The Most Common Types of DDoS Attacks Dissected
Every electronic system has a finite data processing capacity. This threshold is never exceeded under normal conditions, but things may change when anomalous activity kicks in. A distributed denial-of-service (DDoS) attack fits the mold of a stratagem that can drain a web server’s resources and disrupt the associated online service.
This brutal vector of cybercrime made its debut in the mid-1990s as ideological weaponry favored by Anonymous and like-minded hacktivists. As time went by, it embraced extra motivations, ranging from script kiddies’ whim to satisfy their ego and get an adrenaline rush to unscrupulous entrepreneurs’ plots aimed at sucker-punching business rivals.
Extortion through what’s called “ransom DDoS” is the latest evil quirk of threat actors. To set it in motion, an adversary threatens to knock an organization’s website offline unless the would-be victim pays a specified amount of Bitcoin.
DDoS has grown into a multipurpose cybercrime heavyweight over time, and it’s getting worse. With that said, it is high time organizations stepped up their preparedness to tackle this challenge.
This article provides a summary of known attack methods and shines the light on effective countermeasures.
(Screenshot image by David Balaban, source: NETSCOUT Cyber Threat Horizon)
What Makes DDoS So Dangerous?
With organizations heavily relying on uninterrupted availability of their websites these days, service downtime entails reputational issues and customer churn, which translates to adverse financial implications down the line. Unsurprisingly, the above-mentioned extortion tactic with DDoS at its core is flourishing.
Since mid-August 2020, several high-profile hacker gangs, including the infamous Lazarus Group and Fancy Bear, have been sending such blackmail notes to thousands of companies around the world, primarily ones from the finance and retail sectors.
The felons demand a minimum of 10 BTC (currently worth about $106,000) for not mounting the attack. On August 28, the FBI alerted U.S. companies to the menace by issuing an ad hoc flash warning.
One more facet of the problem is that DDoS can be used as a red herring in data exfiltration or ransomware attacks. It creates “noise” that distracts a target company’s InfoSec staff from a more impactful threat, thereby impeding swift incident response.
An extra concern is that DDoS operators are increasingly adept at amplifying their attacks via huge botnets consisting of unsecured IoT devices. This approach was behind the most powerful assaults reported to date, including the 2016 Dyn cyber-attack that generated rogue traffic exceeding 1Tbps.
Who Is DDoSed in 2020?
With the COVID-19 crisis being underway, the implementation of remote learning programs saw a dramatic spike this year, and so did DDoS attacks targeting the education and academic sector. Mostly orchestrated by hacktivists and rebellious students, these incursions lead to network downtime and disrupt virtual classes.
Unethical business competition is another area where DDoS plays a role. For instance, malicious actors often swamp Minecraft servers to lure gamers into switching to another hosting service.
Cryptocurrency exchanges are common targets as well. By disrupting these services via DDoS-for-hire platforms, unscrupulous rivals encourage coin traders to look for alternatives.
(Image source: Neustar)
From January through June 2020, compared with the same period in 2019, the number of DDoS attacks sized 100 Gbps and above grew an enormous 275%. At the same time, the number of small attacks, sized 5 Gbps and below, also grew by more than 200%.
Demystifying the DDoS Ecosystem
Security professionals single out numerous techniques that differ in how they precipitate a denial-of-service condition. To better understand the network disruption repertoire of present-day crooks, go over the following hands-on summary of the most common DDoS types.
- DNS Flood. To execute this incursion, malefactors deluge a DNS server with a huge number of malformed requests coming from numerous different IP addresses. This is one of the toughest attacks to detect and recover from.
- UDP Flood. An adversary fires out a slew of rogue User Datagram Protocol (UDP) packets at a victim server to make it run out of processing capacity. A serious pitfall in terms of identifying this attack is that UDP is connectionless and provides few ways to verify source IP addresses.
- SYN Flood. This foul play abuses the TCP three-way handshake, the fundamental mechanism for setting up a connection between a client and a server in TCP. Criminals flood a target server with multiple SYN (synchronize) packets coming from a rogue IP, and the server allocates a half-open connection for each one while it waits for an acknowledgement that never arrives. For the record, the role of SYN packets in a benign scenario is to request a connection with a server.
- Fragmented ACK Flood. An attacker shells a network with patchy ACK (acknowledge) packets. When attempting to organize these requests, routers encounter a denial-of-service condition. This raid is one of the crooks’ favorites because it can disrupt a network with a comparatively small number of partial packets.
- Ping Flood. This DDoS attack revolves around fraudulent Internet Control Message Protocol (ICMP) echo requests. The victim server allocates all of its resources to spawn packets in response to these numerous pings and denies service to legitimate clients.
- HTTP Flood. To initiate this incursion, a threat actor shells a web application with malformed GET or POST requests. To imitate natural traffic, this technique may engage a botnet of previously infected devices.
- Ping of Death Attack. A malefactor deluges a network with ping packets that “weigh” more than 64 bytes, which is the maximum permitted size. The receiving server tries to reassemble these offbeat packets to no avail and eventually crashes.
- IP Null Attack. To launch this incursion, an evildoer targets a server with IPv4 packets in which the header value is set to null. These irregular messages confuse the server to the extent that it can no longer operate properly.
- Fraggle Attack. This foul play involves rogue UDP packets carrying a knockoff IP address of the target’s router. As a result, the network device replies to itself non-stop until it becomes incapable of reacting to legitimate requests.
- LAND Attack. LAND – short for Local Area Network Denial – is a raid relying on dodgy SYN packets in which the source IP and the destination IP are an exact match. The victim server is thereby pulled into a loop of iterative responses to itself, which causes a denial-of-service predicament.
- Slowloris. An attacker initiates a bevy of simultaneous connections to a web server and keeps them active by periodically sending partial packets and incomplete HTTP headers. These connections stay uncompleted for a long time and waste the server’s processing capacity. On a side note, a single computer can be enough to execute the Slowloris onslaught.
- Low Orbit Ion Cannon (LOIC). LOIC was originally a tool that allows security experts to identify the pain points of a network by stress-testing it. However, criminals sometimes turn its original purpose upside down by misusing it to deplete a server’s resources with fake HTTP, UDP, and TCP packets.
- High Orbit Ion Cannon (HOIC). This is a LOIC spin-off with a much higher stress-testing potential under its hood. DDoS actors often hinge on it to generate myriads of HTTP POST and GET requests and knock a target server offline in a snap. Incidentally, HOIC can concurrently home in on more than 250 domains.
- APDoS. The acronym stands for “Advanced Persistent Denial-of-Service”. This mechanism kicks in when attackers blend a series of different techniques to deteriorate the performance of a network or a server. Another hallmark of this attack is that it usually lasts for weeks and withstands traditional incident response methods.
- IoT Botnet Attack. This is one of the most destructive types of DDoS as it can generate immense data transfer rates that reach several terabits per second. These attacks parasitize a network of compromised Internet of Things (IoT) devices to generate fraudulent traffic and route it toward a computer network.
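As an added example that is not part of the original article, the following detector classifies a constructed set of packet records against four of the signatures described above: half-open SYN floods, LAND packets (source equals destination), fragmented ACK floods, and ICMP ping floods. The packet format, addresses and thresholds are assumptions for illustration, not real capture data.

```python
from collections import Counter, defaultdict

def pkt(proto, src, dst, flags="", frag=False):
    """Minimal packet record; a real detector would read these from a capture or flow export."""
    return {"proto": proto, "src": src, "dst": dst, "flags": flags, "frag": frag}

SERVER = "203.0.113.10"   # constructed victim address (documentation range)
# Constructed sample traffic: one legitimate handshake plus four flood patterns.
SAMPLE = [pkt("tcp", "198.51.100.7", SERVER, "S"), pkt("tcp", "198.51.100.7", SERVER, "A")]
SAMPLE += [pkt("tcp", f"10.0.{i // 250}.{i % 250 + 1}", SERVER, "S") for i in range(120)]  # SYNs never followed by ACK
SAMPLE += [pkt("tcp", "198.51.100.9", SERVER, "A", frag=True) for _ in range(60)]       # fragmented ACKs
SAMPLE += [pkt("icmp", "192.0.2.5", SERVER, "echo-request") for _ in range(80)]        # ping flood
SAMPLE += [pkt("tcp", SERVER, SERVER, "S")]                                            # LAND packet

def detect_floods(packets, syn_thresh=100, ack_frag_thresh=50, icmp_thresh=50):
    """Return {destination: [findings]} for the flood patterns seen in the packet list."""
    half_open = defaultdict(set)   # dst -> sources that sent a SYN but never completed the handshake
    frag_acks = Counter()          # dst -> fragmented ACK segments
    pings = Counter()              # dst -> ICMP echo requests
    findings = defaultdict(list)
    for p in packets:
        dst = p["dst"]
        if p["proto"] == "tcp":
            if p["src"] == dst and "S" in p["flags"]:
                findings[dst].append("LAND packet (source == destination)")
            elif p["flags"] == "S":
                half_open[dst].add(p["src"])
            elif "A" in p["flags"]:
                half_open[dst].discard(p["src"])   # handshake completed by this source
                if p["frag"]:
                    frag_acks[dst] += 1
        elif p["proto"] == "icmp" and p["flags"] == "echo-request":
            pings[dst] += 1
    for dst, srcs in half_open.items():
        if len(srcs) >= syn_thresh:
            findings[dst].append(f"SYN flood: {len(srcs)} half-open connections")
    for dst, n in frag_acks.items():
        if n >= ack_frag_thresh:
            findings[dst].append(f"fragmented ACK flood: {n} fragments")
    for dst, n in pings.items():
        if n >= icmp_thresh:
            findings[dst].append(f"ping flood: {n} echo requests")
    return dict(findings)

if __name__ == "__main__":
    for dst, notes in detect_floods(SAMPLE).items():
        print(dst, notes)
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per host to the normal rate of new connections and ICMP traffic.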
(Image source: Kaspersky Lab, DDoS Report Q2 2020)
According to Kaspersky Lab, SYN flooding is currently the most popular method, with a share of 94.7%, followed by ICMP flooding at 4.9%.
DDoS Mitigation Best Practices
Here is a roundup of the most effective methods to fend off DDoS attacks:
- Use a cloud DDoS protection service. Outsourcing your defenses to a trusted cloud-based service such as Cloudflare, Sucuri, or Akamai is a reliable method to survive even the most powerful assaults.
- Leverage a web application firewall (WAF). The role of a WAF is to monitor incoming Internet traffic and thwart web application abuse via cross-site scripting (XSS), cross-site request forgery (CSRF), or SQL injection.
- Step up your traffic filtering techniques. This tactic enhances a WAF through deep packet inspection, IP blacklisting, and rate limiting.
- Deploy an intrusion prevention system (IPS). An IPS will protect your network against malicious code and hacker attacks that try to exploit known software vulnerabilities.
- Perform code auditing. InfoSec teams should regularly audit the code running in an enterprise environment to ascertain that it doesn’t have any exploitable flaws. This is a countermeasure for application layer (layer 7) DDoS attacks.
- Keep your systems up to date. Timely updates are a hugely important element of DDoS protection. Vulnerability patches raise the bar for malefactors and prevent the network infrastructure from becoming easy prey.
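The rate limiting mentioned above is only effective against a botnet-driven HTTP flood if it is applied at more than one level. The added example below (not from the original article; addresses, limits and traffic pattern are constructed assumptions) replays a sample of normal clients plus a botnet of 300 addresses through a sliding-window limiter and shows that a per-IP cap alone passes every bot request, while an additional aggregate cap holds the server to a fixed budget.

```python
from collections import defaultdict, deque

class FloodLimiter:
    """Sliding-window limiter with two caps: per_ip catches one noisy source,
    global_cap catches a botnet whose members each stay under the per-IP limit."""
    def __init__(self, per_ip=20, global_cap=500, window=1.0):
        self.per_ip, self.global_cap, self.window = per_ip, global_cap, window
        self.by_ip = defaultdict(deque)   # ip -> timestamps of accepted requests
        self.all = deque()                # timestamps of all accepted requests

    def _evict(self, q, now):
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()

    def allow(self, ip, now):
        q = self.by_ip[ip]
        self._evict(q, now)
        self._evict(self.all, now)
        if len(q) >= self.per_ip or len(self.all) >= self.global_cap:
            return False
        q.append(now)
        self.all.append(now)
        return True

def replay(requests, **limits):
    """requests: list of (timestamp, ip). Returns (accepted, dropped) counts."""
    lim = FloodLimiter(**limits)
    accepted = sum(lim.allow(ip, t) for t, ip in sorted(requests))
    return accepted, len(requests) - accepted

# Constructed sample: 5 normal clients at 2 req/s for 3 s (30 requests), then a
# botnet of 300 hypothetical addresses each sending 2 req/s over the same 3 s (1800).
NORMAL = [(s + k / 2, f"198.51.100.{c}") for c in range(1, 6) for s in range(3) for k in range(2)]
BOTNET = [(s + k / 2, f"10.{b // 256}.{b % 256}.1") for b in range(300) for s in range(3) for k in range(2)]

if __name__ == "__main__":
    print("per-IP cap only:", replay(NORMAL + BOTNET, global_cap=10**9))
    print("per-IP + aggregate cap:", replay(NORMAL + BOTNET))
```

The aggregate cap protects the server's capacity but cannot tell bots from real users, which is why the cloud scrubbing services and WAF filtering listed above are still needed to separate the two.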
This type of cybercrime is evolving quickly, relying on botnets, open-source network stress-testing frameworks, scams, and other means. Therefore, organizations should have effective defenses in place to emerge unscathed if disaster strikes.
This guest post was written by David Balaban, a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the MacSecurity.net and Privacy-PC.com projects.