Distributed Denial of Service (DDoS) attacks have become one of the most dangerous cybersecurity threats for businesses of all sizes. A DDoS attack is no longer a threat exclusive to huge enterprises and services such as the PlayStation Network or Amazon Web Services; medium-sized and even small companies are now increasingly popular DDoS targets.
DDoS attacks are especially dangerous because once they have started they are very difficult to stop, so effective prevention is much preferred. A DDoS attack can also cause significant damage, not only financial losses but often long-term and even permanent damage to the business’s reputation.
For these reasons, knowing how to stop and prevent DDoS attacks is now very important for any business that has a website.
What Is a DDoS Attack?
Understanding DoS Attack
To understand DDoS attacks, we first have to discuss DoS, or Denial of Service, since a DDoS attack can be thought of as an advanced, modified form of a DoS attack.
Denial of Service is a type of cyber attack in which the attacker aims to slow down a computer, system, or network, or even render it unavailable to its intended users.
A DoS attack works by interrupting the system’s normal functionality. The most basic method is to overwhelm the target with more requests than it can process, so that it can no longer handle normal traffic, resulting in denial of service to legitimate users.
The attack is called a DoS attack if it uses only a single computer. If it uses more than one computer, it is a DDoS attack: the attack is ‘distributed’ across different devices, hence the name.
The DDoS Attack
A DDoS attack amplifies the effect of a DoS attack by using multiple compromised computers (often thousands) as the source of the attack traffic. A network of such compromised devices is called a ‘botnet’, and nowadays it can consist not only of laptops and PCs but also of IoT devices and wearables (e.g. Fitbits and Apple Watches).
A DDoS attack first requires the perpetrator to gain control of the devices, typically by infecting them with malware and turning them into zombie machines (the bots of the botnet). Once a botnet has been established, the attacker can control the devices remotely: when a URL or IP address is targeted, each bot sends requests to the target, resulting in an overwhelming number of requests arriving at the same time.
A DDoS attack can be very difficult to mitigate since the attack is coming from real computers that are impossible to distinguish from legitimate users, and this is why it’s very dangerous.
Different Types of DDoS Attacks
There are different forms of DDoS attacks targeting different components of the network connection.
An easier way to explain this is to divide the DDoS attack types based on the OSI model, which describes the different components of an internet connection when we are accessing a website. There are 7 layers of the OSI model:
- Layer 1 (Physical layer): the lowest layer, responsible for the actual physical connection between devices.
- Layer 2 (Data link layer): responsible for linking data between physically connected nodes; its main function is to define the format of the data on the link.
- Layer 3 (Network layer): transmission of data between two different networks, responsible for deciding which physical path on the network the data will take.
- Layer 4 (Transport layer): transmits data with TCP, UDP, and other transmission protocols. Distributes services from the network layer to the application layer.
- Layer 5 (Session layer): responsible for establishing a connection and maintaining it. Controls the sessions and ports.
- Layer 6 (Presentation layer): responsible for data encryption and for ensuring the data is presented in a usable format.
- Layer 7 (Application layer): the highest layer, where human-computer interaction happens and web applications access network services.
Layers 1 and 2 are mostly local, so DDoS attacks at layers 1 and 2 are virtually non-existent, since the distribution of the attack would be very limited. Layers 5 and 6 mainly handle the validation of data coming from layers 3 and 4. So there are three main categories of DDoS attacks: protocol attacks (targeting layers 3 and 4), volumetric attacks (also targeting layers 3 and 4), and layer 7 (L7) attacks.
L7 (Application Layer) Attacks
This is currently the most sophisticated and advanced form of DDoS attack. Layer 7 is where web pages are actually generated on the server, and the attack exploits this by attempting to overwhelm the web server with a flood of requests (mainly HTTP traffic).
An example of a layer 7 DDoS attack is sending thousands of requests per second for a certain page until the server is overwhelmed. Another common practice (which is much harder to defend against) is calling an API over and over again.
Protocol (Layer 3 and 4) Attacks
Data transmitted and received over a network is divided into packets, and layer 3’s main objective is to address these packets to the right destinations via protocols. Layer 4, on the other hand, opens the necessary connections as directed by layer 3, ensures reliable data delivery, and indicates which service on the target device should receive the sent data.
In layer 3, the most important protocol is IP (Internet Protocol), while layer 4 involves transport protocols including TCP and UDP.
Protocol attacks exploit vulnerabilities in these layer 3 and layer 4 protocols to render the network inaccessible to users. There are various ways attackers can abuse these protocol weaknesses.
A SYN flood attack, for example, exploits the TCP handshake by sending a large number of TCP SYN packets using spoofed IP addresses. The target responds to each of these connection requests and waits for the next step of the TCP handshake (which never occurs), exhausting its resources on half-open connections.
Another common protocol attack is the ICMP Ping of Death, where the attacker sends a ping request that is larger than the maximum size allowed by the protocol. When the target tries to reassemble the fragmented packet, the reassembled size exceeds the maximum and crashes the target system.
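As an added illustration (not code from the original article), here is a small Python replay showing why the SYN flood described above is hard to stop with per-source rules: it tracks half-open handshakes in a constructed packet list and flags the flood only from the aggregate backlog. The packet format and the thresholds are assumptions made for this example.

```python
# Constructed tcpdump-style packet summaries (not a real capture): (time_s, src_ip, dst_port, flags).
# Only the client side is modelled: "S" = client SYN, "." = client ACK completing the handshake.
NORMAL = [
    (0.0, "10.0.0.5", 443, "S"), (0.1, "10.0.0.5", 443, "."),
    (0.2, "10.0.0.6", 443, "S"), (0.3, "10.0.0.6", 443, "."),
    (0.4, "10.0.0.6", 443, "."),  # later data ACK, not part of a handshake
]
# Flood: 250 SYNs, each from a different spoofed source, none ever completed.
FLOOD = [(1.0 + i * 0.001, f"203.0.113.{i + 1}", 443, "S") for i in range(250)]


def half_open_stats(packets):
    """Replay client packets and count handshakes left half-open (a SYN with no
    later ACK from the same source/port), as the server's backlog would see them."""
    pending = {}  # (src_ip, dst_port) -> time the SYN arrived
    completed = 0
    for t, src, port, flags in packets:
        key = (src, port)
        if flags == "S":
            pending[key] = t
        elif flags == "." and key in pending:
            del pending[key]
            completed += 1
    return {
        "half_open": len(pending),
        "completed": completed,
        "distinct_sources": len({src for src, _ in pending}),
    }


def syn_flood_suspected(stats, max_half_open=100):
    """The aggregate backlog is the signal. Because the sources are spoofed, each
    address shows up once, so a per-source rate limit never trips; flag instead
    when many half-open handshakes pile up from many distinct sources."""
    return (stats["half_open"] > max_half_open
            and stats["distinct_sources"] > max_half_open // 2)


if __name__ == "__main__":
    for label, pkts in (("normal", NORMAL), ("flood", NORMAL + FLOOD)):
        s = half_open_stats(pkts)
        print(label, s, "SYN flood suspected:", syn_flood_suspected(s))
```

On Linux, SYN cookies (net.ipv4.tcp_syncookies=1) let a server keep accepting legitimate connections while its backlog is under this kind of pressure; the check above only tells you that the flood is happening.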
Volumetric Attacks
As the name suggests, in a volumetric attack the objective is to saturate the bandwidth of the target website or network. Large amounts of data are sent to the target to create massive traffic, overwhelming the network.
A ping flood DDoS attack, for example, is when the attacker sends thousands or even millions of pings to the server using a botnet. A Smurf DDoS attack is another type of volumetric attack in which the attacker sends ping requests to thousands of websites while spoofing the source IP address in the request, so that the responses go to the target network instead of the attacker. Modern devices are typically not vulnerable to this ICMP-based Smurf attack.
Best Practices for Preventing DDoS Attacks
As we have seen, DDoS attacks are possible because of vulnerabilities in our network, whether at the network, protocol, or application layer.
So preventing DDoS attacks is about minimizing these vulnerabilities by implementing the following best practices:
- Monitor your traffic regularly and aim for early detection
Identifying the early warning signs is very important in preventing DDoS attacks. There are various tools (many of them free) we can use to monitor traffic and detect traffic spikes, which is key to detecting volumetric attacks.
A dramatic increase in traffic is a major sign of a volumetric DDoS attack, so regularly check your traffic logs and/or set up alerts for when the number of requests or visitors exceeds a threshold chosen according to your bandwidth.
You should also consider:
- The time of the traffic spike. A legitimate spike at 3 AM, for example, is unlikely.
- The location of the traffic sources. For example, if you are not serving the Chinese market, having a sudden surge of traffic coming from China is suspicious.
- The time of the year. Depending on your business, there might be legitimate spikes, for example, during the holiday seasons.
However, as discussed, the volumetric attack isn’t the only type of DDoS attack that might threaten you. In a layer 7 attack, for example, the traffic can be as low as 1 request per second but target a vulnerable endpoint in your web application. An AI-powered, behavior-based bot protection solution like DataDome is necessary for monitoring your traffic for potential layer 7 DDoS attacks.
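An added example, not from the original article or DataDome’s product, of the two monitoring checks described above run over constructed access-log lines: a per-second request budget for volumetric spikes, and a per-endpoint budget per client that catches the low-rate layer 7 pattern a bandwidth alarm never sees. The log format, paths and thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed combined-log-style lines (not real traffic) for this example.
LOG = [
    '10.0.0.8 - - [10/Oct/2023:14:00:01 +0000] "GET / HTTP/1.1" 200 1024',
    '10.0.0.9 - - [10/Oct/2023:14:00:02 +0000] "GET /search?q=ddos HTTP/1.1" 200 2048',
] + [
    # Layer 7 pattern: one client hitting an expensive API every 2 s, far below any bandwidth alarm.
    f'198.51.100.4 - - [10/Oct/2023:14:00:{s:02d} +0000] "POST /api/report HTTP/1.1" 200 64'
    for s in range(0, 60, 2)
]
# Volumetric pattern: 150 requests in a single second from many sources.
BURST = [f'203.0.113.{i % 200 + 1} - - [10/Oct/2023:14:00:30 +0000] "GET / HTTP/1.1" 200 1024'
         for i in range(150)]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_line(line):
    """Return ip, timestamp, method and path (query string dropped), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method, "path": path.split("?", 1)[0]}


def volumetric_alerts(records, max_rps):
    """Seconds whose request count exceeds the bandwidth-derived budget."""
    per_second = Counter(r["when"] for r in records)
    return sorted(t for t, n in per_second.items() if n > max_rps)


def endpoint_alerts(records, budgets):
    """(source, path, count) for clients exceeding a per-endpoint budget, so slow
    hammering of one expensive route is caught even when the total rate looks normal."""
    hits = Counter((r["ip"], r["path"]) for r in records)
    return sorted((ip, path, n) for (ip, path), n in hits.items()
                  if path in budgets and n > budgets[path])


def analyse(lines, max_rps=50, budgets=None):
    records = [r for r in map(parse_line, lines) if r]
    return {"volumetric": volumetric_alerts(records, max_rps),
            "endpoint": endpoint_alerts(records, budgets or {"/api/report": 10})}


if __name__ == "__main__":
    print(analyse(LOG + BURST))
```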
- Increase your network bandwidth
Since DDoS attacks, especially volumetric attacks, work by exhausting your resources, provisioning extra bandwidth can help you handle unexpected traffic spikes. This won’t necessarily stop the DDoS attack altogether, but it may buy you some very valuable time to set up and execute your mitigation plan.
This solution can be expensive, since the spare bandwidth may go unused when there’s no attack, but some hosting services offer burstable billing/burstable bandwidth plans that provide some flexibility. They may also offer enhanced DDoS protection with these plans, so check with your hosting provider whether they offer such options.
- Redundancy in network infrastructure
Maintaining redundancy is a very important aspect of preventing the damage caused by DDoS attacks. DDoS attacks are becoming larger and more sophisticated than ever, but the objective remains the same: disrupting your service.
The idea behind redundancy is that whenever a system is disrupted due to DDoS attacks, we can simply fall back on redundant systems so we can continue delivering service without interruption. Redundancy also allows us to cut off and reroute traffic when needed.
If possible, don’t rely on a single hosting/ISP service, and look for ISP redundancy. There are hosting services that offer the ability to switch between different providers in the event of a DDoS attack, allowing us to reroute traffic to prevent downtime.
Also, don’t rely solely on your ISP to defend your site against DDoS. In the case of a severe attack that might put all of the ISP’s customers at risk, the ISP may decide to blackhole your traffic, and your site will be down indefinitely. Having a dedicated DDoS mitigation solution, as discussed above, remains the best option.
- Prepare your organizational response
It’s very important to prepare your operational readiness for a DDoS attack and ensure you can respond as quickly as possible when one occurs. Educate your team regularly on your DDoS response plan, and train them with simulated attacks to validate your organization’s overall DDoS defense.
Once a DDoS attack is under way, you won’t have time to plan your response, so having a clear mitigation plan in advance is necessary. You must prepare your team with policies and procedures on:
- Communications: your staff need to know exactly what to do and whom to call in the event of a DDoS attack, while disrupting daily operations as little as possible. It’s best to plan a way to relay information in the form of internal short message blasts.
- Identification of key personnel: it’s important to prevent panic during an attack, since panic can delay the required mitigation response. Identify the key personnel who should be notified of the attack as soon as possible, and educate your team so everyone understands their role in the DDoS mitigation process.
- Information-related policies: a simple measure like keeping all names and phone numbers of key personnel in a single place can save valuable time. Set up policies on how personnel should share and access the required information in the event of a DDoS attack.
- Maintain relationships with your key vendors
Successful DDoS mitigation requires the help of your vendors: your bot management solution provider, hosting provider, ISP, and so on. Don’t wait until a DDoS attack has happened to start a relationship with their customer service representatives. Build these relationships as a preventive measure and incorporate them into your DDoS mitigation plan. This might seem simple, but it can be very effective in ensuring a calm, rehearsed response in the event of an attack.
While there’s no one-size-fits-all answer to preventing a DDoS attack, a good DDoS mitigation service like DataDome that can protect your site from layer 7 attacks remains the most reliable solution.
However, preparing your network infrastructure and the human element of your organization is also very important: when a DDoS attack is under way, you won’t have time to plan a response and think about what you should do. A calm, rehearsed approach is always preferable.