What Is a Distributed Denial of Service (DDoS) Attack?
A distributed denial of service (DDoS) attack happens when a hacker intentionally exceeds a network’s capacity by overwhelming it with their own inbound requests. This massive volume of traffic means that legitimate visitors can’t reach or use the site.
This article will further investigate what these attacks are. You’ll learn how DDoS works, what the common types of DDoS attacks are, and how to detect them. Most importantly, you’ll discover how your organization can prevent DDoS attacks.
Defining Distributed Denial of Service
Every network has limited resources. For example, the infrastructure that supports your organization’s website does not have the capacity to handle an infinite number of simultaneous requests or traffic.
In a DDoS attack, a hacker floods your network or server with an abundance of requests. Their goal is to surpass its capacity, rendering it unable to respond to legitimate requests from internal users or online shoppers.
DDoS attacks can shut down your service altogether or make it run so slowly that employees or people looking to do business with you cannot do so. Staff members cannot do their jobs effectively when your network shuts down or slows to a crawl. Would-be customers either can’t reach your site at all or leave because they’re so frustrated by the site’s slow response.
As you can imagine, if a hacker prevents your website or network from functioning properly, they can cripple your business for hours, days, or longer. They could also cost you many thousands of dollars per hour from lost transactions if shoppers cannot reach you.
DDoS attackers can target any type of organization, but typical targets include:
Any enterprise that relies on online connectivity to do business or provide services
An attacker’s motivation for attacking an organization may vary. An attacker could be:
A malicious competitor looking to disrupt your ability to make transactions
An attacker trying to damage your organization’s reputation by interrupting your services
A criminal seeking to extort a large payment in exchange for ending the attack
How a DDoS Attack Works
A simpler denial of service (DoS) attack can be carried out by a single user with a single computer used to flood the targeted network with requests. A DoS can also happen without a large volume of traffic being sent to a service. Instead, there may be a bug in the application’s code that would cause it to run out of resources. For example, if a particular API call causes an infinite loop because of a programming error, a DoS can occur with a single request.
However, hackers usually use a distributed denial of service attack. This means they employ a whole network of devices, enabling them to increase the volume of traffic they can use to flood the targeted server. An attacker’s network can be made up of any number of computers or internet of things (IoT) devices.
The DDoS attacker builds their attack network by first recruiting an army of devices by infecting them with malware that allows the attacker to control them remotely. With their botnet in place, the attacker can now launch a DDoS attack by ordering each bot to send requests to the targeted IP address, flooding the victim’s network or server. The victim’s website is now rendered unusable due to DoS.
One popular form of DDoS is domain name server (DNS) amplification, where attackers use public DNS servers to overwhelm a victim system with DNS response traffic. Learn more about DNS amplification at the US Cybersecurity & Infrastructure Security Agency.
Identifying a DDoS Attack
If a DDoS attack is successful, the obvious result will be a website or service either slowing to a crawl or becoming unavailable altogether. Sometimes, however, a legitimate traffic increase can cause similar problems. If you suspect you may be under DDoS attack, analyzing your traffic can help you get some answers. There are more specific signs depending on the type of DDoS attack, but here are a few things to watch for:
Odd patterns, such as traffic spikes that occur outside of typical hours or repeated spikes in unusual patterns
A sudden surge of traffic from users with a common profile, such as location or device type
Large amounts of traffic coming from one IP address or IP range
A sudden deluge of requests to a single endpoint or page
How to Reduce Your Risk
The real difficulty in mitigating DDoS attacks is being able to tell the difference between legitimate and attack traffic. DDoS traffic can take many different forms, from a single source without spoofing to multi-vector attacks that adapt to your countermeasures. As attack complexity increases, so does the difficulty of differentiating DDoS traffic from normal traffic, making mitigation harder.
While you want to thwart a DDoS attack as quickly as possible, you also don’t want to indiscriminately limit or block traffic. This is why a multi-layered approach to DDoS mitigation is your best bet.
Using rate limiting, you can put a cap on the number of requests (such as login attempts) your server accepts within a determined period of time. It traces requests to the IP address they are coming from and identifies how close together those requests are. If too many requests are made by the same IP too rapidly, rate limiting will not allow that IP’s requests to be fulfilled for a designated amount of time.
Rate limiting is useful because it can mitigate some types of bot attacks and help prevent a flood of data from bogging down your network capacity. It can also hinder attackers trying to steal content and impede brute force login attempts.
The nature of rate limiting also makes it useful against application programming interface (API) overuse. While API overuse isn’t always brought on by bot activity or malicious acts, it’s important to prevent it.
Rate limiting is executed within an application, not on the web server. Used alone, it would likely not be enough to shut down a complex DDoS attack, but it's a useful part of a more comprehensive security and DDoS mitigation strategy.
As a last resort method of warding off a DDoS attack, network administrators usually have the option of creating a blackhole route (also called a null route) through which to channel website traffic. Once implemented, any traffic directed to the blackhole route will be dropped from the network.
In the case of connectionless protocols like user datagram protocol (UDP), no information will be returned to the source about the dropped data. But with protocols like transmission control protocol (TCP) that require a handshake connection with the target’s network, a data-drop notification to the source will be sent.
A blackhole route can be put in place without any criteria that restrict what kind of traffic flows into it. This means that the legitimate traffic will be dropped from the network along with the malicious traffic.
If blackholing is your only option, your internet service provider can (ISP) direct all your site traffic through the blackhole route. However, doing so essentially gives the attacker what they want by making your network inaccessible.
Another drawback of relying on blackholing is that an advanced attack can employ variable attack vectors and IP addresses, forcing you to adjust your blackhole route to try to keep up.
That said, blackholing may be useful when the DDoS attack is targeting a smaller website that belongs to a bigger network. If this is the case, blackholing all traffic being sent to that site could keep the rest of the network from being affected.
Web Application Firewall
A web application firewall (WAF) monitors and filters HTTP traffic between the internet and web applications, helping to guard them against DDoS and other malicious attacks like cross-site scripting, SQL injection, and file inclusion. While a WAF cannot defend an enterprise against every type of attack, it’s an important part of a comprehensive cybersecurity system.
Deployed in front of a web application, a WAF acts as a shield between the larger internet and that application. As a reverse-proxy, it fortifies a server against malicious attacks by making clients pass through it before they reach the server.
The intent of the policies that operate the WAF filter is to filter out malicious traffic. Once in place, it is relatively quick and easy to modify those policies as needed depending on changing attack vectors. This adds agility to how a target is able to respond. For example, during a DDoS attack, having a WAF in place would allow rate limiting to be implemented quickly.
Comprehensive API Security
Over the last few years, digital advancements have led to a massive increase in API development, as APIs play a key role in IoT and mobile apps. This means API security is an ever-increasing area of concern. Unfortunately, APIs are vulnerable to DDoS attacks and make attractive targets for cybercriminals.
Gartner predicted this trend in 2017 when it estimated that by 2022, “API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” They recommended that organizations implement a “continuous approach to API security…designing security into APIs.”
Because APIs are often accessible via public networks accessed from anywhere with an internet connection, they have good public visibility and are prone to reverse engineering. Comprehensive API security can help make this application layer more secure and help shut down attacks if and when they do occur.
While rule-based security is a step in the right direction, it can only be as effective as the rules themselves. Individual API security measures like content delivery networks and WAF can provide some basic protection against DDoS and other types of attacks. However, they simply aren’t enough to stop skilled and determined hackers from taking advantage of unique weaknesses that may be present in each API.
Given the rise of API development and the potential vulnerability, a complete solution for API security is more critical now than ever.
Ping Identity’s API Intelligence uses AI for better traffic visibility, threat blocking, and anomaly detection that can help protect your enterprise against DDoS and other threats. Learn more by downloading Ping’s API Security White Paper.