DDOS stands for Distributed Denial-Of-Service. It’s a type of cybercrime where one or several parties try to interrupt traffic to a server or website. In order to be effective, they don’t just use one computer to attack, but often a whole network of them.
These aren’t just the attacker’s own machines, though – there are kinds of malware and viruses that can infect a normal user’s computer and turn it into part of the attack. Even IoT devices aren’t safe – if you have a smart device in your home, it could theoretically be used for such an attack.
How does it work?
The simplest way to explain DDOS attacks is to compare them to traffic jams. Normal traffic flow is interrupted because dozens (or hundreds, thousands, etc.) of unexpected cars merge onto the main road without letting other cars go.
The emerging jam prevents normal drivers from getting to their goal – in a DDOS event, that would be the server or website they are looking for.
There are different types of attack that target different elements of the normal client-server communication.
Application Layer Attacks try to exhaust the resources of the target by forcing it to repeatedly load files or run database queries – this slows down the site and can, in extreme cases, cause issues with the server by overheating it or driving up power use. These attacks are difficult to defend against because they are difficult to spot – it’s not easy to say whether a spike in usage is because of an increase in genuine traffic or a malicious attack.
HTTP Flood Attacks are done by essentially refreshing a browser page over and over – except millions of times. This flood of requests to a server will often result in it being overwhelmed and not responding to (genuine) requests anymore. Defenses include having backup servers, and enough capacity to handle request overflows. For example, such an attack would almost definitely not work against Facebook because their infrastructure is so strong that it can handle attacks like it.
Protocol Attacks try to exhaust a server by consuming all of the capacity that components such as web applications have – for example, by repeating requests to one element of a site or service. Doing so causes the web application to stop responding. Often, filters are used that block repeated requests from the same IP addresses in order to keep out attacks and keep the service running for normal users.
SYN Flood Attacks are done, in essence, by repeatedly asking the server to fetch an element, and then not confirming receipt of it. This means the server holds on to the elements and waits for the receipt that never comes – until it eventually can’t hold any more and starts dropping them to pick up more.
Volumetric Attacks try to artificially create congestion by specifically occupying all the bandwidth that a server has. This is similar to HTTP Flood attacks except that instead of repeated requests, data is sent to the server, thus keeping it too busy to respond to normal traffic. Botnets are usually used to carry out these attacks – they also often use DNS amplification.
Tip: DNS amplification works like a megaphone – a smaller request or data packet is presented as being much bigger than it is. It could be the attacker requesting everything a server has to offer, and then asking it to repeat everything the attacker asked for – a relatively small and simple request ends up taking up a lot of resources.
How to defend against DDOS attacks?
The first step to dealing with these attacks is to make sure that they are really happening. Spotting them isn’t always easy, as traffic spikes can be normal behaviour due to time zones, news releases and more. In order to get their attacks to work, DDOS attackers try to hide their behaviour in normal traffic as much as possible.
Other routines to mitigate DDOS attacks are black holes, rate limiting and firewalls. Black holes are a pretty extreme measure – they don’t try to separate genuine traffic from an attack, but rather redirect every request away from the server and then drop it. This can be done in preparation for an expected attack, for example.
Rate limiting is a little less rough on the users – it sets an artificial limit for how many requests a server will accept. This limit is enough to let normal traffic pass through, but requests beyond it are automatically redirected and dropped – this way, the server can’t be overwhelmed. It’s also an effective way to stop brute force password cracking attempts – after, say, five attempts, the IP address making them is simply locked out.
Firewalls aren’t just useful for protection on your own computer, but also on the server side of web traffic. Web application firewalls in particular are set up between the Internet and a server – they protect against several different types of attacks. Good firewalls are also able to quickly set up custom responses to attacks as they happen.
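As an added illustration (example code, not from the article), here is a per-IP sliding-window rate limiter in Python that drops requests over a limit and locks out an IP after five login attempts, replayed over constructed traffic. The IP addresses, paths and thresholds are made up for the demonstration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Per-IP sliding-window rate limiter (example code, not from the article).
    Allows at most `limit` requests from one IP in any `window`-second span;
    requests beyond that are dropped rather than queued. A separate lockout
    drops every request from an IP once it has made `lockout_after` login
    attempts, mirroring the brute-force defence described in the text."""

    def __init__(self, limit=10, window=10.0, lockout_after=5):
        self.limit = limit
        self.window = window
        self.lockout_after = lockout_after
        self.hits = defaultdict(deque)        # ip -> timestamps of accepted requests
        self.login_attempts = defaultdict(int)
        self.locked = set()

    def allow(self, ts, ip, path):
        """Return True if the request may reach the server, False if it is dropped."""
        if ip in self.locked:
            return False
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                        # over the per-window limit: drop
        q.append(ts)
        if path == "/login":
            self.login_attempts[ip] += 1
            if self.login_attempts[ip] >= self.lockout_after:
                self.locked.add(ip)             # this attempt passes, later ones don't
        return True

# Constructed traffic (timestamp_seconds, client_ip, path); not real log data.
SAMPLE_REQUESTS = (
    [(t * 2.0, "198.51.100.2", "/") for t in range(5)]            # 5 requests over 8 s
    + [(1.0 + i * 0.1, "203.0.113.7", "/") for i in range(30)]    # 30 requests in 3 s
    + [(20.0 + i, "203.0.113.9", "/login") for i in range(7)]     # 7 login attempts
)

def run(requests, limiter=None):
    """Replay requests in timestamp order; return {ip: (allowed, dropped)}."""
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, ip, path in sorted(requests):
        stats[ip][0 if limiter.allow(ts, ip, path) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

if __name__ == "__main__":
    for ip, (ok, dropped) in run(SAMPLE_REQUESTS).items():
        print(f"{ip}: allowed={ok} dropped={dropped}")
```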
Tip: If you are looking to protect your site or server from some sort of DDOS attack, you’ll want an arrangement of different solutions (most likely including a firewall). The best way to go about this would be to consult a cybersecurity consultant and have them come up with a custom plan suited to your needs. There is no one-size-fits-all solution!