By now most of aren’t strangers to cyber-attacks. Even if you have never fallen victim you would have seen plenty of news surfing the digital space on how company systems get compromised each day. Out of these attacks, Dos or DDoS is a regular term that keeps popping up. What do these terms mean? How does one protect themselves from these type of attacks? Here’s what you need to know.
Before getting into DDoS, it is important to understand is a DoS attack. As the name implies DoS, or Denial-of-Service aims to disrupt a service preventing access to the intended user. A typical DoS attack will look to flood a system with requests. The idea is to overload the system and prevent it from fulfilling legitimate requests.
DDoS, or Distributed-Denial-of-Service is DoS attacks that occur from multiple sources towards a target system. Unlike DoS, this makes DDoS attacks harder to mitigate since blocking a single source will not help.
Variations of DDoS attacks:
Application layer DDoS attacks
Denial-of-Service attacks come in different forms. One of them is layer 7 DDoS attacks or better known as application-layer DDoS attacks. These attacks occur on layers 5 through 7 of the OSI model disguised as legitimate traffic. This refers to processes that operate via protocols such as SMTP, FTP, HTTPS, VoIP applications, etc. As such, application-layer attacks can disrupt search functions, information retrieval or other business-critical functions of a website.
SYN flood
These attacks manipulate the three-way handshake in TCP connection sequence. In a usual scenario, the host system would receive a synchronized (SYN) message that would begin the handshake. The synchronized message is followed up by an acknowledgement (ACK) message. Another ACK message is sent to the host system to complete the handshake. In a SYN flood attack, spoofed SYN messages are sent. This keeps the connection opened since no acknowledgement message is sent. Hence, disrupting the system.
HTTP flood
This occurs in the form of seemingly legitimate GET or POST requests. These are exploits by hackers.
UDP flood
The attack targets random ports on a system via User Datagram Protocol (UDP) packets.
NTP amplification
NTP amplification attacks exploit Network Time Protocol servers. In case you didn’t know, NTP is used to synchronize computer clocks. Thereby, an exploit on NTP servers aims to overload UDP traffic. This causes the server to malfunction.
Advanced Persistent DoS attacks
These attacks use a variety of attacks and can last for days, if not weeks. Attackers employing this strategy routinely switches between different targets in order to create diversions and escape DDoS mitigation measures.
DDoS attacks throughout history
The world’s first known DoS attack is believed to be the one against Panix, one of the world’s oldest ISPs. The ISP was hit with a SYN flood attack in 1996 leaving hardware service providers like Cisco in the dark.
In 1997, internet access was said to have been disrupted at the DEF CON event thanks to a DoS attack. Although a demonstration at the time, the release of the sample code resulted in several major corporations like Sprint and E-Trade getting attacked online.
In 2012, a wave of DDoS attacks targeted six US banks—Bank of America, US Bank, JPMorgan Chase, Wells Fargo, Citibank, and PNC Bank. Hundreds of servers were hijacked via a botnet called Brobot. The attacks were carried out through these servers with each reportedly generating over 60 gigabits of DDoS attack traffic per second.
Nine years later, encrypted messaging app Telegram was hit with a massive DDoS attack originating from China. This was in response to the Hong Kong protests as a countermeasure to limit communication among protestors.
Even by 2020 DDoS attacks continue to be one of the biggest problems in the digital space. According to Cisco report, the company expects DDoS attacks to rise from 7.9 million in 2018 to a little over 15 million by 2023. With attackers continuing to create bigger botnets the scale of these attacks will also likely increase. For example, even Amazon Web Services wasn’t safe. Last month, the global giant was hit with the largest DDoS attack ever recorded, at a whopping volume of 2.3 Terabits per second.
Setting protection against DDoS attacks
As we’ve seen, many DDoS attacks are largely dependent on vulnerable ports, protocols, and applications. Thereby, it is important to minimize the potential surface area for such attacks. One way of achieving this is by understanding what normal and abnormal traffic look like in your network. This gives a clear indication if a system is potentially under a DDoS attack.
Another way of mitigating these attacks are utilizing load balancers and Content Distribution Networks (CDNs). Load balancers basically help distribute traffic across multiple servers. Meanwhile, a CDN is a group of geographically distributed servers that aim to deliver internet content faster. Essentially, CDNs enable quick transfer of assets that are required to load content on websites. From a security perspective, this restricts direct internet traffic to parts of your infrastructure. Thereby, a properly configured CDN would help mitigate the risk of DDoS attacks.
Additionally, Access Control Lists and firewalls would help users control the kind of traffic that gets to a particular application. But on a broader perspective, it is vital to plan systems for scale. After all, the DDoS attack on AWS recorded a mammoth 2.6Tbps. As such, systems need to take bandwidth and server capacity into consideration. Ideally, your hosting provider should be equipped to handle large volumes of traffic and scale up or down on computational resources according to as needed.
You can also take things a step further by utilizing DDoS Cloud Scrubbing services to protect organizations from volumetric attacks. Cloud Scrubbing would help divert traffic from a company’s data centers during an attack.
Of course, these are only a few of the ways of setting up defence protocols against DDoS. Countermeasures to security compromises involve an extensive set of tools and processes that needs to be set in place. Furthermore, it is often an ongoing procedure.
Curious to know how your organization can up its cybersecurity defences? Feel free to give us a buzz on info@c-yber.com or call us up (+372) 602 3532 for more details.