Reports of DDoS attacks pop up in the news every few months. Servers crash, sites go down, and companies can lose millions of dollars while their services are disrupted. Services ranging from Netflix and Reddit to electricity providers, among many others, have experienced such attacks.

How are Distributed Denial-of-Service (DDoS) attacks executed?

Put simply, a distributed denial of service (DDoS) attack makes a web service unavailable. It works by overwhelming a website’s capacity to handle many requests at the same time, so that legitimate visitors and users are denied access.

DDoS attacks are generally executed using a network of bots called botnets. A bot is simply a script or software program designed to do repetitive tasks. For example, web crawlers and search engines are bots. In the case of a DDoS attack, the repetitive task is making a request to a web server, over and over again.

A computer, server, or IoT device can become a bot if its user inadvertently installs malware from a malicious actor. The bot then connects to a command-and-control server, which holds the instructions for launching an attack. Once the malware has spread far enough to create an army of bots, the botnet is ready to be deployed for malicious purposes. The aim is generally a DDoS attack, but botnets are also used to steal data, send spam, or distribute ransomware.

Different types of devices can be turned into a bot for an attack: computers, servers, even IoT devices. For example, in 2016, the DNS provider Dyn suffered a massive DDoS attack from a botnet. The Mirai botnet exploited security weaknesses in 30,000 WiFi cameras, which gave the attackers access to users’ WiFi routers and allowed them to build a massive botnet. The attack had knock-on effects on thousands of other websites that relied on Dyn’s services.

Pick your poison

There are three different kinds of DDoS attacks. The most common are volumetric attacks, which make up about two thirds of DDoS attacks. Volumetric attacks use a botnet to send requests to the servers all at once, saturating their bandwidth capacity so that genuine traffic cannot get through. A common type of volumetric attack is a User Datagram Protocol (UDP) flood. As the name suggests, this attack involves sending a flood of UDP packets, which the server then tries in vain to respond to.

Protocol attacks are the second most common type of DDoS attack, making up about 20% of cases. These attacks target weaknesses in the network layer (layer 3) or the transport layer (layer 4). SYN floods, a type of protocol attack, send a large number of connection requests to the target with spoofed source IP addresses, so the sender’s identity is hidden behind another address. This type of attack exploits the Transmission Control Protocol (TCP) handshake, a three-step exchange in which a client and a server trade messages to establish a connection before sending and receiving data. The server reserves resources for each half-open connection while it waits for the client to complete the handshake, and a spoofed client never does. In a SYN flood, the sheer volume of these requests means the target cannot respond to all of them, and its resources are exhausted.

Application layer attacks (layer 7) make up about 15% of DDoS attacks. The application layer is where requests are made to a web server, for example to load a particular page and its resources. The botnet overloads the server with such requests, forcing it to serve expensive assets such as files or database queries over and over again. This would be analogous to working in a sandwich shop and suddenly being asked to make 63 footlong subs.
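As an added illustration (not part of the original post), the following small detector runs over constructed web-server log lines and flags a second in which many distinct sources hammer one expensive endpoint, the pattern of the layer-7 flood described above. The thresholds and log lines are this example’s own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Common Log Format style: one quiet second followed by
# one second in which 20 sources each request an expensive endpoint twice.
SAMPLE_LOG = [
    f'192.0.2.{i} - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200'
    for i in (1, 2, 3)
] + [
    f'198.51.100.{i} - - [10/Oct/2023:13:55:37 +0000] "GET /search?q={i} HTTP/1.1" 200'
    for i in range(1, 21) for _ in range(2)
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

TOTAL_PER_SEC = 20      # assumed baseline ceiling for this small site
DISTINCT_SOURCES = 10   # many sources above the ceiling => botnet pattern


def parse(line):
    """Return (ip, timestamp, path) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    return ip, ts, path.split("?")[0]   # group /search?q=1 and /search?q=2 together


def detect(lines):
    """Return (second, total, distinct_sources, top_path, verdict) per flagged second."""
    per_sec = defaultdict(list)         # log timestamps have one-second resolution
    for line in lines:
        rec = parse(line)
        if rec:
            per_sec[rec[1]].append(rec)
    alerts = []
    for ts in sorted(per_sec):
        recs = per_sec[ts]
        total = len(recs)
        if total <= TOTAL_PER_SEC:
            continue
        sources = len({ip for ip, _, _ in recs})
        top_path, _ = Counter(p for _, _, p in recs).most_common(1)[0]
        verdict = "distributed flood" if sources >= DISTINCT_SOURCES else "single-source flood"
        alerts.append((ts, total, sources, top_path, verdict))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```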

Deep impact of DDoS attacks

The business impact of a DDoS can be enormous. Prolonged disruptions to an e-commerce website could mean millions in lost revenue, not to mention the reputational damage of a service outage. Customers can get agitated and move away from your service, and legal issues may result from service disruptions.

Worse still, DDoS attacks are relatively cheap to pull off. For as little as $5 per hour, a botnet service can be hired to attack a target for 24 hours. Such services often advertise under the guise of offering ‘stressing’ services for people who want to stress test their own servers.

An ounce of prevention against DDoS attacks is worth a pound of cure

Considering the danger and consequences of DDoS attacks, what can be done to prevent them? There are preventative measures both internally and with the help of external parties.

The Software Engineering Institute at Carnegie Mellon University suggests some practical tips for IT architecture. Steps like locating servers in different data centers and removing bottlenecks and single points of failure reduce the likelihood of being taken offline by a DDoS attack. Firewalls and load balancers can also protect against layer 4 (transport layer) protocol attacks.

There are also a number of external services that offer DDoS protection. Amazon offers baseline DDoS protection to all its AWS customers at no extra charge, which should put off most attackers; for more serious attacks, higher tiers are available at additional cost.

For organizations focused on civil liberties but without the budgets of large tech companies, Project Shield offers protection. Built by Jigsaw and owned by Google’s parent company Alphabet, it protects the web services of election monitoring services and human rights organizations.

Finally, engineers are working on new ways to stop DDoS attacks. One such method is Amazon’s recently granted patent that uses the underlying concepts of the bitcoin blockchain to protect services from DDoS attacks. Under this system, a client making a request to the target’s web server would first need to solve a cryptographic puzzle. This concept is called Proof-of-Work. An individual computer making a request would not be significantly encumbered by this requirement. However, a coordinated botnet attack would incur a high cost in computing power to solve these puzzles for every request, which deters attackers.

Conclusion

DDoS attacks have proven to be an effective way to disrupt web services. Despite advances in mitigation and prevention techniques, DDoS attacks will remain a constant threat to organizations large and small. A good place to start is a mindset of privacy and security, beginning with encrypted email and following good online security and privacy practices. This reduces the chance that your devices are turned into bots that contribute to DDoS attacks.

As one of the most secure and private email suites, we treat the security of our infrastructure as a top priority and strive to improve the security of our service in every possible way. Feel free to share your feedback and comments with us.


– Mailfence Team