If you’ve watched the news lately or read through one of our web hosting articles, you’ve likely heard the term DDoS attack. In this article, Cloudwards.net is going to explain what these are and how you can protect yourself from them.
The number of DDoS attacks is growing and their impact is felt more than ever before. Last year, the longest attack ever recorded lasted 292 hours. DDoS attacks are a real threat and a darling of cybercriminals everywhere because they are easy to set up and difficult to trace.
What are DDoS Attacks?
Let’s start by defining what these attacks actually are. A DDoS attack is just a variation of what is known as a denial-of-service attack. What these do is attempt to interrupt services in order to make a machine or network resource unavailable.
Think about it like this. You’re trying to get into your house, but seven burly men are standing in the doorway. They have no reason to be there, and are blocking access to you, someone who does have reason to be there.
That’s what a DoS attack is. Illegitimate requests are sent to a web server either to slow it down or to crash it completely. This prevents legitimate requests from being filled, denying authorized users access.
A DDoS attack is a variation of a “regular” DoS attack. The extra “D” in front stands for distributed: instead of a single machine sending all of the requests, they are spread out across a network, often consisting of thousands of computers.
A distributed attack is an umbrella term for any attack that uses more than one unique IP address to carry it out. Under that umbrella, the most common are application layer attacks. The name comes from the Open Systems Interconnection model. The OSI model has seven layers that describe how a server (or any other computer) communicates, from the hardware up to the user.
The most important layer for DDoS attacks is the application layer. It sits at the top of the communication chain and is closest to the end user; in most cases, it’s the user interface.
Things like the search box are part of the application layer. Because of that, attackers can target specific functions, like the search bar, to try and disable them. It’s as if thousands of people were trying to use that function of the website at the same time.
Application layer attacks are used to distract IT departments and security from breaches. While the IT department is busy, attackers can gain access to resources that would otherwise be monitored. It’s like the classic “look over there” gag, but with computers.
In short, all DoS attacks accomplish one thing: they take a website offline. The general premise is that a server is flooded with illegitimate requests, blocking access to legitimate traffic.
How Does a DDoS Attack Happen?
DDoS attacks, in their most basic form, are carried out by sending more connection requests than a server can handle. There are 15+ different ways this happens, but we’ll break down some of the most common.
The one truest to form is a UDP flood. UDP stands for User Datagram Protocol, a networking protocol that doesn’t require a connection to be set up before packets are sent. This attack can also be carried out with TCP packets and works much the same way.
Massive numbers of UDP packets are sent to random ports on the target machine. For each one, the target checks for an application listening on that port, finds nothing and sends back an ICMP “destination unreachable” packet. This happens so many times in such a short span that the machine can no longer keep up with legitimate requests.
The next is a ping of death attack. This attack crashes a server by sending a packet larger than the IP protocol allows. The packet is sent as a series of fragments, each under the maximum byte allowance, which are reassembled into one oversized packet when they reach the server. The server can’t handle the result and crashes.
These attacks are not as much of an issue anymore, broadly speaking. However, the tactic is still used to target specific hardware and applications. Some examples are teardrop, bonk and boink attacks. As these last three are a bit obscure and technical, we’ll skip them for now.
Another type of digital assault is the degradation of service attack. These work much the same way, but have a different goal. Instead of bringing a server down, these attacks aim to reduce speed, leading to long enough load times that a site becomes unusable.
Computers flood the target with a constant stream of traffic that stays near, but not over, what it can handle. These attacks are next to impossible to detect and are often mistaken for a simple increase in website traffic.
Most of these techniques have one thing in common: they require many machines working together to bring the attack to life.
Some attacks are coordinated, with thousands of people participating. Operation Payback is a prime example. Anonymous, an internet activist group, launched attacks against piracy opponents in response to file sharing websites being taken offline.
More commonly, however, attackers build large networks of computers to carry out the attacks. This is known as a botnet, a large number of machines that have been infected with malware. We’ve done an investigative piece on Hola VPN, a particularly malicious con that suckers people into a botnet.
Malware is an umbrella term for all malicious software that can be loaded on your machine. Viruses, trojan horses, worms and adware all fit under the name.
Trojans, generally speaking, are used in the case of DDoS attacks. They are often silently installed with other software, and then used to gain remote access to your machine, or install other malicious software after the fact.
MyDoom is an example of a piece of malware used in DDoS attacks back in 2004. It was a worm that accounted for nearly 20 percent of all emails sent when it launched. On February 1st, 2004, one of the largest DDoS attacks recorded was initiated, with an estimated one million machines participating unknowingly.
Botnets are bought and sold on black market websites. The means by which machines are added to a botnet are constantly changing, with the goal of building the largest network possible. Some botnets, like the Bamital botnet, brought in $1 million or more each year for their operators.
How to Protect Yourself
If you don’t own a website, you have little to worry about from an actual attack. Your main concern should be your machine becoming infected and enslaved to a botnet.
General good practice on the internet will avoid most issues: don’t open spam mail, don’t download sketchy applications from file-sharing websites, and so on. However, that won’t cover everything.
In addition to a strong anti-virus solution, the best VPNs for DDoS protection can be used to protect yourself online. Basically, a VPN is an encrypted tunnel you use on the internet. The VPN acts as the middleman so the destination server does not see your source IP address (read more about our best VPN services).
If you do own a website, you’ll have to protect against the actual attack. Even smaller websites can be taken offline. If you’re large enough to make money, you’re large enough to be attacked.
A strong firewall from your web hosting provider is a crucial aspect of server-side defence. Firewalls will not protect against everything, but they will block simple attacks. The best web hosting providers use round-the-clock monitoring by both software and humans to deal with any suspicious activity blocked by the firewall.
On your end, careful monitoring is also required. The best way to defend against a DDoS attack is to detect it early on. Scripts can be written to block traffic that looks suspicious, but that alone rarely works against today’s attacks.
Monitor your traffic to try and notice suspicious spikes. For example, if you’re a media outlet and you notice a sudden spike in traffic without explanation (you weren’t linked, didn’t publish a controversial article), it may be time to investigate further.
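To show what the monitoring advice above looks like in practice, here is an added example that is not Cloudwards’ code: it parses a constructed web-server access log, compares each ten-second window against the traffic seen before it, and for any spike reports how many distinct sources took part and which page absorbed the requests, which is what separates a distributed attack on one function (the search bar mentioned earlier) from an ordinary burst of visitors. The log lines, IP addresses (documentation ranges) and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Matches the start of a "combined" access-log line: client IP, timestamp and request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, client_ip, path without query string), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("ip"), m.group("path").split("?", 1)[0]

def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real data): a quiet minute of
    ordinary browsing, then 60 requests in 5 seconds from 60 different hosts, all to /search."""
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1024'
    quiet = [(0, "203.0.113.5", "/"), (12, "203.0.113.7", "/about"), (25, "203.0.113.9", "/search?q=vpn"),
             (37, "203.0.113.5", "/pricing"), (49, "203.0.113.12", "/")]
    burst = [(60 + i // 12, f"198.51.100.{i + 1}", "/search?q=ddos") for i in range(60)]
    return [fmt.format(ip=ip, ts=(t0 + timedelta(seconds=s)).strftime(TS_FMT), path=p)
            for s, ip, p in quiet + burst]

def analyze(lines, window=10, spike_factor=5.0):
    """Bucket requests into fixed windows and flag any window whose count exceeds spike_factor
    times the average of the windows before it. Each alert also records how many distinct
    sources took part (high share = distributed) and which path absorbed the traffic (the target)."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        start = ts - timedelta(seconds=ts.timestamp() % window)  # align to window boundary
        buckets[start].append((ip, path))
    alerts, history = [], []
    for start in sorted(buckets):
        reqs = buckets[start]
        baseline = sum(history) / len(history) if history else None
        if baseline is not None and len(reqs) > spike_factor * baseline:
            top_path, top_n = Counter(p for _, p in reqs).most_common(1)[0]
            alerts.append({"window_start": start.isoformat(), "requests": len(reqs),
                           "baseline": baseline, "unique_ips": len({ip for ip, _ in reqs}),
                           "top_path": top_path, "top_path_share": top_n / len(reqs)})
        history.append(len(reqs))
    return alerts
```

Lowering spike_factor toward 2 makes the same check flag the sustained, under-capacity elevation of a degradation of service attack, at the cost of more false positives from ordinary traffic growth.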
Finally, web hosting providers will integrate upstream filtering on their servers to protect against attacks. With upstream filtering, traffic passes through a filtering service before it reaches your server, and that service decides what is good and what is bad. Cloudflare, for example, is a free upstream filtering service.
Upstream filtering is a technique used by cloud mitigation providers. These companies monitor traffic to your site without the need for physical hardware on your end. In addition to upstream filtering, they can divert suspicious traffic to dummy sites backed by massive amounts of network bandwidth.
There are always risks, but generally good behavior on the internet should vastly reduce them. Your information is always valuable, and the ways malware is loaded onto your machine are constantly changing. Make sure you read up on our online privacy guide to learn how to keep yourself safe.
DDoS attacks are a prevalent problem today, and continue to grow each year. The techniques used to take a website offline, or degrade performance, are constantly evolving, with attackers discovering new methods and combining old ones. Read our what is DDoS in gaming article to learn more.
However, security measures are constantly evolving as well. Smart behavior on the internet will protect most people from becoming part of a botnet. Businesses can protect themselves with careful monitoring of traffic and security measures like firewalls and cloud mitigation.
How do you protect yourself online? Let us know in the comments below, and thank you for reading.