What is a DDoS attack?
A DDoS, or Distributed Denial of Service attack, uses many compromised systems that all target one victim with the objective of rendering it inoperable. Together these compromised systems are called a botnet; they attack by flooding the victim with more traffic than it can handle, until it slows to a crawl or crashes. Unlike many other attacks, a DDoS is not meant to steal or tamper with data but to make the website inaccessible, which can cause great loss to any online business.
DoS vs DDoS
The difference between a DoS and a DDoS attack is quite simple. A DoS attack is carried out by a single attacker from a single machine over a single Internet connection, often at the application layer, with the same intention of rendering a website unusable.
A DDoS attack, on the other hand, uses many compromised devices spread across different IP addresses to deliver a similar attack at a much larger scale. DDoS attacks are harder to deflect than DoS attacks simply because of the number of devices contributing to them: there is no single source to block. DDoS attacks can be carried out at the application layer but are also used at the network layer to target network infrastructure.
Types of DoS attacks
Denial of service attacks generally fall into the following two categories.
An application layer attack (also referred to as a layer 7 attack) can be carried out as either a DoS or a DDoS. The application layer provides the functionality of protocols such as HTTP, FTP and SMTP, and that is exactly what this category of attack targets. The attack seeks to exhaust the system's resources, for example its RAM or CPU, by sending a large number of otherwise legitimate-looking requests.
Network layer attacks (also known as layer 3 or 4 attacks) are designed to target the victim's network infrastructure. These attacks are most commonly carried out as a DDoS and can cause severe damage as well as cost the victim significant amounts of money. Examples of attacks in this category include DNS amplification, SYN flood and NTP amplification attacks. Each takes advantage of a different weakness in how a protocol, or the server implementing it, behaves.
DNS amplification, for instance, sends DNS queries with a forged source address (the victim's) to open DNS resolvers. The resolvers send their replies, which are many times larger than the queries, to the victim, overwhelming it with traffic it never asked for.
A SYN flood abuses the TCP three-way handshake. A TCP connection is established by the client sending a SYN packet, the server responding with a SYN-ACK, and the client completing the handshake with an ACK. A SYN flood sends a large number of SYN packets, often from spoofed addresses, and never completes the handshake, ignoring the SYN-ACKs the server returns. Each unanswered SYN-ACK leaves a half-open connection in the server's backlog, and because that backlog is limited in size, legitimate users can no longer connect.
NTP attacks take advantage of the Network Time Protocol to overwhelm the victim with User Datagram Protocol (UDP) traffic. The attacker sends NTP servers a stream of "monlist" requests, a monitoring command that returns a list of the last 600 hosts that connected to that server, with the source IP spoofed to that of the victim. Each small request triggers a response hundreds of times larger, all of it directed at the victim, which is eventually unable to serve its users.
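The three network-layer attacks above each leave a distinct mark in traffic: SYNs that never complete the handshake, and large UDP replies from port 53 or 123 that answer no query the victim sent. The following Python is an added example, not KeyCDN's code, that flags those signatures in a constructed set of flow records; the Flow field names, the thresholds in classify() and all addresses (drawn from the RFC 5737 test ranges) are assumptions for illustration.

```python
# Added example, not KeyCDN's code: flag the three network-layer attack
# signatures described above in a constructed set of flow records.
# Field names, thresholds and all addresses (RFC 5737 test ranges) are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    src: str         # source IP
    sport: int       # source port
    dst: str         # destination IP
    dport: int       # destination port
    flags: str = ""  # TCP flags as observed: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    size: int = 0    # UDP payload bytes


def synflood_score(flows, victim):
    """Return (total SYNs to victim, SYNs whose client never sent the final ACK).

    A legitimate handshake is S (client) -> SA (server) -> A (client); a SYN
    flood sends the first step only, leaving half-open entries in the backlog.
    """
    syns, acks = Counter(), Counter()
    for f in flows:
        if f.proto != "tcp" or f.dst != victim:
            continue
        key = (f.src, f.sport)
        if f.flags == "S":
            syns[key] += 1
        elif f.flags == "A":
            acks[key] += 1
    total = sum(syns.values())
    half_open = sum(n for key, n in syns.items() if acks[key] == 0)
    return total, half_open


def amplification_sources(flows, victim, svc_port, min_bytes):
    """Return {reflector IP: bytes} for large UDP replies from svc_port to the
    victim that answer no query the victim actually sent (the reflection tell)."""
    queried = {(f.dst, f.dport) for f in flows if f.proto == "udp" and f.src == victim}
    by_reflector = defaultdict(int)
    for f in flows:
        if (f.proto == "udp" and f.dst == victim and f.sport == svc_port
                and f.size >= min_bytes and (f.src, f.sport) not in queried):
            by_reflector[f.src] += f.size
    return dict(by_reflector)


def classify(flows, victim):
    """Apply illustrative thresholds; returns one boolean per attack type."""
    total, half_open = synflood_score(flows, victim)
    dns = amplification_sources(flows, victim, 53, 512)   # >512 B exceeds a classic DNS/UDP answer
    ntp = amplification_sources(flows, victim, 123, 400)  # monlist replies are ~440 B each
    return {
        "syn_flood": total >= 20 and half_open / total > 0.8,
        "dns_amplification": len(dns) >= 5,
        "ntp_amplification": len(ntp) >= 5,
    }


VICTIM = "203.0.113.10"  # constructed victim address


def sample_flows():
    """Constructed traffic: one real client plus the three attacks."""
    flows = [Flow("tcp", "198.51.100.7", 40000, VICTIM, 443, "S"),
             Flow("tcp", VICTIM, 443, "198.51.100.7", 40000, "SA"),
             Flow("tcp", "198.51.100.7", 40000, VICTIM, 443, "A")]
    for i in range(30):                      # SYN flood from 30 spoofed sources
        src = f"192.0.2.{i + 1}"
        flows.append(Flow("tcp", src, 1024 + i, VICTIM, 443, "S"))
        flows.append(Flow("tcp", VICTIM, 443, src, 1024 + i, "SA"))  # answered into the void
    flows.append(Flow("udp", VICTIM, 55555, "198.51.100.200", 53, size=60))   # a real query...
    flows.append(Flow("udp", "198.51.100.200", 53, VICTIM, 55555, size=900))  # ...and its answer
    for i in range(8):                       # DNS amplification: unsolicited 3 KB answers
        flows.append(Flow("udp", f"198.51.100.{100 + i}", 53, VICTIM, 53421, size=3000))
    for i in range(6):                       # NTP monlist: up to 100 packets of ~440 B per reflector
        flows.extend(Flow("udp", f"192.0.2.{200 + i}", 123, VICTIM, 123, size=440) for _ in range(100))
    return flows


if __name__ == "__main__":
    print(classify(sample_flows(), VICTIM))
```

The reflection check matters: a large DNS answer is only suspicious when the victim never sent the matching query, which is why amplification_sources() keeps the legitimate 198.51.100.200 reply out of the result while counting the eight unsolicited ones.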
How to mitigate DDoS attacks
There are a few ways to help protect yourself against DDoS attacks:
- Keep an eye on the inbound traffic hitting your server. The sooner you notice an unusual spike compared to your normal baseline, the sooner you can start investigating.
- Add filters to your router to drop packets from suspicious sources and for protocols your server never uses (a web server has no reason to receive NTP or DNS replies).
- Implement rate limiting so that, if you are attacked, no single source can overwhelm your server on its own.
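The three steps above fit together as a small ingress pipeline. The Python below is an added example, not KeyCDN's code: it applies a source filter, a per-client token-bucket rate limit and a traffic-spike alarm against a rolling baseline to a constructed 70-second request stream. The blocklist range, the limits (10 requests/s with a burst of 20) and the alarm thresholds are assumptions chosen for illustration.

```python
# Added example, not KeyCDN's code: the three mitigation steps above applied to
# a constructed request stream: a source filter, a per-client token-bucket rate
# limit, and a spike alarm against a rolling baseline. Limits are assumptions.
from collections import Counter, deque
import ipaddress


class TokenBucket:
    """Classic token bucket: up to `burst` requests at once, then `rate` per second."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def spike_seconds(timestamps, window=30, factor=5.0, floor=50, warmup=10):
    """Return the seconds whose request count exceeds both `floor` and
    `factor` times the mean of the last `window` normal seconds. Flagged seconds
    are kept out of the baseline so an attack cannot raise its own threshold."""
    per_second = Counter(int(ts) for ts in timestamps)
    if not per_second:
        return []
    baseline = deque(maxlen=window)
    flagged = []
    for sec in range(min(per_second), max(per_second) + 1):
        count = per_second[sec]
        if len(baseline) >= warmup and count > max(floor, factor * sum(baseline) / len(baseline)):
            flagged.append(sec)
        else:
            baseline.append(count)
    return flagged


def process(requests, blocklist, rate=10.0, burst=20):
    """requests: iterable of (timestamp, source IP). Returns allow/drop counters."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    buckets = {}
    stats = {"allowed": 0, "dropped_filter": 0, "dropped_rate": 0}
    for ts, src in sorted(requests):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in nets):        # step 2: router/host filter
            stats["dropped_filter"] += 1
            continue
        if src not in buckets:
            buckets[src] = TokenBucket(rate, burst, ts)
        if buckets[src].allow(ts):                 # step 3: per-source rate limit
            stats["allowed"] += 1
        else:
            stats["dropped_rate"] += 1
    return stats


BLOCKLIST = ["192.0.2.0/24"]  # constructed: a range your own telemetry has flagged


def sample_requests():
    """Constructed 70-second stream: 10 real clients at 1 req/s each, one
    blocklisted host at 1 req/s, and an attacker at 200 req/s during seconds 60-64."""
    reqs = [(sec + i / 10, f"198.51.100.{i + 1}") for sec in range(70) for i in range(10)]
    reqs += [(sec + 0.5, "192.0.2.5") for sec in range(70)]
    reqs += [(60 + k / 200, "198.51.100.99") for k in range(1000)]
    return reqs


if __name__ == "__main__":
    reqs = sample_requests()
    print("spike seconds:", spike_seconds(ts for ts, _ in reqs))   # step 1: watch for the spike
    print("ingress stats:", process(reqs, BLOCKLIST))
```

Two design points carry over to real deployments: the rate limiter is keyed per source, so the ten real clients are never touched while the single attacker is capped at its burst plus refill; and the spike detector excludes flagged seconds from its baseline, otherwise a sustained attack would quietly become the new normal and stop alarming.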
KeyCDN actively mitigates DDoS attacks in the background to help keep our users' websites safe. Our edge servers are continuously monitored to detect and stop any possible attacks.
DDoS attacks are quite prevalent today, and although unpleasant, they are a fact that must be dealt with. Being prepared for a DDoS attack, whether by using a DDoS protection service or by closely monitoring traffic for suspicious activity, is an important step for any site owner.