Distributed denial of service (DDoS)
A DDoS attack is a form of cyberattack in which the perpetrators seek to disrupt or crash a website, network or other online service by overloading it with a high volume of fake or junk requests.
There are several motivations for a DDoS attack. For cybercriminals, these typically include earning money by selling DDoS attacks as a service, blackmailing potential targets into paying a ransom, hacktivism and gaining a competitive advantage.
Sophisticated threat groups are known to use DDoS attacks mostly as a part of or as a distraction from other, more severe activities such as cyberespionage and cybersabotage.
Perpetrators of DDoS attacks use networks of distributed, compromised devices to disrupt systems by targeting one or more of the components necessary to establish a connection (see the OSI model) to a network resource.
Volumetric attacks are one of the oldest types of DDoS attacks. They utilise large volumes of traffic to fill the bandwidth capacity between the victim’s network and the Internet or the capacity within the victim’s network. The largest volumetric attacks are (currently) measured in Terabits per second (Tbps) equivalent to roughly 9,000 average Internet connections. For example, during a User Datagram Protocol (UDP) flood attack, the attackers overwhelm the targeted remote server by requesting information from an application listening on a specific port. The server checks, and/or replies to, every such demand, ultimately running out of bandwidth and becoming unreachable.
Protocol attacks. Per its name, protocol attacks misuse the design of the underlying communication protocol (OSI model layers 3 and 4) to exhaust the resources of the targeted system. One example of a protocol attack is SYN flood, which sends a large number of specific requests to the targeted server yet leaves replies to those requests without further action, keeping the “three way handshake” incomplete. When the number of unfinished connections exhausts the capacity of the server, it becomes unreachable for legitimate connections. Protocol attacks use specifically crafted packets to achieve their malicious goals and are thus measured in packets per second (PPS). The largest recorded attacks have reached hundreds of millions.
Application layer attacks (OSI model layer 7) target public facing applications via a high volume of spoofed or bogus traffic. An example of an application layer DDoS attack is an HTTP flood, which floods a specific web server with otherwise legitimate HTTP GET and HTTP POST requests. Even though the server might have enough bandwidth, it is forced to process a large number of bogus requests instead of their legitimate counterparts, thus running out of processing capacity. Application layer attacks are measured in tens of millions of requests per second (RPS).
4. Organizations don’t have to be the primary target to feel the impact of a DDoS attack, especially if it disrupts vital parts of internet infrastructure such as local or regional ISPs. In 2016, criminals flooded servers of major DNS provider Dyn . Other major online services became unavailable due to this DDoS attack, including Twitter, Reddit, Netflix and Spotify.
5. Some cybercriminal actors threaten to use their botnets for a DDoS attack against a specific organization unless a payment is made. These attacks are called DDoS ransom attacks and do not require the attacker to gain access to their targets’ networks.
6. Since 2020, DDoS attacks against victims’ websites also became a part of the “triple extortion” scheme used by high profile ransomware gangs, adding DDoS on top of stealing and encrypting targets’ data.
7. There are DDoS for hire services on the dark web that allow even inexperienced actors who have the money and motivation such as gaining an advantage over a competitor to organize a DDoS attack.
As the name suggests, the difference is mostly in the number of attacking machines. In the case of DoS, the attack typically utilises a script or tool, originates from a single device and targets one specific server or endpoint. In contrast, DDoS attacks are executed by a large network of attacker controlled compromised devices also known as a botnet and can be used to overload selected devices, applications, websites, services or even victims’ whole networks.
The most obvious telltale sign of a DDoS attack is poor performance or the unavailability of the targeted system or service. In case of a website, this might translate into long load times or inaccessibility to people inside and outside the organisation. There are also publicly available services monitoring DDoS attacks such as downforeveryoneorjustme.com or downdetector.com
A DDoS attack can also be identified via the monitoring and analysis of network traffic that identifies bogus or junk requests overloading one or more company systems. In some cases, an extortion message can also point to a possible or ongoing DDoS attack, demanding a ransom for dropping your organisation from the list of future targets or for ceasing an ongoing attack.
4. Organisations don’t have to be the primary target to feel the impact of a DDoS attack, especially if it disrupts the vital parts of Internet infrastructure such as local or regional ISPs. In 2016, criminals flooded the servers of the major DNS provider Dyn. Other major online services became unavailable due to this DDoS attack, including Twitter, Reddit, Netflix and Spotify.
5. Some cybercriminal actors threaten to use their botnets for a DDoS attack against a specific organisation unless a payment is made. These attacks are called DDoS ransom attacks and do not require the attacker to gain access to their targets’ networks.
6. Since 2020, DDoS attacks against victims’ websites have also become a part of the “triple extortion” scheme used by high profile ransomware gangs, adding DDoS on top of stealing and encrypting targets’ data.
7. There are DDoS for hire services on the dark web that allow even inexperienced actors who have the money and motivation, such as gaining an advantage over a competitor, to organise a DDoS attack.
DDoS attacks can be hard to mitigate for organisations that don’t have the right resources, such as hardware or sufficient bandwidth. However, there are things even small and medium companies can do to increase their protection:
Get effective protection with the capabilities to mitigate the risks related to DDoS attacks. ESET multilayered endpoint security solutions use sophisticated Network attack protection technology with advanced filtering and packet inspection to prevent disruptions.