What is a DDoS attack?
DDoS is an abbreviation of Distributed Denial-of-Service, a type of cybercrime in which the attacker overwhelms a server with an excessive number of requests to prevent legitimate users from accessing a website or other online service.
How does a DDoS attack work?
Most often, DDoS attacks are built around DDoS botnets. A botnet is a group of hundreds or thousands of machines that a hacker has taken control of. These machines are called bots. The attacker forces these bots to send an enormous amount of internet traffic to a victim's resource.
Example: Let's imagine there's a huge call center dedicated to providing technical support. Someone dials the number and asks for assistance. However, they are told that all available agents are currently occupied. The reason is that a spammer has sent thousands of calls from different phones controlled by their bots. The call center's lines are overloaded, and the legitimate callers are unable to get assistance. DDoS attacks work in the same way, but on the internet: the fraudsters' traffic completely blocks end users from reaching the website or online service.
What are the types of DDoS attacks?
There are three common types of DDoS attacks.
1. Volumetric attacks (L3). Volumetric DDoS attacks flood internal networks with malicious traffic. These assaults exhaust bandwidth within or between the target network/service and the internet.
Example: Volumetric attacks happen when a server gets so much traffic that it can't take any more. One type of volumetric attack is the DNS amplification attack. The attackers craft DNS requests in a way that increases the size of the response: they ask for mail servers, subdomains, and other DNS records, as well as the website's IP addresses. A small DNS request of 10 bytes can lead to a response of 10-20 bytes.
In addition, the DNS resolver does not return the response to the attacker but to the victim's machine, because the attacker spoofs (fakes) the source IP address in the DNS requests. This also hides the attacker's identity. The result is DNS resolvers "returning" replies to a victim who never requested them in the first place.
2. Connection protocol attacks (L4). Protocol attacks occur when attackers send connection requests from multiple IP addresses to exploit weaknesses in the target server. This requires only a few computers. Each connection request requires a response, and the server quickly becomes overloaded.
Example: Protocol attacks try to use up a server's resources or those of its networking systems, such as firewalls, routing engines, or load balancers. An example of this type of attack is the SYN flood attack.
Before two computers can start talking to each other safely, they have to do a TCP handshake. A TCP handshake allows two parties to share some basic information. A SYN packet is usually the first step of the TCP handshake, telling the server that the client wants to start a new channel. In a SYN flood attack, the attacker sends fake SYN packets to the server. The server responds to each packet with a SYN-ACK, requesting that the client complete the handshake, and waits for the client(s) to respond. Those responses never arrive, so half-open connections pile up; once there are too many of them, the server crashes.
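As an added illustration (not code from the original article), this Python model shows the SYN flood from the server's side: spoofed SYNs that are never acknowledged fill the half-open connection backlog, legitimate clients are turned away, and they succeed again only after the stale entries time out. The backlog size, timeout and addresses are constructed values.

```python
# Added illustration of the SYN flood mechanism from the server's side; not code
# from the original article. Backlog size, timeout and addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int          # max half-open (SYN_RECV) entries the server keeps
    syn_timeout: float    # seconds a half-open entry waits for the final ACK
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN time
    accepted: int = 0
    dropped: int = 0

    def expire(self, now):
        """Discard half-open entries whose SYN-ACK was never acknowledged in time."""
        for key in [k for k, t in self.half_open.items() if now - t > self.syn_timeout]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """Handshake step 1: queue a half-open entry, or drop the SYN if the backlog is full."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1      # no SYN-ACK is sent; the client sees a timeout
            return False
        self.half_open[src] = now  # server sends SYN-ACK and waits for the ACK
        return True

    def on_ack(self, src, now):
        """Handshake step 3: the ACK completes a connection waiting in the backlog."""
        self.expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.accepted += 1
        return True


def run_flood(listener, spoofed_syns, legit_clients):
    """Spoofed SYNs (never acknowledged) arrive first; then legitimate clients connect."""
    for i in range(spoofed_syns):
        listener.on_syn(("203.0.113.%d" % (i % 254 + 1), 40000 + i), now=0.0)
    outcomes = []
    for port in range(50000, 50000 + legit_clients):
        src = ("198.51.100.10", port)
        # A real client only sends its ACK if it actually received the SYN-ACK.
        outcomes.append(listener.on_syn(src, now=0.5) and listener.on_ack(src, now=0.6))
    return outcomes
```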
3. Application layer attacks (L5-L7). Application layer attacks target the software that delivers a service, such as a web server or cloud-based application, draining the website's resources and bandwidth.
Example: Let's say an end user accesses www.example.com in their browser to request the web page. The server fetches page-related information, packages it, and sends it to the browser. The application layer is where this information is gathered and put together. The attack happens when a hacker repeatedly uses multiple bots or machines to ask the server for the same resource until the server can't handle it anymore.
An example of this is the HTTP flood, a widespread application layer attack. Malicious actors submit HTTP requests from different IP addresses, asking the server to, for example, download text files, applications, or images. The server can't easily detect the attack because the IP address and other identifiers vary with each request.
| Key differences | Application layer attacks | Volumetric-based attacks | Connection protocol attacks |
| --- | --- | --- | --- |
| Target | Overwhelms the layer of the network that generates web pages and responds to application requests. | Overwhelms the network equipment, bandwidth, or server with a high volume of traffic. | Targets the resources of a network-based service, like website firewalls or server operating systems. |
DoS vs. DDoS attacks
It is important to distinguish DDoS from DoS (Denial-of-Service). Even though the only difference is a single letter, there is significant confusion about how the two work. Knowing the basic differences can help you avoid these types of attacks.
Denial-of-service (DoS) attacks are a type of cyber attack in which a malicious actor interrupts the usual functioning of a computer or other device. By definition, a DoS attack is launched from a single computer.
Example: There are two ways of executing DoS attacks: flooding and crashing. Flood attacks occur when the server receives more data than its buffers can handle, slowing and eventually stopping it. Crashing attacks exploit vulnerabilities that cause the victims' systems to crash: data sent to the victim takes advantage of bugs and then crashes or severely destabilizes the system so that it can no longer be accessed.
Distributed Denial-of-Service (DDoS) attacks occur when multiple systems work together to send a coordinated DoS attack to a single target. The main difference is that instead of being attacked from one place, the target is attacked from many places at once. The spread of hosts making up a DDoS gives the attacker several advantages:
- They can use a larger number of machines to launch a far more disruptive attack.
- Because the attacking systems are spread out randomly (often worldwide), it's hard to figure out where the attack is coming from.
- It's hard to find the real attackers because they hide behind many (mostly compromised) systems.
- As the number of IoT devices increases in the world, the number of attacks will too. The attacker can take over these devices to make them part of botnets.
What are the key differences between the two?
| Key difference | DoS | DDoS |
| --- | --- | --- |
| Types of attacks | | |
| Attack blocking | It is simpler to defend against the attacks. | It is harder to block due to the number of machines utilized. |
| Source of attack | An attack is initiated from a single host machine and associated IP address. | The attack is initiated via a wide variety of sources, including hacked laptops, IP cameras, and Internet of Things devices. |
How to protect from a DDoS attack
To protect a site from DDoS attacks, you can use a DDoS protection solution: a third-party service that detects and blocks the malicious traffic sent by attackers, so that your servers and applications stay available despite the attackers' efforts.
How does DDoS protection work?
DDoS protection works by meticulously sorting website traffic so that attackers' requests can't pass through, but legitimate requests can, without causing the page to load much more slowly. DDoS protection providers will also report attempted DDoS attacks to website owners. This way, the website owner can track when the attack happened, how big it was, and other important details.
How does DDoS protection identify attackers' requests?
As an example, we'll tell you about our DDoS protection solution and its technologies. Here they are:
- Resource analysis. Resource load is analyzed in real time for any statistical abnormalities.
- Technical analysis. Each new query undergoes a basic technical analysis of the client who sent it (for example, the median size of network packets is analyzed).
- Behavioral factor recognition. If a client has sent more than one query within the monitored period of time, then the client's behavior on the website (for example, the time between queries and subqueries) is analyzed for abnormalities.
- Query check. The query is checked against suspicious signatures currently relevant to the resource. Both exact coincidence and "proximity" can be checked.
- Query validity conclusion. As a result, the information is combined into a factor vector that is used to calculate query validity.
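As an added example, not the provider's actual code, here is a toy Python version of that scoring pipeline: per-client factors for request rate (resource analysis), median packet size (technical analysis), time between queries (behavioral recognition) and signature matches (query check) are combined into a factor vector and a validity score. The request log, baseline, weights, thresholds and signature are constructed values.

```python
# Added toy version of the multi-factor request scoring described above; not the
# provider's actual code. Log entries, baseline, weights and signature are constructed.
from collections import defaultdict
from statistics import median

# Constructed request log: (timestamp_s, client_ip, path, packet_bytes)
REQUESTS = [
    (0.00, "198.51.100.7", "/", 900),
    (4.10, "198.51.100.7", "/about", 850),
    (9.80, "198.51.100.7", "/contact", 910),
    (0.00, "203.0.113.9", "/search?q=a", 60),
    (0.05, "203.0.113.9", "/search?q=a", 60),
    (0.10, "203.0.113.9", "/search?q=a", 60),
    (0.15, "203.0.113.9", "/search?q=a", 60),
    (0.20, "203.0.113.9", "/search?q=a", 60),
]
SUSPICIOUS_SIGNATURE = "/search?q="  # constructed signature "relevant to the resource"
NORMAL_MEDIAN_PACKET = 850           # constructed baseline for the technical analysis
WEIGHTS = {"rate": 0.4, "interval": 0.2, "packet": 0.2, "signature": 0.2}


def factor_vector(client_reqs):
    """One suspicion value in 0..1 per factor, computed from a single client's requests."""
    times = sorted(t for t, _, _, _ in client_reqs)
    span = max(times[-1] - times[0], 1.0)
    gaps = [b - a for a, b in zip(times, times[1:])]
    med_gap = median(gaps) if gaps else span                 # behavioral: time between queries
    med_pkt = median(p for _, _, _, p in client_reqs)        # technical: median packet size
    sig_hits = sum(SUSPICIOUS_SIGNATURE in path for _, _, path, _ in client_reqs)
    return {
        "rate": min(len(times) / span / 5.0, 1.0),           # resource: 5 req/s saturates
        "interval": 1.0 if med_gap < 0.5 else 0.0,           # sub-500 ms gaps look automated
        "packet": min(abs(med_pkt - NORMAL_MEDIAN_PACKET) / NORMAL_MEDIAN_PACKET, 1.0),
        "signature": sig_hits / len(client_reqs),            # query check: exact matches
    }


def query_validity(client_reqs):
    """Weighted sum of the factor vector, flipped so that 1.0 means clearly legitimate."""
    suspicion = sum(WEIGHTS[k] * v for k, v in factor_vector(client_reqs).items())
    return round(1.0 - suspicion, 3)


def classify(requests, threshold=0.5):
    """Group a request log by client and decide allow/block per client."""
    by_client = defaultdict(list)
    for req in requests:
        by_client[req[1]].append(req)
    return {ip: "block" if query_validity(r) < threshold else "allow" for ip, r in by_client.items()}
```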
Is it possible to protect a server located outside of the provider's data center?
DDoS protection doesn't require your servers to be in the provider's data center. For instance, we protect servers in a client's data center using a GRE tunnel, a technology that allows us to connect our scrubbing centers to a client's servers remotely.
Short summary
DDoS attacks are a threat that takes down websites and applications by overloading them on L3, L4, or L7 with an excessive amount of internet traffic. They result in resource unavailability, loss of users, and damage to brand reputation.
To stay protected, you can use a DDoS protection solution, a service that identifies attackers' traffic, blocks it, and notifies you about the attack attempt. At the same time, legitimate users' traffic still reaches the resource; they can use the protected site or application normally. To protect the resource, you don't need the servers to be in the provider's data center; the protection can be organized remotely. To do this, providers use GRE tunneling.