Introduction to DDoS Attacks
DDoS attacks have increased in frequency and sophistication, causing serious business damage because customers cannot tolerate downtime and expect companies to stay "always-on". A distributed denial of service (DDoS) attack is one in which an attacker floods or manipulates online traffic to break down the target's infrastructure, making it impossible for users to access the service.
DDoS attackers remotely control groups of compromised devices, known as botnets, to launch attacks. A botnet may include personal computers, mobile phones, and internet-connected smart devices that have been infected with malicious software.
How a Botnet Attack Works
DDoS attacks are grouped into three broad categories:
Volumetric attacks, commonly known as floods, overwhelm the target's network bandwidth by sending a large volume of requests until the traffic pipeline is saturated and genuine users face service unavailability. In such events, incoming traffic jumps to gigabit or even terabit levels above the regular traffic. Attackers use hijacked devices, spoofed IP addresses, and amplification techniques to create the flood of network traffic.
Protocol attacks target the communication protocols themselves. An internet protocol is a set of rules that computing devices follow to communicate with one another. Attackers exploit weaknesses in these protocols to overwhelm core network components, such as routers, firewalls, and load balancers, that forward requests to the target network. Protocol attacks operate at Layer 3 or Layer 4 of the OSI model; the most common examples are the TCP SYN flood, the empty connection flood, and the UDP flood.
Application layer attacks, at Layer 7, target web application-specific resources and overwhelm their functions. The most common types are HTTP floods, Slowloris, Brobot, SSL negotiation attacks, and HULK. Application attacks also include extensive file downloads or form submissions on the website that exhaust its resources. Because these requests appear to be legitimate, preventing application-layer DDoS attacks is particularly challenging.
Attack detection becomes harder still because DDoS attackers often combine multiple vectors or mix different attack types. In addition, even best-of-breed mitigation solutions act only once an attack is under way, not before. DDoS prevention therefore requires ongoing, preemptive intelligence that can block DDoS attacks automatically.
DoS vs. DDoS attacks. The primary difference between the two is that a denial-of-service (DoS) attack is launched from a single computer, whereas a DDoS attack is launched from many compromised computers at once. Simple mitigation solutions such as firewalls can easily detect the source of a DoS attack; DDoS attacks are harder to detect because their many sources are often hidden. A DDoS attack channeled through a large botnet is powerful enough to create very large volumes of traffic, while a DoS attack is limited in the impact it can create. As a result, a DDoS attack can be launched faster than a DoS attack, making it more challenging to mitigate.
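The DoS versus DDoS distinction above is easy to see in a per-source request count. The following added example (not code from the original article) classifies one time window of constructed request events and shows why a per-source rate rule, the kind a simple firewall applies, stops a single-source DoS flood but lets a distributed flood through; the IP addresses, limits and event counts are all assumed sample values.

```python
from collections import Counter

# Constructed sample events (not captured traffic): (timestamp_seconds, source_ip).
# Baseline: a handful of genuine users making a couple of requests each.
BASELINE = [(t, f"10.0.0.{i}") for i in range(1, 6) for t in range(2)]
# DoS scenario: one machine sends 60 requests in the same window.
DOS_FLOOD = BASELINE + [(t, "203.0.113.9") for t in range(60)]
# DDoS scenario: 40 bots send 3 requests each; no single source looks abnormal.
DDOS_FLOOD = BASELINE + [(t, f"198.51.100.{i}") for i in range(1, 41) for t in range(3)]

PER_SOURCE_LIMIT = 20   # assumed per-source rate rule a simple firewall would enforce
AGGREGATE_LIMIT = 60    # assumed total requests per window the service can absorb


def classify(events, per_source_limit=PER_SOURCE_LIMIT, aggregate_limit=AGGREGATE_LIMIT):
    """Classify one window of (timestamp, source_ip) events.

    Returns (verdict, offending_sources):
      "normal" - aggregate load is within capacity
      "dos"    - load exceeds capacity and at least one source is individually
                 over the per-source limit, so blocking that source works
      "ddos"   - load exceeds capacity but every source stays under the
                 per-source limit, so per-source blocking does not help
    """
    per_source = Counter(ip for _, ip in events)
    total = sum(per_source.values())
    offenders = sorted(ip for ip, n in per_source.items() if n > per_source_limit)
    if total <= aggregate_limit:
        return "normal", []
    if offenders:
        return "dos", offenders
    return "ddos", []


def surviving_load(events, per_source_limit=PER_SOURCE_LIMIT):
    """Requests that still reach the service after a per-source rate rule is applied."""
    per_source = Counter(ip for _, ip in events)
    return sum(min(n, per_source_limit) for n in per_source.values())


if __name__ == "__main__":
    for name, events in (("baseline", BASELINE), ("dos", DOS_FLOOD), ("ddos", DDOS_FLOOD)):
        verdict, offenders = classify(events)
        print(f"{name}: {verdict} offenders={offenders} "
              f"load after per-source rule={surviving_load(events)}/{AGGREGATE_LIMIT}")
```

With these values the per-source rule cuts the DoS window to 30 requests, under capacity, while the DDoS window stays at 130 because every bot is individually below the limit; that is the gap that aggregate and behavioural detection has to cover.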