How A DDoS Attack Occurs | The Topmost Best Mitigation Steps

The key concern in mitigating a DDoS Attack is differentiating between attack traffic and regular traffic. For example, if a product release has a company’s website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known attackers, efforts to alleviate an attack are probably necessary.

Usually, the difficulty lies in telling the real customers apart from the attack traffic. In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed single-source attacks to complex and adaptive multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways to overwhelm a target in different ways.

At the same time, it can divert mitigation efforts away from any single vector. Protecting web applications and server infrastructures from DDoS attacks is no longer a choice for organizations with an online presence. The advent of DDoS-for-hire services has effectively lowered the bar for those capable of executing an assault, making all web entities a target.

A successful DDoS Attack negatively impacts an organization’s reputation and damages existing client relationships. Significant financial losses can amount to as much as $40,000 per hour for major enterprises. Smaller entities can face tens of thousands of dollars in damages, while longer, unmitigated assaults can potentially be business-ending events.

What Is A DDoS Attack?

A Distributed Denial of Service or DDoS Attack is a malicious attempt to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server. In most cases, a DDoS Attack is launched from numerous compromised devices, often distributed globally, in what is referred to as a botnet.

A DDoS attack is distinct from a Denial of Service (DoS) attack, which uses a single Internet-connected device (one network connection) to flood a target with malicious traffic. This nuance is the main reason for the two somewhat different definitions. A DDoS Attack is often carried out with networks of Internet-connected machines. These networks consist of computers as well as other devices (such as IoT devices) that have been infected with malware, allowing an attacker to control them remotely. The individual devices are called bots (or zombies), and a group of bots is called a botnet. Once a botnet has been established, the attacker can direct an attack by sending remote instructions to each bot.

When the botnet targets a victim’s server or network, each bot sends requests to the target’s IP Address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to regular traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.

DoS and DDoS attacks can be divided into three types:
  • Volume-Based Attacks: Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).
  • Protocol Attacks: Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, and more. This attack consumes existing server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second (pps).
  • Application Layer Attacks: Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows, or OpenBSD vulnerabilities, and more. Comprised of seemingly legitimate and innocent requests, these attacks aim to crash the web server, and the magnitude is measured in requests per second (rps).

The Most Common DDoS Attack Types Using The OSI Model Framework

Different types of DDoS attacks target varying components of a network connection. To understand how the different DDoS attacks work, it is necessary to know how a network connection is made. A network connection on the Internet comprises many components or “layers.” Like building a house from the ground up, each layer in the model has a different purpose.

It’s important to realize that the OSI Model is a conceptual framework that describes network connectivity in 7 distinct layers. For example, an attack that simultaneously targets multiple layers of the protocol stack, such as a DNS amplification (targeting layers 3/4) coupled with an HTTP Flood (targeting layer 7), is an example of multi-vector DDoS.

DDoS Attack OSI Model

Mitigating a multi-vector DDoS attack requires various strategies to counter different trajectories. Generally speaking, the more complex the attack, the more likely it is that the attack traffic will be difficult to separate from regular traffic — the attacker’s goal is to blend in as much as possible, making mitigation efforts as inefficient as possible.

Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. To overcome a complex attempt at disruption, a layered solution will give the most significant benefit. Some of the most commonly used DDoS attack types include:

1. UDP Flood

A UDP Flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP) packets. The attack goal is to flood random ports on a remote host. This causes the host to repeatedly check for the application listening at that port and (when no application is found) reply with an ICMP ‘Destination Unreachable’ packet. This process saps host resources, which can ultimately lead to inaccessibility.

2. ICMP (Ping) Flood

Similar in principle to the UDP flood attack, an ICMP (Ping) Flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This attack can consume both outgoing and incoming bandwidth since the victim’s servers often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.

3. SYN Flood

A SYN Flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host and then confirmed by an ACK response from the requester.

In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response or sends the SYN requests from a spoofed IP address. Either way, the host system waits for an acknowledgment for each request, binding resources until no new connections can be made, ultimately resulting in a denial of service.

4. Ping Of Death

A Ping Of Death (POD) attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum length of an IP packet (including the header) is 65,535 bytes. However, the Data Link Layer usually poses limits on the full frame size – for example, 1500 bytes over an Ethernet network.

In this case, a large IP packet is split across multiple IP packets (fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient receives an IP packet larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing a denial of service for legitimate packets.

5. Slowloris

Slowloris is a highly targeted attack. It enables one web server to take down another without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by opening connections to the target server but sending only a partial request.

Slowloris keeps sending further HTTP headers at intervals but never completes a request. The targeted server keeps each of these bogus connections open, which eventually exhausts the maximum concurrent connection pool and denies new connections from legitimate clients.
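The two server-side countermeasures that defeat this behaviour are a deadline for receiving the complete request head and a cap on concurrent connections per client address; production servers expose both as configuration (header/body read timeouts and connection limits). The following is an added illustration, not code from the original article: a minimal asyncio listener that enforces both, plus a constructed test client that mimics the partial-request behaviour described above so the defence can be observed locally. The timeout, byte limit and per-IP cap values are constructed for the demo, not tuning recommendations.

```python
import asyncio
import contextlib
from collections import Counter


async def _close(writer):
    """Close a stream, ignoring errors from a peer that already reset the connection."""
    writer.close()
    with contextlib.suppress(OSError):
        await writer.wait_closed()


class SlowlorisGuardServer:
    """Minimal HTTP listener: the whole request head must arrive within
    header_timeout seconds and max_head_bytes, and each client IP may hold at
    most per_ip_limit connections that are still sending their head."""

    def __init__(self, header_timeout=0.8, max_head_bytes=8192, per_ip_limit=3):
        self.header_timeout = header_timeout
        self.max_head_bytes = max_head_bytes
        self.per_ip_limit = per_ip_limit
        self._active = Counter()      # client IP -> connections currently reading a head
        self.served = self.closed_slow = self.rejected_over_limit = 0
        self._server = None

    async def handle(self, reader, writer):
        peer = writer.get_extra_info("peername")[0]
        if self._active[peer] >= self.per_ip_limit:
            self.rejected_over_limit += 1
            writer.write(b"HTTP/1.1 429 Too Many Requests\r\nConnection: close\r\n\r\n")
            await _close(writer)
            return
        self._active[peer] += 1
        try:
            # A client trickling one header line at a time never sends the blank
            # line, so this read hits the deadline instead of holding a worker.
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=self.header_timeout)
        except (asyncio.TimeoutError, asyncio.LimitOverrunError,
                asyncio.IncompleteReadError, ConnectionError):
            self.closed_slow += 1
            writer.write(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        else:
            self.served += 1
            writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        finally:
            self._active[peer] -= 1
            await _close(writer)

    async def start(self):
        # limit= bounds the bytes readuntil() buffers while waiting for the separator.
        self._server = await asyncio.start_server(
            self.handle, "127.0.0.1", 0, limit=self.max_head_bytes)
        return self._server.sockets[0].getsockname()[1]

    async def stop(self):
        self._server.close()
        await self._server.wait_closed()


async def slow_client(port, lines=6, interval=0.2):
    """Constructed test client: sends a partial head, then one filler header per
    interval, and never the terminating blank line (the behaviour described above)."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        writer.write(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
        for i in range(lines):
            await asyncio.sleep(interval)
            writer.write(f"X-Filler-{i}: 1\r\n".encode())
            await writer.drain()
        return await reader.read()    # returns once the server closes the socket
    except OSError:
        return b""
    finally:
        await _close(writer)


async def legit_client(port):
    """Ordinary client: complete request head in one write; returns the status code."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    await writer.drain()
    data = await reader.read()
    await _close(writer)
    return data.split(b" ")[1].decode() if data else ""


async def demo():
    server = SlowlorisGuardServer(header_timeout=0.8, per_ip_limit=3)
    port = await server.start()
    held = []
    for _ in range(2):                    # two slow connections are accepted and held
        held.append(asyncio.create_task(slow_client(port)))
        await asyncio.sleep(0.1)
    status = await legit_client(port)     # a normal request still gets through
    for _ in range(2):                    # third is held, fourth exceeds the per-IP cap
        held.append(asyncio.create_task(slow_client(port)))
        await asyncio.sleep(0.1)
    await asyncio.gather(*held)           # the held ones are cut off at the deadline
    await server.stop()
    return {"legit_status": status, "served": server.served,
            "closed_slow": server.closed_slow, "rejected_over_limit": server.rejected_over_limit}


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

Running the module serves the legitimate request, times out the three held connections with 408 and refuses the fourth from the same address with 429; the same outcome is what a correctly configured header timeout and per-client connection limit give you on a real web server.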

6. NTP Amplification

In NTP Amplification, the perpetrator exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm a targeted server with UDP traffic. The attack is defined as an amplification assault because the query-to-response ratio in such scenarios is anywhere between 1:20 and 1:200 or more. Any attacker that obtains a list of open NTP servers (e.g., using a tool like Metasploit or data from the Open NTP Project) can quickly generate a devastating high-bandwidth, high-volume DDoS attack.

7. HTTP Flood

In an HTTP Flood DDoS attack, the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, IP Spoofing, or reflection techniques and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to every request.

How To Stop A DDoS Attack

According to recent market research, DDoS Attacks are quickly becoming the most prevalent type of cyber threat, proliferating in the past year in both number and volume. The trend is toward shorter attack duration but more considerable packet-per-second attack volume.

Attackers are primarily motivated by the following:
  • Ideology – So-called “hacktivists” use DDoS attacks to target websites they disagree with ideologically.
  • Feuds – Businesses can use DDoS attacks to strategically take down competitor websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
  • Boredom – Cyber vandals, a.k.a. “script-kiddies,” use prewritten scripts to launch DDoS attacks. The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline rush.
  • Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks, to extort money from their targets.
  • Warfare – Government-authorized DDoS attacks can cripple opposition websites and an enemy country’s infrastructure.

The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But since several causes — such as a legitimate spike in traffic — can create similar performance issues, further investigation is usually required. Traffic analytics tools can help you spot some telltale signs of a DDoS attack.

How to identify an attack:
  • Suspicious amounts of traffic originating from a single IP address or IP range
  • A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version
  • An unexplained surge in requests to a single page or endpoint
  • Odd traffic patterns, such as spikes at odd hours of the day or patterns that appear unnatural (e.g., a spike every 10 minutes)
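The four signs in this checklist can be scored directly from a web server's access log. The script below is an added example, not from the original article: it parses common-log-style lines, measures what share of requests the busiest source IP, /24 range, User-Agent and endpoint account for, and compares the busiest minute against the median minute to catch bursts. The log lines are constructed (RFC 5737 documentation addresses, an invented User-Agent) and the thresholds are assumptions to be tuned against a site's normal traffic.

```python
import re
import statistics
from collections import Counter

# Access-log shape assumed here: IP [timestamp] "request line" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_sample_log():
    """Constructed traffic, not real data: 40 diverse requests spread across a day,
    plus 200 requests inside one minute from ten hosts in one /24, all carrying
    the same User-Agent and all aimed at /login."""
    agents = ["Mozilla/5.0 (Windows NT 10.0) Firefox/124.0",
              "Mozilla/5.0 (Macintosh) Safari/17.0",
              "Mozilla/5.0 (Linux; Android 14) Chrome/123.0"]
    paths = ["/", "/products", "/blog/post-1", "/cart"]
    lines = []
    for i in range(40):
        ts = f"12/Mar/2024:{i % 24:02d}:{(i * 7) % 60:02d}:30 +0000"
        lines.append(f'198.51.100.{i + 1} [{ts}] "GET {paths[i % 4]} HTTP/1.1" 200 "{agents[i % 3]}"')
    for i in range(200):
        ts = f"12/Mar/2024:03:14:{i % 60:02d} +0000"
        lines.append(f'203.0.113.{i % 10 + 1} [{ts}] "POST /login HTTP/1.1" 401 '
                     f'"Mozilla/5.0 (X11; Linux x86_64) rv:1.0"')
    return lines


def analyze(lines, share_threshold=0.5, single_ip_threshold=0.25, burst_threshold=10.0):
    """Score the checklist indicators and return them with the flags that fired."""
    recs = [r for r in map(parse_line, lines) if r]
    total = len(recs)
    if total == 0:
        return {"total": 0, "flags": []}

    def top(counter):
        key, n = counter.most_common(1)[0]
        return key, n / total

    ip, ip_share = top(Counter(r["ip"] for r in recs))
    net, net_share = top(Counter(r["ip"].rsplit(".", 1)[0] + ".0/24" for r in recs))
    ua, ua_share = top(Counter(r["ua"] for r in recs))
    path, path_share = top(Counter(r["path"] for r in recs))
    per_minute = Counter(r["ts"][:17] for r in recs)          # "12/Mar/2024:03:14"
    busiest, peak = per_minute.most_common(1)[0]
    burst_ratio = peak / statistics.median(per_minute.values())

    flags = []
    if ip_share >= single_ip_threshold:
        flags.append("single_ip")
    if net_share >= share_threshold:
        flags.append("ip_range")
    if ua_share >= share_threshold:
        flags.append("shared_profile")
    if path_share >= share_threshold:
        flags.append("single_endpoint")
    if burst_ratio >= burst_threshold:
        flags.append("burst")
    return {"total": total, "top_ip": ip, "top_ip_share": round(ip_share, 3),
            "top_net": net, "top_net_share": round(net_share, 3),
            "top_ua": ua, "top_ua_share": round(ua_share, 3),
            "top_path": path, "top_path_share": round(path_share, 3),
            "busiest_minute": busiest, "burst_ratio": round(burst_ratio, 1),
            "flags": flags}


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed log the single-IP check stays quiet (no one host exceeds a quarter of the traffic) while the /24, shared-profile, single-endpoint and burst checks all fire, which is the typical shape of a small botnet hitting one endpoint. In practice feed it a sliding window of recent lines rather than a whole day, so the baseline the burst ratio compares against reflects current traffic.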

Other, more specific signs of a DDoS attack vary depending on the type of attack. There are several approaches to stopping DDoS attacks. While each offers benefits, their overall effectiveness in stopping DDoS is based on several factors, including scalability and filtering capabilities, cost and ease of integration, ease of use, and hosting compatibility.

1. DIY Measures

Do-It-Yourself (DIY) protection is widely considered a weak DDoS mitigation approach. Usually, it relies on setting static traffic thresholds (e.g., using mod_evasive) and indiscriminate IP blacklisting rules. It is mainly preferred for budgetary reasons and rarely considered by online businesses.

A significant drawback to DIY solutions is that they’re often employed as a reactive measure. Almost always, a configuration is manually tweaked after an initial attack wave has hit. While such a solution might stop similar future assaults, the successful first wave is usually enough to cause hours of downtime and other issues.

Moreover, perpetrators can easily modify their methods, attacking from disparate sources and using different vectors. This keeps your organization in a defensive position, where it must repeatedly deploy additional configurations while attempting to recover from multiple downtime events. This can go on for days at a time.

However, the real issue with any DIY approach is that it’s always constrained by network bandwidth, which severely limits the scalability required to stop network layer DDoS attacks. With most assaults registering over 10Gbps and few organizations having more than a 10Gbps burst uplink, the DIY solution is almost always doomed to fail.

2. On-Premise Appliances

The on-premise approach to DDoS protection uses hardware appliances deployed inside a network, placed in front of protected servers. Such devices usually have advanced traffic filtering capabilities, geo-blocking, rate limiting, IP reputation, and signature identification.

Typical mitigation appliances can be effectively used to filter out malicious incoming traffic. This makes them a viable option for stopping application layer attacks. However, several factors make it unfeasible to rely on appliances.

Consider the following:
  • Scalability remains an issue. The hardware’s ability to handle large amounts of DDoS traffic is capped by a network’s uplink, which is rarely more than 10Gbps (burst).
  • On-premise appliances need to be manually deployed to stop an attack. This impacts time-to-response and mitigation, often causing organizations to suffer downtime before a security perimeter can be established.
  • Finally, the cost to purchase, install and maintain hardware is relatively high — especially compared to a less costly and more effective cloud-based option. This makes mitigation appliances impractical unless an organization must use on-premise solutions (e.g., by industry-specific regulations).

In the latter scenario, hardware is typically part of a hybrid deployment, complemented by cloud-based solutions that defend against network layer attacks.

3. Off-Premise Solutions

Off-premise solutions are either ISP-provided or cloud-based. ISPs typically offer only network layer protection, while cloud-based solutions provide additional filtering capabilities to stop application layer attacks. Both offer virtually limitless scalability, as they are deployed outside a network and aren’t constrained by the previously-identified uplink limitations.

Generally, off-premise mitigation solutions are managed services. They don’t require any of the investment in security personnel or upkeep required by DIY solutions and on-premise hardware. They’re also significantly more cost-effective than on-premise solutions, providing better protection against network and application layer threats.

Off-premise solutions are deployed as an on-demand or always-on service, with most market-leading vendors offering both.

The options are as follows:
  • On-Demand Option: Enabled by BGP Rerouting, the on-demand option stops network layer attacks — including those directly targeting the origin server and other components of core network infrastructure. These include SYN or UDP Floods and volumetric attacks designed to clog network pipes with fake data packets.
  • Always-On Option: The always-on option is enabled through DNS redirection. It stops application layer assaults attempting to establish TCP connections with an application to exhaust server resources. These include HTTP floods, DNS Floods, and various low-and-slow attacks (e.g., Slowloris).

4. Anycast Network

This mitigation approach uses an Anycast network diffusion strategy to scatter the attack traffic across a distributed server network to the point where the network absorbs the traffic. Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing its disruptive capability. The reliability of an Anycast network for mitigating a DDoS attack depends on the size of the attack and on the size and efficiency of the network. An essential part of the DDoS mitigation implemented by Cloudflare is the use of an Anycast distributed network.

5. Blackhole Routing

Another solution available to virtually all network admins is to create a black hole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or black hole, and dropped from the network.

If an Internet property is experiencing a DDoS attack, the property’s Internet Service Provider (ISP) may send all of the site’s traffic into a black hole as a defense. This is not an ideal solution, as it effectively gives the attacker their desired goal: it makes the network inaccessible.

6. Rate Limiting

Limiting the number of requests a server will accept over a specific time window is also a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers from stealing content and mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively. Nevertheless, rate limiting is useful in an effective DDoS mitigation strategy.
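A per-client token bucket is the usual way to implement the request limit described here: each client may burst up to the bucket capacity, then is held to the refill rate on average, while other clients keep their own budget. The code below is an added example, not from the original article; the capacity, refill rate and the constructed traffic (one host firing 100 requests in under a second beside a visitor sending one request per second) are assumptions. It also includes idle-bucket eviction, because a limiter that remembers every address it has ever seen is itself a memory-exhaustion target under a spoofed-source flood.

```python
import time


class FakeClock:
    """Deterministic clock for the simulation; a real deployment uses time.monotonic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TokenBucketLimiter:
    """Per-client token bucket: a burst of up to `capacity` requests, then
    `refill_rate` requests per second on average."""

    def __init__(self, capacity=20, refill_rate=8.0, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.clock = clock
        self._buckets = {}          # client -> (tokens, timestamp of last update)

    def allow(self, client):
        """Return True if the request is admitted, False if it should be rejected (HTTP 429)."""
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._buckets[client] = (tokens, now)
        return allowed

    def evict_idle(self, max_idle_seconds):
        """Drop buckets not touched for max_idle_seconds; returns how many were removed.
        A full bucket is indistinguishable from no bucket, so this loses nothing."""
        now = self.clock()
        stale = [c for c, (_, last) in self._buckets.items() if now - last > max_idle_seconds]
        for c in stale:
            del self._buckets[c]
        return len(stale)

    def tracked_clients(self):
        return len(self._buckets)


def build_sample_traffic():
    """Constructed request timeline as (seconds, client) pairs, not real data."""
    events = [(i / 128, "203.0.113.9") for i in range(100)]     # 100 requests in ~0.8 s
    events += [(float(t), "198.51.100.4") for t in range(10)]   # one request per second
    events.sort(key=lambda e: e[0])
    return events


def simulate(events, capacity=20, refill_rate=8.0):
    """Replay the timeline through one limiter; returns per-client counts and the limiter."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity, refill_rate, clock)
    stats = {}
    for t, client in events:
        clock.now = t
        bucket = stats.setdefault(client, {"allowed": 0, "denied": 0})
        bucket["allowed" if limiter.allow(client) else "denied"] += 1
    return stats, limiter


if __name__ == "__main__":
    stats, limiter = simulate(build_sample_traffic())
    for client, counts in stats.items():
        print(client, counts)
    print("evicted after 5 s idle:", limiter.evict_idle(5.0))
```

The flooding host gets its initial burst of 20 plus whatever refilled while it was hammering, and the remaining three quarters of its requests are refused, while the normal visitor is never touched. The time step (1/128 s) and refill rate (8/s) are chosen so the arithmetic is exact in floating point; in production the limiter keys on client IP or session, and it is the bucket it keeps, not the attacker's, that decides whether your mitigation survives a long attack.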

7. Web Firewall

A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic. By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to implement custom rules quickly in response to an attack.
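The rule engine at the heart of such a WAF is an ordered list of predicates over the request, evaluated in front of the origin with first match deciding, and the property the paragraph values most is that an operator can push a new rule to the front of that list mid-attack. The following is an added example, not the article's or any vendor's code: a small rule engine with a baseline rule set (missing Host header, scripted-client User-Agent, oversized query, challenge on expensive endpoints), an allow-list for trusted monitoring networks that bypasses the rules, and an emergency rule added at runtime. The tool signature, the 10.0.0.0/8 trusted range and the sample requests are all constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    client_ip: str
    method: str
    target: str                 # request path plus optional query string
    headers: Dict[str, str]

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

    @property
    def path(self) -> str:
        return self.target.split("?", 1)[0]

    @property
    def query(self) -> str:
        return self.target.split("?", 1)[1] if "?" in self.target else ""


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str = "block"       # "block", "challenge" (e.g. JS/CAPTCHA) or "allow"


class WebFirewall:
    """Ordered rule set evaluated before the origin sees the request; first match wins."""

    def __init__(self, trusted_networks=()):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule, first: bool = False) -> None:
        if first:
            self.rules.insert(0, rule)      # emergency rules jump the queue
        else:
            self.rules.append(rule)

    def evaluate(self, req: Request) -> Tuple[str, str]:
        ip = ipaddress.ip_address(req.client_ip)
        if any(ip in net for net in self.trusted):
            return "allow", "trusted-network"
        for rule in self.rules:
            if rule.matches(req):
                return rule.action, rule.name
        return "allow", "default"


# Constructed signature for a scripted flood client; real WAFs ship maintained signature sets.
SCRIPTED_UA = re.compile(r"^ExampleFloodTool/")


def baseline_rules() -> List[Rule]:
    return [
        Rule("missing-host", lambda r: r.header("Host") == ""),
        Rule("scripted-client", lambda r: r.header("User-Agent") == ""
             or SCRIPTED_UA.match(r.header("User-Agent")) is not None),
        Rule("oversized-query", lambda r: len(r.query) > 2048),
        Rule("expensive-search", lambda r: r.path.startswith("/search"), action="challenge"),
    ]


def emergency_rule(name: str, method: str, path_prefix: str, network: str) -> Rule:
    """Custom rule pushed during an attack: block `method` requests to `path_prefix`
    from the offending range only, so the rest of the site keeps serving everyone."""
    net = ipaddress.ip_network(network)
    return Rule(name, lambda r: r.method == method and r.path.startswith(path_prefix)
                and ipaddress.ip_address(r.client_ip) in net)


NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
SAMPLE = [   # constructed requests
    Request("198.51.100.7", "GET", "/", {"Host": "shop.example", "User-Agent": NORMAL_UA}),
    Request("198.51.100.7", "GET", "/search?q=shoes", {"Host": "shop.example", "User-Agent": NORMAL_UA}),
    Request("203.0.113.5", "POST", "/login", {"Host": "shop.example", "User-Agent": NORMAL_UA}),
    Request("203.0.113.6", "GET", "/", {"User-Agent": NORMAL_UA}),
    Request("192.0.2.3", "GET", "/", {"Host": "shop.example", "User-Agent": "ExampleFloodTool/1.0"}),
    Request("10.0.0.8", "GET", "/healthz", {"Host": "shop.example", "User-Agent": ""}),
    Request("198.51.100.9", "GET", "/search?q=" + "a" * 3000, {"Host": "shop.example", "User-Agent": NORMAL_UA}),
]


def run_sample():
    """Evaluate the sample before and after an emergency rule for a login flood is added."""
    waf = WebFirewall(trusted_networks=["10.0.0.0/8"])    # constructed internal monitoring range
    for rule in baseline_rules():
        waf.add_rule(rule)
    before = waf.evaluate(SAMPLE[2])
    waf.add_rule(emergency_rule("emergency-login-flood", "POST", "/login", "203.0.113.0/24"), first=True)
    return before, [waf.evaluate(r) for r in SAMPLE]


if __name__ == "__main__":
    before, after = run_sample()
    print("login from attack range before emergency rule:", before)
    for req, decision in zip(SAMPLE, after):
        print(req.client_ip, req.method, req.path[:20], "->", decision)
```

Two details carry over to any real deployment: the allow-list is checked before the rules so a hastily written emergency rule cannot lock out your own health checks, and the emergency rule is scoped to method, path and source range rather than blocking the endpoint outright, which is the difference between mitigating the attack and finishing it for the attacker.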

In Conclusion

It’s important to realize that security services such as Imperva have mitigated a massive HTTP flood of 690,000,000 DDoS requests from 180,000 botnet IPs through their technology. Imperva provides easy-to-use, cost-effective, and comprehensive DDoS protection that pushes the envelope for cloud-based mitigation technology.

Imperva completely protects its customers from any DDoS attack through a combination of on-demand and always-on solutions, a global network that offers near-limitless scalability, and award-winning filtering solutions for transparent mitigation. Cloudflare has a 197 Tbps network, an order of magnitude greater than the most significant DDoS attack recorded.

If you are currently under attack, there are steps you can take to get out from under the pressure. If you are on Cloudflare already, you can follow these steps to mitigate your attack. The DDoS protection we implement at Cloudflare is multifaceted to mitigate the many possible attack vectors. Learn more about Cloudflare’s DDoS Protection and how it works.
