DDoS Attacks - What are your protection options?

On Oct. 21, 2016, internet users across the U.S. noticed many major websites and web-connected applications were suddenly unavailable. Spotify, Reddit, Twitter, and GitHub – to name just a few – wouldn't load for hours that day. All of them shared a domain name service (DNS) provider that had become the target of a massive distributed denial-of-service (DDoS) attack.

Normally, that provider's DNS service would function like a phonebook or a contacts list, i.e., as the go-to resource for discovering how to connect to a specific party – in this case, websites. Proper DNS ensures each web address you enter (like airbnb.com) resolves into a corresponding IP address that reaches the right web servers.

However, under the pressure of the DDoS attack the underlying lookup process broke, as meaningless traffic overwhelmed the DNS provider's ability to process any requests. The DDoS attack type in this incident is known as a DNS flood, which, true to its name, inundates its target and causes widespread damage.

The DNS flood isn't the only type of DDoS attack, but it paints a representative picture of how these campaigns work in general and why they're so challenging even for experienced firms to mitigate. DDoS attacks thrive on the asymmetry between attacker and target; the latter must devote considerable resources to counteract what the former can do with so little.

Let's dive deeper to look at the origins of DDoS attacks and the common forms they take, so you can plan mitigation solutions and other protection services.

The roots and branches of DDoS: What you should know about these massive attacks

The first DDoS attacks were small-scale. They exploited flaws in pioneering web services like Internet Relay Chat to disrupt access for multiple users. Since that time, they've become much larger in scale by harnessing powerful infrastructure such as botnets. A typical modern DDoS attack might use literally thousands of bot-driven endpoints to jam its target with junk requests.

While DDoS attacks uniformly cause disruption, there's considerable variation in how they actually work, with three main differentiating criteria: the Open Systems Interconnection (OSI) model layers targeted, the web protocols and services they exploit (i.e., their attack vectors) and the motivations of their perpetrators.

OSI layers

Typically, DDoS attacks target the network, transport and/or application layers, also known as Layers 3, 4 and 7, respectively, in the OSI hierarchy. A lower-layer attack interferes with the network's basic resources for processing traffic, while an application-layer attack disrupts the higher-level web servers, protocols (like HTTP) and application programming interfaces (APIs) that handle requests from clients.

Application layer attacks are the fastest growing type of DDoS. A 2017 Imperva report found they increased 23 percent, in terms of the number of weekly attacks, from Q4 2016 to Q1 2017. The growth of Layer 7 DDoS speaks to its efficacy. Sometimes, an action as simple as channeling a botnet toward an API can render the target unavailable. Application layer DDoS often creates havoc for both web servers and network resources.

Attack vectors

The attack's layer will influence the protocols and services it goes after. Many DDoS attacks are multi-vector, meaning they target a combination of applications and network resources to cause maximum chaos. Some of the major attack vectors of modern DDoS include:

  • Network bandwidth and resources: DDoS campaigns in this bucket often exploit the UDP and ICMP protocols below the application layer. The goal is to saturate the target's bandwidth with a high volume of meaningless requests that the network eventually can't handle.
  • Public servers: DNS amplification is a classic example. Attackers turn small requests to DNS servers into huge UDP response packets that then overwhelm the target with traffic. Botnets help scale these attacks and obscure the identities of the orchestrators. NTP attacks, directed at public time-keeping servers, also fit into this group.
  • Web protocols: HTTP GET and HTTP POST requests are now common entry points for DDoS attacks targeting applications and web servers. Attacks in this mold send what seem to be legitimate HTTP requests, forcing servers to allocate considerable resources to each one until their capacity is exhausted.

This is just a small sampling of specific DDoS vectors and techniques. Others include low-and-slow attacks that avoid calling attention to their exploitation of HTTP and zero-day DDoS campaigns that use novel approaches.
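As an added illustration of the two vectors above (DNS amplification against public servers and HTTP floods against web protocols), not code from the original post, here is detection logic of the kind a network team or a WAF rate-limit rule applies. The flow records and access-log lines are constructed samples; the thresholds, function names and IP addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed flow records (src, dst, proto, sport, dport, bytes); not captured traffic.
# Three open resolvers answer 203.0.113.5 with large responses it never queried for.
FLOWS = [
    ("198.51.100.10", "203.0.113.5", "udp", 53, 4000, 3200),
    ("198.51.100.11", "203.0.113.5", "udp", 53, 4000, 3100),
    ("198.51.100.12", "203.0.113.5", "udp", 53, 4000, 3300),
    ("203.0.113.5", "198.51.100.10", "udp", 4000, 53, 60),    # its only real query
    ("203.0.113.9", "198.51.100.10", "udp", 5100, 53, 64),    # ordinary client
    ("198.51.100.10", "203.0.113.9", "udp", 53, 5100, 180),   # ordinary answer
]

def dns_reflection_suspects(flows, min_resolvers=3, min_ratio=10.0):
    """Hosts receiving DNS answers from many resolvers while sending few queries:
    {victim: (resolver_count, inbound_answer_bytes / outbound_query_bytes)}."""
    answers = defaultdict(lambda: [0, set()])  # dst -> [bytes in, resolver set]
    queries = defaultdict(int)                 # src -> query bytes sent
    for src, dst, proto, sport, dport, size in flows:
        if proto == "udp" and sport == 53:
            answers[dst][0] += size
            answers[dst][1].add(src)
        elif proto == "udp" and dport == 53:
            queries[src] += size
    return {h: (len(r), round(b / max(queries[h], 1), 1))
            for h, (b, r) in answers.items()
            if len(r) >= min_resolvers and b / max(queries[h], 1) >= min_ratio}

# Constructed, time-ordered access-log lines: "<seconds> <client> <method> <path>".
ACCESS_LOG = """\
0 192.0.2.7 GET /api/search
1 192.0.2.7 GET /api/search
1 192.0.2.20 GET /
2 192.0.2.7 POST /api/search
2 192.0.2.7 GET /api/search
3 192.0.2.7 GET /api/search
4 192.0.2.7 GET /api/search""".splitlines()

def http_flood_sources(lines, window=10, threshold=5):
    """Clients whose request count within any `window` seconds exceeds `threshold`,
    the same sliding-window count a WAF rate-limit rule applies: {client: peak}."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        fields = line.split()
        ts, client = int(fields[0]), fields[1]
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:          # drop requests older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n > threshold}
```

The reflection check keys on the asymmetry the post describes: a victim sees large answers from many resolvers it never queried, so the byte ratio is far above what a genuine client produces.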

Motivations

A successful DDoS attack is embarrassing for the target, which has to deal with the effects of its site being unavailable. The reasons for launching a DDoS attack and achieving this effect vary from extortion to hacktivism.

One motivation that organizations should definitely be aware of is smokescreening. This term refers to the use of DDoS as a distraction from another cyberattack. While IT diverts its attention to getting the site back online, attackers may be exploiting unattended vulnerabilities across the network to steal sensitive data.

A look at mitigation through DDoS protection solutions

Fending off DDoS attacks requires a multi-pronged approach. The optimal recourse will depend on the attack type. For example, a web application firewall is useful against HTTP floods, as are captchas and computational challenges against some bot-initiated attacks.

A DDoS-protected core for managed and hosted services also lowers the risk of debilitating attacks. Telesystem includes DDoS protection solutions in its network infrastructure, providing a front line of defense against the bots, botnets and malicious traffic that drive today's DDoS campaigns. Built on industry-leading threat intelligence, the Telesystem core delivers proactive defense at no extra charge to customers.

Ultimately, staying ahead of DDoS attacks requires eliminating the vast disparity we mentioned earlier, between the ease of initiating an attack and the difficulty of responding to one. Partnering with an experienced provider of hosted and managed network services is the first critical step in getting on to a level playing field with DDoS cyber attackers. Learn more by visiting our security page or contacting our team.