What is a DDoS attack?
A distributed denial-of-service attack (DDoS attack) sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all.
While a DDoS attack is one of the least sophisticated categories of cyberattack, it also has the potential to be one of the most disruptive and most powerful by taking websites and digital services offline for significant periods of time that can range from seconds to even weeks at a time.
How does a DDoS attack work?
DDoS attacks are carried out using a network of internet-connected machines (PCs, laptops, servers, Internet of Things devices), all controlled by the attacker. These could be anywhere, and it’s unlikely the owners of the devices realize what they are being used for, as the devices have usually been hijacked without their knowledge.
Common ways in which cyber criminals take control of machines include malware attacks and gaining access by using the default username and password the product is issued with, if the device has a password at all.
Once the attackers have breached the device, it becomes part of a botnet, a group of machines under their control. Botnets can be used for all manner of malicious activities, including distributing phishing emails, malware, or ransomware, or in the case of a DDoS attack, as the source of a flood of internet traffic.
The size of a botnet can range from a small number of zombie devices to millions of them. Either way the botnet’s controllers can turn the web traffic generated towards a target and conduct a DDoS attack.
Servers, networks, and online services are designed to cope with a certain amount of internet traffic but, if they’re flooded with additional traffic in a DDoS attack, they become overwhelmed. The high volume of traffic sent by the DDoS attack clogs up or exhausts the systems’ capacity, while also preventing legitimate users from accessing services (which is the ‘denial of service’ element).
A DDoS attack is launched with the intention of taking services offline in this way, although it’s also possible for online services to be overwhelmed by regular traffic from non-malicious users, for example when hundreds of thousands of people try to access a website to buy concert tickets as soon as they go on sale. However, this is usually short, temporary, and accidental, while DDoS attacks can be sustained for extended periods of time.
What is an IP stresser and how does it relate to DDoS attacks?
An IP stresser is a service that can be used by organisations to test the robustness of their networks and servers. The goal of this test is to find out if the existing bandwidth and network capacity are enough to handle additional traffic. An IT department using a stresser to test their own network is a perfectly legitimate application of an IP stresser.
However, using an IP stresser against a network that you don’t operate is illegal in many parts of the world, because the end result could be a DDoS attack. Nevertheless, there are cyber-criminal groups and individuals that will actively use an IP stresser as part of a DDoS attack.
How do I know if I’m under DDoS attack?
Any business or organisation that has a web-facing element needs to think about the regular web traffic it receives and provision for it accordingly; large amounts of legitimate traffic can overwhelm servers, leading to slow or no service, something that could potentially drive customers and consumers away. Organisations also need to be able to differentiate between legitimate web traffic and DDoS attack traffic.
Capacity planning is, therefore, a key element of running a website, with thought put into determining what’s an expected, regular amount of traffic and what unusually high or unanticipated volumes of legitimate traffic could look like, so as to avoid causing disruption to users either by taking out the site due to high demands, or mistakenly blocking access due to a DDoS false alarm.
So how can organisations differentiate between a legitimate increase in demand and a DDoS attack?
In general, an outage caused by legitimate traffic will only last for a very short period of time, and often there will be an obvious reason for the outage, such as an online retailer experiencing high demand for a new item, or a new video game’s online servers getting very high traffic from gamers eager to play.
In the case of a DDoS attack, there are some tell-tale signs that it’s a malicious and targeted campaign. Often DDoS attacks are designed to cause disruption over a sustained period of time, which could mean sudden spikes in malicious traffic at intervals causing regular outages.
The other key sign that your organisation has likely been hit with a DDoS attack is that services suddenly slow down or go offline for days at a time, which would indicate the services are being targeted by attackers who just want to cause as much disruption as possible. Some of these attackers might be doing it just to cause chaos; some may be paid to attack a particular site or service. Others might be trying to run some kind of extortion racket, promising to drop the attack in exchange for a pay-off.
Using our Ethical Hacking Services allows us to penetrate your computer system or network for the purpose of gaining access, finding security vulnerabilities, verifying user activity levels and documenting those activities. As a result, this allows bva to close security holes, make systems more reliable, and secure commercial and personal data, so you can stay protected against not just DDoS attacks but all other cyber threats as well.
What do I do if I’m under DDoS attack?
Once it’s become clear that you’re being targeted by DDoS attack, you should piece together a timeline of when the problems started and how long they’ve been going on for, as well as identifying which assets like applications, services and servers are impacted, how that’s negatively impacting users, customers and the business as a whole.
It’s also important that organisations notify their web-hosting provider. It’s likely that the provider will also have seen the DDoS attack, but contacting them directly may help curtail the impact of a DDoS campaign, especially if it’s possible for the provider to switch your IP address. Switching to a new IP address means the DDoS attack won’t have the impact it did, because the attack will be pointing in the wrong direction.
If your security provider offers a DDoS mitigation service, it should help reduce the impact of the attack, but especially large attacks can still cause disruption despite the presence of preventative measures. The unfortunate thing about DDoS attacks is that while they’re very simple to conduct, they’re also very effective, so even with measures in place it’s still possible that services could be taken offline for some time.
It’s also important to notify users of the service about what is happening, because otherwise they could be left confused and frustrated by a lack of information. Businesses should consider putting up a temporary site explaining that there are problems and provide users with information they should follow if they need the service. Social-media platforms can also be used to promote this message.
How do I protect against DDoS attacks?
What makes DDoS attacks effective is the ability to direct a large amount of traffic at a particular target. If all of an organisation’s online resources are in one location, the attackers only need to go after one particular target to cause disruption with large amounts of traffic. If possible, it’s useful to spread systems out, so it’s more difficult, although not impossible, for attackers to direct resources towards everything at once.
Monitoring web traffic and having an accurate idea of what regular traffic looks like, and what abnormal traffic looks like, can also play a vital role in helping to protect against or spot DDoS attacks. Some security personnel recommend setting up alerts that notify you if the number of requests rises above a certain threshold. While this might not necessarily indicate malicious activity, it does at least provide a potential early warning that something might be on the way.
It’s also useful to plan for scale and spikes in web traffic, which is something that using a cloud-based hosting provider can aid with.
Firewalls and routers can play an important role in mitigating the potential damage of a DDoS attack. If configured correctly, they can identify bogus traffic as potentially dangerous and block it before it reaches the servers behind them. However, it’s also important to note that for this to work, firewall and security software needs to be patched with the latest updates to remain as effective as possible.
Using an IP stresser service can be an effective way of testing your own bandwidth capability. There are also specialist DDoS mitigation service providers that can help organisations deal with a sudden large upsurge in web traffic, helping to prevent damage by attacks.
What is a DDoS mitigation service?
DDoS attack mitigation services protect the network from DDoS attacks by re-routing malicious traffic away from the network of the victim. High profile DDoS mitigation service providers include Cloudflare, Akamai, Radware and many others.
The first job of a mitigation service is to be able to detect a DDoS attack and distinguish what’s actually a malicious event from what’s just a regular, if unusually high, volume of traffic.
Common ways in which DDoS mitigation services do this include judging the reputation of the IP addresses the majority of traffic is coming from: if it’s from somewhere unusual or known to be malicious, that could indicate an attack. Another way is looking out for common patterns associated with malicious traffic, often based on what’s been learned from previous incidents.
Once an event has been confirmed as a genuine attack, a DDoS protection service will move to respond by absorbing and deflecting the malicious traffic as much as possible. This is helped along by routing the traffic into manageable chunks, which eases the mitigation process and helps prevent denial of service.
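As an added example, not taken from the original article, the following Python script implements the two checks described above: the request-rate threshold alert recommended under “How do I protect against DDoS attacks?” and the source-reputation and traffic-concentration checks a mitigation service performs. It assumes a simplified “HH:MM client-ip” log line per request, a per-minute baseline measured during normal traffic, and a constructed watchlist entry; all sample addresses are RFC 5737 documentation ranges.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample log, one "<HH:MM> <client-ip>" entry per request,
# using RFC 5737 documentation addresses: three quiet minutes of mixed
# sources, then one minute in which three hosts from a single /24
# account for nearly all requests.
def constructed_log():
    normal = ["203.0.113.10", "192.0.2.21", "203.0.113.140", "192.0.2.200"]
    lines = [f"{m} {ip}" for m in ("10:00", "10:01", "10:02") for ip in normal * 2]
    flood = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    lines += [f"10:03 {ip}" for ip in normal] + [f"10:03 {ip}" for ip in flood * 20]
    return lines  # 8 requests/minute, then 64 requests in 10:03

def per_minute_sources(lines):
    """Group requests into minute -> Counter(source /24), so a flood spread
    over many hosts in one network still shows up as one dominant source."""
    buckets = defaultdict(Counter)
    for line in lines:
        minute, ip = line.split()
        buckets[minute][ip_network(f"{ip}/24", strict=False)] += 1
    return buckets

def find_alerts(lines, baseline, multiplier=3.0, top_share=0.6, watchlist=()):
    """Flag minutes whose request count exceeds multiplier * baseline (the
    'regular traffic' figure from capacity planning), where one source /24
    sends more than top_share of all requests, or where a source falls inside
    a watchlisted (known-bad) network. Returns one dict per flagged minute."""
    bad_nets = [ip_network(w) for w in watchlist]
    alerts = []
    for minute, counts in sorted(per_minute_sources(lines).items()):
        total = sum(counts.values())
        top_net, top_n = counts.most_common(1)[0]
        reasons = []
        if total > multiplier * baseline:
            reasons.append(f"{total} req/min exceeds {multiplier}x baseline of {baseline}")
        if top_n / total > top_share:
            reasons.append(f"{top_net} sent {top_n / total:.0%} of requests")
        hits = sorted(str(n) for n in counts if any(n.subnet_of(b) for b in bad_nets))
        if hits:
            reasons.append(f"watchlisted sources: {hits}")
        if reasons:
            alerts.append({"minute": minute, "total": total, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    # Baseline of 8 req/min and a constructed watchlist entry for the demo.
    for alert in find_alerts(constructed_log(), baseline=8, watchlist=["198.51.100.0/24"]):
        print(alert["minute"], alert["total"], *alert["reasons"], sep=" | ")
```

A single rate alert is only an early warning, as the article notes; the concentration and watchlist reasons are what separate a ticket-sale rush from traffic that is coming overwhelmingly from one suspicious network.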
How do I choose a DDoS mitigation service?
Choosing a DDoS mitigation service isn’t as simple as just selecting the first solution that appears. Organizations will need to choose a service based on their needs and circumstances. For example, a small business probably isn’t going to have any reason to fork out for the DDoS mitigation capabilities required by a global conglomerate.
However, if the organisation looking for a DDoS mitigation service is a large business, then they’re probably correct to look at large overflow capacities to help mitigate attacks. Looking at a network that has two or three times more capacity than the largest attacks known to date should be more than enough to keep operations online, even during a large DDoS attack.
While DDoS attacks can cause disruption from anywhere in the world, the geography and location of a DDoS mitigation service provider can be a factor. When deciding on a service provider, organisations should, therefore, consider a provider whose protection network has a strong presence in their own region of the world, as that is likely to be the most effective.
Despite all the ways to potentially prevent a DDoS attack, attackers will sometimes still succeed, because attackers who really want to take down a service and have enough resources will do their best to achieve it. However, if an organisation is aware of the warning signs of a DDoS attack, it’s possible to be prepared for when it happens.