This article is aimed at non-expert computer users (without a background in network or systems administration).
DDoS stands for “Distributed Denial of Service” and, naturally enough, is a type of Denial of Service (DoS) attack. The basic aim of a DoS attack is to render a cloud server, PC or network resource inaccessible or unusable–denying service to anyone trying to access it. It is a malicious attack designed to cause maximum inconvenience.
Are DDoS Attacks a New Thing?
No, DDoS attacks are not a new phenomenon, but they have been making the headlines more in recent years as their scope has increased in size and as they have included higher profile targets. One recent example is the attack on the PlayStation Network and Xbox Live. A hacking group known as ‘Lizard Squad’ used a DDoS attack to shut down the online gaming services on Christmas Day 2014, upsetting many gamers and causing financial and reputational damage to Microsoft and Sony.
How Do DDoS Attacks Work?
In a Denial of Service attack, the attacker uses a computer to send an overwhelming amount of data to a target. This target receives so much traffic that it slows down and cannot respond to legitimate traffic, or, in the case of a Permanent Denial of Service (PDoS) attack, its hardware is damaged beyond repair. In this simple style of DoS attack, one computer directly targets another. It is a fairly simple attack to execute and requires minimal computer skills–an attacker can simply acquire and run a piece of software to conduct a DoS.
The ‘distributed’ in DDoS refers to the multiple computers used in this type of attack. The attacker either launches a synchronized attack with collaborators or, more commonly, uses a botnet to execute a DDoS. A botnet (a shortened form of “robot network”) is a network of computers infected with malware that allows the attacker to remotely control them without the owner’s knowledge. Using a botnet, an attacker dramatically increases the effect of their attack.
Another method attackers use to increase the effect of a DDoS is the “amplification attack”. Rather than directly bombarding a target with data, an attacker sends requests for data to multiple servers. The attacker spoofs the source IP address of each request so that it looks as though it comes from the target of the attack instead of from the attacker. As a result, all of the responses go to the IP address of the victim, flooding it with traffic. It’s essentially like signing your friend up to a load of unwanted junk newsletters.
Attackers have found various ways to create these amplification attacks. The IP address spoofing is possible, in part, because they use the UDP protocol–a protocol that doesn’t validate source IP addresses or set up connections. The amplification comes from requests that attackers have found will cause the responding servers to return responses significantly larger than the requests. For example, DNS (Domain Name Service) servers can deliver a response 50-150 times larger than the request. Similarly, the Character Generation Protocol (CharGEN), supported by various servers, will respond to a character generation request with a response that is 200-1000 times larger. The Network Time Protocol (NTP), used to sync clocks across machines, can return a response up to 556.9 times larger than the request.
Why Do People Use DDoS Attacks?
The motivations behind DDoS attacks vary. In the case of Lizard Squad, it appeared to be a publicity stunt to promote their freelance hacking services. Sometimes attackers hit a website with a demonstration attack and then send its owners extortion letters demanding payment to prevent future attacks. One of the Internet’s more renowned and iconic hacking groups, Anonymous, has used these sorts of attacks as a tool for activism. In their ongoing fight against organizations such as Scientology and the Westboro Baptist Church, people acting under the Anonymous banner have used DDoS attacks to take down their respective websites.
What Defenses Are There?
DDoS attacks are difficult to fight, and mitigation is often the best a target can hope for. A big part of dealing with DDoS attacks is simply being prepared. Here are some techniques that can be used to mitigate the effects of a DDoS attack:
Some organizations invest in more bandwidth for their servers. The more bandwidth the target has, the harder it is to DDoS. In principle, it’s the same idea as adding more lanes to a road–the wider the road, the more cars are needed to cause a traffic jam.
ISPs (Internet Service Providers) may also offer services to help mitigate the effects of DDoS attacks. Since they generally have access to more powerful networking resources, ISPs may have DDoS mitigation plans in place that can help keep your servers safe.
There are now many companies who provide help to those who might be targeted by DDoS attacks. During an attack, the target’s traffic is redirected to the mitigation company’s network, where they “scrub” the data, identifying malicious traffic to drop and allowing through legitimate traffic, which is then rerouted back to the target. Companies such as CloudFlare, Black Lotus, F5, Prolexic, and Incapsula offer such services in this growing sector.
Part of the Problem?
Most of us will likely never be the target of a DDoS. But even if you feel too small to be a target, your home computer, your multimedia server, your little home router or the cloud hosting server that hosts your website may be part of a vast botnet being used to DDoS someone else, without your even realizing it.
For home systems, keeping up with security patches and changing default device passwords to something much more secure can help protect you from exploitation.
For web-facing servers (such as web servers or DNS name servers), you can take a little time to close security vulnerabilities, such as those that can be exploited in amplification attacks. You can also monitor network traffic for any unusual traffic patterns with something like Zabbix or with a more elaborate Intrusion Detection System (IDS) like Suricata or Security Onion.
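To make the “unusual traffic patterns” idea concrete, here is an added example (not part of the original article, and not the output of Zabbix, Suricata or any real flow exporter). It runs two defender-side checks over a handful of constructed flow records in a made-up `time src_ip:src_port dst_ip:dst_port proto bytes` format: is a host on our network receiving large UDP responses from many different DNS, NTP or CharGEN servers (we are the target), and is one of our own servers sending far more UDP from those service ports than it receives from a given peer (we are being used as the reflector)? The thresholds, IP addresses and record format are all assumptions chosen for the example.

```python
"""Flag reflection/amplification traffic patterns in simplified flow records.

Record format (constructed for this example, not a real exporter's output):
    time src_ip:src_port dst_ip:dst_port proto bytes
"""
from collections import defaultdict

# UDP services the article names as amplifiers: service port -> name.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CharGEN"}

# Constructed sample records (documentation ranges 198.51.100.0/24, 192.0.2.0/24,
# 203.0.113.0/24). 203.0.113.10 is a host of ours being flooded; 203.0.113.99 is
# our DNS server answering tiny requests from 203.0.113.50 with large responses.
SAMPLE_LOG = """\
# time src_ip:src_port dst_ip:dst_port proto bytes
10:00:01 198.51.100.7:53 203.0.113.10:41234 udp 3900
10:00:01 198.51.100.8:53 203.0.113.10:41234 udp 4100
10:00:01 198.51.100.9:123 203.0.113.10:41234 udp 4400
10:00:01 198.51.100.10:19 203.0.113.10:41234 udp 60000
10:00:02 198.51.100.11:53 203.0.113.10:41234 udp 3800
10:00:02 192.0.2.5:443 203.0.113.20:50012 tcp 1500
10:00:02 192.0.2.6:53 203.0.113.20:50013 udp 120
10:00:03 203.0.113.10:41234 198.51.100.7:53 udp 64
10:00:04 203.0.113.99:53 203.0.113.50:9999 udp 3000
10:00:04 203.0.113.50:9999 203.0.113.99:53 udp 60
10:00:04 203.0.113.99:53 203.0.113.50:9999 udp 3100
10:00:04 203.0.113.50:9999 203.0.113.99:53 udp 60
"""


def parse_flow(line):
    """Parse one record into a dict; return None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    time, src, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": proto.lower(), "bytes": int(nbytes)}


def parse_log(text):
    return [f for f in map(parse_flow, text.splitlines()) if f]


def find_flooded_targets(flows, min_sources=3, min_bytes=50_000):
    """Hosts receiving UDP from reflector service ports on many distinct servers.

    Returns {dst_ip: (distinct reflector count, total bytes, sorted service names)}.
    Legitimate clients talk to a few resolvers or time servers; a victim of an
    amplification flood hears from many at once, and the byte total is large.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] in REFLECTOR_PORTS:
            entry = per_dst[f["dst_ip"]]
            entry["sources"].add(f["src_ip"])
            entry["bytes"] += f["bytes"]
            entry["services"].add(REFLECTOR_PORTS[f["src_port"]])
    return {dst: (len(e["sources"]), e["bytes"], sorted(e["services"]))
            for dst, e in per_dst.items()
            if len(e["sources"]) >= min_sources and e["bytes"] >= min_bytes}


def find_reflection_peers(flows, server_ip, min_ratio=20.0):
    """Peers to which one of our servers sends far more UDP than it receives.

    Compares bytes our server sends from reflector ports with bytes it receives on
    them, per peer. A large out/in ratio means the server is answering tiny requests
    with large responses, i.e. it is being used as a reflector against that
    (probably spoofed) address. Returns {peer_ip: ratio}.
    """
    out_bytes, in_bytes = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src_ip"] == server_ip and f["src_port"] in REFLECTOR_PORTS:
            out_bytes[f["dst_ip"]] += f["bytes"]
        elif f["dst_ip"] == server_ip and f["dst_port"] in REFLECTOR_PORTS:
            in_bytes[f["src_ip"]] += f["bytes"]
    suspects = {}
    for peer, sent in out_bytes.items():
        received = in_bytes.get(peer, 0)
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            suspects[peer] = round(ratio, 1)
    return suspects


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for dst, (n, total, svcs) in find_flooded_targets(flows).items():
        print(f"possible amplification flood against {dst}: "
              f"{n} reflectors, {total} bytes via {', '.join(svcs)}")
    for peer, ratio in find_reflection_peers(flows, "203.0.113.99").items():
        print(f"203.0.113.99 looks like a reflector toward {peer}: "
              f"out/in byte ratio {ratio}")
```

On the sample data the first check flags 203.0.113.10 (five reflectors across DNS, NTP and CharGEN), and the second flags 203.0.113.50 as a peer our server 203.0.113.99 is amplifying toward; the second finding is the one that tells you that you are part of the problem and that the server needs its recursion or query responses restricted. The thresholds are deliberately simple; in practice they would be tuned against a baseline of your own normal traffic, which is the kind of view a monitoring tool like Zabbix gives you.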