What is a DDoS Attack?

Last Updated: May 31, 2021

There are more chances than not that you’ve heard of a website being brought down by hackers or that a popular website has crashed. The majority of such downtime on popular and high-traffic websites are caused by Distributed Denial of Service (DDoS) attacks.

There are limits to the bandwidth of traffic that a network device can handle. The said limit is dependent on factors like the processing power of the device, the data boundary of the connection node (switch or router), and the maximum connection speed and bandwidth permitted by the Internet Service Provider (ISP).

How does all this culminate in causing down time on a website? How do these attacks occur? This article will be an exposé on DDoS attacks and how to avoid or prevent them.

A Breakdown of a Typical DDoS Attack

Hackers initiate DDoS attacks by first recruiting an army of vulnerable computers, popularly referred to as a Botnet. Botnets are a series of interconnected computers and devices that have been compromised by malware. Botnets are then used by hackers to simultaneously send resource requests that use up the victim’s connection bandwidth, thus preventing legitimate remote users of services on the device from gaining access to them.

The data packets used in executing DDoS attacks are the same or similar to those used for everyday communication over the internet, except that they are coordinated in an overwhelmingly large chunk per time. Online servers that handle video streaming traffic can permit an upper limit of 20 Gigabyte per second bandwidths. In comparison, DDoS attacks could load a single server or network device with up to 1 Terabyte per second of data. Such a volume of traffic will successfully render a service as large as Google unresponsive.

Who are the Potential Targets of DDoS Attacks?

DDoS attacks are super comfortable due to the vulnerability of several devices with an internet connection and the availability of botnets on the dark web for the use of rookie hackers. Many internet users, and surprisingly some organizations, deploy internet-enabled technologies without changing the default manufacturer login details that came with said device. Hackers scour the internet searching for such devices, gain access to them, and install malware that enables them to control such devices remotely, without the actual owners knowing about their device being a member of a botnet.

The botnets that consist of the network of vulnerable devices are not the primary victims here but are used to carry out a coordinated attack against a single website or online service – these have been the prime victims of DDoS attacks.

DDoS attacks against websites and online service platforms may be in the form of false packets, incoming messages, or requests to initiate a connection. They are mostly executed as a vengeful attack either to tarnish the reputation of competitors and subsequently cause a drop in market share, an attack against political opponents, or at times as a demoralization ploy against human rights movements and entities.

Amazon Web Services (AWS) experienced one of the recent DDoS attacks in February 2020. An unnamed major customer of AWS was the attack’s target, affecting their online services for three days. A traffic bandwidth peaking at 2.3 Terabytes per second made AWS vast bandwidth allowance seem like child’s play.

The most popular botnet so far – Mirai, was the center of a chain of DDoS attacks in 2016. In September 2016, the internet played host to Mirai botnet in the most massive DDoS attack of the time, with traffic peaking at a bandwidth of 620 Gbps hitting the blog of a cybersecurity analyst. After a fragment of the Mirai code was made public at a DEFCON gathering later that month, a much larger scale of attack hit a significant provider of Domain Name Service – Dyn.

Dyn was the DNS provider for websites like Netflix, GitHub, PayPal, Reddit, Airbnb, and HBO at the time of the Mirai attack. The 1.5 Gigabit per second DDoS attack on Dyn’s network of websites rendered their services unresponsive while the attack lasted. There were several other Mirai attacks later in 2016, some including hijacked IoT devices like CCTV cameras, coffee making machines, and even baby cam monitors.

Types of DDoS Attacks

There are different types of DDoS attacks. Let’s review some of them below:

Zero-Day DDoS: Zero-Day DDoS is the term used by hackers on their clandestine websites hosted on the dark web. The term refers to a series of source codes and armies of recruited botnets that are up for sale; however, that poses vulnerability levels for which security patches are yet to be released.

Ping of Death: This involves attackers sending multiples of doctored ping packets to a network node. The devices that handle local devices (switches and router) have limits of packet length allowed through them per second. Forthwith, long packets are often fragmented, to be reassembled by the recipient host. The average data length of an IP packet is about 1700 bytes; however, hackers are looking to perpetrate a Ping of Death forward pings with data sizes of up to 71,423 bytes when reassembled at the receiving end. This type of DDoS attack effectively exhausts the server’s memory and makes it impossible to respond to legitimate queries while the spell lasts.

UDP Flood Attack; This is a type of DDoS attack that involves flooding the victim with consistent streams of User Datagram Protocol (UDP) class of data. In this type of attack, a remote host has random ports getting flooded repeatedly with connection requests. Similar to UDP flooding is the ICMP (ping) flood, which sends fast and random ping packets without waiting for feedback for connection. The packet flood exhausts the resources and bandwidth of the host and, at times, makes it impossible to establish a handshake when legitimate connection queries are made.

SYN Flood Attack: This type of attack exploits a vulnerability in TCP connections – The three-way handshake. Three-way handshakes involve a remote computer sending a connection request to a server; the server responds by acknowledging the request. The remote computer also has to reply to the acknowledgment by sending a connection-initiating packet. What hackers do to execute a DDoS attack through this channel is to send several SYN connection requests to a single host using a botnet. Servers respond to each node with an ACK message, but the hackers prevent the botnets from responding. A lack of response to the ACK message leaves the attacked server hanging, and more handshake requests are sent until all the victims’ resources are exhausted.

HTTP Flood Attacks: These involve exploiting legitimate requests intended for the GET and POST activities of packets going to and from a website or server. The attack usually deceives the remote server into allocating maximum resources to the phony requests.

Preventive Measures Against DDoS Attacks

As was highlighted earlier, DDoS attacks are executed in two stages, recruiting the nodes that make up the botnet and flooding the victim’s network with outrageous traffic. Everyday users of home internet networks can guard against participating in a botnet attack by eliminating every source of vulnerability on personal devices by following the steps below:

1. Change passwords on new devices:

Network hardware like routers, switches, Wi-Fi hubs, and IoT devices come with default passwords. Changing default passwords are reasonable, as that step takes your device and all others connected to its network a step away from compromise. A glance at the users’ instruction manual or manufacturer’s website should reveal easy steps to change the device password.

2. Use updated and reliable security resources:

Updating the firmware of front-end devices, firewalls, and the operating system will be the first screen of protection against malware’s infiltration onto network devices.

For organizations that find their network infrastructure is under a DDoS attack, the following course of action should ensure the downtime and resultant loss is minimal.

3. Utilize gateway technology that identifies sudden spikes in traffic

A DDoS attack can be easily contained if noticed early enough; this will allow enough time to contact the company’s ISP, who would then implement their best DDoS dispelling technique. An ISP could stop or minimize the impact of a DDoS attack by dispersing the traffic to servers with available bandwidths or routing the traffic to a Sink Hole or Black Hole. Black Holes are, however, more effective as all the traffic, both legitimate and illegitimate, going to an attacked IP address are sent to a ‘null interface’ hole. Sinkholes, on the contrary, try to filter the data packets.

4. Backend re-configuration of network resources

It is possible to limit the bandwidth volume permitted by hardware like switches and routers, which equally applies to firewalls. With the traffic limitation, the enormous bandwidth of traffic peculiar to DDoS attacks is screened off, while packets with regular features are allowed into the local network.

5. Keep IoT devices secured

Vulnerability in a coffee making machine was said to have been exploited to hack the network infrastructure of a casino. The counsel given earlier about IoT devices is worthy of emphasis – change default passwords as soon as your IoT devices go out of the box, and endeavor to update the device firmware regularly.

Conclusion

DDoS attacks may seem daunting and quite complicated, but not anymore. With your new-found or updated knowledge about DDoS attacks via this article, knowing the capability of an ISP in protecting your website against one should be included in the list of boxes to check when deciding the ISP to subscribe to.