Distributed denial-of-service (DDoS) attacks debuted in the late 1990s and have gone through big evolutionary changes since. At their dawn, they were largely the domain of hacktivists and thrill-seekers who knocked major internet services offline, sometimes as a sign of protest against online censorship and controversial political initiatives.
Fast forward to the present day, and the situation is much scarier. Not only are DDoS raids highly sophisticated and impactful, but they are also forming a huge cybercrime economy whose operators are increasingly adept at monetizing their foul play.
The latest addition to the genre is what’s called ransom DDoS. Its logic is to mount an attack against an organization, or a short demonstration of one, and then demand payment to stop it or to refrain from a bigger one.
At first blush, the idea behind DDoS seems simple: to inundate a network or a web server with more traffic than it can handle. That is not a misconception, but it is an oversimplification.
Malicious actors have numerous tricks in their handbooks that allow them to diversify the attack vectors and select the one that hits a specific victim’s pain points. For instance, if reconnaissance of an enterprise network turns up a web application with an expensive or poorly guarded endpoint, it makes an attractive target for an application-layer attack: one crafted request can cost the server far more CPU, memory, or database time than it costs the attacker to send.
Whereas most of the defenses you’ll find online revolve around turnkey DDoS mitigation services such as Cloudflare, part of the protection is up to programmers. Crudely coded web applications can be susceptible to SQL injection, and while injection is best known for data theft, it is also a denial-of-service vector: an attacker who controls part of a query can turn a cheap lookup into a pathologically expensive one (time-delay functions, unbounded joins, recursive queries) and exhaust the database with a handful of requests rather than a flood.
Once such a loophole is identified, the attacker crafts the payload and sends it repeatedly until the database or the application server stalls. Cross-site scripting (XSS) bugs have a different DDoS angle: a stored XSS on a heavily visited site can turn every visitor’s browser into an unwitting participant that fires requests at a third-party target for as long as the page stays open.
Eliminating SQL injection, XSS, and similar vulnerabilities in web applications through parameterized queries, output encoding, and input validation is an area where programmers can and must kick in.
Besides strengthening a web service against the scourge of DDoS, this is a prerequisite for stable code that delivers a frictionless user experience: the same unescaped quote that opens the door to injection also breaks the query for a legitimate user named O’Brien.
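To make the injection-as-denial-of-service point concrete, here is an added example (not code from the original article) in Python with SQLite: a lookup built by string concatenation beside its parameterized counterpart. The table, the user names, and the payload are constructed for the demo; since SQLite has no sleep() function, the payload burns CPU with a recursive CTE, standing in for the WAITFOR DELAY or pg_sleep() an attacker would use on other databases.

```python
import sqlite3
import time


def make_demo_db():
    """Constructed demo database: three users, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Crudely coded: the untrusted value is pasted into the SQL text, so the
    # attacker controls the WHERE clause of every query built this way.
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized: the driver passes the value out of band; quotes, comments
    # and subqueries inside it are just characters of a string literal.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Constructed payload (an assumption for the demo). It closes the string,
# appends an always-true condition that first forces SQLite to count to
# 300,000 in a recursive CTE, and comments out the original closing quote.
DOS_PAYLOAD = (
    "x' OR (WITH RECURSIVE c(n) AS (SELECT 1 UNION ALL SELECT n + 1 FROM c WHERE n < 300000) "
    "SELECT count(*) FROM c) > 0 --"
)


def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed_seconds)."""
    start = time.perf_counter()
    rows = fn(*args)
    return rows, time.perf_counter() - start


def run_demo():
    conn = make_demo_db()
    results = {}
    # 1. An ordinary lookup behaves the same either way.
    results["vuln_alice"] = lookup_vulnerable(conn, "alice")
    results["safe_alice"] = lookup_safe(conn, "alice")
    # 2. A legitimate name with an apostrophe breaks the concatenated query
    #    (a stability bug, not just a security one); the safe version handles it.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vuln_obrien_error"] = False
    except sqlite3.OperationalError:
        results["vuln_obrien_error"] = True
    results["safe_obrien"] = lookup_safe(conn, "O'Brien")
    # 3. The DoS payload: one short request becomes an expensive query that
    #    also dumps every row; parameterized, it is just a name nobody has.
    vuln_rows, vuln_secs = timed(lookup_vulnerable, conn, DOS_PAYLOAD)
    safe_rows, safe_secs = timed(lookup_safe, conn, DOS_PAYLOAD)
    results["vuln_payload_rows"] = len(vuln_rows)
    results["safe_payload_rows"] = len(safe_rows)
    results["vuln_payload_secs"] = vuln_secs
    results["safe_payload_secs"] = safe_secs
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it and the vulnerable lookup returns every row after a visible delay, while the parameterized one returns nothing and is back in microseconds; the O’Brien case shows the same bug breaking legitimate input. Scale the counter up, or swap in a real sleep function, and a few dozen such requests from one machine keep a database busy indefinitely, which is why this belongs in a DDoS discussion even though nothing about it is distributed.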
Do You Know Your DDoS Attack Points?
When it comes to cybersecurity, awareness is half the battle. If you know which links in your organization’s IT infrastructure DDoS actors could exploit, you can prioritize the defenses and, at the very least, reduce the risk of a single point of failure (SPOF) scenario.
Researchers single out three overarching categories of DDoS onslaughts: volumetric, network protocol, and application layer attacks. They differ in the targeted components of the network architecture and the mechanisms used to execute the raids.
Each one spans a handful of subtypes that run the gamut from TCP three-way handshake exploitation to powerful attacks weaponizing legitimate network stress testing tools.
The breakdown below will give you an idea of the contemporary DDoS threat landscape in the context of the common attack methods. If you are a programmer, the list can give you some actionable insights into the areas you can focus on to prevent your code from being mishandled by DDoS operators.
Volumetric Attacks
Also referred to as volume-based attacks, these incursions use large numbers of compromised machines, usually with spoofed source addresses, to flood a network link or a server with more packets than it can process, so legitimate users can no longer reach the resource. Many of the most powerful volumetric floods are reflection-and-amplification attacks: the attacker sends small requests, with the victim’s address forged as the source, to open UDP services (DNS, NTP, SSDP, CHARGEN, and others) whose replies are many times larger and land on the victim.
- UDP Flood. Threat actors send a deluge of User Datagram Protocol (UDP) packets, typically to random ports, until the server can no longer handle legitimate traffic. For each packet the host checks for a listening application and, finding none, answers with an ICMP Destination Unreachable message, which doubles the work. Because UDP is connectionless, source addresses can be forged freely, so blocking by source does little.
- ICMP Flood. Also known as a Ping Flood, this attack sends a torrent of Internet Control Message Protocol (ICMP) echo requests. Hosts answer each echo request with an echo reply by default, so the target burns bandwidth and CPU on replies until it becomes unresponsive.
- DNS Flood. Attackers overwhelm an authoritative or recursive DNS server with a barrage of queries from a large number of (often spoofed) source addresses; a common variant asks for random, nonexistent subdomains so that caches never help. DNS floods are among the hardest to mitigate because each query looks like a normal lookup, and taking a resolver down takes every service that depends on it down with it.
- Fraggle Attack. The UDP cousin of the Smurf attack: the attacker sends UDP packets to the echo (port 7) or CHARGEN (port 19) service at a network’s broadcast address, with the victim’s IP forged as the source, so every responding host on that segment replies to the victim at once.
- Advanced Persistent DoS (APDoS). This term applies when attackers combine several vectors across layers, rotate between them as defenders adapt, and sustain the campaign. A raid like this can last for weeks and tends to cause more damage than most counterparts.
- Zero-Day DoS. The name is self-explanatory: The attack capitalizes on undocumented imperfections in a network or a server to disrupt its operation. This explains the very low preparedness of organizations in terms of thwarting such onslaughts.
Network Protocol Attacks
Unlike volumetric attacks, network protocol attacks go after state rather than bandwidth: the connection tables, memory, and CPU of servers and of stateful middleboxes such as firewalls and load balancers. Numerous rogue protocol packets fired at these devices end up consuming all their tracking capacity, after which legitimate connections are dropped.
- SYN Flood. Criminals abuse the TCP three-way handshake (SYN, SYN-ACK, ACK) that a client and a server perform to open a connection. Each SYN makes the server allocate a half-open connection entry and send a SYN-ACK; with forged source addresses the final ACK never comes, so the backlog fills with half-open connections and legitimate SYNs are turned away. SYN cookies, which encode the connection state in the SYN-ACK sequence number instead of storing it, are the standard server-side countermeasure.
- LAND Attack. The acronym stands for Local Area Network Denial. The attacker sends SYN packets in which the source and destination IP address (and port) are the same as the target’s. Vulnerable stacks would reply to themselves in a loop and lock up; modern operating systems drop such packets, but old embedded devices may still be susceptible.
- SYN-ACK Flood. This attack abuses the second step of the handshake, where a server sends a SYN-ACK to acknowledge a client’s SYN. Criminals swamp a server (or a firewall in front of it) with unsolicited SYN-ACK packets; each one forces a lookup for a connection that does not exist, and the wasted lookups add up.
- ACK & PUSH ACK Flood. This one sends numerous ACK and PUSH-ACK packets that belong to no existing connection. Stateful devices must check each one against their connection table before discarding it, so they hit their memory and CPU limits.
- Fragmented ACK Flood. An adversary sends fragmented ACK packets. The receiving host or stateful firewall has to buffer the fragments and attempt reassembly, which costs far more than the packets cost to send, so a relatively small number of them can be disruptive. To add insult to injury, split packets can sneak past intrusion detection systems (IDS) that do not reassemble before inspecting.
- SSDP Flood. SSDP stands for Simple Service Discovery Protocol and is part of the Universal Plug and Play (UPnP) suite. The attacker sends small UDP discovery requests, with the victim’s IP forged as the source, to large numbers of UPnP devices exposed on the internet; each device answers the victim with a much larger response, so the server is swamped by reflected traffic.
- SNMP Flood. This vector parasitizes the Simple Network Management Protocol (SNMP), which collects and organizes data about network devices. Crooks send a bevy of small queries carrying the target’s spoofed IP to routers, switches, and printers that answer SNMP from the internet; the devices send their often bulky responses to that source address, and the reflected traffic brings the target down.
- NTP Flood. The Network Time Protocol (NTP) synchronizes clocks between computers. Misconfigured NTP servers that still answer the monlist command return a list of up to 600 recent clients in response to a single small query, which attackers exploit, with the victim’s address spoofed as the source, to deluge a network with reflected UDP packets.
- VoIP Flood. This one homes in on exposed Voice over Internet Protocol (VoIP) servers, typically by flooding the SIP signaling port with call-setup (INVITE) requests that appear to hail from many different IPs. The server treats each as a genuine call attempt and runs out of resources.
- Media Data Flood. Here rogue audio and video streams are pushed at a media server to waste its bandwidth and processing capacity. Because the streams arrive from many different addresses, they may not raise red flags individually.
- CHARGEN Flood. Defined in 1983, the Character Generator Protocol (CHARGEN) is obsolete, but some printers, photocopiers, and other networked equipment still have it enabled on UDP port 19, and DDoS operators know it. Sending small packets with a target’s spoofed IP to such devices causes each of them to fire a stream of random characters back at the target, exhausting its capacity.
- Smurf Attack. Named after the original exploit tool, this attack sends ICMP echo requests to the broadcast address of a network, with the victim’s IP forged as the source, so every host on that segment replies to the victim. Most routers now drop directed broadcasts, which has largely neutered the classic form, but misconfigured networks still occasionally serve as amplifiers.
- Ping of Death Attack. Criminals send fragmented ICMP packets that, once reassembled, exceed the maximum IP packet size of 65,535 bytes. Stacks that did not check the total length overflowed a buffer during reassembly and crashed. The original 1990s bug is long patched, but variants have resurfaced in newer IP stacks, so it remains a useful example of why length checks matter.
- IP Null Attack. This raid uses IPv4 packets whose Protocol header field is set to 0 rather than to a real transport protocol such as TCP or UDP. Receiving hosts and firewalls may spend cycles deciding what to do with them or mishandle them outright, producing a denial-of-service condition.
Application Layer Attacks
As the name suggests, these attacks operate at the application layer (“layer 7”) of the Open Systems Interconnection (OSI) model. Some exploit known or zero-day vulnerabilities in web applications, but many need no bug at all: they simply ask the application to do expensive work (searches, logins, dynamic pages) faster than it can keep up, using traffic that is hard to tell from legitimate use. These attacks are considered the most sophisticated and the most difficult to detect.
- HTTP Flood. The attacker bombards a web application with seemingly legitimate GET or POST requests. Because HTTP rides on a completed TCP handshake, the source addresses cannot be spoofed, so this vector relies on botnets of zombified computers to supply real, varied origins and mimic normal traffic.
- Single Session HTTP Flood. Here many requests are crammed into one TCP connection, using HTTP keep-alive and pipelining so that several requests travel in the same packet. Beyond amplifying the impact per connection, this sidesteps defenses that count connections rather than requests and treat the session as benign.
- Recursive HTTP GET Flood. At an early stage of this attack, the adversary requests a number of webpages from a server and studies the responses. Then every linked resource is requested in turn, walking the site recursively, until the server runs out of resources.
- Random Recursive GET Flood. This technique is aimed at blogs, forums, and other sites with paginated content. The attacker picks page numbers at random from the valid range to look like a regular reader and then fires a slew of GET requests that defeat caching and degrade the target’s performance.
- Spoofed Session Flood. Despite its place in this list, this is a TCP-level trick: the perpetrator sends a forged SYN, a few ACK packets, and one or more RST (reset) or FIN (finish) packets so that the sequence resembles a complete session. Protection systems that do not inspect return traffic, and therefore never notice that the server’s side of the handshake is missing, let it through.
- Low Orbit Ion Cannon (LOIC). Originally written as a network stress testing tool, the open-source LOIC is also a DDoS operators’ favorite, abused to flood a server with TCP, UDP, and HTTP traffic. It does not spoof addresses, so its users are easy to identify, which is part of why it has been superseded.
- High Orbit Ion Cannon (HOIC). Akin to LOIC, this is a stress testing tool that got out of hand. Criminals use it to DDoS servers with a high volume of HTTP GET and POST requests, and it can target up to 256 URLs at the same time.
- Slowloris. This attack can be run from a single computer. The client opens many concurrent connections to a web server and, on each, sends an HTTP request header by header at a very slow pace, never sending the blank line that marks the end of the headers. Servers that dedicate a thread or process per connection keep them all waiting until the worker pool is exhausted and no new clients can be served, while bandwidth use stays negligible.
- Misused Application Attack. Threat actors compromise machines running resource-intensive applications such as P2P software and redirect the heavy traffic those clients generate toward a target server.
- ReDoS. The term stands for “regular expression denial of service.” The attacker feeds a program inputs crafted to trigger catastrophic backtracking in a poorly written regular expression, typically one with nested quantifiers such as (a+)+, so that a single short request pins a CPU core for seconds or minutes and the server falls behind on everyone else.
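An added example, not from the original article, showing the ReDoS item above in Python: a pattern with a nested quantifier, its linear-time equivalent, a timing helper that exposes the exponential growth, and a small heuristic lint for the nested-quantifier shape. The patterns and inputs are constructed; the lint is an assumption of what a code reviewer might grep for, not an exhaustive detector.

```python
import re
import time

# Vulnerable pattern: the nested quantifier (a+)+ is ambiguous. A run of n
# 'a's can be split between the inner and the outer repetition in 2^(n-1)
# ways, and when the trailing '$' fails (the input ends in '!'), the
# backtracking engine tries every one of them before giving up.
VULNERABLE = re.compile(r"^(a+)+$")

# Same language (one or more 'a', nothing else) with no ambiguity: linear time.
SAFE = re.compile(r"^a+$")


def matches(pattern, text):
    """True if the whole input matches; works for either pattern."""
    return pattern.match(text) is not None


def time_match(pattern, text):
    """Seconds spent on one match attempt (used to show the growth curve)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


# Heuristic lint (assumption for this demo): a quantified group that itself
# contains a quantifier, such as (a+)+, (\w+\s?)* or (.*a)*. It flags the
# textbook shape only; it misses alternation-based ambiguity like (a|a)+
# and may flag patterns that are in fact safe.
NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*]")


def looks_redos_prone(pattern_source):
    return NESTED_QUANTIFIER.search(pattern_source) is not None


if __name__ == "__main__":
    for n in (12, 14, 16):  # every two extra characters roughly quadruple the vulnerable time
        evil = "a" * n + "!"
        print(f"n={n}: vulnerable {time_match(VULNERABLE, evil):.4f}s, "
              f"safe {time_match(SAFE, evil):.6f}s")
    print("lint flags vulnerable:", looks_redos_prone(VULNERABLE.pattern))
    print("lint flags safe:", looks_redos_prone(SAFE.pattern))
```

Running it prints the vulnerable timing roughly quadrupling for each two extra characters while the safe pattern stays flat; with thirty or so characters the vulnerable pattern would run for hours, which is the whole attack. Where a regex cannot be rewritten unambiguously, bound the input length before matching or use a backtracking-free engine such as RE2.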
Dodging the Menace
Even large corporations may lack the bandwidth to cope with a dramatic spike in traffic artificially precipitated by DDoS attackers. The standard network gear is equipped with limited DDoS mitigation mechanisms. This issue makes itself felt much more distinctly in the ecosystem of small and medium-sized businesses (SMBs), where building protection systems on a limited budget is the norm.
Under the circumstances, the best defenses are multi-pronged. One of the optimal ways to bolster DDoS protection is to outsource it to cloud-based scrubbing services such as Akamai, Sucuri, Netscout, or Cloudflare, which provide prevention and mitigation on a subscription or pay-per-use basis. For volumetric attacks in particular this is the only realistic answer, since no single organization’s link can absorb hundreds of gigabits per second.
To fend off application layer attacks described above, IT teams within organizations should follow proper code auditing practices. This will minimize the number of exploitable loopholes in web applications deployed within the enterprise environment.
A combination of an intrusion prevention system (IPS) and a web application firewall (WAF) takes it up a notch. A reliable IPS will block known exploitation attempts and malformed protocol traffic before they reach your hosts. An effective WAF, in its turn, shields your web applications from SQL injection and cross-site scripting and can apply per-client rate limits that blunt HTTP floods and slow-request attacks.
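As an added example (not the article’s or any vendor’s code), here is what a per-client rate rule of the kind a WAF or reverse proxy applies looks like when written out in Python and run over web-server access log lines. It flags the plain HTTP flood (too many requests per client in a sliding window) and the recursive GET flood (too many distinct URLs per client) described above. The thresholds, IP addresses, and log lines are all assumptions constructed for the demo, and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One line of Combined Log Format (the Apache/nginx default), e.g.
# 203.0.113.9 - - [10/Oct/2023:13:55:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'method', 'path', 'status'} or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_floods(lines, window_seconds=10, max_requests=30, max_distinct_paths=20):
    """Sliding-window detector over chronologically ordered log lines.

    Flags a client as 'request-rate' when it exceeds max_requests within the
    window (plain HTTP flood) and as 'path-churn' when it requests more than
    max_distinct_paths different URLs within the window (recursive GET flood).
    Returns {ip: set(reasons)}. Thresholds are demo assumptions; tune per site.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, path) still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        reasons = set()
        if len(q) > max_requests:
            reasons.add("request-rate")
        if len({path for _, path in q}) > max_distinct_paths:
            reasons.add("path-churn")
        if reasons:
            flagged.setdefault(rec["ip"], set()).update(reasons)
    return flagged


def build_sample_log():
    """Constructed sample: one normal visitor, one HTTP flooder, one recursive GET crawler."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = []
    # 198.51.100.5: five pages over a minute, normal browsing.
    for i, path in enumerate(["/", "/about", "/blog", "/blog/1", "/contact"]):
        events.append((base + timedelta(seconds=12 * i), "198.51.100.5", path))
    # 203.0.113.9: 60 hits on /login inside 10 seconds, six per second.
    for i in range(60):
        events.append((base + timedelta(seconds=i // 6), "203.0.113.9", "/login"))
    # 192.0.2.44: 25 distinct forum pages inside 9 seconds, under the raw rate limit.
    for i in range(25):
        events.append((base + timedelta(seconds=30 + i // 3), "192.0.2.44", f"/forum/page/{i}"))
    events.sort(key=lambda e: e[0])
    return [
        f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        for ts, ip, path in events
    ]


if __name__ == "__main__":
    for ip, reasons in detect_floods(build_sample_log()).items():
        print(ip, sorted(reasons))
```

The same logic, keyed on a client IP or a session cookie and fed from the live log stream, is the basis of most application-layer rate limiting; the thresholds have to be tuned per site, since a busy API client can legitimately exceed what would be suspicious for a blog reader, and a botnet spreading its requests across thousands of addresses will stay under any per-client limit, which is where the cloud scrubbing services earn their keep.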
An extra tip is to keep your systems up to date. Patching your digital infrastructure will curb malicious actors by providing them with little to no room for maneuver.
Is Your System Ready?
Although DDoS is an oldie in the cybercrime arena, it continues to be a serious concern you need to have effective countermeasures for. To top it off, it is rapidly evolving. Some of these raids rely on malware, IoT botnets, and open-source network stress testing frameworks to extend their reach. What’s worse, some of the novel attacks add extortion to the mix.
Assessing your IT infrastructure from the ground up to identify the components most susceptible to volumetric, protocol, and application layer DDoS attacks will help your organization make a real leap in protection.
In addition to proper coding hygiene, make sure you apply software patches once available and configure your network equipment to make the most of its built-in defenses. Also, consider leveraging a cloud-based DDoS mitigation service and an IPS to further harden your company’s security posture.