One of the most common cyber security challenges for all businesses in the current environment is coping with distributed denial of service (DDoS) attacks. Since the Mirai attack gained major public attention in 2016 by knocking out services to many of the world's biggest websites, there has been increasing awareness of just how big a problem this can be.
Indeed, recent figures suggest the risk is only growing. DDoS attacks have increased by 84% since the start of Q4 2018. The typical business now has to fend off an average of eight attack attempts per day.
DDoS is becoming a growing threat
DDoS attacks work by flooding a server with huge numbers of requests that overload its capacity to serve them. The result is that legitimate traffic is unable to connect and the server is, for all intents and purposes, knocked offline. It's a fairly straightforward method of attack, and one that can be carried out without great technical knowledge - you can even buy DDoS-as-a-service kits on the dark web that will do the work for you. But the impact can be devastating.
In the past, DDoS attacks may have been regarded as more of a nuisance than a serious threat to businesses, but this is no longer the case. This is in large part due to the huge proliferation of easily hackable Internet of Things devices, which make it easy to assemble a large botnet and flood targeted sites with traffic. As a result, attacks can be bigger and last longer than ever before, meaning even the largest businesses are at risk.
However, such attacks remain relatively simple to launch and can be very difficult to stop, which means businesses must build specific DDoS precautions into their security strategy.
3 types of DDoS attacks and how they work
While DDoS attacks follow a general pattern, there are a few key types of threat that businesses should be aware of. Although the general principles of how they operate will remain the same, some tactics are harder to spot and counter than others.
By knowing what to look out for, you stand the best chance of successfully defending your network from DDoS attacks. Here are three of the most common:
1. Volumetric attacks
The most familiar type of DDoS, these attacks aim to overwhelm a server by flooding it with false requests for data, so the entirety of its bandwidth is clogged up with these requests, meaning legitimate users can't get through.
Within this category there are two key subtypes of attack. The first is the User Datagram Protocol (UDP) flood, which exploits the fact that UDP simply transmits data without establishing a connection or verifying it, so the target has to process every packet it receives. According to Verisign, this type of attack accounts for more than half of all DDoS incidents, as it’s easy to set up and execute quickly.
The second is the Internet Control Message Protocol (ICMP) flood, which bombards the targeted device with ICMP echo-request (ping) packets. Both have the effect of making the target inaccessible to normal traffic, effectively taking it offline.
2. Application-layer attacks
The second most common type of DDoS attack, the application-layer attack, is increasing in popularity. It targets the topmost layer of the OSI model, the layer closest to the end user.
Because they operate at the application layer, these attacks mimic human behavior, meaning they can be much harder to detect than other forms of DDoS threat. What's more, as these attacks can be launched from a single machine, they often go undetected by DDoS prevention systems that are primarily looking for volumetric attacks, since they can appear to be nothing more than a higher-than-normal volume of legitimate traffic.
Therefore, different methods of mitigation are required. For instance, CAPTCHA tests can be used to weed out bots by verifying whether the traffic is truly legitimate, while a web application firewall and an IP reputation database can also be beneficial.
3. Protocol attacks
Finally, protocol attacks target lower layers of the stack and work by exhausting the connection tables in the parts of the network that track and verify new connections.
The most common type of protocol attack is a SYN flood, which sends the target a large number of TCP 'Initial Connection Request' SYN packets with spoofed source IP addresses. The targeted server acknowledges each of these requests and then waits for the final 'handshake' confirmation from the requesting host - which never arrives, because the spoofed source never sent the request in the first place. The resources of the target server are therefore quickly tied up awaiting confirmations that’ll never come, preventing their use for legitimate requests.
How to mitigate DDoS attacks
DDoS attacks are a constant threat to businesses, and by not mitigating these attacks, you risk shutting down your whole website. Now that you understand how DDoS attacks work, it's vital to discuss how to reduce them. So what techniques or tools are available at your disposal?
1. Think about your architecture
A resilient network architecture can help mitigate many of the risks of a DDoS attack. For instance, ensuring your key servers are spread geographically across different data centers can go a long way to limiting the impact. These data centers should also sit on different networks and have diverse paths to them. Ensuring there are no bottlenecks that can act as a single point of failure, such as relying on a single connection to the outside internet, is also essential.
2. Make sure you can monitor your network
Early detection is one of the first lines of defense against a DDoS attack. The sooner you can spot an incoming attack, the better your chances are of shutting it down before it has an impact. This requires close monitoring of your servers and familiarizing yourself with what your typical traffic profile looks like.
This helps to spot any unusual activity that can be an early indicator of an attack. If you aren't able to tell the difference between the early stages of a DDoS incident and a legitimate spike in traffic, you won't be able to block it until it's too late.
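The baseline comparison described above, together with the SYN flood mechanism from the protocol-attack section, as an added example (not code from the original article): a small Python detector that takes one minute of connection-log lines, compares the counts with an assumed baseline traffic profile, and labels the minute as a SYN flood (many SYNs that never complete the handshake), a UDP flood, an application-layer flood (a few sources each far above normal), a legitimate spike (many sources behaving normally), or normal. The log format, baseline figures, thresholds and sample traffic are all constructed assumptions.

```python
from collections import Counter

# Constructed one-minute baseline for the monitored server and the thresholds that
# turn "above baseline" into an alert (all assumptions, not figures from the article).
BASELINE = {"syn": 200, "udp": 50, "http": 400, "req_per_src": 5}
FACTOR = 5            # this many times the baseline is treated as abnormal
HALF_OPEN_MAX = 0.5   # share of SYNs never reaching ESTABLISHED before we call a SYN flood

def parse(log_lines):
    """Parse constructed log lines of the form '<proto> <src_ip> <event>'."""
    return [tuple(line.split()) for line in log_lines]

def classify(log_lines):
    """Label one minute of traffic by comparing it with the baseline profile."""
    ev = parse(log_lines)
    syn = sum(1 for p, _, e in ev if p == "tcp" and e == "SYN")
    done = sum(1 for p, _, e in ev if p == "tcp" and e == "ESTABLISHED")
    udp = sum(1 for p, _, _ in ev if p == "udp")
    per_src = Counter(s for p, s, e in ev if p == "http" and e == "GET")
    http = sum(per_src.values())
    half_open = (syn - done) / syn if syn else 0.0   # SYNs whose handshake never finished
    if syn > FACTOR * BASELINE["syn"] and half_open > HALF_OPEN_MAX:
        return "syn_flood"                 # protocol attack: handshakes never complete
    if udp > FACTOR * BASELINE["udp"]:
        return "udp_flood"                 # volumetric attack: raw packet volume
    if http > FACTOR * BASELINE["http"]:
        if max(per_src.values()) > FACTOR * BASELINE["req_per_src"]:
            return "application_layer_flood"   # few sources, each far above normal
        return "legitimate_spike"          # many sources, normal per-source behaviour
    return "normal"

def make_lines(proto, event, count, n_src, net="10.0.0"):
    """Build `count` constructed log lines spread over `n_src` source IPs."""
    return [f"{proto} {net}.{i % n_src} {event}" for i in range(count)]

# Constructed sample minutes for each scenario (sample data, not real traffic).
SAMPLES = {
    "normal": make_lines("tcp", "SYN", 150, 50) + make_lines("tcp", "ESTABLISHED", 145, 50)
              + make_lines("http", "GET", 300, 50),
    "syn_flood": make_lines("tcp", "SYN", 3000, 250, "203.0.113")   # spoofed sources
                 + make_lines("tcp", "ESTABLISHED", 100, 50),
    "udp_flood": make_lines("udp", "DATA", 2000, 200, "198.51.100"),
    "app_layer": make_lines("http", "GET", 3000, 3, "203.0.113")    # three very busy sources
                 + make_lines("tcp", "SYN", 300, 3, "203.0.113")
                 + make_lines("tcp", "ESTABLISHED", 300, 3, "203.0.113"),
    "legit_spike": make_lines("http", "GET", 2500, 250) + make_lines("tcp", "SYN", 900, 250)
                   + make_lines("tcp", "ESTABLISHED", 880, 250),
}
```

Run `classify(SAMPLES[name])` for each sample to see the labels; in practice the baseline and thresholds would be derived from your own measured traffic profile rather than the constructed figures here.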
3. Deploy the right hardware
Using the right hardware is another way of defending against DDoS attacks, especially the more common types. Tools such as network firewalls, web application firewalls, and load balancers can defend against issues such as layer 4 attacks and application-layer attacks.
If businesses are facing SYN flood attacks, most modern hardware tools should also have settings that allow you to drop half-open TCP connections once they exceed a set threshold. While they may not be able to completely block DDoS traffic, they can help mitigate the worst of the impact and ensure that your business is able to keep operating through an attack.
4. Be prepared for traffic spikes
One of the most effective ways of combating a DDoS attack is to ensure there are enough resources available to absorb the impact of the additional traffic. Being able to scale up the amount of bandwidth you have for your server means that you may be able to simply outpace the DDoS traffic and keep resources open for legitimate traffic.
However, as there is a continuing arms race between hackers and security professionals, and the size and scale of DDoS attacks continue to increase, this can only do so much to defend against the biggest attacks. It can be very effective against smaller-scale incidents, but you may still be overwhelmed by a larger, more determined attack.
5. Don't go it alone
Ultimately, many businesses may find they need expert help when it comes to protecting their operations against the threats posed by DDoS. Your ISP is often the best place to start, as they should be able to offer mitigation services that can help blunt the impact of a DDoS attack. Indeed, research by Corero found 85% of IT pros want their service provider to take more responsibility when it comes to defeating DDoS attacks.
There are also specialist DDoS mitigation providers you can turn to in order to help handle attacks. These companies can assist with activities such as rerouting traffic via a mitigation center so malicious connection attempts can be filtered out, setting up new IP addresses for your systems and maintaining separate email servers so you can maintain key functionality throughout an attack. These can be invaluable for smaller businesses that may not have the resources to defend against DDoS on their own.