DDoS stands for Distributed Denial of Service. This type of attack exploits the capacity limits that apply to every network resource, such as the infrastructure that powers a company’s website.
Typical targets for DDoS cyber-attacks are:
- Internet shopping sites
- Online casinos
How DDoS cyber-attack works
Network resources such as web servers can process only a limited number of requests at the same time. In addition to the server’s own capacity limit, the channel connecting the server to the internet also has limited bandwidth. Whenever the number of requests exceeds the capacity of any component of the infrastructure, the service level is likely to suffer in one of the following ways:
- Responses to requests slow down.
- Some, or all, user requests are ignored completely.
How to recognize a DDoS cyber-attack
The most obvious symptom of a DDoS cyber-attack is a site or service that suddenly becomes slow or unavailable. However, because other causes, such as a surge in legitimate traffic, can produce similar performance problems, further investigation is usually required. Traffic analysis tools can help you spot the following tell-tale signs of a DDoS attack:
- Suspicious amounts of traffic from a single IP address or range of IP addresses.
- A stream of traffic from users sharing a single behavior profile, e.g. device type, location, or web browser version.
- An inexplicable increase in requests to a single page or endpoint.
There are other more specific signs of a DDoS attack that can vary based on the type of attack.
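The three signs listed above can be checked mechanically against a web server’s access log. The following script is an added example, not code from the original article: it parses Apache/nginx “combined” format lines and flags any single source IP, source /24 range, user agent, or endpoint that accounts for more than a configurable share of all requests. The log lines, the example addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and the 50% threshold are all constructed assumptions for the demonstration.

```python
"""Spot DDoS tell-tale signs in web server access logs (added example, constructed data)."""
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed baseline: ordinary shop traffic from varied clients, paths and browsers.
BASELINE = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0"
198.51.100.77 - - [10/Oct/2023:13:55:37 +0000] "GET /products/42 HTTP/1.1" 200 8713 "https://shop.example/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
192.0.2.14 - - [10/Oct/2023:13:55:39 +0000] "POST /cart HTTP/1.1" 302 0 "https://shop.example/products/42" "Mozilla/5.0 (Linux; Android 13) Chrome/116.0"
198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET /static/app.css HTTP/1.1" 200 2210 "https://shop.example/" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6) Safari/604.1"
192.0.2.200 - - [10/Oct/2023:13:55:41 +0000] "GET /checkout HTTP/1.1" 200 6630 "https://shop.example/cart" "Mozilla/5.0 (X11; Linux x86_64) Chrome/115.0"
"""


def constructed_flood(n=40):
    """Constructed burst: n requests from one /24 range, one user agent, one endpoint."""
    lines = []
    for i in range(n):
        ip = f"203.0.113.{(i % 50) + 1}"
        lines.append(
            f'{ip} - - [10/Oct/2023:13:55:42 +0000] "GET /search?q=x{i} HTTP/1.1" '
            f'200 9210 "-" "python-requests/2.31"'
        )
    return "\n".join(lines)


def parse_combined_log(text):
    """Parse combined-format lines; malformed lines are skipped rather than failing the run."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].split("?", 1)[0]  # group by endpoint, not query string
            entries.append(entry)
    return entries


def _source_range(ip):
    """Collapse an IPv4 address to its /24; non-IP values are returned unchanged."""
    try:
        return str(ipaddress.ip_network(ip + "/24", strict=False))
    except ValueError:
        return ip


def find_ddos_signals(entries, share=0.5, min_requests=20):
    """Return the dimensions along which traffic is suspiciously concentrated.

    Each finding names the kind of concentration (single IP, IP range, user agent,
    endpoint), the dominant value, its request count and its share of all requests.
    """
    total = len(entries)
    signals = []
    if total < min_requests:
        return signals  # too little traffic for a share to mean anything

    def check(counter, kind):
        value, count = counter.most_common(1)[0]
        fraction = count / total
        if fraction >= share:
            signals.append({"kind": kind, "value": value, "count": count, "share": round(fraction, 2)})

    check(Counter(e["ip"] for e in entries), "single_ip")
    check(Counter(_source_range(e["ip"]) for e in entries), "ip_range")
    check(Counter(e["ua"] for e in entries), "user_agent")
    check(Counter(e["path"] for e in entries), "endpoint")
    return signals


def demo():
    """Baseline plus constructed flood: expect range, user-agent and endpoint findings."""
    return find_ddos_signals(parse_combined_log(BASELINE + constructed_flood()))


if __name__ == "__main__":
    for signal in demo():
        print(signal)
```

In the constructed data no single address dominates (each flood source sends one request), so the per-IP check stays quiet while the /24 range, the shared user agent and the single endpoint all trip the threshold; this is exactly why the second and third signs in the list matter when an attacker spreads requests across many addresses.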
What are the most common types of DDoS attacks?
Different types of DDoS attacks target different components of a network connection. A network connection on the Internet is made up of many different components, or “layers”. As when building a house from the ground up, each layer in the model serves a different purpose.
While almost all DDoS attacks overwhelm a target device or network with traffic, attacks can be divided into three categories. An attacker may use one or several attack vectors, or cycle through attack vectors in response to countermeasures taken by the target.
Application layer attacks
The purpose of the attack:
The goal of these attacks, sometimes referred to as Layer 7 DDoS attacks (after Layer 7 of the OSI model), is to exhaust the target’s resources to create a denial of service.
The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap for the client to issue, but the response from the target server can be expensive, because the server often loads multiple files and runs database queries to build a web page.
Layer 7 attacks are difficult to defend against because malicious traffic can be hard to distinguish from legitimate traffic.
Example of an attack on the application layer:
This attack is similar to pressing refresh in a web browser over and over on many different computers at the same time: a large number of HTTP requests flood the server, resulting in a denial of service.
Protocol attacks
The purpose of the attack:
Protocol attacks, also known as state-exhaustion attacks, cause service disruption by over-consuming server resources and/or the resources of network equipment such as firewalls and load balancers.
Protocol attacks exploit weaknesses in layers 3 and 4 of the protocol stack to render the target unreachable.
Example of a protocol attack:
A SYN flood is like a worker in a stock room receiving requests from the front of the store. The worker receives a request, fetches the package and waits for confirmation before carrying the package out front. The worker then receives many more package requests without any confirmation, until they can no longer carry any more packages, become overwhelmed, and the requests go unanswered.
This attack exploits the TCP handshake, the communication sequence with which two computers initiate a network connection, by sending a large number of TCP SYN “initial connection request” packets with forged source IP addresses to a target.
The target machine responds to every connection request and then waits for the final step of the handshake, which never occurs, exhausting the target’s resources in the process.
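The following model, an added example and not code from the original article, plays out the stock-room analogy as a TCP listener would experience it: every SYN that is answered with a SYN-ACK occupies a slot in the half-open connection table until the client’s final ACK arrives or a timeout reaps it. The model also shows the standard mitigation, SYN cookies, in which the listener encodes the connection state in its SYN-ACK sequence number instead of storing it, so spoofed SYNs allocate nothing. The backlog size, timeout, packet counts and addresses are constructed assumptions; the model deliberately ignores retransmissions and other real-kernel details.

```python
"""Half-open connection table under a SYN flood, with and without SYN cookies
(added example, simplified model with constructed parameters)."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                 # max half-open entries: the packages the worker can hold
    syn_timeout: float = 60.0    # seconds before an unanswered SYN-ACK is reaped
    syn_cookies: bool = False    # stateless handshake: no entry allocated on SYN
    half_open: dict = field(default_factory=dict)   # (src ip, src port) -> expiry time
    established: int = 0
    dropped_syns: int = 0

    def _expire(self, now):
        """Reap half-open entries whose timeout has passed."""
        for key in [k for k, expiry in self.half_open.items() if expiry <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """Handle an incoming SYN; returns the listener's reaction."""
        self._expire(now)
        if self.syn_cookies:
            # State lives in the cookie carried by the SYN-ACK, so nothing is stored.
            return "SYN-ACK"
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return "DROP"  # table full: the worker cannot take another package
        self.half_open[src] = now + self.syn_timeout
        return "SYN-ACK"

    def on_ack(self, src, now, cookie_valid=True):
        """Handle the final ACK; returns True if a connection was established."""
        self._expire(now)
        if self.syn_cookies:
            if cookie_valid:   # a forged ACK fails cookie validation and is ignored
                self.established += 1
                return True
            return False
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False


def simulate(syn_cookies, backlog=128, spoofed_syns=1000, legit_clients=10):
    """Spoofed SYNs (never acknowledged) followed by legitimate clients completing the handshake."""
    listener = Listener(backlog=backlog, syn_cookies=syn_cookies)
    now = 0.0
    # Constructed spoofed sources: the forged addresses never answer the SYN-ACK.
    for i in range(spoofed_syns):
        listener.on_syn((f"203.0.113.{i % 254 + 1}", 40000 + i), now)
        now += 0.01
    # Constructed legitimate clients: each answers the SYN-ACK 50 ms later.
    served = 0
    for j in range(legit_clients):
        src = ("198.51.100.9", 50000 + j)
        if listener.on_syn(src, now) == "SYN-ACK" and listener.on_ack(src, now + 0.05):
            served += 1
        now += 0.1
    return {
        "served": served,
        "half_open": len(listener.half_open),
        "dropped": listener.dropped_syns,
    }


if __name__ == "__main__":
    print("stateful listener:", simulate(syn_cookies=False))
    print("with SYN cookies: ", simulate(syn_cookies=True))
```

With a stateful listener the 1,000 spoofed SYNs fill the 128-entry table within the first few seconds, every later SYN (including all legitimate ones) is dropped, and the table stays full until the 60-second timeout reaps it; with SYN cookies the table stays empty and every legitimate client is served. Shortening the timeout or enlarging the backlog only moves the point at which the table fills, which is why SYN cookies, rate limiting at the edge, or a scrubbing service are the usual mitigations.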
Volumetric attacks
The purpose of the attack:
This category of attack attempts to create congestion by consuming all of the available bandwidth between the target and the wider Internet. Large amounts of data are sent to a target using some form of amplification, or another means of generating massive traffic, e.g. requests from a botnet.
Example of a volumetric attack:
DNS amplification is like calling a restaurant and saying, “I’ll have one of everything, please call me back and repeat my entire order”, while giving the victim’s phone number as the callback number. With very little effort, a long response is generated and sent to the victim. The attack works in much the same way: a request is sent to an open DNS server with a forged source IP address (the victim’s IP address), and the server’s response is then delivered to the victim’s address.
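From the victim’s side, the defining feature of the amplification traffic described above is that the large DNS responses arriving from open resolvers were never requested by any host on the victim’s network. The following script is an added example, not code from the original article: it correlates outbound DNS queries with inbound DNS responses by source address, source port, resolver address and DNS transaction ID, and reports responses that have no matching query within a short window. The flow records, the victim range 198.51.100.0/24, the resolver addresses and the byte sizes are constructed assumptions.

```python
"""Flag unsolicited inbound DNS responses, the victim-side signature of a DNS amplification
flood (added example, constructed flow records)."""
from collections import Counter
from dataclasses import dataclass

OUR_NET = "198.51.100."   # assumption: the protected network's own address prefix


@dataclass(frozen=True)
class Flow:
    """One UDP datagram as a flow collector or packet capture would summarise it."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    dns_id: int        # DNS transaction ID from the message header
    is_response: bool  # QR bit from the DNS message header


def unsolicited_dns_responses(flows, window=5.0):
    """Return inbound DNS responses with no matching outbound query in the preceding window."""
    pending = {}       # (our ip, our port, resolver ip, dns id) -> time the query was sent
    unsolicited = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == 53 and not f.is_response and f.src.startswith(OUR_NET):
            pending[(f.src, f.sport, f.dst, f.dns_id)] = f.ts
        elif f.sport == 53 and f.is_response and f.dst.startswith(OUR_NET):
            key = (f.dst, f.dport, f.src, f.dns_id)
            sent = pending.pop(key, None)
            if sent is None or f.ts - sent > window:
                unsolicited.append(f)   # nobody here asked for this answer
    return unsolicited


def summarize(unsolicited):
    """Volume and the resolvers reflecting the most traffic: what a SOC would want first."""
    return {
        "count": len(unsolicited),
        "bytes": sum(f.nbytes for f in unsolicited),
        "top_resolvers": Counter(f.src for f in unsolicited).most_common(3),
    }


def constructed_traffic():
    """One legitimate query/response pair, then 30 reflected responses nobody requested."""
    flows = [
        Flow(100.00, "198.51.100.10", 53123, "192.0.2.53", 53, 60, 0x1A2B, False),
        Flow(100.02, "192.0.2.53", 53, "198.51.100.10", 53123, 180, 0x1A2B, True),
    ]
    for i in range(30):
        resolver = f"203.0.113.{i % 3 + 1}"   # constructed open resolvers abused as reflectors
        flows.append(Flow(101.0 + i * 0.001, resolver, 53, "198.51.100.10",
                          40000 + i, 3200, 0x0100 + i, True))
    return flows


def demo():
    return summarize(unsolicited_dns_responses(constructed_traffic()))


if __name__ == "__main__":
    print(demo())
```

The legitimate pair is matched and dropped from the report, while the 30 reflected responses (96,000 bytes from three resolvers) are flagged. Because the correlation key includes the source port and transaction ID, a resolver’s genuine answer is never mistaken for attack traffic, and the per-resolver counts give the upstream provider or a scrubbing service the list of reflectors to filter.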
DDoS attacks have become more effective in the last year due to the increasing reliance on online services. The disruption of the services that people rely on in their professional and personal lives can have a significant impact.
In most cases, however, it is possible to ward off DDoS attacks by implementing current industry best practices to maintain service availability despite an incident. These practices include setting specific network access policies and periodically testing DDoS countermeasures to confirm that they can protect the network from attack.