use DDoS attacks as a “smokescreen” to divert the emergency response team’s attention from more difficult and complex attacks
  • Extortion for financial gain

Recently, extortion has become an extremely common motive among cybercriminals. DDoS extortion attacks are also called ransom DDoS (RDDoS) attacks. In this type of attack, threat actors (such as Copycats) threaten companies with DDoS incidents and demand that they pay a ransom or meet the requirements in the extortion ultimatum; otherwise, they will launch a DDoS attack. Typically, these criminals first make a show of force to prove their ability to cause damage and to increase the likelihood that the targeted company pays the ransom. To avoid being caught, attackers often insist that the victim pay in cryptocurrencies such as Bitcoin.

The purpose of a DDoS extortion attack is to demand a ransom, just as a bully who has stolen a primary school student’s homework demands the student’s lunch money in exchange for giving it back. In the complex world of cyberbullying, the ransom is in digital form and cannot be traced.

How to defend against DDoS attacks

With the help of strong DDoS mitigation strategies and runbooks, companies can resist DDoS attacks and reduce the damage they cause. The high-capacity, high-performance, always-on DDoS protection provided by various cloud solutions can prevent malicious traffic from reaching websites or interfering with communications via Web APIs. Cloud-based scrubbing services can quickly absorb large-scale attacks against non-web assets (such as network infrastructure).

DDoS protection

In a dynamic and changing attack environment, DDoS protection services from a provider that takes a defense-in-depth approach can safeguard enterprises and end-users. The DDoS mitigation service detects and stops DDoS attacks as quickly as possible. Ideally, this happens immediately or within a few seconds after the attack traffic reaches the mitigation provider’s scrubbing center. As attack vectors continue to change and the scale of attacks continues to grow, providers must keep investing in their defense capabilities to achieve effective DDoS protection. Keeping pace with large-scale, highly complex attacks requires the right technology to detect malicious traffic and strong countermeasures to resist attacks quickly.

DDoS mitigation providers can filter out malicious traffic and prevent it from reaching the assets that are the target of the attack. Attack traffic is intercepted by DDoS scrubbing services, cloud-based DNS services, or CDN-based web protection services. The cloud-based defense removes the attack traffic so that it cannot reach the target.

DDoS cloud scrubbing

DDoS scrubbing can keep your online business running normally, even during an attack. Unlike CDN-based countermeasures, DDoS scrubbing services can protect all ports, protocols, and applications in the data center, including Web and IP-based services. Enterprises direct their network traffic to the provider’s scrubbing infrastructure in one of two ways: through a Border Gateway Protocol (BGP) route advertisement change or through DNS redirection (A record or CNAME). The scrubbing service monitors and inspects the traffic to detect malicious activity, and it applies countermeasures once a DDoS attack is discovered. Such providers normally support both on-demand and always-on configurations. Which configuration to choose depends on the security posture the enterprise prefers, but more enterprises than ever before are now moving to the always-on deployment mode for a faster defensive response.

CDN-based defense

A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN specifically to accelerate HTTP and HTTPS traffic, all DDoS attack traffic launched against the URL is discarded at the network edge. This means that layer 3 and layer 4 DDoS attacks are stopped immediately, because this type of traffic does not target web ports 80 and 443. The network takes the form of a cloud proxy that sits in front of the customer’s IT infrastructure and carries traffic from end-users to websites and applications. Because these solutions operate inline, Web-facing assets are always protected from network-layer DDoS attacks without manual intervention. For application layer defense, enterprises should consider deploying a web application firewall to combat advanced attacks, including certain types of DDoS attacks such as HTTP GET and HTTP POST floods, which are designed to disrupt application processing at layer 7 of the OSI model.

Advantages of DDoS mitigation services

By deploying security controls against DDoS, companies can reduce their attack surface, their business downtime, and their risk of interruption. This type of defense can effectively prevent attacks while allowing legitimate visitors to access your business online normally. DDoS protection can prevent malicious traffic from reaching the target, limit the impact of attacks, and allow normal traffic to pass through to maintain normal business operations.

How to stop DDoS attacks?

In the defense process, your DDoS protection provider will deploy a series of countermeasures to prevent distributed denial of service (DDoS) attacks and reduce their impact. As modern attacks become more advanced, cloud-based DDoS protection helps ensure security through large-scale defense-in-depth and maintains the availability and performance of back-end infrastructure and Internet-facing services.

With DDoS attack protection services, companies can:

  • Reduce the attack surface and business risks associated with DDoS attacks
  • Prevent downtime that affects the business
  • Improve the response speed to DDoS incidents and optimize incident response resources
  • Reduce the time to understand and investigate service outages 
  • Prevent the loss of employee productivity 
  • Deploy countermeasures more quickly to defend against DDoS attacks
  • Prevent the loss of brand reputation and profits
  • Protect the entire digital asset environment and maintain application uptime and performance
  • Minimize costs related to Web security
  • Resist new and evolving threats
