How to protect yourself from a DDOS attack or Distributed Denial-of-Service attack?

In 2020, Neustar published a report, Cyber Threats & Trends Report, which states that Denial-of-service (DDoS) attacks have increased by 151% in 2020 compared to 2019. DDoS attacks are considered one of the main cybersecurity issues.

The attacks become more and more organized and intelligent. Experts say that, with network development, crime is surely expected to continue to grow in 2021 and businesses will have to invest more in digital security to fend off DDoS attacks.

Élodie Huet

An article from

Élodie Huet
Cyber Security and Risk Management Consultant
Published
March 27, 2023
Updated
March 27, 2023
Reading time
minutes
ddos attack - C-Risk

What is a DDoS cyber attack?

Due to the coronavirus pandemic, internet usage has increased significantly. With longer screen time, cybercriminals have amplified the volume of their assaults. To establish efficient cybersecurity strategies, you need to know how to identify those cyber attacks.

Definition of a DDoS attack

A DDoS attack is defined as a cyber attack by “Distributed Denial-of-Service".

A DDoS is an attempt to disrupt the online traffic of a server, a service or a given network by overwhelming it with a huge amount of traffic from multiple sources, which will eventually limit or disable the functions of the network.

According to the National Cyber Security Center, DDoS attacks are one of the criminals' favourite tools these days. These types of attacks are normally cheap, easy to get hands-on on the marketplace and effective.

How a DDoS attack works and who is targeted?

To carry out a DDoS cyber attack, hackers rely on a network of online machines. These can be computers, servers, or IoT (Internet of Things) devices. The hacker infects all of these computing devices with malicious software: "malware".

These machines become what we call "bots", or "zombies". The hacker controls them remotely as a single group, or "botnet". All they have to do is give this botnet a target IP address and all the machines will execute the attack by sending out tens of thousands of internet requests.

The targeted site or server will not be able to convert all the amount of traffic, and that is what is the so-called "denial of service". The DDoS attack succeeds when the online service is unstable or unavailable.

E-commerce sites and online casinos are prime targets for this cyber threat. One of the most famous DDoS attacks dates back to February 2000. The attack led by the cyber hacker Mafiaboy, or Michael Calce, affected the online platforms of Amazon, eBay, E-Trade, and ZDNet.

Transform how you model, measure, and manage cyber risk.

Don't wait for the inevitable cyber incident. Build a resilient, risk-based cybersecurity program with CRQ.

What form can a DDoS attack take?

There are different types of DDoS attacks. The damage of the attack will depend on what layer of OSI (Open Systems Interconnection) is targeted.

The OSI includes 7 layers, some dedicated to applications, others to communication. These network connection layers are the breeding ground for various DDoS attacks, which must be mastered to establish a reliable cyber risk map.

There are 3 main types of DDoS attacks.

Application Layer DDoS Attack:

Attacks targeting the application layers of the server are often referred to as "Layer 7 DDoS attacks". These include cyber attacks targeting vulnerabilities within applications.

These slow-and-low attacks are HTTP GET or POST requests, where HTTP floods in the form of a botnet will saturate the target server's bandwidth capabilities and damage it.

It is particularly difficult to mitigate because the victim has difficulty differentiating between malicious and normal traffic.

Protocol DDoS Attack

Among the best-known protocol attacks are the SYN flood, Smurf DDoS and Ping Flood. These kinds of attacks will exploit the vulnerabilities of actual server resources, such as firewalls and load balancers.

These cyber attacks, also known as "connection table exhaustion attacks", target layers 3 and 4 of the OSI model. They are based on the so-called "communication" layers, which allow computers to connect to each other in a network.

SYN flood

To understand the SYN Flood attack, you have to keep in mind that in order to connect to a network, two computers exploit TCP negotiation. This process is known as a three-way handshake.

In an SYN flood, the attacking computer sends numerous "initial connection requests". This causes the victim machine to respond to all these connection requests via SYN/ACK packets. Since the initiated connection is never finalized, the server will be overloaded.

This heavy TCP negotiation process exhausts the network's resources, until damaging or shutting down the system. In that way, SYN flood exploits weaknesses in TCP connection.

Ping flood

Ping flood is an attempt to overwhelm the target with Internet Control Message Protocol (ICMP) echo-request packets that consist of both incoming and outgoing messages.

The low ability to respond to the high amount of requests on the device also called ping traffic, causes a disruption to the normal traffic.

Smurf DDoS

A Smurf DDoS attack is a similar attempt as the Ping flood. The difference is that a Smurf attack is a DNS amplification, exploiting the vulnerabilities in the Internet Protocol (IP) and ICMP, which can result in more damage.

Volume Based DDoS Attack

The most common of the 3 types of DDoS attacks are volume-based attacks. The goal is to utilize as many computers and internet connections to saturate the bandwidth and to flood a website with traffic. A common example is a UDP flood.

In the case of the UDP flood, the hackers use the UDP (User Datagram Protocol) connection protocol. This allows data to be transferred from one machine to another without negotiating a connection, which is the opposite of TCP transmission. The victim of this attack receives a large number of UDP packets, whose origin it cannot identify. It then sends "destination unreachable" messages by the hundreds, which overloads its resources and ultimately blocks its system.

In reality, the hackers use more advanced systems today, something that is called mixed/blended/multi-vector attacks. For example, a cyberattack can start with a volume-based attack followed by an application-layer DDoS, just to distract the victim from the “real” attack. These hacking techniques are more complex and frequent and can be very dangerous without a proper defense system.

DDoS cyberattacks control a remote botnet

How to protect yourself from Distributed Denial-of-Service attacks?

To ensure the protection of your network against the various types of DDoS attacks, you must be able to identify the signs that characterize them. You also need to know what are the effective measures to reduce the impact.

There are several classic symptoms of a DDoS attack. The challenge is to distinguish a legitimate traffic spike from an abnormal network slowness. IT departments should therefore rely on their traffic analysis to identify the worrying signs:

● unusual traffic patterns;

● flows of traffic from a single IP address or range of IP addresses;

● a spike in requests to a single web page;

● unexplained traffic from machines with identical behaviors, possibly running on the same type of browsers.

We talk more about mitigating a DDoS attack rather than removing it, as it is still difficult to distinguish legitimate traffic from hacked traffic. It is therefore in the best interest of an organization that is a victim of a DDoS attack to refer to a business continuity plan (BCP). The challenge is to continue to process legitimate traffic while stopping the traffic created by the hackers.

The other major challenge in stopping a DDoS attack is its complexity. Some hackers do not hesitate to carry out a "multi-vector" attack. This combines different categories of DDoS attacks and targets several layers of the OSI model. Mitigating a multi-vector DDoS attack, therefore, requires the intersection of various techniques: multi-layer strategies.

So, let's look into how to protect yourself from DDoS attacks.

The Web Application Firewall or WAF

A web application firewall (WAF) is defined as a tool that filters requests that are supposed to destabilize layer 7 of a network connection.

It acts as a reverse proxy, preventing hackers from targeting your IP addresses. This firewall relies on rules that identify DDoS, to protect a given server from illegitimate traffic.

The firewalls and routers are the basic protections that should always be configured and updated.

Request rate limits

To protect from DDoS attacks, server owners can also choose to limit the rate of requests they accept during certain periods.

This strategy is not sufficient to stop multi-vector DDoS attacks. However, it does have the merit of mitigating their impact and preventing joint cyberattacks, such as data theft.

The logical consequence of limiting the request rate is to limit server performance. A lack of efficiency hardly meets the needs of online businesses, whose productivity is synonymous with revenue. Moreover, this strategy does not completely prevent the risk of server overload.

To get around this problem, many companies provide an alternate website to which legitimate traffic is redirected in case of an attack.

Delaying traffic on an Anycast network

Most anti-DDoS cybersecurity professionals offer their customers the use of an Anycast network. This is also referred to as a "vacuum" tool.

This is a network of free servers to mop up malicious traffic and free up the expression of legitimate traffic. It often relies on different data centers, distributed in several locations. Indeed, the larger the Anycast network, the faster the DDoS attack is mitigated.

DDoS suction tool relieves server traffic

The last resort: the black hole

Faced with a DDoS attack, the victim network can choose to send all the website traffic into a black hole.

This system hardly makes the difference between legitimate and malicious network traffic. This is why this technique akin to self-sabotage.

Checklist: 10 tips on how to avoid DDoS attacks

DDoS attacks are not easy to deal with and can be very problematic when they occur. It is often more useful to invest in a security system beforehand than trying to mitigate a DDoS attack.

  1. Monitor your traffic: Use different tools to know and understand your traffic, patterns, and characteristics to identify unusual activities more easily.
  2. Secure your network: Protect yourself with the help of your security team and their risk assessment guidelines. Use firewalls, VPNs, anti-spam software, cloud-based solutions etc.
  3. Have a defensive plan B in place: Be quick and ready to rapidly restore core data and business-critical services in the event of a DDoS attack. Avoid long-chain approval solutions during the attack, you do not have time for that.
  4. Implement cybersecurity in business continuity, disaster recovery, and emergency response planning: Take DDoS attacks seriously. Be proactive - create run books and carry out exercises for your organization to improve readiness.
  5. Maintain strong network architecture: Servers should be located in different places geographically. Spread-out resources are more difficult for hackers to target.
  6. Practice good cyber hygiene: Start from the beginning. Foster a security-oriented corporate culture. Make sure that the different departments follow cybersecurity practices.
  7. Use AI and human mitigation: Attackers evolve, use different types of mitigation to have a more sophisticated defense for your organization.
  8. Zero Trust security model: Consider a Zero Trust framework to ensure that only authorized users have access to critical applications and services.
  9. Be up-to-date: Work proactively with your upstream service providers; evaluate DDoS risks; update your services and always be ready.
  10. Test, test, test: Test your programs, analyze them and identify vulnerabilities to keep the security updated.

FAQ : DDoS

What is a DDoS attack?

A DDoS attack is defined as a “Distributed Denial-of-Service" attack. It aims at rendering a service, a server or an online platform inaccessible. This type of cyber attack consists in saturating the bandwidth of the victim server, or exhausting its system resources to make it unable to handle legitimate traffic.

What is the main objective of a DDoS attack?

The sole purpose of DDoS is to prevent legitimate traffic from reaching a victim server. The DDoS attack does not enable hackers to take over the target server or steal data from it, although these objectives may characterize joint cyber attacks.

How is a DDoS attack triggered?

Most of the time, a DDoS attack is characterized primarily by an abnormal increase in traffic on a network or server. The victim system will be overloaded with requests of various kinds, depending on the type of DDoS attack.

In this article
Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.