Your favorite website goes offline. That firewall in your office network isn’t filtering anything and is overwhelming the server machines that it is connected to. If an LDAP port is hit by a DDoS attack, you have no Active Directory securing the user accounts on your Windows client PCs. Maybe an IMAP server was hit, so now you have to actually phone your boss because she cannot communicate with you via email.
You sit in your cubicle, unable to log into your PC because LDAP was DDoS attacked. Accessing your work email on your phone is a waste of time because your employer’s email server won’t work if it’s the DDoS target instead. And to all of that, the web forums on fly fishing you usually kill time with are offline because they were hit by a DDoS attack as well! The network administrator steps out of the datacenter and announces to your office that the company’s firewalls and servers were hit by a DDoS attack. But there’s no need to worry, because she will bring everything back online within the next ten minutes. What happened?
What is DDoS?
DDoS is an acronym for Distributed Denial of Service. A simple Denial of Service could be a technical accident where something such as a memory buffer overflows and the affected device is forced to shut down because of it; however, DDoS attacks are no accident. They are deliberate, malicious cyber-attacks.
The targeted network appliance or server denies usual service because it has been deliberately overwhelmed with data packets. Imagine five hundred people trying to run through a doorway at the same time. The service that the doorway usually provides by allowing people to go from one room to another will obviously no longer work. The doorway has a finite capacity, same as a firewall and memory buffer in your server application.
DDoS attacks are conducted deliberately by cyber attackers. The most common way that DDoS attacks are conducted these days is by leveraging control of a botnet. A botnet is a network of “bots,” usually through the internet. The bots are usually PCs, mobile devices, and IoT devices which have malware on them that allows a cyber attacker to use their computing power through their command and control server. When the attacker finds a public IP address that they want to target, they will command their bots to send as many data packets to the IP as possible. All of those packets all at once will overwhelm whichever device and software the IP is connected to, and it will go out of service.
Occasionally these days but more frequently in the 1990s, a web server’s website could go offline if too many people try to download webpages from it at the same time. Big tech companies like Google and Amazon have massive datacenters around the world which consume more electricity than some countries. They can handle millions of people trying to use their web services at the same time. But if I install Apache on an old PC on my LAN and put a website on it, it won’t have anywhere near the same capacity. Hundreds of people trying to download a webpage at the same time might overwhelm my home router and my modest PC, and it will go offline. That’s the sort of denial of service that’s an innocent accident. But DDoS attacks are no accidents. They’re also distributed, which means that many different devices are working in unison to flood an IP with packets.
Explain Types of DDoS attacks
The OSI layer model describes seven layers which constitute a networked computing entity, usually through TCP/IP.
The seventh layer is the application layer. If a DDoS attack overwhelms the memory buffer of my server application, then it’s a layer 7 DDoS attack.
A common type of layer 7 attack is an HTTP flood. It’s when HTTP or HTTPS on a web server is targeted and overwhelmed with GET requests. Your computer made a GET request in order to download this webpage. Your computer, your web browser, and this web server all performed according to how they were designed. An HTTP flood attack exploits that design in order to do harm.
The third OSI layer is the network layer. The actual layout of a network, which machines are connected to which other machines and their paths are manifested at the third layer. The fourth OSI layer is the transport layer. All packets which go through TCP/IP, the backbone of both the internet and private networks, are either TCP or UDP. The headers of those packets help determine how they are routed through a network and that action is manifested at layer four.
Protocol attacks are a type of DDoS attack which uses the third and fourth OSI layers. A botnet could send a targeted IP address a bunch of spoofed SYN packets, which are just a way of saying “look at me!” A service running on a TCP/IP port is supposed to return SYN/ACK packets. “I see you, I acknowledge you!” But if too many bad SYN packets are sent, the SYN/ACK packets may not know where to go, and the device connected to the IP will likely go out of service.
Volumetric attacks are another common type of DDoS attack. All networks have a finite amount of bandwidth. A volumetric attack tries to fill a network’s bandwidth as much traffic as it possibly can, on as many TCP/IP ports and devices as possible. The goal for a cyber attacker is to fill a targeted network with so much of their rubbish that there’s no room for legitimate network traffic and the devices on the network are forced to shut down.
DDoS attacks are usually easy to recover from, but allow for worse cyber attacks
Network administrators value uptime more than most anything else. That’s understandable, when a server goes offline it makes a network service unavailable and a company could possibly lose business transactions and money. A proper server is supposed to be online at all times, including when it’s 3am on Christmas morning in your time zone. Many networks will build redundancy so that if some servers need to be shut down for any reason, other servers which perform the same function will be up and users will experience no disruption in service.
Recovering from a DDoS attack usually involves rebooting computers and network appliances and then restarting servers and other services. A cybersecurity minded network staff will record their incident response and analyze how they can better secure their network in the aftermath. But DDoS attacks can be recovered from relatively quickly. So why are DDoS attacks so attractive to cyber attackers?
Some cyber attackers may be hacktivists who just want to see a website they don’t like go offline for a few minutes or a few hours. But here’s the most common motive for a DDoS attack. DDoS attacks are a distraction. Network administrators should respond to them immediately so they experience as little downtime as possible. The problem is, while they’re doing that, they cannot watch their network for other attacks. Even if the DDoS targets are only offline for a few minutes, those few minutes may give an attacker plenty of time to conduct a data breach or acquire malicious remote access to your computers and network-attached storage.
DDoS attacks can be mitigated by having redundant servers and network appliances, having intrusion detection and intrusion prevention systems, improving firewalls, having redundant physical sites for your network, having redundant public IP addresses, having a good SIEM to feed your logs into, and skilled network and cybersecurity professionals to watch everything.