Imagine your server gets hit by a catastrophic attack. Your website goes down, the data is lost, and you face a massive revenue loss. A nightmare, isn't it? There are tons of malicious attacks that can hit your system or server. One such attack is a DDoS attack.
It is so powerful and destructive that in a single weekend some of the largest tech companies, Reddit, Twitter and PayPal among them, were badly hit by a DDoS attack. With that much power to take sites down, DDoS protection becomes a necessity.
What is a DDoS attack?
DDoS is an abbreviation for Distributed Denial of Service. It is a cyber attack that completely disrupts the normal functioning of a network service or connection: multiple systems together overwhelm the bandwidth or resources of the targeted system.
It simply bombards the server with a volume of traffic that the server cannot handle. Unfortunately, the strength and power of DDoS attacks are escalating day by day.
Technically, DDoS attacks can target several layers of the OSI (Open Systems Interconnection) model: the Network layer, the Presentation layer, the Transport layer, and the Application layer.
Now that you have a decent grip on what DDoS means, here are the main categories of DDoS attacks.
Categories of DDoS attacks
Volumetric attacks
Volumetric attacks completely saturate the network's bandwidth. An endless number of requests are sent to every open port of the system. The bots overwhelm the network with immense amounts of data, so the network spends its time checking the malicious requests, and afterwards there is no capacity left for any legitimate incoming traffic.
Application layer attacks
The application layer is the top layer of the OSI model, which means it is the layer closest to user interaction with a system. These attacks mainly focus on web traffic and are also considered the most serious kind of attack.
Catching application layer attacks is hard because they target a single machine or a small number of machines. The server cannot tell the difference and treats the attack as a large volume of legitimate traffic.
The usual targets of these attacks are HTTP, HTTPS, SMTP, and DNS.
Protocol attacks
Protocol attacks target the network connections themselves and tear down the processing capability of a network. They hit network infrastructure resources, including servers, load balancers, and even firewalls. That is why you must remember that firewalls alone are not enough to fight a denial of service attack.
These attacks most commonly target the 6th and 7th layers of the OSI model. They send malicious pings or incomplete packets to the system, which overloads its memory buffers and leads to a crash. Now that you understand the categories, here is a list of some common types of DoS attacks.
Common types of DDoS attacks
- SYN Flood
- HTTP Flood
- UDP Flood
- Smurf attack
- Fraggle attack
- Ping of death
- Application Level attacks
- Advanced persistent DoS
- NTP amplification
- Zero-Day DDoS attacks
SYN flood
A SYN flood targets the TCP connection sequence known as the three-way handshake. In this process, the host machine receives a SYN (synchronize) message that initiates a handshake, that is, the establishment of a connection.
The server then sends an acknowledgement back to the first host to confirm that the message was received, and the handshake is completed. In a SYN flood, the server is bombarded with malicious SYN messages whose handshakes are never completed, so the connections are never released. This, in turn, shuts down the entire service.
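As an added example (not code from the original article), the following tracker shows how a defender can spot the pattern described above: a source that opens handshakes it never completes. All traffic events below are constructed sample data; the IP addresses are documentation ranges.

```python
# Added example: count half-open TCP handshakes per source from a stream of
# client-side TCP events and flag sources over a threshold. Sample data only.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    ts: float      # seconds since capture start
    src: str       # client address
    sport: int     # client port
    dst: str       # server address
    dport: int     # server port
    flags: str     # "SYN" (handshake starts) or "ACK" (handshake completes)


def half_open_per_source(events):
    """Return {client_ip: number of handshakes started but never completed}.

    A connection is half-open from the client's SYN until the client's final
    ACK arrives. In a SYN flood that ACK never comes, so the count grows.
    """
    pending = {}   # (src, sport, dst, dport) -> timestamp of the SYN
    for ev in events:
        key = (ev.src, ev.sport, ev.dst, ev.dport)
        if ev.flags == "SYN":
            pending[key] = ev.ts
        elif ev.flags == "ACK":
            pending.pop(key, None)   # third step of the handshake seen
    counts = defaultdict(int)
    for (src, _sport, _dst, _dport) in pending:
        counts[src] += 1
    return dict(counts)


def syn_flood_suspects(events, threshold=50):
    """Sources holding at least `threshold` half-open connections."""
    return sorted(src for src, n in half_open_per_source(events).items() if n >= threshold)


def _constructed_events():
    """Constructed sample: one honest client, one flooder, same web server."""
    events = []
    for i in range(3):   # honest client 192.0.2.10 completes three handshakes
        events.append(TcpEvent(i * 1.0, "192.0.2.10", 40000 + i, "198.51.100.5", 443, "SYN"))
        events.append(TcpEvent(i * 1.0 + 0.1, "192.0.2.10", 40000 + i, "198.51.100.5", 443, "ACK"))
    for i in range(100):  # flooder 203.0.113.9 sends 100 SYNs and never finishes any
        events.append(TcpEvent(5.0 + i * 0.01, "203.0.113.9", 50000 + i, "198.51.100.5", 443, "SYN"))
    return events


SAMPLE_EVENTS = _constructed_events()
```

Feeding `SAMPLE_EVENTS` to `syn_flood_suspects` returns only the flooder; the honest client leaves nothing pending.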
HTTP flood
An HTTP flood uses malicious GET or POST requests to overwhelm web applications or servers. These are volumetric attacks. They may be launched from a botnet, also called a zombie army: a set of Internet-connected systems infected with malware (a Trojan horse) and under the control of the attackers.
These attacks target Layer 7 of the OSI model. They use neither reflection techniques nor spoofing, and they need much less bandwidth to bring a system down.
Hence, detecting HTTP flood attacks is difficult.
UDP flood
A UDP (User Datagram Protocol) flood is a kind of DDoS attack that sends a huge number of UDP packets to the targeted server. It disables the system and disrupts its functioning.
If you have a firewall, the chances are that it will not help: the excessive UDP flooding exhausts the firewall, which in the end fails to handle any legitimate traffic you may receive.
Smurf attack
A Smurf attack targets the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP) using a program named smurf. It sends many requests carrying the spoofed IP address of the target system (or of more than one system) to other networks, which then amplify the initial attack traffic against the target.
ICMP packets hold a vital place in the network. The ping application, used to test networked hardware devices, relies on ICMP packets for that task. A ping tells you whether a device is operational and measures the time a message takes from the source to the target and back.
Additionally, ICMP has no handshake, so incoming requests cannot be verified for legitimacy.
For your clarity, take this scenario into consideration.
A person calls the manager and claims to be the CEO. He asks the manager to deliver every detail of the office to his secretary, and gives the phone number of the targeted victim. That victim then receives endless calls and cannot cope with such a vast number of them. This attack works the same way.
Fraggle attack
The Fraggle attack is almost the same as the Smurf attack. A UDP broadcast address is bombarded with packets carrying spoofed IP addresses so that the replies are delivered to the targeted system. In the attack, the router generates junk traffic, leading to network overload.
This attack is considered rare, but you must stay prepared.
Ping Of Death
A ping of death attack sends malicious pings to several networks. The aim is to send malicious packets whose size exceeds what the target system can handle, which leads to the freezing or crashing of the system.
You should know that ICMP flood attacks are more frequent nowadays.
An ICMP ping is usually used to test or check a network connection. Some packets are small, whereas IPv4 packets are extremely large. Furthermore, some TCP/IP systems cannot handle packets larger than the maximum value; they are simply vulnerable to large packets.
When a malicious packet is sent toward the target, it is divided into multiple fragments, each smaller than the maximum limit. As soon as the target system tries to reassemble the fragments, the total size exceeds the maximum limit, and the system crashes or freezes.
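The reassembly problem above can be checked before any buffer is allocated. The following is an added example, not code from the article: it computes the size a set of IPv4 fragments would reassemble to and rejects it when it exceeds the 65535-byte limit of the IPv4 total-length field. Fragment lists are constructed; fragment offsets are in 8-byte units as in the IPv4 header.

```python
# Added example: defensive check for oversized IPv4 fragment reassembly.
# An IPv4 datagram is at most 65535 bytes (16-bit total length, header included).
IPV4_MAX_DATAGRAM = 65535
IPV4_HEADER_LEN = 20   # assumption: header without options, for simplicity


def reassembled_size(fragments):
    """fragments: iterable of (offset_in_8_byte_units, payload_len, more_fragments).

    Returns the datagram size the fragments would reassemble to: the header plus
    the furthest byte any fragment reaches (offset * 8 + its payload length).
    """
    end = 0
    for offset, length, _more in fragments:
        end = max(end, offset * 8 + length)
    return IPV4_HEADER_LEN + end


def is_oversized(fragments):
    """True when reassembly would exceed IPV4_MAX_DATAGRAM: drop, don't buffer."""
    return reassembled_size(fragments) > IPV4_MAX_DATAGRAM


def constructed_normal_ping():
    """Constructed: a 3000-byte ICMP payload split for a 1500-byte MTU path."""
    return [(0, 1480, True), (185, 1480, True), (370, 40, False)]


def constructed_ping_of_death():
    """Constructed: fragments that each fit but whose offsets run past the limit.

    44 fragments of 1480 bytes cover 65120 bytes; the last one starts at
    offset 8140 (65120 bytes) and adds 400 more, so reassembly needs 65540.
    """
    frags = [(i * 185, 1480, True) for i in range(44)]
    frags.append((8140, 400, False))
    return frags
```

A reassembly routine that checks `is_oversized` on each arriving fragment can discard the whole datagram as soon as any fragment's offset plus length crosses the limit, instead of after the final fragment.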
Application level attacks
Application-level attacks do not target an entire system but specific applications with known weaknesses or vulnerabilities. As a result, the application can no longer serve its customers.
The application most frequently hit is a web server, but any application can come under attack. This kind of DDoS attack needs an intelligent implementation, often with the help of Internet of Things devices, and it cannot be spoofed.
In 2013, application layer attacks constituted 20% of DDoS attacks, and even today they show no sign of slowing down.
Slowloris (low and slow attacks)
Slowloris is another DDoS attack that disrupts the target by opening multiple HTTP connections to a targeted web server and keeping them open. It generally uses very little bandwidth. The objective is to tie up the server's resources with requests that are slow but look like regular traffic. These attacks are also known as low and slow attacks.
The target server has a limited number of threads to handle concurrent connections. Each of these threads waits for its slow request to finish, which never happens. Eventually the maximum number of connections is reached, and no further connections are accepted. This results in a denial of service.
Hence, Slowloris has the ability to bring down a system with very little bandwidth consumption.
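Because the attack sends almost no data, byte counts do not reveal it; what stands out is the number of connections per client that never finish their request headers. The following is an added example (not the article's code) of that check over constructed connection records; the header timeout and per-client limit are assumed values.

```python
# Added example: flag clients holding many HTTP connections whose request
# headers are still incomplete after a timeout (the low-and-slow pattern).
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpConn:
    client: str
    opened_at: float      # seconds since server start
    headers_done: bool    # True once the blank line ending the headers arrived


def stalled_connections(conns, now, header_timeout=10.0):
    """Connections still waiting for complete headers after header_timeout."""
    return [c for c in conns
            if not c.headers_done and now - c.opened_at > header_timeout]


def slowloris_suspects(conns, now, header_timeout=10.0, max_stalled=20):
    """Return {client_ip: stalled count} for clients at or over max_stalled."""
    per_client = Counter(c.client for c in stalled_connections(conns, now, header_timeout))
    return {ip: n for ip, n in per_client.items() if n >= max_stalled}


def _constructed_conns():
    """Constructed sample at now=60s: a browser, a slow mobile user, an attacker."""
    conns = [HttpConn("192.0.2.10", 1.0 + i, True) for i in range(4)]  # finished requests
    conns.append(HttpConn("192.0.2.10", 55.0, False))    # new request, still within timeout
    conns += [HttpConn("192.0.2.77", 0.0, False) for _ in range(2)]    # slow but harmless
    conns += [HttpConn("203.0.113.7", 0.0, False) for _ in range(150)]  # never completes
    return conns


SAMPLE_CONNS = _constructed_conns()
```

Dropping a client's stalled connections once it crosses `max_stalled` frees the worker threads the text describes as stuck waiting.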
Advanced Persistent DoS
APDoS is considered a very serious attack. It is a sophisticated attack that tends to last for several days, and the attackers cause a lot of damage. It mixes a wide variety of attack styles, such as HTTP flooding and SYN flooding. These attacks often target vendors that handle billions of requests each second.
One of the major reasons it persists so long is the attackers' ability to switch between many tactics, change their methods, and slip past the security systems.
NTP amplification
NTP amplification is a reflection-based volumetric DDoS attack. The attacker exploits Network Time Protocol server functionality to escalate the UDP traffic sent to the targeted server.
Here is a brief outline of NTP amplification:
- A botnet sends UDP packets with spoofed source IPs to NTP servers. The spoofed source is the real IP address of the target.
- Each UDP packet makes a request to the NTP server.
- The responses go to the target's IP address, and the whole system faces immense traffic that eventually results in DoS.
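From the target's side, reflected NTP traffic looks like UDP replies from port 123 that the target never asked for. The following is an added example (not part of the article) that pairs inbound NTP replies with recent outbound requests and reports the unsolicited ones and their reflectors. Flow records are constructed; the matching window and packet sizes are assumptions.

```python
# Added example: detect reflected NTP replies at the victim. A reply from
# UDP port 123 is legitimate only if this host sent a request to that server
# shortly before; everything else is reflection traffic.
from collections import defaultdict

NTP_PORT = 123


def unsolicited_ntp_replies(flows, window=5.0):
    """flows: list of dicts {ts, direction ('out'|'in'), peer, sport, dport, bytes}.

    Returns (unsolicited_replies, reflector_ips, unsolicited_bytes).
    """
    outstanding = defaultdict(list)   # ntp server ip -> timestamps of our requests
    unsolicited, total_bytes = [], 0
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["direction"] == "out" and f["dport"] == NTP_PORT:
            outstanding[f["peer"]].append(f["ts"])
        elif f["direction"] == "in" and f["sport"] == NTP_PORT:
            recent = [t for t in outstanding[f["peer"]] if 0 <= f["ts"] - t <= window]
            if recent:
                outstanding[f["peer"]].remove(recent[0])   # consume one matching request
            else:
                unsolicited.append(f)
                total_bytes += f["bytes"]
    reflectors = sorted({f["peer"] for f in unsolicited})
    return unsolicited, reflectors, total_bytes


def _constructed_flows():
    """Constructed: one real NTP exchange, then 5 reflectors sending 40 replies each."""
    flows = [
        {"ts": 0.0, "direction": "out", "peer": "192.0.2.123", "sport": 40001, "dport": 123, "bytes": 48},
        {"ts": 0.05, "direction": "in", "peer": "192.0.2.123", "sport": 123, "dport": 40001, "bytes": 48},
    ]
    for r in range(5):
        for i in range(40):
            flows.append({"ts": 10.0 + i * 0.01, "direction": "in",
                          "peer": f"198.51.100.{r + 1}", "sport": 123, "dport": 80, "bytes": 440})
    return flows


SAMPLE_FLOWS = _constructed_flows()
```

The reflector list is what you hand to an upstream provider for filtering; the reflectors are not the attacker, only servers answering spoofed requests.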
Zero-Day DDoS attacks
A zero-day attack is also known as a zero-minute attack. It uses a vulnerability that the victim is unaware of; the name comes from the number of days the victim has been aware of the problem.
When a zero-day vulnerability is fixed, the fix is termed a software patch. There are several markets, legal or even illegal, for these attacks.
To carry out these attacks, the attackers gain access to a server running software with a 0-day vulnerability. After this step, that server becomes a sweet spot for launching such attacks.
For clarity, consider this example: suppose you left your house unlocked and are unaware of it. A thief discovers this vulnerability, enters the house, and steals belongings kept in a storage box that you might not open regularly for a long time. The theft goes unnoticed until one day you open the storage box and discover it. By then the thief is long gone, and there is little you can do about it.
Now that you have a decent grasp of the different kinds of DDoS attacks, here are the methods that can help you prevent them.
How to prevent DDoS attacks? [DDoS protection]
If you run your own servers, you must be acquainted with the process of identifying an attack.
The earlier you detect a DDoS attack, the earlier you can start eradicating it. Acting as soon as you detect it means much less damage or loss than when the attack remains untraced for a long period of time.
To achieve this, you must be familiar with the kind of inbound traffic your server receives, so that you know what normal traffic looks like and how frequent it is. Once you have this profile, you can detect the changes that occur when an attack takes place.
As you now know, most DDoS attacks result in higher volumes of traffic, so be cautious and get prepared if you see a spike in traffic. Additionally, you can make an employee of your company responsible for a DDoS mitigation strategy.
A sudden surge in traffic completely saturates and exhausts your bandwidth.
You can provision more bandwidth than you need for such unprecedented times. The catch is that it may not stop a DDoS attack, but it gives you additional time to prepare and act before the systems are completely exhausted. Make these changes in the network parameters:
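The traffic profile described above, and the HTTP flood it is meant to catch, can be built from ordinary web server logs. The following is an added example, not code from the article: it derives a per-minute baseline from logs of a known-normal period, flags minutes that exceed it, and lists the sources dominating those minutes. All log lines are constructed in Common Log Format; the spike factor `k` is an assumed setting.

```python
# Added example: per-minute request baseline from normal logs, then spike
# detection with top talkers, so an HTTP flood shows up as both a spike
# and a short list of sources. Log lines are constructed sample data.
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# CLF prefix: client ip, then the timestamp truncated to the minute, then the method
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\] "(\S+) ')


def requests_per_minute(lines):
    """Return (Counter minute->requests, dict minute->Counter of client ips)."""
    per_min, sources = Counter(), defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that do not parse
        ip, minute, _method = m.groups()
        per_min[minute] += 1
        sources[minute][ip] += 1
    return per_min, sources


def baseline(normal_lines):
    """Mean and population stdev of requests per minute over a normal period."""
    counts = list(requests_per_minute(normal_lines)[0].values())
    return mean(counts), pstdev(counts)


def flood_minutes(lines, base_mean, base_std, k=5.0, top=3):
    """Minutes above mean + k*stdev, each with its `top` most active client ips."""
    per_min, sources = requests_per_minute(lines)
    limit = base_mean + k * base_std
    return {m: sources[m].most_common(top) for m, n in per_min.items() if n > limit}


def _lines(minute, per_ip):
    """Constructed CLF lines: per_ip maps client ip -> requests in that minute."""
    return [f'{ip} - - [10/Oct/2023:10:{minute:02d}:00 +0000] "GET / HTTP/1.1" 200 512'
            for ip, n in per_ip.items() for _ in range(n)]


# Normal hour: 20 to 30 requests per minute from two regular clients.
NORMAL_HOUR = [l for i in range(60) for l in _lines(i, {"192.0.2.1": 10, "192.0.2.2": 10 + i % 11})]
# Attack hour: three quiet minutes, then two new sources adding 700 requests in one minute.
ATTACK_HOUR = [l for i in range(3) for l in _lines(i, {"192.0.2.1": 10, "192.0.2.2": 15})] + \
    _lines(3, {"192.0.2.1": 10, "192.0.2.2": 15, "203.0.113.50": 400, "203.0.113.51": 300})
```

Running `flood_minutes(ATTACK_HOUR, *baseline(NORMAL_HOUR))` flags only minute 10:03 and puts the two new sources at the head of its talker list.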
If you own your web server, there are a few steps that can help you reduce the intensity of the attack at its very onset:
- Add filters so that the router knows when to drop packets from a probable attacker
- Do not accept malformed packets
- Rate limit the router so that the web server does not get flooded with traffic
- Set lower drop thresholds for SYN, UDP, and ICMP floods
As a matter of fact, DDoS attacks are extremely large and powerful. These steps might buy you some additional time but do not guarantee foolproof protection.
Contact your hosting provider or ISP
If you own a web server, call your ISP; otherwise, call your hosting provider. With a hosting provider, the situation can be easier to deal with, because providers have a fully-fledged team to tackle such attacks. They might already know that you are under attack and have started working on it.
They also have much larger bandwidth and much higher-capacity routers to deal with these attacks, and they try to keep the excessive DDoS traffic away from your corporate LAN. This precaution is usually taken so that at least that part of your system, such as email, does not get hit during an attack.
DDoS mitigation expert
For better protection, you can contract a DDoS mitigation company to monitor your servers. Such companies have a huge infrastructure, for instance data scrubbing and other technologies, specially dedicated to keeping you online during an attack.
These services are, of course, not free. In the end, it is your call whether to pay them to restore your services or let the attack die down by itself.
Make your infrastructure redundant
You can distribute your servers across various data centres behind a good load balancing system. The data centres can be situated in different places or even in different countries.
In this scenario, make sure that all the data centres are connected to different networks. If the servers are placed in different parts of the country or the world, it becomes tough for the attacker to hit more than part of them.
This spares the other parts of the server fleet, which may even be able to handle the distributed traffic.
Check your network hardware
There are certain checks that you can consider with your network hardware.
- Configure the router or a firewall so that the ICMP packets can be dropped
- Block the DNS responses by blocking UDP port 53
- Protect the DNS servers
DNS servers are central to handling DDoS attacks: a direct attack on the DNS servers can shut the whole system down. As a result, it becomes necessary to keep redundancy in your servers.
You can also opt for a cloud-based DNS provider. They offer much higher bandwidth, along with several points of presence in data centres. That way, your data stays redundant and will not suffer much havoc from an attack.
Protect your server with network firewalls and implement load balancers. Nowadays, many hardware vendors offer software protection against DDoS attacks; it generally monitors disrupted connections and removes them once their number reaches a designated threshold. Several software modules are also provided to protect systems from attacks.
DDoS protection appliances
Multiple vendors provide specific protection appliances made to monitor the firewalls and stop DDoS attacks. They carry out several techniques, such as blocking abnormal traffic, among others.
However, such appliances are limited in the traffic throughput they can handle, and the attacks are often much larger in magnitude.
This article gave you a detailed analysis of DDoS attacks, the kinds of DDoS attacks, and how to prevent them. We hope the concept is clear to you and that any ambiguities are resolved.