Distributed denial-of-service (DDoS) attacks make the target server, service, or network deny access to anyone trying to use them. It’s like a traffic jam, where the main road is congested with cars sent by a hacker, while the legitimate traffic coming from the side road can no longer get in.
DDoS attacks are quite powerful, as they use multiple computers or other devices. A hacker creates a network by infecting devices, turning them into bots, and remotely directing them to a specific IP address all at once. This can cause a service to crash.
DDoS attacks can last over 24 hours and are difficult to trace. Your computer might be a part of a botnet army, secretly responding to malicious commands, and you won’t even know — it’s hard to notice, as the only signs could be marginally decreased performance or an overheating device. The traffic bombarding the target is coming from legitimate (albeit infected) devices. This makes it even harder to distinguish between genuine and malicious traffic.
DDoS attacks can target a specific component of the network connection or a mixture of them. Every connection made over the internet goes through OSI model layers. Most DDoS attacks happen in the following three layers:
A denial of service (DoS) attack floods a server with traffic and makes a service or website unavailable. DoS is a system-on-system attack that uses a single system to attack a specific service. By contrast, DDoS uses multiple computers and systems to compromise its target.
While both attacks serve the same purpose, DDoS is more powerful and dangerous.
The sooner you identify a DDoS attack, the higher the chances of stopping it. Here are the main clues a DDoS attack is happening:
TCP connection attacks, otherwise known as SYN flood attacks, happen when the three-way TCP handshake between the client and the server is never completed. In this attack, the handshake is initiated, but the hacker leaves the server hanging with half-open connections that never finish. Once enough of them pile up, the server cannot take any other requests. The hacker keeps flooding it with more handshakes, eventually making it crash.
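The symptom a defender looks for is exactly the one described above: half-open connections piling up without ever becoming established. The following added example (not code from the original article) reads a connection-table snapshot in the style of `ss -tan`, counts half-open versus established sockets per port, and names the peers contributing most; the sample snapshot and the thresholds are constructed assumptions.

```python
"""Spot SYN-flood symptoms in a TCP connection-table snapshot.
Added example, not the article's code; input mimics `ss -tan` but is
constructed here, and the thresholds are assumptions to tune per host."""
from collections import Counter

# Constructed snapshot: web server 10.0.0.5:443 with many half-open
# (SYN-RECV) sockets from scattered peers and only two real sessions.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40002
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:51000
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:51001
SYN-RECV  0      0      10.0.0.5:443       203.0.113.11:51002
ESTAB     0      0      10.0.0.5:443       192.0.2.20:33000
ESTAB     0      0      10.0.0.5:443       192.0.2.21:33001
LISTEN    0      128    0.0.0.0:443        0.0.0.0:*
"""

def parse_ss(text):
    """Yield (state, local_port, peer_ip) for every connection row."""
    for line in text.splitlines()[1:]:            # skip header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        yield state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]

def syn_flood_indicators(text, min_half_open=4, max_ratio=1.0):
    """Per listening port: half-open vs established counts and a verdict.
    A flood leaves SYN-RECV sockets that never reach ESTAB, so the sign is
    half-open connections outnumbering established ones (ratio > max_ratio)
    once at least min_half_open of them exist."""
    half_open, established, sources = Counter(), Counter(), {}
    for state, port, peer in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            sources.setdefault(port, Counter())[peer] += 1
        elif state == "ESTAB":
            established[port] += 1
    report = {}
    for port, n in half_open.items():
        ratio = n / max(established[port], 1)
        report[port] = {
            "half_open": n,
            "established": established[port],
            "ratio": ratio,
            "suspicious": n >= min_half_open and ratio > max_ratio,
            "top_sources": sources[port].most_common(3),   # candidates to rate-limit
        }
    return report
```

On a real host the same snapshot is taken repeatedly, so a sustained high ratio rather than a single reading is what should raise an alert.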
Volumetric attacks are the most common type of DDoS attack. It simply consumes all available bandwidth between the target and the internet. This is mostly done by using botnets and directing them to a specific target.
One example of a volumetric attack is the hacker spoofing the victim's IP address and making multiple requests to an open DNS server. The attack is structured so that when the DNS server responds, it sends more data to the victim than they can handle.
Traffic sent over the internet is divided into data packets. They travel and are reassembled in different ways depending on whether the TCP or UDP transport protocol is being used. A fragmentation attack sends fake data packets that distort the flow of data and therefore overwhelm the server.
The “too many packets” exploit is an example of a fragmentation attack. It floods the network with an excessive number of incomplete, fragmented packets.
Application layer or layer 7 attacks target, as the name suggests, applications – the layer where the server generates web pages and responds to HTTP requests. Such an attack would seem to the server like someone hitting refresh on the same page multiple times. It will look like legitimate traffic until the server is overwhelmed and it’s too late. These attacks are also less expensive and more difficult to detect than network layer attacks.
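Because each request is individually valid, layer 7 floods are caught by looking at request rates per client rather than at any single request. This added example (not code from the original article) parses Common Log Format access-log lines and flags clients that exceed a request count within a sliding time window; the log lines, window and threshold are constructed assumptions.

```python
"""Flag layer-7 (HTTP) flood behaviour in an access log with a sliding window.
Added example for the application-layer passage above, not the article's code.
Log lines are constructed in Common Log Format; window and threshold values
are assumptions to be tuned against real baseline traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def constructed_log():
    """Twelve hits on one page in 2 s from one client, plus normal browsing."""
    flood = [f'203.0.113.9 - - [10/Oct/2023:13:55:{36 + i // 6} +0000] '
             f'"GET /index.html HTTP/1.1" 200 5120' for i in range(12)]
    normal = [f'192.0.2.4 - - [10/Oct/2023:13:55:{36 + i} +0000] '
              f'"GET /page{i} HTTP/1.1" 200 2048' for i in range(4)]
    return flood + normal

def parse(line):
    """Return (client_ip, datetime, method, path, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def http_flood_clients(lines, window_s=2, max_requests=10):
    """Clients exceeding max_requests within any window_s-second span.
    Each client keeps a deque of timestamps; old ones fall off the front, so
    the deque length is the request count in the current sliding window.
    Returns {ip: {"peak": n, "top_path": path}} for offenders only."""
    recent = defaultdict(deque)
    paths = defaultdict(lambda: defaultdict(int))
    peak = defaultdict(int)
    for rec in sorted(filter(None, map(parse, lines)), key=lambda r: r[1]):
        ip, ts, _, path, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip][path] += 1
    return {ip: {"peak": n, "top_path": max(paths[ip], key=paths[ip].get)}
            for ip, n in peak.items() if n > max_requests}
```

A botnet spreads the same load over thousands of addresses, each staying under a per-client threshold, so in practice this check is paired with per-path and global rate baselines.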
A DDoS amplification attack is one where the cybercriminal specifically targets security vulnerabilities in Domain Name System (DNS) servers. They convert small requests into huge ones (thus the term “amplification”), stifling the victim’s bandwidth and effectively halting the unfortunate target server’s processes. There are two types of amplification attack: DNS Reflection and CharGEN Reflection.
A DNS server’s job is to look up the IP address of whichever domain name you typed into your address bar. It’s the internet’s address book. A DNS reflection attack is when a hacker spoofs the victim’s IP address and sends requests to the DNS server, asking for large replies. The replies have been known to be amplified up to 70 times their normal size, overwhelming the victim instantly.
CharGEN is, by internet standards, an ancient protocol created in 1983 for the purposes of debugging or testing. Unfortunately, many internet-connected printers or copy machines still actively use this protocol, allowing hackers to exploit CharGEN’s many age-induced loopholes. The hacker will send many tiny packets of data under the guise of a victim’s IP address to whatever device is running CharGEN. The device then floods the victim’s system with UDP (User Datagram Protocol) responses, overwhelming the target server and causing it to reboot or cut out altogether.
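Both the DNS and CharGEN variants share one tell-tale sign at the victim's edge: UDP responses arriving from service ports that nobody on the inside ever queried. This added example (not code from the original article) walks a constructed UDP flow log, matches inbound responses against outbound requests, and totals the unsolicited bytes per reflected service; the flow records, the port list and the threshold are assumptions.

```python
"""Detect DNS / CharGEN reflection traffic in a UDP flow log.
Added example for the amplification passages above; not the article's code.
Flow records are constructed, and the 53/19 port list plus the threshold
are assumptions."""
from collections import defaultdict

REFLECTOR_PORTS = {53: "dns", 19: "chargen"}

# Constructed flows seen at the edge of victim network 192.0.2.0/24.
# (direction, proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("out", "udp", "192.0.2.10", 40000, "198.51.100.53", 53, 60),    # our query
    ("in",  "udp", "198.51.100.53", 53, "192.0.2.10", 40000, 512),   # its answer
    ("in",  "udp", "203.0.113.5", 53, "192.0.2.10", 4444, 3200),     # unsolicited
    ("in",  "udp", "203.0.113.5", 53, "192.0.2.10", 4444, 3300),
    ("in",  "udp", "203.0.113.6", 53, "192.0.2.10", 4444, 3100),
    ("in",  "udp", "203.0.113.77", 19, "192.0.2.10", 4444, 1024),    # chargen
    ("in",  "tcp", "203.0.113.8", 443, "192.0.2.10", 50000, 1500),   # ordinary
]

def reflection_report(flows, min_unsolicited_bytes=4096):
    """Return per-service stats for UDP responses we never asked for.
    A reflection victim sees answers arriving from DNS/CharGEN ports with no
    matching outbound request; those bytes are the amplified flood."""
    # Requests we actually sent: (reflector_ip, reflector_port, our_ip, our_port)
    asked = set()
    for d, proto, src, sport, dst, dport, _ in flows:
        if d == "out" and proto == "udp" and dport in REFLECTOR_PORTS:
            asked.add((dst, dport, src, sport))
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for d, proto, src, sport, dst, dport, nbytes in flows:
        if d != "in" or proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dst, dport) in asked:
            continue                      # legitimate reply to our own query
        s = stats[REFLECTOR_PORTS[sport]]
        s["bytes"] += nbytes
        s["packets"] += 1
        s["reflectors"].add(src)
    total = sum(s["bytes"] for s in stats.values())
    return {
        "services": {k: {**v, "reflectors": sorted(v["reflectors"])} for k, v in stats.items()},
        "unsolicited_bytes": total,
        "under_attack": total >= min_unsolicited_bytes,
    }
```

The reflector addresses in the report belong to misused third-party servers, not to the attacker, which is why reflection attacks are so hard to trace back.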
As technology marches on, and security systems become increasingly sophisticated each year, so do the tools used to hack through them. If we compare the strength of an attack from the 1990s to the modern standard of DDoS, the difference is staggering.
The average requests in a DDoS attack from the 90s barely went over 150 per second. If we compare these to the biggest recorded successful DDoS attack of recent times, namely, the 2018 GitHub attack, we can see that 1.35 terabits of traffic per second was thrown at the site. The attack crippled the site temporarily and only lasted 8 minutes.
The monetary damage a DDoS attack can inflict on a business in just 24 hours is enough justification to take active measures to never let it happen again. According to a 2018 report by Corero Network Security, the disruption caused by a DDoS attack, through lost revenue, disruption of employee productivity and the actual security cost of repelling the assault, can cost upwards of $50,000 per attack. But how much does it cost to employ a cybercriminal and their army of bots?
As with most online criminal activities, you’ll have to delve into the dark web for a price list of their services. The cost of this service varies depending on the desired length of the DDoS attack, with basic rates starting at 300 seconds and stretching upwards to 10,800 seconds (3 hours). Obviously, the shorter the attack, the cheaper it will be.
Curiously, many of the criminals providing these services offer a pseudo-subscription service. For example, at the cost of 60 euros per month, you have access to 1 attack lasting 3 hours.
The largest DDoS attack took place in 2017 and targeted Google services. Attackers flooded 180,000 web servers that sent their responses back to Google. The cyberattack reached a size of 2.54 Tbps. The attack was allegedly a nation-state effort that came from China.
A massive DDoS attack hit Amazon Web Services in 2020. It targeted an unidentified customer and is regarded as one of the most vicious DDoS attacks. By using third-party servers, attackers managed to amplify the amount of data sent to a single IP address up to 70 times. The attack reached a size of 2.3 Tbps.
Cloudflare reported and mitigated a 15.3 million request-per-second DDoS attack targeted at a customer operating a crypto launch pad. The attack used a botnet of an estimated 6,000 unique devices from 112 countries. Attackers used a secure and encrypted HTTPS connection to initiate this attack.
DDoSing is considered illegal in many countries. For example, in the US, DDoS can be considered a federal crime and can lead to penalties and imprisonment. In most European countries, DDoSing can lead to arrest, while in the UK, you may be sentenced to up to 10 years of imprisonment.
DDoS attacks are pretty difficult to trace because most of them are distributed over hundreds or thousands of other devices. Also, those who initiate such attacks usually make an effort not to be found.
It’s possible to identify DDoS attacks when they happen by using certain cybersecurity tools to analyze the traffic. However, it’s usually too late to stop them. At best, you can analyze the data and make the appropriate cybersecurity changes for the future.
Here are a few measures for preventing DDoS attacks:
DDoSing is mostly used to blackmail developers and publishers or to harm the reputation or sales of a certain person or platform. However, individual users can also be affected. This usually happens to online gamers. Your opponent might try to DDoS you to disrupt your gameplay, which isn’t a security risk per se, but can be really frustrating – especially if you play competitively.
There’s no way for you to prevent an attack against the game server. However, in P2P gaming, when you connect directly to other players, your opponent could look up your IP address and use it to DoS you. You can prevent this by using a VPN for gaming to mask your original IP. If bad actors don’t know your real IP, they simply can’t DoS you.