With greater volumes of information being stored and transferred online, keeping data protected and inaccessible to malicious users is a rising concern for business owners. In the evolving realm of technology where new, destructive hacking methods are being discovered daily, recognising and preempting threats can often be the key to protecting your business. Although there are many ways for hackers to disrupt online services and steal information, arguably the most devastating method is to orchestrate a DDoS attack.
What Is a DDoS Attack?
As a concept, the idea behind a DDoS, or Distributed Denial of Service, attack is exceedingly simple, although the scope of each attack can vary. A successful DDoS consists of flooding a single web server or network with more traffic than it can process, resulting in slow load times or even a complete loss of service for genuine users. This traffic can take various forms, such as false connection requests or automated spam messages.
The main way for a hacker to carry out a DDoS attack is by using something called a ‘botnet’: a network of hacked computers, or ‘bots’, that have been infected with malware and can be controlled remotely. Once a botnet has been established, every bot can be directed to flood a victim server with requests at the same time, putting it under significant strain and potentially causing a crash. Depending on the architecture of the servers and how the infrastructure is configured, recovering from a DDoS attack can take hours or even days.
Although all DDoS attacks share the same basic concept, there are three primary methods, each targeting a different point in a network. Knowing these methods and their respective points of attack helps ensure that your own system remains protected.
- Volumetric Attacks: The most common type, these attacks target the network layer of a system. A prime example is a DNS amplification attack, which abuses the DNS protocol to flood a victim’s network with unsolicited responses. To mount such an attack, a hacker sends large numbers of DNS requests with the victim’s IP address as the source. These requests are crafted so that the DNS response returned to the victim is significantly larger than the original request. The victim server is drowned in DNS responses it never asked for, consuming high volumes of bandwidth until the web server, and all associated services, become unresponsive.
- Protocol Attacks: A protocol attack takes advantage of known server protocols to bring a system down. A prime example is a SYN flood, or TCP connection attack, which manipulates the SYN/SYN-ACK/ACK sequence that servers and hosts use to establish a connection. Typically, when a user connects to a server, a SYN (synchronise) request is sent and the server responds with a SYN-ACK (synchronise-acknowledge). The user then returns an ACK and the connection is established. This sequence is often referred to as the ‘3-way handshake’. With a SYN flood, a hacker uses spoofed IP addresses to send large numbers of SYN requests to a victim server as normal, but never sends the final ACK when the SYN-ACK is returned. This leaves the server holding each half-open connection and waiting for a response that never arrives. If a high volume of these requests is sent and left unanswered, the server’s resources become overwhelmed, preventing it from processing genuine SYN requests from real users.
- Application Layer Attacks: An attack such as an HTTP flood, which sends overwhelming numbers of HTTP requests directly to a web application server. As the server tries to process millions of requests at once, it is quickly saturated and crashes, leaving it unable to serve genuine user requests. These attacks are harder to detect and can only be prevented by a WAF, a firewall that operates specifically at the application layer to block illegitimate traffic.
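To make the protocol-attack description concrete from the defender’s side, here is an added example (not code from this page or from HTTPShield) that models a server’s half-open connection queue during a SYN flood and shows why SYN cookies, a standard kernel mitigation the page does not mention, keep genuine clients connecting. Everything is an in-process simulation with constructed TEST-NET addresses; the queue size, timeout and secret are assumptions.

```python
import hashlib
import hmac

class Listener:
    """Constructed model of a server's half-open (SYN received, ACK pending) queue."""

    def __init__(self, capacity, timeout, syn_cookies=False, secret=b"rotate-me"):
        self.capacity, self.timeout, self.syn_cookies = capacity, timeout, syn_cookies
        self.secret = secret
        self.half_open = {}   # (client_ip, client_port) -> time the SYN-ACK was sent
        self.established = 0

    def _expire(self, now):
        # Entries whose final ACK never arrived are freed only after the timeout.
        for key in [k for k, t in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[key]

    def _cookie(self, key):
        # SYN cookie: the SYN-ACK sequence number carries a keyed hash of the client
        # address, so the server keeps no state until a valid ACK proves reachability.
        return hmac.new(self.secret, f"{key[0]}:{key[1]}".encode(), hashlib.sha256).hexdigest()[:8]

    def on_syn(self, key, now):
        """Client SYN arrives; returns the SYN-ACK token sent back, or None if dropped."""
        self._expire(now)
        if len(self.half_open) < self.capacity:
            self.half_open[key] = now
            return "stateful"
        if self.syn_cookies:
            return self._cookie(key)   # queue full: answer statelessly instead of dropping
        return None                    # queue full and no cookies: SYN silently discarded

    def on_ack(self, key, token, now):
        """Final ACK of the handshake; returns True if the connection is established."""
        self._expire(now)
        if self.half_open.pop(key, None) is not None or (
            self.syn_cookies and token == self._cookie(key)
        ):
            self.established += 1
            return True
        return False

def legit_client_connects(listener, flood_syns, now=0.0):
    """Send SYNs from made-up sources that never ACK, then attempt one genuine handshake."""
    for i in range(flood_syns):   # TEST-NET-2 addresses; constructed, never routed
        listener.on_syn((f"198.51.100.{i % 250}", 1024 + i), now)
    key = ("203.0.113.7", 51515)  # the genuine client (TEST-NET-3)
    token = listener.on_syn(key, now + 0.1)
    return token is not None and listener.on_ack(key, token, now + 0.2)
```

With a stateful queue the genuine client is refused as soon as the flood exceeds the queue capacity within the timeout; with SYN cookies enabled the same flood leaves it unaffected.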
Goals Of a DDoS Attack
Unlike more elegant methods of hacking such as SQL injection or cross-site scripting, where the specific goal is to access unauthorised information, the blunt objective of a DDoS attack is to completely crash a particular site or service, rendering it inaccessible. Although the benefits of this from the hacker’s point of view may not be immediately apparent, there are many ways that this type of brute-force attack can be used maliciously.
When a website falls to a DDoS attack, significant financial penalties can occur during the downtime, from both the loss of business and the cost of getting the targeted server back online. Additionally, customers are far less likely to trust their personal information to a site with a reputation for being vulnerable to attack, often opting to take their business elsewhere. Hackers are fully aware of these penalties and will usually try to blackmail the business owner first, typically with monetary demands, before launching an attack. In essence, give in to the demands or your website gets taken down.
Another way in which a DDoS attack can be used to a hacker’s advantage is in conjunction with a more calculated attack. In the event of a DDoS attack, it is essential that the system administration team acts rapidly to limit damage and reduce the potential downtime of the victim server. Taking advantage of this induced panic, the hacker can then mount a more subtle attack on the newly vulnerable system, using the initial DDoS attack as a diversion. The goal of this secondary breach could be to access sensitive data or to install harmful software on the system for later use.
Preparation And Prevention
Like everything in the digital world, methods of DDoS attacks are constantly changing. Although they pose a significant threat to online businesses, with the correct protection and preparation, steps can be taken to negate an attack and detect the early signs of a breach before significant damage can be caused.
The first step should be to ensure all web servers dealing with user traffic are protected by a WAF. A WAF, or Web Application Firewall, filters all requests sent from a user to a web server. This can mitigate a DDoS attack by identifying and blocking any HTTP requests that come from an illegitimate source, such as a ‘bot’ computer or a spoofed IP. This functionality makes a WAF an essential security asset for any online service. Additionally, it is one of the few methods capable of detecting a DDoS attack aimed directly at the web application itself. Each attempted breach leaves a unique digital fingerprint, and the WAF can blacklist any traffic from a suspicious source, making it a flexible security solution capable of adapting to emerging threats.
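As an added example (not code from this page or from HTTPShield) of the kind of per-source check a WAF or reverse proxy applies to the HTTP flood described in the application-layer section above, the function below runs a sliding-window request count over access-log lines in Common Log Format. The log lines, the source addresses (TEST-NET ranges) and the window and threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Common Log Format sample (not real traffic): 198.51.100.23 bursts
# 12 requests in three seconds; the other two sources browse normally.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.23 - - [10/Oct/2023:13:55:{30 + i // 4:02d} +0000] "GET /login HTTP/1.1" 200 512'
     for i in range(12)]
    + ['203.0.113.5 - - [10/Oct/2023:13:55:31 +0000] "GET / HTTP/1.1" 200 2326',
       '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1810',
       '192.0.2.77 - - [10/Oct/2023:13:55:33 +0000] "POST /search HTTP/1.1" 200 960']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def rate_limit_offenders(log_text, window_seconds=10, max_requests=5):
    """Sliding-window count per source; returns {ip: peak requests in a window}
    for every source that exceeded max_requests within window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    entries = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda e: e[1])
    for ip, ts in entries:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop requests that fell out of the window
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders
```

A production WAF adds much more (request fingerprints, reputation lists, challenge pages), but this per-source window is the core of a rate-based HTTP flood rule, and the threshold must be tuned against the site’s own legitimate peak traffic to avoid blocking real users behind shared addresses.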
Using a global CDN (Content Delivery Network) to distribute your web content can significantly help mitigate the threat of DDoS attacks. A CDN works by using a network of strategically placed ‘edge servers’ to deliver content to users on behalf of the origin server. Not only does this deliver content to users more rapidly, but it also significantly reduces the strain on the origin server. When used in conjunction with a WAF, these edge servers can work as an early detection system, identifying illegitimate traffic before it has a chance of reaching the origin server. Additionally, because the core methodology behind a DDoS attack is to saturate a single server with vast amounts of traffic, distributing web content over multiple edge servers prevents any single server from being overwhelmed by web traffic, legitimate or otherwise. This lends itself to offering a more stable service in general, as well as making it difficult for hackers to identify a single focal point to attack.
Need Urgent Protection Against a DDoS Attack?
HostGuard from HTTPShield provides complete DDoS protection. Prevent downtime with our market-leading DDoS mitigation.