Defending Against DDoS: Understanding Common Attacks and Effective Countermeasures
A Distributed Denial of Service (DDoS) attack aims to render a website inaccessible by inundating it with requests for information. This frequently leads to website crashes and the unavailability of online services. Overloading a target system with malicious traffic seems like a straightforward yet highly effective method for incapacitating it. However, the prevalence and actual impact of DDoS attacks warrant examination.
In the first half of 2023, malevolent actors instigated approximately 7.9 million DDoS attacks, marking a 31% year-over-year surge. The escalation in DDoS incidents is linked to global occurrences such as the Russia-Ukraine conflict and NATO bids. Notably, pro-Russian hacktivists targeted Finland in 2022 during its pursuit of NATO membership. Furthermore, DDoS attacks were launched against Turkey and Hungary due to their opposition to Finland's NATO aspirations.
Sweden also encountered a similar attack in connection to its NATO bid, culminating in a DDoS attack of five hundred Gbps in May. Collectively, DDoS attacks driven by ideological motives have been directed at several countries, including the United States, Ukraine, Russia, and various others.
Attackers have also targeted some of the biggest corporations. Google and Amazon reported successfully repelling the most extensive DDoS attack globally. However, they caution internet users that unless cybersecurity measures are enhanced, these types of attacks have the potential to cause widespread disruption.
According to Google, the attack commenced in August and surpassed the magnitude of the previous largest attack by 7.5 times, reaching a peak of 398 million requests per second on its site.
The motivation behind DDoS attacks
Seeking financial gain or economic advantage is a prevalent motive behind DDoS attacks. Notably, research firm Forrester notes a rising trend of targeting e-commerce sites and banks, particularly during holiday seasons. Extortion or blackmail is another common incentive, with attackers wielding the threat of sustained DDoS traffic as a financial weapon. In such instances, attackers demand Bitcoin via email in exchange for halting the overwhelming traffic.
Additionally, revenge is a motivation for DDoS attacks directed at organizations and individuals. Community colleges, law enforcement entities, courts, non-profit organizations, and journalists have all fallen victim to this form of retaliation. Typically, the disgruntled individuals orchestrating the attacks aim to cause harm in response to perceived grievances.
Furthermore, driven by ideological beliefs, hacktivists find motivation to target political entities due to their convictions against government or state policies. This ideological motivation has emerged as a significant factor behind numerous DDoS attacks, where independent "hacktivists" employ DDoS tactics to disrupt and cause outages on government websites. In an illustrative incident from January 2019, a hacktivist group named Anonymous orchestrated a DDoS attack on Zimbabwean government-related websites as a protest against internet censorship.
An intellectual challenge is also a motivation for attackers who engage in DDoS activities to highlight their technical skills. Some attackers target websites with DDoS attacks to demonstrate their proficiency and prowess. The availability of DDoS tools and services on the Dark Web further facilitates attackers in deploying and experimenting with cutting-edge technologies, including automation and botnets, against their chosen targets.
Engaging in cyberwarfare for political and military advantages is a practice primarily attributed to nation-states. This form of warfare is strategically crafted to impose economic or physical consequences on targeted entities. Typically orchestrated by well-trained and organized groups affiliated with government militaries or terrorist organizations, cyberwarfare employs sophisticated strategies and tactics. Numerous governments globally have allocated substantial resources and time to execute cyberattacks aimed at disrupting the critical infrastructure of their adversaries.
Types of DDoS Attacks
1. Volumetric Attacks Aimed at Overwhelming Network Infrastructure
Volumetric attacks, including UDP floods, ICMP floods, and DNS amplification, aim to inundate a target with a colossal volume of traffic. The flood overloads the target's network infrastructure, causing network-wide disruptions. UDP floods exploit the stateless nature of UDP, while ICMP floods create network congestion through an excess of ping requests. DNS amplification, by contrast, leverages insecure DNS servers to generate overwhelming response traffic toward the target. The impact of these attacks includes degraded network performance, service unavailability, and increased operational costs for organizations managing the surge in traffic.
2. Protocol Attacks that Exploit Communication Protocols
Protocol attacks, such as SYN/ACK floods and HTTP floods, target specific communication protocols to disrupt normal operations. SYN/ACK floods overwhelm the target with connection requests, exploiting the TCP handshake process and causing service disruption. HTTP floods inundate web servers with a high volume of requests, impeding their ability to respond to legitimate users. Consequently, these attacks result in increased latency, server crashes, and potential data breaches while security resources are diverted to the outage.
3. Application Layer Attacks that Target Vulnerabilities
Application layer attacks, such as HTTP/S DDoS and Slowloris, exploit vulnerabilities in the application layer. HTTP/S DDoS overloads web servers with legitimate requests, hindering the differentiation between malicious and genuine traffic. On the other hand, Slowloris opens multiple connections to a target web server, gradually exhausting server resources. Application layer attacks cause disrupted user access, degraded web application performance, and potential financial losses for businesses relying on web services.
4. Reflective/Amplification Attacks that Exploit Third-Party Services
Reflective/amplification attacks, like DNS reflection, NTP amplification, and SSDP amplification, exploit third-party services to amplify attack traffic. DNS reflection uses open DNS servers to amplify traffic, causing increased congestion. Similarly, NTP and SSDP amplification leverage vulnerable servers to magnify the scale of the assault. These attacks result in significant bandwidth consumption, rendering legitimate services inaccessible and impacting the target's overall network performance.
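The DNS, NTP and SSDP amplification attacks described in sections 1 and 4 share one detectable signature from the victim's side: large volumes of UDP responses arrive from reflector service ports without any matching requests having been sent. The following script, added here as an illustration and not code from the original article or from Pulsar Security, applies that heuristic to constructed flow records. The record format, the 10.0.0.0/24 protected prefix, the byte threshold and the ratio threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from typing import NamedTuple

# UDP service ports the article names as amplification reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int

def parse_flow(line: str) -> Flow:
    # Constructed record format: "SRC_IP:SRC_PORT -> DST_IP:DST_PORT PROTO BYTES"
    src, _arrow, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto.upper(), int(nbytes))

def detect_reflection(flows, protected_prefix="10.0.0.", min_inbound=1000, ratio_threshold=10.0):
    """Return {(victim_ip, service): stats} for hosts receiving far more
    reflector-port response bytes than they sent request bytes to that service."""
    inbound = defaultdict(int)     # (host, service) -> bytes received from reflector port
    outbound = defaultdict(int)    # (host, service) -> bytes sent to reflector port
    reflectors = defaultdict(set)  # (host, service) -> distinct reflector source IPs
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dst_ip.startswith(protected_prefix) and f.src_port in REFLECTOR_PORTS:
            key = (f.dst_ip, REFLECTOR_PORTS[f.src_port])
            inbound[key] += f.nbytes
            reflectors[key].add(f.src_ip)
        elif f.src_ip.startswith(protected_prefix) and f.dst_port in REFLECTOR_PORTS:
            outbound[(f.src_ip, REFLECTOR_PORTS[f.dst_port])] += f.nbytes
    alerts = {}
    for key, in_bytes in inbound.items():
        ratio = in_bytes / max(outbound.get(key, 0), 1)  # unsolicited responses give a huge ratio
        if in_bytes >= min_inbound and ratio >= ratio_threshold:
            alerts[key] = {"inbound_bytes": in_bytes, "ratio": ratio, "reflectors": len(reflectors[key])}
    return alerts

# Constructed sample: one legitimate resolver exchange, then unsolicited NTP
# responses from four reflectors aimed at 10.0.0.9 with no outbound NTP queries.
SAMPLE_FLOWS = [
    "10.0.0.5:40321 -> 192.0.2.53:53 UDP 72",
    "192.0.2.53:53 -> 10.0.0.5:40321 UDP 210",
    "198.51.100.11:123 -> 10.0.0.9:80 UDP 482",
    "198.51.100.12:123 -> 10.0.0.9:80 UDP 482",
    "198.51.100.13:123 -> 10.0.0.9:80 UDP 482",
    "203.0.113.7:123 -> 10.0.0.9:80 UDP 482",
]

def analyze(lines):
    return detect_reflection([parse_flow(l) for l in lines])

if __name__ == "__main__":
    for (host, svc), stats in analyze(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: {svc} reflection, {stats['inbound_bytes']} B from {stats['reflectors']} reflectors")
```

On real NetFlow/IPFIX exports the same ratio check, applied per time window, separates a host's own resolver and NTP traffic from reflected floods without inspecting payloads.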
5. Resource Depletion Attacks
Resource depletion attacks, including Ping of Death and Slow Read/Slowloris, exploit vulnerabilities in network protocols and web servers. Ping of Death sends oversized or malformed packets, causing system crashes or unresponsiveness. Slow Read/Slowloris sends HTTP headers gradually, holding connections open to exhaust web server resources. The impacts of resource depletion attacks include system crashes, prolonged service downtime, and potential data loss, exposing weaknesses in how the targeted systems handle and process incoming data.
Protecting your organization
Undoubtedly, every wireless network faces the risk of encountering DDoS attacks, whether intentional or accidental. Consequently, any company utilizing a Wi-Fi network for critical business applications must be ready to address potential interference.
While monitoring signal strength is a starting point, it falls short of pinpointing a device's exact location. Hence, there is a pressing need for enhanced capabilities to identify the traffic patterns indicative of a DDoS attack.
In cases where eliminating the culprit causing the DoS attacks proves challenging, strategic measures are taken. This may involve reconfiguring Access Points (APs) to use different Service Set Identifiers (SSIDs), implementing robust authentication methods, and selecting less congested channels. Ideally, network controllers and APs are configured to automate mitigation controls upon detecting interference. This comprehensive approach enhances the resilience of the wireless network against potential disruptions.
The way forward - getting expert assistance
Are you looking to level up or get started? Pulsar Security can help. You can contact us today to learn more about our security solutions to enhance the protection of your organization.
Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.