Why is DDoS attack a major cyber threat?
8th November 2018
Distributed denial-of-service (DDoS) cyber attacks remain a significant threat to any organisation that uses a web site or web application to deliver its services. The Arbor Networks 2018 Worldwide Infrastructure Security Report confirms that a total of 7.5 million DDoS attacks were executed in 2017. Using survey data from internet service providers, they estimate that 57% of global enterprises and 45% of data centre operators experienced internet bandwidth saturation due to a DDoS compromise.
Modern DDoS attacks are designed to disrupt and terminate the normal activity of web servers. Companies of all sizes suffer downtime that leads to financial loss from reduced sales and increased operational costs. E-commerce businesses are particularly vulnerable and can suffer significant loss of reputation and customer confidence. In some cases, a company’s recovery time can last months and end up costing tens of thousands of pounds.
What is a DDoS attack?
A distributed denial-of-service (DDoS) cyber attack targets and disrupts web servers by sending them an overwhelming number of requests from a very large number of external computers or IP-enabled devices. Because the flood of incoming network traffic comes from many sources, the attack cannot be stopped by blocking a single source. Criminal hackers using DDoS attacks often target sites or services hosted on high-profile web servers of banks, e-commerce sites and credit card payment gateways.
The largest so far?
GitHub, the code management service provider, suffered the largest reported DDoS attack in February 2018. Peak incoming traffic was measured at a rate of 1.3 terabits per second (Tbps), with data packets arriving at a rate of 126.9 million per second.
Coming a close second was the attack on Dyn, a major DNS provider, in October 2016. The barrage peaked at 1.2 terabits per second and created devastating disruption for Airbnb, Netflix, PayPal, Visa, Amazon, The New York Times and Reddit.
How does DDoS work?
The most common DDoS attack aims to gain control of a network of online devices (computers, mobile phones, IoT) by infecting them with malware and turning them into bots. A bot or web robot runs software applications which are simple, automated and repetitive in their action. The attacker has full remote control over the group of bots, which is called a botnet.
The hacker sends the target IP address of the web server to the bots. Each bot then sends multiple requests to the target server causing it to overload and stop working. Because each bot is a legitimate internet device, separating the attack traffic from normal traffic can be very time consuming. The Dyn attack used malware called Mirai which created a botnet out of compromised Internet of Things (IoT) devices such as cameras, smart TVs, radios, printers and baby monitors.
The GitHub DDoS attack did not use a botnet but instead exploited unprotected memcached servers. Memcached is a caching system designed to speed up websites that rely on external databases. It is estimated that around 100,000 memcached servers are currently exposed online with no authentication protection.
Types of DDoS attacks
The DDoS mitigation specialist Cloudflare has an excellent summary of the different types of DDoS attack. They categorise attacks by their effect on the various components of an internet network connection, as described by the conceptual OSI ‘7 Layer’ model.
Application layer attack
Focused on the OSI Layer 7, these attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side but can be resource intensive for the target server as it often must load multiple files and run database queries in order to create a web page.
Protocol attack
Also known as state-exhaustion exploits, these attacks cause a service disruption by consuming all the available state table capacity of web application servers or intermediate resources like firewalls and load balancers. Protocol attacks utilise weaknesses in Layers 3 and 4 of the protocol stack to render the target inaccessible. A good example is the SYN Flood attack, which exploits the TCP handshake by sending the target many TCP “Initial Connection Request” packets with spoofed source IP addresses. The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target’s resources in the process.
Volumetric attack
This category of attack attempts to create congestion by consuming all the available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet. A good example is DNS Amplification, which makes a request to an open DNS server with a spoofed IP address (the real IP address of the target). The target IP address then receives a response from the server. The attacker structures the request such that the DNS server responds to the target with a large amount of data. The Dyn DDoS attack was a good example of DNS amplification.
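The two signatures described above (half-open TCP handshakes from spoofed sources, and DNS answers arriving for queries the victim never sent) can both be picked out of a flow log. The following is an added detection example written for this article, not code from the original post or from Cloudflare; the log format and the addresses in it are constructed.

```python
from collections import defaultdict

# Constructed flow log (not real capture data). Fields: seconds, src, dst, proto, detail.
# TCP detail is a flag ("S" = SYN, "A" = ACK); DNS detail is "q<bytes>" for a query, "r<bytes>" for a response.
SAMPLE_LOG = "\n".join(
    ["0.01 203.0.113.5 198.51.100.10 tcp S", "0.02 203.0.113.5 198.51.100.10 tcp A",
     "0.03 198.51.100.10 192.0.2.53 dns q60", "0.04 192.0.2.53 198.51.100.10 dns r180"]
    + [f"1.{i:03d} 192.0.2.{i % 254 + 1} 198.51.100.10 tcp S" for i in range(300)]        # spoofed SYNs
    + [f"2.{i:03d} 203.0.113.{i % 50 + 1} 198.51.100.10 dns r3000" for i in range(200)])  # reflected answers

def parse_log(text):
    for line in text.strip().splitlines():
        ts, src, dst, proto, detail = line.split()
        yield float(ts), src, dst, proto, detail

def syn_flood_targets(records, min_half_open=100, min_ratio=0.9):
    """Protocol-attack signature: SYNs from many sources whose handshakes never complete.
    Returns {dst: half_open_count} for destinations over both thresholds."""
    pending, done = defaultdict(set), defaultdict(int)
    for _, src, dst, proto, detail in records:
        if proto != "tcp":
            continue
        if detail == "S":
            pending[dst].add(src)
        elif detail == "A" and src in pending[dst]:
            pending[dst].discard(src)        # the client finished the handshake
            done[dst] += 1
    hits = {}
    for dst, srcs in pending.items():
        total = len(srcs) + done[dst]
        if total and len(srcs) >= min_half_open and len(srcs) / total >= min_ratio:
            hits[dst] = len(srcs)
    return hits

def dns_reflection_targets(records, min_unsolicited=100):
    """Volumetric-attack signature: DNS responses that answer no query the receiver sent.
    Returns {dst: (unsolicited_responses, bytes)} for destinations over the threshold."""
    solicited, count, size = set(), defaultdict(int), defaultdict(int)
    for _, src, dst, proto, detail in records:
        if proto != "dns":
            continue
        if detail[0] == "q":
            solicited.add((src, dst))        # (client, resolver) pair with a real query
        elif (dst, src) not in solicited:    # response with no matching query from dst
            count[dst] += 1
            size[dst] += int(detail[1:])
    return {d: (n, size[d]) for d, n in count.items() if n >= min_unsolicited}
```

In the sample, the legitimate handshake and the legitimate DNS answer are ignored, while the 254 spoofed half-open connections and the 200 unsolicited 3,000-byte answers are reported against the target.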
How to defend against DDoS attacks?
Detecting and mitigating the effects of a DDoS attack can be a complex and demanding challenge. Attack traffic must always be differentiated from normal web traffic, but this can be difficult because attackers use multi-vector attacks. A good example is the Stacheldraht (Barbed Wire) attack, which combines a User Datagram Protocol (UDP) flood, an Internet Control Message Protocol (ICMP) flood, a Transmission Control Protocol (TCP) SYN flood and a Smurf attack.
Cloudflare recommends the following technical mitigation strategies:
Black hole routing
In the event of an attack, both legitimate and malicious network traffic is routed to a null route or blackhole and dropped from the network. If an internet property is experiencing a DDoS attack, the property’s internet service provider (ISP) may send all the site’s traffic into a black hole as its first line of defence.
Rate limiting
Limiting the number of requests a web server will accept over a certain time window is also a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers from stealing content and for mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively.
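The per-client request limit described above is usually implemented as a token bucket. The following is an added example written for this article, not code from the original post or from Cloudflare; the request stream and client addresses are constructed, and the 5 requests per second with a burst of 10 are assumed values.

```python
# Constructed request stream (ms, client_ip), not real traffic: one client bursts 100 requests
# in one second while another sends 5 requests in the same second.
SAMPLE_REQUESTS = sorted(
    [(i * 10, "203.0.113.9") for i in range(100)] + [(i * 200, "198.51.100.7") for i in range(5)])

class TokenBucket:
    """Token bucket in integer arithmetic (time in ms, tokens scaled by 1000) so refills are exact."""
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # tokens refilled per second
        self.cap = burst * 1000           # capacity in millitokens
        self.tokens = self.cap            # a new client starts with a full burst allowance
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:      # elapsed ms * tokens/sec == millitokens to add
            self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

class RateLimiter:
    """One bucket per client key (here the source IP)."""
    def __init__(self, rate_per_sec=5, burst=10):
        self.rate, self.burst, self.buckets = rate_per_sec, burst, {}

    def check(self, client_ip, now_ms):
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst))
        return bucket.allow(now_ms)

def replay(requests, rate_per_sec=5, burst=10):
    """Feed (ms, ip) requests through the limiter; return {ip: (accepted, rejected)}."""
    limiter = RateLimiter(rate_per_sec, burst)
    stats = {}
    for now_ms, ip in requests:
        accepted, rejected = stats.get(ip, (0, 0))
        if limiter.check(ip, now_ms):
            stats[ip] = (accepted + 1, rejected)
        else:
            stats[ip] = (accepted, rejected + 1)
    return stats
```

The bursting client gets its 10-request burst plus roughly one request per 200 ms thereafter and has the rest rejected, while the normal client is untouched; because the limit is keyed per source, a botnet that spreads its requests across many sources stays under it, which is why the text says rate limiting alone is insufficient.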
Web application firewall
A Web Application Firewall (WAF) is a tool that can assist in mitigating a Layer 7 DDoS attack. By putting a WAF between the internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.
Anycast network diffusion
This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network. The reliability of an Anycast network to mitigate a DDoS attack is dependent on the size of the attack and the size and efficiency of the network. Cloudflare has a 20 Tbps network, which is an order of magnitude greater than the largest DDoS attack recorded.