DDoS

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by flooding the target or its surrounding infrastructure with Internet traffic.

In plain terms, a DDoS attack is like an unexpected traffic jam that clogs the highway and prevents normal traffic from reaching its destination.

DDoS attacks achieve their effect by using many compromised computer systems as sources of attack traffic. The exploited machines can include ordinary computers as well as other networked devices, such as IoT units.

How does a DDoS attack work?

DDoS attacks are carried out using networks of computers that are linked to the Internet.

These networks are made up of malware-infected computers and other devices (such as IoT devices), which can be managed remotely by an intruder. Individual devices are known as bots (or zombies), and a botnet is a collection of bots.

Once a botnet has been created, the attacker can direct an attack by sending remote commands to each bot.

When a botnet targets a victim’s server or network, each bot sends requests to the victim’s IP address, potentially overwhelming the server or network and causing a denial-of-service to normal traffic.

How to identify a DDoS attack

The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. Traffic analytics tools can help spot some of the telltale signs of a DDoS attack:

  • Unusual levels of traffic coming from a single IP address or a range of IP addresses.
  • A surge in traffic from users who share a behavioral profile, such as device type, geolocation, or browser version.
  • An unexplained surge in requests to a single page or endpoint.
  • Unusual traffic patterns, such as spikes at odd hours of the day or patterns that appear unnatural.
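The four signs above can be checked mechanically against a web server's access log. The following is an added example (not code from the original article or from any of the vendors it draws on): it parses a small constructed sample of combined-format log lines and reports any single source address, single path, or single user agent that accounts for more than half of all requests, as well as any one-second spike above a threshold. The addresses, thresholds and the `CustomClient/1.0` user agent are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of combined-log-format lines; addresses come from the
# RFC 5737 documentation ranges and the traffic is invented for this example.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2024:13:55:0{i % 3} +0000] "GET /login HTTP/1.1" 200 512 "-" "CustomClient/1.0"'
     for i in range(10)]
    + [
        '198.51.100.5 - - [10/Mar/2024:13:55:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
        '198.51.100.5 - - [10/Mar/2024:13:55:03 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
        '192.0.2.9 - - [10/Mar/2024:13:55:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/17.0"',
        '192.0.2.9 - - [10/Mar/2024:13:55:06 +0000] "POST /api/search HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Macintosh) Safari/17.0"',
    ]
)

# One regex for the combined log format: ip, identity, user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped silently."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text, share_threshold=0.5, rps_threshold=3):
    """Return (signal, value, count) tuples for the DDoS signs described in the text.

    share_threshold: fraction of all requests one IP / path / user agent must
                     reach before it is reported (assumed value, tune per site).
    rps_threshold:   requests in a single second above which a spike is reported.
    """
    rows = list(parse(log_text))
    total = len(rows)
    if total == 0:
        return []

    by_ip = Counter(r["ip"] for r in rows)
    by_path = Counter(r["path"] for r in rows)
    by_ua = Counter(r["ua"] for r in rows)
    by_second = Counter(r["ts"] for r in rows)   # timestamps have second resolution

    alerts = []
    for signal, counter in (("single_ip", by_ip), ("single_path", by_path), ("similar_agent", by_ua)):
        for value, count in counter.most_common():
            if count / total >= share_threshold:
                alerts.append((signal, value, count))
            else:
                break   # most_common() is sorted, nothing further can qualify
    peak_second, peak = by_second.most_common(1)[0]
    if peak > rps_threshold:
        alerts.append(("rate_spike", peak_second, peak))
    return alerts


if __name__ == "__main__":
    for signal, value, count in analyze(SAMPLE_LOG):
        print(f"{signal:14} {count:4}  {value}")
```

Run against a real log the thresholds need tuning: on a busy site no single IP should ever approach 50 % of requests, so a much lower share (or an absolute request count per window) is the realistic trigger, and a legitimate launch-day surge will still trip the rate spike, which is exactly the ambiguity the mitigation section below discusses.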

What are some of the most popular DDoS attacks?

Various forms of DDoS attacks target different aspects of a network link.

Although virtually all DDoS attacks involve flooding a target system or network with traffic, they fall into three broad categories. In response to the target’s countermeasures, an attacker may use one or more attack vectors at once, or cycle between them.

Protocol attacks

The goal:

This action is similar to repeatedly refreshing a web page on several machines at the same time – a large number of HTTP requests flood the site, causing a denial-of-service.

Protocol attacks, also known as state-exhaustion attacks, interrupt service by consuming server resources and/or network equipment resources such as firewalls and load balancers.

Protocol attacks exploit weaknesses in layer 3 and layer 4 of the protocol stack to render the target unavailable.

SYN flood

A SYN flood is like a stock room employee receiving order slips from the front of the shop.

The worker receives an order, goes to fetch the package, and then waits for confirmation before bringing it out to the customer. The worker then receives many more package requests, none of which are ever confirmed, until they are holding too many packages, are overwhelmed, and real requests go unanswered.
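In TCP terms, each unconfirmed order is a half-open connection sitting in the SYN-RECV state, and the "stock room" is the listen backlog. The following added example (not part of the original article) shows how a defender would quantify that from a socket-state snapshot: it parses a constructed sample in the column layout of `ss -tan`, counts half-open connections per listening port and per peer, and flags any port whose half-open count approaches an assumed backlog size. The host and peer addresses are documentation ranges and the backlog value of 128 is an assumption, not a measured system value.

```python
from collections import Counter, namedtuple

# Constructed snapshot in the shape of `ss -tan` output (header row, then
# state, Recv-Q, Send-Q, local address:port, peer address:port).
# 110 half-open connections on :443 from 110 different (spoofed-looking)
# peers, 3 half-open on :22, and 2 established sessions.
SAMPLE_SS = "\n".join(
    ["State      Recv-Q Send-Q Local Address:Port  Peer Address:Port",
     "LISTEN     0      128    0.0.0.0:443         0.0.0.0:*",
     "LISTEN     0      128    0.0.0.0:22          0.0.0.0:*",
     "ESTAB      0      0      10.0.0.5:443        198.51.100.5:50112",
     "ESTAB      0      0      10.0.0.5:22         198.51.100.6:50113"]
    + [f"SYN-RECV   0      0      10.0.0.5:443        203.0.113.{i}:4{i:04d}" for i in range(1, 111)]
    + [f"SYN-RECV   0      0      10.0.0.5:22         198.51.100.{i}:40500" for i in (20, 21, 22)]
)

Summary = namedtuple("Summary", "half_open established by_port by_peer")


def parse_ss(text):
    """Return (state, local, peer) tuples; skips the header row and LISTEN sockets."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "LISTEN":
            continue
        rows.append((parts[0], parts[3], parts[4]))
    return rows


def summarize(text):
    """Count half-open (SYN-RECV) and established sockets, by local port and by peer address."""
    rows = parse_ss(text)
    half = [(loc, peer) for st, loc, peer in rows if st == "SYN-RECV"]
    established = sum(1 for st, _, _ in rows if st == "ESTAB")
    by_port = Counter(loc.rsplit(":", 1)[1] for loc, _ in half)
    by_peer = Counter(peer.rsplit(":", 1)[0] for _, peer in half)
    return Summary(len(half), established, by_port, by_peer)


def syn_flood_suspected(summary, backlog=128, fill_threshold=0.8):
    """Return {port: half_open_count} for listeners whose half-open count is at or
    above fill_threshold of the assumed backlog; an empty dict means nothing is alarming."""
    limit = backlog * fill_threshold
    return {port: n for port, n in summary.by_port.items() if n >= limit}


if __name__ == "__main__":
    s = summarize(SAMPLE_SS)
    print(f"half-open: {s.half_open}, established: {s.established}")
    print("suspected SYN flood on ports:", syn_flood_suspected(s))
    print("max half-open per peer:", max(s.by_peer.values()))
```

The last line of the sample output is the instructive part: every peer holds exactly one half-open connection, so there is no single source to block. That is why the usual mitigation for this category is to stop reserving state per unacknowledged SYN (SYN cookies, which on Linux are controlled by the `net.ipv4.tcp_syncookies` sysctl) rather than to filter by source address.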

Application layer attacks

The attack’s goal:

The purpose of a layer 7 DDoS attack, also known as an application layer attack, is to exhaust the target’s resources and so cause a denial-of-service.

These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests.

Volumetric attacks

The goal:

This type of attack tries to cause congestion by consuming all available bandwidth between the target and the rest of the Internet. Large amounts of data are sent to the target either through amplification or through another means of generating massive traffic, such as requests from a botnet.

Blackhole routing

Creating a blackhole route and funneling traffic into it is a solution available to almost all network administrators. When blackhole filtering is applied without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or blackhole, and dropped from the network.

As a defense against a DDoS attack, the Internet service provider (ISP) of an Internet property can send all of the site’s traffic into a blackhole.

DNS Amplification

A DNS amplification attack is like phoning a restaurant and saying, “I’ll have one of everything, please call me back and repeat my entire order,” where the callback number given is actually the victim’s. With very little effort, a long response is generated and sent to the victim.

By sending a request to an open DNS server with a spoofed source IP address (the victim’s IP address), the attacker causes the server to send its much larger response to the victim instead of back to the attacker.
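From the victim network's edge, a reflection attack of this kind has a recognizable shape: DNS responses arrive from resolvers that the network never queried, or the bytes coming back from a resolver dwarf the bytes sent to it. The following added example (not part of the original article) runs that check over a constructed set of flow records. The record layout (source, source port, destination, destination port, bytes, all UDP), the `192.0.2.` prefix for "our" network and the ratio threshold of 10 are assumptions made for the example.

```python
from collections import defaultdict

# Constructed UDP flow records as seen at our network edge:
# (src, sport, dst, dport, bytes). 192.0.2.10 is our host; the other
# addresses stand in for remote resolvers (all from documentation ranges).
SAMPLE_FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, 60),     # our own query ...
    ("198.51.100.53", 53, "192.0.2.10", 40001, 180),    # ... and its ordinary-sized answer
    ("192.0.2.10", 40003, "198.51.100.54", 53, 64),     # a query that drew a very large answer
    ("198.51.100.54", 53, "192.0.2.10", 40003, 3200),
    ("203.0.113.5", 53, "192.0.2.10", 40002, 3000),     # answers we never asked for
    ("203.0.113.6", 53, "192.0.2.10", 40002, 3000),
    ("203.0.113.7", 53, "192.0.2.10", 40002, 2900),
    ("203.0.113.7", 53, "192.0.2.10", 40002, 2900),
]


def dns_reflection_report(flows, our_prefix="192.0.2.", min_ratio=10.0):
    """Return {resolver: (bytes_sent, bytes_received, ratio)} for resolvers whose
    responses to us exceed min_ratio times what we sent them. A resolver we never
    queried at all gets ratio inf (pure unsolicited traffic)."""
    sent = defaultdict(int)       # bytes we sent to each resolver on udp/53
    received = defaultdict(int)   # bytes each resolver sent us from udp/53
    for src, sport, dst, dport, nbytes in flows:
        if src.startswith(our_prefix) and dport == 53:
            sent[dst] += nbytes
        elif dst.startswith(our_prefix) and sport == 53:
            received[src] += nbytes

    findings = {}
    for resolver, rx in received.items():
        tx = sent.get(resolver, 0)
        ratio = rx / tx if tx else float("inf")
        if ratio >= min_ratio:
            findings[resolver] = (tx, rx, ratio)
    return findings


def unsolicited_bytes(report):
    """Total bytes from resolvers we never queried, i.e. the pure reflection volume."""
    return sum(rx for tx, rx, _ in report.values() if tx == 0)


if __name__ == "__main__":
    report = dns_reflection_report(SAMPLE_FLOWS)
    for resolver, (tx, rx, ratio) in sorted(report.items()):
        print(f"{resolver:16} sent={tx:5} received={rx:6} ratio={ratio}")
    print("unsolicited bytes:", unsolicited_bytes(report))
```

The unsolicited case is the unambiguous one and is what upstream filtering or a scrubbing service acts on; the high-ratio case needs judgement, because a handful of legitimately large answers (large DNSSEC or TXT records) will look the same as a single amplified one, so that threshold should be applied to volume over a window rather than to one flow.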

Process of mitigating the attack

Differentiating between attack and regular traffic is a major concern when dealing with a DDoS attack.

For example, if a company’s website is flooded with excited buyers as a result of a product launch, cutting off all traffic is a mistake. If the organization unexpectedly receives a flood of traffic from known attackers, mitigation efforts are almost certainly needed.

The challenge is distinguishing genuine customers from attack traffic.

Vulnerability Assessment

Assess the vulnerability of your network, and detect weaknesses in it before a malicious user exploits them. A vulnerability assessment means identifying security flaws in the infrastructure so that you can patch them and be adequately prepared for a DDoS attack or other cyber security threats.

Rate limiting

Denial-of-service attacks can also be mitigated by limiting the number of requests a server accepts from a client over a given window of time.

Although rate limiting is useful for slowing down web scrapers and preventing brute force login attempts, it would almost certainly be inadequate to effectively manage a complex DDoS attack.

Nonetheless, rate limiting is an essential part of a successful DDoS mitigation strategy.
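The following added example (not code from the original article) implements the per-client rate limit just described as a sliding window and then replays two constructed request streams through it. Both streams carry the same 50 requests in five seconds; one comes from a single address, the other is spread across 25 addresses. The limit of 10 requests per 10-second window and the client addresses are assumed values chosen for the demonstration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # client -> timestamps of recent allowed requests

    def allow(self, client, now):
        """Return True if the request at time `now` is within the client's budget."""
        q = self._hits[client]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # rejected requests do not consume budget
        q.append(now)
        return True


def replay(limiter, requests):
    """Feed (timestamp, client) pairs through the limiter in time order and
    return {client: (allowed, rejected)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


# Constructed request streams: 50 requests in 5 seconds, either from one
# address or from 25 addresses taking turns (2 requests each).
SINGLE_SOURCE = [(i * 0.1, "203.0.113.7") for i in range(50)]
DISTRIBUTED = [(i * 0.1, f"198.51.100.{i % 25 + 1}") for i in range(50)]

if __name__ == "__main__":
    print("single source:", replay(SlidingWindowLimiter(limit=10, window=10.0), SINGLE_SOURCE))
    print("distributed:  ", replay(SlidingWindowLimiter(limit=10, window=10.0), DISTRIBUTED))
```

The two results make the point of the paragraph above concrete: the single-source stream loses 40 of its 50 requests, which is what stops brute-force logins and scrapers, while the distributed stream passes untouched because every address stays under the limit. A per-client limit therefore needs to be combined with the other measures in this section, and the limiter's table of recent timestamps must itself be bounded (an LRU or a fixed-size table), or a flood of distinct addresses will exhaust the limiter's memory instead of the server's.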

Anycast network diffusion

This mitigation method uses an Anycast network to scatter attack traffic across a network of distributed servers until it is absorbed by the network.

Like channeling a rushing river into several smaller streams, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, defusing any disruptive capability.

The capacity of an Anycast network to mitigate a DDoS attack is determined by the scale of the attack as well as the network’s size and performance.

Web application firewall

A Web Application Firewall (WAF) is a tool that can assist in mitigating layer 7 DDoS attacks. Placed between the Internet and an origin server, a WAF acts as a reverse proxy, shielding the targeted server from certain types of malicious traffic.

Layer 7 attacks can be impeded by filtering requests against a set of rules that identify DDoS tools. One key feature of an effective WAF is the ability to quickly implement custom rules in response to an attack.
