What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. Almost any online resource can be targeted: servers, devices, facilities, networks, applications and even specific transactions. In simple terms, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from reaching its destination.
How does a DDoS attack work?
To carry out an attack, the attacker first needs control of a network of online machines. Computers and other machines (such as IoT devices) are infected with malware, turning each of them into a bot. The attacker then has remote control over this network of bots, which is known as a botnet.
Once a botnet is established, the attacker can direct the machines remotely by sending instructions to each bot. When the botnet targets a victim's IP address, each bot responds by sending requests to the target, potentially pushing the targeted server or network beyond its capacity and denying service to normal traffic. Because each bot is an otherwise legitimate Internet device, it is difficult to separate the attack traffic from normal traffic.
3 Types of DDoS attacks
- Volume-based attacks use large quantities of fake traffic to saturate the bandwidth of a resource such as a website or server. These include ICMP floods, UDP floods and other spoofed-packet floods. The scale of such an attack is measured in bits per second (bps).
- Protocol or network-layer DDoS attacks send large numbers of packets to the targeted network infrastructure and the equipment that manages it, such as firewalls and load balancers, exhausting their connection state rather than their bandwidth. These attacks include SYN floods and Smurf attacks, and their size is measured in packets per second (pps).
- Application-layer attacks, also known as layer 7 DDoS attacks (in reference to the 7th layer of the OSI model), aim to exhaust the resources of the target. They target the layer where the server generates web pages and delivers them in response to HTTP requests. On the client side, a single HTTP request is cheap to send, but it can be expensive for the target server to answer, since the server often has to load multiple files and run database queries to build a page. Layer 7 attacks are hard to defend against, because the traffic can be hard to flag as malicious.
Whatever the type, every attack's goal is to make online resources slow or completely unresponsive.
DDoS attack symptoms
DDoS attacks can look like many non-malicious issues that cause availability problems, such as a down server or network, too many legitimate requests from legitimate users, or even a cable break. Telling them apart requires analysis of the traffic itself to determine what is actually happening.
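The traffic analysis this section calls for, applied to the three attack types above, can be sketched in code. The following Python is an added example, not code from the original article: it labels one-second windows of constructed packet summaries by comparing each window's bits per second, packets per second, SYN share, UDP share and HTTP request count against a known-good baseline window. The sample capture, the ten-fold threshold and the 80% protocol-share cutoff are assumptions chosen for illustration, not published detection thresholds.

```python
"""Label one-second traffic windows as volumetric, protocol, layer-7 or normal.

Added example with constructed packet summaries; thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: int                  # capture second the packet belongs to
    src: str                 # source IP (spoofed sources count as distinct)
    proto: str               # "TCP", "UDP" or "ICMP"
    length: int              # bytes on the wire
    syn_only: bool = False   # TCP SYN without ACK (half-open handshake)
    http: bool = False       # packet carries an HTTP request


def window_stats(pkts):
    """Per-second counters of the kind a flow collector would emit."""
    by_sec = defaultdict(list)
    for p in pkts:
        by_sec[p.ts].append(p)
    stats = {}
    for ts, ps in sorted(by_sec.items()):
        n = len(ps)
        stats[ts] = {
            "pps": n,
            "bps": 8 * sum(p.length for p in ps),
            "sources": len({p.src for p in ps}),
            "syn_frac": sum(p.syn_only for p in ps) / n,
            "udp_frac": sum(p.proto == "UDP" for p in ps) / n,
            "http_rps": sum(p.http for p in ps),
        }
    return stats


def classify(s, base, factor=10, share=0.8):
    """Compare one window against a baseline window (factor and share are assumptions)."""
    if s["syn_frac"] >= share and s["pps"] > factor * base["pps"]:
        return "protocol"      # many cheap SYNs: state exhaustion, measured in pps
    if s["udp_frac"] >= share and s["bps"] > factor * base["bps"]:
        return "volumetric"    # large UDP payloads: bandwidth saturation, measured in bps
    if s["http_rps"] > factor * max(base["http_rps"], 1):
        return "layer7"        # the request rate jumps while bandwidth stays modest
    if s["pps"] > factor * base["pps"] or s["bps"] > factor * base["bps"]:
        return "anomalous"     # worth a look, but does not fit one signature
    return "normal"


def analyze(pkts, baseline_ts):
    """Map each capture second to a label, relative to the baseline second."""
    stats = window_stats(pkts)
    base = stats[baseline_ts]
    return {ts: classify(s, base) for ts, s in stats.items()}


def sample_capture():
    """Constructed capture: a quiet second, three attack seconds, then a legitimate burst."""
    pkts = []
    # second 0: baseline, 50 ordinary TCP packets from 20 clients, 10 of them HTTP requests
    for i in range(50):
        pkts.append(Pkt(0, f"192.0.2.{i % 20}", "TCP", 600, http=(i % 5 == 0)))
    # second 1: SYN flood, 2000 tiny half-open SYNs from 2000 spoofed sources
    for i in range(2000):
        pkts.append(Pkt(1, f"203.0.{i // 256}.{i % 256}", "TCP", 60, syn_only=True))
    # second 2: UDP flood, 1000 full-size datagrams from 300 sources
    for i in range(1000):
        pkts.append(Pkt(2, f"198.51.100.{i % 250}", "UDP", 1400))
    # second 3: HTTP flood, 500 cheap GETs from 200 bots
    for i in range(500):
        pkts.append(Pkt(3, f"203.0.113.{i % 200}", "TCP", 300, http=True))
    # second 4: legitimate burst, twice the baseline but well under the threshold
    for i in range(100):
        pkts.append(Pkt(4, f"192.0.2.{i % 60}", "TCP", 600, http=(i % 5 == 0)))
    return pkts


if __name__ == "__main__":
    for ts, label in analyze(sample_capture(), baseline_ts=0).items():
        print(ts, label)
```

The point of the last window is the symptom problem described above: a legitimate doubling of traffic looks like the start of an attack until it is compared with a baseline, which is why the classifier measures against a known-good second rather than against fixed absolute numbers.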
What is the process of mitigating a DDoS attack?
The main concern in mitigating a DDoS attack is to differentiate between attack traffic and regular traffic. The hard part is telling real customers apart from the attack. DDoS traffic comes in many forms, ranging from un-spoofed single-source attacks to complex multi-vector attacks that adapt as they run.
The more complicated the attack, the harder it is to distinguish its traffic from regular traffic: the attacker's aim is to blend in as much as possible, making mitigation as ineffective as possible. So let's look at a few ways of mitigating DDoS attacks:
Black Hole Routing
One solution available to almost all network admins is to create a blackhole route and funnel traffic into it. When blackhole filtering is applied without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route (the blackhole) and dropped from the network. If an Internet property is experiencing a DDoS attack, the property's Internet service provider (ISP) may send all of the site's traffic into a blackhole as a defense. This stops the flood from reaching the rest of the network, but it also takes the site completely offline, which is exactly the outcome the attacker wanted.
Rate Limiting
One way of mitigating DDoS attacks is to limit the number of requests a server will accept from a client over a specific time window.
Rate limiting is useful for slowing web scrapers that steal content and for minimizing brute-force login attempts, but on its own it is insufficient against a complex DDoS attack: a large botnet can keep every bot under a per-client limit while the combined request rate still exceeds the server's capacity.
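To make that caveat concrete, here is an added Python example (not code from the article) of a per-client token-bucket limiter run against two constructed scenarios: one source sending 1,000 requests in a second, and 2,000 bots each sending a single request in the same second. The 5 requests/second refill rate, the burst of 10 and the origin capacity of 500 requests/second are illustrative assumptions.

```python
"""Per-client token-bucket rate limiting, and why it is not enough on its own.

Added example; the rate, burst and origin capacity are illustrative assumptions.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client key (here the source IP), created lazily on first sight."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, client, now):
        return self.buckets[client].allow(now)


def run(requests, rate=5, burst=10, capacity=500):
    """requests: sequence of (timestamp, client) spanning one second.

    Returns accepted/rejected counts and whether the accepted load still exceeds
    the origin's per-second capacity (the assumed `capacity`).
    """
    limiter = PerClientLimiter(rate, burst)
    accepted = rejected = 0
    for ts, client in sorted(requests):
        if limiter.allow(client, ts):
            accepted += 1
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected,
            "origin_overloaded": accepted > capacity}


def single_source_flood():
    """Constructed: one IP sends 1000 requests within one second."""
    return [(i / 1000, "198.51.100.7") for i in range(1000)]


def botnet_trickle():
    """Constructed: 2000 distinct bots each send one request within the same second."""
    return [(i / 2000, f"203.0.{i // 256}.{i % 256}") for i in range(2000)]


if __name__ == "__main__":
    print("single source:", run(single_source_flood()))   # a handful accepted, origin fine
    print("botnet:       ", run(botnet_trickle()))        # everything accepted, origin overloaded
```

The single-source flood is cut down to the burst plus the few tokens that refill during the second, so the limiter does its job there. The botnet scenario never trips the limiter at all, because each bot gets a fresh bucket and uses only one token; the origin still receives four times its assumed capacity, which is the weakness the paragraph above describes.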
Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a tool that can help mitigate a layer 7 DDoS attack. Placed between the Internet and the origin server, the WAF acts as a reverse proxy, protecting the targeted server from certain types of malicious traffic.
Layer 7 attacks can be impeded by filtering requests according to a set of rules that identify DDoS tools. A key value of an effective WAF is the ability to deploy custom rules quickly in response to an attack.
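The rule-based filtering described above, as an added Python example that is not part of the original article and not the code of any WAF product: a small reverse-proxy-style filter evaluates each request against a rule list, and a custom rule is added mid-incident to catch a constructed HTTP flood whose requests carry a plausible browser User-Agent but share a uniform shape (always the search endpoint, never a session cookie). The rule names, the header heuristics and the sample traffic are all assumptions for illustration.

```python
"""Rule-based request filtering in front of an origin, with a hot-added custom rule.

Added example; the rules and the sample traffic are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    src: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


@dataclass
class Rule:
    name: str
    matches: object   # callable(Request) -> bool; True means block


def baseline_rules():
    """Heuristics that catch naive flood tools; real deployments tune these per site."""
    scripted = re.compile(r"python-requests|python-urllib|go-http-client", re.I)
    return [
        Rule("no-user-agent", lambda r: not r.header("User-Agent")),
        Rule("scripted-client", lambda r: bool(scripted.search(r.header("User-Agent") or ""))),
        Rule("unsupported-method", lambda r: r.method not in {"GET", "HEAD", "POST"}),
    ]


class Waf:
    def __init__(self, rules):
        self.rules = list(rules)

    def add_rule(self, rule):
        """Custom rules are appended at runtime; evaluation is first match wins."""
        self.rules.append(rule)

    def inspect(self, req):
        """Return the name of the first blocking rule, or None to forward to the origin."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.name
        return None

    def filter(self, reqs):
        forwarded, blocked = [], {}
        for r in reqs:
            hit = self.inspect(r)
            if hit is None:
                forwarded.append(r)
            else:
                blocked[hit] = blocked.get(hit, 0) + 1
        return forwarded, blocked


def sample_traffic():
    """Constructed mix: 30 legitimate browser requests and 300 flood requests."""
    legit = [
        Request(f"192.0.2.{i % 10}", "GET", ["/", "/search?q=shoes", "/about"][i % 3],
                {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
                 "Accept": "text/html", "Cookie": f"session={i}"})
        for i in range(30)
    ]
    # Each bot hits the expensive search endpoint with a fresh query, copies a
    # browser User-Agent so the baseline rules miss it, but never carries a session.
    flood = [
        Request(f"203.0.113.{i % 250}", "GET", f"/search?q={i}",
                {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "Accept": "*/*"})
        for i in range(300)
    ]
    return legit + flood


def incident():
    """Before/after: baseline rules miss the flood; a rule written from its shape stops it."""
    waf = Waf(baseline_rules())
    fwd_before, blk_before = waf.filter(sample_traffic())
    # Ops adds a rule describing what the traffic analysis showed: search without a session.
    waf.add_rule(Rule("search-without-session",
                      lambda r: r.path.startswith("/search") and not r.header("Cookie")))
    fwd_after, blk_after = waf.filter(sample_traffic())
    return {"before": (len(fwd_before), blk_before), "after": (len(fwd_after), blk_after)}


if __name__ == "__main__":
    print(incident())
```

The before/after split is the whole argument for custom rules: the generic signatures forward all 330 requests because the bots look like browsers, while a rule expressing one property of this particular flood blocks the 300 attack requests and still forwards the 30 real ones. The cookie heuristic is deliberately site-specific; on a site where anonymous search is normal it would need a different discriminator, which is why being able to change rules quickly matters more than any fixed rule set.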
Final Thoughts
Mitigating a multi-vector DDoS attack requires a range of strategies to counter the different attack vectors. Mitigation that drops or limits traffic can throw good traffic out with the bad, and an attacker can modify and adapt the attack to circumvent a single countermeasure. A layered defense gives the greatest chance of withstanding a complex attempt at disruption.