A distributed DoS attack performed simultaneously from a large number of devices over which attackers were able to gain control and, on command, generate streams of junk requests. Such an attack can cause a denial of service for a large company or network. In this article, together with Imperva, we will analyze this topic in detail. Go!
Operating Principle
The purpose of a DDoS attack is to achieve a denial of service for devices connected to the Internet: network equipment and infrastructure, various Internet services, websites and web applications, and the Internet of Things infrastructure.
The vast majority of attacks develop in the following sequence:
- collecting data about the victim and analyzing them in order to identify obvious and potential vulnerabilities, choosing an attack method;
- preparing for an attack by deploying malicious code on computers and Internet-connected devices that have been taken control of;
- generating a stream of malicious requests from a variety of devices controlled by an attacker;
- analysis of the effectiveness of the attack: if the goals of the attack were not achieved, the attacker can conduct a more thorough analysis of the data and re-search for attack methods.
In the event of a successful attack, the affected resource will show a significant performance degradation or will not be able to process legitimate requests from users and other services at all. Depending on what exactly the victim resource is, the consequences of a successful DDoS attack can be a sharp drop in performance or unavailability of the network, server, Internet service, website, application. As a result, the Internet resource “freezes”, legal users cannot access it at the right time, the network or server becomes temporarily “cut off” from the Internet, the Internet resource stops working correctly, and so on.
Motivation of malefactors can be various. The most common are unfair competition, blackmail attempts, conflicts of interest or belief, social or political protest. Also often there are attacks on the basis of revenge, from the desire to “practice” in the hacker’s criminal craft, as well as from vanity. However, in recent years, the desire of the perpetrators of DDoS attacks to earn extra money has come to the fore. And if the order for the attack is generously paid for, it can be very intense, last for many hours, be modified and repeated again and again.
The damage from a successful DDoS attack primarily lies in financial and reputational costs: lost profits, termination of contracts and outflow of users, numerous complaints and complaints from customers, a wave of negativity in the media and social networks and, as a result, a drop in the popularity of the Internet resource and its owner. Often, a DDoS attack is used as a cover for the main malicious impact during targeted attacks: while information security specialists concentrate on repelling DDoS and restoring systems, attackers amplify the main attack vector – for example, hack a service, steal confidential data, or install malicious codes.
Who are DDoS attacks against?
Most often, the objects of DDoS attacks are government, financial institutions, gaming services, e-commerce companies. Since the beginning of the pandemic, attacks on educational resources, video conferencing services, online cinemas, media and entertainment sites have increased dramatically.
The largest attack was carried out in 2013 against the international non-profit organization Spamhaus, which aims to fight spam. It can be assumed that the attackers interested in spreading spam were clearly dissatisfied with its successful activities.
In 2014, one of the most powerful DDoS attacks in history was carried out – this time against the Occupy Central movement, which was gaining strength in Hong Kong, advocating a change in the country’s voting system.
In 2015 and 2018, two more DDoS attacks that went down in history took place – against the world’s largest online resource for joint development and hosting of IT projects, GitHub.
Classification Of Ddos Attacks
The most commonly used way to classify attacks is by the OSI layer at which they were carried out. We list the most common types of attacks:
- Network layer (L3): DDoS attacks of this layer “work” over IP, DVMRP, ICMP, IGMP, PIM-SM, IPsec, IPX, RIP, DDP, OSPF, OSPF protocols. The targets of attacks are primarily network devices – switches (switches) and routers (routers).
- Transport layer (L4): impact is made via TCP and UDP protocols, as well as via DCCP, RUDP, SCTP, UDP Lite subprotocols. This level of attack usually targets servers and some Internet services, such as gaming.
- Application layer (L7): The attack is carried out at the application protocol layer. Most often, attackers use HTTP, HTTPS, and DNS. Attacks of this level target both popular network services and various websites and web applications.
Another common way to classify is according to the method of exposure:
- use of protocol vulnerabilities: they allow you to achieve a denial of service by influencing the attacked resource with incorrect requests, as a result of which the victim “goes into a stupor” trying to process them;
- overflowing traffic with a powerful stream of requests that the victim is unable to “digest”;
- impact on weak points in the architecture and logic of applications, which can severely disrupt the performance of a software complex connected to the Internet, especially if it has a weak level of security.
Ddos Protection
Before taking on the use of DDoS protection services, you should take care of increasing the degree of security of the Internet service – its ability to effectively repel attacks with minimal resource consumption. Otherwise, to protect the Internet service from impacts, you will have to spend a lot of effort and money. In a nutshell, to improve security, you need to:
- provide as little information as possible to the attacker;
- provide as much information as possible to the DDoS defender;
- provide clear attack filtering capabilities;
- ensure the reliability of the service under attack.
Opportunities for protection against DDoS attacks can and should be provided for in an Internet resource at the design stage of its architecture: good design will increase the availability of the resource and reduce the cost of protecting it from attacks.
As for the means of protection, they can be divided into local (on-premise), cloud and hybrid. On-premise solutions and anti-DDoS tools are both software and hardware (specialized network devices), and they can be installed by both customers themselves and their providers. The main users of local anti-DDoS solutions are large telecom operators (cloud and Internet providers) and data centers that can afford to have their own response service, are able to cope with powerful (hundreds of gigabits) attacks and offer anti-DDoS service to their customers .
Cloud solutions implement almost the same security functionality as on-premise solutions. In addition to packaged protection, anti-DDoS cloud service providers often offer services to protect sites from attacks by bots (hackers use the HTTP protocol in them), as well as technical support and maintenance during a DDoS attack. Cloud solutions seem to be the best option for most companies.
A hybrid solution is a set of an on-premise solution and a subscription to an anti-DDoS cloud service, which is connected automatically when an attack starts. A hybrid approach removes the attack volume limitations of on-premise solutions and takes advantage of both cloud-based solutions and on-premise tools. Hybrid solutions can be recommended for large enterprises that focus on customer interaction through online channels, as well as small service providers.
Depending on which Internet resources need to be protected, anti-DDoS tools and services are selected that have a particular range of protection functions:
- Packet flood protection based on packet filtering of the transport and network layers (L3 and L4) – this is enough to protect network devices;
- protection from both batch flooding and flooding at the application level (L3 – L7) – this is necessary, in particular, to ensure the operability of sites, since most attacks on them are carried out at the L7 level;
- protection not only from flooding at the L3 – L7 level, but also from “intelligent” DDoS attacks using “smart” bots that attack those parts of web applications that are most resource intensive when processing incoming requests, using Web Application Firewall functions ( WAF) – this is necessary to protect critical Internet resources.
According to the connection format, symmetric and asymmetric DDoS protection are distinguished. The first option involves installing the filter in a symmetric mode: both incoming and outgoing traffic of the protected server (or service information about this traffic) always passes through the filter. Asymmetric algorithms analyze only incoming traffic. As a rule, symmetrical protections are more effective, but the cost of ownership is higher, and the signal delay is also longer. Asymmetric tools are often more complex, but because they do not analyze outgoing traffic, some attacks cannot be completely filtered out in asymmetric mode.
In addition, special care should be taken to properly enable DDoS protection: it is necessary to reduce to zero the number of vulnerabilities that an attacker could exploit. It is on identifying weaknesses and protecting confidential data that Imperva specializes.
And of course, you need to pay close attention to the choice of a protection provider, since the real quality of its services, as well as the level of its competence in anti-DDoS issues, can extend over a wide range. By the way, Imperva provides data protection services.
Imperva provides protection against unauthorized DDoS. This ensures the security of confidential data of clients of various kinds of sites. Also, Imperva collects information about the user of the site. This end-to-end analytics clearly shows what the visitor of the web page is interested in. You can get more information by going to the Imperva website via the pinned link!