The world is seeing a surge in distributed denial-of-service (DDoS) attacks. Not only is the number of incidents spiking, but the attacks are larger and more sophisticated. Sometimes the DDoS threat is overlooked in the buzz around ransomware and high-profile hacking. To secure your network, you want to know how to recognize a potentially debilitating DDoS incident.
What is a DDoS Attack?
A DDoS attack floods a target server with traffic, blocking it from completing handshakes with legitimate connection requests. As a result, authorized users can’t access computer network systems or resources. Sometimes the system crashes completely.
Unlike its predecessor denial of service (DoS), a DDoS attack typically involves multiple hijacked systems working together in a botnet. This distributed model, which is the most common today, makes it much harder for IT experts to identify the attacker.
You may think of a botnet as a group of hijacked computers used to execute massive attacks. However, they can also consist of internet-of-things (IoT) devices, routers, and other devices controlled by a central server. Botnets have become commodities that owners often rent to other attackers in attack-for-hire schemes. This practice has broadened the pool of people capable of mounting a threat.
Today’s DDoS attacks often feature:
- Command and control: An attack server sends commands to the botnet, controlling it as one unit.
- Smart device exploitation: Operational technology devices have code and IP addresses and control physical systems such as electrical grids and drones. IoT devices such as smart thermostats can communicate with other systems. DDoS attacks exploit vulnerabilities in these new technologies to reach targets, including critical infrastructure.
- Multivector attacks: A multivector attack combines DDoS methods in an attempt to thwart defenses. An increasingly common and disabling attack pairs DDoS with ransomware.
- Monocultures: A monoculture is a group of systems with the same exploitable vulnerability. Typical examples are IoT devices such as webcams.
- AI-driven evasion: Sophisticated DDoS attacks use AI to modify code on the fly to outwit security measures.
Types of DDoS Attacks
DDoS attacks typically take two forms: volumetric and application-layer. They are often combined in an assault against the target.
Also called bombardment, a volumetric attack targets the IP layer by flooding a server with connection requests from spoofed IP addresses that appear legitimate. The incomplete handshake occupies the ports, blocking authentic requests. Users may experience slowness or denial of access.
A layer 7 attack targets the application layer, often using botnets to manipulate an application into supporting an intrusion. A frequent example is the use of IoT devices to generate traffic. Layer 7 attacks pose a significant threat to cloud and web applications serving many clients.
An Evolving Security Threat
According to Tech Republic, significant DDoS incidents increased 967 percent from 2018 to 2019. Events are also widening in scope. The most massive attack in Q1 2019, at 587 Gbps, was 70 percent larger than its equivalent the year before.
DDoS strategies evolve with technology. Attackers are using AI and machine learning to find vulnerabilities, morph to evade detection, and change tactics. Increasingly, they pair a volumetric assault with another type of attack, such as ransomware.
The sheer cost of lost business has escalated in parallel. CompTIA reports that DDoS attacks can cost millions of dollars per incident. Consider that a compromised network’s downtime averages 7 to 12 hours. At an estimated $5,600 per minute, a business or organization could lose $2.3 million to $4 million.
How to Detect an Attack
Your IT security measures should include a robust DDoS protection solution. However, there is no foolproof prevention, and you want to know the signs of a possible intrusion. Be prepared to mitigate threats immediately and deploy your disaster recovery plan.
Your first clue is often user complaints about slow network performance or the inability to access a site. The intermittent, low-grade nature of some attacks may mimic technical issues, and you may first assume the service or hosting is down. Upon inspecting traffic, however, you will likely see abnormally high volume or an anomalous pattern. Network resources will be maxed out. A search for suspicious background programs will turn up nothing.
Keep in mind that attacks can occur in bursts or as long-term assaults. A burst typically lasts under one minute, whereas a prolonged attack can last hours or days. Bursts are harder to trace but can still cause considerable damage due to sheer traffic volume.
Signs of an attack:
- Users report severely degraded network performance.
- Users can’t access some or all websites.
- An IP address sends the same request at regular intervals.
- A server returns a 503 error due to service outages.
- TTL (time to live) on a ping request expires, and the request times out.
- Logs show huge traffic spikes.
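Several of the signs above (per-IP requests repeating at regular intervals, traffic spikes, and a rise in 503 responses) can be checked directly against server logs. The following is an added example, not code from the original article; it assumes a simplified access-log format of "ip timestamp method path status" with Unix-second timestamps, uses a small constructed sample, and picks illustrative thresholds.

```python
"""Flag DDoS signs in access logs: spikes, periodic repeaters, 503 share."""
from collections import Counter, defaultdict
from statistics import mean, median, pstdev

# Constructed sample (assumed format): one client repeating the same request
# every 5 s, a 120-request burst across t=1000..1002 with some 503s,
# and two ordinary requests.
SAMPLE_LOG = "\n".join(
    [f"10.0.0.5 {900 + 5 * i} GET /login 200" for i in range(8)]
    + [f"198.51.100.{i % 20} {1000 + i // 40} GET / {503 if i % 4 == 0 else 200}"
       for i in range(120)]
    + ["192.0.2.9 1010 GET /about 200", "192.0.2.10 1012 POST /api 200"]
)

def parse_log(text):
    """Yield (ip, ts, request, status) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ip, ts, method, path, status = parts
        try:
            yield ip, int(ts), f"{method} {path}", int(status)
        except ValueError:
            continue

def traffic_spikes(entries, factor=5.0):
    """Seconds whose request count exceeds factor x the median per-second rate."""
    rps = Counter(ts for _, ts, _, _ in entries)
    if not rps:
        return []
    baseline = median(rps.values())  # median resists being pulled up by the spike
    return sorted(ts for ts, n in rps.items() if n > factor * baseline)

def periodic_clients(entries, min_hits=5, max_jitter=1.0, min_period=2):
    """IPs repeating the same request at a near-constant, slow interval."""
    times = defaultdict(list)
    for ip, ts, req, _ in entries:
        times[(ip, req)].append(ts)
    found = {}
    for (ip, req), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter and mean(gaps) >= min_period:
            found[ip] = (req, mean(gaps))
    return found

def error_ratio(entries, status=503):
    """Share of responses with the given status (0.0 when there are no entries)."""
    return sum(1 for e in entries if e[3] == status) / len(entries) if entries else 0.0

def ddos_indicators(text):
    entries = list(parse_log(text))
    return {"spikes": traffic_spikes(entries),
            "periodic": periodic_clients(entries),
            "error_503_ratio": error_ratio(entries)}
```

Run `ddos_indicators(SAMPLE_LOG)` to see the burst seconds, the periodic client, and the 503 share; in production you would feed it a window of real log lines and alert on any non-empty result.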
DDoS Traffic Patterns
Understanding attack traffic guises will help you fine-tune your detection service, effectively monitor reports, and even spot trouble first.
- Beaconing: Beaconing refers to the communication between a botnet member and the central server and often has a distinct signature for which you can set alerts.
- Half-open connection (SYN) flood: This attack may exploit weak or absent encryption. It spoofs IP addresses and sends connection requests that are never acknowledged, leaving the connection open.
- UDP flood: The attacker overwhelms the target server with UDP packets.
- ICMP (ping) flood: This attack bombards the target with ICMP diagnostic pings.
- HTTP flood: The attack floods the application with HTTP GET or POST requests. It often exploits Apache and Nginx server vulnerabilities.
- Memcached: Memcached is a service that distributes memory caching in RAM across systems to improve website performance. Botnets can exploit insecure setups.
- Reflection: Reflection sends traffic through devices to deflect attention from the true attack systems.
- Amplification: The botnet sends traffic through devices that multiply otherwise normal outgoing traffic.
Take Protective Measures
No DDoS detection application can erase the need to plug holes in your network’s security or processes. Take these steps if needed:
- Lock down IoT devices.
- Harden or replace legacy equipment.
- Address any misconfigurations.
- Remove from the network any IT assets unaccounted for.
- Check your public network profile through a site such as Shodan.
Your team can keep up to date on cyber threats through sites such as Common Vulnerabilities and Exposures (CVE). Global threat maps such as Bitdefender’s can help you pinpoint real-time threats that could affect your systems. In the wild west of DDoS attacks, you want to draw first.