Siege against the machine: what is a DDoS attack and how to prevent it?
In 2022, according to research by cybersecurity-as-a-service provider StormWall, the number of distributed denial of service attacks shot up by 74%, leaving disruption and financial loss in their wake. Often referred to as DDoS, most of the incidents targeted the fintech industry, which suffered 34% of the attacks and saw a 12-fold increase in attack traffic. Politically motivated hackers contributed to the increase in the strength and duration of attacks, up to 2 Tbit/s and 3 days, respectively, developing tools that were eventually adopted by for-profit criminals.
The conclusion? Hackers got much, much better at launching DDoS attacks, while most businesses are more vulnerable than ever against them. In this article, we’ll be trying to answer the most burning questions around the inner workings of denial-of-service attacks and DDoS prevention. What is a DDoS attack and how does it work? Why do DDoS attacks happen? How common are DDoS attacks? And most importantly, what can organizations do to prevent denial of service attacks? Let’s dive in.
What is a DDoS attack and how does it work?
Any cyber incident in which attackers interrupt a service and deny legitimate requests’ access to it can be considered a denial of service attack. DDOS attacks focus on overloading the infrastructure that makes a service accessible rather than the systems used by the service themselves, as traditional denial of service attacks do.
To illustrate how this works, let’s use our favorite analogy. Think of using a cloud service as storing your passport in a safe at your neighbor’s house. The purpose of a DDoS attack isn’t stealing it directly but to keep you from accessing it. Now, if we replace your passport with task management software that a 5,000-strong workforce relies on daily, it’s easy to see how a distributed denial-of-service attack can wreak havoc on a company’s operations, reputation, and ultimately, bottomline.
The difference between DoS and DDoS attacks, explained
According to the UK’s National Cyber Security Centre, an attack becomes a distributed denial-of-service attack when it comes from multiple computers or vectors instead of just one, representing the most common form of DoS attack on websites.
Multiple can mean thousands or tens of thousands Internet users who flood a server, website or network resource with messages, connection requests or malformed packets. This in turn will cripple the target or even cause it to shut down completely. The participants of a DDoS attack usually fall into two categories: willing ones, such as members of illegal hacktivist groups, and unwitting victims whose machines have been compromised through malicious means like malware.
The three main DDoS attack types explained
A broad class of cyber threat, distributed denial-of-service attacks have one thing in common. That is, generating a massive flood of traffic to render the target inaccessible. Based on how they achieve this goal, however, three key types of DDoD attacks emerge.
1. Application layer attacks
Application layer attacks, or Level 7 attacks, target the applications cloud systems run on. More specifically, they exploit application functionalities that require very little data movement between the attacking botnet and the servers, such as authentication. The application services get overloaded with a high volume of application calls and saturate finite resources like disk space and available memory. HTTP flooding is a common example of application layer attacks, requiring minimal resources to orchestrate.
Getting back to our passport analogy: say, you need to pick up your passport before an international trip. When you walk over to your neighbor’s house, you see hundreds of people standing there claiming they too have important documents in the safe. Now, your neighbor has to check the ID of each and every one of them to decide if their claim is legitimate. Most of them, of course, won’t be. So you, despite having a legitimate request, end up waiting in line for hours only to miss your flight.
2. Protocol layer DDOS attacks
The aim of these attacks is to eat up the capacity of critical servers and devices that connect to the wider internet, like routers or firewalls. One way to orchestrate a protocol layer DDoS attack is to show users a fake version of a website or service they’re trying to access.
This is exactly what happened in 2018, when for two hours MyEtherWallet users who tried to access their crypto wallets were redirected to a phishing website run by malicious actors. Having missed warning signs such as the unsigned SSL certificate, some fell for the scam – and saw their wallets emptied.
In our analogy, this would be the equivalent of you being on your way to collect your passport from your neighbor and getting stopped by someone impersonating a police officer. Or pulling up at the wrong house, which looks exactly the same as the one with your passport in the safe but one that is completely empty. All the while the attackers may access the real safe with your documents in it.
3. Volumetric attacks
A classic among DDoS strategies, volumetric attacks leverage the brute force method of sending a flood of data packets to the servers of the service to consume its entire bandwidth and stop legitimate traffic. Despite their relative simplicity, they can be extremely damaging. Imagine getting stuck in a traffic jam as you’re heading to your neighbor to pick up your passport. When you finally arrive, there are throngs of people trying to get inside and the owners have even given up locking the doors and windows out of fear.
The bad and the ugly: the impact of DDoS attacks
In 2022, DDoS attacks grew in frequency, duration, and sophistication, with organizations mitigating an average of 29.3 attacks per day in the fourth quarter of 2022 alone. It’s important to note here that unlike other cyber threats, DDoS attacks themselves don’t target businesses’ data assets. Rather they serve as a cover for other malicious activities that can result in a data breach. As such, they can still have lasting consequences on the target’s financial standing, reputation, and performance. Here are some of the potential effects of DDoS attacks:
1. Revenue loss
Downtime caused by a DDoS attack can lead to abandoned carts, failed transactions and frustrated customers, costing businesses $22,000 per minute on average according to the Ponemon Institute.
2. Lost productivity
Customers aren’t the only ones who can be left without network access during a DDoS incident. Attacks can take anywhere from seconds to a whole week, preventing employees from working efficiently – or entirely.
3. New attack vectors
As we’ve already mentioned, DDoS attacks are a surefire way to distract IT and security teams. In doing so, they may open the door for cyber criminals to find and exploit other vulnerabilities within your network.
4. Reputational damage
According to research, high-profile data breaches can lead to 5-9% decline in a company’s reputation intangible capital. This can spell disaster for businesses in trust-based industries such as healthcare or banking.
DDoS mitigation: how to detect a DDoS attack?
To mitigate DDoS incidents, it’s crucial to have a better understanding of the telltale signs of a DDoS attack. According to the US Cybersecurity and Infrastructure Security Agency, these may include but are not limited to:
- Unusually slow network performance
- Sluggish application performance
- High processor and memory utilization
- Abnormally high network traffic
- Unavailability or inaccessibility of websites
How to stop a DDoS attack in 4 steps – or at least minimize the damage
1. Spot spikes in traffic that are unexpected or recurring. Just started a major sale? Then an increase in site traffic is probably nothing to worry about. Sudden bumps in request volumes, especially at recurring intervals, should always be seen as red flags, however.
2. Have you detected an anomalous traffic load? Start filtering the malicious request stream out of the legitimate traffic of the targeted server to ensure that users who need to access your service or applications can continue to do so.
3. Divert and redirect fake traffic to sinkholes. A commonly used tool for studying and containing DDoS attacks, sinkholing allows security professionals to prevent botnets from bogging down the computing resources that systems need to function.
4. Finally, make sure that all data related to the distributed denial-of-service attack is forwarded to and analyzed by your security teams as well as relevant authorities. Most importantly, keep monitoring your network assets for signs of a secondary attack.
How to prevent DDoS attacks? Denial-of-service attack prevention tips
- Find a DoS protection service that detects abnormal traffic flows and redirects it away from your network before it can do major damage.
- Have a DDoS response plan in place, including who should be alerted and who should do what exactly once an attack is detected.
- Periodically review security settings on your internet-connected infrastructure and keep up-to-date with good security practices.
- Boost network security by deploying firewalls, intrusion detection solutions, antivirus software as well as endpoint security tools.
- Move to the cloud and use multiple servers for a higher bandwidth, added security layers and a distributed server architecture that absorbs malicious traffic.