DDoS – or distributed denial-of-service attacks – first came to prominence in the late 1990s. Even now, they are one of the biggest threats to any organization doing business on the internet.
What is DDoS?
Distributed denial-of-service (DDoS) attacks are a way of attacking online infrastructure, including websites and online applications, by overwhelming the host servers.
This prevents legitimate users from accessing the services.
The term ‘distributed’ refers to the way these attacks invariably come from a large number of compromised computers or devices.
“They can be a relatively simple type of attack to trigger and for sites without enough protection very effective”, says Gemma Allen, senior cloud security architect at Barracuda Networks.
The aim is to interrupt normal operation of the application or site, so it appears offline to any visitors.
“A DDoS puts so much traffic in the queue that your browser thinks the site is offline, and gives up,” says Brian Honan, Dublin-based security expert at BH Consulting. “The legitimate traffic can’t get through.”
What are the aims of a DDoS attack?
The purpose might be blackmail, to disrupt a rival business, a protest (DDoS attacks are frequently associated with hacktivist groups) or as part of a nation-state backed campaign for political, or even quasi-military aims.
The 2007 attack on Estonia was a DDoS attack.
Security researchers also point to DDoS attacks being used as a diversion, allowing hackers to launch other exploits against their targets, for example to steal data. This is what is believed to have happened during the attack on TalkTalk in 2015.
And, as Tim Bandos, vice president of cybersecurity at Digital Guardian, warns, DDoS attacks are not limited to online applications or websites. Any internet-connected device is at risk.
That broadens the attack surface to critical national infrastructure, including power and transportation, and the internet of things (IoT) devices.
How does a DDoS attack work?
“In their simplest form, DDoS attacks work by flooding a service with more of something than it can handle,” says Barracuda’s Allen.
“Of course, in reality, it’s not this simple, and DDoS attacks have been created in many forms to take advantage of the weaknesses.”
Allen explains that an attacker will start out with a discovery phase, setting out to identify weakness in the target site or application. They might even use a different form of DDoS to cover up that activity.
Then the attacker choses the best tool to exploit the site. They might buy an exploit on the dark web, or create their own.
On their own, though, most denial-of-service malware will have a limited impact on a well-resourced server. A DDoS attack works by operating at scale.
As Joseph Stalin supposedly said of the Red Army during WW2, “quantity has a quality all [of] its own”. So with DDoS. The exploits themselves are simple, but launch enough of them and they will overwhelm even the best systems.
To do this attackers build, or buy, a large enough “Zombie network” or botnet to take out the target. Botnets traditionally consisted of consumer or business PCs, conscripted into the network through malware. More recently, internet of things devices have been co-opted into botnets.
It’s claimed, for example, that the Marai botnet can be rented for $7,500 per attack.
“If we look at the DynDNS attack of 2016, one of the largest DDoS attacks to date, the attack occurred in phases,” says Allen.
“It first appeared in a single region and then expanded to a concerted global effort from millions of computers that had been breached and turned into a botnet.”
Types of DDoS attacks
A DDoS attack ranges from the accidental – genuine users overwhelming the resources of popular sites, such as in a ‘Reddit hug of death’ – to sophisticated exploits of vulnerabilities.
Simple attacks include the ‘Ping of Death’ – sending more data to the host than the Ping protocol allows, or Syn Flood, which manipulates TCP connection handshakes.
More recent and sophisticated attacks, such as TCP SYN, might attack the network whilst a second exploit goes after the applications, attempting to disable them, or at least degrade their performance.
James Smith, head of penetration testing at Bridewell Consulting, points to three common forms of DDoS attacks:
- Volumetric attacks
- Protocol attacks
- Application (layer) attacks
“All of these render the targets inaccessible by depleting resources in one way or another,” he says.
One of the largest, and most damaging, forms of DDoS is now the UDP amplification attack. UDP is spoof-able. And, as Corey Nachreiner, chief technology officer at WatchGuard Technologies points out, very small UDP requests can generate large bandwidth attacks.
“UDP amplification gives threat actors asymmetric DDoS power. The most recently discovered UDP amplification attacks can magnify the traffic of one host by a factor of 10,000 or more. When combined with traditional botnets, this gives attackers enough DDoS power to affect ISPs.”
Currently, a memcached UDP amplification attack – which don’t need botnets – holds the DDoS record, with 1.7tbps of bandwidth.
What is the impact of a DDoS attack?
A DDoS attack affects victims in a number of ways:
- Damage to reputation
- Damage to customer trust
- Direct financial losses
- Impact on critical services
- Impact on third parties and ‘collateral damage’
- Data loss
- The direct and indirect cost of restoring systems
What is the cost of a DDoS attack?
According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million.
Another report, by Netscout, calculates that the combined annual costs of DDoS attacks to the UK economy is close to £1 billion ($1.3 billion).
Akamai, another vendor in the space, publishes an online DDoS cost calculator.
The exact cost of a DDoS attack will, though, depend on the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy. This could range from a few tens of thousands of dollars to millions.
In the case of a nation-state attack or an attack on critical national infrastructure, the cost could be far higher – leading to social unrest or even the loss of life.
So far, no deaths have been attributed directly to DDoS attacks, but the economic impact is all too real.
How long does a DDoS attack last?
Again, this depends on the attacker, the target and their defenses. An attack might succeed in just a few moments, if the victim’s servers have few defenses. But the consensus in the industry is that an attack will last up to 24 hours.
According to Cloudflare, the largest DDoS attack – so far – against GitHub lasted about 20 minutes, due to the effectiveness of the site’s defenses.
If an attack does not take down the target in 24 hours, it does not mean the victim’s sites or applications are safe. Attackers can simply move on to another botnet, and try again with more data, or by using a different range of exploits.
Are DDoS attacks illegal?
“In the UK the Computer Misuse Act 1990 ‘makes it illegal to intentionally impair the operation of a computer or prevent or hinder access to a program/data on a computer unless you are authorized to do so’. As a result, these types of attacks are criminal under UK law,” says Bridewell Consulting’s Smith.
But law enforcement can only act if they can find the attacker. “The biggest challenge can be finding the people to prosecute,” says Barracuda’s Allen.
“The attacks are distributed and the attacking devices are often unwitting parties. The true attackers are hard to trace and while they may claim an attack, it’s not like they give out their real names.”
Recent DDoS attacks
Not all DDoS attacks are in the public domain, but here are some that made the headlines:
- UK Labour Party, November 2019: Hacker group Lizard Squad claimed responsibility for an attack which attempted – but failed – to take down the political party’s website.
- Wikipedia, September 2019: The site was subject to a three-day long attack, which took it offline in EMEA and slowed it down in the US and Africa
- Telegram, June 2019: This attack is attributed mostly to China-based IP addresses
- UPNProxy, November 2018: the Eternal Blue and Eternal Red attacks involved 45,113 infected routers.
- GitHub, February 2018: Still cited as the largest-ever DDoS attack, at a massive 1.7tbps.
- Dyn, 2016: Attack against US DNS provider, best known because the attack used IoT devices running Mirai malware
How to prevent a DDoS attack from happening
Dozens of vendors offer web application firewalls (WAFs), often directly through hosting providers, with the cost starting at just a few dollars a month. Businesses can also implement hardware-based DDoS mitigation hardware, at their network edge.
At the enterprise scale, the large distributed network companies, such as Akamai and Cloudflare, offer high-end, distributed DDoS protection. So do vendors, such as Verisign, HPE, and Cisco.
The most basic defense against DDoS is a DIY approach, monitoring and then shutting down requests from suspect IP addresses.
Although this approach is largely free, Brian Honan warns it is unlikely to be effective, especially against sophisticated, large-scale attacks. He also recommends that organizations place their defenses as far away as they can from their servers.
“You might be able to deal with a DDoS in your datacenter, but all of your internet pipe will be used up. So it is questionable how effective that will be,” he said.
Planning is another key element of any DDoS mitigation strategy.
“Having a plan and procedure in place in case of a DDoS attacks is paramount and having monitoring capabilities in place to detect attacks is highly advised,” says Bridewell’s James Smith.
“Organizations also need to have a well implemented patching policy and ensure anything externally facing is up-to-date to help guarantee that any service software that may contain DDoS vulnerabilities is patched in a timely manner.”