What is a Distributed Denial-of-Service (DDoS) attack?

Distributed Denial-of-Service (DDoS) attacks are malicious attempts to cut a business off from its legitimate traffic. During a DDoS attack, the target server, service or network is flooded with malicious traffic generated by compromised systems across the internet, so that legitimate customers and users cannot reach the target.

How does a DDoS attack work?

A DDoS attack requires the attacker to first gain control of a network of internet-connected machines. Hundreds of thousands of computing systems such as IoT devices, unpatched personal computers, or even commercial servers are infected with malware, turning each one into a bot (or zombie). The attacker can then remotely control this group of bots, which is called a botnet.

A DDoS attack is like a crowd of malicious monsters queueing to board a train while the real passengers are blocked from getting on.

Once the botnet is established, the attacker can send updated instructions to each bot through its remote-control channel. When the botnet is pointed at the victim’s IP address, each bot responds by sending requests to the target, which can push the target server or network beyond its capacity and deny service to normal traffic. Because each bot is an otherwise legitimate internet device, separating attack traffic from normal traffic can be difficult.

Mitigation of a DDoS Attack

  1. Simple Solution (Low Effectiveness)

    • Black Hole Routing – One solution available to virtually all network admins is to create a blackhole route and funnel traffic into it. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious traffic is routed to a null route (black hole) and dropped from the network. If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all of the site’s traffic into a black hole as a defense, at the cost of taking the site offline for everyone.

    • Rate Limiting – Limiting the number of requests a server accepts within a given time window is another way of mitigating denial-of-service attacks. While rate limiting helps slow web scrapers that steal content and mitigates brute-force login attempts, on its own it is unlikely to handle a complex DDoS attack effectively.

  2. Commercial Solution (Multi-Layer Mitigation)

    • Layer 3/4 Attack Mitigation – This protects against attacks such as UDP amplification, DNS flooding and TCP SYN flooding. Those attacks are usually volumetric and aim to saturate the target website’s network layer so that real users cannot access it. The mlytics DDoS protection feature can effectively protect against Layer 3/4 attacks. These attacks can be mitigated via the following methods:

      1. Access control list
      2. Spoofed IP filtering
      3. Bogon IP filtering
      4. IP reputation
      5. Specific protocol protection, for example a TCP proxy to mitigate protocol attacks such as SYN flooding

    • Layer 7 Attack Mitigation – This protects against attacks such as HTTP flood or CC (Challenge Collapsar) attacks. HTTP flood or CC attacks generate high volumes of HTTP GET or POST requests from multiple sources, targeting the application layer to cause service degradation or unavailability. The mlytics DDoS protection feature also covers Layer 7 against these attacks. They can be mitigated via the following methods:

      1. Fingerprinting HTTP requests to protect sites from known and emerging botnets with automatic mitigation rules
      2. A progressive risk-score approach that issues a challenge-response to suspicious or user-mimicking attack traffic
      3. A rate-limiting mechanism that gives granular control to block harder-to-detect application-layer attacks
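As an added example (not part of the original page and not mlytics code), the following Python script runs a toy version of the Layer 3/4 filters listed above (access control list, spoofed/bogon source filtering, IP reputation) and then the per-source rate limiting described in both the simple-solution and the Layer 7 sections, over a constructed request log. The prefixes, the reputation entry and the traffic are constructed sample data drawn from documentation address ranges; the verdict names and function names are my own.

```python
"""Toy DDoS mitigation pipeline (added example, not mlytics code).

Order of checks per request: ACL deny -> bogon/spoofed source -> IP reputation
-> per-source token-bucket rate limit. All ranges and traffic are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Bogon prefixes: address space that should never appear as a source on the
# public Internet (private space, loopback, link-local, multicast, ...).
# A packet claiming such a source is almost certainly spoofed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Access control list: explicit deny entries (constructed, TEST-NET-2 range).
ACL_DENY = [ipaddress.ip_network("198.51.100.0/24")]

# IP reputation feed: addresses previously seen in attack traffic (constructed).
REPUTATION_BLOCKLIST = {"203.0.113.77"}


@dataclass
class TokenBucket:
    capacity: float     # burst size (max stored tokens)
    refill_rate: float  # tokens added per second
    tokens: float
    last: float         # timestamp of the last update


class RateLimiter:
    """One token bucket per source address; a request costs one token."""

    def __init__(self, capacity=5, refill_rate=1.0):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets = {}

    def allow(self, src, now):
        b = self.buckets.get(src)
        if b is None:
            b = TokenBucket(self.capacity, self.refill_rate, self.capacity, now)
            self.buckets[src] = b
        # Refill in proportion to elapsed time, never beyond the burst size.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False


def classify(src_ip, now, limiter):
    """Verdict for one request: 'acl', 'bogon', 'reputation', 'rate' or 'allow'."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in ACL_DENY):
        return "acl"
    if any(ip in net for net in BOGONS):
        return "bogon"
    if src_ip in REPUTATION_BLOCKLIST:
        return "reputation"
    if not limiter.allow(src_ip, now):
        return "rate"
    return "allow"


def run_pipeline(requests, capacity=5, refill_rate=1.0):
    """Apply the filters to (timestamp, src_ip) pairs; return counts per verdict."""
    limiter = RateLimiter(capacity, refill_rate)
    counts = defaultdict(int)
    for ts, src in sorted(requests, key=lambda r: r[0]):
        counts[classify(src, ts, limiter)] += 1
    return dict(counts)


# Constructed sample traffic: a legitimate client at 1 req/s, a flooding
# source at 50 req/s, two spoofed (bogon) sources, an ACL-denied source and a
# listed bad-reputation address.
SAMPLE_REQUESTS = (
    [(float(t), "192.0.2.10") for t in range(10)]          # 10 requests over 10 s
    + [(i * 0.02, "203.0.113.5") for i in range(50)]        # 50 requests in 1 s
    + [(0.5, "10.1.2.3"), (0.6, "172.16.9.9")]              # bogon sources
    + [(1.0, "198.51.100.20")]                              # ACL deny
    + [(2.0, "203.0.113.77")]                               # reputation hit
)

if __name__ == "__main__":
    for verdict, n in sorted(run_pipeline(SAMPLE_REQUESTS).items()):
        print(f"{verdict:>10}: {n}")
```

With a burst of 5 tokens refilling at 1 token per second, the steady 1 req/s client is never throttled, while the 50 req/s source gets its first 5 requests through and the remaining 45 are rejected by the rate limiter; the bogon, ACL and reputation checks drop their packets before the limiter is consulted at all. This is also why rate limiting alone is a weak defence: the flood still consumes the bandwidth and connection-handling capacity needed to reach the limiter.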

DDoS impact on the internet

The most well-known and spectacular DDoS attacks of the last few years:

  • In 2013: 39 attacks above 100 Gbps (gigabits per second), a figure that has steadily increased over time.
  • March 2013: the Spamhaus DDoS attack saw 120 Gbps of traffic hitting its network, one of the largest attacks up to that time.
  • August 2013: part of the Chinese internet went down in one of the largest DDoS attacks to date. Despite having one of the most sophisticated security systems in the world, and a government with some of the strongest offensive cyber capabilities, China was unable to defend itself from the attack.
  • Summer 2014: a massive 300 Gbps DDoS attack exploited flaws in 100,000 unpatched servers, joined together as a botnet, against an unidentified data center.
  • December 2014: an unnamed internet service provider experienced an NTP (Network Time Protocol) DDoS attack that reached a new level of strength at 400 Gbps, the largest denial-of-service event in history up to that point.
  • Spring 2015: UK-based phone carrier Carphone Warehouse was targeted by a DDoS attack while hackers stole millions of customers’ records.
  • July 2015: New York Magazine was hit by a DDoS attack just after publishing interviews with 35 women accusing Bill Cosby of sexual assault.
  • December 2015: attackers threatened a DDoS attack on Microsoft’s Xbox Live service, claiming they would take down both Xbox Live and the PlayStation Network over the Christmas period for up to a week, in order to highlight the continued weak security of Microsoft’s services.
  • January 2016: in the latest sophisticated DDoS attack, some HSBC customers lost access to their online banking accounts two days before the tax payment deadline in the United Kingdom.

CIA Triad and DDoS Attack

In cybersecurity, the CIA triad frames attacks in terms of what they compromise:

  • Confidentiality: Is my information secret?
  • Integrity: Is my information accurate and trustworthy?
  • Availability: Can I get my information when and where I need it?

DDoS attacks don’t steal or alter information; they only keep it from being legitimately used. Therefore, DDoS attacks affect the “availability” leg of the security triad.