DDoS (Distributed Denial of Service) attacks are among the most prevalent and dangerous cybersecurity threats facing businesses today. According to a report published by Arbor Networks ATLAS, there were at least 610,000 DDoS attacks affecting markets around the world from July 2017 to December 2017 (a 6 month period).
The cost of each of these DDoS attacks can be devastating. A risk assessment report published by Kaspersky Labs estimates that the average cost of a DDoS attack is $106,000 for a small business and over $1.6 million for a large enterprise.
Given the prevalence and potential damage cited above, it is clear that DDoS attacks are an increasing threat. This article provides an overview of how the attacks work and the steps businesses can take to mitigate the risk.
How DDoS Attacks Work
As you might already know, a DDoS is a network-based attack that uses an extensive network of Internet-connected devices infected with malware (a botnet) to cause a denial of service, essentially taking down a website, application or computer system.
The perpetrators of a DDoS attack can disrupt or even disable a business’ website and other Internet-based applications. They accomplish this by flooding the target’s servers with traffic originating from hundreds or even millions of compromised sources. As a result, the company is unable to process legitimate requests from users until the strain on the server is relieved. This results not only in lost revenue, but also in a loss of customer goodwill and business reputation.
So what can businesses do to mitigate the damage of a DDoS attack?
Unfortunately, there is no “one size fits all” solution when dealing with DDoS attacks. They come in several types, each exploiting a different weakness and each requiring a different approach to mitigate successfully.
Volumetric DDoS Attacks
A volume-based DDoS attack is the most common type of DDoS attack, accounting for 65% of attacks in 2017 according to AWS.
As the name implies, volumetric attacks work by driving a massive volume of traffic at the targeted server. The perpetrators do not have to generate that traffic themselves; in many cases they instead direct a botnet to send requests to NTP or DNS servers using a spoofed source IP address (the IP address of the victim’s server). As a result, the targeted server is bombarded with responses to requests it never made, in an attempt to cripple or crash the network. This method makes volumetric DDoS attacks very common and relatively simple to execute.
To maximise the damage, perpetrators use a reflective medium such as an open DNS resolver to magnify the size of the data packets by as much as 70 times. Depending on the number of reflectors the attacker has access to, the traffic generated can reach several hundred gigabytes per second. This is more than enough to take down the servers of most SMBs (small to medium-sized businesses) that have no form of DDoS mitigation.
An enterprise-grade data centre can help you mitigate volumetric DDoS attacks by filtering out DDoS traffic using a network of data scrubbing centres to ensure that only legitimate communication requests reach your server. This provides business continuity even in the midst of a volumetric DDoS attack.
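The reflection pattern described above has a recognisable signature on the victim's side: many distinct hosts, all answering from the same service port (UDP/53 for DNS, UDP/123 for NTP), delivering large packets to one destination that never sent the matching requests. The following Python script is an added example, not code from the article or from Intergrid, showing how a defender can flag that pattern in flow records. The `Flow` record layout, the extra reflector ports beyond DNS and NTP, the thresholds and the sample flows are all constructed for illustration.

```python
"""Spotting an amplified reflection flood in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused as reflectors. DNS and NTP are
# the ones the article names; the others are an assumption for illustration.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record (constructed layout for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def detect_reflection(flows, min_sources=5, min_avg_bytes=512):
    """Group UDP flows by (destination, reflector port). A single destination
    receiving large packets from many distinct hosts on a reflector port is
    the signature of a reflected, amplified flood: the victim never sent the
    requests, so the responses arrive unsolicited."""
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        b = buckets[(f.dst_ip, f.src_port)]
        b["sources"].add(f.src_ip)
        b["packets"] += f.packets
        b["bytes"] += f.bytes

    alerts = []
    for (victim, port), b in buckets.items():
        avg = b["bytes"] / b["packets"]
        if len(b["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts.append({
                "victim": victim,
                "reflector": REFLECTOR_PORTS[port],
                "distinct_sources": len(b["sources"]),
                "avg_packet_bytes": round(avg),
                "total_bytes": b["bytes"],
            })
    return sorted(alerts, key=lambda a: a["total_bytes"], reverse=True)


SAMPLE_FLOWS = [
    # Constructed: 20 open resolvers on 203.0.113.0/24 each delivering large
    # DNS answers to one victim that never asked for them.
    *[Flow(f"203.0.113.{i}", 53, "198.51.100.10", 40000 + i, "udp", 40, 100_000)
      for i in range(1, 21)],
    # Constructed: ordinary DNS answers to a workstation (few sources, small packets).
    Flow("192.0.2.53", 53, "198.51.100.20", 51111, "udp", 3, 360),
    Flow("192.0.2.54", 53, "198.51.100.20", 51112, "udp", 2, 240),
    # Constructed: a normal NTP sync, 48-byte packets.
    Flow("192.0.2.123", 123, "198.51.100.20", 123, "udp", 4, 192),
    # Constructed: TCP web traffic, ignored by the UDP-only check.
    Flow("192.0.2.80", 443, "198.51.100.10", 52000, "tcp", 100, 90_000),
]

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed sample, the only alert is for 198.51.100.10, which receives 2 MB from 20 distinct resolvers at an average of 2,500 bytes per packet; the workstation's small DNS and NTP exchanges stay below both thresholds. In production the same grouping is what a scrubbing centre turns into a filter: rate-limit or drop inbound UDP from port 53 or 123 toward the victim while leaving the victim's own outbound queries untouched.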
State Exhaustion DDoS Attack
Also known as a protocol-based DDoS attack, a State Exhaustion DDoS Attack works differently: it targets weaknesses in the protocol layers of the OSI (Open Systems Interconnection) model, the reference model that standardises how computing and telecommunications systems communicate.
One weakness commonly exploited in State Exhaustion DDoS Attacks is the SYN-ACK flood, which abuses the handshake protocol used to establish a TCP connection between the web server and its users.
Under normal circumstances, a user accesses a website by sending a synchronise request (SYN) to its server. The server returns a SYN-ACK response, and the user completes the cycle with an acknowledgement (ACK). This exchange (SYN, SYN-ACK, ACK) lays the foundation for transmitting and receiving data over the Internet via TCP (Transmission Control Protocol).
Perpetrators of a State Exhaustion DDoS Attack weaponise this three-way handshake. The attacker floods the server with hundreds of SYN requests but never completes the handshake with the final ACK, so the server must hold each half-open connection while it waits for an acknowledgement that never arrives. Since there is a limit to the number of half-open connections a server can track, a State Exhaustion DDoS Attack prevents the targeted server from accepting new connections, resulting in a denial of service (DoS) to legitimate users.
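The half-open connection limit is the whole point of the attack, and the standard defence is to stop keeping per-connection state before the handshake completes. The Python model below is an added example, not code from the article or from Intergrid. It simulates a fixed-size SYN backlog filling up under a flood of spoofed SYNs, then shows the SYN-cookie idea: the server derives its initial sequence number from a keyed hash over the connection tuple and a coarse time slot, stores nothing, and accepts the final ACK only if it carries that value plus one. The cookie scheme is a simplified illustration of the technique (real kernels also encode the negotiated MSS in the cookie), and the addresses, secret key and capacity are constructed.

```python
"""Half-open backlog vs. stateless SYN cookies (added example, not from the article)."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF   # TCP sequence numbers are 32-bit and wrap


class HalfOpenTable:
    """Models a server's SYN backlog: each SYN that has been answered with a
    SYN-ACK occupies a slot until the client's final ACK arrives (or the entry
    times out). Once the slots are full, new SYNs are dropped."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = {}  # (client_ip, client_port) -> server ISN sent in SYN-ACK

    def on_syn(self, client, isn):
        """Return True if the SYN could be queued, False if the backlog is full."""
        if client not in self.pending and len(self.pending) >= self.capacity:
            return False
        self.pending[client] = isn
        return True

    def on_ack(self, client, ack_num):
        """Complete the handshake only if the ACK acknowledges our ISN + 1."""
        isn = self.pending.pop(client, None)
        return isn is not None and ack_num == (isn + 1) & MASK32


class SynCookieServer:
    """Stateless alternative: the ISN is an HMAC over the connection 4-tuple and
    a coarse time slot, so nothing is stored until the final ACK proves the
    client really received the SYN-ACK. Simplified from the classic scheme."""

    def __init__(self, secret, slot_seconds=64):
        self.secret = secret
        self.slot_seconds = slot_seconds

    def _cookie(self, client, server, slot):
        msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, client, server, now):
        """Return the ISN for the SYN-ACK; no per-connection state is kept."""
        return self._cookie(client, server, int(now // self.slot_seconds))

    def on_ack(self, client, server, ack_num, now):
        """Accept the ACK only if it matches a cookie from the current or the
        previous slot; a sender who never saw the SYN-ACK cannot produce it."""
        slot = int(now // self.slot_seconds)
        return any(ack_num == (self._cookie(client, server, s) + 1) & MASK32
                   for s in (slot, slot - 1))


def simulate(attack_syns, capacity=128):
    """Flood both servers with SYNs from spoofed sources that never ACK, then
    check whether one legitimate client can still connect.
    Returns (legit_ok_with_backlog, legit_ok_with_cookies)."""
    server = ("198.51.100.10", 443)
    legit = ("192.0.2.7", 50000)
    now = 1_700_000_000.0
    # Constructed spoofed sources: one distinct (ip, port) per SYN.
    spoofed = [(f"203.0.113.{i % 250 + 1}", 1024 + i) for i in range(attack_syns)]

    table = HalfOpenTable(capacity)
    for i, src in enumerate(spoofed):
        table.on_syn(src, isn=i)          # SYN-ACK sent, ACK never comes back
    backlog_ok = table.on_syn(legit, isn=4242) and table.on_ack(legit, 4243)

    cookies = SynCookieServer(b"constructed-secret-key")
    for src in spoofed:
        cookies.on_syn(src, server, now)  # nothing stored, nothing to exhaust
    isn = cookies.on_syn(legit, server, now)
    cookie_ok = cookies.on_ack(legit, server, (isn + 1) & MASK32, now + 0.2)
    return backlog_ok, cookie_ok


if __name__ == "__main__":
    print("quiet period:", simulate(10))
    print("under flood: ", simulate(500))
```

With 500 spoofed SYNs against a 128-entry backlog the legitimate client is refused, while the cookie server still completes its handshake because the flood never consumed anything. The trade-off is that a cookie server cannot retransmit a lost SYN-ACK and loses most TCP options for those connections, which is why operating systems enable cookies only once the backlog is under pressure.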
Application Layer DDoS Attack
A more complex and formidable type of DDoS attack, Application Layer DDoS Attacks are the hardest to detect and defend against. Unlike other forms of DDoS attack, an application-layer attack does not require a botnet: it can come from a single machine generating a minimal amount of traffic yet be just as effective, which is why it is so difficult to detect and mitigate.
Notable examples of an Application Layer DDoS Attack
One of the most notable cases of an Application Layer DDoS attack is the one that targeted NS1 (a cloud-based DNS service provider) on May 16, 2016. The attack exploited a vulnerability in their Anycast DNS infrastructure. Many significant players in the global market, such as Imgur, Dropbox, MaxCDN, Salesforce and Yelp, were affected.
CEO Kris Beevers acknowledged the attack in a note detailing the company’s response to the threat. The attack was notable because it affected both NS1’s DNS infrastructure and the hosting provider.
The graph below shows the scale and extent of the damage caused by the Application Layer DDoS Attack on NS1 as cited from ThousandEyes — a network intelligence platform:
The only way to mitigate an Application Layer DDoS Attack is a concerted effort. This includes monitoring traffic behaviour and barring access from bad bots. You can also obstruct suspicious activity with captchas, cookie challenges and similar measures that validate that a real user is behind a request.
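Because an application-layer attack can look like ordinary HTTP requests, the monitoring the paragraph above calls for has to work on behaviour rather than volume: how many requests a client makes in a short window, which endpoints it hammers, and whether it even looks like a browser. The Python script below is an added example, not code from the article or from Intergrid, that applies those checks to web server access logs and reports which clients should be challenged or blocked. It assumes the common Apache/nginx "combined" log format; the thresholds, the list of expensive endpoints and the sample log lines are constructed for illustration.

```python
"""Flagging abusive clients in web access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_abusers(lines, window_s=10, max_requests=20, max_expensive=5,
                 expensive_prefixes=("/search", "/api/report")):
    """Sliding-window behaviour checks per client IP. A client is flagged for
    "rate" when it exceeds max_requests within window_s seconds, for
    "expensive" when it hits costly endpoints more than max_expensive times in
    that window, and for "no-user-agent" when it sends none at all. Lines are
    expected in time order per client, as they are in a real access log."""
    history = defaultdict(deque)   # ip -> deque of (timestamp, is_expensive)
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = history[ip]
        window.append((ts, rec["path"].startswith(expensive_prefixes)))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()       # drop entries that fell out of the window
        if len(window) > max_requests:
            flagged[ip].add("rate")
        if sum(1 for _, exp in window if exp) > max_expensive:
            flagged[ip].add("expensive")
        if rec["ua"] in ("", "-"):
            flagged[ip].add("no-user-agent")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


def _line(ip, ts, path, ua):
    """Build a constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


_T0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # Constructed: one client hammering the search endpoint, 30 hits in 6 seconds.
    [_line("203.0.113.5", _T0 + timedelta(milliseconds=200 * i),
           f"/search?q=term{i}", "python-requests/2.31") for i in range(30)]
    # Constructed: a browser user moving through the site over a minute.
    + [_line("192.0.2.10", _T0 + timedelta(seconds=12 * i), path,
             "Mozilla/5.0 (X11; Linux x86_64)")
       for i, path in enumerate(["/", "/products", "/search?q=shoes", "/cart", "/checkout"])]
    # Constructed: a client sending no User-Agent header at all.
    + [_line("198.51.100.77", _T0 + timedelta(seconds=i), "/admin", "") for i in range(3)]
)

if __name__ == "__main__":
    for ip, reasons in find_abusers(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

On the constructed sample, 203.0.113.5 is flagged for both rate and expensive-endpoint abuse, 198.51.100.77 for sending no User-Agent, and the browsing user is left alone. Flags like these are the input to the measures the article lists: a "rate" or "expensive" client is a candidate for a captcha or cookie challenge, and only clients that fail the challenge need to be blocked outright, which keeps false positives from turning your own mitigation into a denial of service for real users.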
Steps for mitigating attacks
As this article has discussed, DDoS attacks are highly complex and beyond the capacity of most small business IT departments or in-house servers. Absorbing DDoS attacks requires a large amount of bandwidth, specialist technology for detecting malicious traffic in real time, and high-performance networking equipment to filter attack traffic.
For this reason, choosing a hosting provider that offers DDoS mitigation as an included service is often the best choice. Specialist service providers are able to leverage economies of scale to reduce the cost of mitigation for individual customers.
Here at Intergrid, we have invested heavily in specialist DDoS mitigation solutions and include protection in all of our products. Contact us today to find out more about how we can protect your business.