A Rundown on DDoS Attacks


Simply put, a DDoS attack is when a hacker overwhelms a network with so much traffic that no legitimate users can get in. Picture someone sending 100 busloads of people to occupy a movie theater lobby at once. At some point the building's maximum capacity will be reached and anyone who shows up trying to get in will be turned away. The theater loses money because no one in the building is actually buying tickets, and it may lose future business too, as people annoyed at missing the movie they wanted to see take their business elsewhere.

DDoS attacks have become increasingly prevalent over the last few years. 2021 saw record numbers and sizes of attacks. No single clear number is given in the research, but by integrating data from Kaspersky Labs, Darkreading, and NetScout, we were able to calculate that there were approximately 13.2 million DDoS attacks in 2021. This exceeded predictions by over a million. This number represents a 31% increase from the approximately 10.1 million DDoS attacks in 2020.

Headlines were made as companies mitigated record-high-volume attacks. Amazon and Microsoft were hit with 2.3 Tbps (terabits per second) and 3.47 Tbps attacks respectively. While high-volume attacks are the ones we read about most in the news, there are multiple ways a hacker can use a DDoS attack. In this article, we break down what a DDoS attack is as well as the different types of DDoS attacks used by hackers across the globe.

What is a DDoS attack?

DoS stands for “Denial of Service”. The goal of a DoS attack is to overwhelm a target network, system, or website so that legitimate traffic can no longer get through. Single-source DoS attacks were common in the early days of the internet. Nowadays cybersecurity and network capacity are advanced enough that a single DoS source is unlikely to do any damage. This is where DDoS attacks come in.

DDoS stands for “Distributed Denial of Service”. It means that multiple systems perform a DoS attack at once against a single target. While a DoS attack is generally launched with a script or DoS tool from one machine, DDoS attacks are most often launched through a botnet of compromised machines. In the past, a botnet would mostly be composed of infected computers operating without their owners' knowledge.

[Figure: sourced from f5 labs]

IoT devices have since made this problem worse. These devices are everywhere and usually aren’t manufactured with any security protections. A law passed in 2020 required IoT devices owned or operated by the federal government to meet cybersecurity standards, but it applies only to a fraction of the nearly 36 billion IoT devices installed in 2021. This means your smart refrigerator, coffee maker, or thermostat could end up as a bot in a DDoS attack.

In addition to traditional botnets, for-hire DDoS services are becoming more available. These services rent out devices for use in a DDoS attack at relatively low cost; Microsoft found they can be purchased for as little as $300 per month.

For a hacker there are many advantages to a DDoS attack over a DoS attack. A DDoS attack can generate a greater volume of traffic, and because it comes from many locations, often in multiple countries, its origin is harder to detect. This makes a DDoS attack more difficult to stop than a single DoS attack: stopping traffic launched from bots in ten different countries is harder than pinpointing and stopping a single source.

Motivations for DDoS attacks

1. Ransom – It’s no surprise that financial gain is one of the leading motivators behind these attacks. A NISC survey found 44% of the organizations surveyed had been targeted by a ransom-related DDoS attack. Interestingly, this was a higher percentage than those reporting a traditional ransomware attack. DDoS attacks are a good option for hackers looking to extort a company because they are fairly simple to carry out, can be hard to trace, and have a decent success rate: 36% of the companies hit by a ransom-related DDoS attack paid up.

2. Competition – Research by Kaspersky Lab and B2B International showed that over 40% of businesses that suffered a DDoS attack believed their competitors were behind it. While this sounds conspiratorial, it is not far-fetched. One of the worst effects of a DDoS attack for the victim is loss of business: if customers consistently cannot access the service they are paying for, they will take their business elsewhere. Competitors willing to get their hands dirty by launching DDoS attacks might just find an increase in clients.

3. Disgruntled employees – As discussed in our article on malicious insiders, disgruntled employees looking to actively sabotage their former employers are disturbingly common. Given the low cost and minimal tooling needed to perform a DDoS attack, a more tech-savvy employee might decide to launch one to get revenge.

4. Hacktivism – Hackers who disagree with a certain ideology or opinion may launch DDoS attacks against sources voicing that opinion. These attacks can be politically, socially, or religiously motivated. Anonymous has perpetrated numerous hacktivist DDoS attacks. One of the most famous examples, from the early 2010s, was “Operation Tunisia”, in which Anonymous recruited Tunisian hackers to take down government websites during the Arab Spring. In 2020 Anonymous re-emerged, launching a DDoS attack that took down the Minneapolis police department’s website to protest police brutality following George Floyd’s death.

[Figure: sourced from Norton]

5. Cyberwarfare – All is fair in love and war, and cyberattacks are no exception. State-sponsored DDoS attacks can target an enemy’s media, healthcare, financial, and other vital infrastructure. These DDoS attacks have the potential to be the most disastrous, as they are nationally funded and meant to damage an enemy country as much as possible.

6. A smokescreen for a separate attack – DDoS attacks naturally distract a security team. A website or server going down will not go unnoticed, and the team will likely put most of its attention and resources into fixing that problem. While the team is preoccupied, another attack can take place. DDoS attacks also eat up not only staff time but security infrastructure: they can bring down firewalls, making it easier for other attacks to get into a network. A highly publicized case comes from mobile phone retailer Dixons Carphone, whose warehouse division was hit with a DDoS attack; while defenses were down, the personal information of 2.4 million customers was stolen.

Categories of attacks:

DDoS attacks can be broken down into three general categories: volumetric attacks, protocol attacks, and application attacks. Each affects different parts and network layers of a target. Many DDoS attacks combine multiple methods; for example, hackers often combine volumetric and protocol attacks by flooding a vulnerable protocol with high-volume requests.

1. Volumetric DDoS attacks

Volumetric attacks target a network’s bandwidth by overwhelming its capacity with high volumes of traffic (request packets). As bandwidth is consumed, no legitimate traffic can enter. In layman’s terms, a volumetric attack causes a traffic jam.

These are the “headline-making” attacks. Their volume (measured in bits per second) grows each year and continues to break size records. While that makes them a source of bragging rights for companies that successfully defend against them, when they succeed they can deal devastating financial blows. They are also by far the most common type of DDoS attack, due in part to the relative ease of generating high volumes of requests from multiple locations.

Reflective vs. non-reflective volumetric attacks

Reflective and amplified attacks are frequently used by hackers because they consume the most bandwidth. In a reflective attack, the hacker spoofs the target’s IP address and sends requests for information, using protocols such as the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP), to a service on the internet such as the Domain Name System (DNS), the Network Time Protocol (NTP), or the Simple Network Management Protocol (SNMP). Because the requests appear to come from the spoofed address, the servers send their answers back to the target over the same protocol. As the same protocol is used for both transmissions, it is called a reflection attack.

To create large volumes of traffic, amplification is used. A small trigger packet can elicit a much larger response from these services, so by sending many such requests the hacker generates far more volume and bandwidth than the requests themselves consume.

Non-reflective attacks simply rely on a large botnet to send traffic directly to the target. It is impossible to know exactly how many bots make up a botnet, but estimates for various attacks range from thousands to over a million. Botnets can be self-propagating, as infected bots can recruit and infect other devices connected to the surrounding network. If a botnet is large enough, it does not require amplification.

Examples of Volumetric DDoS attacks:

UDP Flood DDoS attack-

In this attack, ports on a targeted host are overwhelmed with IP packets carrying UDP (User Datagram Protocol) datagrams. A hacker uses spoofed IP addresses or a botnet to transmit the UDP packets to the target. Receiving a UDP packet typically triggers a two-step response: first the host checks whether any program is listening for requests on that port; then, if none is, it replies with an ICMP (Internet Control Message Protocol) destination-unreachable packet to tell the sender the port could not be reached. When enough UDP packets are received and answered, the target’s ports eventually become overwhelmed. The more UDP packets sent (via a larger botnet or amplification), the quicker the target’s resources are exhausted.
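The reflection and UDP-flood patterns described above, seen from the defender's side, as an added example that is not from the original article: a simple heuristic over constructed flow records (the addresses, thresholds and record layout are assumptions) flags inbound replies from DNS/NTP/SNMP service ports that the victim never queried, and single sources spraying many destination ports.

```python
from collections import defaultdict

# Constructed unidirectional flow records (not real traffic), in the shape a
# flow collector might export: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
VICTIM = "10.0.0.5"
REFLECTOR_PORTS = {53, 123, 161}  # DNS, NTP, SNMP: the services the article names

FLOWS = [
    # Legitimate DNS: the victim sends a query out and gets one answer back.
    (VICTIM, 51000, "203.0.113.53", 53, 1, 70),
    ("203.0.113.53", 53, VICTIM, 51000, 1, 120),
    # Reflected NTP/DNS answers: replies arrive from service ports, but the
    # victim never sent a request to these hosts (the attacker spoofed them).
    ("198.51.100.1", 123, VICTIM, 80, 40, 18400),
    ("198.51.100.2", 123, VICTIM, 80, 35, 16100),
    ("198.51.100.3", 53, VICTIM, 80, 50, 150000),
]
# Direct UDP flood: one bot spraying 30 different (mostly closed) destination ports.
FLOWS += [("192.0.2.1", 4000 + i, VICTIM, 1000 + i, 10, 2800) for i in range(30)]


def detect_udp_abuse(flows, victim, spray_ports=20):
    """Return (reflection, spray).
    reflection: peer_ip -> {service_port, bytes} for replies from a reflector
                service port that answer no request the victim sent.
    spray:      src_ip -> number of distinct victim ports hit, for sources
                touching at least `spray_ports` ports (closed-port UDP flood)."""
    sent_to = defaultdict(int)    # (peer_ip, peer_port) -> bytes the victim sent
    recv_from = defaultdict(int)  # (peer_ip, peer_port) -> bytes the victim received
    ports_hit = defaultdict(set)  # src_ip -> victim ports it targeted
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if src == victim:
            sent_to[(dst, dport)] += nbytes
        elif dst == victim:
            recv_from[(src, sport)] += nbytes
            ports_hit[src].add(dport)

    reflection = {}
    for (peer, port), nbytes in recv_from.items():
        # A reply from DNS/NTP/SNMP that answers no request of ours is the
        # signature of reflected traffic. The spoofed request size is unknown
        # to the victim, so only the received volume is reported.
        if port in REFLECTOR_PORTS and sent_to.get((peer, port), 0) == 0:
            reflection[peer] = {"service_port": port, "bytes": nbytes}

    spray = {src: len(ports) for src, ports in ports_hit.items()
             if len(ports) >= spray_ports}
    return reflection, spray
```

On real data the flow records would come from a collector at the network edge; the legitimate DNS exchange is left unflagged because the victim's own query is visible.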

ICMP Flood (Ping) attack-

To perform this attack a hacker overwhelms the target with ICMP echo requests (also known as pings). Outside a malicious context, ICMP echo requests and the echo replies they elicit are used to diagnose the health and connectivity of a device and to test the connection between the sender and that device.

A specific computer or router can be targeted. Both UDP and ICMP floods use the same basic principle: overwhelm one aspect of the target’s network with as much volume as possible. A system can only receive and reply to so many ICMP echo requests before it is overwhelmed.

2. Protocol DDoS attacks

Protocol attacks (also known as state-exhaustion attacks) rely on weaknesses in internet communication protocols. They eat up the processing capacity of network infrastructure, targeting resources such as servers, firewalls, and load balancers by sending malicious connection requests at Layer 3 (network layer) and Layer 4 (transport layer). These attacks are dangerous because of the difficulty and logistics of changing large-scale protocols: even when a vulnerability in a protocol is known, changing it takes a lot of time and resources.

Examples of Protocol DDoS attacks:

SYN Flood attack-

[Figure: sourced from Purplesec]

Flood attacks are volumetric in nature. A SYN flood exploits Layer 3 and 4 protocols and is therefore an example of both a volumetric and a protocol attack. It abuses the three-way handshake of a TCP (Transmission Control Protocol) connection. Normally a client initiates a connection by sending a SYN (synchronize) packet to the server, the server responds with a SYN/ACK (synchronize-acknowledge) packet, and the client returns an ACK (acknowledge) packet; once this completes, the TCP connection can send and receive data. The exploit consists of a hacker continually sending SYN packets to the server but never sending the ACK that completes the handshake, leaving the server holding half-open connections. For the DDoS attack to succeed, the SYN flood must exceed the available connection backlog in the target’s operating system.
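A defender-side check for the half-open connections a SYN flood leaves behind, as an added example that is not the article's or Purplesec's code: it parses socket-state lines in the layout of Linux `ss -tan` output (the sample is constructed; on a LISTEN socket ss reports the accept backlog in the Send-Q column) and compares the SYN-RECV entries per port against that backlog, the quantity the paragraph says a flood has to exceed. The warning ratio and addresses are assumptions.

```python
# Constructed sample in the column layout of Linux `ss -tan` (not captured
# from a real host). On a LISTEN socket ss reports the accept backlog limit
# in the Send-Q column; that number is used here as the budget of half-open
# slots, an approximation of the kernel's SYN queue limit.
HEADER = "State    Recv-Q Send-Q Local Address:Port Peer Address:Port"
SAMPLE_SS = "\n".join(
    [HEADER,
     "LISTEN   0      128    0.0.0.0:443        0.0.0.0:*",
     "LISTEN   0      128    0.0.0.0:22         0.0.0.0:*",
     "ESTAB    0      0      10.0.0.5:443       203.0.113.4:33102",
     "ESTAB    0      0      10.0.0.5:22        203.0.113.9:41000"]
    # 70 half-open connections to port 443 from 70 distinct peers: each sent
    # a SYN and was answered with SYN/ACK but never returned the final ACK.
    + ["SYN-RECV 0      0      10.0.0.5:443       198.51.100.%d:%d" % (i, 40000 + i)
       for i in range(1, 71)]
)


def parse_ss(text):
    """Yield (state, local_port, peer_ip, send_q) for each socket line."""
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, send_q, local, peer = parts[0], int(parts[2]), parts[3], parts[4]
        port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, port, peer_ip, send_q


def syn_pressure(text, warn_ratio=0.5):
    """Per listening port, count half-open (SYN-RECV) and established sockets
    and alert when half-open sockets reach warn_ratio of the backlog."""
    stats = {}
    for state, port, peer_ip, send_q in parse_ss(text):
        s = stats.setdefault(port, {"backlog": None, "half_open": 0,
                                    "peers": set(), "established": 0})
        if state == "LISTEN":
            s["backlog"] = send_q
        elif state == "SYN-RECV":
            s["half_open"] += 1
            s["peers"].add(peer_ip)  # many distinct peers: a distributed source
        elif state == "ESTAB":
            s["established"] += 1
    report = {}
    for port, s in stats.items():
        ratio = s["half_open"] / s["backlog"] if s["backlog"] else 0.0
        report[port] = {"backlog": s["backlog"], "half_open": s["half_open"],
                        "distinct_peers": len(s["peers"]),
                        "established": s["established"],
                        "alert": ratio >= warn_ratio}
    return report
```

A high half-open count spread over many distinct peers, with established connections flat, is the picture a SYN flood paints; the usual kernel-side answer is SYN cookies, which let the server answer SYNs without holding backlog state.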

3. Application DDoS Attacks

Application attacks target the application itself, most frequently web servers. They exploit weaknesses in the application layer (Layer 7) by opening connections and initiating process and transaction requests (usually HTTPS). In this way application DDoS attacks consume disk space and available memory.

These attacks are efficient: they need less total bandwidth to achieve disruption similar to the other two methods described earlier. They are also particularly hard to distinguish from genuine traffic, and therefore harder to detect. Application attacks are measured in requests per second.

Example of an Application DDoS attack:

Slowloris attack-

[Figure: sourced from Cloudflare]

A Slowloris attack is a “low and slow” attack, meaning it relies on a low-volume stream of slow traffic designed to eat up a target’s resources. These attacks are hard to differentiate from normal traffic and require little bandwidth. Instead of a botnet, a low and slow attack can be launched with a tool known as Slowloris.

The Slowloris attack works by keeping a web server’s connections open as long as possible. It uses HTTP GET requests to occupy all available HTTP connections on the web server. These servers wait for a complete HTTP header to be received before releasing the open connection. Normally a server times out if a request takes too long; with Slowloris, partial request headers are sent periodically to keep each request open. The attack succeeds once all available server threads are occupied.
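A server-side mitigation for the partial-header behaviour just described, as an added example that is not the article's or Cloudflare's code: read_request_headers enforces a deadline on the whole header block rather than an idle timeout per read, which is exactly what a drip-fed header defeats, and simulate drives it over a local socketpair with a client that sends header lines at a chosen interval (the timeouts, size limit and sample requests are assumptions).

```python
import socket
import threading
import time

class SlowHeaderError(Exception):
    """The client did not finish its request headers before the deadline."""

def read_request_headers(conn, total_timeout=2.0, max_bytes=8192):
    """Read until the blank line that ends the HTTP header block.
    The deadline covers the whole header, not each recv(): a client sending
    one header line every few seconds never trips a per-read idle timeout,
    but it does exhaust this overall budget."""
    deadline = time.monotonic() + total_timeout
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise SlowHeaderError("header not completed within %.1fs" % total_timeout)
        conn.settimeout(remaining)  # never block past the overall deadline
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise SlowHeaderError("header not completed within %.1fs" % total_timeout)
        if not chunk:
            raise ConnectionError("client closed before finishing headers")
        buf += chunk
        if len(buf) > max_bytes:
            raise SlowHeaderError("header block larger than %d bytes" % max_bytes)
    return buf.split(b"\r\n\r\n", 1)[0].decode("latin-1")

def simulate(client_chunks, delay, total_timeout=0.5):
    """Run read_request_headers against a local client that sends the given
    chunks `delay` seconds apart. Returns ("ok", headers) or ("dropped", reason)."""
    server, client = socket.socketpair()

    def drip():
        try:
            for chunk in client_chunks:
                client.sendall(chunk)
                time.sleep(delay)
        except OSError:
            pass  # server side already gave up and closed the pair

    t = threading.Thread(target=drip, daemon=True)
    t.start()
    try:
        return ("ok", read_request_headers(server, total_timeout))
    except SlowHeaderError as exc:
        return ("dropped", str(exc))
    finally:
        server.close()
        client.close()
        t.join(timeout=1)
```

Production servers expose the same control as a request-header timeout setting; the point of the example is that the budget must be per request, not per packet, and that a dropped connection frees the worker thread the attack is trying to pin down.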

Be Prepared

DDoS attacks come in many forms, and defending against each requires different security measures. Knowing what to look for, how trends are evolving, and how to protect yourself is growing ever more complex and important. Be sure to look for our other articles on DDoS attacks, which break down current trends in, system vulnerabilities to, and defenses against DDoS attacks.

Sources:

https://www.missioncriticalmagazine.com/articles/93811-a-record-number-of-ddos-attacks-were-reported-this-year

https://www.a10networks.com/blog/aws-hit-by-largest-reported-ddos-attack-of-2-3-tbps/

https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/

https://www.f5.com/labs/articles/education/what-is-a-distributed-denial-of-service-attack-

https://findstack.com/internet-of-things-statistics/

https://www.infosecurity-magazine.com/news/attackers-turning-ddos-ransom/

https://www.computerweekly.com/news/450414239/Businesses-blame-rivals-for-DDoS-attacks

https://www.trendmicro.com/vinfo/es/security/news/cyber-attacks/hacktivism-101-a-brief-history-of-notable-incidents

https://www.bbc.com/news/technology-52879000

https://us.norton.com/internetsecurity-emerging-threats-hacktivism.html

https://www.wsj.com/articles/ddos-attacks-can-be-a-smokescreen-for-other-crimes-1518781776

https://www.f5.com/labs/articles/threat-intelligence/ddos-attack-trends-for-2020

https://www.cloudflare.com/learning/ddos/what-is-a-ddos-botnet/

https://purplesec.us/prevent-syn-flood-attack/

https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/

https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.html

https://www.itproportal.com/news/a-record-number-of-ddos-attacks-took-place-in-2020/

https://usa.kaspersky.com/about/press-releases/2021_kaspersky-finds-ddos-attacks-in-q3-grow-by-24-become-more-sophisticated

https://www.netscout.com/blog/asert/our-new-ddos-normal-isnt-all-normal

https://www.darkreading.com/attacks-breaches/ddos-attacks-up-31-in-q1-2021-report

https://www.kaspersky.com/about/press-releases/2022_ddos-attacks-hit-a-record-high-in-q4-2021
