DDoS attacks: types, protection and mitigation


DDoS attacks aim to take down online services by flooding them with an enormous amount of incoming traffic originating from multiple sources. This type of cyberattack can cut into business profits and damage a company’s reputation. Let’s see what a DDoS attack consists of and how to protect services and systems against this type of attack.

What is a DDoS attack?

A DDoS attack, or Distributed Denial-of-Service attack, is a type of cyberattack in which a cybercriminal aims to disrupt, temporarily or indefinitely, access to various online services — websites, applications, networks, APIs, etc.

To take down those services, cyberattackers flood the targeted machine or network resource with superfluous requests originating from many different sources, making it impossible to stop the attack by blocking a single source. As a consequence of this overload of unwanted traffic, the targeted services become unavailable to final users.

In other words, a DDoS attack creates a sort of traffic jam that prevents legitimate requests from getting through.

DDoS attackers target a wide variety of resources:

  • educational platforms,
  • eCommerce sites,
  • financial services,
  • bank applications,
  • government websites,
  • medical systems, etc.

DDoS attacks are commonly used for:

  • Causing economic or social disruption.
  • Creating a smokescreen to distract the security team from a more sophisticated attack.
  • Extorting money from businesses.
  • Performing hacktivism for political or social reasons.

How does a DDoS attack work?

DDoS attackers exploit networks of infected Internet-connected devices to disrupt the targeted network or server with a flood of unwanted requests that originate from many different sources.

To infect and gain control over those Internet-connected machines and devices, cyberattackers take advantage of security vulnerabilities and use malware. Once a device is infected, it becomes a “bot” capable of spreading the malware to other devices, amplifying the size of the attack. This group of infected devices or “bots” is known as a “botnet”.

Then, in order to attack a machine or network, the attacker instructs individual bots within the botnet to send requests to the targeted IP address. That overwhelming amount of incoming traffic leads to a denial of service and prevents normal traffic from accessing the attacked service.

DDoS attacks are easy to spread because the owners of infected devices often do not notice the infection, and the attackers behind the botnet remain hard to identify. The malicious traffic is therefore difficult to detect.

Types of DDoS attacks

DDoS attacks can be categorized in three major types: volumetric or volume-based attacks, protocol attacks and application-layer attacks. Some of the most common examples of DDoS attacks are DNS amplification, SYN flood and UDP flood attacks.

Besides, multiple attacks are sometimes used together to hit several layers at the same time, for instance by combining a DNS amplification attack with an HTTP flood attack. Attacks that use multiple pathways at once are known as “multi-vector DDoS attacks”.

Volumetric attacks

Volumetric attacks aim to saturate the bandwidth of the targeted resource or service. They are also known as “volume-based attacks”. By sending a large amount of traffic using a botnet, attackers slow down or prevent traffic from real users from flowing.

Here are some common types of volumetric or volume-based attacks:

  • DNS amplification. In DNS amplification attacks, attackers send large quantities of DNS queries with the source address spoofed to their target’s IP address, so that the DNS servers send their replies to the target. Because a DNS reply is much larger than the query that triggered it, the servers generate a large amount of traffic that floods the organization’s services.
  • ICMP flood. In ICMP flood attacks, ICMP (Internet Control Message Protocol) messages are used to overload the bandwidth of the target’s network.
  • UDP flood. In UDP flood attacks, cyberattackers send User Datagram Protocol (UDP) packets to saturate ports on the targeted host. This type of DDoS attack is usually chosen for larger-bandwidth attacks.

Protocol attacks

Protocol attacks aim to consume and exhaust real resources from servers or intermediate equipment such as firewalls. They are also known as “protocol-based attacks”. To do so, attackers use malicious connection requests that exploit the way protocols communicate.

Here are some common types of protocol or protocol-based attacks:

  • Ping of Death. In Ping of Death attacks, cyberattackers send a packet larger than the maximum allowed size to cause the targeted server to crash. The large packet is fragmented into pieces when transmitted to the target, so that when the targeted server tries to put the pieces back together, the reassembled size exceeds the limit and causes a buffer overflow.
  • Smurf DDoS attack. In Smurf DDoS attacks, attackers send a large number of ICMP packets to a network’s IP broadcast address with the source IP spoofed to that of their target. If there is a large number of devices on the network, their replies to the spoofed source IP may flood the target with traffic.
  • SYN flood. In SYN flood attacks, cyberattackers use an infected client to send a large volume of SYN packets that never get acknowledged. As the Transmission Control Protocol (TCP) establishes connections in multiple steps — synchronization, synchronization acknowledgment and final acknowledgement —, the server is left waiting for the final response of numerous unfinished TCP connections and eventually runs out of capacity to accept new legitimate connections.
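To make the SYN flood mechanism concrete, here is an added Python simulation of a listener’s half-open connection queue (the SYN backlog). It is written for this article and is not code from the original page or from any real TCP stack. It models the backlog exhaustion described above and the SYN-cookie mitigation, in which the server derives its initial sequence number from the connection tuple with a keyed hash instead of storing per-connection state, so that only clients that actually complete the handshake consume resources. The cookie derivation is simplified (real SYN cookies also encode a timestamp and MSS), and the addresses come from the documentation ranges.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy in-memory model of a TCP listener's SYN backlog (added example, not real TCP code).


@dataclass
class Listener:
    backlog_size: int
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (ip, port) -> server ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _cookie(self, ip, port, client_isn):
        # Simplified SYN cookie: the server's initial sequence number is an HMAC of
        # the connection tuple, so it can be recomputed later without storing it.
        msg = f"{ip}:{port}:{client_isn}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, ip, port, client_isn):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(ip, port, client_isn)   # reply, store nothing
        if len(self.half_open) >= self.backlog_size:
            self.dropped_syns += 1                      # backlog full: SYN dropped
            return None
        isn = secrets.randbits(32)
        self.half_open[(ip, port)] = isn                # half-open state kept in memory
        return isn

    def on_ack(self, ip, port, client_isn, ack_num):
        """Handle the final ACK of the handshake; it must acknowledge server ISN + 1."""
        if self.syn_cookies:
            expected = (self._cookie(ip, port, client_isn) + 1) & 0xFFFFFFFF
            if ack_num == expected:
                self.established.add((ip, port))
                return True
            return False
        isn = self.half_open.get((ip, port))
        if isn is not None and ack_num == (isn + 1) & 0xFFFFFFFF:
            del self.half_open[(ip, port)]
            self.established.add((ip, port))
            return True
        return False


def simulate(syn_cookies: bool, backlog_size: int = 128, flood_syns: int = 1000):
    """Flood the listener with SYNs that are never completed, then try a legitimate
    handshake. Returns whether the legitimate client connected and the backlog state."""
    srv = Listener(backlog_size, syn_cookies)
    # Constructed flood: many spoofed sources (TEST-NET-3) send SYNs and never reply.
    for i in range(flood_syns):
        srv.on_syn(f"203.0.113.{i % 256}", 40000 + i, client_isn=i)
    # A legitimate client (TEST-NET-2) arrives after the flood and completes the handshake.
    client_isn = 12345
    isn = srv.on_syn("198.51.100.7", 51000, client_isn)
    ok = isn is not None and srv.on_ack("198.51.100.7", 51000, client_isn, (isn + 1) & 0xFFFFFFFF)
    return {"legit_connected": ok, "half_open": len(srv.half_open), "dropped": srv.dropped_syns}


if __name__ == "__main__":
    print("without SYN cookies:", simulate(syn_cookies=False))
    print("with SYN cookies:   ", simulate(syn_cookies=True))
```

Without cookies the 128-entry backlog fills with the first 128 half-open connections and every later SYN, including the legitimate one, is dropped; with cookies the server keeps no half-open state, so the flood costs it nothing beyond replying and the legitimate client still connects. On Linux the equivalent kernel setting is `net.ipv4.tcp_syncookies`.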

Application-layer attacks

Application-layer attacks aim to crash the web server with apparently legitimate requests. This kind of attack is easy to implement and difficult to stop or slow down, and it is usually targeted at specific applications. They are also known as “Layer 7 DDoS attacks”.

Here are some common types of application-layer or Layer 7 attacks:

  • HTTP flood. HTTP flood attacks have an effect similar to continuously refreshing a web page in a browser on a large number of computers at the same time. The large number of HTTP requests floods the server.
  • Low-and-slow. In low-and-slow attacks, attackers use a small flow of very slow traffic and therefore need little bandwidth to carry out the attack. These DDoS attacks are not easy to mitigate because it is especially difficult to distinguish the malicious traffic from normal traffic. As a result, they can remain undetected for a long period of time, slowing or even denying the service to real users.

How to defend against a DDoS attack

In order to be protected against DDoS attacks, organizations need to have a strong anti-DDoS strategy. These are some of the most commonly used protection methods against DDoS attacks:

  • Anycast network diffusion. Using an anycast network to scatter the malicious traffic across a network of distributed servers so that each one receives a manageable share.
  • Blackhole filtering. Creating a blackhole route through which traffic is funneled to a null route or “blackhole”, dropping it from the network.
  • Rate limiting. Limiting the number of requests a server accepts from a client over a time frame. When an elevated level of traffic hitting a host is detected, the host only accepts as much traffic as it can handle, so that its availability is not affected.
  • Attack surface area reduction. Minimizing the surface area that can be attacked, to limit the points of attack and to focus protection in a single place. In some cases this can be done by placing resources behind load balancers or a CDN, and by restricting direct Internet traffic to certain parts of the infrastructure.
  • Web Application Firewall (WAF) deployment. Using a Web Application Firewall — a protocol layer 7 defense — to filter and monitor HTTP traffic between a web application and the Internet.

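The rate-limiting method above is easy to picture with a per-client token bucket. The following Python code is an added example written for this article, not code from the original page or from any product: each client address gets a bucket that refills at a fixed rate up to a burst size, and a request is admitted only if a token is available. The traffic is constructed inline (one client at 2 requests per second and one at 100 requests per second, addresses from the documentation ranges); token counts are kept in integer thousandths of a token so the arithmetic is exact.

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket (added example). Tokens are stored in thousandths,
    timestamps in integer milliseconds, so refills involve no floating point."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec          # tokens added per second per client
        self.burst_mt = burst * 1000      # bucket capacity in millitokens
        self.tokens = {}                  # client -> millitokens currently held
        self.last_ms = {}                 # client -> time of last request

    def allow(self, client: str, now_ms: int) -> bool:
        """Return True if the request is admitted and consume one token if so."""
        if client not in self.tokens:
            self.tokens[client] = self.burst_mt           # new client starts full
        else:
            elapsed_ms = now_ms - self.last_ms[client]
            # rate tokens/s == rate millitokens per millisecond
            refilled = self.tokens[client] + elapsed_ms * self.rate
            self.tokens[client] = min(self.burst_mt, refilled)
        self.last_ms[client] = now_ms
        if self.tokens[client] >= 1000:
            self.tokens[client] -= 1000
            return True
        return False


def replay(requests, rate_per_sec=5, burst=10):
    """Run (timestamp_ms, client_ip) pairs through the limiter.
    Returns {client: (admitted, rejected)}."""
    limiter = TokenBucketLimiter(rate_per_sec, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts_ms, ip in requests:
        if limiter.allow(ip, ts_ms):
            stats[ip][0] += 1
        else:
            stats[ip][1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


def constructed_traffic():
    """Constructed sample: 5 s of a normal client at 2 req/s and a flooding client
    at 100 req/s, interleaved in time order."""
    reqs = [(i * 500, "198.51.100.7") for i in range(10)]      # every 500 ms
    reqs += [(i * 10, "203.0.113.9") for i in range(500)]      # every 10 ms
    reqs.sort()
    return reqs


if __name__ == "__main__":
    for ip, (ok, rejected) in replay(constructed_traffic()).items():
        print(f"{ip}: admitted={ok} rejected={rejected}")
```

With a rate of 5 requests per second and a burst of 10, the normal client is never throttled, while the flooding client gets its initial burst and then only the steady refill rate, so the server's exposure to that source is capped regardless of how fast it sends. The same structure is what reverse proxies and API gateways apply per source address or per API key.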
Nevertheless, depending on the complexity of the attack, a more complex solution might be necessary to handle the DDoS attack.

How to mitigate DDoS attacks

Since cutting off all traffic is not an option, distinguishing malicious traffic from normal traffic is the main concern when mitigating DDoS attacks. Telling attack traffic apart from real customers’ traffic becomes especially difficult when dealing with complex multi-vector DDoS attacks. Mitigation solutions will therefore vary considerably depending on the type and complexity of an attack.
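As a worked illustration of that distinction, here is an added Python example (written for this article, not code from the original page or from any product) that buckets web-server access-log lines into fixed time windows and flags windows whose aggregate request count is abnormal. It reports which sources exceed a per-IP limit and, when none does, notes that the flood is distributed, the case a per-IP threshold alone would miss. The log lines are constructed inline in combined log format with addresses from the documentation ranges; the thresholds are illustrative and would in practice be derived from the service’s own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into (ip, unix_ts, path); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("path")


def analyze(lines, window=10, per_ip_limit=50, aggregate_limit=200):
    """Count requests per source in fixed windows of `window` seconds.
    A window is reported when its total exceeds aggregate_limit; the report lists
    sources above per_ip_limit and classifies the flood as single-source or distributed."""
    per_window = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        ip, ts, _ = rec
        per_window[int(ts // window)][ip] += 1

    findings = []
    for w in sorted(per_window):
        counts = per_window[w]
        total = sum(counts.values())
        if total <= aggregate_limit:
            continue
        heavy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        findings.append({
            "window": w,
            "total": total,
            "sources": len(counts),
            "heavy_sources": heavy,
            "kind": "single-source flood" if heavy else "distributed flood",
        })
    return findings


def constructed_log():
    """Constructed sample: 40 s of normal traffic from three clients, a distributed
    flood from 100 sources during seconds 10-19 (each below the per-IP limit), and a
    single noisy source during seconds 30-39."""
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    legit = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    for s in range(40):                                   # 3 clients at 2 req/s
        for ip in legit:
            lines += [line(ip, s, "/index.html"), line(ip, s, "/style.css")]
    for s in range(10, 20):                               # 100 bots at 3 req/s each
        for b in range(100):
            lines += [line(f"203.0.113.{b}", s, "/search?q=x")] * 3
    for s in range(30, 40):                               # one source at 40 req/s
        lines += [line("192.0.2.99", s, "/login")] * 40
    return lines


if __name__ == "__main__":
    for f in analyze(constructed_log()):
        print(f)
```

The first flagged window has over three thousand requests from 103 sources with none above the per-IP limit, which is exactly the botnet pattern described earlier; the second has a single source responsible for most of the traffic, which rate limiting or a block on that address would handle. In production the same counting would run continuously over a streaming log or flow export rather than a fixed list, and the aggregate threshold would be set relative to the measured baseline for the service.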

Are you under attack?

In case of an emergency or cyberattack, do not hesitate to contact us by filling in the following form or by calling us at +31(0)20 309 3000.
