- What is a DDoS attack?
- How does a DDoS attack work?
- DoS vs. DDoS — What is the difference?
- How to identify a DDoS attack
- Types of DDoS attacks
- Types of DDoS amplification
- DDoS attack numbers
- Motivations of DDosing
- The largest DDoS attacks
- Is DDoSing illegal?
- Can you trace DDoS attacks?
- DDoS attack prevention
- Does a VPN help prevent DDoS?
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a type of cybercrime in which a hacker floods a server, service, or network with fake requests to prevent users from accessing the website and using the service. It’s like a traffic jam, where the main road is congested with cars sent by a hacker, while the legitimate traffic coming from the side road can no longer get in.
A DDoS attack disrupts the normal functioning of the target server or website. It exhausts its target’s computing resources and makes the website or service slow, unresponsive, or completely unavailable to legitimate users. But how exactly do DDoS attacks work?
How does a DDoS attack work?
DDoS attacks are powerful because they use multiple computers or other devices. A hacker creates a network by infecting devices, turning them into bots (also called zombies), and remotely directing them to a specific IP address all at once. This can cause a service to crash.
DDoS attacks can last over 24 hours and are difficult to trace. Your computer might be used as a pawn and made part of a botnet army (also called a zombie network), secretly responding to malicious commands, and you won’t even know it — the only signs could be marginally decreased performance or an overheating device. The traffic bombarding the target is coming from legitimate (albeit infected) devices. This makes it even harder to distinguish between genuine and malicious traffic. In comparison, a PDoS attack causes direct harm to the hardware, thus being much easier to notice.
DDoS attacks can target a specific component of the network connection or a mixture of them. Every connection made over the internet goes through OSI model layers. Most DDoS attacks happen in the following three layers:
- Network layer (Layer 3). Attacks on this layer include Smurf Attacks, ICMP/Ping Floods, and IP/ICMP Fragmentation.
- Transport layer (Layer 4). These attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
- Application layer (Layer 7). Mainly HTTP-encrypted attacks.
DoS vs. DDoS — What is the difference?
A denial-of-service attack (DoS) floods a server with traffic and makes a service or website unavailable. DoS is a system-on-system attack that uses a single system to attack a specific service. On the contrary, DDoS uses multiple computers and systems to compromise its target.
While both DoS and DDoS attacks serve the same purpose, DDoS is more powerful and dangerous.
How to identify a DDoS attack
The sooner you identify a DDoS attack, the higher the chances you have of stopping it. Here are the main clues a DDoS attack is happening:
- Slow or unavailable service. It’s usually the first sign of a DDoS attack. What seems like a 502 bad gateway error could be a DDoS attack in action. However, many other issues can cause slow performance too, so we can’t rely just on this factor when identifying a DDoS attack.
- A large amount of traffic coming from a single IP address. You can check the traffic by using traffic analytics tools.
- Unnatural traffic spikes at random hours of the day.
- A sudden and unexplained surge of requests at a certain page or endpoint.
Types of DDoS attacks
There are several types of DDoS attacks, varying in terms of complexity, duration, and sophistication.
TCP Connection attacks
TCP connection attacks, otherwise known as SYN flood attacks, happen when a three-way TCP handshake between the host and the server is never completed. In this attack, the handshake is initiated, but the hacker leaves the server hanging and the ports open. This means the server cannot take any other requests. The hacker keeps flooding it with more handshakes, eventually making it crash.
Volumetric attacks are the most common type of DDoS attack. It simply consumes all available bandwidth between the target and the internet. This is usually done by using botnets and directing them to a specific target.
One example of the volumetric attack is the hacker spoofing the victim’s IP and making multiple requests to an open DNS server. The attack is structured so that when the DNS server responds, it sends more data to the victim than they can handle.
Traffic sent over the internet is divided into data packets. They travel and are reassembled in different ways depending on whether the TCP or UDP transport protocol is being used. A fragmentation attack sends fake data packets that distort the flow of data and therefore overwhelm the server.
The “too many packets” exploit is an example of a fragmentation attack. It floods the network with an excessive number of incomplete, fragmented packets.
Application layer attacks
Application layer or layer 7 attacks target, as the name suggests, applications – the layer where the server generates web pages and responds to HTTP requests. Such an attack would seem to the server like someone hitting refresh on the same page multiple times. It will look like legitimate traffic until the server is overflooded and it’s too late. These attacks are also less expensive and more difficult to detect than network layer attacks.
Types of DDoS amplification
A DDoS amplification attack is one where the cybercriminal specifically targets security vulnerabilities in Domain Name System (DNS) servers. They convert small requests into huge ones (thus the term “amplification”), stifling the victim’s bandwidth and effectively halting the unfortunate target server’s processes. There are two types of amplification attack: DNS Reflection and CharGEN Reflection.
A DNS server’s job is to look for the IP address of whichever domain name you typed into your search bar. It’s the internet’s address book. A DNS reflection attack is when a hacker copies the victim’s IP address and sends requests to the DNS server, asking for large replies. The replies have been known to be amplified up to 70 times their normal size, overwhelming the victim instantly.
CharGEN is, by internet standards, an ancient protocol created in 1983 for the purposes of debugging or testing. Unfortunately, many internet-connected printers or copy machines still use this protocol, allowing hackers to exploit CharGEN’s many age-induced loopholes. The hacker will send many tiny packets of data under the guise of a victim’s IP address to whatever is running on CharGEN. The device then floods the victim’s system with UDP (User Datagram Protocol) responses, overwhelming the target server and causing it to reboot or cut out altogether.
DDoS attack numbers
As technology marches on and security systems become increasingly sophisticated each year, so do the tools used to hack through them. If we compare the strength of an attack from the 1990s to the modern standard of DDoS, the difference is staggering.
The average requests in a DDoS attack from the ’90s barely exceeded 150 per second. If we compare these to the biggest recorded successful DDoS attack of recent times, namely, the 2018 GitHub attack, we can see that 1.35 terabits of traffic per second was thrown at the site. The attack crippled the site temporarily and only lasted 8 minutes.
Motivations of DDosing
People carry out dosing attacks for multiple reasons, including the main ones listed below:
- Hacktivism. Hacktivists use DDoS attacks to take down various websites and services they disagree with. For example, they can target websites of governments, public figures, criminal or terrorist organizations, corporations, and other entities. Often hacktivists use DDoS to spread messages and raise awareness.
- Extortion. Cybercriminals also use DDoS attacks for extortion. They may demand money for stopping or not carrying out an attack.
- Vandalism. Hackers can initiate DDoS attacks purely for entertainment or to frustrate and annoy others. So-called script kiddies can easily trigger such attacks by using premade tools.
- Rivalry is another reason for DDosing. A rival company or individual can cripple their competitor’s website or service and cause temporary loss of profit or exposure or simply anger customers.
- Cyberwarfare. DDoS is a weapon used in cyberwarfare. Nation-state threat actors employ large-scale DDoS attacks to disrupt critical infrastructures in adversary countries. Governments can also use such attacks to silence opposition forces. State-backed DDoS attacks are usually well-orchestrated and more difficult to mitigate.
The largest DDoS attacks
In recent years, there have been countless DDoS attacks on businesses, varying in their severity and damages. Here are the three most malicious ones:
The 2017 Google attack
The largest DDoS attack took place in 2017 and targeted Google services. Attackers flooded 180,000 web servers that sent their responses back to Google. The cyberattack reached a size of 2.54 TBps. Keeping in mind that a typical DDoS attack is measured in GBps (Gigabits per second), an attack with traffic volume in TBps (Terabits per second) is a thousand times larger and capable of overwhelming even the most robust online services. The attack was allegedly a nation-state effort that came from China.
The 2020 AWS DDoS attack
A massive DDoS attack hit Amazon Web Services in 2020. It targeted an unidentified customer and is regarded as one of the most vicious DDoS attacks in history. By using third-party servers, attackers managed to amplify the amount of data sent to a single IP address up to 70 times. The attack reached the size of 2.3 TBps.
The 2022 Cloudflare attack
Cloudflare reported and mitigated a 15.3 million request-per-second DDoS attack targeted at a customer operating a crypto launch pad. The attack used a botnet of an estimated 6,000 unique devices from 112 countries. Attackers used a secure and encrypted HTTPS connection to initiate this attack.
Is DDoSing illegal?
DDoSing is considered illegal in many countries. For example, in the US, DDoS can be considered a federal crime and can lead to penalties and imprisonment. In most European countries, DDoSing can lead to arrest, while in the UK, you may be sentenced to up to 10 years of imprisonment for initiating such an attack.
Can you trace DDoS attacks?
DDoS attacks are difficult to trace because most of them are distributed over hundreds and thousands of other devices. Also, those who initiate such attacks usually make an effort not to be found.
It’s possible to identify DDoS attacks when they happen by using certain cybersecurity tools to analyze the traffic. However, it’s usually too late to stop them. At best, you can analyze the data and make the appropriate cybersecurity changes for the future.
DDoS attack prevention
Here are a few measures for preventing DDoS attacks:
- Use third-party DDoS prevention tools. Various third-party services can help you to mitigate DDoS risks. Just make sure to use safe and reliable ones. However, keep in mind that none of them can guarantee you total safety.
- As an organization, you can develop a DDoS protection strategy with your internet service provider; in other words, partner with your ISP for clean bandwidth. ISPs can usually detect malicious packets before they reach your device and reduce risk.
- Monitor your traffic with traffic-monitoring tools and check for odd patterns.
- Perform regular security checks. Evaluate your networks’ safety regularly and consider using specialized DDoS attack tools to stress the systems and find vulnerabilities.
Does a VPN help prevent DDoS?
DDoSing is typically used by hackers to blackmail developers and publishers or to harm the reputation or sales of a certain person or platform. However, individual users, such as online gamers, can also be affected. Your opponent might try to DDoS you to disrupt your gameplay, which isn’t a security risk per se but can be frustrating – especially if you play competitively.
DoS and DDoS attacks target servers, so you can’t prevent an attack against a server by using a VPN. However, in P2P gaming, when you connect directly to other players, your opponent could look up your IP address and use it to DoS or DDoS you. Luckily, you can prevent them from doing so by using a VPN for gaming to mask your original IP. If bad actors don’t know your real IP — they simply can’t DoS/DDoS you. Also, the DDoS attack itself targets the VPN server, which has anti-DDoS safety precautions in place.