Posted: March 22, 2018 by

How do DDoS attacks work? And how do we protect our organizations from the growing size and number of attacks?

Depending on the type and size of your organization, a DDoS (Distributed Denial of Service) attack can be anything from a small nuisance to something that breaks your revenue stream and damages it permanently. A DDoS attack can cripple some online businesses for long enough to set them back considerably, or even put them out of business completely for the duration of the attack and some period afterwards. Depending on the kind of attack, there can also be side effects, intentional or not, that further hurt your business.

Let’s see what we are up against and what we can do about it.

Introduction

DDoS stands for Distributed Denial of Service. It is a network attack in which the attackers force numerous systems (usually infected with malware) to send network requests to one specific web server. The receiving server is overloaded by these nonsense requests, which either crash it or tie it up enough that normal users are unable to establish a connection between their system and the server.

This type of attack has been popularized by numerous hacker groups as well as by state-sponsored attacks conducted by governments against each other. Why? Because they are easy to pull off. Often the attackers use bots or otherwise enslaved computers and devices to overwhelm the target with requests.

Recent attacks are bigger than ever

Recent examples of DDoS attacks include the record-breaking attack on code repository GitHub a few weeks ago. GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35 Tbps. That record did not last long: only one week after GitHub was knocked offline by what was then the world’s largest distributed denial-of-service attack, the same technique was used to direct an even bigger attack against an unnamed US service provider. According to DDoS protection outfit Arbor Networks, that provider survived an attack that reached an unprecedented 1.7 Tbps.

These attacks use Internet-facing, Memcached-enabled servers to amplify their magnitude. Memcached servers should not be exposed to the Internet at all, but so many of them are that this amplification vector will remain available to attackers for some time to come.

Consequences

A DDoS attack can cause:

Disappointed users that may never return

Data loss

Loss of revenue

Compensation of damages

Lost work hours/productivity

Reputation damages

These are the things we don’t want to happen. So it’s time to look at the defense mechanisms that are available to us.

Possible defenses

Scrambling for a solution at the moment you find out you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. GitHub survived its attack, for example, because it was prepared. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow when an attack occurs.

Depending on the possible consequences that would do the most harm to your organization, the chosen solution should offer you one or more of these options:

Allow users to use the site normally as much as possible, even during the attack

Protect your network from breaches during an attack

Offer an alternative system to work from

The least you should do is make sure you’re aware of the fact that an attack is ongoing. The sooner you know what’s going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

On-premise protection (e.g. identifying, filtering, detection, and network protection)

Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing)

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.
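The first step named above is simply knowing that an attack is under way. As an added illustration (not code from the post), here is a small detector over constructed access-log lines in combined-log format: it buckets requests per second and raises an alert only when a second carries both far more requests than the median rate and many distinct source addresses, which is the distributed signature worth escalating to a cloud scrubbing service. The log lines, addresses and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Combined-log-format prefix: client address, then the bracketed timestamp.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def bucket_per_second(lines):
    """Group requests by whole second: {second -> Counter(source_ip: hits)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # a malformed line must not take the detector down
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        buckets[ts][m.group("ip")] += 1
    return buckets

def detect_floods(lines, factor=10, min_sources=20):
    """Flag every second whose request count is at least `factor` times the
    median per-second rate AND is spread over at least `min_sources` distinct
    clients. One chatty client is an ordinary ops problem; high volume from
    many sources is what to escalate on."""
    buckets = bucket_per_second(lines)
    if not buckets:
        return []
    baseline = max(1, median(sum(c.values()) for c in buckets.values()))
    alerts = []
    for second in sorted(buckets):
        total, sources = sum(buckets[second].values()), len(buckets[second])
        if total >= factor * baseline and sources >= min_sources:
            alerts.append((second.isoformat(), total, sources))
    return alerts

def _line(ip, sec):
    return f'{ip} - - [22/Mar/2018:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'

# Constructed sample log (documentation address ranges, not real traffic):
# one regular client at 1 request/s, then a one-second burst from 40 hosts.
SAMPLE_LOG = [_line("203.0.113.5", s) for s in range(0, 5)]
SAMPLE_LOG += [_line(f"198.51.100.{i}", 5) for i in range(1, 41)]
SAMPLE_LOG += [_line("203.0.113.5", s) for s in range(6, 8)]

if __name__ == "__main__":
    for when, total, sources in detect_floods(SAMPLE_LOG):
        print(f"{when}: {total} requests from {sources} sources")
```

In production the thresholds would come from your own traffic baseline and the alert would feed whatever escalation path your plan defines.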

Other countermeasures

Besides defending ourselves from DDoS attacks, we should strive to limit the possible consequences. Have alternatives in place to keep the workflow, and ideally, the revenue going. Keep possible data of interest away from Internet-facing machines, so you don’t get added to the long list of data breaches.

Perform forensics after the fact. Knowing your enemy might help you stop the next attack.

Don’t be a part of the problem

The priority at this moment is to get Memcached-enabled servers off the Internet, as they allow attackers to scale up their attacks by a huge factor. The attack on GitHub was about three times as powerful as the largest attack that did not use Memcached-enabled servers.
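A check for the point above, added here and not from the post: a small Python audit of a memcached command line (as shown by ps, or assembled from the options in /etc/memcached.conf) that reports whether the instance listens beyond loopback and whether UDP is enabled. It relies on memcached's -l (listen address), -U (UDP port, 0 disables) and -p (TCP port) options and on the fact that builds before memcached 1.5.6 enabled UDP unless started with -U 0; the two invocations are constructed examples.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_memcached_args(cmdline):
    """Pull -l (listen address list), -U (UDP port) and -p (TCP port) out of a
    memcached command line; accepts both "-U 0" and "-U0" spellings."""
    opts = {"-l": None, "-U": None, "-p": "11211"}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in opts and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        elif tok[:2] in opts and len(tok) > 2:
            opts[tok[:2]] = tok[2:]
            i += 1
        else:
            i += 1  # unrelated option or its argument
    return opts

def audit_memcached(cmdline, udp_on_by_default=True):
    """Return (code, detail) findings for settings that make the instance usable
    as an amplifier. udp_on_by_default=True models builds before memcached 1.5.6,
    which answered on UDP unless started with -U 0."""
    o = parse_memcached_args(cmdline)
    findings = []
    # No -l means memcached binds every interface. Entries may be "addr:port".
    listen = [a.strip() for a in (o["-l"] or "0.0.0.0").split(",")]
    hosts = [a.rsplit(":", 1)[0] if a.count(":") == 1 else a for a in listen]
    network = [h for h in hosts if h not in LOOPBACK]
    if network:
        findings.append(("network-listen",
                         "reachable beyond loopback on: " + ", ".join(network)))
    udp = o["-U"]
    if (udp is None and udp_on_by_default) or (udp not in (None, "0")):
        findings.append(("udp-enabled",
                         f"UDP port {udp or '11211'} is open; start with -U 0"))
    return findings

# Constructed weak and hardened invocations (not taken from the post).
WEAK = "memcached -m 64 -p 11211 -u memcache"
HARDENED = "memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_memcached(cmd) or "no findings")
```

A "network-listen" finding on an internal address is acceptable only if a firewall blocks UDP and TCP 11211 from the Internet; the UDP finding is the one that enables amplification.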

Businesses and consumers alike should also start worrying about securing their IoT devices so that they cannot be used in a DDoS botnet. We have an excellent article called Internet of Things (IoT) security: what is and what should never be that explains in detail why and how you can make the IoT a safer place.

And maybe, just maybe, we should try to work out Internet protocols that are designed so that they do not offer opportunities for DDoS attacks. For example, some attacks saturate a server’s TCP buffers with bogus connection attempts so that no new incoming requests can be accepted. Essentially, your customer is standing in a line that does not move forward. SYN cookie protection is a step in the right direction to mitigate this problem. But there is not much most companies can do about this, except maybe fund research.
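The SYN-cookie idea mentioned above, as an added illustration rather than code from the post: a simplified model of Bernstein's cookie layout in which the server keeps no half-open state at all, encodes everything it needs into the SYN-ACK's initial sequence number, and only creates a connection record when an ACK returns with a valid cookie. HMAC-SHA256 stands in for the kernel's hash, and the secret, addresses and clock are constructed for the example.

```python
import hashlib, hmac, time

# MSS values a cookie can encode; the table index rides in 3 bits of the ISN.
MSS_TABLE = [536, 1220, 1440, 1460]

class SynCookieServer:
    """Listener that never stores half-open connections. The SYN-ACK's initial
    sequence number (ISN) is a cookie: 5 bits of a 64-second time counter,
    3 bits of MSS index, 24 bits of keyed hash over the 4-tuple, time and MSS
    index. State is created only when an ACK returns carrying cookie + 1, so a
    flood of forged SYNs that are never acknowledged allocates nothing."""

    def __init__(self, secret, clock=time.time):
        self.secret, self.clock = secret, clock
        self.established = {}  # (client_addr, client_port) -> negotiated MSS

    def _counter(self):
        return (int(self.clock()) >> 6) & 0x1F  # 64 s ticks, kept to 5 bits

    def _mac(self, caddr, cport, saddr, sport, t, idx):
        msg = f"{caddr}:{cport}>{saddr}:{sport}@{t}/{idx}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")  # 24-bit truncation

    def on_syn(self, caddr, cport, saddr, sport, mss):
        """Answer a SYN: compute the cookie ISN, allocate nothing."""
        t = self._counter()
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        return (t << 27) | (idx << 24) | self._mac(caddr, cport, saddr, sport, t, idx)

    def on_ack(self, caddr, cport, saddr, sport, ack):
        """Validate the returning ACK; return the MSS on success, None otherwise."""
        cookie = (ack - 1) & 0xFFFFFFFF
        t, idx = cookie >> 27, (cookie >> 24) & 7
        if (self._counter() - t) & 0x1F > 1:
            return None  # older than the current or previous tick: stale
        if idx >= len(MSS_TABLE):
            return None  # not an index we ever issue
        if (cookie & 0xFFFFFF) != self._mac(caddr, cport, saddr, sport, t, idx):
            return None  # forged, or replayed from a different 4-tuple
        self.established[(caddr, cport)] = MSS_TABLE[idx]
        return MSS_TABLE[idx]

if __name__ == "__main__":
    srv = SynCookieServer(b"constructed-secret")
    isn = srv.on_syn("198.51.100.7", 40000, "203.0.113.1", 80, 1460)
    print("completed with MSS", srv.on_ack("198.51.100.7", 40000, "203.0.113.1", 80, isn + 1))
```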

Summary

DDoS attacks are so cheap ($10/hour) nowadays that anyone with a grudge can have an unprotected server taken down for a few days without spending a fortune. The possible scope of DDoS attacks has increased significantly now that attackers have started using Memcached-enabled servers. To put a stop to outrageously large DDoS attacks, those servers should not be Internet-facing. Beyond that, organizations should take every step to be prepared for a possible DDoS attack, so that it’s simply a blip in their day instead of a business-ending fiasco.

Pieter Arntz