Distributed Denial-of-Service (DDoS) Attacks
What is a Distributed Denial-of-Service (DDoS) Attack?
- The purpose of a Distributed Denial-of-Service (DDoS) attack is to overwhelm a website or online service by flooding it with excessive traffic, making it inaccessible to legitimate users.
- Attackers use botnets (networks of compromised devices) to send large amounts of traffic to the target, effectively shutting down services.
How DDoS attacks work:
Botnet:
- A large network of compromised devices, usually infected with malware, is controlled by attackers to launch a coordinated attack on a target.
Smurf Attack:
- In this method, attackers send spoofed Internet Control Message Protocol (ICMP) echo requests to many hosts, so that the replies flood the targeted server's network and bring it down.
SYN Flood:
- Attackers initiate a connection request to the server but do not complete it, resulting in many incomplete connections.
- This overloads the server and prevents legitimate connections from being processed.
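The defensive counterpart of the SYN flood described above is to track how many handshakes each source starts against how many it completes. The following Python is an added example, not code from the original page; the event stream (source IP, TCP flag) is a constructed stand-in for what a firewall or flow exporter would emit, and the thresholds are assumptions chosen for illustration, not tuned production values.

```python
"""Half-open (SYN flood) detection over a constructed TCP event stream.

Each event is (source_ip, flag): "SYN" when a client starts a handshake,
"ACK" when it completes one. A source (or the whole server) with many
SYNs and few completed handshakes is accumulating half-open connections.
"""
from collections import Counter


def half_open_stats(events):
    """Return {source_ip: (syn_count, completed_count)}."""
    syns = Counter()
    acks = Counter()
    for src, flag in events:
        if flag == "SYN":
            syns[src] += 1
        elif flag == "ACK":
            acks[src] += 1
    return {src: (syns[src], acks[src]) for src in syns}


def aggregate_half_open(events):
    """Server-wide (total_syns, total_completed, half_open).

    Real SYN floods usually spoof random source addresses, so per-source
    counting alone misses them; the aggregate half-open backlog does not.
    """
    total_syn = sum(1 for _, f in events if f == "SYN")
    total_ack = sum(1 for _, f in events if f == "ACK")
    return total_syn, total_ack, total_syn - total_ack


def flag_syn_flooders(events, min_syns=20, max_completion_ratio=0.2):
    """Sources with >= min_syns SYNs and a low completion ratio (assumed thresholds)."""
    suspects = []
    for src, (syn, ack) in half_open_stats(events).items():
        if syn >= min_syns and ack / syn <= max_completion_ratio:
            suspects.append(src)
    return sorted(suspects)


def build_sample_events():
    """Constructed sample: a busy legitimate client, a flooder, a light client."""
    events = []
    # Legitimate client: every SYN is followed by a completed handshake.
    for _ in range(30):
        events.append(("198.51.100.7", "SYN"))
        events.append(("198.51.100.7", "ACK"))
    # Flooder: 200 SYNs, only 3 handshakes completed.
    for i in range(200):
        events.append(("203.0.113.9", "SYN"))
        if i < 3:
            events.append(("203.0.113.9", "ACK"))
    # Light client: a handful of unfinished connections, below min_syns.
    for _ in range(5):
        events.append(("192.0.2.44", "SYN"))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print("suspects:", flag_syn_flooders(sample))
    print("server-wide (syn, completed, half-open):", aggregate_half_open(sample))
```

The per-source view catches a single noisy origin; the aggregate view is what SYN cookies, backlog limits and upstream scrubbing are actually reacting to, since spoofed sources defeat per-IP thresholds.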
Signs of a DDoS attack:
- Slow internet speed.
- Difficulty accessing websites and online services.
- Long-term service disruption.
Types of DDoS attacks:
1. Volumetric attack:
- Volumetric attacks clog up the target’s bandwidth by flooding it with a massive amount of traffic, thereby exhausting network capacity.
How it works:
- These attacks use compromised systems (botnets) to send large amounts of data to the target, causing congestion and denial of service for legitimate users.
- Example: DNS amplification attack
- In 2013, Spamhaus, an anti-spam organization, was hit by a massive DDoS attack using DNS amplification that reached a then-record 300 Gbps, disrupting its service globally.
2. Protocol Attacks
- Protocol attacks exploit vulnerabilities in network protocol communications to exhaust server resources or network infrastructure.
How it works:
- These attacks target the way connections are handled by network protocols.
- For example, SYN floods take advantage of the handshake process in TCP communications.
- In 2020 a SYN flood attack targeted Cloudflare’s network with millions of unfinished SYN requests per second, causing temporary disruption to some of its services.
3. Application Layer Attacks
- Application layer attacks target vulnerabilities at the application layer (layer 7) by affecting the specific functionality of a web application, database, or API.
How it works:
- These attacks send large volumes of requests that look like ordinary application traffic, consuming the web application’s processing resources rather than raw bandwidth.
- For example, an HTTP flood attack mimics normal user behavior but sends so many requests that the server is overwhelmed.
- In 2018, GitHub was subjected to a massive DDoS attack that peaked at 1.35 Tbps via an HTTP flood, temporarily disrupting its services.
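Because an HTTP flood looks like normal requests, the usual way to spot one in a web server's access log is request rate per client per time window. The following Python is an added example, not code from the original page or from any of the companies it mentions; the log lines are constructed in Common Log Format, and the window size and threshold are assumed values for illustration.

```python
"""HTTP flood detection over constructed Common Log Format access log lines.

Requests are bucketed into fixed windows per source IP; a source whose
count in any window exceeds the threshold is flagged.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# host ident authuser [date] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}


def requests_per_window(lines, window_seconds=10):
    """Return {(ip, window_index): request_count}; malformed lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["time"].timestamp()) // window_seconds
        counts[(rec["ip"], bucket)] += 1
    return counts


def flag_http_flooders(lines, window_seconds=10, threshold=50):
    """IPs exceeding `threshold` requests in any window (assumed threshold)."""
    flagged = set()
    for (ip, _bucket), n in requests_per_window(lines, window_seconds).items():
        if n > threshold:
            flagged.add(ip)
    return sorted(flagged)


def build_sample_log():
    """Constructed log: one browsing user and one source hammering a search endpoint."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    lines = []
    # Legitimate user: one request every 2 s across a few pages (5 per 10 s window).
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(fmt.format(ip="198.51.100.7",
                                ts=t.strftime("%d/%b/%Y:%H:%M:%S") + " +0000",
                                path=f"/page/{i % 5}"))
    # Flooder: 30 requests per second to the same expensive endpoint for 5 s.
    for s in range(5):
        t = base + timedelta(seconds=s)
        for _ in range(30):
            lines.append(fmt.format(ip="203.0.113.9",
                                    ts=t.strftime("%d/%b/%Y:%H:%M:%S") + " +0000",
                                    path="/search?q=expensive"))
    return lines


if __name__ == "__main__":
    print("flagged:", flag_http_flooders(build_sample_log()))
```

In practice the count is usually weighted by endpoint cost (a search or login is far more expensive than a static asset) and keyed on more than the source address, since a botnet spreads its requests over many IPs that individually stay under any per-IP threshold.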
Effects of DoS/DDoS attacks
Service disruption:
- Legitimate users are unable to access the targeted service, leading to downtime and disrupted services.
- Example: In October 2016, a massive DDoS attack on domain name system (DNS) provider Dyn caused service disruptions to major websites such as Twitter, Netflix, and Reddit.
Financial losses:
- E-commerce platforms and online services can suffer significant revenue losses during disruptions caused by DDoS attacks.
- Example: Amazon reportedly loses about $1.6 million per minute during downtime.
Reputation damage:
- Repeated attacks can reduce confidence in an organization’s ability to keep its services secure, impacting customer trust and brand reputation.
- Example: In 2013, a series of DDoS attacks against major US banks such as JPMorgan Chase and Bank of America raised doubts about their ability to protect customer data, leading to a loss of customer trust.
Mitigation Costs:
- Organizations may have to invest in DDoS protection solutions, which can be costly in terms of both hardware and software.
- Example: GitHub faced the largest recorded DDoS attack in 2018, and as a result, the company had to invest significantly in DDoS protection to prevent future attacks, increasing operational costs.
Mitigation Techniques for DDoS Attacks
Traffic Filtering:
- Filtering malicious traffic using firewalls and intrusion detection systems (IDS) and allowing only legitimate requests.
- Example: Google uses intrusion detection systems (IDS) and advanced firewalls to filter out malicious traffic, ensuring that only legitimate users can access their services during a DDoS attack.
Rate Limiting:
- Limiting the number of requests a server can accept from a particular IP address within a specific time frame to prevent overloading.
- Example: Facebook implements rate limiting by limiting the number of requests from a single IP address, preventing it from being overwhelmed by a flood of connection attempts.
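A common way to implement the per-address limit described above is a token bucket: each source gets a bucket that refills at a steady rate up to a burst capacity, and a request is served only if a token is available. The following Python is an added example, not code from the original page and not any company's implementation; the request stream and the capacity and refill values are constructed for illustration.

```python
"""Per-source token-bucket rate limiter applied to a constructed request stream.

Each request is (timestamp_seconds, source_ip). A source may burst up to
`capacity` requests, then is held to `refill_rate` requests per second.
"""
from collections import Counter


class TokenBucket:
    def __init__(self, capacity, refill_rate):
        self.capacity = float(capacity)      # maximum burst size
        self.refill_rate = float(refill_rate)  # tokens added per second
        self.tokens = float(capacity)        # start full
        self.last = None                     # time of the previous request

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, created lazily on first sight."""

    def __init__(self, capacity=10, refill_rate=2.0):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets = {}

    def allow(self, now, ip):
        bucket = self.buckets.get(ip)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_rate)
            self.buckets[ip] = bucket
        return bucket.allow(now)


def apply_limiter(requests, capacity=10, refill_rate=2.0):
    """Run the stream through the limiter; return ({ip: allowed}, {ip: dropped})."""
    limiter = PerSourceLimiter(capacity, refill_rate)
    allowed = Counter()
    dropped = Counter()
    for ts, ip in sorted(requests):  # process in time order
        if limiter.allow(ts, ip):
            allowed[ip] += 1
        else:
            dropped[ip] += 1
    return dict(allowed), dict(dropped)


def build_sample_requests():
    """Constructed stream: a steady legitimate client and a bursting flooder."""
    reqs = []
    # Legitimate client: one request per second for 20 s, never drains its bucket.
    for i in range(20):
        reqs.append((float(i), "198.51.100.7"))
    # Flooder: 100 requests at t=0, then 50 more at t=5 after a partial refill.
    for _ in range(100):
        reqs.append((0.0, "203.0.113.9"))
    for _ in range(50):
        reqs.append((5.0, "203.0.113.9"))
    return reqs


if __name__ == "__main__":
    allowed, dropped = apply_limiter(build_sample_requests())
    print("allowed:", allowed)
    print("dropped:", dropped)
```

With capacity 10 and refill 2 tokens per second, the flooder gets its first 10 requests through, is refused the next 90, has refilled to the cap by t=5 and gets another 10 of 50. Per-IP limiting is effective against a single abusive source; against a distributed flood it must be combined with global limits and upstream filtering, since each bot can stay under the per-address threshold.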
Content Delivery Networks (CDN):
- CDNs distribute traffic across multiple servers in different locations, reducing the impact of DDoS attacks on any one server.
- Example: Akamai provides CDN services to distribute traffic across multiple locations, reducing the impact of DDoS attacks on websites such as the BBC and eBay.
DDoS protection services:
- Services like Cloudflare and AWS Shield provide specialized protection by absorbing and filtering malicious traffic, thus preventing it from reaching the targeted server.
- Example: Cloudflare provided DDoS protection to GitHub during the 2018 attack, helping to absorb malicious traffic and keep the website up and running.