The open and anonymous internet is great for providing opportunities for innovation and connecting people across the world. However, the openness of the internet has its downsides. Many readily exploitable insecurities are giving bad actors the tools and methods for disruption and havoc.
One of the ways cybercriminals look to cause disruption is by utilising a fleet of infected or insecure internet-connected systems to overload their target with a distributed denial-of-service attack or DDoS for short. In this article, we are looking into what is DDoS, how it affects services, and what can be done to mitigate it.
What is DDoS
DDoS is a distributed denial-of-service attack where compromised systems are used to cause a failure of the targeted server, service or network by overwhelming the target or its supporting infrastructure with a flood of simultaneous internet traffic. The attackers commonly utilise previously infected computer systems such as other servers, home computers or Internet-of-Things devices to achieve much higher attack volume than would be possible with a single source network connection. Additionally, some attacks may exploit vulnerabilities or insecure features to redirect responses to queries to amplify the attack.
Networks of compromised computer systems that can be commanded centrally by the attacker are often called botnets. Many different kinds of malware can hijack an infected system to work as a bot in a larger network. The infection might not be immediately apparent as the malware may lay dormant for an extended period before being issued attack commands. Therefore, periodically scanning your systems for malware is important in keeping your servers from being enslaved to a botnet.
Upon command from the attacker, botnets may target individual victim IP addresses by responding to a request to the target. When enough of these requests are made at the same time, the targeted server or network may become over-encumbered by the attack resulting in a denial-of-service to normal traffic. These type of attacks can be difficult to identify as each bot in the network is a legitimate device on the internet which masks the attack.
Building a botnet to a scale that can cause significant DDoS attacks is time-consuming. To be able to monetise their efforts, botnet operators often rent out their capacity. Unfortunately, these DDoS-as-a-service require very little actual knowledge or skill to hire. Therefore just about anyone with enough ill-will towards their target and the willingness to break the law could cause DDoS attacks.
Types of DDoS attacks
Due to insecurities and misconfigured systems widely available online, criminals have several ways to build a distributed denial-of-service attack. Different DDoS attacks can use varying methods to target many different components of a network connection. While nearly all DDoS attacks focus on overwhelming the target device or network, attacks can be generally divided into three categories.
Application Attacks focus on a specific service or application by attempting to exhaust the resources used by the target. These attacks often target the applications that generate web pages and deliver the responses to requests.
Application-level attacks take advantage of the imbalanced in traffic volume of the client-server model to cause a high load to the service with little effort from the client-side. While a single request is usually resource-wise cheap to execute, it can be expensive for the target server to respond to.
HTTP flood is one of these types of attacks. It utilises a large number of HTTP requests to flood the server to prevent normal users from being able to access the web application.
A Memcached reflection attack is quite a recent method of DDoS which attempts to overload the victim with spoofed requests to a vulnerable UDP Memcached server. Similarly to other amplification attacks, it works by sending small initial requests to which the Memcached server responds with a much larger amount of data.
Protocol Attacks concentrate on exhausting the capacity of web application servers or intermediate resources like firewalls and load balancers. These attacks utilize weaknesses in different types of protocols to render the target inaccessible to normal traffic.
SYN flood is one form of protocol attack that uses a succession of SYN requests. It works by breaking the normal synchronise-acknowledge-acknowledge exchange by either simply never responding to the server or by spoofing the originating IP. This causes the server to wait and binds resources to the open connections.
Volumetric Attacks rely on a high amount of traffic to a targeted network to overwhelm its bandwidth capacity. These attacks work to flood the target to slow down or halt their services entirely. The severity of this type of attack depends on the volume the attacker can generate, often ranging from 100’s of Gbps up to over 1 Tbps.
DNS amplification attacks use insecure DNS servers to reflect and amplify traffic to obfuscate the origin of the attack and increase its effectiveness. The attacker uses a large number of small requests to query for very large DNS records while reflecting the responses to the intended victim by forging the return IP address.
NTP amplification is another reflection-based attack that abuses the Network Time Protocol. It exploits the disparity in bandwidth costs between the attacker and the target that causes small queries to result in large responses.
Common mitigation tactics
The effectiveness of a DDoS attack in disrupting services depends on the scale of the attack and the readiness of the target to mitigate it. Most mitigation strategies, aside from offsite protective services, rely on preventative internet infrastructure solutions.
Rate limiting the number of connections that a single client can open within a certain amount of time can mitigate potential DDoS attacks pre-emptively. In normal use, a web browser can open 5 to 7 TCP connections to a single website when loading all assets to display the page. In contrast, DDoS attacks often go way beyond this to maximise the effect. As such, anything above 10 concurrent connections could be considered unusual.
For rate-limiting, a load balancer can be a useful first line of defence against DDOS. As an example, HAProxy, which is primarily a load balancer proxy for TCP and HTTP, is also capable of act as a traffic regulator. HAProxy can be used to protect against DDoS attacks by denying or redirecting connections based on a variety of identifiers such as IP, URL or cookies.
Web Application Firewall
Another possible way of preparing against possible DDoS attacks is configuring a Web Application Firewall or WAF. When used as a reverse proxy, WAF can protect the targeted server from certain types of malicious traffic and assist in mitigating application-layer DDoS. Abusive traffic can be mitigated by filtering requests according to DDoS identifying rules depending on the type of abuse the target is receiving. The important feature of an effective WAF is giving the service administrator the ability to quickly implement custom rules to mitigate the attack.
One of the simplest countermeasures to mitigating a DDoS attack is routing the flood of connections to a “black hole” by discarding all data. Blackhole routing is an option available to all network administrators and this type of mitigation is often employed by ISPs. The internet network infrastructure providers may not be able to otherwise handle the incoming traffic without becoming overwhelmed. Therefore, the affected network provider may need to blackhole all traffic to the targeted IP address to protect other users on the network while effectively taking the target’s site off-line.
DDoS protection services
The most effective way of mitigating DDoS attacks is simply having more capacity to handle incoming data than the cybercriminals can muster. Any single server or service is unlikely to be able to accomplish this alone, therefore, having a helping hand from an external DDoS protection service, such as Cloudflare, can be extremely useful. Cloudflare is already famous for its extensive networking services providing Content Delivery Networking and domain name servers but they also offer DDoS protection. Cloudflare’s Anycast network absorbs distributed attack traffic by dispersing it geographically to the point where the traffic is absorbed by the network.
This type of network diffusion relies on the efficiency and capacity of the network needs to be larger than the DDoS attack. For example. Cloudflare reports having the network capacity for 25 Tbps which is an order of magnitude greater than the currently largest DDoS attack on the record.
Securing against exploits
Most important step all server administrators should take is making sure their services are secure and cannot be used in DDoS attacks. Part of this is periodically scanning the servers for possible malware as well as keeping the services up to date on the latest security patches.
As a networking provider for our users, we at UpCloud have designed our infrastructure to be resilient event against abuse such as DDoS. We monitor our network and infrastructure 24/7 to prevent DDoS or any other attacks which could affect servers running on our infrastructure. However, we do not offer DDoS-protection to the same extent as other dedicated services. If you have experienced DDoS before or might expect to see some in the future, we advise that you set up a third-party service such as Cloudflare’s DDoS protection.
Distributed denial-of-service attacks can seem like hacker magic, but once you understand the mechanics, the mysticism disappears. Although DDoS has become unfortunately common, it’s still quite rare for individual service providers or SMEs to come under attack. However, not at least considering mitigation methods before the first attack occurs will leave your services exposed to more disruptive effect than would otherwise be the case.
The unfortunate truth is, there is always someone willing to go to extreme lengths to object or simply cause trouble. As with any type of bullying, not giving the attackers the satisfaction of having disrupted your operations beyond a minor nuisance, they will soon lose interest. By preparing accordingly, anything can be weathered.