In 2023, Cloudflare detected and thwarted the largest attack it had ever seen, at 201 million requests per second (rps), which was almost 8 times larger than its previous 2022 record of 26 million rps and 5 times larger than the 46 million rps Google recorded. Cloudflare also reported that DDoS attacks had reached new heights in complexity, alongside size.
But what exactly is a DDoS attack? How can it threaten our cyber security? What should we do during a DDoS attack? In this blog post, we take a close look at one of the most common security threats and answer these questions to help you safeguard against them.
What is a DDoS attack?
A DDoS (Distributed Denial-of-Service) attack overwhelms a server with far more maliciously sent web requests than it can handle, causing it to crash or become unavailable to users. To accomplish this, the attacker controls many internet-connected devices and uses them to flood the server with these requests.
Think of a DDoS attack as millions of people trying to crowd into a tiny room. In no time, the room will be packed and nobody will be able to enter or exit. DDoS attacks can also be likened to intentional traffic jams that clog up highways and stop regular traffic from reaching its destination.
In general, DDoS attacks are most common at Layers 3, 4, 6, and 7 of the OSI model.
💡 What is a web request?
A web request (also just called a request) is a command given to the computer or system by a user. For instance, if you click on a link, a button, or enter some text, you're sending a request. The system will then process your request and respond accordingly, for example, by displaying a certain web page, saving data, or opening an application.
How do DDoS attacks work?
How can attackers send such a massive amount of requests simultaneously, and where does the traffic come from?
Attackers first infect computers or other internet-connected devices, such as connected cars and IoT devices, with malware. This allows the attackers to remotely control other people's computers and devices. These compromised computers and devices, also called bots or zombies, are then used to send the requests; together they form a botnet.
When the attacker instructs the botnet to send requests all at once, the target server crashes or becomes unavailable. Since these requests come from otherwise legitimate devices, it is difficult to tell normal traffic apart from malicious traffic.
Types of DDoS attacks
DDoS attacks target different layers and can be divided into the following types:
Infrastructure layer attacks
Infrastructure layer attacks target Layers 3 and 4 and occur more frequently, attempting to overwhelm the server with large amounts of data. Two common examples of infrastructure layer attacks are SYN flood and UDP flood attacks.
Application layer attacks
Application layer attacks, on the other hand, focus on Layers 6 and 7 and are more sophisticated. This type of DDoS attack targets a specific part of an application to make it unavailable to users.
Common DDoS attacks
Here are some common attack types to look out for:
ICMP flood attacks: Internet Control Message Protocol (ICMP) pings, or echo-request packets, are used to overwhelm a server or a network.
UDP flood attacks: Massive amounts of IP packets which contain User Datagram Protocol (UDP) packets are sent, overwhelming ports on the host.
SYN flood attacks: Attackers rapidly initiate connections to a server but never complete the handshake. The server then has to hold these half-open connections, which wastes its resources and leaves it unable to respond to legitimate traffic.
HTTP flood attacks: HTTP GET or POST requests that appear to be legitimate are sent in volume to the target server or application.
Slowloris attacks: Connections are opened between a computer and the target web server with partial HTTP requests. These connections are kept open for as long as possible in order to slow the server down.
DNS amplification attacks: Small queries are turned into much larger responses by exploiting open DNS resolvers, and those responses are directed at the target, bringing down the target server.
NTP amplification attacks: UDP traffic is amplified using publicly accessible Network Time Protocol (NTP) servers, overwhelming the target server.
How to identify DDoS attacks
As DDoS attacks are nearly indistinguishable from the usual traffic received by a server or a network system, they are difficult to detect. However, they tend to exhibit the following symptoms:
- Inability to access any or certain websites
- Denied access over a long period of time
- Increase in spam
- Unusually slow network (while opening files or accessing websites)
- Unusual connection issues
- Server disconnection, lag, and latency problems
These symptoms can also stem from ordinary availability problems, so further investigation and analysis are needed to determine whether a DDoS attack is actually happening. The following traffic signs indicate the presence of a DDoS attack:
- An unusually large amount of traffic from a single IP address or IP range
- An unusually large amount of traffic from users who share similarities (e.g. using the same type of device, sharing the same geolocation, having the same web browser version, etc.)
- Inexplicable rise of requests to a certain page or endpoint
- Unusual traffic patterns (e.g. traffic surging at odd hours or every 30 minutes)
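The traffic signs listed above (a single noisy source, a cluster of near-identical clients, a spike on one endpoint) can be checked mechanically against a web server's access log. The following Python script is an added example, not code from the original post: it parses a constructed sample of access log lines in combined log format and reports which of those signs the sample exhibits. The thresholds are assumptions and should be tuned to your own normal traffic baseline.

```python
import re
from collections import Counter

# Constructed sample access log (combined log format); not real traffic.
# One source IP (203.0.113.7) hammers /login with an identical User-Agent,
# while three other clients browse normally.
FLOOD = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.88"'
    for s in range(12)
]
NORMAL = [
    '198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.9 - - [10/Oct/2023:13:55:05 +0000] "GET /products HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh)"',
    '192.0.2.33 - - [10/Oct/2023:13:55:08 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"',
]
SAMPLE_LOG = "\n".join(FLOOD + NORMAL)

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def flag_ddos_signs(records, per_ip_max=5, path_share=0.5, ua_share=0.5):
    """Return the traffic signs from the post that this log window exhibits.

    per_ip_max: an IP sending more than this many requests is flagged (assumed threshold)
    path_share: one path receiving this fraction of all requests counts as a spike
    ua_share:   one User-Agent making this fraction of all requests counts as a cluster
    """
    total = len(records)
    findings = {}
    if total == 0:
        return findings
    noisy = sorted(ip for ip, n in Counter(r["ip"] for r in records).items() if n > per_ip_max)
    if noisy:
        findings["noisy_ips"] = noisy
    path, n = Counter(r["path"] for r in records).most_common(1)[0]
    if n / total >= path_share:
        findings["hot_path"] = path
    ua, n = Counter(r["ua"] for r in records).most_common(1)[0]
    if n / total >= ua_share:
        findings["dominant_ua"] = ua
    return findings

if __name__ == "__main__":
    print(flag_ddos_signs(parse_log(SAMPLE_LOG)))
```

A finding here is a prompt for investigation, not proof of an attack: compare the flagged values against your baseline and recent deployments (for example, a new release that legitimately sends many clients to one endpoint) before blocking anything.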
How to mitigate a DDoS attack?
What can you do to protect against DDoS attacks? Here are 5 ways:
1. Differentiate malicious traffic from legitimate traffic
While simply throttling all incoming traffic appears to be a logical solution, it also makes your web server or service unavailable to legitimate users, which hinders your business activities. To differentiate malicious traffic from legitimate traffic, analyze the incoming traffic and compare the volume and pattern your server normally handles against the unusual traffic being received.
2. Reduce attack surface area
To mitigate DDoS attacks, limit the options the attacker has by reducing the surface area that is exposed to attack. Do not expose applications or resources unnecessarily, so that there are fewer possible points of attack. For instance, you can use CDNs or load balancers to direct traffic to edge servers and keep overwhelming amounts of traffic from reaching your origin server.
3. Scale capacity
Transit (bandwidth) capacity and server capacity are both at risk during DDoS attacks. To defend against them, you can increase both to reduce the chance of your server or service becoming unavailable. Redundant internet connectivity and resources can also buy you time to investigate the malicious traffic further and counter it with more specific measures.
4. Direct traffic to scrubbing centers
Scrubbing centers filter out malicious attack traffic and return only clean traffic to the network or server. They can effectively defend against DDoS attacks, especially volumetric ones.
5. Configure WAFs
A Web Application Firewall (WAF), when set up between the internet and the origin server, acts as a reverse proxy that shields the server under attack. Commonly used for mitigating Layer 7 DDoS attacks, WAFs filter and block requests based on configurable rules, such as rate limits and signatures of known attack traffic.
Hi Cloud Anti-DDoS solutions
As scary as it sounds, DDoS attacks can be thwarted with the right tools. Partnering with major cloud providers, Hi Cloud can help you plan your anti-DDoS protection with products such as AWS Shield, Azure DDoS Protection, and Google Cloud Armor to meet your specific needs. Contact our cloud security experts and book a free consultation now.