What are DDoS attacks?
DDoS attack stands for “Distributed Denial-of-Service attack”. However, let’s not get ahead of ourselves. First of all, we need to differentiate between the “regular” denial-of-service attacks (DoS attacks) and the distributed denial-of-service attacks (DDoS attacks).
DoS attacks are a type of cyber-attack. The objective of a DoS attack is to make a service, machine, or network unavailable to its intended users. The method used in these attacks is sending an overwhelming amount of traffic to the target, most often in the form of numerous superfluous requests. This sub-type of DoS attack is known as flooding. Alternatively, DoS attacks can be executed by sending specially crafted data that crashes the targeted system, which has the same consequence as flooding the target. This sub-type of DoS attack is referred to as crashing.
The first publicly noted DoS attack occurred in 1996. The victim was Panix, an internet service provider (ISP). It was a flooding DoS attack. More specifically, it was a SYN Flood attack. SYN comes from “synchronize” and it refers to the first step in the TCP three-way handshake. The other two steps are the server’s SYN-ACK response (ACK standing for acknowledgment) and the client’s ACK response. When the client never sends that final ACK, the server keeps resources allocated to the half-open connection while it waits, and a large enough number of such half-open connections exhausts them.
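To make the half-open connection problem concrete, here is an added example (not part of the original article) that scans a constructed trace of client-side TCP flags and reports the two indicators a defender would look for: individual clients that leave many handshakes unfinished, and an overall handshake completion ratio that collapses, which also catches floods spread over many (possibly spoofed) source addresses. The trace format and all addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample trace (timestamp, client IP, TCP flag seen from the client), standing in
# for what a connection tracker or packet capture would show. 198.51.100.7 and 192.0.2.5
# complete their handshakes; the 203.0.113.x addresses send SYNs and never send the final ACK.
# This is not real capture data.
SAMPLE_TRACE = """\
1.000 198.51.100.7 SYN
1.020 198.51.100.7 ACK
1.030 203.0.113.9 SYN
1.031 203.0.113.9 SYN
1.032 203.0.113.9 SYN
1.033 203.0.113.10 SYN
1.034 203.0.113.11 SYN
1.035 203.0.113.12 SYN
1.036 203.0.113.13 SYN
1.037 192.0.2.5 SYN
1.050 192.0.2.5 ACK
"""

def half_open_stats(trace):
    """Count handshakes that were started (SYN) but never completed (ACK), per client."""
    pending = defaultdict(int)   # client -> SYNs not yet matched by a final ACK
    syns = acks = 0
    for line in trace.splitlines():
        _ts, client, flag = line.split()
        if flag == "SYN":
            pending[client] += 1
            syns += 1
        elif flag == "ACK" and pending[client] > 0:
            pending[client] -= 1
            acks += 1
    return {"syns": syns, "completed": acks,
            "half_open": {c: n for c, n in pending.items() if n > 0}}

def syn_flood_indicators(trace, per_source_limit=3, completion_floor=0.5):
    """Flag the two signs of a SYN flood: a client holding many half-open handshakes, and a
    low overall completion ratio (which also catches spoofed sources sending one SYN each)."""
    stats = half_open_stats(trace)
    noisy = sorted(c for c, n in stats["half_open"].items() if n >= per_source_limit)
    ratio = stats["completed"] / stats["syns"] if stats["syns"] else 1.0
    return {"noisy_sources": noisy, "completion_ratio": round(ratio, 2),
            "suspect_flood": bool(noisy) or ratio < completion_floor}
```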
DoS attacks are, by definition, carried out from a single machine/system/host. This is where we come to the crucial difference between DoS and DDoS attacks. DDoS attacks are always executed from multiple hosts, most often by simultaneously sending an abundant amount of attack packets.
The network which executes the DDoS attack is called a botnet (or an army). It’s created by infecting unsuspecting internet users’ computers with malware and transforming them into so-called “zombies”. These infected computers then follow the attacker’s commands, while making it incredibly difficult to track the attacker. Over time, these attacks have become more complex and more difficult to defend against.
What are the consequences of DDoS attacks and why do they happen?
The worst consequence of a DDoS attack is to make the target’s services (most often a website’s) unavailable to its intended users.
This can manifest in numerous ways, from slowing down the website’s response time to crashing it completely. The important thing is that most users are not willing to endure these hiccups in service. Most often when these incidents happen, customers of one service flock to the next most popular competitor.
Sometimes, the attackers do not want to crash the website completely. Instead, they aim to flood the servers just enough so they don’t crash, but increase their response time dramatically. This type of attack is referred to as degradation-of-service.
In basically every DDoS attack, the server’s resources are at stake. The resources that are targeted most frequently are the server’s bandwidth, computing power, or operating system data structures (such as the connection table).
Attackers’ motivation can come from various sources. Some attackers are financially motivated. If that’s the case, what can often happen is that an attacker will target a large company, and initiate a small-scale DDoS attack first. Its purpose is to let the target know how serious the attacker is. Afterward (or sometimes before the small attack) the attacker tries to extort the victim. In most cases, it is money that’s being requested.
Other motivating factors can be ideological, competitive, or even just the attacker’s boredom.
Protection methods against DDoS attacks
Now we come to the core of this article. What are the actual methods of protection against DDoS attacks? Before we continue, we should note two things. First, this list is not (and can’t be) exhaustive, because the field of cyber-security is constantly evolving. Second, there is no absolute way to protect yourself against DDoS attacks, in large part due to the first fact.
Also, an extremely important thing when implementing any type of protection solution is to make sure that as few regular users are targeted as possible. No protection is perfect, but we shouldn’t resort to indiscriminately stopping traffic – that’s the last thing we want. On the other hand, some “collateral damage” in the form of lost intended users is inevitable. Therefore, everything boils down to reducing this number as much as possible.
The best thing one can do is to constantly keep an eye on what’s going on in this field and upgrade their protection accordingly.
Diagnosis
One of the first preventive steps you can take is to do a diagnosis on your website. This can be done by a specialized tool, such as BotMeNot, which will test your protection against many types of bot traffic. This includes both useful and malicious traffic.
Having a plan in case of a DDoS attack
It’s hard to overstate the importance of being prepared for an attack and how much easier it is to deal with one when certain protocols are already in place. Having a plan means identifying your weaknesses and working on fixing them. Also, having a plan means knowing what your response will look like, to the extent possible.
Intrusion Prevention System
The next thing you can do is to use an Intrusion Prevention System. Essentially, this means putting in place a system that will look for any type of malicious activity aimed towards your website. There are three types of Intrusion Prevention Systems:
- Signature-based detection – based on detection and recognition of unwanted traffic patterns. In most cases, botnets that are used to perform a DDoS attack exhibit different behavioral patterns compared to real intended users. The downside of this method is that in most cases it’s based on comparing the behavioral pattern to an existing data set. This means that it isn’t good at detecting new types of attacks.
- Anomaly-based detection – relies on having a model of wanted or expected traffic and then comparing all of the incoming traffic to it. Depending on the deviation from the expected model, it is decided whether there’s a DDoS attack going on or not. This type often incorporates machine learning in order to create models and detect deviations.
- Reputation-based detection – consists of having a database of known botnets and exploitable servers’ IP addresses. These are all assigned a reputation score and, in most cases, denied access to the server or directed to a CAPTCHA page.
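The anomaly-based and reputation-based approaches above are easy to show side by side. The following is an added example (not code from the original article or from any IPS product): it builds an “expected traffic” model from a constructed quiet period, scores the current second against it, and, only when that second is anomalous, applies a reputation lookup per client so that clean addresses caught in a spike are not blocked indiscriminately. The baseline numbers, the reputation feed, and the thresholds are all assumptions made for the example.

```python
import statistics

# Constructed per-second request counts from a known-quiet period: the "expected traffic" model.
BASELINE_RPS = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]

# Constructed reputation feed: address -> score (0 = known bad, 100 = clean). Not a real feed.
REPUTATION = {"203.0.113.9": 5, "203.0.113.10": 15, "198.51.100.7": 90}

def build_model(samples):
    """Anomaly-based IPS, step 1: summarise expected traffic as mean and standard deviation."""
    return {"mean": statistics.mean(samples), "stdev": statistics.stdev(samples)}

def anomaly_score(model, observed_rps):
    """Step 2: how many standard deviations the observed second sits above the model."""
    return (observed_rps - model["mean"]) / model["stdev"]

def reputation_action(ip, feed, block_below=10, challenge_below=50):
    """Reputation-based IPS: deny known-bad sources, send doubtful ones to a CAPTCHA page.
    Addresses missing from the feed get a neutral score and are allowed."""
    score = feed.get(ip, 50)
    if score < block_below:
        return "deny"
    if score < challenge_below:
        return "captcha"
    return "allow"

def classify_second(model, per_client_requests, feed, z_limit=3.0):
    """Combine both detectors: a normal second passes untouched; an anomalous second is
    handled per client by reputation rather than by dropping all traffic."""
    observed = sum(per_client_requests.values())
    z = anomaly_score(model, observed)
    if z < z_limit:
        return {"anomalous": False, "z": round(z, 1), "actions": {}}
    return {"anomalous": True, "z": round(z, 1),
            "actions": {ip: reputation_action(ip, feed) for ip in per_client_requests}}
```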
Firewalls & Access-control Lists
Firewalls are another type of preventive measure, albeit not a very effective one. Firewalls can block incoming traffic based on a set of rules/parameters. This is only effective if the attack is coming from a single source, which you can block by protocol, IP address, or port. If the attack is more complex, this measure becomes less effective.
Similar to firewalls are access-control lists (ACLs). These lists perform what is called stateless inspection, as opposed to firewalls, which perform stateful inspection. What this means is that every individual packet is inspected on its own, without regard to what came before it. This makes ACLs not very effective against DDoS attacks.
Network monitoring software
Another thing you can do is to use network monitoring software. These tools serve to watch and analyze the traffic on your network and define patterns of expected behavior. These patterns can, later on, be used as a model with which unusual traffic can be compared.
Threat monitoring systems
Threat monitoring systems refer to the practice of continuously monitoring networks and their components. By correlating the data gathered from monitoring the networks, these systems are able to identify different types of threats and risks. What’s noteworthy here is that these systems differ to a certain extent depending on which vendor is offering them. There’ll always be slight variations in the way data is gathered and analyzed.
Honeypots
Simply put, honeypots are a way of deceiving the attacker in order to stop a potential attack and get to know the attacker’s methods. They can be thought of as bait or traps for the attackers. They consist of seemingly legitimate data that the attacker perceives as valuable, legitimate, and most importantly – vulnerable. However, this data is isolated and monitored. This enables the protection service to analyze the attacker without them knowing.
There are three main types of honeypots:
- Pure honeypots
- Low-interaction honeypots
- High-interaction honeypots
Blackholing & Sinkholing
These types of defenses are used when there is an ongoing attack with the objective of softening the attack’s strength and reducing the burden on the server.
Blackholing (or blackhole routing) refers to redirecting the malicious traffic to a null interface (the “black hole”). The problem with this approach is that it is very difficult to know in advance what traffic is legitimate and what isn’t. This potentially means denying legitimate traffic from your server. One of the ways this can be overcome is to blacklist the already known malicious IP addresses.
Sinkholing (or sinkhole routing) is similar to blackhole routing in that it redirects the malicious traffic. However, it doesn’t redirect it to a non-existent destination, but rather to a valid server. There, the suspicious traffic can be analyzed and then redirected back if it turns out to be legitimate. A positive side of this method is that it’s very good at distinguishing between legitimate and malicious traffic. However, this type of routing is not suitable for dealing with large-scale attacks, because the sinkhole itself has to absorb and inspect all of the redirected traffic.
Recommended practices for stopping DDoS attacks
As we’ve already mentioned, attackers are constantly trying to find ways around current defenses. This is why regular updates and maintenance of servers’ defenses are crucial for their safety and stability. It’s a widely recommended practice that should not be overlooked.
If possible, you should consider using cloud-based services for your business. There are two advantages to this. First, almost as a rule, they offer more bandwidth compared to the common “on-premise” solutions. The second thing is that they’re geographically dispersed, making them harder to target.
It’s also useful to mention techniques that aim to make servers able to endure a DDoS attack in case it happens. One such measure is to increase server resources (bandwidth and computing capacity) in order to render an attack harmless. This method is very expensive and not applied frequently.
Conclusion
We’ve come to the end of this article. After learning what DDoS attacks are and what their consequences are, you’ve read about the ways you can protect against them.
As you can see, the protection mechanisms can be very different from one another, but also very similar, in which case only subtle differences distinguish them.
What is important is that every server or website attracts different types of attacks, and thus, requires different types of protection solutions.
This means that you should always diagnose your website before choosing a suitable protection solution. The good thing is that there is a tool just for that. It’s called BotMeNot and it functions as a bot protection scoring service that runs tests on a website and reveals how protected that website is.