This is the first installment in a two-part series about DDoS attacks and mitigation on cloud.

In the digital age, the security of applications and networks is of paramount importance. Networks are under increasing threat from a growing number of cybercriminals — both individual actors and organized groups — around the world. The demand for qualified security professionals is escalating by the day as organizations become more aware of the consequences of these threats.

Attacks can take various forms and target many different parts of your environment, such as the network, transport and application layers. Application-layer vulnerabilities can arise due to insecure coding or use of faulty components. Actors can exploit these vulnerabilities to deface applications, steal, modify or delete customer data, or bring down applications and systems altogether.

One way to disrupt services is to flood networks and applications with overwhelming volumes of traffic. We’ll focus on two of the most common methods cybercriminals use to inflict this type of damage: denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

DoS Attacks: Malicious Traffic Originating From a Single Source

Attacks that bring down systems and cause downtime are called DoS attacks. DoS attacks can occur over various layers of the Open Systems Interconnection (OSI) model. Campaigns that aim to flood the network or consume resources to deny genuine traffic are best handled at the network or infrastructure level using firewall rules and an intrusion detection system (IDS).

Application-level (Layer 7) DoS attacks are hard to detect because they appear as normal traffic: they complete the Transmission Control Protocol (TCP) handshake and follow the protocol rules. Because the traffic is protocol-compliant, it passes through the firewall and reaches the application directly. The most common forms of Layer 7 DoS attacks involve HTTP traffic targeting the web server and application. Other forms might target services such as the Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP) and Secure Shell (SSH).

DoS attacks usually originate from one source. System administrators put in place myriad methods and filters to detect such incidents. When a DoS is detected, an IDS can stop the attack by blocking traffic from the questionable source.
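One of the simplest filters an administrator can apply to the Layer 7 case above is a per-source request-rate check over the web server's access log. The following is an added example, not code from the original article; it parses constructed log lines in the common "combined" format (the IPs, paths and window/threshold values are assumptions) and reports sources whose peak request rate within a sliding window exceeds the threshold, which is the kind of single-source signal an IDS can act on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Apache/nginx "combined" access-log format (client IP, timestamp,
# request line and status code are the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def flag_sources(lines, window_s=10, threshold=5):
    """Map each source IP to its peak request count in any window_s-second
    sliding window, keeping only sources whose peak exceeds threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # advance window start until it fits
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, sec, path="/login"):
    # Constructed sample log line (not real traffic); documentation-range IPs.
    return (f'{ip} - - [10/Mar/2023:12:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "curl/8.0"')


# Eight requests in eight seconds from one source, two spread-out requests from another.
SAMPLE_LOG = [_line("203.0.113.7", s) for s in range(8)] + \
             [_line("198.51.100.4", s, "/") for s in (0, 30)]
```

The same check is easily defeated by the distributed variant described next, because each bot stays under a per-IP threshold; aggregating the rate per target path rather than per source is the usual next step.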

DDoS Attacks: An Onslaught of Traffic From Multiple, Disparate Sources

Cybercriminals have discovered that they can circumvent DoS defenses by employing a technique known as distributed denial-of-service. In this type of attack, malicious traffic originates from multiple sources scattered across the globe and converges upon one system or network. As a result, IDS solutions and firewalls have difficulty detecting and blocking DDoS incidents.

Attackers can use their own systems or exploit other vulnerable devices to route the attack. Increasingly, DDoS-wielding cybercriminals use botnets made up of devices they commandeer from unsuspecting victims using social engineering tactics, such as phishing, or by exploiting vulnerabilities within those systems. The DDoS threat vector has grown in size and sophistication over the past few years.

DDoS Variants

Cybercriminals use DDoS attacks to flood networks, systems or applications with more traffic than the target can handle, causing it to crash or go out of service. Let’s take a closer look at some DDoS variants and determine how organizations can assess the risk and mitigate the threat.

Volume-Based Attacks

A volume-based DDoS attack aims to exhaust network bandwidth, which is limited for companies of all sizes, by leveraging botnets. Due to the increasing proliferation of connected devices, botnets with more than 1 million nodes are very common and accessible. Such a botnet can easily choke the network of a midsized company, thereby blocking all legitimate traffic.

Protocol Attacks

This type of DDoS attack is designed to exploit weaknesses in the Layer 3 and 4 protocols. Unlike volume-based attacks, which aim to saturate the target’s internet connection, protocol attacks cause disruption with relatively small amounts of network traffic.

Take TCP, a well-known Layer 4 protocol. For a connection to be established, the two systems must complete a three-way handshake. Attackers can exploit this process by sending SYN packets but never returning the final ACK, leaving half-open connections that sit in the server's connection table until they time out. This is known as a SYN flood attack, and it exhausts the number of connections available to legitimate traffic.
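A defender can spot the half-open connections a SYN flood leaves behind by reading the kernel's TCP socket table. The following is an added example, not code from the original article; it parses constructed lines in the Linux `/proc/net/tcp` format (hex little-endian IPv4 addresses and ports, state column in hex) and flags local ports whose SYN_RECV count exceeds an assumed threshold.

```python
from collections import Counter

# Linux /proc/net/tcp state codes (subset sufficient for this check).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "0A": "LISTEN"}


def hex_to_ip(h):
    """Decode a /proc/net/tcp IPv4 address (host byte order on little-endian hosts)."""
    return ".".join(str(b) for b in bytes.fromhex(h)[::-1])


def parse_proc_net_tcp(text):
    """Parse the socket table; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 4:
            continue
        _lip, lport = f[1].split(":")
        rip, _rport = f[2].split(":")
        rows.append({"local_port": int(lport, 16), "remote": hex_to_ip(rip),
                     "state": TCP_STATES.get(f[3], f[3])})
    return rows


def half_open_by_port(rows):
    """Count SYN_RECV (half-open) sockets per local port."""
    return Counter(r["local_port"] for r in rows if r["state"] == "SYN_RECV")


def suspected_syn_flood(rows, threshold=5):
    """Return {port: half_open_count} for ports over the threshold."""
    return {p: n for p, n in half_open_by_port(rows).items() if n > threshold}


def _row(local_port, remote_hex, state):
    # Constructed /proc/net/tcp line (not a real capture); local address is 127.0.0.1.
    return (f"   0: 0100007F:{local_port:04X} {remote_hex}:C4A1 {state} "
            "00000000:00000000 00:00000000 00000000     0        0 0 1 0 100 0 0 10 0")


# Port 80 listening, two established clients, six half-open sockets from 203.0.113.1-6.
SAMPLE_TABLE = "  sl  local_address rem_address   st tx_queue rx_queue ...\n" + "\n".join(
    [_row(80, "00000000", "0A"), _row(80, "0471000C", "01"), _row(80, "0571000C", "01")]
    + [_row(80, f"{i:02X}7100CB", "03") for i in range(1, 7)]
)
```

On a real host, pairing this with `net.ipv4.tcp_syncookies=1` lets the kernel keep accepting legitimate handshakes while the backlog is under pressure.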

Application-Layer Attack

An application-layer DDoS attack is designed to disrupt service by exploiting vulnerabilities within applications. The malicious traffic is "in protocol," meaning each request is well-formed and legitimate as far as the protocol is concerned. This makes it difficult for detection tools to separate malicious requests from genuine ones.

Risk Assessment and Potential Consequences for CSPs

DDoS attacks pose significant risks to both cloud service providers (CSPs) and their clients. Cybercriminals might launch DDoS campaigns to bring down enterprise applications or simply for personal satisfaction. Malicious actors have even used this method to extort money from victims.

These attacks can last anywhere from a few hours to a few weeks. For CSPs, DDoS incidents can lead to negative publicity, and it might take years to repair the reputational damage. Long service outages can result in revenue loss for both the cloud provider and its clients. Finally, DDoS attacks against banking and financial institutions can expose sensitive customer data, including credit card information.

In the second installment of this series, we’ll look at examples of simulated DDoS attacks, and discuss mitigation strategies and techniques cloud security teams can employ to protect their networks from this threat.
