slider

Understanding DDoS Attacks and How to Detect Them: A Guide

DDoS attacks are a primary concern in Internet security today. This article explores the details of how DDoS attacks function and provides insights into how they can be detected and mitigated.


What is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. These compromised machines can include computers and other networked resources, such as IoT devices. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.


How Does a DDoS Attack Work?

DDoS attacks are carried out using networks of Internet-connected machines. These networks consist of computers and other devices (such as IoT devices) that have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is called a botnet. Once a botnet has been established, the attacker can direct an attack by sending remote instructions to each bot.

When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.


Identifying a DDoS Attack

The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. However, since various factors, such as a legitimate spike in traffic, can create similar performance issues, further investigation is usually required. Traffic analytics tools can help spot some telltale signs of a DDoS attack:

  • Suspicious amounts of traffic originating from a single IP address or IP range.
  • A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version.
  • An unexplained surge in requests to a single page or endpoint.
  • Odd traffic patterns, such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g., a spike every 10 minutes).

Common Types of DDoS Attacks

Different types of DDoS attacks target varying components of a network connection. Understanding how different DDoS attacks work requires knowledge of how a network connection is made.


Application Layer Attacks

Sometimes referred to as Layer 7 DDoS attacks (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the target’s resources to create a denial-of-service. These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is computationally cheap to execute on the client side, but it can be expensive for the target server to respond to, as the server often loads multiple files and runs database queries in order to create a web page.

Example: HTTP Flood

This attack is similar to pressing refresh in a web browser repeatedly on many different computers at once. Large numbers of HTTP requests flood the server, resulting in denial-of-service. This type of attack ranges from simple to complex. Simpler implementations may access one URL with the same range of attacking IP addresses, referrers, and user agents. Complex versions may use a large number of attacking IP addresses and target random URLs using random referrers and user agents.


Protocol Attacks

Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by over-consuming server resources and/or the resources of network equipment like firewalls and load balancers. Protocol attacks utilize weaknesses in Layer 3 and Layer 4 of the protocol stack to render the target inaccessible.

Example: SYN Flood

A SYN Flood is analogous to a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation until they can’t carry any more packages, become overwhelmed, and requests start going unanswered.

This attack exploits the TCP handshake — the sequence of communications by which two computers initiate a network connection — by sending a target a large number of TCP “Initial Connection Request” SYN packets with spoofed source IP addresses. The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target’s resources in the process.


Volumetric Attacks

This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.

Example: DNS Amplification

A DNS amplification is like if someone were to call a restaurant and say “I’ll have one of everything, please call me back and repeat my whole order,” where the callback number actually belongs to the victim. With very little effort, a long response is generated and sent to the victim. By making a request to an open DNS server with a spoofed IP address (the IP address of the victim), the target IP address then receives a response from the server.


How to Detect a DDoS Attack

The key concern in mitigating a DDoS attack is differentiating between attack traffic and normal traffic. Here are some steps to help detect and respond to a DDoS attack:

  1. Monitor Traffic Patterns: Use traffic analytics tools to identify unusual patterns, such as an unexpected surge in traffic or requests from suspicious IP addresses.
  2. Establish Baselines: Understand your normal traffic patterns to easily spot deviations that might indicate an attack.
  3. Analyze Traffic Sources: Look for spikes in traffic from specific geographic locations or similar device types, which can signal a coordinated attack.
  4. Use Intrusion Detection Systems (IDS): Deploy IDS to monitor and analyze network traffic for signs of malicious activity.

Mitigation Strategies

Mitigating a DDoS attack involves multiple strategies to counter different attack vectors:

Blackhole Routing

One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or blackhole, and dropped from the network. If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a blackhole as a defense. This is not an ideal solution, as it effectively gives the attacker their desired goal: it makes the network inaccessible.

Rate Limiting

Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively. Nevertheless, rate limiting is a useful component in an effective DDoS mitigation strategy.

Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a tool that can assist in mitigating a Layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. By filtering requests based on a series of rules used to identify DDoS tools, Layer 7 attacks can be impeded. One key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.

Anycast Network Diffusion

This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network. Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability. The reliability of an Anycast network to mitigate a DDoS attack is dependent on the size of the attack and the size and efficiency of the network. An important part of the DDoS mitigation implemented by Cloudflare is the use of an Anycast distributed network.


Conclusion

DDoS attacks pose a significant threat to Internet security, but understanding their mechanisms and implementing effective detection and mitigation strategies can help protect against them. By leveraging tools such as traffic analytics, WAFs, and Anycast networks, organizations can better distinguish between legitimate and malicious traffic, ensuring the continuity and reliability of their services.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.