Distributed Denial of Service (DDoS) Attacks: Characteristics and Mitigation
A Distributed Denial of Service (DDoS) attack is performed by a botnet and tries to take down a target system. Many computers bombard the victim with large volumes of spam traffic with the goal of overwhelming it and degrading its ability to respond to legitimate requests.
DDoS attacks differ from most other types of cyberattacks because they don’t require a vulnerability in the target system. Instead, DDoS attacks often send legitimate requests to an application but in volumes that it can’t handle. In fact, a website or web application can even be accidentally DDoSed by legitimate users, as demonstrated by the failure of Ticketmaster to handle requests from fans trying to purchase tickets to Taylor Swift’s Eras tour.
DDoS attacks have become a significant threat and can negatively impact an organization’s brand reputation and ability to provide services to its customers. This article explores the DDoS threat, including the characteristics, impact, and potential mitigation strategies for DDoS attacks.
Understanding DDoS Attacks
The “distributed” in DDoS refers to the fact that a DDoS attack is performed by multiple different systems. In most cases, this involves a botnet of compromised devices, often Internet of Things (IoT) systems. However, cybercriminals are increasingly using cloud computing and virtualization technology to perform large-scale DDoS attacks.
The goal of a DDoS attack is to degrade a victim’s ability to provide services to legitimate users. While some DDoS attacks are designed to take down the target system, others are intended solely to harm its performance or increase costs to the business. These “low and slow” attacks are increasingly popular due to their ability to slip under the radar of DDoS prevention solutions looking for larger-scale attacks.
DDoS attacks have grown much larger and more common in recent years. In February 2023, Cloudflare reported blocking several DDoS attacks with 50-71 million requests per second (rps). This exceeded the previous record — set 9 months earlier — by 54%.
Characteristics of DDoS Attacks
A DDoS attack is designed to exploit a bottleneck or single point of failure in a target system. Some common examples of bottlenecks targeted by DDoS attacks include:
- Network bandwidth
- Number of TCP or TLS connections the server can support
- Number of sessions an application can support
- Memory and RAM
- Server CPU cycles
Depending on the target, one of these potential bottlenecks may have a lower capacity than the others. For example, a computer can theoretically maintain thousands of TCP and TLS connections; however, an application may run out of available memory or processing power before reaching this point.
Different DDoS attacks are designed to target different bottlenecks. The main categories of DDoS attacks include:
- Volumetric Attacks: Volumetric attacks — which include UDP floods and similar attacks — are designed to send more traffic to a system than it can handle. These attacks could overwhelm the network bandwidth or the server’s ability to handle inbound traffic.
- Application-Layer Attacks: Application-layer attacks attempt to exhaust the resources available to a particular application or service. HTTP floods and similar attacks may try to consume RAM and CPU cycles or fill up state-tracking data structures within the application itself.
- Protocol Attacks: Protocol attacks take advantage of the features of a network protocol to perform an attack. For example, SYN floods create large numbers of half-open TCP connections on the target server. Maintaining these half-open connections leaves the server less able to accept new connection requests until the existing ones expire.
A DDoS attacker may perform one of these attacks on its own or several at once in a “layered” attack. Another common DDoS technique is the “burst” attack, in which the attacker performs short, high-volume DDoS attacks at random intervals to disrupt the target system.
DoS vs. DDoS: A Comparison
Denial of Service (DoS) and DDoS attacks are both designed to degrade the availability of a target system. However, they differ in a few crucial ways:
- Attacker Numbers: DDoS attacks are named for the fact that they involve multiple systems attacking the target. A DoS attack, on the other hand, involves a single attacker.
- Attack Vectors: DDoS attacks are performed solely by flooding the target with large volumes of spam traffic. While a DoS attack can do this as well, it can also be performed by exploiting vulnerabilities in a target application. For example, exploiting a buffer overflow vulnerability to trigger a segmentation fault (segfault) is another means of crashing a target application.
DDoS Attack Tools and Techniques
In a nutshell, a DDoS attack is an attempt to flood a target with spam requests to knock it offline or make it less able to handle legitimate user requests. These attacks are performed by multiple attacking systems and can use various techniques.
Often, DDoS attacks are performed by a botnet operated by the attacker. Botnets are typically created by infecting vulnerable systems with botnet malware. For example, an attacker could exploit weak credentials or unpatched vulnerabilities on IoT devices to install malware on these systems. This malware would allow the attacker to direct the infected devices to perform automated attacks such as DDoS attacks.
Some botnet operators will perform DDoS attacks themselves, while others will rent out their botnets to other users. On the Dark Web, a DDoS attack costs as little as $5 per hour to rent. This makes them very affordable to perform, expanding the range of potential targets.
An attacker can perform DDoS attacks in various ways. In some cases, an attacker might simply attempt to overwhelm a target with the sheer volume of traffic that a botnet can produce.
Attackers can also exploit how network protocols work to increase the effectiveness of their attacks. For example, a DDoS amplification attack increases traffic volume via the following process:
- The attacker identifies a service whose responses are significantly larger than the corresponding request. For example, DNS lookups produce responses larger than the requests because the requested data is added alongside the original request data.
- The attacker sends a request to the service with their IP address spoofed to that of the target. Typically, this involves using UDP since there is no handshake (like in TCP).
- The service processes the request and sends a response to the victim, who appears to be the one making the request.
As a result of an amplification attack, the victim is sent much more data than the attacker sends out. For example, a service running on vulnerable Mitel systems enabled 4.3x amplification of DDoS attacks in 2022. As a result, the attacker is able to perform a much larger attack than is possible with their botnet infrastructure.
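The amplification process described above has a useful property from the victim's side: legitimate use of DNS or NTP always starts with an outbound query, whereas reflected traffic arrives without any matching query because the attacker sent the requests with a spoofed source. The following is an added example (not code from the article) that applies that check to network flow records. The flow records, the protected host address and the reflector-port table are constructed assumptions for illustration.

```python
"""Flag likely DDoS amplification (reflection) traffic in network flow records.

Added example, not code from the article. The flow records are constructed
(documentation IP ranges) and the reflector-port table is an assumption for
illustration, not a complete catalogue.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services that have been abused as reflectors, keyed by source port.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = towards the protected host, "out" = from it
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int


def reflection_suspects(flows, min_ratio=2.0, min_bytes=10_000):
    """Return {(reflector_ip, service): (in_bytes, out_bytes, ratio)}.

    A real DNS/NTP client sends queries first, so inbound response bytes from
    port 53/123 are matched by outbound request bytes to the same host. In an
    amplification attack the requests were sent by the attacker with our
    address spoofed, so large inbound volumes arrive with little or nothing
    outbound and the ratio explodes.
    """
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.direction == "in" and f.src_port in REFLECTOR_PORTS:
            inbound[(f.src_ip, f.src_port)] += f.bytes
        elif f.direction == "out" and f.dst_port in REFLECTOR_PORTS:
            outbound[(f.dst_ip, f.dst_port)] += f.bytes

    suspects = {}
    for (ip, port), in_bytes in inbound.items():
        if in_bytes < min_bytes:  # ignore tiny volumes to keep noise down
            continue
        out_bytes = outbound.get((ip, port), 0)
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        if ratio >= min_ratio:
            suspects[(ip, REFLECTOR_PORTS[port])] = (in_bytes, out_bytes, ratio)
    return suspects


def total_suspect_bytes(suspects):
    """Sum of inbound bytes attributed to suspected reflectors."""
    return sum(v[0] for v in suspects.values())


# Constructed flow sample. VICTIM is the protected host.
VICTIM = "192.0.2.10"
SAMPLE_FLOWS = [
    # Normal DNS: small query out, slightly larger answer back.
    Flow("out", "udp", VICTIM, 40000, "192.0.2.53", 53, 80),
    Flow("in", "udp", "192.0.2.53", 53, VICTIM, 40000, 200),
    # NTP reflection: one small outbound probe, then a torrent of responses.
    Flow("out", "udp", VICTIM, 123, "198.51.100.9", 123, 100),
    Flow("in", "udp", "198.51.100.9", 123, VICTIM, 123, 50_000),
    # Memcached reflection: nothing outbound at all.
    Flow("in", "udp", "203.0.113.7", 11211, VICTIM, 80, 400_000),
    # TCP traffic is ignored by this check.
    Flow("in", "tcp", "203.0.113.8", 443, VICTIM, 51000, 90_000),
]

if __name__ == "__main__":
    found = reflection_suspects(SAMPLE_FLOWS)
    for (ip, service), (in_b, out_b, ratio) in found.items():
        print(f"{service:9s} {ip:15s} in={in_b} out={out_b} ratio={ratio}")
    print("suspect bytes:", total_suspect_bytes(found))
```

The ratio computed here is the victim's view (inbound versus outbound bytes per reflector), not the per-request amplification factor the article quotes for a service. Note also that the addresses flagged are abused third-party servers, not the attacker: the appropriate response is ingress filtering or upstream scrubbing of those flows, and for operators of such services, rate-limiting or disabling the abusable feature.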
Impact and Consequences of DDoS Attacks
A DDoS attack can have several potential impacts on an organization. Some of the most common include financial losses, reputational damage, and the threat of legal action.
Financial Losses
DDoS attacks can cause an organization to incur various financial losses. Some ways that an organization can lose money due to a DDoS attack include:
- Lost Sales: DDoS attacks often target customer-facing sites. While the attack is occurring, the organization may lose sales due to customers’ inability to access the site or their frustration with poor site performance.
- Customer Churn: These issues may also cause customers to switch to a competitor. As a result, the company may lose customers in the long term as well as during the attack itself.
- Infrastructure Costs: A DDoS attack consumes resources on the target system as it processes the attacker’s spam requests. These resources are used up without bringing in any profit for the organization.
- Lost Productivity: A DDoS attack may target corporate applications, rendering employees unable to do their job. Also, while an attack is occurring, the security team may be focused on mitigation rather than other duties.
- Ransom Payments: Some cybercriminals will perform Ransom Denial of Service (RDoS) attacks. These attacks will continue until the victim pays the ransom demand.
Reputational Damage
DDoS attacks are designed to take down an organization’s website or render it unusable. If successful, they can harm the company’s brand image since customers may believe that the organization is unable to provide services or protect itself against cyber threats.
Legal Action
DDoS attacks also have the potential to expose an organization to legal action. Many organizations have contractual and service level agreements (SLAs) that promise a certain level of service to their customers. A DDoS attack that renders the organization unable to provide these services may require it to provide compensation to its customers or expose it to legal action.
DDoS Protection and Mitigation Strategies
DDoS attacks are a growing threat to business because they are cheap and easy to perform. In general, scaling a DDoS attack is often cheaper than scaling a service’s bandwidth, RAM, and CPU to manage the rise in malicious requests. Some methods of protecting against the DDoS threat include:
- Traffic Monitoring: Traffic monitoring provides an organization with insight into normal traffic patterns on its network and potential anomalies. This enables the business to quickly detect and respond to a DDoS attack.
- Cloud-Based DDoS Protection: Cloud-based DDoS prevention services have the capacity to identify and filter DDoS traffic before it reaches an organization’s network. This enables the business to maintain normal services during a DDoS attack.
- Content Delivery Networks (CDNs): CDNs cache static web content in geographically distributed locations. By distributing the hosting of an organization’s website, CDNs distribute traffic and make DDoS attacks more difficult to perform.
- Rate Limiting: Rate limiting throttles a user’s ability to make requests to a site. By blocking abuse of resource-intensive requests, rate limits can help prevent resource exhaustion attacks.
- Access Controls: DDoS attacks are often performed by networks of compromised machines. Access controls on resource-intensive operations make it easier to identify and block attempted attacks.
- Web Application Firewalls (WAFs): DDoS attacks may be designed to exploit vulnerabilities to amplify their effects. WAFs can identify and block attack traffic from reaching vulnerable systems.
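The traffic-monitoring and rate-limiting items above can be illustrated together: a per-client token bucket that charges more for resource-intensive endpoints, replayed over web server access log lines, plus a requests-per-second spike check against a baseline. This is an added example, not code from the article or from any product it mentions; the log lines are constructed, and the bucket size, refill rate, endpoint costs and baseline are assumed values for illustration.

```python
"""Replay web access log lines through a per-client token-bucket rate limiter
and a simple requests-per-second spike check.

Added example, not code from the article. The log lines are constructed
(documentation IP ranges), and the bucket size, refill rate, endpoint costs
and baseline are assumed values chosen for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format prefix: client IP, ident, user, [timestamp], "METHOD path"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)

# Resource-intensive endpoints cost more tokens, so abuse of them is
# throttled sooner than plain page views (assumed costs).
ENDPOINT_COST = {"/search": 5}


class TokenBucket:
    """Classic token bucket: `capacity` tokens, refilled at `refill` tokens/s."""

    def __init__(self, capacity, refill):
        self.capacity = capacity
        self.refill = refill
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now, cost=1):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def parse_line(line):
    """Return (ip, epoch_seconds, path-without-query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def replay(lines, capacity=20, refill=2.0):
    """Run every request through its client's bucket.

    Returns (allowed, throttled): Counters of request counts per client IP.
    """
    buckets = defaultdict(lambda: TokenBucket(capacity, refill))
    allowed, throttled = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if buckets[ip].allow(ts, ENDPOINT_COST.get(path, 1)):
            allowed[ip] += 1
        else:
            throttled[ip] += 1
    return allowed, throttled


def rps_spikes(lines, baseline_rps=1.0, factor=3.0):
    """Traffic-monitoring view: seconds (epoch) whose request count exceeds
    `factor` times the normal baseline. The baseline is assumed here; in
    practice derive it from historical traffic."""
    per_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            per_second[int(parsed[1])] += 1
    return sorted(s for s, n in per_second.items() if n > baseline_rps * factor)


# Constructed sample: one client browsing normally, one hammering /search
# within a single second (an application-layer flood pattern).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /search?q=shoes HTTP/1.1" 200 8192',
] + [
    f'198.51.100.10 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=x{i} HTTP/1.1" 200 8192'
    for i in range(12)
]

if __name__ == "__main__":
    ok, limited = replay(SAMPLE_LOG)
    print("allowed:", dict(ok))
    print("throttled:", dict(limited))
    print("spike seconds:", rps_spikes(SAMPLE_LOG))
```

With the assumed settings the normal client's three requests are all served, while the flooding client gets four expensive searches through before the remaining eight are throttled, and 13:55:40 is the one second flagged as a spike. Keying buckets on the client IP is the simplest choice and is what the article's "access controls" item refines: behind a CDN or proxy the real client address must be taken from the proxy's forwarded header, and a botnet spreading requests over many addresses stays under a per-IP limit, which is why the global spike check is kept alongside it.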
Collaborative Defense and Incident Response
DDoS attacks are a growing threat, with many large botnets threatening attacks and cybercriminals offering attacks for hire. Collaboration can help companies to manage the risk of a damaging DDoS attack.
For example, DDoS attacks commonly originate from botnets composed of compromised devices. Victims of DDoS attacks can identify and block the IP addresses associated with these attacks. By sharing this information via threat intelligence feeds or forums, they can help other organizations to rapidly identify and block attempted attacks.
Another area where collaboration is invaluable for managing DDoS attacks is keeping track of the evolving threat landscape. DDoS attacks are an area of active innovation, with cybercriminals developing new tools and techniques to make attacks larger or stealthier. Sharing information about past DDoS attacks enables organizations to develop and test defenses against the state of the art in DDoS attacks.
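Sharing the attacking addresses a victim observed, as described above, works best when the list is compact and when it is applied without blocking uninvolved neighbours. The following added example (not code from the article) aggregates observed attacker IPs into shareable CIDR entries, exports and reloads them in a simple one-prefix-per-line feed, and checks new connections against the result. All addresses are constructed from documentation ranges, and the subnet saturation threshold is an assumption.

```python
"""Aggregate observed attacking IPs into shareable CIDR prefixes and check
new traffic against a shared blocklist.

Added example, not code from the article. All addresses are constructed
from documentation ranges; the saturation threshold is an assumption.
"""
import ipaddress
from collections import defaultdict


def aggregate_blocklist(ips, min_hosts_per_subnet=8):
    """Turn individual attacker IPs into a compact list of networks.

    An IPv4 /24 (IPv6 /64) that contributed at least `min_hosts_per_subnet`
    distinct attackers is published as one prefix; sparse ranges stay as
    single-host entries so that uninvolved neighbours are not blocked.
    Adjacent entries of the same version are merged.
    """
    by_subnet = defaultdict(set)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        by_subnet[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)].add(addr)

    entries = []
    for subnet, hosts in by_subnet.items():
        if len(hosts) >= min_hosts_per_subnet:
            entries.append(subnet)
        else:
            entries.extend(ipaddress.ip_network(h) for h in hosts)

    collapsed = []
    for version in (4, 6):  # collapse_addresses requires a single version
        collapsed.extend(ipaddress.collapse_addresses(
            e for e in entries if e.version == version))
    return sorted(collapsed, key=lambda n: (n.version, n))


def export_feed(networks):
    """Serialise for sharing: one CIDR per line."""
    return "\n".join(str(n) for n in networks)


def load_feed(text):
    """Parse a feed produced by export_feed (blank and '#' lines ignored)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line))
    return nets


def is_blocked(ip, networks):
    """True if `ip` falls inside any network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


# Constructed observation: ten hosts in one /24 plus two stragglers elsewhere.
ATTACKERS = [f"198.51.100.{i}" for i in range(1, 11)] + ["203.0.113.4", "203.0.113.200"]

if __name__ == "__main__":
    nets = aggregate_blocklist(ATTACKERS)
    print(export_feed(nets))
    for probe in ("198.51.100.250", "203.0.113.9", "203.0.113.200"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
```

Two caveats apply when consuming such a feed. Addresses seen in an amplification attack belong to abused reflectors rather than to the attacker, so feeds are most useful for non-spoofed traffic such as HTTP floods from a botnet. Botnet members are frequently residential or IoT devices on dynamic addresses, so shared entries should carry a timestamp and expire rather than accumulate indefinitely.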
Recent Examples, Use Cases, and Statistics
DDoS attacks can have wide-reaching impacts, stretching beyond the intended victim. Some of the largest and most famous DDoS attacks include:
- Dyn (2016): In 2016, Dyn, a major DNS provider, suffered a DDoS attack launched by the Mirai botnet that rendered popular sites such as Airbnb, GitHub, Netflix, PayPal, Reddit, and Twitter inaccessible.
- GitHub (2018): GitHub suffered a DDoS attack in 2018 that knocked the site offline with volumes of 1.3 Tbps. This attack didn’t use a botnet, instead using the amplification capabilities of memcached servers.
- AWS (2020): In 2020, AWS suffered a DDoS attack with volumes of 2.3 Tbps, a record at the time. AWS managed to mitigate the attack, but it was notable since it targeted a major cloud service provider.
Conclusion
DDoS attacks are a growing threat to the availability of an organization’s online services. As IoT devices have become more common, cybercriminals have been able to build larger, more powerful botnets. This, combined with innovations in DDoS attacks — such as the use of various services for DDoS amplification — has contributed to a significant growth in the size of DDoS attacks in recent years.
DDoS attacks typically don’t exploit vulnerabilities, instead relying on sheer volume to overwhelm a target system. Implementing DDoS mitigation strategies — such as DDoS traffic filtering and access controls — is the best way to protect against these attacks.
However, when implementing access controls and rate limiting, it’s important to use authentication methods that can’t be used by automated bots. A compromised password provides no real protection against DDoS attacks.
Kelvin Zero’s Multi-Pass solves this problem with phishing-resistant, multi-factor authentication based on biometric and possession-based authentication factors. Book a demo today to learn more about Multi-Pass and how Kelvin Zero can help your organization ensure their access controls and rate limits provide real protection against DDoS threats.