DDoS stands for Distributed Denial of Service. A DDoS attack uses many computers (typically a botnet) to flood a single computer or network with non-legitimate service requests and overload its resources. Rarely does a week go by without news of some organization being hit by a DDoS attack.
DDoS should not be confused with DoS, where a single computer is used to flood the victim's system or resources. The distinguishing feature of DDoS, from the attacker's side, is that it becomes much harder for the defender to differentiate legitimate requests from non-legitimate ones.
Types of DDoS attacks
There are countless types of DDoS attacks, ranging from straightforward and unimaginative to highly complex. As defense mechanisms get stronger, cyber criminals respond with new and innovative types of DDoS attack.
1. Ping of Death (PoD)
Ping of Death, also called Teardrop attack, is a protocol-based attack. It involves sending multiple malicious pings to a computer to crash it, i.e. causing denial of service. It is caused by deliberately sending packets larger than 65,536 bytes. When a large IP packet is sent, it is split into multiple IP fragments; upon reassembly, however, the total size may exceed the allowed 65,536 bytes. Many operating systems are unable to process such packets, which causes the receiving server to crash.
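The defensive side of this is a reassembly routine that validates fragment offsets before it buffers anything. As an added illustration (not code from the original article), here is a minimal IPv4 fragment-reassembly check in Python that refuses any fragment whose offset plus payload length would push the reassembled datagram past 65,535 bytes, the ceiling of the 16-bit IPv4 total-length field that an oversized ping relies on exceeding. The `Fragment` class, the constructed fragment sets and the helper names are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

# Largest total length an IPv4 datagram can declare: the header field is 16 bits.
IP_MAX_DATAGRAM = 65535


@dataclass
class Fragment:
    """Hypothetical in-memory view of one IPv4 fragment (example type, not a library one)."""
    ident: int            # IP identification field; identical for all fragments of one datagram
    offset_units: int     # fragment offset as carried in the header, in 8-byte units
    more_fragments: bool  # MF flag: cleared only on the final fragment
    payload: bytes


class ReassemblyError(ValueError):
    """Raised for any fragment set that must be dropped instead of reassembled."""


def fragment_end(frag: Fragment) -> int:
    """Return the byte position where this fragment's data ends, or raise if that
    position lies beyond what any IPv4 datagram may legitimately contain."""
    start = frag.offset_units * 8
    end = start + len(frag.payload)
    if end > IP_MAX_DATAGRAM:
        raise ReassemblyError(
            f"fragment id={frag.ident} would end at byte {end} > {IP_MAX_DATAGRAM}")
    if frag.more_fragments and len(frag.payload) % 8 != 0:
        raise ReassemblyError("non-final fragment payload must be a multiple of 8 bytes")
    return end


def reassemble(frags: List[Fragment]) -> bytes:
    """Validate every fragment first, then stitch them together in offset order.
    Checking before buffering means an oversized fragment never causes an oversized
    allocation or an overrun of a fixed-size reassembly buffer."""
    if not frags:
        raise ReassemblyError("no fragments")
    ident = frags[0].ident
    pieces = []
    for f in frags:
        if f.ident != ident:
            raise ReassemblyError("fragments belong to different datagrams")
        pieces.append((f.offset_units * 8, fragment_end(f), f))
    pieces.sort(key=lambda p: p[0])

    buf = bytearray()
    expected = 0
    for start, end, f in pieces:
        if start != expected:                     # reject gaps and overlaps alike
            raise ReassemblyError(f"gap or overlap at offset {start}")
        buf += f.payload
        expected = end
    if any(not f.more_fragments for _, _, f in pieces[:-1]):
        raise ReassemblyError("MF flag cleared before the final fragment")
    if pieces[-1][2].more_fragments:
        raise ReassemblyError("final fragment missing")
    return bytes(buf)


def accepts(frags: List[Fragment]) -> bool:
    """True if the fragment set reassembles cleanly, False if it must be dropped."""
    try:
        reassemble(frags)
        return True
    except ReassemblyError:
        return False


# Constructed sample fragment sets (not captured traffic).
NORMAL = [                                  # 1480 + 100 bytes, offsets contiguous
    Fragment(1, 0, True, b"A" * 1480),
    Fragment(1, 185, False, b"B" * 100),    # 185 * 8 == 1480
]
OVERSIZED = [                               # final fragment claims bytes 65480..65580
    Fragment(2, 0, True, b"A" * 1480),
    Fragment(2, 8185, False, b"B" * 100),   # 8185 * 8 + 100 == 65580 > 65535, rejected
]

if __name__ == "__main__":
    print("normal set accepted:", accepts(NORMAL))        # True
    print("oversized set accepted:", accepts(OVERSIZED))  # False
```

The point of validating in a first pass is that the decision to drop is made on header arithmetic alone; no memory is reserved for the datagram until every fragment has been shown to fit, so the malformed set costs the receiver almost nothing.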
3. SYN Flood
A SYN flood exploits the way the TCP handshake works. The victim is flooded with a succession of SYN requests in an attempt to consume server resources, so that it denies service to legitimate users. Most web servers nowadays sit behind firewalls that can handle such SYN floods, and web servers themselves have become more resilient to them.
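The signature a defender looks for is a burst of SYNs that are never followed by the client's ACK. As an added example (not part of the original article), here is a small detection heuristic in Python run over constructed per-packet records: it alerts when a destination receives at least `syn_threshold` SYNs in one second and fewer than half of them are completed by an ACK from the same source within a short window. The record format, the thresholds, the address values and the `build_sample` traffic are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from typing import Iterator, List, Tuple

# One constructed record per packet (not captured traffic): "<epoch-second> <src> <dst> <flags>"
# where flags is S (client SYN) or A (client ACK completing the handshake).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(S|A)$")


def parse(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (second, src, dst, flags); silently skip lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, flags = m.groups()
            yield int(ts), src, dst, flags


def syn_flood_alerts(text: str, syn_threshold: int = 50, min_completion: float = 0.5,
                     ack_window: int = 2) -> List[Tuple[str, int, int, int]]:
    """Return (dst, second, syn_count, completed) for every destination-second in which at
    least syn_threshold SYNs arrived and fewer than min_completion of them were followed by an
    ACK from the same source within ack_window seconds. Spoofed sources never ACK, so a flood
    shows up as a burst of SYNs with a collapsed completion ratio even when real clients are
    mixed in."""
    syn_events = defaultdict(list)   # (dst, second) -> [src for each SYN seen]
    ack_times = defaultdict(set)     # (src, dst) -> {seconds at which src ACKed dst}
    for sec, src, dst, flags in parse(text):
        if flags == "S":
            syn_events[(dst, sec)].append(src)
        elif flags == "A":
            ack_times[(src, dst)].add(sec)

    alerts = []
    for (dst, sec), srcs in syn_events.items():
        if len(srcs) < syn_threshold:
            continue
        completed = sum(
            1 for src in srcs
            if any(sec <= t <= sec + ack_window for t in ack_times.get((src, dst), ()))
        )
        if completed / len(srcs) < min_completion:
            alerts.append((dst, sec, len(srcs), completed))
    return sorted(alerts)


def build_sample() -> str:
    """Constructed traffic: a quiet second, then a second in which the same five real
    clients are drowned out by 60 SYNs from sources that never complete the handshake."""
    lines = []
    for i in range(1, 6):                                   # second 100: normal
        lines.append(f"100 192.0.2.{i} 198.51.100.10 S")
        lines.append(f"100 192.0.2.{i} 198.51.100.10 A")
    for i in range(1, 6):                                   # second 101: real clients...
        lines.append(f"101 192.0.2.{i} 198.51.100.10 S")
        lines.append(f"102 192.0.2.{i} 198.51.100.10 A")    # ...ACK a second later, inside the window
    for i in range(1, 61):                                  # ...plus 60 never-ACKed SYNs
        lines.append(f"101 203.0.113.{i} 198.51.100.10 S")
    return "\n".join(lines)


SAMPLE = build_sample()

if __name__ == "__main__":
    for dst, sec, syns, done in syn_flood_alerts(SAMPLE):
        print(f"ALERT dst={dst} second={sec} syns={syns} completed={done}")
```

Counting per destination rather than per source matters here: a flood from spoofed addresses spreads one SYN across thousands of sources, so per-source counters never trip, while the server-side completion ratio collapses immediately.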
4. UDP Flood
UDP flood is a type of DDoS attack in which an attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for applications associated with these datagrams and—finding none—sends back a “Destination Unreachable” packet. As more and more UDP packets are received and answered, the system becomes overwhelmed and unresponsive to other clients.
5. ICMP (Ping) Flood
An ICMP flood is similar in principle to a UDP flood. The victim is overwhelmed with ICMP echo request packets, generally sent as fast as possible without waiting for any replies. It is more dangerous than a UDP flood because it consumes both outgoing and incoming bandwidth: the victim server is overloaded with echo requests and exhausts its resources answering them, so it can no longer process valid network traffic.
6. Slowloris
Slowloris is a tool that allows an attacker to perform an attack with very few resources. A partial HTTP request is opened and kept active for as long as possible; further HTTP headers are sent at intervals so the request never completes and the connection stays open. This keeps many partial connections active, consuming the web server's connection capacity until the website eventually goes offline.
7. Peer to Peer Attacks
In this attack, instead of using a botnet, a peer-to-peer service's server is used to redirect traffic to the target website. Anyone visiting the file-sharing hub is redirected to the victim's website, increasing its traffic and eventually taking it offline.
8. Reflected / Spoofed Attack
In computer security, a reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side. The essential idea of the attack is to trick the target into providing the answer to its own challenge.
9. Multi-Vector Attacks
Multi-vector attacks are the most complex form of DDoS. The attacker combines multiple DDoS methods and strategies into one attack. These attacks mostly target specific applications on the target server while also flooding the target with a large volume of malicious traffic. They are the most difficult to mitigate because the attack arrives in different forms and targets different resources simultaneously.
Attackers used to compromise a single server at a university or research center (places with plenty of bandwidth) and launch their attacks from there. To make attacks harder to detect, they now use botnets. The following techniques can help reduce the impact of a DDoS attack:
1. Bandwidth Oversubscription
This is the simplest way to defend an organization's network against DDoS attacks. Most DDoS attacks are a game of capacity. For example, if 20000 systems each send 1Mbps, 20Gb of data hits the network each second, so all one needs to do is ensure that the available bandwidth exceeds 20Gbps. However, modern DDoS attacks are unpredictable and large in scale, which makes it difficult for a small or medium-sized company to protect its network this way. Such companies can opt to route their traffic through a content delivery network.
2. Content delivery network
A content delivery network, also known as content distribution network (CDN), is a globally distributed network of proxy servers deployed in multiple data centers.
The idea is to use several data centers, spread across geographic locations, to serve content to visitors. This eliminates a single point of failure, spreads the attack load, and makes it harder to exhaust resources or saturate links.
In other words, content delivery networks use their large distributed server infrastructure to absorb attack traffic and so provide a degree of protection against DDoS.
3. Round-robin DNS
According to Wikipedia, “Round Robin DNS is a technique of load distribution, load balancing, or fault-tolerance provisioning multiple, redundant Internet Protocol service hosts, e.g., Web server, FTP servers, by managing the Domain Name System (DNS) responses to address requests from client computers according to an appropriate statistical model.” In its simplest implementation, round-robin DNS responds to DNS requests with multiple IP addresses instead of a single one, so the traffic load is distributed over several servers. This method usually works best for organizations with uniformly distributed servers of equivalent capacity.
4. System Hardening
You can often configure both your operating system and your applications to be more resilient to application-layer DDoS attacks. For example, ensuring that unneeded services and ports are disabled on every system connected to the enterprise network is a good way of reducing the attack surface.
5. Patch management
Applying patches regularly to the web server reduces the chance of a successful DDoS attack, as it closes previously known vulnerabilities that could otherwise be exploited.
6. Dark Address Prevention
Dark IP addresses are those not yet assigned to anyone by IANA. It is advisable to keep a list of these addresses and block them, as any request arriving from one of them indicates IP spoofing.
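The same filter applies to reserved and private ranges, which should never appear as a source address on the public Internet either. As an added example (not code from the original article), the Python below classifies inbound source addresses against a prefix list and drops anything that matches. The list is a fixed illustrative subset of IANA special-purpose IPv4 blocks; the unassigned "dark" space the text refers to changes as IANA and the RIRs allocate blocks, so a real deployment must refresh its list from an authoritative feed rather than hard-code it. The record format and the sample addresses are constructed for this example, and IPv6 is left out.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Special-purpose IPv4 blocks (RFC 1918 private space, loopback, link-local, documentation,
# benchmarking, multicast, reserved) that never legitimately appear as a source address on the
# public Internet. Illustrative subset only: the unassigned space the text refers to changes
# over time and must come from an authoritative, regularly updated source in production.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def bogon_match(addr: str) -> Optional[str]:
    """Return the prefix that covers addr, "invalid" for an unparsable address, or None if
    addr is outside every listed block. A source we cannot classify is dropped, not passed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.version != 4:
        return None   # IPv6 is out of scope for this illustration
    for net in BOGON_PREFIXES:
        if ip in net:
            return str(net)
    return None


def filter_sources(records: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split constructed "<src> <proto>" records into those to pass and those to drop.
    Returns (passed_records, {dropped_record: reason})."""
    passed, dropped = [], {}
    for rec in records:
        src = rec.split()[0]
        reason = bogon_match(src)
        if reason is None:
            passed.append(rec)
        else:
            dropped[rec] = reason
    return passed, dropped


# Constructed sample of inbound packet sources (not captured traffic): "<src> <proto>".
SAMPLE = [
    "8.8.8.8 udp",        # routable public source: passed
    "10.1.2.3 tcp",       # RFC 1918 private space arriving from the Internet: spoofed
    "224.0.0.9 udp",      # multicast can never be a unicast source
    "192.0.2.44 icmp",    # documentation block (TEST-NET-1)
    "not-an-ip tcp",      # unparsable source
]

if __name__ == "__main__":
    ok, bad = filter_sources(SAMPLE)
    for rec in ok:
        print("PASS", rec)
    for rec, why in bad.items():
        print("DROP", rec, "->", why)
```

In practice this check belongs at the network edge (a router ACL or firewall rule set generated from the list), where a spoofed packet is discarded before it consumes any server-side resources; the Python above is only the classification logic that such a rule set encodes.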
7. Granular Rate Limiting
Most DDoS attacks show some similarity between the packets of a single attack. Granular rate limiting is a technique that identifies rate violations by comparing current traffic with past behavior: it uses information stored from the past and adapts its thresholds over time.
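One way to build such a limiter, as an added example that is not part of the original article, is to key requests by the attributes a flood tends to share (here the source address and requested path), learn each key's normal accepted rate with an exponentially weighted moving average, and allow a key to burst only to a multiple of its own learned baseline, never below a fixed floor. The learning rule, the floor and multiplier values, the key choice and the constructed access log are all assumptions made for this illustration.

```python
from collections import defaultdict
from typing import Dict, Hashable, List, Tuple


class AdaptiveRateLimiter:
    """Per-key limiter whose ceiling is learned from that key's own accepted rate.

    floor      - requests per second every key may always make
    multiplier - how far above its learned baseline a key may burst
    alpha      - EWMA weight: higher adapts faster, lower is harder to game
    """

    def __init__(self, floor: int = 10, multiplier: float = 3.0, alpha: float = 0.2):
        self.floor, self.multiplier, self.alpha = floor, multiplier, alpha
        self.baseline: Dict[Hashable, float] = defaultdict(float)  # key -> EWMA of accepted/sec
        self.window: Dict[Hashable, List[int]] = {}                # key -> [second, accepted so far]

    def limit_for(self, key: Hashable) -> float:
        return max(self.floor, self.multiplier * self.baseline[key])

    def allow(self, key: Hashable, ts: float) -> bool:
        sec = int(ts)
        state = self.window.get(key)
        if state is None or state[0] != sec:
            if state is not None:
                # Fold the finished second into the baseline. Only accepted requests count,
                # so a flood that is mostly rejected cannot quickly raise its own ceiling.
                # (Idle seconds in between are not folded in as zeros; a simplification.)
                self.baseline[key] = (1 - self.alpha) * self.baseline[key] + self.alpha * state[1]
            state = [sec, 0]
            self.window[key] = state
        if state[1] + 1 > self.limit_for(key):
            return False
        state[1] += 1
        return True


def replay(lines: List[str], limiter: AdaptiveRateLimiter) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Feed constructed access records "<second> <src> <path>" through the limiter in time
    order and return {(src, path): (accepted, denied)}. The key groups requests that look
    alike (same source, same target path), which is the 'similarity' the text relies on."""
    tally: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, src, path = line.split()
        key = (src, path)
        tally[key][0 if limiter.allow(key, float(ts)) else 1] += 1
    return {k: (v[0], v[1]) for k, v in tally.items()}


def build_sample() -> List[str]:
    """Constructed log (not real traffic): one client at a steady 8 req/s for 20 s, and one
    source hammering a login path at 100 req/s for 3 s."""
    steady = [f"{t} 192.0.2.1 /index" for t in range(20) for _ in range(8)]
    flood = [f"{t} 203.0.113.7 /login" for t in range(3) for _ in range(100)]
    return steady + flood


if __name__ == "__main__":
    lim = AdaptiveRateLimiter()
    for key, (ok, no) in replay(build_sample(), lim).items():
        print(key, "accepted", ok, "denied", no, "ceiling now", round(lim.limit_for(key), 1))
```

With these parameters the steady client is never throttled and its ceiling drifts up towards three times its observed rate, while the flooding key is held to about the floor for every second of the burst: because only accepted requests feed the baseline, the attacker's ceiling rises by at most a couple of requests per second no matter how hard it pushes.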
8. Protect DNS server
This is something many administrators tend to forget. DNS is one of the critical pieces of a network, and it is risky to leave a DNS server running as an open resolver. Even if your website is working fine, if none of your clients can resolve your domain name, it is as bad as the website being down. The easiest way to cope with such a situation is to register with multiple DNS servers.
Most large-scale service providers such as Google, Amazon and Facebook have their own DDoS protection infrastructure and mechanisms, which are expensive to implement and maintain. For a small business it is always advisable to subscribe to a third-party DDoS protection service.