A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, online service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic.
DDoS attacks achieve their effect by using multiple compromised computer systems as sources of attack traffic. These machines can be ordinary computers, but also other networked resources such as Internet of Things (IoT) devices. A DDoS attack can be compared to a traffic jam that clogs a highway, so that regular traffic can no longer reach its destination.
How does a distributed denial-of-service attack work?
To carry out a DDoS attack, an attacker must first gain control over a network of online machines. Computers and other devices (such as IoT devices) are infected with malware that turns each of them into a bot (also known as a “zombie”). The attacker then has remote control over this group of bots, collectively referred to as a botnet.
Once a botnet is set up, the attacker can remotely monitor the machines and send instructions to each individual bot. When a victim’s IP address is given to the botnet as a target, each bot responds by sending requests to that address, pushing the target’s server or network beyond its capacity. The result is a denial of service for the normal traffic the server would otherwise handle. Because each bot appears to be a legitimate internet device, it can be difficult to separate attack traffic from normal traffic. Fortunately, there are advanced DDoS mitigation solutions that can detect these types of bots.
What are common DDoS attacks?
Although every type of DDoS attack relies on sending an overwhelming amount of traffic to the target device or network, DDoS attacks fall into three categories. An attacker can use one or more attack vectors at once, or cycle between attack vectors in response to the countermeasures taken by the target.
The three DDoS categories are:
- Application Layer Attacks
- Protocol Attacks
- Volumetric Attacks
1. Application Layer Attacks
The Application Layer Attack is sometimes referred to as a layer 7 DDoS attack, after layer 7 of the OSI model. The goal of this type of DDoS attack is to exhaust the target’s resources. The attacks often target the layer where webpages are generated on the server and delivered in response to HTTP requests.
A single HTTP request is cheap to issue on the client side but can be expensive for the target server to answer, because the server often has to load multiple files and run database queries to render a webpage. Layer 7 attacks are difficult to defend against because it is hard to analyze the traffic and flag requests as malicious where necessary.
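As an added example (not code from the original article), the following sliding-window request-rate check over access-log lines shows one way a defender can pick out a single source issuing cheap requests at a rate no normal client would, which is the difficulty described above for separating bot traffic from legitimate traffic. The log lines, IP addresses, paths and timestamps are constructed for the illustration, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format, e.g.
# 198.51.100.7 - - [10/Oct/2023:13:55:00 +0000] "GET /search?q=x HTTP/1.1" 200 5120
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, ip, path) for one access-log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("ip"), m.group("path").split("?")[0]


def flag_sources(lines, window_seconds=10, max_requests=20):
    """Per-source sliding-window rate check (threshold values are assumptions).

    Returns {ip: peak requests seen within any window_seconds} for every source
    whose rate exceeded max_requests at least once. Events are sorted by time
    first so out-of-order log writes do not break the window arithmetic.
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    span = timedelta(seconds=window_seconds)
    for ts, ip, _path in events:
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] > span:  # drop timestamps that fell out of the window
            dq.popleft()
        if len(dq) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(dq))
    return peaks


def constructed_log():
    """Constructed sample: two normal clients plus one flooding source (all fake IPs)."""
    base = datetime.strptime("10/Oct/2023:13:55:00 +0000", TS_FMT)

    def line(ip, offset, path):
        stamp = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120'

    lines = [line("203.0.113.5", s, "/index.html") for s in (0, 4, 9)]
    lines += [line("203.0.113.9", s, "/about.html") for s in (1, 6)]
    # 30 search requests in 6 seconds from one address: cheap to send, costly to serve
    lines += [line("198.51.100.7", s // 5, "/search?q=x") for s in range(30)]
    return lines
```

In production the same check would run on a stream rather than a list, and the threshold would be tuned per endpoint, since a search page that runs database queries tolerates far fewer requests per second than a static asset.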
2. Protocol Attacks
Protocol attacks, also known as state-exhaustion attacks, disrupt service by consuming all of the available state table capacity of web application servers, or the resources of intermediate devices such as firewalls and load balancers. Protocol attacks exploit weaknesses in layers 3 and 4 of the protocol stack to make the target inaccessible.
3. Volumetric Attacks
A volumetric attack attempts to create congestion by consuming all of the available bandwidth between the target and the wider internet. Large amounts of data are sent to the target, either through some form of amplification or by other means of generating massive traffic, such as requests from a botnet.