After 20 years of prominence, distributed denial-of-service (DDoS) attacks may be causing more devastating effects than ever. The first DDoS attack occurred way back on July 22, 1999 when a network of 114 computers infected with a malicious script called Trin00 attacked a computer at the University of Minnesota, according to MIT Technology Review. The infected computers overwhelmed the university computer with bogus data packets, preventing it from handling legitimate requests.
The attack continued for two days and introduced a tactic that has been interrupting business services and websites ever since.
Denial-of-Service Attacks Block Legitimate Traffic
A denial-of-service (DoS) attack radiates from a single source and floods resources that serve genuine traffic. Preventing DoS at the network or infrastructure level typically depends on implementing firewall rules and an intrusion detection system (IDS). Once an attack is detected, the IDS blocks traffic from the suspicious source.
This approach is simple enough, and it’s often effective at shutting down cyberattackers. However, threat actors have upped their game with distributed denial-of-service attacks. The goal of these attacks is to shut down enterprise applications, extort money or claim bragging rights. With DDoS, the malicious traffic comes from multiple sources around the globe, all targeting one system or network. In these cases, firewalls and IDS solutions don’t know where to start to detect and block incidents.
What’s more, thanks to attackers’ creative use of both old tactics and new devices, the situation is getting worse. Hackers are continually developing variations on the DDoS theme, exploiting vulnerable people using tried-and-true tactics such as phishing, which still work despite training and warnings. They are also exploiting vulnerable devices — including the billions of devices connected to the internet of things (IoT) — to create botnets that route DDoS attacks. The Mirai botnet showed the way, and new variations are ever evolving.
The damages associated with DDoS attacks can be significant, with estimates ranging from an average of $50,000 in lost business revenue per attack all the way up to $2 million on average. Even worse for businesses may be the loss in consumer trust, the theft of intellectual property and the threat of malware infection. Cloud service providers face similar consequences, such as damage to reputation or long service outages that can lead to revenue loss and exposure of sensitive customer data.
DDoS Attacks Can Take Several Forms
The first step in mitigating the threat of DDoS attacks is to know which of the three major attack types you’re fighting.
Flooding is the goal here, as a DDoS attack aims to exhaust bandwidth using botnets. The mushrooming number of connected devices makes this easier, as it’s not unusual for botnets to include more than a million nodes. For example, the File Transfer Protocol (FTP) service can be flooded with huge volumes of Transmission Control Protocol traffic and be brought down.
Flooding can bring down a service, but so can exploiting bugs in the protocols for the network and transport layers. Even when a network receives only small amounts of traffic, protocol attacks can disrupt business.
Here the protocol is correct, so the traffic looks legitimate, which makes it hard for the IDS to detect. For instance, in an HTTP flood DDoS attack, an attacker may use a botnet to send a series of requests to infiltrate a web server or application. The attack is even better — from the attacker’s standpoint — if responding to each request maximizes the resources the server or application must allocate. For example, the request could ask for absurd pieces of difficult-to-access data.
Fight DDoS Attacks With a Combination of Security Tools and Techniques
Security operations centers (SOCs) today face a number of challenges as they look to fight threats, including DDoS threats. Malicious actors often go low and slow, creeping their way through systems and networks to unearth ever-more-valuable credentials. And given the barrage of events, alarms and systems analysts must address — and the lack of resources — even if you see data slipping away, you may not be able to stop it. This emphasizes the importance not only of detecting and identifying threats, but also eliminating and mitigating them.
Distributed denial-of-service attacks have historically been difficult to defend against. Perimeter defenses alone aren’t enough — though to mitigate DDoS attacks on the cloud, security teams should establish a secure perimeter and associated rules around allowing or dropping packets. Experts recommend focusing on prevention and mitigation tools and techniques, including advanced firewalls, content delivery networks (CDNs), source-rate limiting and traffic scrubbing.
- Next-generation firewalls add intrusion prevention and application awareness to traditional capabilities. These firewalls offer broader, more powerful protections against sophisticated attacks, including DDoS threats, by enforcing security policies at the application, network and session layers. SOCs can use these firewalls to gain the controls they need to customize security rules for network traffic.
- The proxy servers and associated data centers that define a CDN normally work to speed delivery of web content and rich media, but during a DDoS attack, a CDN automatically distributes traffic across tens of thousands of servers. This can keep a website up and running even in the face of volume-based and protocol DDoS attacks.
- Source-rate limiting blocks excess traffic based on the source Internet Protocol (IP) where an attack originates. This can be especially effective at limiting traffic in a volume-based attack at the application layer. You can limit the number of allowed requests depending on where in a web application they occur and tailor your response according to the violation — for example, by blocking a user for five minutes or sending them to a CAPTCHA page. Source rate limiting can effectively protect a website or application, but only if the IP address is not spoofed.
- Finally, a third party can provide DDoS traffic scrubbing services. In this case, a vendor analyzes incoming traffic on a target network to detect and eliminate threats as quickly as possible. In a DDoS attack, all traffic reroutes to globally distributed traffic scrubbing centers. There, malicious traffic is scrubbed, and clean traffic is redirected to the target network.
Develop a DDoS Incident Response Plan
As SOCs increase their use of artificial intelligence (AI), machine learning is also playing a role in detecting and halting DDoS attacks. But if threat actors figure out the algorithms used, they can strip away defenses. Because no security tool or technique is completely ironclad on its own, organizations should develop an incident response plan to ensure backup services kick in and damages remain minimal if their business is targeted.