Hackers use many methods to infiltrate systems, steal data, and create general havoc with devices and networks connected to the Internet. Below, we'll look at one of the most common disruptive weapons in a cyber attacker's arsenal — the DDoS (Distributed Denial-of-Service) attack.
Attackers don't even have to get access to a system in order to disrupt services or even take the whole thing down when they use a DDoS attack. So, what's a DDoS attack, and how does it work?
How does a DDoS attack work?
A DDoS attack is the big brother of a DoS (Denial-of-Service) attack. In a standard DoS attack, the attacker attempts to make a machine or network unavailable to its regular users by disrupting services connected to the internet. This is done by overwhelming these services with fake packets, connection requests, and incoming messages.
This is done from only one machine, and in today's digital landscape, where cloud services can scale dynamically to handle changes in load, standard DoS attacks aren't as effective as they once were. Also, a cyberattack coming from one IP address can be blocked easily.
So, hackers have evolved to start using botnets. Essentially, this involves gaining control of remote computers by using phishing schemes and other tactics to get users to download and install malicious software on their computers.
These computers then become "zombie computers," which hackers can control from anywhere in the world. Sometimes they don't even have to use phishing — they can just exploit known vulnerabilities in a system to gain access.
This brings us to DDoS attacks. In DDoS attacks, hackers use networks of machines from locations around the globe to launch the same type of attack. The resulting disruption is even worse because there are hundreds (or even thousands) of machines doing the same DoS attack at once.
Eventually, services will be disrupted, and the systems will become overloaded, making it impossible for the standard users of the service to access them. And because the attack is coming from multiple machines, system overload can happen quickly, and stopping the attack isn't as simple as just blocking one IP address.
Common types of DDoS attacks
There are different types of DDoS attacks, defined by which components in the network are being targeted and what tactics the attacker uses. An attacker could also use more than one of these attacks at the same time.
Application layer attacks
In this type of DDoS attack, the hacker targets the layer of the application that generates the web pages on the server.
A client can send a request for a web page without using many resources. But, on the server-side, one request may require loading multiple files, running server-side code, and connecting to one or more databases.
In an application layer attack, sometimes called a Layer 7 attack, the attacker will use a botnet to send traffic to a specific web application simultaneously from each of the bots. They'll also use random IP addresses, spoofed referrer data, and target random URLs to hide their tracks and keep from getting blocked.
Protocol attacks
Protocol attacks target the network and transport layers of web applications. They're also known as state-exhaustion attacks. These attacks attempt to disrupt service by using up the connection-tracking capacity of network devices like load balancers and firewalls.
An example of this type of attack is a SYN flood. In a SYN flood, the attacker sends a massive number of TCP connection requests (SYN packets) to the targeted system, usually with spoofed source IP addresses. The target replies to each one and waits for the final step of the TCP three-way handshake, which never arrives, so its table of half-open connections fills up and eventually no resources are left for legitimate connections.
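The symptom a defender sees during a SYN flood is a connection table dominated by half-open (SYN-RECV) entries from many distinct source addresses. The following script is an added example, not code from the original article: it parses a constructed, simplified snapshot of a server's TCP connection table (three whitespace-separated columns, loosely modelled on `ss -tan` output) and flags any listening socket whose half-open count and half-open ratio both exceed thresholds. The thresholds and the snapshot itself are assumptions chosen for illustration.

```python
"""Spot SYN-flood symptoms in a snapshot of a server's TCP connection table.

Added example, not from the original article. Input format is a constructed
simplification: one connection per line, "<state> <local> <remote>".
"""
from collections import defaultdict

# Constructed sample snapshot: port 443 has many half-open connections from
# scattered source addresses, port 22 looks normal.
SNAPSHOT = """\
ESTAB     10.0.0.5:443  198.51.100.7:51234
ESTAB     10.0.0.5:443  198.51.100.8:44321
SYN-RECV  10.0.0.5:443  203.0.113.10:1025
SYN-RECV  10.0.0.5:443  203.0.113.11:1025
SYN-RECV  10.0.0.5:443  203.0.113.12:1025
SYN-RECV  10.0.0.5:443  203.0.113.13:1025
SYN-RECV  10.0.0.5:443  203.0.113.14:1025
SYN-RECV  10.0.0.5:443  203.0.113.15:1025
SYN-RECV  10.0.0.5:443  203.0.113.16:1025
SYN-RECV  10.0.0.5:443  203.0.113.17:1025
ESTAB     10.0.0.5:22   198.51.100.9:60000
SYN-RECV  10.0.0.5:22   198.51.100.9:60001
"""


def parse_snapshot(text):
    """Return a list of (state, local_socket, remote_socket) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip headers or blank lines
            continue
        rows.append(tuple(parts))
    return rows


def half_open_report(rows, min_half_open=5, max_ratio=0.5):
    """Per local socket: half-open count, established count, distinct
    half-open sources, half-open ratio, and a 'suspicious' flag.

    Thresholds are assumptions; tune them to the server's normal traffic."""
    per_socket = defaultdict(
        lambda: {"half_open": 0, "established": 0, "sources": set()}
    )
    for state, local, remote in rows:
        entry = per_socket[local]
        if state == "SYN-RECV":
            entry["half_open"] += 1
            entry["sources"].add(remote.rsplit(":", 1)[0])
        elif state == "ESTAB":
            entry["established"] += 1

    report = {}
    for local, e in per_socket.items():
        total = e["half_open"] + e["established"]
        ratio = e["half_open"] / total if total else 0.0
        report[local] = {
            "half_open": e["half_open"],
            "established": e["established"],
            "distinct_sources": len(e["sources"]),
            "half_open_ratio": round(ratio, 2),
            "suspicious": e["half_open"] >= min_half_open and ratio >= max_ratio,
        }
    return report


if __name__ == "__main__":
    for sock, info in half_open_report(parse_snapshot(SNAPSHOT)).items():
        print(sock, info)
```

A high count of half-open connections spread over many distinct source addresses is the signature to look for, since spoofed SYNs rarely repeat a source. On Linux the usual first mitigation is SYN cookies (`net.ipv4.tcp_syncookies`), which let the kernel answer SYNs without storing state until the handshake completes.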
Volumetric attacks
This type of DDoS attack attempts to consume all of the available bandwidth between the target and the wider internet. Rather than exhausting resources on the target system itself, it saturates the network link so that legitimate traffic can't get through.
An example of this type of attack is DNS reflection. In a DNS reflection attack, the attacker sends small requests to DNS servers with the source address spoofed so that the queries appear to come from the targeted computer. These small requests are quick and cheap to send, but they produce much larger responses, all of which are delivered to the targeted computer and eventually overwhelm it.
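From the victim's side, a DNS reflection attack looks like a stream of DNS responses for queries the host never sent. The script below is an added example, not code from the original article: it replays a constructed list of DNS packet records seen at a monitored host, pairs each inbound response with a recent outbound query by (resolver, transaction ID), records the response/query size ratio for matched pairs, and counts unsolicited responses and their bytes per sending server. The record format, the matching window, and the alert thresholds are assumptions made for the example.

```python
"""Classify inbound DNS responses as solicited or unsolicited.

Added example, not from the original article. Packet records are constructed:
(time_s, direction, src_ip, dst_ip, kind, txid, size_bytes), where direction
is from the monitored host's point of view ("out" = sent by it).
"""
from collections import defaultdict

MONITORED = "10.0.0.5"
RESOLVER = "198.51.100.53"

PACKETS = [
    # two normal query/response pairs with the host's own resolver
    (0.00, "out", MONITORED, RESOLVER, "query",    0x1A2B, 58),
    (0.02, "in",  RESOLVER, MONITORED, "response", 0x1A2B, 120),
    (0.10, "out", MONITORED, RESOLVER, "query",    0x3C4D, 61),
    (0.12, "in",  RESOLVER, MONITORED, "response", 0x3C4D, 110),
    # a late response: the query expired before the answer came back
    (1.00, "out", MONITORED, RESOLVER, "query",    0x5E6F, 60),
    (4.00, "in",  RESOLVER, MONITORED, "response", 0x5E6F, 100),
    # large responses from servers the host never queried (constructed)
    (0.50, "in", "203.0.113.20", MONITORED, "response", 0x0001, 3200),
    (0.51, "in", "203.0.113.20", MONITORED, "response", 0x0002, 3200),
    (0.52, "in", "203.0.113.20", MONITORED, "response", 0x0003, 3200),
    (0.53, "in", "203.0.113.21", MONITORED, "response", 0x0001, 3200),
    (0.54, "in", "203.0.113.21", MONITORED, "response", 0x0002, 3200),
    (0.55, "in", "203.0.113.21", MONITORED, "response", 0x0003, 3200),
]


def classify_dns(packets, window=2.0):
    """Return (matched, unsolicited).

    matched: list of dicts for responses that answer a recent outbound query,
             with the observed response/query size ratio.
    unsolicited: {server_ip: {"count": n, "bytes": total}} for responses with
                 no matching query inside `window` seconds (an assumed window).
    """
    pending = {}                      # (server, txid) -> (sent_time, query_size)
    matched = []
    unsolicited = defaultdict(lambda: {"count": 0, "bytes": 0})

    for t, direction, src, dst, kind, txid, size in sorted(packets):
        if direction == "out" and kind == "query":
            pending[(dst, txid)] = (t, size)
        elif direction == "in" and kind == "response":
            query = pending.pop((src, txid), None)
            if query is not None and t - query[0] <= window:
                matched.append({"server": src, "txid": txid,
                                "amplification": size / query[1]})
            else:
                unsolicited[src]["count"] += 1
                unsolicited[src]["bytes"] += size
    return matched, dict(unsolicited)


def reflection_alerts(unsolicited, min_count=3, min_bytes=4096):
    """Servers sending enough unsolicited response traffic to be worth
    blocking or rate limiting at the edge (thresholds are assumptions)."""
    return sorted(ip for ip, s in unsolicited.items()
                  if s["count"] >= min_count and s["bytes"] >= min_bytes)


if __name__ == "__main__":
    matched, unsolicited = classify_dns(PACKETS)
    print("matched:", matched)
    print("unsolicited:", unsolicited)
    print("alert on:", reflection_alerts(unsolicited))
```

The size ratio recorded for matched pairs is the same amplification factor the attacker exploits, which is why resolvers that answer large queries for anyone are the preferred reflectors. The attack works only because the reflector accepts a spoofed source address, so the network-level fix sits with the sending networks: source address validation (BCP 38 ingress filtering) stops the spoofed queries before they reach a resolver.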
What is a DDoS defense strategy?
Protecting a network or system from a DDoS attack can take some work since it's not something that can just be blocked with anti-virus software. The attack comes from the outside, so you must take different measures.
Here are some of the cybersecurity measures taken to protect networks and systems from DDoS attacks:
- Rate limiting. Limiting the rate at which a specific client can access a system can prevent some DDoS attacks, though this alone may not be enough for a large or complex attack.
- Blackhole routing. A blackhole route is a route that goes nowhere. During a DDoS attack, network admins can funnel the attack traffic to a blackhole route where it can do no harm. This method prevents damage to a system, but it has the same effect as the attack itself: the network becomes inaccessible.
- Web application firewalls. A web application firewall can prevent application layer attacks with rules to identify and block DDoS attacks.
- Anycast network diffusion. This approach scatters the traffic from the attack across a large network of servers, so it gets absorbed.
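Rate limiting is the simplest of these measures to implement in code. The block below is an added example, not code from the original article: a per-client token bucket, replayed over a constructed request log of (timestamp, client IP) pairs. Each client gets a bucket that refills at a steady rate up to a burst limit; a request is served only if a token is available. The rate, burst size, and log entries are assumptions chosen to show one client being throttled while another is unaffected.

```python
"""Per-client token-bucket rate limiter replayed over a request log.

Added example, not from the original article. Parameters and the request
log are constructed for illustration.
"""


class TokenBucketLimiter:
    """One bucket per client key; `burst` tokens max, refilled at
    `rate_per_sec` tokens per second. Each allowed request spends one token."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self._buckets = {}          # client -> (tokens, last_seen_time)

    def allow(self, client, now):
        tokens, last = self._buckets.get(client, (self.burst, now))
        # refill proportionally to elapsed time, capped at the burst size
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[client] = (tokens - 1, now)
            return True
        self._buckets[client] = (tokens, now)
        return False


# Constructed request log: one client bursts five requests in half a second,
# the other sends at a normal pace.
REQUESTS = [
    (0.0, "203.0.113.5"), (0.1, "203.0.113.5"), (0.2, "203.0.113.5"),
    (0.3, "203.0.113.5"), (0.4, "203.0.113.5"),
    (0.5, "198.51.100.7"),
    (2.5, "203.0.113.5"),
    (3.0, "198.51.100.7"),
]


def replay(requests, rate_per_sec=1.0, burst=3):
    """Run the log through a limiter and return allowed/denied counts per client."""
    limiter = TokenBucketLimiter(rate_per_sec, burst)
    summary = {}
    for t, client in sorted(requests):
        counts = summary.setdefault(client, {"allowed": 0, "denied": 0})
        counts["allowed" if limiter.allow(client, t) else "denied"] += 1
    return summary


if __name__ == "__main__":
    for client, counts in replay(REQUESTS).items():
        print(client, counts)
```

The bursty client gets its first three requests served, the next two refused, and a later request served again once the bucket has refilled. The weakness the article points to is visible in the design: the bucket is keyed by client IP, so an attack spread across thousands of bots, each staying under the limit, passes through untouched. That is why rate limiting is paired with the other measures rather than used alone.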
Note that cybersecurity practices also include anti-malware and anti-virus software. While they won't protect a network from a DDoS attack, they will protect devices from becoming a bot in the botnet.
Learn more about cybersecurity
The internet isn't the safest place for data and networks. Hackers are always on the lookout for new systems and networks to target. DDoS attacks are just one of the many kinds of attacks they use, but you can protect yourself from them with the right type of preparation.
The best way to protect yourself from hackers and cyberattacks is through education. If you know what types of cyber threats are out there, how they occur, and how to prevent them, then there isn't much an attacker can do to your system.
Check out our Introduction to Cybersecurity course to get started. You'll learn more about common cyberattacks and how to prevent them, along with the basics of network security, securing personal devices, cryptography, and authentication and authorization.