Distributed Denial of Service (DDoS) attacks have become a recurring problem for enterprises today. These cyber attacks have relentlessly continued to evolve and amplify in scale and complexity. Multiple studies and high-profile breaches in recent times show that the frequency of DDoS attacks are rising every year or even quarter.
In the second quarter of 2022, DDoS attacks increased steadily, from 731 attacks per day on the average in April to 845 in May and to 1195 in June, according to reports by the threat intelligence firm Kaspersky. This increase in the frequency and impact of DDoS attacks means that all enterprises should take extra precautions to ramp up their defenses.
What is a DDoS Attack?
A DDoS attack is a form of cyber attack that works by flooding a specific network or server to overwhelm it and eventually taking it offline. When the server is targeted with a huge volume of requests that are beyond its capacity, it becomes incapable of responding to legitimate requests, thereby resulting in the ‘denial of service’.
DDoS attacks can take a few different forms. One way to classify them is on the basis of the OSI model. The OSI (Open Systems Interconnection) model is a conceptual framework that describes how network communication should occur between different computer systems. The model was developed by the International Organization for Standardization (ISO) in the 1980s and consists of seven layers, each with a specific function.
Application Layer DDoS attacks
Application layers are responsible for providing services to end users, such as email, web browsing, file transfer, and other network applications. This is the layer where message and packet creation begins, and also where database access resides. End-user protocols such as FTP, SMTP, Telnet and RAS also work in this layer.
DDoS attacks can target the application layer (layer 7) of the OSI model, with the goal of overwhelming the web server or application. Application layer DDoS attacks include HTTP (Hypertext Transfer Protocol) GET, HTTP POST and website forms-based attacks. These attacks can cause the layer to eventually reach the limits of its resource capabilities.
For example, an HTTP Slow Attack (also known as a Slowloris Attack) targets web servers by exploiting a vulnerability in the HTTP protocol. The attack works by sending a large number of incomplete HTTP requests to the target server, and then keeping those requests open for as long as possible, without ever completing them.
Meanwhile, a HTTP Flood targets web servers by flooding them with a high volume of HTTP requests, with the goal of overwhelming the server and making it unavailable to legitimate users. The high volume of traffic can consume the server’s resources, such as CPU, memory, and network bandwidth, causing the server to slow down or crash.
Network Layer DDoS attacks
In the OSI model, the network layer is the one that handles the routing and forwarding of data packets between different networks, and which provides logical addressing and traffic control.
DDoS attacks can also target this network layer (layer 3) of the OSI model, with the goal of consuming the target’s network bandwidth. Network layer DDoS attacks include attacks like ICMP (Internet Control Message Protocol) floods, ARP floods, and IP (Internet Protocol) fragmentation attacks.
An ICMP Flood targets the ICMP protocol, which is used for diagnostic and error reporting purposes in IP networks. In this type of attack, the attacker sends a large number of ICMP packets to the target system or network, overwhelming the system’s resources.
An ARP (Address Resolution Protocol) Flood targets the ARP protocol, which is used to map IP addresses to physical addresses on a local network. In an ARP Flood attack, the attacker sends a large number of ARP requests to flood the network and make it unavailable.
IP Fragmentation Attack targets the IP protocol, which is used for routing packets across networks. In this attack,the attacker sends packets to the target system or network that are intentionally fragmented in a way that causes the target system or network to use excessive resources to reassemble them.
The end result of these attacks is the imposition of extra load on the firewall and compromise of available network bandwidth.
Volume-based traffic
In volume-based DDoS attacks, the method relies on the sheer amount of traffic sent beyond the network bandwidth. User Datagram Protocol or UDP floods and Internet Control Message Protocol (ICMP) floods are two common forms of volumetric attacks. In UDP flood attacks, attackers use the UDP format to skip integrity checks and generate amplification and reflection attacks.
For example, the DNS amplification attack is one type of volumetric DDoS attack where the attacker makes a request to an open DNS server with IP spoofing address (of the victim) and overwhelms the target server with a traffic amplification attack. ICMP floods have attackers send false error requests to network nodes to make it unable to respond to real requests. The goal of the attacker here is to just send as many requests as possible in a short time from as many compromised devices.
Another categorization of DDoS attacks involves their intended outcomes. Some are intended to be for flooding and others for crashing.
Flooding DDoS attacks
These are attacks that use an overwhelming flood of data to target a server with the intention of taking it down. For example, an ICMP flood or ping flood sends data packets to overwhelm a network of computers to take them down together. The SYN flood described above under networking layer attack is also one that operates on a similar basis.
Crashing DDoS attack
In this type of DDoS attack, the attacker sends bugs to a compromised system in order to take advantage of weak spots in the system’s infrastructure. This exposes the flaws which can be exploited in the absence of patches on routers and firewalls and leads to a system crash.
Transport Layer DDoS attacks
The transport layer ensures reliable, error-free delivery of data between end systems, such as computers or servers. It also provides mechanisms for error detection, flow control, and congestion avoidance and manages the transmission of messages from layers 1 through 3.
These attacks target the transport layer (layer 4) of the OSI model, with the goal of overloading the target’s servers or network devices. Transport layer DDoS attacks include SYN (synchronization) floods, TCP (Transmission Control Protocol) floods, and UDP (User Datagram Protocol) floods. Transport layer attacks can result in the limiting of reach bandwidth or connections of hosts or networking equipment.
A SYN Flood targets the TCP (Transmission Control Protocol) protocol, which is used for establishing connections between devices on a network. In a SYN Flood attack, the attacker sends a large number of TCP SYN requests to the target system, but does not complete the connection, leaving the connection half-open, and overwhelming the system’s resources.
Similarly, a TCP Flood targets the TCP protocol by sending a large number of TCP packets to the target system or network, to consume the system’s resources and render it unavailable. And the UDP Flood targets the UDP protocol, which is used for low-latency, loss-tolerant communications.
What Is the Most Common Type of DDoS Attack?
While all three types of DDoS attacks are prevalent in the cyber landscape, perhaps the most common type is the network layer DDoS attack. Specifically, the UDP flood, in which the attacker sends a large number of UDP packets to the target system or network. Since UDP is a connectionless protocol, the packets are not acknowledged, and the attacker can send them at a very high rate. This can result in the target system or network being flooded with more traffic than it can handle, causing it to become unavailable to legitimate users.
The Damage Caused by DDoS Attacks
DDoS attacks can be very damaging, depending on the nature and scale of the attack, as well as the target system’s or network’s ability to handle the attack. They can be equally dangerous when targeted at an enterprise or a government body.
For example, hackers launched a DDoS attack on the websites of the German military and the Ministry of Defense recently, rendering them temporarily unavailable.
According to Kaspersky, the US receives the most DDoS attacks, with their share of the total rising slightly to 45.95% in the second quarter of 2022. Singapore’s share of unique targets (3.22%) also grew in this period, more than doubling from Q1 2022. There were also DDoS attacks launched on institutions in Romania, the United States, Estonia, Poland, and the Czech Republic, according to the Romanian Intelligence Service (SRI).
DDoS Mitigation
The key to DDoS mitigation is to be vigilant and start the process of detection early. For example, look for unusual DDoS-specific symptoms such as huge volumes of traffic coming from unusual clients such as those with same or similar attributes, be it device type, IP address or location. Additionally, it is also important to adopt robust network traffic monitoring and analysis. These can help alert you in the event of an intrusion or anomalous traffic load and protect you against DDoS attacks.
Beyond that, tools like CDNetworks’ Flood Shield, can help you go one step further. Flood Shield is a cloud-based DDoS protection service that provides DDoS protection in real-time. It also deploys firewalls between your origin sites and the public network, while techniques like rate limiting, port limiting and threat intelligence give you extra measures against all types of DDoS attacks.
