What is a DDoS attack?
A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it’s one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.
Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is available internet bandwidth, CPU and RAM capacity becomes overwhelmed.
Related video: Early warning signs of a DDoS attack
3 types of DDoS attacks
There are three primary classes of DDoS attacks:
- Volume-based attacks use massive amounts of bogus traffic to overwhelm a resource such as a website or server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second (bps).
- Protocol or network-layer DDoS attacks send large numbers of packets to targeted network infrastructures and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).
- Application-layer attacks are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second (RPS).
For each type of attack, the goal is always the same: Make online resources sluggish or completely unresponsive.
DDoS attack symptoms
DDoS attacks can look like many of the non-malicious things that can cause availability issues – such as a downed server or system, too many legitimate requests from legitimate users, or even a cut cable. It often requires traffic analysis to determine what is precisely occurring.
A DDoS attack timeline
It was an attack that would forever change how denial-of-service attacks would be viewed. In early 2000, Canadian high school student Michael Calce, a.k.a. MafiaBoy, whacked Yahoo! with a distributed denial of service (DDoS) attack that managed to shut down one of the leading web powerhouses of the time. Over the course of the week that followed, Calce took aim, and successfully disrupted, other such sites as Amazon, CNN and eBay.
Certainly not the first DDoS attack, but that highly public and successful series of attacks transformed denial of service attacks from novelty and minor nuisance to powerful business disruptors in the minds of CISOs and CIOs forever.
Since then, DDoS attacks have become an all too frequent menace, as they are commonly used to exact revenge, conduct extortion, as a means of online activism, and even to wage cyberwar.
They have also gotten bigger over the years. In the mid-1990s an attack may have consisted of 150 requests per second – and it would have been enough to bring down many systems. Today they can exceed 1,000 Gbps. This has largely been fueled by the sheer size of modern botnets.
In October 2016, internet infrastructure services provider Dyn DNS (Now Oracle DYN) was stuck by a wave of DNS queries from tens of millions IP addresses. That attack, executed through the Mirai botnet, infected reportedly over 100,000 IoT devices, including IP cameras and printers. At its peak, Mirai reached 400,000 bots. Services including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter were disrupted.
In early 2018 a new DDoS technique began to emerge. On February 28, the version control hosting service GitHub was hit with a massive denial of service attack, with 1.35 TB per second of traffic hitting the popular site. Although GitHub was only knocked offline intermittently and managed to beat the attack back entirely after less than 20 minutes, the sheer scale of the assault was worrying, as it outpaced the Dyn attack, which had peaked at 1.2 TB a second.
An analysis of the technology that drove the attack revealed that it was in some ways simpler than other assaults. While the Dyn attack was the product of the Mirai botnet, which required malware to infest thousands of IoT devices, the GitHub attack exploited servers running the Memcached memory caching system, which can return very large chunks of data in response to simple requests.
Memcached is meant to be used only on protected servers running on internal networks, and generally has little by way of security to prevent malicious attackers from spoofing IP addresses and sending huge amounts of data at unsuspecting victims. Unfortunately, thousands of Memcached servers are sitting on the open internet, and there has been a huge upsurge in their use in DDoS attacks. Saying that the servers are “hijacked” is barely fair, as they’ll cheerfully send packets wherever they’re told without asking questions.
Just days after the GitHub attack, another Memecached-based DDoS assault slammed into a US service provider with 1.7 TB per second of data.
The Mirai botnet was significant in that, unlike most DDoS attacks, it leveraged vulnerable IoT devices rather PCs and servers, It’s especially scary when one considers that by 2020, according to BI Intelligence, there will be 34 billion internet connected devices, and the majority (24 billion) will be IoT devices.
Unfortunately, Mirai won’t be the last IoT-powered botnet. An investigation across security teams within Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru uncovered a similarly sized botnet, dubbed WireX, consisting of 100,000 compromised Android devices within 100 countries. A series of large DDoS attacks that targeted content providers and content delivery networks prompted the investigation.
On June 21, 2020, Akamai reported that it had mitigated a DDoS attack on a large European bank that peaked at 809 million packets per second (Mpps), the largest ever packet volume. This attack was designed to overwhelm the network gear and applications in the target’s data center by sending billions of small (29 bytes including IPv4 header) packets.
Akamai researchers said that this attack was unique because of the large number of source IP addresses used. “The number of source IPs that registered traffic to the customer destination increased substantially during the attack, indicating that it was highly distributed in nature. We saw upward of 600x the number of source IPs per minute, compared to what we normally observe for this customer destination,” the researchers noted.
DDoS attacks today
While the volume of DDoS attacks has wavered over time, they are still a significant threat. Kaspersky Labs reports that the number of DDoS attacks for Q2 2019 increased by 32% over Q3 2018, primarily due to a spike in attacks in September. For 2020, Cloudflare reports that the volume of DDoS attacks increased every quarter except Q4,
Recently discovered botnets like Torii and DemonBot capable of launching DDoS attacks are a concern, according to Kaspersky. Torii is capable of taking over a range of IoT devices and is considered more persistent and dangerous than Mirai. DemonBot hijacks Hadoop clusters, which gives it access to more computing power.
Another alarming trend is the availability of new DDoS launch platforms like 0x-booter. This DDos-as-a-service leverages about 16,000 IoT devices infected with the Bushido malware, a Mirai variant.
A DDoS report from Imperva found that most DDoS attacks in 2019 were relatively small. For example, network-layer attacks typically did not exceed 50 million PPS. The report’s authors attributed this to DDoS-for-hire services, which offer unlimited but small attacks. Imperva did see some very large attacks in 2019 including a network-layer attack that reached 580 million PPS and an application-layer attack that peaked at 292,000 RPS and lasted 13 days.
That trend changed in Q4 2020 when Cloudflare reported a “massive uptick” in the number of attacks over 500Mbps and 50K pps. Those attacks also became more persistent with nearly 9% of attacks observed between October and December lasting more than 24 hours.
Cloudflare also observed what it called a “distrubing trend” in the increased number of RDDoS attacks in 2020, where organizations receive a threat of a DDoS attack that will disrupt their operations unless a ransom is paid. The malicious parties tend to target victims that are less able to respond and recover from such an attack.
DDoS attack tools
Typically, DDoS attackers rely on botnets – collections of a network of malware-infected systems that are centrally controlled. These infected endpoints are usually computers and servers, but are increasingly IoT and mobile devices. The attackers will harvest these systems by identifying vulnerable systems that they can infect through phishing attacks, malvertising attacks and other mass infection techniques. Increasingly, attackers will also rent these botnets from those who built them.
How DDoS attacks evolve
As mentioned briefly above, it’s becoming more common for these attacks to be conducted by rented botnets. Expect this trend to continue.
Another trend is the use of multiple attack vectors within an attack, also known as Advanced Persistent Denial-of-Service APDoS. For instance, an APDoS attack may involve the application layer, such as attacks against databases and applications as well as directly on the server. “This goes beyond simply ‘flooding,’” attacks says Chuck Mackey, managing director of partner success at Binary Defense.
Additionally, Mackey explains, attackers often don’t just directly target their victims but also the organizations on which they depend such as ISPs and cloud providers. “These are broad-reaching, high-impact attacks that are well-coordinated,” he says.
This is also changing the impact of DDoS attacks on organizations and expanding their risk. “Businesses are no longer merely concerned with DDoS attacks on themselves, but attacks on the vast number of business partners, vendors, and suppliers on whom those businesses rely,” says Mike Overly, cybersecurity lawyer at Foley & Lardner LLP. “One of the oldest adages in security is that a business is only as secure as its weakest link. In today’s environment (as evidenced by recent breaches), that weakest link can be, and frequently is, one of the third parties,” he says.
Of course, as criminals perfect their DDoS attacks, the technology and tactics will not stand still. As Rod Soto, director of security research at JASK explains, the addition of new IoT devices, rise of machine learning and AI will all play a role in changing these attacks. “Attackers will eventually integrate these technologies into attacks as well, making it more difficult for defenders to catch up with DDoS attacks, specifically those that cannot be stopped by simple ACLs or signatures. DDoS defense technology will have to evolve in that direction as well,” Soto says.