It’s frustrating when you can’t access a website. Tickets go on sale for the must-go-to festival or Black Friday brings a deal that is too good to miss. The volume of traffic, from legitimate would-be customers trying to buy what is on offer, overwhelms the site. A good website hosting provider will help with this, but what happens when the high level of traffic is created not by legitimate customers, but by ‘bad actors’? What happens when the traffic is generated not by one rogue computer, but by a coordinated, distributed network attack? Welcome to the increasingly common event that is a Distributed Denial of Service, or DDoS, attack.
What Is a DDoS Attack?
DDoS is short for distributed denial of service. A DDoS attack occurs when a bad actor uses resources from multiple, remote locations, to attack the online operations of a business or organisation. Often, the multiple devices that are used for the attack (known as a Botnet) have been infected with malware and are participating without the knowledge of their operator.
Unlike other kinds of cyber assaults, a DDoS attack does not attempt to breach a company’s IT security. Instead, a DDoS attack aims to overwhelm network devices and servers and make a website unavailable to legitimate users. However, DDoS is sometimes used to hide other malicious activities, compromising security appliances, and allowing an organisation’s security perimeter to be breached.
What is the difference between a DDoS and DoS attacks?
The difference between normal and distributed denial of service assaults is largely scale. A DoS attack uses a single device and internet connection to flood a target with fake requests. The aim is to overwhelm key resources, such as memory and CPU, causing legitimate access requests to go unanswered.
Conversely, Distributed Denial of Service attacks are launched from multiple devices that are distributed across the Internet. These devices include PCs, routers, servers, tablets, and mobiles, infected with malware, and controlled from a remote location. The distributed nature of the attack makes it harder to detect and to deal with.
Who are the targets of DDoS attacks?
Any business, organisation, or indeed country can be the target of a DDoS attack. In 2020, Australian Prime Minister Scott Morrison had some alarming news for his citizens, “We are under cyber-attack.” The same year saw the US cloud giant, Amazon, suffering a 2.3Tbps DDoS attack. As an idea of scale, that’s about half of all the traffic that BT sees on an entire day across its UK network.
Motivations for carrying out a DDoS attack vary widely, from disgruntled individuals and hacktivists wanting to take down a company’s servers, to financially motivated extortion attempts to undermine a business’s online presence. State-sponsored DDoS attacks are increasingly being used to disrupt critical financial, health, and infrastructure services in enemy countries.
Types of DDoS attacks
Whilst the aim of all DDoS attacks is similar, the denial of service to legitimate users, there are multiple strategies used to achieve this end result. They differ on what part of the OSI network model they focus on.
[Create similar OSI model graphic]
Application attacks send a very high volume of simple HTTP requests to the application, in effect the web pages themselves. This is conceptually easy to do, and a simple HTTP request can generate significant work on the target server, consuming memory, and CPU cycles.
Protocol attacks target weaknesses in the network and transportation layers (3 and 4 in the model), overloading equipment such as firewalls and load balancers.
Volumetric attacks attempt to consume all available bandwidth with the target server. The attack focuses on sending requests to the target system that require large volumes of data to be sent and received.
How to identify a DDoS attack
In many cases, the first clue that a DDoS attack is taking place may be a website or service suddenly becoming very slow or even unavailable. Whilst this may be a sign of a cyber-attack, it could also be as a result of a spike in legitimate traffic, for example as the result of a marketing campaign or news story relating to the organisation. For this reason, it is necessary to analyse the traffic to the site, looking for signs of a non-legitimate increase in volume. Signs of a DDoS attack include:
- Large volumes of traffic from a single IP address, or narrow IP range.
- Traffic which contains common profiles, for example similar device type, geographic location, web browser type and version etc.
- Multiple requests targeting the same specific page or service.
- Repeating pulses of high volumes, for example surges every fifteen minutes or at the start of each hour.
How to protect yourself against a DDoS attack
The first stage of DDoS protection is to work out which services are the most critical to an organisation. This will vary by each business, however ranking services in importance will help ensure that protection is efficiently focused. Single points of failure should also be identified, and if linked to a critical area, then it may be necessary to create a secondary or tertiary service to help spread both the load and risk. Finally, planning how you will identify a DDoS attack needs to be considered. The proactive monitoring of suspicious traffic is preferable to waiting until customers or clients have complained on social media that a site is down!
Once critical services, single points of failure, and detection have been considered, an appropriate level of DDoS protection can be implemented. Enhancing network and firewall security is a first step, and for many organisations this may be a proportionate level of protection. Where additional security is required, either on-demand or always-on, the Border Gateway Protocol (BGP) can be used to help divert all traffic via a dedicated ‘scrubbing centre’, which has the ability to detect and filter out malicious packets, only forwarding valid traffic to the original server.
Whilst no solution is perfect, planning and preparation will help prevent poor performance when it comes to a DDoS attack.
Next steps to protect your business
Maybe not surprisingly, but we can help your business against cyber-attacks of all types. Our network and infrastructure services include monitoring, virtualisation projects, audits, capacity planning, consultancy, solution design, performance improvements as well as disaster recovery and business continuity.
Whether you have on-premises IT, hybrid, or cloud Infrastructure, managing key services and statistics is a difficult job whilst also running a business. Our highly skilled engineers and cutting-edge monitoring and remediation software has been fine-tuned to keep your Infrastructure safe, performing as it should.
If you would like to find out more about how we can help, please get in touch.