There are a myriad of ways hackers and cybercriminals might attack your system. But while the majority of those attack vectors focus on vulnerabilities and weaknesses in the software and protocols running on the system, there is at least one that exploits the limitations of the hardware itself: a DDoS attack.
DDoS (Distributed Denial-of-Service) attacks can be devastating to the operations, information security, and reputation of a brand. At best, it’s a major disruption of business processes. At worst, it can result in a major data breach.
So, to help you protect your system (and to prevent your system becoming involved in such an attack), we’ve prepared this handy guide to what they are, how they work, and what can be done about them.
How Does a DDoS Attack Work?
DDoS attacks are essentially real (though digital) versions of zombie movies. Much like how the shambling horde overwhelms and overpowers the ragtag band of survivors, resulting in their doom, a DDoS attack is an assault from a swarm of otherwise innocent systems turned malevolent via infection.
The major difference being that while the movie monsters are disorganized and uncoordinated, a “botnet” is incredibly precise, and driven by an intelligent, sinister purpose. Here’s how it happens.
It starts with some unassuming malware. The hacker who wants to employ a DDoS attack starts distributing an unwanted program. They do this in a number of ways: phishing emails, fake links and downloads, Trojan horse-style apps. They trick users into downloading and installing the malware on their own device, leading them to believe it’s something they want, or that it’s harmless.
Unlike most malware, though, the goal here isn’t to defraud the user who downloaded it. Aside from spreading itself via additional phishing emails and other methods, it just sits there. Waiting. Meanwhile, the malware is being installed on hundreds, thousands, and in some cases millions of other devices.
This collective of infected systems is called a “botnet,” and it’s like a fully loaded semi at the top of a hill—a whole cargo-load of potential power, waiting to come barreling down on a victim.
Once the botnet has large enough numbers, the hacker engages the malicious programs. They still don’t attack the original users, though. Instead, they turn those systems into puppets. They commandeer the devices, and they use them to do something rather mundane: visit a website.
Now, websites take queries from external devices all day long. That’s what the internet was built for. But each domain is limited in how many calls to the server it can field at once. The limit is based on how much hardware they have running on the back end to keep the site up.
Smaller organizations may only have a handful of servers. Larger organizations may have hundreds. Web hosts have whole buildings full of them. But no matter how many are in use, there is a finite cap on how much load the servers can handle all at once. This is what a DDoS attack exploits.
When the server calls are coming in by the thousands, or tens of thousands, the stress is too much for the system to handle. It only takes a little bit of computing power from each bot in the net to send the queries, but it takes a colossal amount of effort on the server’s part to answer them. Eventually, the hardware overloads, and the system crashes.
How to Know If You’ve Experienced a DDoS Attack
While the first clue of experiencing a DDoS attack is a sudden slowdown or disruption of service, legitimate spikes in traffic can also cause network congestion. So here are other telltale signs that aren’t due to normal traffic spikes:
- High levels of traffic coming from:
  - A single IP address or range
  - The same device type, web browser version, geolocation, or behavioral profile
- High levels of requests going to a single page or endpoint
- Odd traffic patterns, such as spikes:
  - At off-hours of the day
  - Every 10 minutes
The key here in identifying the attack is recognizing abnormal behavior. Peak usage times often result in network congestion, but if the vast majority of your traffic is during business hours EST, and your system experiences a dramatic spike at 3 am EST, don’t assume it’s benign.
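The indicators above can be checked mechanically against a web server's access log. The following Python script is an added example written for this guide, not code from the original article or from Alert Logic: it buckets requests per minute and, for any minute above a baseline, reports whether one /24 source range, one user agent, or one endpoint dominates and whether the minute falls outside business hours. The log lines are constructed, and the thresholds (`baseline_rpm`, `share_threshold`, `business_hours`) are assumptions to tune per site.

```python
"""Flag the DDoS indicators listed above in a web-server access log.

Added example; the log lines are constructed for this snippet and the
thresholds are assumptions to be tuned per site, not values from the article.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed sample in Combined Log Format: a quiet business-hours baseline
# followed by a 03:00 burst from one /24, one user agent, one endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:14:00:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"
203.0.113.9 - - [12/Mar/2024:14:00:07 -0500] "GET /about HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Macintosh) Safari/17.3"
198.51.100.22 - - [12/Mar/2024:14:00:31 -0500] "GET /pricing HTTP/1.1" 200 1033 "-" "Mozilla/5.0 (X11; Linux) Chrome/122.0"
203.0.113.77 - - [12/Mar/2024:14:00:45 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"
"""
# Burst: 40 requests in one minute from 192.0.2.x, all with the same agent.
SAMPLE_LOG += "".join(
    f'192.0.2.{i % 250} - - [13/Mar/2024:03:00:{i % 60:02d} -0500] '
    f'"GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"\n'
    for i in range(40)
)

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def analyze(text, baseline_rpm=10, share_threshold=0.8,
            business_hours=range(8, 19)):
    """Return findings for every minute whose request count exceeds
    baseline_rpm. Each finding lists which indicators fired: a single
    /24 source range, a single user agent, a single endpoint, off-hours."""
    per_minute = defaultdict(list)
    for rec in parse_log(text):
        per_minute[rec["ts"].replace(second=0)].append(rec)
    findings = {}
    for minute, recs in sorted(per_minute.items()):
        n = len(recs)
        if n <= baseline_rpm:
            continue

        def dominant(key):
            # Most common value for this field and its share of the minute
            value, count = Counter(key(r) for r in recs).most_common(1)[0]
            return value, count / n

        net, net_share = dominant(lambda r: ".".join(r["ip"].split(".")[:3]))
        ua, ua_share = dominant(lambda r: r["ua"])
        path, path_share = dominant(lambda r: r["path"])
        flags = []
        if net_share >= share_threshold:
            flags.append(f"single_source_range:{net}.0/24")
        if ua_share >= share_threshold:
            flags.append(f"single_user_agent:{ua}")
        if path_share >= share_threshold:
            flags.append(f"single_endpoint:{path}")
        if minute.hour not in business_hours:
            flags.append("off_hours")
        findings[minute.isoformat()] = {"requests": n, "flags": flags}
    return findings

if __name__ == "__main__":
    for minute, f in analyze(SAMPLE_LOG).items():
        print(minute, f["requests"], "requests:", ", ".join(f["flags"]))
```

On the constructed log the 14:00 minute stays under the baseline and is skipped, while the 03:00 minute trips all four indicators at once. In production the baseline should come from the site's own history (for example the 95th percentile of requests per minute over the last month) rather than a fixed number, and the /24 grouping is a simplification; a real botnet is usually spread across many ranges, which is exactly why the user-agent and endpoint checks matter alongside the source check.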
3 Types of DDoS Attacks
DDoS attacks come in multiple varieties, but they all share a common goal: rendering an online resource useless. The following types of attacks target varying components (layers) of a network’s connectivity and can be used individually or in combination to overwhelm a target’s servers, making their site inaccessible:
- Volume-based attacks overwhelm a target’s website or server by sending massive amounts of bogus traffic, often using some form of amplification.
  - DNS amplification sends many small DNS queries to open resolvers with the target’s address forged as the source, so the resolvers’ much larger responses are all delivered to the target.
- Network-layer attacks (also called protocol attacks and state-exhaustion attacks) send more packets than the targeted network equipment can handle (e.g., firewalls and load balancers).
  - A SYN flood is an example of a protocol attack: it exploits the TCP connection handshake by sending connection requests (SYN packets) that are never completed, leaving half-open connections that exhaust the target’s connection state.
- Application-layer attacks flood applications with bad requests. Two examples of application-layer attacks are:
  - Layer 7 attacks, which target the application layer where humans and computers interact.
  - HTTP flooding, which works in a similar way to pressing “refresh” in a web browser, except it’s done repeatedly on many computers at once.
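The three classes leave different fingerprints in a packet capture, and a defender's first job during an incident is usually to work out which one is under way, because the mitigation differs (upstream scrubbing for volumetric floods, SYN cookies or connection-table limits for state exhaustion, request filtering for application floods). The Python below is an added example, not code from the original article or from Alert Logic: it builds a constructed capture of legitimate traffic plus one burst of each class, then scores each class from its own signature. All addresses and thresholds are assumptions.

```python
"""Tell the three classes of DDoS traffic described above apart using
their signatures in packet records. Added example with a constructed
capture; every address and threshold here is an assumption."""
from collections import Counter

TARGET = "203.0.113.10"   # constructed victim address

def build_sample():
    """Constructed capture: a few legitimate sessions followed by one burst
    of each attack class. Each record is one packet (t = seconds)."""
    pk = []
    def add(t, proto, src, dst, sport, dport, flags="", size=60):
        pk.append(dict(t=t, proto=proto, src=src, dst=dst, sport=sport,
                       dport=dport, flags=flags, size=size))
    for i in range(3):                 # legitimate clients: handshake, then a request
        c = f"198.51.100.{i + 1}"
        add(0.0, "tcp", c, TARGET, 40000 + i, 443, "S")
        add(0.1, "tcp", c, TARGET, 40000 + i, 443, "A")
        add(0.2, "tcp", c, TARGET, 40000 + i, 443, "PA", 500)
    add(0.3, "udp", TARGET, "192.0.2.53", 50000, 53)            # target's own DNS query
    add(0.3, "udp", "192.0.2.53", TARGET, 53, 50000, size=120)  # and the reply to it
    for i in range(50):                # SYN flood: 50 sources, no handshake completes
        add(1.0 + i / 100, "tcp", f"192.0.2.{i}", TARGET, 1000 + i, 443, "S")
    for i in range(30):                # DNS amplification: big replies never asked for
        add(2.0 + i / 100, "udp", f"198.51.100.{50 + i}", TARGET, 53, 50001, size=3000)
    for b in range(10):                # HTTP flood: 10 bots x 30 requests in one second
        for r in range(30):
            add(3.0 + r / 30, "tcp", f"192.0.2.{200 + b}", TARGET, 2000 + b, 80, "PA", 400)
    return pk

def syn_flood_signal(packets, target, half_open_ratio=0.9, min_sources=20):
    """Protocol / state-exhaustion indicator: SYNs that never become
    completed handshakes (no later packet with ACK from the same src:port)."""
    syns, acks = Counter(), set()
    for p in packets:
        if p["proto"] != "tcp" or p["dst"] != target:
            continue
        if p["flags"] == "S":
            syns[(p["src"], p["sport"])] += 1
        elif "A" in p["flags"]:
            acks.add((p["src"], p["sport"]))
    half_open = [k for k in syns if k not in acks]
    ratio = len(half_open) / len(syns) if syns else 0.0
    sources = len({src for src, _ in half_open})
    return {"half_open_ratio": round(ratio, 2), "sources": sources,
            "fired": ratio >= half_open_ratio and sources >= min_sources}

def dns_amplification_signal(packets, target, min_factor=10, min_bytes=10_000):
    """Volumetric indicator: bytes arriving from UDP port 53 far exceed the
    bytes of DNS queries the target itself sent out."""
    out = sum(p["size"] for p in packets if p["proto"] == "udp"
              and p["src"] == target and p["dport"] == 53)
    inb = sum(p["size"] for p in packets if p["proto"] == "udp"
              and p["dst"] == target and p["sport"] == 53)
    factor = inb / max(out, 1)
    return {"response_bytes": inb, "query_bytes": out, "factor": round(factor, 1),
            "fired": inb >= min_bytes and factor >= min_factor}

def http_flood_signal(packets, target, max_rps=100):
    """Application-layer indicator: data-carrying packets (PSH set, i.e.
    requests on established connections) per second to the web ports."""
    per_second = Counter()
    for p in packets:
        if (p["proto"] == "tcp" and p["dst"] == target
                and p["dport"] in (80, 443) and "P" in p["flags"]):
            per_second[int(p["t"])] += 1
    peak = max(per_second.values(), default=0)
    return {"peak_rps": peak, "fired": peak > max_rps}

def classify(packets, target=TARGET):
    """Score all three classes; more than one can fire in a combined attack."""
    return {
        "network_layer_syn_flood": syn_flood_signal(packets, target),
        "volumetric_dns_amplification": dns_amplification_signal(packets, target),
        "application_layer_http_flood": http_flood_signal(packets, target),
    }

if __name__ == "__main__":
    for name, signal in classify(build_sample()).items():
        print(name, signal)
```

Note the asymmetry the signals rely on: a SYN flood is cheap because it never completes the handshake, so the tell is half-open connections from many sources; amplification is visible as inbound DNS response bytes with no matching outbound queries; and an HTTP flood looks like ordinary, fully established traffic, which is why it has to be judged on request rate rather than on anything malformed in the packets.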
Recent DDoS Attacks
A U.K.-based telecommunications company, TalkTalk, was hacked and 4 million customer records were stolen. It was done through a multi-pronged assault that used a DDoS attack to overwhelm the company’s website. After this incident, TalkTalk customers have had a hard time trusting the company’s claims that their databases are secure and protected against further attacks.
To put such attacks into perspective, Dark Reading reports that “researchers recorded approximately 2.9 million DDoS attacks in the first quarter of 2021, marking a 31% increase from the same period in 2020.” The prediction is for DDoS activity to “exceed the 10-million attack threshold last year,” especially since January and February are typically the slowest months for attacks.
How to Avoid a DDoS Attack
Practically any online business or organization is at risk of being attacked, but a few industries are targeted more than others. They include:
- eCommerce sites
- Online casinos
- Financial services (including cryptocurrency exchanges)
And while there’s no way to give your system infinite capacity to handle server load, there are a few things you can do to manage incoming traffic and requests, including:
- Reduce your attack surface area by using Load Balancers or Content Distribution Networks (CDNs)
- Restrict direct traffic to critical parts of your infrastructure
- Leverage Access Control Lists (ACLs) or firewalls to control or limit access from different traffic sources
Additionally, you can prepare for large spikes in traffic by designing your site or app architecture for greater transit capacity, and by investing in the hardware (or services) needed to increase server capacity.
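The ACL and firewall bullet above comes down to deciding, per traffic source, whether to pass a request, throttle it, or drop it. The Python class below is an added example written for this guide, not code from the original article or from Alert Logic: a token-bucket limiter keyed by source network, with an allow list for the ranges that should reach the origin directly (the CDN or load balancer) and a deny list for ranges you have chosen to block. The addresses, rates and the simulated traffic mix are constructed assumptions.

```python
"""Per-source admission control in front of a service: allow list, deny
list, and a token bucket per source network. Added example; the ranges,
limits and simulated traffic are constructed, not from the article."""
import ipaddress
from collections import Counter

class SourceLimiter:
    """rate = tokens refilled per second, burst = bucket size. Requests are
    budgeted per /prefix (IPv4) or /64 (IPv6) so that a botnet spread across
    one range shares a single budget instead of getting one per address."""

    def __init__(self, rate, burst, allow=(), deny=(), prefix=24):
        self.rate, self.burst, self.prefix = rate, burst, prefix
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]
        self.buckets = {}   # source network -> (tokens, last refill time)

    def _key(self, addr):
        plen = self.prefix if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def decide(self, ip, now):
        """Return "deny", "allow" or "throttle" for one request at time now."""
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.deny):
            return "deny"
        if any(addr in n for n in self.allow):
            return "allow"            # trusted path, no budget applied
        key = self._key(addr)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return "allow"
        self.buckets[key] = (tokens, now)
        return "throttle"

def simulate():
    """Constructed traffic mix: 100 bots in one /24 hammering the origin
    for five seconds, one ordinary visitor, requests arriving via the
    allow-listed CDN range, and a few hits from a deny-listed range."""
    lim = SourceLimiter(rate=10, burst=20,
                        allow=["198.51.100.0/24"], deny=["203.0.113.128/25"])
    decisions = Counter()
    for t in range(1, 6):                       # five one-second batches
        for i in range(100):                    # 100 bots sharing 192.0.2.0/24
            decisions[lim.decide(f"192.0.2.{i}", float(t))] += 1
    for k in range(5):                          # ordinary visitor, 5 clicks
        decisions[lim.decide("203.0.113.7", 1.0 + 0.2 * k)] += 1
    for i in range(200):                        # traffic arriving through the CDN
        decisions[lim.decide(f"198.51.100.{i}", 1.0)] += 1
    for i in range(3):                          # hits from the blocked range
        decisions[lim.decide(f"203.0.113.{130 + i}", 1.0)] += 1
    return dict(decisions)

if __name__ == "__main__":
    print(simulate())
```

In the simulation the bot range gets its 20-request burst and then 10 requests per second regardless of how many addresses it uses, the visitor and the CDN traffic are untouched, and the deny-listed range never reaches the bucket logic. The /24 grouping is a trade-off: it defeats a botnet that rotates addresses within a range, but a legitimate user sharing that range with bots is throttled too, so at an origin that only expects traffic from its CDN the stronger control is the allow list, with everything else throttled hard or dropped.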
Ultimately, though, prevention efforts only go so far, and none of them are silver bullets. So it’s best to couple these efforts with active monitoring and response so you can catch a DDoS in progress and halt it. This minimizes the likelihood (and length) of potential downtime, as well as helps prevent breaches resulting from the attack.
That kind of vigilance requires a dedicated team, though, and not every organization has that. If that sounds familiar, it’s worthwhile to consider a robust Managed Detection and Response (MDR) solution that can handle all the heavy lifting for you.
Don’t Join the Horde
You also want to make sure that your system and devices aren’t adding to the problem by getting infected and joining the botnet. This is actually pretty straightforward, however, so long as you can get everyone in the organization to follow the rules. This is done quite easily by simply not downloading malware.
Teach your team members to be suspicious of links, files, programs, or other bait-and-switch vectors if they can’t 100% verify their origin.
Phishing emails are probably the most common vector, and learning to recognize them for what they are is a critical skill for any user these days, especially with scammers getting better at spoofing the emails of people on our contact list.
Users should also be leery of any application (for desktop or mobile) where the publisher can’t be verified. Those warnings your computer, phone, or app marketplace give you are important, because verifying the publisher is part of how they weed out malicious software.
Beyond that, it’s a matter of avoiding the kinds of places online where malware likes to hide: the kind of places users might, for example, go to illegally download media (or, at least, where the hackers claim you can do so).
Bottom line, you can avoid being used as part of a botnet by avoiding infection – and luckily, unlike the numberless mobs of the undead, malware can’t infect your system unless you let it.
Stay Safe with Alert Logic
If this all sounds like good ideas, but a lot of work that your team doesn’t have the time or expertise for, we may be able to help. Since 2002, Alert Logic has provided organizations with unrivaled security and white-glove managed detection and response (MDR) service, covering public clouds, IaaS and SaaS brands, on-premises systems, and hybrid environments.
Our end-to-end, cloud native services integrate directly into your team, amplifying your ability to protect against and respond to threats without adding to your workload.
To learn how we make cybersecurity easy, watch our online demo!