Distributed Denial of Service (DDoS) attacks are a type of cybercrime that uses numerous systems to perform an attack, aiming to exceed a website’s capacity to handle requests and therefore prevent the website from functioning properly for online users.
The attacker floods a server with internet traffic to prevent users from accessing online services, overwhelming it and causing serious disruption to the organization.
The attack is carried out by a network of internet-connected machines, such as computers or IoT devices, that have been infected with malware and are controlled remotely by the hacker; the infected machines are known as bots and the network as a botnet. Each bot sends requests to the targeted IP address, and because each bot is an otherwise legitimate device, it is difficult to separate normal website traffic from malicious traffic.
Targets usually include internet shopping sites, online casinos and other online service providers.
Types of DDoS attack
There are two categories of attack – application layer and network layer.
Application layer attacks: the hacker seeks to overload a server by sending a large number of requests that require resource-intensive handling and processing. These include HTTP floods, slow attacks and DNS query floods.
Network layer attacks: the hacker sets out to clog the “pipelines” connecting to the network. Vectors include UDP floods, SYN floods, NTP amplification and DNS amplification.
Motivations for DDoS attacks
To express criticism of governments and politicians, big businesses or events.
Reliance on premade scripts and tools to cause grief. This type of attack and motivation usually comes from young hackers who are simply disgruntled or want attention.
The hackers demand money in exchange for stopping or not carrying out a DDoS attack.
There has been an increase in this type of attack being used as a competitive business tool. It can be used to prevent competitors from participating in big events such as Cyber Monday, or to completely shut down an online business for a period of time. The disruption caused to the website can lead to both financial and reputational damage.
This motivation is state sponsored: the aim is to silence government critics and internal opposition, and to disrupt critical financial, health and infrastructure services in enemy countries. As they are backed by nation states, these attacks are well funded and orchestrated.
Here the motivation is to settle personal scores or disrupt online competitions; this usually occurs in multiplayer online gaming.
Identifying DDoS attacks
- Site or service suddenly becomes slow or unavailable – this may not be caused by a DDoS attack, so it requires further investigation.
- Suspicious amount of traffic originating from a single IP address or range.
- Floods of traffic from users who share a single behavioural profile, such as device type, geolocation or web browser version.
- Unexpected surge in requests to a single page or endpoint.
- Odd traffic patterns, such as spikes at unusual hours of the day or other unnatural patterns.
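The indicators above can be checked mechanically against a web server's access log. The following Python script is an added example, not code from the original article: it parses combined-format access log lines, groups requests into one-minute windows and reports four of the signs listed above (one address sending many requests, many sources sharing one user agent, a surge against a single endpoint, and a window whose volume is far above the median). The log lines are constructed for illustration using documentation address ranges, and the thresholds are assumptions that would need tuning for a real site.

```python
"""Heuristic DDoS indicators over web server access logs (added example; thresholds are assumptions)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window=60, per_ip_limit=30, share_limit=0.6, min_sources=5, spike_factor=5.0):
    """Group requests into fixed windows and return (window_start, indicator, detail) findings."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            epoch = int(rec["ts"].timestamp())
            buckets[epoch - epoch % window].append(rec)

    findings = []
    baseline = median(len(recs) for recs in buckets.values()) if buckets else 0
    for start in sorted(buckets):
        recs = buckets[start]
        total = len(recs)
        # 1. many requests from one address within the window
        for ip, n in Counter(r["ip"] for r in recs).items():
            if n > per_ip_limit:
                findings.append((start, "single_ip_flood", f"{ip} sent {n} requests"))
        # 2. one user agent dominating the window and coming from many distinct sources
        ua, n = Counter(r["ua"] for r in recs).most_common(1)[0]
        sources = len({r["ip"] for r in recs if r["ua"] == ua})
        if n / total >= share_limit and sources >= min_sources:
            findings.append((start, "shared_profile", f"{sources} sources share UA {ua!r} ({n}/{total})"))
        # 3. surge of requests against a single endpoint from many sources
        path, n = Counter(r["path"] for r in recs).most_common(1)[0]
        sources = len({r["ip"] for r in recs if r["path"] == path})
        if n / total >= share_limit and sources >= min_sources:
            findings.append((start, "endpoint_surge", f"{path} received {n}/{total} requests"))
        # 4. window volume far above the median window, e.g. a spike at an odd hour
        if baseline and total > spike_factor * baseline:
            findings.append((start, "volume_spike", f"{total} requests vs median {baseline:.0f}"))
    return findings


def build_sample_log():
    """Constructed access log: five quiet minutes at 10:00 plus one minute of attack traffic at 03:15."""
    def entry(ip, ts, path, ua):
        return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    quiet = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    for minute in range(5):  # normal traffic: distinct clients, browsers and pages
        for i in range(8):
            ts = quiet + timedelta(minutes=minute, seconds=i * 7)
            lines.append(entry(f"198.51.100.{i + 1}", ts, f"/page{i}", f"Mozilla/5.0 (Browser {i})"))
    attack = datetime(2024, 3, 1, 3, 15, tzinfo=timezone.utc)
    for i in range(40):  # one address hammering assorted pages
        lines.append(entry("203.0.113.7", attack + timedelta(seconds=i), f"/page{i % 8}",
                           "Mozilla/5.0 (X11; Linux x86_64)"))
    for i in range(72):  # twelve addresses with an identical user agent all hitting /login
        lines.append(entry(f"203.0.113.{100 + i % 12}", attack + timedelta(seconds=i % 60),
                           "/login", "BotAgent/1.0"))
    return lines


if __name__ == "__main__":
    for start, kind, detail in analyse(build_sample_log()):
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), kind, detail)
```

Only the attack minute produces findings; the five quiet minutes pass every check. In practice the per-address and share thresholds should be derived from the site's own baseline, and a hit on any one indicator is a reason to investigate rather than to block, since a shared NAT address or a popular page can trigger the same heuristics legitimately.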
It is difficult to differentiate real traffic from attack traffic, as you do not want to cut real customers off. However, this is a key step in stopping an attack before too much damage is done.
Increasing bandwidth and having specific DDoS defenses in place are two other ways to help mitigate or limit the damage caused by a DDoS attack.