Denial of Service (DoS) and Distributed Denial of Service (DDoS), how many times have you heard of them…
You know when you’re stuck in a kilometer-long queue on the highway that keeps you from reaching your destination? A DDoS (Distributed Denial of Service) attack can be pictured in much the same way: a huge, disproportionate volume of requests over the Web that works just like an unexpected traffic jam, blocking normal traffic.
In the case of the cyber threat, however, the delay translates into heavy economic damage: considering that downtime of IT services costs companies from 300,000 to over a million dollars an hour, one can imagine how serious a DDoS (Distributed Denial of Service) attack on a company can be.
Not a day goes by without at least one; the peak was reached last December 31, when 1,349 were registered.
In Italy alone the phenomenon is constantly growing: the latest CLUSIT report records a significant percentage increase in Distributed Denial of Service attacks (+47.8%) in 2020. The volume of attacks reached 7 Tbps, a very strong increase even compared with the worst month of 2019, when it peaked at 1.8 Tbps.
In 1996, the first Distributed Denial of Service attack hit Panix, the historic internet service provider: at the time it was taken offline for several days by a SYN flood (we’ll explain what it is later).
Some will have heard of Mafiaboy, the nickname of a 15-year-old who in 2000 launched a Distributed Denial of Service attack by breaking into the computer networks of a number of universities and using their servers to carry out a cyber attack that blocked sites such as CNN, eBay and Yahoo.
The most notorious goes by the name of Mirai, the botnet that in 2016 had grown to 600,000 compromised Internet of Things devices such as IP cameras, home routers and video players. On September 19 it targeted OVH, one of Europe’s largest hosting providers, which hosts around 18 million applications for over a million customers. The attack generated a traffic load of up to 1.1 terabits per second and lasted approximately seven days. Many others also suffered the effects of the attack.
But what is a Distributed Denial of Service (DDoS) attack? What are the symptoms? How can you defend yourself? Let us illustrate its characteristics, types and possible remedies, along a path that will take us through cybercrime and even zombies…
“Distributed outage of service”: this is the meaning of Distributed Denial of Service, a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks are effective as they use multiple compromised computer systems as traffic sources. Exploited machines can include computers and other network resources such as IoT devices infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are called bots (or zombies), and a group of bots is called a botnet.
When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, causing the server or network to become overloaded, resulting in denial of service to normal traffic. Since each bot is a legitimate Internet device, it becomes very difficult to separate the attack traffic from the normal traffic.
It is worth distinguishing between DoS (Denial of Service) and DDoS (Distributed Denial of Service). Both are cyber threats, but the former is a one-system-against-one-system attack, while the latter involves multiple systems attacking a single one. Since a DoS comes from a single location, it is easier to detect its origin, cut off the connection and stop the malicious attempt. A Distributed Denial of Service comes from many places, can be scaled up much faster than a DoS attack, and does far more damage.
As the Cybersecurity & Infrastructure Security Agency (CISA) points out in a dedicated guide, the fundamental concepts of IT security are availability, integrity and confidentiality. Both Denial of Service attacks and, above all, Distributed attacks undermine these three pillars.
How a DDoS attack is conducted
First of all, it should be said that there are different types of DDoS attack. The most common are:
IP Fragmentation Attacks
It takes advantage of the fragmentation mechanism of the IP protocol: the attacker gets past a network by exploiting the way datagrams are fragmented.
To understand this threat we need to start from IP fragmentation, the process by which IP datagrams are broken up into smaller packets, transmitted, and reassembled at the destination. Fragmentation is necessary because each network has its own limit on the size of datagram it can carry, the MTU (Maximum Transmission Unit). If a datagram larger than the receiving server’s MTU is sent, it must be fragmented to be transmitted in full.
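To make the mechanism concrete, here is an added example (not code from the original article) that models IPv4 fragmentation by MTU and a receiver that reassembles fragments while capping how many incomplete datagrams it will hold; the 20-byte header, the 8-byte offset granularity and the constructed flood of never-completing fragments are this model’s assumptions.

```python
from dataclasses import dataclass, field

HEADER = 20  # IPv4 header bytes carried by every fragment (simplified model)

def fragment(payload: bytes, mtu: int, ident: int):
    """Split one datagram into fragments that fit the link MTU. Each fragment
    carries the datagram id, its byte offset and a more-fragments (MF) flag."""
    chunk = (mtu - HEADER) // 8 * 8            # IPv4 offsets count 8-byte units
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + len(piece) < len(payload)
        frags.append((ident, off, more, piece))
    return frags

@dataclass
class Reassembler:
    """Receiver side: incomplete datagrams sit in memory until their last
    fragment arrives, so the number of pending datagrams is capped."""
    max_pending: int = 4
    pending: dict = field(default_factory=dict)
    dropped: int = 0

    def receive(self, ident, off, more, piece):
        buf = self.pending.get(ident)
        if buf is None:
            if len(self.pending) >= self.max_pending:
                self.dropped += 1                  # guard: refuse a new incomplete datagram
                return None
            buf = self.pending[ident] = {"parts": {}, "total": None}
        buf["parts"][off] = piece
        if not more:
            buf["total"] = off + len(piece)        # last fragment reveals the full size
        if buf["total"] is not None and sum(map(len, buf["parts"].values())) == buf["total"]:
            del self.pending[ident]
            return b"".join(p for _, p in sorted(buf["parts"].items()))
        return None

def demo():
    r = Reassembler(max_pending=4)
    # 1) a legitimate 2500-byte datagram crosses a 576-byte-MTU link and is rebuilt
    payload = b"hello" * 500
    rebuilt = [r.receive(*f) for f in fragment(payload, 576, ident=1)]
    # 2) constructed flood: 10 datagrams that each deliver only their first fragment
    for ident in range(100, 110):
        r.receive(*fragment(b"x" * 3000, 1500, ident)[0])
    return rebuilt[-1] == payload, len(r.pending), r.dropped
```

Without the cap, every half-delivered datagram would occupy reassembly memory indefinitely; with it, the receiver holds at most `max_pending` and counts what it refused.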
Volumetric attacks
They aim to saturate the bandwidth of the attacked site by sending a large amount of traffic, or request packets, to the target network in an attempt to overwhelm its bandwidth capacity. These attacks flood the target in the hope of slowing down or stopping its services. Attack volumes are typically on the order of 100 Gbps; recent attacks, however, have exceeded 1 Tbps.
Amplified Denial of Service attacks
This type of threat exploits a technique that “bounces” traffic off improperly configured DNS or NTP servers. Thanks to this bounce and to the characteristics of the DNS and NTP services, the attacker achieves two things at once: hiding their IP addresses (and therefore identity and geographical location) and multiplying the size of the attack. For each megabit of bandwidth the attacker sends, the victim receives from 30 to 50 megabits of unwanted traffic in the case of DNS amplification and 500 megabits in the case of NTP amplification. This amplification is what lets the attacker make the victim’s site (or service) unreachable by saturating the available bandwidth.
Protocol attacks
They target the network layer of the target systems. Their goal is to overload the connection state tables (the in-memory tables that track open connections) of the basic network services, the firewall, or the device that forwards requests to the target.
This type of attack consumes actual server resources, or those of intermediary communication equipment such as firewalls and load balancers, and is measured in packets per second. It includes SYN floods, a form of attack in which the attacker rapidly initiates connections to a server without ever completing the handshake. The server has to spend resources waiting on half-open connections, which can consume enough resources to make the system unresponsive to legitimate traffic.
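The following is an added model (not the article’s code) of the server side of the handshake just described: half-open connections occupy a fixed backlog, a constructed flood of SYNs that never complete exhausts it so a later legitimate client is refused, and a per-source cap on half-open slots, the kind of rate limit the article recommends later, restores service. The backlog size, timeout, IP addresses and event timings are all constructed.

```python
from collections import deque

# Constructed events: (seconds, source IP, message). A client sends SYN to open and
# ACK to complete; a SYN never followed by an ACK stays half-open on the server.
EVENTS = [
    (0.0, "198.51.100.7", "SYN"), (0.1, "198.51.100.7", "ACK"),      # legitimate client
    *[(0.2 + i * 0.01, "203.0.113.9", "SYN") for i in range(200)],  # flood, never completed
    (2.5, "198.51.100.8", "SYN"), (2.6, "198.51.100.8", "ACK"),      # legitimate, mid-flood
]

class Listener:
    """Server side of the handshake: each half-open connection holds a backlog slot."""
    def __init__(self, backlog=128, timeout=3.0, per_src_limit=None):
        self.backlog, self.timeout, self.per_src_limit = backlog, timeout, per_src_limit
        self.half_open = {}      # source IP -> deque of SYN arrival times
        self.established = 0
        self.refused = 0         # SYNs turned away because the backlog was full

    def half_open_count(self):
        return sum(len(q) for q in self.half_open.values())

    def _expire(self, now):
        for src, q in list(self.half_open.items()):
            while q and now - q[0] > self.timeout:
                q.popleft()                        # half-open slot timed out
            if not q:
                del self.half_open[src]

    def handle(self, now, src, kind):
        self._expire(now)
        q = self.half_open.setdefault(src, deque())
        if kind == "SYN":
            if self.per_src_limit is not None and len(q) >= self.per_src_limit:
                return "dropped"          # mitigation: cap half-open slots per source
            if self.half_open_count() >= self.backlog:
                self.refused += 1
                return "refused"          # backlog exhausted: the denial of service
            q.append(now)
            return "half-open"
        if kind == "ACK" and q:
            q.popleft()
            self.established += 1
            return "established"
        return "ignored"

def run(events, **kw):
    """Replay the events; return (established, refused, half-open slots at the end)."""
    srv = Listener(**kw)
    for ev in events:
        srv.handle(*ev)
    return srv.established, srv.refused, srv.half_open_count()
```

`run(EVENTS)` shows the second legitimate client being refused once the backlog is full; `run(EVENTS, per_src_limit=8)` shows the same traffic with the flood confined to eight slots and both legitimate clients completing.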
Application attacks
These are the ones that try to crash the web server. They consist of seemingly legitimate and innocent requests, and include forms of attack that target vulnerabilities in Apache, Windows or other software.
How to identify attacks
Having illustrated the main types of attack, we must now explain how to identify them. Just as with a disease, it is good to know the symptoms: the most obvious is a site or service that suddenly becomes slow or unavailable. But since a number of causes (such as a legitimate traffic spike) can produce similar performance problems, further investigation is usually needed. Traffic analysis tools can help spot some of the telltale signs of a DDoS attack.
Another symptom is a suspicious amount of traffic coming from a single IP address, or an unexplained increase in requests to a single page. There may also be anomalous traffic at unusual times of day, or patterns that look unnatural (such as a peak every 10 minutes). Other, more specific signs of a DDoS attack vary depending on the type of attack.
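As an added example (not from the original article), the following checks two of the symptoms just listed against web access logs: one source producing far more requests than the typical client, and one page drawing an outsized share of all requests. The log lines are constructed in common log format with documentation IP ranges, and the thresholds (10 times the median per-IP count, half of all requests) are assumptions to be tuned to a real site’s baseline.

```python
import re
from collections import Counter
from statistics import median

# Constructed access-log lines (common log format); not real traffic.
LEGIT = [
    '203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2021:10:00:09 +0000] "GET /products HTTP/1.1" 200 2048',
    '203.0.113.6 - - [10/Mar/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Mar/2021:10:00:15 +0000] "GET /contact HTTP/1.1" 200 700',
    '203.0.113.7 - - [10/Mar/2021:10:00:04 +0000] "GET /products HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2021:10:00:31 +0000] "GET /cart HTTP/1.1" 200 900',
]
# One source hammering the login page: 60 requests inside the same minute (constructed).
FLOOD = [f'198.51.100.9 - - [10/Mar/2021:10:00:{i:02d} +0000] "POST /login HTTP/1.1" 401 128'
         for i in range(60)]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse(lines):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield {"ip": m[1], "ts": m[2], "method": m[3], "path": m[4], "status": int(m[5])}

def analyse(records, ip_factor=10, path_share=0.5):
    """Return (noisy_ips, hot_paths): sources sending at least ip_factor times the
    median per-IP request count, and paths receiving at least path_share of all
    requests. Both are the symptoms the text describes, measured against a baseline."""
    records = list(records)
    if not records:
        return {}, {}
    by_ip = Counter(r["ip"] for r in records)
    by_path = Counter(r["path"] for r in records)
    baseline = median(by_ip.values())
    noisy_ips = {ip: n for ip, n in by_ip.items() if n >= ip_factor * baseline}
    hot_paths = {p: n for p, n in by_path.items() if n / len(records) >= path_share}
    return noisy_ips, hot_paths

if __name__ == "__main__":
    print(analyse(parse(LEGIT + FLOOD)))
```

On the legitimate lines alone nothing is flagged; with the flood appended, the single source and the login page both stand out, which is the signal to investigate before deciding whether it is an attack or a legitimate spike.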
Different types target different components of a network connection. To understand how they work, you need to know what a network connection is like. It is made up of many different components or “layers,” each of which has a different purpose.
It follows, for example, that DDoS attacks at layers 3 and 4 are usually volumetric attacks on the network infrastructure. They rely on extremely large volumes of data to slow down web server performance, consume bandwidth and ultimately degrade legitimate users’ access.
A layer 7 attack is designed to overload specific elements of an application server’s infrastructure. These attacks are particularly complex, stealthy and hard to detect because they resemble legitimate web traffic. Even the simplest ones, such as those that hammer login pages with user IDs and passwords or run repeated random searches on dynamic websites, can critically overload CPUs and databases.
As mentioned, the effects of a DDoS attack can be devastating, both because of the power they can deliver and because of the inherent difficulty of mitigating them quickly (short of subscribing to a dedicated mitigation service).
CLUSIT itself reports that the DDoSaaS (DDoS as a Service) market has grown: the service costs around 5-10 dollars a month for a botnet capable of delivering a 5-10 minute attack at over 100 Gbps.
The Italian Association for Information Security also highlights in its report which sectors are hit most often by DDoS attacks. Although many are affected, the ones most exposed to risk are finance/insurance and the services sector: they are the target in 54% of cases.
The average duration of an attack has decreased, partly thanks to growing awareness among victims and investment in tools capable of protecting them. Thus, in 93% of cases the attack lasted less than 3 hours.
Protect yourself from denial of service attacks
Having defined the attacks, it remains to understand what concrete actions can be taken to strengthen corporate security and protect against DDoS as far as possible.
We can illustrate some useful actions, with one premise: pay attention to the symptoms. Prevention starts with attention to the anomalies illustrated above.
The first tip: implement solid network monitoring practices. To mitigate DDoS threats, you need to know when you are about to be hit. This means deploying technology that lets you monitor your network visually and in real time. Know how much bandwidth your site uses on average so you can tell when something is abnormal.
DDoS attacks give visual clues, and if you are familiar with your network’s normal behaviour you are more likely to spot them in real time.
Second: ensure a basic level of security against DDoS threats. This includes the use of strong passwords, the requirement to reset passwords periodically (at least once every two months), and avoiding storing or copying passwords to the clipboard. It may sound trivial, but it is alarming how many companies are compromised by neglecting basic security hygiene.
Third: set thresholds and traffic limits, such as rate limiting on your router and filters on packets from suspicious sources.
Fourth: keep your security infrastructure up to date. Given the speed at which technology and its pitfalls evolve, it is critical to keep your data center and systems up to date and to patch your web application firewalls and other network security software.
Fifth: anticipate the moves. Prepare a response plan in good time so that impact can be minimized. It should include a tool checklist; a ready team with clearly defined roles and responsibilities to act once the attack is detected; clear rules on who to warn and involve in case of danger; and a communications plan to quickly alert everyone in the event of an attack.
Sixth: ensure sufficient server capacity. Since volumetric DDoS attacks work by overloading network bandwidth, one way to counter them is to make sure your server capacity can handle heavy traffic spikes by adding bandwidth, so that you are ready to deal with the threat.
Seventh: explore cloud-based DDoS protection solutions. The cloud provides more bandwidth and resources than private networks; cloud data centers can absorb malicious traffic and disperse it to other areas, preventing attackers from achieving their goals.
Eighth: call a professional whenever needed. Improvisation can be very expensive.