This is the first installment in a two-part series about DDoS attacks and mitigation on cloud.

In the digital age, the security of applications and networks is of paramount importance. Networks are under increasing threat from a growing number of cybercriminals, both individual actors and organized groups, around the world. The demand for qualified security professionals is escalating by the day as organizations become more aware of the consequences of these threats.

Attacks can take various forms and target many different parts of your environment, such as the network, transport and application layers. Application-layer vulnerabilities can arise due to insecure coding or use of faulty components. Actors can exploit these vulnerabilities to deface applications, steal, modify or delete customer data, or bring down applications and systems altogether.

One way to disrupt services is to flood networks and applications with overwhelming volumes of traffic. We’ll focus on two of the most common methods cybercriminals use to inflict this type of damage: denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

DoS Attacks: Malicious Traffic Originating From a Single Source

Attacks that bring down systems and cause downtime are called DoS attacks. DoS attacks can occur over various layers of the Open Systems Interconnection (OSI) model. Campaigns that aim to flood the network or consume resources to deny genuine traffic are best handled at the network or infrastructure level using firewall rules and an intrusion detection system (IDS).

Application-level (Layer 7) DoS attacks are hard to detect because they appear as normal traffic: they use complete Transmission Control Protocol (TCP) connections and follow the protocol rules. Because the requests look legitimate, they pass straight through the firewall to the application behind it. The most common forms of Layer 7 DoS attacks involve HTTP traffic, such as floods aimed at the web server and the application it hosts. Other forms might target services such as the Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) and Secure Shell (SSH).

DoS attacks usually originate from one source. System administrators put in place myriad methods and filters to detect such incidents. When a DoS is detected, an IDS can stop the attack by blocking traffic from the questionable source.

DDoS Attacks: An Onslaught of Traffic From Multiple, Disparate Sources

Cybercriminals have discovered that they can circumvent DoS defenses by employing a technique known as distributed denial-of-service. In this type of attack, malicious traffic originates from multiple sources scattered across the globe and converges upon one system or network. As a result, IDS solutions and firewalls have difficulty detecting and blocking DDoS incidents.
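The difference between a single-source flood (which per-source blocking can stop) and a distributed one (which stays under every per-source limit while still overloading the application) can be seen in a request log. The following added example, which is not part of the original article, buckets constructed web-access log lines into 10-second windows and applies both a per-source limit and an aggregate-capacity check; the addresses, thresholds and log format are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 20      # requests per window one client may send before it is flagged
AGGREGATE_CAPACITY = 100   # requests per window the application can actually serve
WINDOW = 10                # window length in seconds

def parse_line(line):
    """Parse one constructed log line: '<client_ip> <epoch_seconds> <method> <path>'."""
    ip, ts, _method, _path = line.split()
    return ip, int(ts)

def analyze(lines, window=WINDOW):
    """Return one (window_start, total, noisy_sources, verdict) tuple per time window."""
    windows = defaultdict(Counter)
    for line in lines:
        ip, ts = parse_line(line)
        windows[(ts // window) * window][ip] += 1
    findings = []
    for start, counts in sorted(windows.items()):
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n > PER_SOURCE_LIMIT)
        if noisy:
            verdict = "dos"      # one source dominates: blocking it stops the flood
        elif total > AGGREGATE_CAPACITY:
            verdict = "ddos"     # overloaded, yet no single source crosses the limit
        else:
            verdict = "normal"
        findings.append((start, total, noisy, verdict))
    return findings

def make_log():
    """Constructed sample log: a normal window, a single-source flood, a distributed flood."""
    lines = []
    for base in (0, 10, 20):                       # background: 5 clients x 4 requests
        for i in range(5):
            for k in range(4):
                lines.append(f"192.0.2.{i + 1} {base + k} GET /index.html")
    for k in range(60):                            # window 10-19: one client, 60 requests
        lines.append(f"203.0.113.5 {10 + k % 10} GET /search")
    for i in range(40):                            # window 20-29: 40 bots x 3 requests each
        for k in range(3):
            lines.append(f"198.51.100.{i + 1} {20 + k} GET /search")
    return lines

if __name__ == "__main__":
    for start, total, noisy, verdict in analyze(make_log()):
        print(f"t={start:>2}s total={total:>3} noisy={noisy} verdict={verdict}")
```

The third window is the instructive one: 140 requests arrive with no client above four, so a per-source filter alone never fires and the overload has to be recognised from the aggregate.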

Attackers can use their own systems or exploit other vulnerable devices to route the attack. Increasingly, DDoS-wielding cybercriminals use botnets made up of devices they commandeer from unsuspecting victims using social engineering tactics, such as phishing, or by exploiting vulnerabilities within those systems. The DDoS threat vector has grown in size and sophistication over the past few years.

DDoS Variants

Cybercriminals use DDoS attacks to flood networks, systems or applications with more traffic than the target can handle, causing it to crash or go out of service. Let’s take a closer look at some DDoS variants and determine how organizations can assess the risk and mitigate the threat.

Volume-Based Attacks

A volume-based DDoS attack aims to exhaust network bandwidth, which is limited for companies of all sizes, by leveraging botnets. Due to the increasing proliferation of connected devices, botnets with more than 1 million nodes are very common and accessible. Such a botnet can easily choke the network of a midsized company, thereby blocking all legitimate traffic.

Protocol Attacks

This type of DDoS attack is designed to exploit weaknesses in the Layer 3 and 4 protocols. Unlike volume-based attacks, which aim to saturate the target’s internet connection, protocol attacks cause disruption with relatively small amounts of network traffic.

Take TCP, a well-known Layer 4 protocol. For a connection to be established, the two systems must complete a three-way handshake. Attackers can exploit this process by sending SYN packets and never sending the final ACK, leaving the connections half-open. This is known as a SYN flood attack, which exhausts the pool of connections available to legitimate traffic.
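On the server side a SYN flood shows up as a connection table full of half-open entries. The following added example, which is not part of the original article, parses constructed rows in the column layout of `ss -tan` (header row omitted) and flags a flood when half-open connections approach the listener's backlog or far outnumber established ones; the backlog size, thresholds and peer addresses are assumptions made for the illustration.

```python
from collections import Counter

BACKLOG = 256          # size of the listener's accept backlog (assumed for the example)
RATIO_LIMIT = 3.0      # half-open connections per established one before we worry
MIN_HALF_OPEN = 50     # ignore a handful of SYN-RECV entries on an otherwise idle host

def make_table(half_open, established):
    """Constructed rows in the layout of `ss -tan`: State Recv-Q Send-Q Local Peer."""
    rows = ["LISTEN 0 128 0.0.0.0:443 0.0.0.0:*"]
    for i in range(established):
        rows.append(f"ESTAB 0 0 192.0.2.10:443 198.51.100.{i % 250 + 1}:{40000 + i}")
    for i in range(half_open):
        # Each half-open entry has a different peer, as it would with spoofed SYNs
        rows.append(f"SYN-RECV 0 0 192.0.2.10:443 203.0.113.{i % 250 + 1}:{50000 + i}")
    return rows

def parse_row(row):
    """Return (state, peer_ip) from one row; the port is stripped from the peer."""
    fields = row.split()
    return fields[0], fields[4].rsplit(":", 1)[0]

def assess(rows, backlog=BACKLOG):
    """Summarise the table and decide whether it looks like a SYN flood."""
    states, syn_sources = Counter(), set()
    for row in rows:
        state, ip = parse_row(row)
        states[state] += 1
        if state == "SYN-RECV":
            syn_sources.add(ip)
    half_open, established = states["SYN-RECV"], states["ESTAB"]
    ratio = half_open / max(established, 1)
    flood = half_open >= 0.8 * backlog or (
        half_open >= MIN_HALF_OPEN and ratio > RATIO_LIMIT)
    return {
        "half_open": half_open,
        "established": established,
        "distinct_syn_sources": len(syn_sources),   # many => per-source blocking won't help
        "flood": flood,
    }

if __name__ == "__main__":
    print("quiet host :", assess(make_table(3, 40)))
    print("under flood:", assess(make_table(240, 40)))
```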

Application-Layer Attack

An application-layer DDoS attack is designed to disrupt service by exploiting vulnerabilities within applications. The malicious traffic is in protocol, meaning that every request is valid with regard to the protocol the application speaks. This makes it difficult for detection tools to tell malicious requests apart from legitimate ones.

Risk Assessment and Potential Consequences for CSPs

DDoS attacks pose significant risks to both cloud service providers (CSPs) and their clients. Cybercriminals might launch DDoS campaigns to bring down enterprise applications or simply for personal satisfaction. Malicious actors have even used this method to extort money from victims.

These attacks can last anywhere from a few hours to a few weeks. For CSPs, DDoS incidents can lead to negative publicity, and it might take years to repair the reputational damage. Long service outages can result in revenue loss for both the cloud provider and its clients. Finally, DDoS attacks against banking and financial institutions can expose sensitive customer data, including credit card information.

In the second installment of this series, we’ll look at examples of simulated DDoS attacks, and discuss mitigation strategies and techniques cloud security teams can employ to protect their networks from this threat.
