Cybersecurity 101:
Distributed Denial of Service (DDoS) Attack
A distributed denial of service attack (DDoS) is an attempt to make an online service inaccessible by hitting it with a massive amount of traffic from a variety of machines. A DDoS attack can block access to servers, devices, databases, networks, and applications.
The difference between a DDoS attack and a standard denial of service attack is that a DDoS attack comes from multiple machines rather than just one. Let's look at how this is accomplished.
How DDoS Attacks Work
A DDoS attack begins with a botnet. A botnet is a network of computers that have been infected with malicious software designed for DDoS attacks and other nefarious uses. Users may be tricked into installing the malware through phishing emails, infected websites, and even social networks, or it may be planted by taking advantage of known exploits in software and operating systems.
Once these computers are infected, the botnet "wrangler" can remotely control all of them from a single application, without the owners' knowledge. Once the botnet grows large enough, it can be used to launch an attack against any target.
Once a botnet is ready, the attacker sends a start command that has every machine in the botnet send a flood of requests to the intended target. If the attack makes it past the target's defenses, it can quickly overwhelm most systems, causing service outages and possibly crashing servers.
Many attackers that have created botnets offer their services for a price on online and darknet marketplaces, giving potentially anyone the capability of launching a DDoS attack.
Types of DDoS Attacks
DDoS attacks come in many forms, depending on what an attacker is trying to do. Three main categories are volume-based attacks, protocol attacks, and application-layer attacks.
Volume-Based Attack
This type of attack attempts to consume all the available bandwidth between the target and the internet. One way this is done is through amplification: the attacker floods DNS servers with small queries whose source address is spoofed to the target's IP address, so the much larger DNS responses are delivered to the target instead. SNMP and NTP are also abused in volume-based attacks. Eventually, the responses arriving at the target clog its network connection and crowd out legitimate incoming traffic.
Protocol Attack
Protocol attacks disrupt a service by exhausting the resources of network equipment like load balancers and firewalls. These attacks target the network and data link layers of the protocol stack. One type of protocol attack is called a SYN flood. This type of attack abuses the TCP handshake to flood a network. The botnet sends the target a massive number of TCP initial connection request (SYN) packets using spoofed IP addresses. The target machine exhausts its resources holding all of these half-open connections while it waits for a final handshake step that never arrives.
Application Layer Attack
This type of DDoS attack targets applications running on your network, specifically web applications that respond to HTTP requests. HTTP requests are lightweight for a client but can require a lot of resources from the server to generate the response. One request can involve code execution, multiple image requests, and database queries. A botnet using an application layer attack can bring down a server by simply hitting the same web page from each of its nodes at the same time.
Symptoms of a DDoS Attack
A symptom of a DDoS attack is a site or service that suddenly and noticeably becomes slow or unresponsive, but not every slow site is being attacked. Legitimate traffic spikes and ordinary server problems can cause the same type of unresponsiveness.
To determine if you are under a DDoS attack, you will have to investigate further with traffic analysis tools to determine what type of traffic you are getting, where it is coming from, and where it is going. Some signs of a DDoS attack include:
- Abnormal amounts of traffic coming from a single IP address or range of addresses
- Odd spikes in traffic that happen at strange times of the day, for a limited amount of time, or that follow a pattern
- A sudden flood of traffic to a single webpage or service
- A flood of traffic from users that have a similar profile, like geolocation, browser version, or device type
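As an added example (not part of the original article), the following script scores a web-server access log against the four signs listed above: a single IP range dominating the traffic, an abrupt spike confined to a short time window, one page receiving most of the requests, and clients sharing a near-identical profile (here, the user agent). The log lines, the thresholds and the `/24` grouping are constructed for illustration; a real deployment would tune them against its own baseline.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

# Common log format with a trailing user-agent field (Apache/Nginx "combined" style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def make_sample_log():
    """Constructed access log, not captured from any real server: ten minutes of
    quiet, varied traffic, then a one-minute burst from 203.0.113.0/24 in which
    every request hits /login with the same user agent."""
    t0 = datetime(2023, 10, 10, 13, 50, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for m in range(10):
        for k in range(3):
            t = t0 + timedelta(minutes=m, seconds=20 * k)
            lines.append(f'198.51.100.{m + k} - - [{fmt(t)}] "GET /page{k}.html HTTP/1.1" 200 512 "-" "UA-{k}"')
    burst = t0 + timedelta(minutes=10)
    for k in range(60):
        t = burst + timedelta(seconds=k)
        lines.append(f'203.0.113.{k % 8} - - [{fmt(t)}] "GET /login HTTP/1.1" 200 4096 "-" "BotUA/1.0"')
    return lines

def parse(lines):
    """Yield one dict per parseable line, with the timestamp truncated to the minute."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r["minute"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
            yield r

def ddos_signals(lines, range_share=0.5, path_share=0.5, ua_share=0.5, spike_factor=5):
    """Report which of the four symptoms the log exhibits. Thresholds are illustrative defaults."""
    reqs = list(parse(lines))
    total = len(reqs)
    by_range = Counter(r["ip"].rsplit(".", 1)[0] + ".0/24" for r in reqs)  # crude /24 grouping
    by_path = Counter(r["path"] for r in reqs)
    by_ua = Counter(r["ua"] for r in reqs)
    per_minute = Counter(r["minute"] for r in reqs)
    baseline = median(per_minute.values())  # robust to the spike itself
    rng, n_rng = by_range.most_common(1)[0]
    path, n_path = by_path.most_common(1)[0]
    ua, n_ua = by_ua.most_common(1)[0]
    return {
        "dominant_range": rng if n_rng / total >= range_share else None,
        "spike_minutes": sorted(m.strftime("%H:%M") for m, n in per_minute.items() if n > spike_factor * baseline),
        "flooded_path": path if n_path / total >= path_share else None,
        "uniform_profile": ua if n_ua / total >= ua_share else None,
    }
```

Run `ddos_signals(make_sample_log())` to see all four signals fire on the constructed burst; feeding it the quiet portion alone returns `None` for each and no spike minutes.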
Preventing DDoS Attacks
Protecting a network against a DDoS attack is not a simple task. It is not like malware or viruses that you can remove from the infected systems. DDoS traffic comes from outside your network and can look like regular traffic until you examine the details. It's important to act quickly once a DDoS attack is detected, because these attacks can bring down a website or service in minutes.
Secure Your Router
Your router is the gateway in and out of your network. If the bots in a botnet can't make it through the router, they can't affect any services behind it. It is your first line of defense and should be configured to filter traffic by priority and to block threatening data or traffic.
Secure IoT Devices
Many people who secure their laptops and phones don't think twice about leaving the default password on their IoT devices. Many IoT devices run full Linux operating systems that can be, and have been, targeted with malware that turns them into bots in a botnet, which makes them a favorite target. Securing your IoT devices with a strong password helps prevent them from becoming another bot in a botnet.
Use Machine Learning
Detecting a DDoS attack involves traffic analysis. It is possible to do this manually, but machine learning technology can detect malicious traffic quickly. Traffic can be analyzed in real-time for known DDoS patterns and anomalies, and any suspicious traffic can be blocked before it has a chance to slow down a service or website.
Conclusion
A distributed denial of service, or DDoS, attack is an attempt to block access to a website or service by flooding it with requests to overload the system. Attackers accomplish this by infecting an army of machines with malware that they can use to target any site or service they choose. Troubleshooting and preventing DDoS attacks is not straightforward and involves analyzing traffic for anomalies, but with the right tools, DDoS attacks can be mitigated or prevented.