DDoS Security FAQ: Get Expert Answers
A distributed denial-of-service (DDoS) attack is a cyberattack that uses multiple computers or machines to flood a targeted resource. DDoS attacks are intended to overload a server or web application to interrupt services. The incoming traffic flooding the victim comes from many different sources, thus more sophisticated strategies are required to block and protect against a DDoS attack, as simply attempting to block a single source will not work when there are multiple sources. DDoS attacks rely on multiple machines to overwhelm the target with many data packets to shut down service availability and disrupt the customer experience.
The number of enterprises experiencing at least one DDoS attack per year is rising consistently, with recent years showing a serious shift towards governments, financial institutions, and gaming companies. 23,000 DDoS attacks are launched every 24 hours, with 679,000 DDoS attacks occurring monthly, and that results in an average of 16 DDoS attacks every minute. Many organizations are working under a false sense of security, thinking they are protected, not realizing they spend millions for solutions that are configured to cover a fraction of their online services.
Because DDoS attacks are relatively simple to perform, there are many types of DDoS attacks, but they generally fall within two categories – Volumetric and Application Layer attacks. Protecting online services against DDoS attacks requires constant updates and vulnerability scans, and many organizations do not perform them continuously. Quarterly or bi-annual red team tests are the most common forms of DDoS vulnerability tests, and they provide very limited information about the organization’s defenses and blind spots.
As many organizations move their operations to the cloud and rely heavily on online services, DDoS attacks are becoming a bigger threat to their activity. The dynamic nature of cloud environments and the accompanying workflows make it easier for threat actors to bypass protection controls and launch attacks that severely impact an organization’s uptime. On average, 60% of businesses lose over 120,000 USD in downtime. 15% of organizations that suffered DDoS attacks lost well over $1 million, with some losing over $3 billion in market cap.
DDoS attacks usually target Layers 3, 4, and 7 of the OSI model. They affect not only the target organization but also its customers, partners, and other stakeholders. A successful DDoS attack could last hours or even days and in some cases weeks. Due to the rising “popularity” of DDoS attacks with various global threat actors, DDoS attacks have also evolved into ransom attacks, especially against financial institutions and organizations. Perpetrators see the opportunity and launch ransom DDoS attacks that can shut down organizations for substantial periods, and in the past few years, DDoS attacks were used as a cover to divert and distract security teams while other forms of attack were launched to gain access to sensitive data.
The open systems interconnection (OSI) model is a conceptual model created by the International Organization for Standardization which models the diverse communication systems used to communicate using standard protocols.
Layer 3 deals with traffic flow, IP addresses, and routing. Layer 4 covers how end-to-end communication is governed, tracks active network connections, and allows or denies traffic based on the state of the sessions. Layer 7 is the application layer, i.e., web and mail, concerned with the content of the data packets.
A volumetric attack sends a high amount of traffic, or request packets, to a targeted network to overwhelm its bandwidth capabilities. These attacks work to flood the target in the hopes of slowing or stopping its services. Application layer attacks, or layer 7 (L7) DDoS attacks, refer to a type of malicious behavior designed to target the “top” layer in the OSI model where common internet requests such as HTTP GET and HTTP POST occur.
The Hypertext Transfer Protocol (HTTP) is an application layer (layer 7) protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.
HTTPS traffic – Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). Essentially, the HTTP traffic is encrypted using TLS (or SSL).
In networking, a packet is a chunk of data transmitted over computer networks. A packet can be a small segment of a larger message. Data sent over computer networks, such as the Internet, is divided into packets. These packets are then recombined by the computer or device that receives them.
An attack vector is a method an attacker will use to disrupt a network and exploit DDoS vulnerabilities. To increase their probability of success, attackers often use multiple attack vectors simultaneously since that can confuse the defenses and make the attack harder to block. Well-known DDoS attack vectors are SYN flood, UDP flood, TCP flood, DNS amplification, HTTP flood, Smurf attack, and Fraggle attack.
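As an added illustration (not code from this FAQ), the following Python heuristic flags three of the vectors named above from a one-second window of packet summaries: a SYN flood by the ratio of SYNs to completed handshakes, a UDP flood by sheer packet count, and DNS amplification by unsolicited answers from many resolvers. The thresholds, addresses and packet records are assumptions constructed for the demonstration.

```python
"""Heuristics for spotting the DDoS vectors named above in one window of
packet summaries. Added example, not from the FAQ; packets are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    size: int         # bytes on the wire
    flags: str = ""   # TCP flags: "S", "SA", "A"

# Thresholds are assumptions for a roughly one-second window.
SYN_MIN, SYN_ACK_RATIO = 50, 0.2          # many SYNs, few completed handshakes
UDP_MIN, DNS_AMP_BYTES, DNS_AMP_SRCS = 50, 20_000, 10

def classify_window(pkts, victim):
    """Return the sorted list of suspected vectors for traffic sent to `victim`."""
    syn = ack = udp = dns_bytes = 0
    resolvers = set()
    for p in pkts:
        if p.dst != victim:
            continue
        if p.proto == "tcp":
            if p.flags == "S":
                syn += 1
            elif "A" in p.flags:
                ack += 1
        elif p.proto == "udp":
            udp += 1
            if p.sport == 53:             # unsolicited DNS answers: amplification
                dns_bytes += p.size
                resolvers.add(p.src)
    found = []
    if syn >= SYN_MIN and ack < syn * SYN_ACK_RATIO:
        found.append("SYN flood")
    if dns_bytes >= DNS_AMP_BYTES and len(resolvers) >= DNS_AMP_SRCS:
        found.append("DNS amplification")
    elif udp >= UDP_MIN:
        found.append("UDP flood")
    return sorted(found)

VICTIM = "203.0.113.10"

# Constructed: 200 SYNs from 200 spoofed sources, only 3 handshakes complete.
SYN_FLOOD = [Pkt(f"10.0.0.{i % 256}", VICTIM, "tcp", 40000 + i, 443, 60, "S")
             for i in range(200)]
SYN_FLOOD += [Pkt("198.51.100.5", VICTIM, "tcp", 5000 + i, 443, 52, "A")
              for i in range(3)]

# Constructed: 30 open resolvers each returning a 3 KB answer the victim never asked for.
DNS_AMP = [Pkt(f"192.0.2.{i}", VICTIM, "udp", 53, 40000 + i, 3000) for i in range(1, 31)]

# Constructed: ordinary traffic, one TLS handshake and one small DNS reply.
NORMAL = [Pkt("198.51.100.5", VICTIM, "tcp", 5000, 443, 60, "S"),
          Pkt("198.51.100.5", VICTIM, "tcp", 5000, 443, 52, "A"),
          Pkt("192.0.2.1", VICTIM, "udp", 53, 40000, 120)]
```

In practice these counters would be fed from flow records or packet captures at the network edge, and the thresholds tuned to the baseline of the protected service.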
To know more about the top 10 attack vectors, download our eBook.
A botnet is a collection of devices connected via the internet, each running a single bot or series of bots. DDoS attacks are the most common use of botnets, but there is a need to clarify an important issue: everyone is using bots nowadays. Bots have become a legitimate tool for web applications and services, in almost all major fields, from banking to e-commerce, as consumers demand a more personal approach to their online activities, such as being available 24/7 while delivering an exceptional customer experience. But there are many cases of leveraging bots for malicious purposes. In such cases, the “bad bots” will mimic human behavior to wreak havoc in a service or copy information to tarnish reputations and hurt revenue. But botnets are not bots. A botnet is a network of computers infected by malware that is under the control of a single attacking entity, the “bot-herder”.
Threat actors command every machine on their botnet to simultaneously carry out a coordinated attack, in most cases a DDoS attack. A botnet can comprise millions of bots, which enables the perpetrator to launch attacks that were previously impossible with just one machine. Botnets are under the control of a remote perpetrator in a method referred to as Command and Control (C&C), in which each machine receives updates to change its behavior on the fly. With this ability, the “bot-herder” can rent out their botnets to other perpetrators in underground markets and forums. One of the main advantages of a botnet is harnessing the computing power of hundreds or thousands of machines. Because attacks come from so many different devices, the perpetrator’s origin is hidden, making the attacks harder to block or trace.
To know more about the top 5 botnets, download our eBook.
Organizations invest heavily in deploying DDoS protection solutions, but security teams cannot test their protection solution all the time due to maintenance windows that cause downtime, manpower, and many other variables. Because online services are constantly being updated and reconfigured, DDoS vulnerability expands exponentially. Due to these changes, it is critical for organizations to detect and remediate the vulnerabilities before attackers can exploit them.
DDoS protection policies are defined for each IP, or per online service, to ensure that only legitimate traffic can flow to services required by external users. Once a DDoS protection solution has been deployed and initially configured, an organization must define the routine for updates, configuration, and tests, as most production networks and services change constantly. Each change represents a potential new DDoS vulnerability in the DDoS protection configuration, and these changes are very difficult for any network security team to keep up with.
There are more than 150 DDoS attack vectors, and malware can also carry DDoS attack mechanisms. Online services can also be compromised by a trojan that installs a “zombie agent”, turning the host into part of a botnet. Attackers will break in using automated tools that exploit protection layer gaps and enlist connections from remote hosts. Botnets use a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the “zombie agents” that carry out the DDoS attack. Each handler, or “bot herder”, can control thousands of agents. Botnets can be turned against any IP address.
More sophisticated attackers use DDoS tools for the purposes of extortion – including against their business rivals. It has been reported that Internet of Things (IoT) devices have been involved in DDoS attacks, in one case generating over 20,000 requests per second from around 900 CCTV cameras that were part of a “zombie herd” controlled by a botnet.
Rate limiting is a DDoS protection technique employed to stop bad bots from negatively impacting a website or application. Bot attacks that rate limiting can help against include DDoS attacks, but rate limiting is a false-positive prone technique and does not protect against “low and slow” attacks, the most well-known DDoS attack technique.
Ransomware is a piece of malware used to encrypt a company’s data, which then allows the attacker to demand ransom in exchange for access to the encrypted information. In the context of DDoS, DDoS attacks are increasingly used as smokescreens for more nefarious infiltrations of online services, such as ransomware. DDoS attackers are getting more sophisticated; their objective is to cripple a website but sometimes also to distract IT and security staff with a low-bandwidth, sub-saturating DDoS attack.
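To make the rate-limiting caveat above concrete, here is an added Python example (not code from this FAQ) that runs a per-client sliding-window limiter over two constructed traffic patterns: a legitimate browser burst that gets partly blocked (the false positive), and a low-and-slow pattern that stays under the limit on every client while still tying up more connections than the server has. It also shows the kind of complementary check, stale low-throughput connections, that a rate limiter alone cannot make; all client addresses, limits and capacities are assumptions.

```python
"""Per-IP rate limiting versus a low-and-slow attacker.
Added example, not from the original FAQ; all traffic is constructed."""
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def run_limiter(events, limit=20, window=10.0):
    """events: (time, client) tuples. Returns (allowed, blocked) counts."""
    lim = SlidingWindowLimiter(limit, window)
    allowed = blocked = 0
    for t, client in sorted(events):
        if lim.allow(client, t):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked

# Constructed: one real user whose browser fetches 30 page assets in 0.3 s.
LEGIT_BURST = [(0.01 * i, "198.51.100.7") for i in range(30)]

# Constructed: 400 clients, each holding one connection open and sending a
# tiny fragment every 15 s for ten minutes, i.e. one "request" per 15 s.
LOW_AND_SLOW = [(15.0 * k, f"10.0.{c // 256}.{c % 256}")
                for c in range(400) for k in range(40)]

def stale_connection_alarm(conns, now, min_age=30.0, capacity=256):
    """Complementary check the rate limiter cannot make: count connections
    open longer than `min_age` seconds that have carried under 1 KiB.
    conns: (client, opened_at, bytes_received). True if they exceed capacity."""
    stale = [c for c in conns if now - c[1] > min_age and c[2] < 1024]
    return len(stale) > capacity

# Constructed connection tables for the same two scenarios (capacity is 256 workers).
BURST_CONNS = [("198.51.100.7", 0.0, 5000)] * 30          # short-lived, data-rich
SLOW_CONNS = [(f"10.0.{c // 256}.{c % 256}", 0.0, 40) for c in range(400)]
```

With the defaults, the limiter blocks 10 of the 30 legitimate requests and none of the 16,000 low-and-slow ones, while the stale-connection check fires only for the second scenario.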
DDoS extortion attacks should not be confused with ransomware attacks, in which malicious software encrypts an organization’s systems and databases, preventing legitimate owners and users from accessing them until the ransom is paid. It’s important to note that payment of ransom does not guarantee anything.
Scrubbing Center
The scrubbing center is the first line of defense against DDoS attacks. Scrubbing centers inspect and filter suspicious traffic, either within a central location or spread across a distributed network of servers. Scrubbing centers are most efficient against volumetric DDoS attacks at layers 3 and 4, because of their ability to scale and match even some of the largest floods exceeding 10 Tbps. As “data cleansers”, scrubbing centers review the flowing traffic and remove suspicious packets that stray from the defined network guidelines.
Most scrubbing centers use the Border Gateway Protocol (BGP), which protects the entire network against DDoS attackers who target direct IP or DNS names. BGP is a network protocol that is responsible for the propagation of routing information between routers on the internet. In other words, the information carried by BGP is used by routers to correctly transfer packets to their destination.
When it comes to the application layer (layer 7), the traffic is encrypted, and scrubbing centers’ ability to effectively mitigate malicious application layer traffic is dependent on whether they have the relevant decryption keys – i.e., “SSL Visibility”.
Firewall
Firewalls are an essential part of the protection layers. They stop unwanted traffic based on criteria defined in security policies, for example destinations, ports, and sources. But firewalls cannot detect malicious traffic that originates from trusted ports like HTTP/S or IMAP. Not easily, anyway. In addition, web application firewalls, known as WAFs, don’t inspect traffic that isn’t web-based. Since many DDoS attacks use multiple devices and IP types, WAFs can’t see the majority of DDoS attack traffic.
Firewalls and WAFs are vulnerable targets that contribute to network outages or failures. WAFs are being used in multiple organizations as part of a DDoS protection layer due to their bot detection capacities, but WAFs are not designed to protect against DDoS attacks. When under a DDoS attack, such as a SYN flood, for example, both the firewalls and the WAFs can cause online services to be unavailable, resulting in severe loss of traffic and business.
CDN
Content Delivery Networks (CDNs) distribute content, placing it as close to the end user as possible to improve performance. CDNs should handle big surges, as sometimes a surge of traffic is expected and normal, for example when testing the system, or a well-deserved surge in the organization’s popularity. And yes, a huge surge in traffic could also be a DDoS attack, and on a surface level, a CDN should be able to handle that. But CDNs can provide just a part of the solution.
DDoS attacks are not limited to web applications alone but can also target resources and the system itself. An organization cannot rely on CDNs alone, or even CDNs and WAFs. This is because CDN DDoS protection is based on DNS diversion, which can also be referred to as DNS routing. Threat actors can reach and target an organization’s true IP address. In that case, they “bypass” the CDN, and the CDN is useless. CDNs and WAFs are a common combination that is sometimes referred to as “enhancement in protection”, but in fact, even this combination still leaves an organization with a wide dynamic attack surface and exposed to DDoS attacks, and with.
CPE
Customer Premises Equipment (CPE) devices are generally located at the very edge of the organization’s security posture, after the router but before the internal network infrastructure – firewalls, load balancers, etc. Many CPE devices deliver in-depth traffic analysis, bandwidth monitoring, and performance reports, allowing for better network traffic planning and DDoS attack analysis.
In addition, post-attack reports may provide important points and action items for the systems to be fine-tuned for future attacks. But CPE equipment without a scrubbing center will not protect against large volumetric attacks, even if the CPE is well configured. CPEs require manual fine-tuning as well as ongoing costs related to infrastructure management.
Load balancer
Load balancers receive traffic from many clients and distribute that traffic evenly between multiple application servers of the same type. Essentially, a load balancer is “the middleman”. Clients connect to it on one end, and the load balancer creates a connection to one of the application servers on behalf of the client. In this way, the load balancer must keep track of every connection’s state. Like many other stateful devices, the load balancer is vulnerable to saturation DDoS attacks like HTTP attacks and SYN floods, because stateful devices tend to belong to the “plug and play” category. These devices are simple to set up and once running, they are rarely updated or reconfigured according to security needs. A load balancer can help offset DDoS attacks by distributing malicious traffic between the application servers, but it will not be enough to stop services from being disrupted.
A denial-of-service (DoS) attack floods a server with traffic, making a website or resource unavailable. The attack comes from one source. In a DoS attack, the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
In 1996, Panix, one of the first ISPs in the world, was subject to a DoS attack, which brought down its services for several days while hardware vendors figured out a proper defense. This was the first recorded DoS attack, and ever since then, DoS and especially DDoS attacks have become the most popular cyberattack among threat actors. DoS attacks are characterized by an explicit attempt by attackers to prevent legitimate use of a service. There are two general forms of DoS attacks: those that crash services, which are very rare nowadays, and those that flood services. Perpetrators rarely use DoS attacks anymore since they are fairly easy to mitigate.
The key difference between DoS and DDoS attacks is that DDoS uses multiple internet connections to put the victim’s network offline, whereas DoS uses a single connection. DDoS attacks are more difficult to detect and mitigate because they are launched from multiple locations, so the victim can’t tell the origin of the attack. Another key difference is the volume of attack leveraged, as DDoS attacks allow the attacker to send massive volumes of traffic to the target network. In addition, DDoS attacks are executed differently from DoS attacks, using botnets or networks of devices under the control of an attacker. DoS attacks are generally launched with a script or a DoS tool.