What Is DDoS (Distributed Denial of Service)? Definition, Types, and Prevention Best Practices for 2022

essidsolutions

A distributed denial of service (DDoS) attack is defined as a cybercrime that brings down an online system by overloading it with fake traffic from several compromised devices. This article explains a DDoS attack in detail along with its types and lists the top ten prevention best practices for 2022.

What Is a DDoS Attack?

A distributed denial of service (DDoS) attack is a cybercrime that brings down any online system by overloading it with fake traffic from several compromised devices.

A real-life equivalent of a DDoS attack is the truck blockade protest in Canada in February 2022. Truck drivers used their vehicles to block traffic in essential areas, thus making it difficult for regular traffic to pass through. The blockade also caused delays and standstills in various manufacturing sectors that depended on these routes for transportation.

A distributed denial of service attack is similar: parts of an organization’s network are bombarded with what looks like routine requests. These requests are fired simultaneously from hundreds or thousands of devices. This overwhelms the network or the servers behind it, rendering them unable to serve the company’s internal or customer-facing services. The disruption typically leads to financial, legal, and reputational damage.

Around 2.9 million DDoS attacks were launched in the first quarter of 2021, according to the seventh issue of NETSCOUT’s Threat Intelligence Report in 2021. This was up by 31% from the same period in 2020. DDoS attacks have been seen across industry verticals such as healthcare and government. 2021 saw many DDoS attacks specifically targeting internet service providers (ISPs) and cloud service providers, since most organizations now rely on them for their daily operations.

DoS vs. DDoS attacks

A distributed denial of service attack is more powerful and damaging than a denial of service (DoS) attack. The objective of both is to bring a system or service down.

In a denial of service attack, a website, server, or network is flooded with traffic from a single device, typically the attacker’s own machine or one compromised host running a flooding tool. Because all of the traffic shares one source, a DoS attack is comparatively easy to trace and to stop with a firewall rule or a rate limit on that source.

In a distributed denial of service attack, many devices are compromised and instructed to generate traffic simultaneously. The traffic from all these devices is directed at the service they aim to bring down. The distributed nature of the attack produces high, unmanageable volumes that cannot be traced back to a single source, and blocking sources one at a time is ineffective because there are thousands of them.


How does a DDoS attack work? 

A typical DDoS attack starts with the compromise of one or more devices, through a known vulnerability, malware, or simply weak or default credentials. In the classic handler/agent botnet design, the first compromised system is designated the ‘master’ (or handler) and is used to recruit the rest.


The compromised systems scan for other vulnerable devices and gain control over them. All systems under the intruder’s control are called zombies or bots. Bots are commonly home and small-office routers, servers, personal computers, and, increasingly, IoT devices: there have been cases where CCTV cameras, DVRs, smart televisions, printers, and baby monitors have been used as bots.

The attacker, also known as a botmaster or bot herder, controls the bots through one or more command and control (C&C, or C2) servers. These are usually attacker-operated infrastructure rather than victims’ devices, and they distribute instructions to all the bots. The collection of these connected bots is called a botnet.

The bots in the botnet wait for a signal from the C2 server. The botmaster issues a command naming the victim and the kind of traffic to generate. The DDoS attack begins when the bots receive this signal and start generating attack traffic toward the victim’s system.

Indicators of a DDoS attack

Distributed denial of service attacks rely on the fact that network administrators may not immediately spot them since they look like usual, flowing data. At the onset, a DDoS attack looks like a standard operational issue.

The typical indicators of a DDoS attack are:

  1. There is an unexplained surge in requests to a single service or web page.
  2. One IP address, or a small set of addresses, makes a very large number of requests over a short period.
  3. Odd yet predictable traffic patterns are observed, for example a spike every 10 minutes during off-hours.
  4. Web servers start responding with HTTP 503 (Service Unavailable), meaning the backends they depend on are overloaded or unreachable.
  5. Files, databases, or web pages become slow to access, both locally and remotely.
  6. A large burst of spam email arrives in a short time.

These symptoms can be spotted using well-configured network monitoring alerts, reports, and logs. 

DDoS attack examples

  • In February 2020, Amazon Web Services (AWS), a leading cloud service provider, was the target of a DDoS attack. According to its threat report, the attack peaked at 2.3 Tbps, the largest DDoS attack publicly reported at the time. AWS reported that it mitigated the attack, which kept threat levels elevated over several days. Considerable resources went into the response, since AWS underpins applications across many industries.
  • GitHub, the cloud-based code repository platform, was intermittently unavailable for around 10 minutes on February 28, 2018. The attack abused internet-exposed memcached servers as reflectors and generated peak traffic of 1.35 Tbps at 126.9 million packets per second.

Because both companies quickly identified the type of DDoS attack and had the right mitigation tooling in place, the damage was limited.


Types of DDoS Attacks

The first step in mitigating a distributed denial-of-service attack is to figure out its type. The attack traffic can be generated in many ways. To understand this, one must have a basic understanding of the OSI network model. The OSI model is a conceptual framework that describes network connectivity in seven different layers. 


The lowest OSI layer is the physical layer, which covers the hardware used to build networks: copper and optical fiber cables, radio links, hubs, and so on. Above it sit the data link, network, and transport layers, which define how frames and packets are addressed, routed, and delivered between two points in the network; IP is a network layer (layer 3) protocol and TCP and UDP are transport layer (layer 4) protocols. The session and presentation layers come next, and the application layer (layer 7, where HTTP, DNS, and SMTP live) defines how data is exchanged with the end user’s software, in the form of web pages, files, mail, and so on.

Attacks can target any of these seven layers. DDoS attacks primarily target the application layer and the network and transport layers. Based on which layer they target, DDoS attacks can be broadly classified into three categories.

1. Application layer attacks

Application layer attacks are also referred to as layer-7 attacks, and their size is measured in requests per second. They overload the server by sending large numbers of resource-intensive requests, focusing on pages and API calls that require database or file access. While a single HTTP request is cheap for the bot to send, answering it is computationally expensive for the target, so a modest request rate can exhaust CPU, database connections, or worker threads.

Application layer attacks can be hard to detect since they look like legitimate traffic. They are usually used together with other types of DDoS attacks.

One example of a layer-7 DDoS attack is HTTP flooding. An HTTP flood is the equivalent of refreshing a web page many times a second. Sophisticated floods do this from many IP addresses, rotating referrers and user agents so that each request looks like it came from a different browser.
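A detector for the indicators listed earlier (a single-source burst, a surge against one path, and a rising share of 503 responses), applied to the HTTP flood described here. This is an added example and not code from the original article. It parses constructed Common Log Format lines: six ordinary requests from six addresses, then sixty requests in one minute from one address against /login with every third response a 503. The thresholds are assumptions and must be tuned against your own baseline.

```python
"""Flag HTTP-flood indicators in access logs (added example; thresholds are assumptions)."""
import re
from collections import Counter

# Common Log Format, e.g.
# 198.51.100.1 - - [10/Mar/2022:14:00:01 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, top_ip_share=0.5, path_share=0.8, error_share=0.2):
    """Compute indicator metrics over a window of log lines.

    top_ip_share: fraction of requests from one address that counts as a burst
    path_share:   fraction of requests to one path that counts as a surge
    error_share:  fraction of 503 responses that counts as backend overload
    """
    recs = [r for r in map(parse_line, lines) if r]
    total = len(recs)
    if not total:
        return {}
    ips = Counter(r["ip"] for r in recs)
    paths = Counter(r["path"] for r in recs)
    errors = sum(1 for r in recs if r["status"] == 503)
    top_ip, top_ip_n = ips.most_common(1)[0]
    top_path, top_path_n = paths.most_common(1)[0]
    return {
        "requests": total,
        "distinct_ips": len(ips),
        "top_ip": top_ip,
        "top_ip_share": top_ip_n / total,
        "top_path": top_path,
        "top_path_share": top_path_n / total,
        "error_503_share": errors / total,
        "flags": {
            "single_source_burst": top_ip_n / total >= top_ip_share,
            "single_path_surge": top_path_n / total >= path_share,
            "backend_overloaded": errors / total >= error_share,
        },
    }


def _line(ip, path, status, second):
    # Helper to build constructed CLF lines; the 512-byte size is arbitrary.
    return (f'{ip} - - [10/Mar/2022:14:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')


# Constructed sample window: six ordinary requests from six addresses, then
# sixty requests in one minute from a single address against /login, during
# which every third response is a 503.
NORMAL = [_line(f"198.51.100.{i}", p, 200, i)
          for i, p in enumerate(["/", "/about", "/login", "/", "/cart", "/"])]
FLOOD = [_line("203.0.113.10", "/login", 503 if i % 3 == 0 else 200, i)
         for i in range(60)]
SAMPLE_WINDOW = NORMAL + FLOOD

if __name__ == "__main__":
    result = analyse(SAMPLE_WINDOW)
    for name, raised in result["flags"].items():
        print(f"{name:22s} {'ALERT' if raised else 'ok'}")
    print(f"top source {result['top_ip']} = {result['top_ip_share']:.0%} of requests")
```

In production the window would be a sliding one or two minutes of live log lines, and the single-source check would be complemented by a per-IP rate limit at the proxy, since a distributed flood can keep every individual address under the single-source threshold while still tripping the path and 503 checks.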

2. Protocol attacks

Protocol attacks are also known as state-exhaustion attacks, and their size is measured in packets per second. They target the connection-state tables of servers, firewalls, and load balancers, the memory these devices use to track every connection in progress. The attacker sends packets that open state without ever completing the exchange, or malformed packets that tie up the protocol stack, until the table is full and legitimate connections are refused. The equipment involved operates at the network and transport layers discussed above.

Data is structured, fragmented, transported, and reassembled at the destination in these layers. A protocol DDoS attack tries to clog up any of these pipelines. Most DDoS prevention solutions also operate at these levels to spot malicious request patterns.

One example of a protocol attack is the SYN flood. Normally, a TCP connection is established with a three-way handshake: the client sends a SYN, the server replies with a SYN-ACK and records a half-open connection in its SYN backlog, and the client completes the handshake with an ACK.

In a SYN flood, the bots send SYNs, usually with spoofed source addresses, and never send the final ACK. The server holds each half-open connection in its backlog, retransmitting the SYN-ACK and waiting. At scale the backlog fills and the server drops SYNs from legitimate clients, so new connections fail even though the machine itself is still running. SYN cookies, which let the server answer a SYN without storing any state, are the standard countermeasure.
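A simulation of the backlog exhaustion described above, beside the countermeasure, SYN cookies. This is an added example and not code from the original article. The Listener class is a toy model of a listening socket: without cookies it stores every half-open connection until the backlog is full; with cookies it stores nothing and instead derives the SYN-ACK sequence number from the client’s addressing tuple with a keyed hash, then verifies the client’s ACK against it. The addresses, the backlog size, and the cookie construction are assumptions; real implementations also fold a timestamp and the negotiated MSS into the cookie and expire half-open entries after a few retransmits, which this model omits.

```python
"""SYN backlog exhaustion vs. SYN cookies, simulated (added example)."""
import hashlib
import hmac
import os
import random

# Per-boot server secret for cookie derivation (assumption: any fresh key works).
SECRET = os.urandom(16)


class Listener:
    """Toy model of a TCP listening socket's handshake state."""

    def __init__(self, backlog=128, syncookies=False):
        self.backlog = backlog          # max half-open connections kept in memory
        self.syncookies = syncookies
        self.half_open = {}             # (src_ip, src_port) -> our ISN
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip, src_port, client_isn):
        # 32-bit keyed hash of the client tuple: stateless, and not forgeable
        # without SECRET. Real cookies also encode time and MSS.
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """Handle a SYN; return our SYN-ACK sequence number, or None if dropped."""
        if self.syncookies:
            return self._cookie(src_ip, src_port, client_isn)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1      # backlog full: legitimate SYNs die here
            return None
        isn = random.getrandbits(32)
        # (Real stacks expire half-open entries after a few retransmits; this model does not.)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_isn, ack):
        """Handle the handshake's final ACK; True if a connection is established."""
        key = (src_ip, src_port)
        if self.syncookies:
            ok = ack - 1 == self._cookie(src_ip, src_port, client_isn)
        else:
            ok = key in self.half_open and ack - 1 == self.half_open.pop(key)
        if ok:
            self.established.add(key)
        return ok


def simulate(syncookies, spoofed_syns=1000, backlog=128):
    """Flood a listener with SYNs that are never completed, then let one
    legitimate client try to connect. Returns what happened."""
    srv = Listener(backlog=backlog, syncookies=syncookies)
    for i in range(spoofed_syns):
        # Spoofed sources: the SYN-ACKs go to hosts that never answer.
        srv.on_syn(f"192.0.2.{i % 256}", 1024 + i, client_isn=i)
    isn = srv.on_syn("198.51.100.7", 40000, client_isn=12345)
    connected = isn is not None and srv.on_ack("198.51.100.7", 40000, 12345, isn + 1)
    return {
        "legit_connected": connected,
        "dropped_syns": srv.dropped_syns,
        "half_open_kept": len(srv.half_open),
    }


if __name__ == "__main__":
    for cookies in (False, True):
        print("syncookies" if cookies else "plain backlog", simulate(cookies))
```

With a plain backlog of 128, the 129th spoofed SYN and everything after it, including the legitimate client, is dropped; with cookies nothing is stored, so the flood costs the server only the CPU to compute hashes and the legitimate handshake completes. On Linux the corresponding kernel setting is net.ipv4.tcp_syncookies, which is enabled by default on current distributions.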

3. Volume-based attacks

As the name suggests, volume-based (volumetric) attacks attempt to consume all the bandwidth between the target and the wider internet; their size is measured in bits per second. Examples are UDP and ICMP floods and reflected amplification attacks, in which bots request large amounts of data from third-party services while spoofing the target’s IP as the source. Most traffic in a volumetric attack is bogus, unlike the other types, which use or exploit the target’s own services.

No matter the category of the DDoS attack, attackers use three techniques to make the traffic larger and harder to attribute:

1. Spoofing 

The internet protocol, in both its IPv4 and IPv6 versions, does not authenticate the source address in a packet header, and networks that do not filter their egress traffic will forward packets with any source address. With spoofing, the attacker rewrites the header information that indicates the packet’s source.

This helps in two ways: first, it hides the data packet’s real source, making it difficult to block the actual bot; second, the DDoS attackers can trick other devices into thinking the target server has made several requests, thereby sending unnecessary data its way. The GitHub attack of 2018 used spoofing.

2. Amplification

The amplification technique sends small requests to third-party services that answer with much larger responses. The ratio of response size to request size is the amplification factor: DNS queries to open resolvers yield roughly 28 to 54 times the request size, the NTP monlist command on old servers several hundred times, and memcached over UDP tens of thousands of times. When the bots send many such requests with the target’s address as the spoofed source, the services deliver the amplified responses to the target. Most DDoS attacks use a combination of spoofing and amplification.

3. Reflection

The reflection technique is used by attackers when they want to hide traces of their involvement. They do so by using bots to create requests to multiple services, spoofing them to look like they originated from the target.

The unwitting services send responses to all these requests to the single target system, thereby overloading it. Reflection makes it hard for the target to understand where the attack is really coming from, since the packets it sees arrive from legitimate servers. The AWS DDoS attack of 2020 used reflection off CLDAP servers.
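A detector for reflected amplification traffic in flow records, together with the amplification-factor arithmetic, serving both the amplification and the reflection descriptions above. This is an added example and not code from the original article. The flow records are constructed NetFlow-style tuples with made-up addresses; the reflector port table holds the standard ports of services that have been abused as reflectors, and the thresholds are assumptions. The signature it looks for is the mirror image of the technique: many distinct sources, all with the same well-known UDP source port, sending large packets to one destination that never asked for them.

```python
"""Spot reflected amplification traffic in flow records (added example)."""
from collections import defaultdict, namedtuple

# Standard ports of UDP services that have been abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto bytes packets")


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes a reflector sends per byte it receives."""
    return response_bytes / request_bytes


def detect_reflection(flows, min_reflectors=50, min_avg_pkt=400):
    """Group UDP flows by (destination, source port) and flag groups where many
    distinct sources share a reflector port and send large packets: that is a
    victim receiving reflected responses to requests it never sent."""
    groups = defaultdict(lambda: {"srcs": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != 17 or f.src_port not in REFLECTOR_PORTS:   # 17 = UDP
            continue
        g = groups[(f.dst_ip, f.src_port)]
        g["srcs"].add(f.src_ip)
        g["bytes"] += f.bytes
        g["packets"] += f.packets
    alerts = []
    for (dst, port), g in groups.items():
        avg_pkt = g["bytes"] / g["packets"]
        if len(g["srcs"]) >= min_reflectors and avg_pkt >= min_avg_pkt:
            alerts.append({"victim": dst, "service": REFLECTOR_PORTS[port],
                           "reflectors": len(g["srcs"]),
                           "avg_packet_bytes": round(avg_pkt),
                           "mbytes": round(g["bytes"] / 1e6, 1)})
    return sorted(alerts, key=lambda a: -a["mbytes"])


# Constructed records: ordinary DNS answers from one resolver to twenty
# internal hosts (small, one packet each), plus 300 memcached servers each
# sending ten full-size packets to a single victim address.
LEGIT = [Flow("192.0.2.53", 53, f"10.0.0.{i}", 50000 + i, 17, 120, 1)
         for i in range(1, 21)]
REFLECTED = [Flow(f"198.51.{i // 250}.{i % 250 + 1}", 11211, "203.0.113.5",
                  80, 17, 14000, 10)
             for i in range(300)]
SAMPLE_FLOWS = LEGIT + REFLECTED

if __name__ == "__main__":
    # Memcached: a 15-byte request can draw a response of roughly 750 kB.
    print("memcached amplification factor:",
          round(amplification_factor(15, 750_000)))
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The same grouping run on your outbound flows (your servers as the source, a reflector port as the source port, thousands of packets toward one external address) tells you whether you are the reflector rather than the victim, which is the case to fix first: close or rate limit the service, and apply egress filtering (BCP 38) so your network cannot emit spoofed packets at all.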

DDoS attacks are often a combination of all these techniques and categories, with one form of attack distracting from the other. It is essential to develop a DDoS mitigation system to handle possible incidents. 

Without a process and system in place, administrators may be too overwhelmed to handle the sheer amount of data thrown into the system. A robust DDoS prevention system also stops the incident from escalating by spotting it in the initial stages.


Top 10 DDoS Prevention Best Practices for 2022

DDoS attacks can be devastating for organizations, especially now that most systems are online. There is no shortage of unprotected devices to convert into bots, and attackers can rent ready-made botnets or pay so-called booter or stresser services for a modest sum. With a botnet on tap, an attacker needs little technical skill to launch an amplification- or reflection-based attack.

With that in mind, here are some best practices to prevent distributed denial of service attacks from bringing your organization’s systems down.


1. Ensure optimal configuration of network devices

Firewalls and routers are the first line of defense in any infrastructure, and care must be taken while configuring them. Rate limit new connections per source, enable SYN cookies on servers and firewalls, drop traffic to ports and protocols you do not use at the network edge, and make sure your own DNS, NTP, memcached, and similar services are not reachable as open reflectors. Web application firewalls must allow custom rule creation so that DDoS-specific filters can be added quickly and integrated with dedicated DDoS tooling.

Organizations can also benefit from considering next-generation firewalls that use artificial intelligence (AI) to identify DDoS attack patterns. This would allow administrators to act sooner.

2. Track & manage all security updates

DDoS attackers look for vulnerabilities in network devices and protocol implementations. For example, the teardrop attack sends IP fragments with overlapping offsets that crash or hang the reassembly code in the network stack. It exploits a bug that was patched long ago in Windows and Linux; any system still running an unpatched version remains vulnerable.

This shows that security updates for every device and server within the network are critical. Patch management has to be automated and scheduled regularly, with out-of-band runs when vendors or service providers report new vulnerabilities. New vulnerabilities are also discussed early on social media, particularly Twitter, and on public paste sites.

3. Educate users, especially when IoT devices are involved

IoT devices are the most vulnerable to DDoS compromise. IoT devices come with weak default passwords that users rarely change. Some IoT devices are even shipped without upgrade or patch capabilities. Users need to be aware that this seemingly minor oversight may cause entire services to fall, affecting them on a large scale.

It is prudent to send users regular tips for good password and device update cycles. Besides end-users, organizations must regularly train employees in security hygiene. Most bots are systems that have been compromised due to poor password management and social engineering attacks such as phishing.

4. Consider using a content delivery network

Content delivery networks (CDNs) are typically used to cache data such as images, web pages, and frequently accessed resources on the cloud. They are used to increase access speed and offload some traffic from the main servers. 

CDNs are deployed across many physical servers in multiple locations, and traffic is distributed between them. This nature of the CDN has one welcome side effect: it makes DDoS attacks more difficult, because attack traffic is spread over a large, well-provisioned edge instead of hitting one origin.

When a DDoS attack occurs, the CDN absorbs much of it before it reaches the origin server. The redistribution allows for more resilience toward large volumes of traffic, giving administrators more time before the system goes down completely. The protection only holds if the origin accepts traffic solely from the CDN’s address ranges; an attacker who discovers the origin’s real IP address can otherwise bypass the CDN entirely.

5. Set network baseline & traffic profile

Administrators need to know when they should flag traffic as suspicious. Standard parameters of the network have to be analyzed and noted. This is known as a network baseline.

  • How many requests per second are expected for a particular feature in an application? 
  • How many packets per second are expected through a particular firewall? 
  • Which profiles are allowed to make specific requests? 

Define all such user roles and access controls. Once these metrics are laid down, they must be documented and used to create alerts. Suspicious behavior is flagged when these metrics fall outside the expected range. The baseline needs to be revisited at regular intervals, especially after changes have been made to the infrastructure or the services offered.
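Building such a baseline and alerting on deviations from it, as an added example that is not code from the original article. The history is a constructed four weeks of per-minute request counts with an hour-of-day shape (quiet nights, busy office hours); the baseline is a mean and standard deviation per hour of day, and a sample is flagged when it lies several standard deviations above the hourly mean. The traffic shape, the 4-sigma threshold, and the minimum absolute deviation are assumptions to be tuned.

```python
"""Per-hour traffic baseline and deviation alerts (added example)."""
import random
import statistics
from collections import defaultdict


def build_baseline(history):
    """history: iterable of (hour_of_day, requests_per_minute) samples from
    normal operation. Returns {hour: (mean, stdev)}."""
    by_hour = defaultdict(list)
    for hour, rpm in history:
        by_hour[hour].append(rpm)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_hour.items()}


def check(baseline, hour, rpm, sigmas=4.0, min_abs=100):
    """Return (alert, z). A sample alerts when it exceeds the hourly mean by
    `sigmas` standard deviations. `min_abs` stops a very quiet hour, whose
    stdev is tiny, from alerting on a deviation of a handful of requests."""
    mean, sd = baseline[hour]
    floor = max(sd, min_abs / sigmas)
    z = (rpm - mean) / floor
    return z >= sigmas, round(z, 2)


def _expected_rpm(hour):
    # Constructed daily shape: quiet at night, busy during office hours.
    if hour < 6:
        return 50
    if 9 <= hour < 18:
        return 800
    return 300


# Constructed history: 28 days, one sample per hour, +/-10% jitter,
# seeded so the run is reproducible.
_rng = random.Random(7)
HISTORY = [(h, int(_expected_rpm(h) * _rng.uniform(0.9, 1.1)))
           for _ in range(28) for h in range(24)]

if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    # A 4x night-time spike alerts even though it is far below daytime volume;
    # a modest daytime rise does not.
    for hour, rpm in [(3, 60), (3, 200), (14, 850), (14, 4000)]:
        alert, z = check(bl, hour, rpm)
        print(f"{hour:02d}:00 {rpm:5d} rpm  z={z:6.2f}  {'ALERT' if alert else 'ok'}")
```

Keying the baseline by hour of day is what lets the off-hours spike from the indicator list stand out: 200 requests per minute is unremarkable at 14:00 and a clear anomaly at 03:00. In practice the same structure is keyed by day of week as well, and the history is rebuilt on a schedule so that legitimate growth does not drift into the alert band.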

6. Have a DDoS incident response plan tested & ready

A DDoS campaign can last from minutes to several days, and an attacker who finds the first attempt successful often returns. A DDoS-specific incident response plan (IRP) is necessary to ensure minimal damage and clear communication.

This IRP must document which symptoms are flagged as DDoS attacks and the immediate steps to be implemented, such as notifying the internet service provider. A designated group of people with clearly defined roles must be listed, along with the mitigation plan and process. Organizations must also define communication protocols among the group and with all stakeholders.

7. Implement a comprehensive network monitoring system 

Network monitoring systems are ideally the first indicators of an ongoing DDoS attack. Accurately designed alerts allow for immediate action. Generated reports allow for forensic examination as well as industry regulation compliance. Logs must be designed to identify network traffic patterns.

8. Consider third-party DDoS testing

An incident response plan is only effective if it has been tested and tweaked for better results. The same holds true for DDoS defenses. Since a realistic DDoS simulation involves many source systems and significant bandwidth, it is best to outsource the testing to a specialist third party. These services simulate an attack to test system response and tend to cover a wide range of attack types, informed by the latest techniques. Schedule such tests only with written authorization, and coordinate them with your ISP and hosting or cloud provider beforehand; providers typically require prior approval for simulated attacks against their networks.

9. Ask the right questions while designing a DDoS prevention system

Before setting up a network monitor, the entire infrastructure needs to be audited. It is essential to know what comes and goes out of every piece of hardware and software. Phased-out systems that are no longer necessary should be unplugged from all networks. 

Once an audit is done, the right questions need to be asked. 

  • Which parts of the infrastructure need protection? 
  • Are there any single points of failure? 
  • Are there any obvious paths to DDoS exploits? 
  • When and where should the alerts be configured? 
  • What are the financial and operational impacts of each kind of failure?

These questions should guide the configuration of multiple components within the network besides a DDoS prevention system that looks explicitly for suspicious patterns.

10. Choose the right deployment option

As with every other aspect of security-related infrastructure, there is no one-size-fits-all design for a distributed denial of service prevention system. For core infrastructure services that own their own IP address space, on-demand protection based on Border Gateway Protocol (BGP) routing is usually sufficient: when an attack is detected, the protection provider announces the affected prefix, scrubs the traffic, and returns the clean traffic over a tunnel. This assumes, of course, that other security controls are in place around these critical assets.

With web applications, it makes sense to deploy an always-on DDoS protection service that uses DNS redirection. The application’s DNS records point at the provider’s reverse proxies, so all traffic passes through the provider’s system before reaching the actual servers. These services are usually integrated with content delivery networks for optimal protection, and, as with a CDN, the origin must accept traffic only from the provider so that the protection cannot be bypassed.

Most designs call for a combination of various deployment options based on infrastructure and functionality.

Takeaway

As of 2021, 16 DDoS attacks occurred every minute, according to the seventh issue of NETSCOUT’s Threat Intelligence Report in 2021. These attacks increased by 25% in just the first month of COVID-19 lockdowns.

With stats like these, it is hard to ignore the fact that every organization needs a tested DDoS identification and mitigation plan. Folded into the existing infrastructure and incident processes, it materially strengthens the company’s security posture.
