Explaining DDoS attack

Nowadays, you can read about DDoS attacks on organizations in the news quite often. Until now I did not exactly know how DDoS attacks work in detail.

Time to get more insight into this and share it with others!

DDoS basics

DDoS is short for Distributed Denial of Service. It is an attempt to disrupt the network traffic of a targeted server, service, or network. The attempt is done by overwhelming the target or its surrounding infrastructure with a vast amount of internet traffic. You can see it as an unexpected traffic jam that suddenly appears on a highway: traffic can’t move then because the highway is blocked.

These attacks are carried out by compromising a series of computer systems and using them as the source of attack traffic. This means that a series of unknown devices is used as a kind of army, and most of the time the owner has no clue about it. The machines used for these kinds of attacks include computers and other devices connected to the network, also called “endpoints”. Internet of Things (IoT) devices in particular are very suitable for use in an attack. One of the main reasons is that most IoT devices come with factory settings that have a very simple password, for example the login name “admin” with “1234” as the password. Attackers know this, and such password combinations can easily be obtained from the internet. After that, attackers can get access to the device, install malicious software without a problem and add it to their army of bots.

DDoS attacks: how is it done

As told before, DDoS attacks are done with the support of machines that are connected to the internet network. These devices are first infected with malicious software which allows the attacker to control them remotely. The devices that are added to the “army” of the attacker are called bots or zombies. A group of bots is called a botnet.

When an attacker has set up a botnet, an attack can be directed by sending instructions to each bot remotely. After that, the attacker selects the victim’s network and commands all bots to send requests to the IP address (the unique address that identifies a device on the internet or a local network) of the target. This can overwhelm the server or network which results in a denial of service for normal traffic because a digital traffic jam is created. This means you can’t reach the IP address then. 

It is very hard to separate the attack traffic from normal traffic because each bot that is used is a legitimate device that is connected to the internet.

Identifying a DDoS attack

If a site or service becomes extremely slow or unavailable, it might be the target of a DDoS attack. This is one of the most recognizable symptoms. However, more investigation is required to exclude other possibilities: a sudden peak in legitimate traffic, for instance, can also cause performance issues. A traffic analytics tool can help an investigator with this analysis.
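As an added illustration of the kind of check a traffic analytics tool performs (example code written for this post, not from the original article), the script below parses constructed access-log lines, flags a minute whose request count is far above the baseline of the quiet minutes, and reports how many distinct clients produced it. It assumes a simplified log format of timestamp, client IP, method and path; the spike thresholds and the log lines are made up for the example.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed log lines: three quiet minutes with three visitors each, then one
    minute in which 60 clients each reload /index.html five times (300 requests)."""
    quiet = [f"2024-03-01T10:0{m}:{s:02d}Z 203.0.113.{h} GET /index.html"
             for m in range(3) for s, h in ((5, 10), (20, 11), (45, 12))]
    flood = [f"2024-03-01T10:03:{s:02d}Z 198.51.100.{h} GET /index.html"
             for h in range(1, 61) for s in range(5)]
    return quiet + flood


def parse_line(line):
    """'2024-03-01T10:00:03Z 203.0.113.10 GET /index.html' -> (minute bucket, client ip)."""
    timestamp, client, _method, _path = line.split()
    return timestamp[:16], client          # "2024-03-01T10:00"


def analyze(lines, baseline_minutes=3, spike_factor=10):
    """Return (baseline requests per minute, list of spike findings)."""
    per_minute = defaultdict(Counter)     # minute -> Counter of requests per client
    for line in lines:
        minute, client = parse_line(line)
        per_minute[minute][client] += 1
    minutes = sorted(per_minute)
    quiet = [sum(per_minute[m].values()) for m in minutes[:baseline_minutes]]
    baseline = sum(quiet) / len(quiet)
    threshold = spike_factor * max(baseline, 1.0)   # guard against an all-zero baseline
    findings = []
    for minute in minutes[baseline_minutes:]:
        clients = per_minute[minute]
        total = sum(clients.values())
        if total >= threshold:
            _top_ip, top_count = clients.most_common(1)[0]
            findings.append({
                "minute": minute,
                "requests": total,
                "distinct_clients": len(clients),
                "top_client_share": round(top_count / total, 2),
            })
    return baseline, findings


if __name__ == "__main__":
    print(analyze(build_sample()))
```

A spike spread over many clients with a tiny share each fits both a legitimate peak and an HTTP flood from a botnet, which is why the spike alone is not proof and the investigator still has to look further.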

How a network works

In order to completely understand DDoS attacks, you also need to understand the basics of a network connection because this is the tool that is utilized in the attack. Network connections on the Internet have many different components. These components are also called “layers”. You can compare this with building a house from the ground up. Each layer of the house has a different purpose. A set of 7 network layers can be distinguished:

  1. The physical layer: this is the foundation of the network. Here, raw bits stream over the medium.
  2. The datalink layer: defines the format of data on the network.
  3. The network layer: decides which physical path the data will take on the network.
  4. The transport layer: transmits data using transmission protocols, including TCP and UDP. You can check out this post for more information about transmission protocols.
  5. The session layer: maintains connections and is responsible for controlling ports and sessions.
  6. The presentation layer: this layer ensures that data is in a usable format and this is also where data encryption occurs.
  7. The application layer: this is the human-computer interaction layer where an application can access the network services.

These network layers can all be targeted in a DDoS attack. An attacker can use one or more of these layers as a point of attack and can also cycle through different attack points to counter defense measures that are taken by the target. Sometimes this can end up in some sort of digital chess game between attacker and target. I would say that this is the highest and most sophisticated “game” of DDoS attacks between very professional attack teams and defense teams.

Types of DDoS attacks

There are different types of DDoS attacks that can target different components of a network. I will share the most common ones:

  • Protocol attacks. These attacks are also known as state-exhaustion attacks. They create a service disruption by overconsuming server resources and/or the resources of network equipment (firewalls, etc.). Protocol attacks exploit weaknesses in the network layer and the transport layer (see the previous paragraph). This is done by instructing bots to send spoofed SYN packets (packets whose source address is forged so that they appear to come from somewhere else) to the target. SYN packets are generated when a client (in this case the bot) attempts to start a TCP connection to a server, after which the client and server exchange a series of messages in a three-way handshake: 1) the client sends a SYN (synchronize) message to the server; 2) the server acknowledges it by sending a SYN-ACK (synchronize-acknowledge) back to the client; 3) the client responds with an ACK, establishing the connection. After the server has sent its SYN-ACK it waits for the client's ACK. Because the SYN was spoofed, the SYN-ACK goes to the forged address and the server never gets a response, so it keeps waiting with the handshake incomplete. While it waits, the server's resources remain tied up by the half-open TCP connection and can't be used for others. In the end this exhausts all resources and the service fails. Because the SYN packets are spoofed, it's hard to determine where they really came from.
  • Application layer attacks. Also called layer 7 DDoS attacks. This is the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is easy for a server to handle, but if the server is flooded with thousands of requests for different pages it can get into trouble, exhausting the target's available resources (computational power). The attack is done with an HTTP flood. When you go to a site and refresh it, the page is loaded again, and every reload costs the server resources. If you point thousands of bots at a specific site and order them all to refresh it at the same time, this creates a flood of requests that the server may not be able to handle. The result is a traffic jam: a denial of service.
  • Volumetric attacks. This type of attack spans layers 3, 4 and 7. Over 65 percent of all DDoS attacks are volumetric attacks. The attack consumes all available bandwidth between the target and the internet: the victim’s network is bombarded with more traffic than it can handle. This massive traffic is generated by a botnet and causes a denial of service. The most common form of volumetric attack is the DNS amplification attack. Let’s use an analogy to explain it. Imagine eight wide-load trucks traveling side by side along an eight-lane freeway at a fixed speed. No normal cars (normal traffic) can pass and all are stuck behind the trucks. Instead of using a huge quantity of average-sized packets as other DDoS attacks do, a DNS amplification attack uses larger packets to achieve the same result. In this attack, the attacker takes advantage of the normal operation of the Domain Name System (DNS), the “address book” of the Internet, and turns it into a weapon against the victim’s website. The goal is to flood the victim’s website with the traffic produced by fake DNS lookup requests, consuming the network bandwidth to the point that the site fails. To achieve this, attackers craft DNS requests in a way that substantially amplifies the size of the response. A genuine DNS response might have an amplification factor of 1.5 or less, but in a DNS amplification attack the requests generate responses 10, 20 or even 50 times larger than the request. This results in huge volumes of traffic, exhausting all bandwidth of the targeted website.
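To make the protocol (state-exhaustion) attack above concrete from the defender's side, here is an added example (written for this post, not from the original article) that reads `ss -tan`-style socket listings and summarises the half-open handshakes sitting in SYN-RECV against the listener's backlog. The output rows, the backlog size of 256 and the warning thresholds are constructed for the example.

```python
from collections import Counter

# Row layout assumed to match `ss -tan`: State Recv-Q Send-Q Local:Port Peer:Port.
SS_HEADER = "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port"


def build_sample(half_open=200):
    """Constructed `ss -tan` output (not from a real host): one listener, one established
    client and `half_open` half-open handshakes, each from a different peer address."""
    lines = [SS_HEADER,
             "LISTEN     0      256    10.0.0.5:443          0.0.0.0:*",
             "ESTAB      0      0      10.0.0.5:443          203.0.113.9:40021"]
    for i in range(half_open):
        # Spoofed SYNs arrive from forged addresses that never finish the handshake.
        lines.append(f"SYN-RECV   0      0      10.0.0.5:443          "
                     f"198.51.{i // 256}.{i % 256}:{40000 + i}")
    return "\n".join(lines)


def parse_ss(text):
    """Yield (state, local, peer) for every socket row, skipping the header line."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        yield parts[0], parts[3], parts[4]


def half_open_report(text, backlog=256, warn_fraction=0.5):
    """Summarise half-open connections; `backlog` is the listener's accept queue size."""
    rows = list(parse_ss(text))
    syn_recv_peers = [peer for state, _local, peer in rows if state == "SYN-RECV"]
    hosts = Counter(peer.rsplit(":", 1)[0] for peer in syn_recv_peers)  # drop the port
    half_open = len(syn_recv_peers)
    # Many half-open sockets with (almost) one per peer address is the footprint of
    # spoofed SYNs; a burst of genuine clients would mostly complete their handshakes.
    return {
        "syn_recv": half_open,
        "established": sum(1 for state, _l, _p in rows if state == "ESTAB"),
        "distinct_syn_peers": len(hosts),
        "backlog_used": round(half_open / backlog, 2),
        "likely_syn_flood": half_open >= warn_fraction * backlog
                            and len(hosts) >= 0.9 * half_open,
    }


if __name__ == "__main__":
    print(half_open_report(build_sample()))
```

On Linux, the kernel's SYN cookies feature (`net.ipv4.tcp_syncookies`) lets a server keep accepting genuine connections once the backlog fills, because it stops storing state for each unanswered SYN-ACK.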

Preventing DDoS attacks

In an ideal world, all users of devices connected to the internet would protect their devices against attacks from the outside with strong, unique passwords that are generated and stored in a password manager. This way it would be very hard for attackers to recruit a full bot army. Unfortunately, this is not realistic, but there are other ways to successfully counter a DDoS attack. The most effective way is to prevent an attack or to stop it in its earliest stages.

To do so, you need to understand the early signs of a DDoS attack. When your network slows down, when the quality of the intranet goes down, or when there are regular disconnections on your website, you should immediately activate a DDoS response plan.

This is a plan that is based on a security assessment. Most companies do not have the in-house knowledge or resources to do an assessment themselves and to set up a plan once the assessment is done. Outsourcing is a very good alternative when a company doesn’t have the in-house knowledge. I advise doing so because most companies depend on a strong network and only realize it after the damage has been done (when they have been the victim of a DDoS attack). When the assessment is finalized, the DDoS response plan can be set up. In case you don’t have the resources available, this can be done by a third party as well (for instance the party that did the assessment, if you outsourced that too).

This plan is absolutely required because when a DDoS attack hits you, time is critical: you don’t have the luxury of figuring it all out on the go. A DDoS response plan can be expensive, but in most cases companies don’t have a very complex infrastructure. Because of this, the costs can be very limited, and the benefits you have when an attack hits will absolutely outweigh the costs. Additionally, what a lot of people forget is that these kinds of attacks can cause a lot of stress to employees. When a company has a plan and knows how to handle the situation, including clear communication to the employees, it prevents unnecessary stress among them. Don’t underestimate the psychological damage that cyberattacks can do to a person. People want to work in a safe environment where they know that they are taken care of in times of calamity.

Final Thoughts

I hope that this post provides more insight into the basics of a DDoS attack: how it works and how you can arm yourself to defend against an attack. Prevention is better than a cure so always make a plan in order to be able to immediately deal with a DDoS attack once it occurs.

My experience on this subject is limited so feel free to give me additional advice/insights by contacting me (also in case you have any questions) and if you want to keep in the loop if I upload a new post, don’t forget to subscribe to receive a notification by email.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.