Introduction

While DDoS attacks have existed for over two decades now, the increasing digitalisation of enterprises in recent years and the proliferation of the myriad connected devices that comprise the IoT have considerably expanded the potential attack surface for attackers. A recent report indicated that there has been a 200% increase in DDoS attacks in the first part of 2023 from 2022, with telecommunications companies proving a prime target for attackers. 

The basic aim of DDoS attacks is to disrupt the normal functioning of the target system, network or online service, rendering it unavailable to its intended users. These attacks involve multiple compromised devices, often spanning geographies, which collectively generate a flood of internet traffic that overwhelms the target. These devices are typically part of a botnet, a network of infected computers controlled by the attacker. IoT devices that lack robust security are more susceptible to compromise and inclusion in botnets. Since DDoS attacks affect not only the target but also the intermediary networks and systems through which the attack traffic flows, they can cause collateral damage for all entities involved.

DDoS attacks can cause disruption of services that result in lost revenue, damage to brand reputation and customer dissatisfaction. The financial impact can be severe in terms of costs incurred by companies for mitigation, infrastructure upgrades and possible legal liabilities, and – sometimes – the need to pay a ransom for discontinuation of the attack.

Organisations must implement robust security measures, including DDoS mitigation strategies, to defend against these attacks and ensure the availability and reliability of their online services. But modern DDoS attacks, like other cyberattacks, are becoming increasingly sophisticated and are easily scaled to enormous proportions, making them difficult to detect and mitigate. Even as mitigation solutions are found, attackers devise innovative ways to evade them, posing a significant challenge for cybersecurity professionals. In this blog we will take a look at the various types of DDoS attacks, their implications and how organisations can protect against them.

For a crime to occur (and make no mistake, DDoS attacks are crimes) three elements must be present: means, opportunity and motive.

Top sources of HTTP DDoS attacks

Now, let's look at the top sources of HTTP DDoS attacks:

  • Botnets: Networks of compromised devices (e.g., computers, smartphones) are commonly used to launch HTTP DDoS attacks. 
  • Proxy servers: Attackers often use proxy servers to mask their IP addresses and distribute attack traffic. This allows them to amplify their impact while hiding their true origin.
  • Distributed networks: Large-scale networks or cloud services can be hijacked to distribute attack traffic. These networks have substantial bandwidth and can amplify the attack's scale, making it harder to mitigate.
  • Vulnerable applications: Web applications with security flaws or inadequate protections can be targeted. Attackers exploit these weaknesses to send high volumes of HTTP requests, overwhelming the server.

A brief history of DDoS attacks

The first known Distributed Denial of Service (DDoS) attack occurred in 1996 when Panix, an early internet service provider, was disrupted by a SYN flood, a technique still used in DDoS attacks today. Since then, DDoS attacks have become increasingly common. 

Moreover, the scale of these attacks has also grown. Initially, DDoS attacks could overwhelm systems with just one gigabit per second of traffic. Now, peak attacks exceed one terabit per second, driven by large botnets—networks of compromised devices used to launch massive attacks. 

The cost of DDoS attacks

Distributed Denial of Service (DDoS) attacks are increasingly becoming costly for businesses. In 2023, the average DDoS attack lasted 68 minutes and cost unprotected organisations around $6,000 per minute, totaling an average of $408,000 per attack. Additionally, the length of these attacks has dramatically increased, rising from an average of 24 minutes in the first quarter to 121 minutes in the fourth quarter of 2023.

Three actionable strategies for proactive and effective DDoS protection

As cyber threats continue to evolve, taking proper measures to tackle DDoS attacks is essential. Here are three actionable strategies to help you proactively protect your organisation:

1. Proactively prepare with a DDoS protection posture.

First and foremost,

  • Secure critical assets: Ensure all key subnets and IP spaces have DDoS mitigation controls.
  • Deploy always-on protection: Implement continuous DDoS protection to prevent emergencies and reduce the load on your team.
  • Build a response team: Set up a crisis response team and keep incident plans updated.

2. Shield your DNS infrastructure.

Your Domain Name System (DNS) is a prime target for DDoS attacks. Protect it by:

  • Using a hybrid platform: Implement a solution that safeguards your DNS zones both on-premises and in the cloud against various attacks, such as DNS floods.
  • Managing policies efficiently: Use tools that let you easily manage DNS policies and IP allow lists while providing real-time analytics.
  • Enhancing DNS performance: Choose a solution with a distributed network to ensure quick responses to user requests from the nearest location.

3. Don't rely on solutions that are "good enough."

Avoid complacency with your current security measures:

  • Assess your protection: Refrain from assuming your existing DDoS and DNS defenses are adequate. Ensure your protection is up-to-date and robust.
  • Beware of inadequate solutions: Be cautious with low-cost or "freemium" services that may seem attractive but often hide essential features behind additional costs.
  • Stress-test your defences: Regularly test both your technology and processes to ensure they meet high-security standards.

Types of DDoS attacks

Application layer DDoS attacks

These attacks target specific software applications. Also called "layer 7 attacks," these attacks use server and network resources, making them more disruptive while using less bandwidth overall. The attacker sends requests that look like they are from legitimate users but are designed to exploit vulnerabilities within an application, making it unavailable to service the end-users' requests.

  • ACK floods: An ACK flood is a DDoS attack in which the attacker sends a large number of ACK packets to a victim's system. An ACK is a Transmission Control Protocol (TCP) message confirming data receipt. ACK flood attacks exploit the fact that ACK packets can be spoofed, meaning the source IP address of the ACK packets can be forged to hide the attacker's real address. The victim's system sends ACK packets back to the attacker, consuming bandwidth and resources, ultimately making it unavailable to serve legitimate user requests.
  • BGP hijacking: As the primary protocol for routing traffic across the Internet, the Border Gateway Protocol (BGP) is a critical component of global network infrastructure. However, BGP is also susceptible to hijacking attacks, in which an attacker impersonates a legitimate network and uses its prefix to redirect traffic. When other networks accept this spoofed information, traffic is sent to the attacker instead of where it was initially intended. This application-layer DDoS attack can have devastating consequences, as it prevents users from accessing essential services or leaks sensitive data.
  • CharGEN flood: CharGEN is an ancient protocol that can be exploited to conduct DDoS amplification attacks. During a CharGEN amplification attack, small packets carrying the spoofed IP address of a victim's target server are sent out to Internet-connected devices with the CHARGEN protocol enabled. In response, the internet-facing devices send UDP packets to the target server, which gradually exhausts its resources due to its inability to interpret them.
  • DHCP Discover reflection/amplification: Reflection/amplification attacks can occur on DVRs, surveillance cameras, and other embedded devices that use the DHCPDiscover protocol, based on the User Datagram Protocol (UDP) and JavaScript Object Notation (JSON). If these devices are misconfigured, they respond to every DHCPDiscover packet they receive, amplifying the original request by a factor of 25. A small number of DHCPDiscover packets sent to a large number of devices can cause those devices to consume link bandwidth and decrease the capacity of the targeted system to react to network traffic.
  • DNS flood: DNS flood DDoS attacks are usually launched using a botnet that sends many DNS requests to the target DNS server to overload it and cause it to fail. This attack targets Domain Name System (DNS) servers, disrupting DNS resolution for a particular domain. DNS servers are responsible for resolving DNS queries, so a DNS flood DDoS attack can cause significant disruptions for internet users.
  • DNS amplification: DNS servers are responsible for converting human-readable domain names into IP addresses. However, they can be tricked into sending large amounts of data in response to a small DNS query. Attackers can exploit this by sending a DNS request with a spoofed source address that points to the victim's IP address. The DNS server will then send a DNS response to the victim, amplifying the size of the original DNS query by up to 50 times. The result is an effective Distributed Denial of Service (DDoS) attack, as the victim's DNS servers are overwhelmed with DNS responses.
  • Fraggle attack: A Fraggle is a DDoS attack in which an attacker sends large amounts of UDP traffic to a router's broadcast network. The target server tries to respond, but an overwhelming number of packets continue to arrive. The increased activity causes the server to become less responsive over time. A Fraggle attack is similar to a Smurf attack, but instead of using Internet Control Message Protocol (ICMP) traffic, it uses UDP traffic.
  • HTTP flood: HTTP Flood is a volumetric DDoS attack targeting servers and apps hosted on Hypertext Transfer Protocol (HTTP), the protocol used to communicate between browsers and web servers. HTTP Flood attacks work by sending many HTTP GET or POST requests to a target server or app. The target is overwhelmed with these spurious requests, preventing it from responding to legitimate requests. 
  • ICMP flood: The Internet Control Message Protocol (ICMP) stack is much like UDP and lacks an end-to-end data exchange process. As a result, detecting an ICMP Flood attack can be more difficult. A large number of fake ICMP packets are sent out from different source IP addresses by the attacker. When the server is inundated with spoofed ICMP packets, its resources are depleted as it attempts to process these requests. This overload either restarts the server or significantly impacts its performance.
  • ICMP fragmentation: IP fragmentation refers to dividing IP datagrams into smaller packets to send them over a network while adhering to the size constraints imposed by that network. These pieces reassemble to form the original datagram at the end. In an ICMP fragmentation attack, the attackers send fake IP fragments that can't be put back together again (defragmented). As a result, the fragments are kept in temporary storage, where they consume memory and, in some instances, deplete available memory resources on the target system.
  • IP null: In IP Null DDoS attacks, the attacker sends many IP packets with the IPv4 header field set to zero. The victim's computer cannot determine which transport protocol (TCP/UDP) is being used, causing it to waste computing resources, and ultimately, it becomes incapable of processing legitimate traffic.
  • Land DDoS attack: Local Area Network Denial (LAND) attack is a distributed denial of service (DDoS) attack targeting a network using TCP SYN packets in which the source and destination IP address and port are the same. Because of this, the target processes the packets in an endless loop, eventually crashing or becoming unresponsive.
  • Low and slow attack: A low and slow attack is a DDoS attack that uses very slow HTTP or TCP traffic to stop a web service. Data is sent slowly but fast enough to ensure the server does not time out. This type of DDoS attack goes after the server and application resources and makes it difficult to tell it apart from the regular traffic.
  • Memcached attack: This is an attack in which the attacker sends fake requests to the target's Memcached server, flooding the victim with internet traffic. Most of the time, the target's resources can not handle all of this traffic. New requests cannot be addressed, and legitimate users can not access the resource.
  • Misused application attack: Instead of using fake IP addresses, this DDoS attack takes advantage of real client computers running programs that use many resources, like P2P tools. The traffic from these clients is redirected to the target server so the attackers can bring it down by overloading it with excessive processing load. Because the traffic comes from actual devices that the attackers have already hijacked, this DDoS attack is difficult to detect and mitigate.
  • Multi-vector DDoS attack: Multi-vector DDoS attacks are more difficult to defend against than traditional ones because they come from multiple sources and target different parts of the victim's network. These attacks use numerous vectors or attack methods to target a single victim. The most common type of multi-vector DDoS attack is a combination of SYN floods, UDP floods, and ICMP floods.
  • NTP amplification: NTP amplification attacks are distributed denial of service (DDoS) attacks that abuse the Network Time Protocol (NTP). NTP is a protocol used to synchronise clocks across computer networks. Attackers can exploit NTP servers to amplify the amount of UDP traffic directed at a victim's system, making it and its surrounding infrastructure inaccessible to regular traffic.
  • Ping of Death: Hackers use Ping of Death to flood a computer system with "echo request" packets larger than the maximum size allowed, causing the target machine to freeze and resulting in a denial of service. Even though the Ping of Death attack is not as common as it used to be, businesses still need to be aware of it and take steps to protect themselves from it.
  • Protocol attacks: Protocol attacks exploit vulnerabilities in network protocols, such as TCP, UDP, and DCCP. These attacks consume the computing power of the network resources by targeting layer 3 and 4 communication protocols with malicious connection requests. 
  • Ransom attack: Ransom DDoS attacks have an extortion component, where payment is sought by threatening the target with a DDoS attack. The extortionists may launch a DDoS attack and then send a ransom note demanding money to stop the attack, or they may threaten a DDoS attack in the ransom note before launching the attack. Ransom DDoS attacks are relatively easy to execute, given the low technical skills required to carry them out. Yet, they pose a substantial risk to enterprises.
  • R U Dead Yet?: 'R U Dead Yet?' or RUDY is a DoS attack tool that uses low-and-slow DDoS attacks to tie up a web server. The attack focuses on making a small number of long-form field submissions instead of making a lot of quick requests.
  • Single request HTTP flood: Attacks like Single Packet HTTP Flood were developed to work around defence systems that block numerous incoming packets. These attacks exploit the feature of HTTP that allows multiple client requests in the same HTTP session. By sending out a few packets at a slow rate, a server's resources can be slowly used up without anyone noticing.
  • Slowloris DDoS attack: Slowloris is a type of DDoS attack that works by flooding a server with a large number of incomplete HTTP requests. The target server must now keep track of all the open connections, which use up its resources and prevents other people from using it. Slowloris attacks are notoriously hard to defend against because they only need a few computers.
  • Smurf DDoS attack: A smurf attack or 'Smurfing' is a DDoS attack in which an attacker attempts to flood a target system with ICMP traffic. The name "Smurf" comes from this type of attack using the Smurf malware, which can generate large amounts of ICMP traffic. Smurfing is a relatively simple DDoS attack, but it can disrupt services and bring down websites.
  • SYN flood: SYN flood attacks use SYN packets to a target system to attempt to overload it. The SYN packet is a Synchronise packet used to initiate a TCP connection. When the attacker sends multiple SYN packets, the target system becomes overloaded and cannot process legitimate requests.
  • UDP flood: A UDP flood is a DDoS attack in which the attacker sends UDP packets to a target's IP address. The target server will then attempt to process these UDP packets, ultimately overwhelming it. UDP floods are difficult to defend against because the UDP protocol does not require that the sender has a valid IP address. As a result, UDP floods can be difficult to trace back to the attacker.
  • VoIP flood: VoIP flood DDoS is an attack that exploits VoIP systems to flood the network with spurious requests, resulting in a denial of service for legitimate users. VoIP Flood attacks are usually initiated by malware that has infected the VoIP system or by hackers who have gained access to the system. Once the attacker has control of the VoIP system, they can use it to generate a large number of call requests, overwhelm the network, and prevent legitimate users from being able to make or receive calls.
  • Volumetric attack: These are the most common DDoS attacks, which rely on overwhelming the victim with traffic. The attacker will send large amounts of data to the target, using up bandwidth and causing the site to crash. Examples of volumetric attacks include UDP floods and ICMP floods.
  • Zero-day attack: Zero-day DDoS attacks can be devastating. A Zero-day is an unpatched security vulnerability that hackers can exploit by launching a DDoS attack against a target before it can be patched. This attack can be tough to defend against because the target will not have time to prepare or anticipate the attack. Zero-day DDoS attacks often result in downtime for the target, financial loss, and a damaged reputation.
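Several of the entries above (CharGEN, DHCP Discover, DNS amplification, NTP amplification, Memcached) share one mechanism: a reflector sends a large reply to a host that never asked for it. From the victim's side that gives a simple, protocol-agnostic detection signal: inbound replies from reflector ports with no matching outbound query. The following is an added example, not code from the original post; it works on constructed flow tuples rather than captured traffic, and the port-to-service map, thresholds and the `203.0.113.0/24` "our network" range are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Standard UDP service ports of the reflector services named in the list above.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CharGEN", 11211: "Memcached", 67: "DHCP"}

# Constructed flow records (not captured data): (direction, src_ip, dst_ip, service_port, bytes).
# direction is "out" (leaving our network, 203.0.113.0/24) or "in" (arriving).
# service_port is the remote service port: dst port for "out", src port for "in".
SAMPLE_FLOWS = [
    ("out", "203.0.113.10", "198.51.100.53", 53, 60),    # our resolver asks a question
    ("in",  "198.51.100.53", "203.0.113.10", 53, 180),   # solicited answer
    ("out", "203.0.113.10", "198.51.100.53", 53, 62),
    ("in",  "198.51.100.53", "203.0.113.10", 53, 240),
    ("in",  "198.51.100.1", "203.0.113.80", 53, 3200),   # web server never asked: reflected
    ("in",  "198.51.100.2", "203.0.113.80", 53, 3200),
    ("in",  "198.51.100.3", "203.0.113.80", 53, 3000),
    ("in",  "198.51.100.1", "203.0.113.80", 53, 3200),
    ("in",  "198.51.100.4", "203.0.113.80", 53, 2800),
    ("in",  "198.51.100.7", "203.0.113.80", 123, 468),   # two stray NTP replies, below threshold
    ("in",  "198.51.100.8", "203.0.113.80", 123, 468),
    ("out", "203.0.113.10", "198.51.100.9", 123, 48),    # legitimate NTP exchange
    ("in",  "198.51.100.9", "203.0.113.10", 123, 48),
]


@dataclass
class ReflectionReport:
    victim: str
    service: str
    unsolicited_packets: int = 0
    unsolicited_bytes: int = 0
    reflectors: set = field(default_factory=set)


def detect_reflection(flows, min_packets=3, min_reflectors=2):
    """Flag internal hosts receiving replies from reflector services they never queried.

    flows must be in chronological order. Each outbound query to a reflector port
    is remembered; an inbound reply consumes one pending query. Replies with no
    pending query are counted as unsolicited (i.e. reflected) traffic per victim
    and service. A report is emitted only when both thresholds are exceeded, so a
    couple of stray packets do not raise an alert.
    """
    pending = defaultdict(int)   # (our_host, reflector, port) -> queries awaiting a reply
    reports = {}
    for direction, src, dst, port, size in flows:
        if port not in REFLECTOR_PORTS:
            continue
        if direction == "out":
            pending[(src, dst, port)] += 1
            continue
        key = (dst, src, port)
        if pending[key] > 0:
            pending[key] -= 1        # reply we asked for
            continue
        rep = reports.setdefault((dst, port), ReflectionReport(dst, REFLECTOR_PORTS[port]))
        rep.unsolicited_packets += 1
        rep.unsolicited_bytes += size
        rep.reflectors.add(src)
    return [r for r in reports.values()
            if r.unsolicited_packets >= min_packets and len(r.reflectors) >= min_reflectors]


if __name__ == "__main__":
    for r in detect_reflection(SAMPLE_FLOWS):
        print(f"{r.victim}: {r.unsolicited_packets} unsolicited {r.service} replies "
              f"({r.unsolicited_bytes} bytes) from {len(r.reflectors)} reflectors")
```

In practice the flow tuples would come from NetFlow/IPFIX or a packet capture at the edge, and the same query/reply matching can be done per DNS transaction ID or NTP origin timestamp for higher precision. Memcached is included because its reflected replies are by far the largest; the other services in the map are the ones the list above names.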

How to detect signs of a DDoS attack?

  • Unusually high network traffic and unexplained sources: One of the most apparent signs of a DDoS attack is a sudden and significant increase in network traffic. This traffic surge can overwhelm your network infrastructure. Monitor your network traffic patterns and sources, e.g., unexpected countries of origin. Irregular spikes or unusual patterns in incoming traffic indicate a possible attack. Performing a deep packet inspection to analyze the type and origin of incoming traffic can help differentiate legitimate traffic from malicious traffic.
  • Website slowness or inaccessibility: If your website or online services become slow or completely unavailable to users, this could be due to a DDoS attack. However, during seasonal holidays or festivals, a surge in traffic needs more critical analysis as it could be caused by bandwidth limitation rather than a DDoS attack. Provisioning for additional bandwidth or advanced CDN services can come in handy during such times and prevent confusion.
  • Service disruptions with increased error rates: Check for service disruptions in critical systems such as email, database, or cloud services. If users experience difficulties accessing these services, this could be due to a DDoS attack. Check for a significant increase in error messages or HTTP error codes, such as 503 (Service Unavailable) or 504 (Gateway Timeout). "Service Unavailable" errors during cart checkout can impact your revenue realization significantly.
  • Unwanted bot traffic: DDoS attacks often employ botnets. Being vigilant for indicators of elevated bot traffic, such as a notable increase in automated, non-human visitors to your website, can go a long way in protecting against botnet-based DDoS attacks. Scrutinize patterns of traffic originating from automated software/bots programmed to execute repetitive, often straightforward tasks online. These seemingly inconspicuous points can develop into potential weak links in your system's defense, potentially leading to collateral damage. For instance, if your login process lacks additional security measures (e.g., captcha challenges or image recognition), it can render your critical systems susceptible to security threats.
  • Resource depletion: DDoS attacks can target specific server resources such as CPU or memory. Monitor resource utilization; if it's consistently high, this could signify an ongoing attack. Resource-hungry business processes such as ERP or advanced analytics/computing processes can take significant hits when CPU or memory are depleted.
  • ISP alerts: Collaborate closely with your Internet Service Provider (ISP), who might be able to detect unusual traffic patterns and alert you to a potential DDoS attack. In the event of a severe DDoS attack, contact your ISP and share traffic data with them. They may be able to help mitigate the attack closer to its source. Engage with your ISP early on to get expert help.
  • Monitoring tools and anomalous user behaviour: Use specialized DDoS detection and mitigation tools to automatically identify and respond to irregular traffic patterns from both external and internal user behavior. You can choose to use an in-house DDoS mitigation solution or a similar service via the cloud, or even use hybrid options, depending on your needs.
  • Rate limiting and traffic filtering: Implement rate limiting and traffic filtering to block or restrict traffic from suspicious sources, which can help mitigate the impact of the attack. However, this approach can have the drawback of restricting legitimate traffic as well.
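Several of the signs above (a surge from a few sources, a rising share of 503/504 responses, automated user agents) are visible in an ordinary web server access log, and the rate-limiting step can be applied to the same stream. The following is an added example, not code from the original post: it parses constructed combined-log-format lines, reports the top sources, error rate and bot share, and applies a per-source sliding-window limiter. The log lines, the bot user-agent markers and the limit of 5 requests per 10 seconds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed access-log lines in the combined log format; not real traffic.
# 203.0.113.5 hammers /login with an automation client; two browser users browse normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 1043 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 1043 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 1043 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"
198.51.100.21 - - [10/Oct/2023:13:55:38 +0000] "POST /checkout HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /login HTTP/1.1" 504 0 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /cart HTTP/1.1" 503 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"
198.51.100.21 - - [10/Oct/2023:13:55:41 +0000] "GET /cart HTTP/1.1" 200 2200 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings typical of scripted clients; an empty or "-" user agent is treated the same way.
BOT_MARKERS = ("python-requests", "curl/", "go-http-client", "wget/")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> timestamps of allowed requests

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()                  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False                 # throttle: window already full
        q.append(ts)
        return True


def analyze(log_text, limit=5, window=10):
    """Summarise DDoS indicators in an access log and count what the limiter would throttle."""
    limiter = SlidingWindowLimiter(limit, window)
    per_ip = Counter()
    total = errors = bots = throttled = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        per_ip[rec["ip"]] += 1
        if rec["status"] in (503, 504):
            errors += 1
        ua = rec["ua"].lower()
        if ua in ("", "-") or any(marker in ua for marker in BOT_MARKERS):
            bots += 1
        if not limiter.allow(rec["ip"], rec["ts"]):
            throttled += 1
    return {
        "total": total,
        "top_sources": per_ip.most_common(3),
        "error_rate": errors / total if total else 0.0,
        "bot_share": bots / total if total else 0.0,
        "throttled": throttled,
        "flagged": [ip for ip, n in per_ip.items() if n > limit],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The limiter only records requests it lets through, so a source that keeps hammering still gets exactly `limit` requests per window rather than being locked out forever; that is the trade-off the bullet above describes, since a shared NAT address of many legitimate users would be throttled the same way.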

Is it possible to forecast a DDoS attack?

While it's certainly possible to detect early signs or prepare to protect your organization from potential attacks, predicting a DDoS attack with accuracy is extremely difficult. However, there are some best practices that you can follow to help identify potential risks.

  • Historical data analysis: Analysis of attack patterns from previous attacks can help identify trends that suggest which industries or organizations are more likely to be targeted.
  • Threat intelligence: Security teams often rely on threat intelligence sources to stay informed about emerging threats and possible vulnerabilities. If you do not have an organized threat intelligence mechanism in-house, it would be advisable to engage a partner for this. Collaborating with other organizations or across your industry to share information about recent attacks and vulnerabilities is another proactive approach to security.
  • Monitoring and anomaly detection: Employing network monitoring and anomaly detection systems can help identify unusual traffic patterns or spikes that might indicate an ongoing or imminent DDoS attack. Without an intelligent 24/7 managed detection solution that gets live feeds from the net-flow.
  • Attack motivations and political factors: Understanding the motivations of potential attackers can sometimes provide insights—for instance, organizations involved in high-profile disputes, areas of political unrest, and countries at war are all cases where network traffic should be monitored more closely.
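The "monitoring and anomaly detection" point above amounts to comparing current traffic against a baseline built from recent history. The following is an added example, not code from the original post, of the simplest version of that: a rolling mean and standard deviation over per-minute request counts, with two guards a practitioner would want, a minimum ratio so that a modest seasonal bump is not reported, and exclusion of flagged values from the baseline so that a flood does not raise the bar for itself. The series, window sizes and thresholds are constructed for illustration.

```python
import statistics
from collections import deque

# Constructed per-minute request counts (not measured data): a flat baseline with
# small noise, a modest bump at index 20, then a sudden flood from index 21 on.
SAMPLE_SERIES = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96,
                 105, 101, 99, 103, 98, 100, 102, 97, 101, 100,
                 118, 900, 1250, 1100]


def detect_spikes(series, window=20, min_history=10, k=4.0, min_ratio=3.0):
    """Return (index, value, baseline_mean) for each point that is anomalous.

    A point is anomalous when it exceeds mean + k * stddev of the rolling
    baseline AND exceeds min_ratio * mean. The second guard matters when the
    baseline is very steady (stddev near zero), where a harmless bump would
    otherwise be far above mean + k * stddev. Anomalous points are not added to
    the baseline, so a sustained flood keeps being reported instead of becoming
    the new normal.
    """
    history = deque(maxlen=window)
    anomalies = []
    for i, value in enumerate(series):
        if len(history) >= min_history:
            mean = statistics.fmean(history)
            sd = statistics.pstdev(history)
            if value > mean + k * sd and value > min_ratio * mean:
                anomalies.append((i, value, round(mean, 1)))
                continue
        history.append(value)
    return anomalies


if __name__ == "__main__":
    for index, value, baseline in detect_spikes(SAMPLE_SERIES):
        print(f"minute {index}: {value} requests vs baseline {baseline}")
```

On the constructed series the 118 at index 20 passes quietly while minutes 21 to 23 are reported, each against a baseline that still reflects the pre-flood level. In a real deployment the same function would run over counts taken from NetFlow or access-log aggregation, ideally per service and per source region rather than only on the global total.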

Remember that early detection and rapid response are critical to mitigating the impact of DDoS attacks. Implementing a proactive cybersecurity strategy that includes monitoring, DDoS protection solutions, and an incident response plan to effectively handle such attacks when they occur goes a long way in ensuring the security of your organization.

DDoS & ransomware: Pay up or else…

The motivation for perpetrating distributed denial-of-service (DDoS) attacks ranges from a student playing a prank just because they can, all the way to financial gain, hacktivism, corporate sabotage attempts, cyber warfare and political agendas. Threatening an attack is used to extort money from businesses, while attacks have also been used as a diversionary tactic to occupy security teams while the attacker executes more sophisticated attacks in the background, such as data exfiltration or malware infections.

The difference between DoS and DDoS

  • Volume of traffic: a DoS attack transmits smaller amounts of traffic; a DDoS attack may transmit much higher amounts of traffic.
  • Manner of execution: a DoS attack is often carried out from a single machine using a script or tool; a DDoS attack employs a server to coordinate numerous hosts infected with malware (bots), resulting in a botnet.
  • Tracing of source: tracking the true origin of a DoS attack is relatively easy; tracking the true origin of a DDoS attack is significantly more difficult.
  • Ease of detection: a DoS connection is simple to identify and terminate; DDoS traffic originates from several locations, hiding its true origins.
  • Speed of attack: a DoS attack may be deployed more slowly; a DDoS attack may be deployed much quicker.

Conclusion

Given that any entity with an internet-facing service can become the target of a DDoS attack, severely impacting business continuity, potentially resulting in massive financial losses, and affecting a company’s reputation and client base, strengthening cyber defenses against them is of utmost importance. Organisations can adopt a series of measures to protect against and reduce the impact of DDoS attacks. 

These include investing in employee security awareness training, which is of even greater importance given today’s hybrid work scenario. A strong cybersecurity strategy with regular vulnerability assessments to check for potential weaknesses that attackers can exploit, ensuring device security to prevent unauthorised access, and continuous monitoring of networks are all of utmost importance. Network and resource segmentation and robust configuration of firewalls and routers are also crucial. 

And last, but not least, put comprehensive business continuity, disaster recovery and incident response plans in place, and invest in threat intelligence to stay prepared. Using the services of a reputed cyber security service provider goes a long way towards ensuring your business stays protected against DDoS attacks.
