So, let’s say that a site you regularly visit has suddenly and inexplicably become unavailable. It might just be the victim of a DDoS attack – a distributed denial-of-service.
This won’t always be the case, of course, seeing as these malicious attacks are usually targeted, but let’s take a closer look at DDoS attacks, and figure out what they are and why they happen.
What is a DDoS attack?
The architect of a Distributed Denial of Service (DDoS) attack will usually want to prevent access to a network, and they’ll do so by flooding the service with a lot of fake requests. And we mean a lot. As a result, the site won’t work like it’s supposed to – it won’t be able to fulfill your legitimate request when there are so many fake ones using up its resources!
DDoS attacks use compromised machines (computers and IoT devices) in order to create these fake requests, and will use several at once.
If you’d like a less technical analogy, a DDoS attack would be the equivalent of 100 puppies standing around a few food bowls. Some puppies want to eat, but the majority of them are just barking around the bowls, and preventing the hungry puppies from getting to the food. And... wait, what were we talking about?
How does a DDoS attack work?
The attack architect will first want to establish a botnet. As you might imagine, a botnet is simply a collection of bots, and these bots are the compromised machines mentioned earlier. These machines have usually been infected with malware, too, which allows them to be controlled remotely by the attacker.
Using multiple machines makes it easier to create more fake requests – and much harder for the targeted network to combat the DDoS attack. Multiple machines are harder to trace and shut down, and shutting down any one machine won’t do much to stop the attack.
Why do DDoS attacks happen?
A DDoS attack can render sites unresponsive or downright unavailable – an attacker might seek to extort a rival or exact revenge, targeting payment gateways or banking services. Some DDoS attacks are performed by cyber-activists, too.
Unintentional DDoS events can also happen. These aren’t attacks – there’s no architect with a botnet – but any time a site sees a boom in popularity, the resulting surge of new traffic can overload the network’s resources with the same consequences as a DDoS attack. This usually happens when a celebrity posts a link, or when a smaller site is mentioned in a prominent news story.
DDoS methods
Application layer DDoS attacks are relatively common, and take aim at specific functions of a website in order to disrupt them. Application layer attacks are less resource-intensive than network attacks, and are often used alongside them, usually to draw the attention of IT and security teams away from the main attack. An application layer attack can be cleverly disguised to look like regular traffic, all while actually wreaking havoc with a site’s navigation and search features.
Similarly, a SYN flood uses a botnet in an attempt to use up all the resources of a target server and render it unavailable. The attacker initiates lots of (seemingly legitimate) connections to the server. These connection requests are never finalized: a SYN flood deliberately leaves the TCP three-way handshake incomplete, so the server keeps holding resources for each half-open connection while it waits for the fake connections to resolve, and has none left to respond to real user traffic.
Mitigating DDoS
The most important part of combating DDoS attacks is figuring out which traffic is legitimate, and which traffic is coming from an attacker and their botnet. However, this is easier said than done.
Complex DDoS attacks are incredibly hard to discern from regular traffic – and that’s what the attacker is counting on! They’ll want their DDoS attack to blend in and be indistinguishable from a normal user, as that makes them that much more difficult to identify.
One way to sift through traffic and pick out potential cyber-attackers is with physical front-end hardware. This hardware sifts through data packets and identifies potential threats, and comes in particularly handy when determining whether bulk traffic is a simple spike of interest… or something more malicious.
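To make the SYN flood description and the "sifting" idea above concrete, here is an added example (not code from the original article) that works through constructed connection events, counts the half-open connections each source leaves behind, and separates a traffic spike (handshakes complete) from a flood (handshakes never complete). The source addresses, the per-source threshold and the backlog size are all assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of TCP connection events as (seconds, source IP, flag seen
# from that source). A normal client sends SYN and, after the server's SYN-ACK,
# an ACK that completes the handshake. Addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    (0.00, "203.0.113.7", "SYN"), (0.05, "203.0.113.7", "ACK"),    # completed
    (0.10, "198.51.100.2", "SYN"), (0.15, "198.51.100.2", "ACK"),  # completed
    (0.20, "203.0.113.7", "SYN"), (0.25, "203.0.113.7", "ACK"),    # completed
    (0.30, "192.0.2.10", "SYN"), (0.31, "192.0.2.10", "SYN"),      # never ACKed
    (0.32, "192.0.2.10", "SYN"), (0.33, "192.0.2.10", "SYN"),
    (0.40, "192.0.2.11", "SYN"), (0.41, "192.0.2.11", "SYN"),      # never ACKed
    (0.42, "192.0.2.11", "SYN"),
    (0.50, "192.0.2.12", "SYN"),                                   # one slow client
]


def half_open_by_source(events):
    """Count SYNs per source that were never completed by that source's ACK.

    Each SYN is queued as a pending (half-open) connection; an ACK from the same
    source retires the oldest pending SYN. What remains is the half-open backlog
    the server is still holding resources for.
    """
    pending = defaultdict(deque)
    for ts, src, flag in sorted(events):
        if flag == "SYN":
            pending[src].append(ts)
        elif flag == "ACK" and pending[src]:
            pending[src].popleft()
    return {src: len(q) for src, q in pending.items() if q}


def flood_suspects(events, threshold=3):
    """Sources holding at least `threshold` half-open connections (assumed threshold)."""
    return sorted(src for src, n in half_open_by_source(events).items() if n >= threshold)


def backlog_utilisation(events, backlog_size=128):
    """Fraction of an assumed SYN backlog consumed by all half-open connections.

    Per-source counts alone can miss a flood spread across many sources, so the
    aggregate is what tells a popularity spike from a flood: in a spike the
    handshakes complete and the backlog drains.
    """
    return sum(half_open_by_source(events).values()) / backlog_size


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_EVENTS))
    print(flood_suspects(SAMPLE_EVENTS))
    print(f"backlog used: {backlog_utilisation(SAMPLE_EVENTS):.1%}")
```

On the sample, the two clients that completed their handshakes leave nothing behind, while the two sources that only ever sent SYNs are flagged and together hold 8 of the 128 assumed backlog slots.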