Distributed denial of service (DDoS) attacks are a major threat facing organizations today. In fact, a couple of months ago, several Kenyan websites belonging to government agencies, media outlets, hospitals, universities, and major banks fell victim to these attacks.
In a DDoS attack, multiple compromised devices are used to target a website or online service, overwhelming it with more requests than the server can handle. This flood of malicious traffic results in the website or service becoming extremely slow or even completely unavailable.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
Given the recent DDoS incidents in Kenya and the fact that these attacks are on the rise worldwide, it’s critically important for organizations to thoroughly understand these threats and how to effectively mitigate them.
Major Types of DDoS Attacks
There are several major types of DDoS attacks:
Volume-Based Attacks
In volume-based DDoS attacks, the goal is to overload the target’s bandwidth by sending huge amounts of traffic in a short amount of time. This causes network congestion and slows down or crashes the target site.
Some common volume-based attack types include:
- UDP floods: The attacker sends random User Datagram Protocol (UDP) packets to random ports on the target system. This consumes available bandwidth and overwhelms the target.
- ICMP floods: The attacker floods the target with random Internet Control Message Protocol (ICMP) packets, such as pings. This overwhelms network resources.
- SYN floods: The attacker sends a flood of TCP SYN requests to the target but never completes the TCP handshake. This leaves many half-open connections, which can overwhelm the target.
Protocol Attacks
Protocol attacks target specific network communication protocols in an attempt to disrupt connections between systems. Some examples include:
- Smurf attacks: Spoofed ICMP packets are sent to broadcast addresses, generating massive responses that flood the target.
- Fraggle attacks: Like a smurf attack, but using UDP packets instead of ICMP.
- TCP SYN flood: Already mentioned above, this exploits the TCP three-way handshake process.
Application Layer Attacks
Application layer attacks target web applications and servers by exploiting vulnerabilities or flaws in applications. This type of attack requires less traffic than volume-based attacks to be effective. Examples include:
- HTTP flooding: Large numbers of HTTP requests are sent to target websites and applications. These can be legitimate requests or bot-generated.
- Slowloris: The attacker opens multiple connections to the target web server and keeps them open as long as possible. This eventually overwhelms the server with open idle connections.
- DNS amplification: The attacker sends DNS queries with the victim's spoofed source address to DNS servers, so the much larger DNS responses are directed at the victim.
Main Sources of DDoS Attacks
There are several major sources that DDoS attacks originate from:
- Botnets: Networks of compromised computers infected with malware allowing them to be remotely controlled. Botnets can generate incredible volumes of traffic and are a major source of DDoS attacks.
- Server farms or web servers: Groups of high-bandwidth servers and web servers can be used to generate DDoS floods if they are compromised by attackers.
- IoT devices: Unsecured Internet of Things (IoT) devices like security cameras and home routers are often compromised to participate in DDoS attacks. Their numbers add up.
- Cloud services: Cloud server instances can be leveraged to produce powerful DDoS attacks if accounts are compromised by attackers.
- Mobile devices: Mobile phones and tablets are proliferating rapidly. If compromised in large numbers, they can be weaponized into botnets capable of potent DDoS attacks.
Identifying a DDoS Attack
The most obvious red flag of a DDoS attack is a website or service suddenly becoming slow or completely unavailable. However, since legitimate spikes in traffic can sometimes mimic this, further investigation is required to confirm that you are under attack.
Carefully analyzing traffic and system logs using analytics tools can reveal key indicators of an attack, such as:
- A flood of requests coming from a single IP address or small range of IPs
- Traffic originating from an abnormally large number of users sharing the same characteristics like location, device type, browser version, etc.
- A spike in requests focused on a specific page or endpoint
- Unnatural traffic patterns such as sudden surges at odd hours or oddly consistent spikes every few minutes
- Signs of protocol or application exploits, such as high rates of incomplete connections or unusual SMTP errors
- Unauthorized access attempts and other suspicious security events around the time of performance issues
The more specific symptoms you can identify, the easier it will be to differentiate a DDoS event from normal fluctuations in traffic. Expert analysis of logs using threat intelligence can also help accurately identify attack signatures. Staying vigilant for the warning signs allows for rapid response when under DDoS fire.
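As an added example (not code from the original article), the following Python script checks three of the indicators listed above against constructed web-server access-log lines: a single IP, a single endpoint, or a single user agent accounting for most of the traffic. The log lines, IP addresses, thresholds and the BadBot user agent are all constructed for the example.

```python
# Added example, not from the original article: scans constructed access-log
# lines for one IP, one endpoint, or one user agent dominating the traffic.
import re
from collections import Counter

# Access-log lines in combined log format, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2023:03:14:01 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
203.0.113.7 - - [10/Aug/2023:03:14:01 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
198.51.100.2 - - [10/Aug/2023:03:14:02 +0300] "GET /news HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/116.0"
203.0.113.7 - - [10/Aug/2023:03:14:02 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
203.0.113.7 - - [10/Aug/2023:03:14:02 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
198.51.100.9 - - [10/Aug/2023:03:14:03 +0300] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
203.0.113.7 - - [10/Aug/2023:03:14:03 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
203.0.113.7 - - [10/Aug/2023:03:14:03 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
198.51.100.4 - - [10/Aug/2023:03:14:04 +0300] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Macintosh) Chrome/115.0"
203.0.113.7 - - [10/Aug/2023:03:14:04 +0300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 BadBot/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Parse each log line into a dict of fields; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def find_indicators(records, thresholds=None, min_requests=10):
    """Return {field: (value, share)} for each field whose single most common
    value accounts for at least the threshold share of all requests."""
    thresholds = thresholds or {"ip": 0.5, "path": 0.6, "ua": 0.6}
    total = len(records)
    if total < min_requests:  # too few requests to call anything a flood
        return {}
    findings = {}
    for field, threshold in thresholds.items():
        value, count = Counter(r[field] for r in records).most_common(1)[0]
        share = count / total
        if share >= threshold:
            findings[field] = (value, round(share, 2))
    return findings

if __name__ == "__main__":
    for field, (value, share) in find_indicators(parse_log(SAMPLE_LOG)).items():
        print(f"{field}: {value!r} accounts for {share:.0%} of requests")
```

Tune the thresholds and the minimum request count against a baseline of your own normal traffic; on a busy site a single IP should account for far less than half of all requests.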
DDoS Mitigation Tips
There are a number of best practices organizations can follow to mitigate the impact of DDoS attacks:
- Maintain ample bandwidth and use load balancing across servers. This increases capacity to absorb traffic floods.
- Enable firewalls and intrusion detection systems to identify and block malicious traffic.
- Use blacklist and reputation filters to block traffic from known malicious sources.
- Limit SYN, ICMP, and UDP traffic not required for operations to reduce vectors of attack.
- Enable server caching and content delivery networks (CDNs) to improve performance against floods.
- Implement DDoS mitigation services that identify and filter out attack traffic before it hits your network.
- Develop traffic throttling, rate limiting, and quality of service (QoS) policies to manage bandwidth usage.
- Separate public-facing systems from backend resources to limit exposure of key assets if front ends are flooded.
- Monitor traffic in real time to quickly identify abnormal spikes that may indicate DDoS attacks.
- Ensure you have an emergency response plan for DDoS attacks to enable rapid mitigation.
Conclusion
DDoS threats are serious challenges facing organizations operating online today. A variety of DDoS attack types exist, targeting bandwidth, protocols, and applications. Defending against DDoS requires planning, vigilance, and a multilayer security approach.
However, with proactive steps, organizations can reduce risks and maintain business continuity even in the face of DDoS attacks. Leveraging security expertise and managed DDoS protection services is key for robust mitigation capabilities.