How to Tell if My Network is Being DDoS: Signs I'm Getting DDoSed

In the ever-evolving landscape of cybersecurity threats, Distributed Denial of Service (DDoS) attacks remain a formidable challenge for individuals and organizations alike. A DDoS attack aims to overload a network with an excessive amount of requests, rendering it unavailable to legitimate users. Given their disruptive potential, it's crucial to recognize the signs of a DDoS attack early on. 

Here, we first list the key indicators that can help determine if your network is under a DDoS attack. We then provide a detailed explanation of the types of DDoS attacks and how to identify them.

What are the Signs of DDoS Attacks?

If your network exhibits the following signs, it is likely experiencing a DDoS attack:

• Unusually Slow Network Performance: One of the initial signs of a DDoS attack is a significant slowdown in network performance. If accessing websites, sending emails, or using internet-based applications becomes markedly slower without a clear reason, this could indicate that your network is being overwhelmed with traffic.
• Inaccessibility of a Particular Website or Service: A telltale sign of a DDoS attack is when a specific website or online service suddenly becomes unavailable. While occasional downtime can occur due to maintenance or server issues, if a site or service that was functioning normally becomes unreachable for an extended period, it may be under attack.
• Internet Disconnection: In severe cases, a DDoS attack can lead to the complete disconnection of your internet service. If you find that you're unable to connect to any website or online service, and this issue persists despite troubleshooting your equipment and connections, your network might be experiencing a DDoS attack.
• Unexplained Surge in Traffic: Monitoring tools that display incoming network traffic can reveal sudden, unexplained surges. This is often a clear indication of a DDoS attempt. The traffic usually originates from multiple sources, which is a characteristic feature of distributed denial of service attacks.

What are the Types of DDoS Attacks?

1. Application layer attacks

Application layer attacks (Layer 7 attacks) are attacks against application layer protocols (such as HTTP, HTTPS, DNS, etc.) designed to exhaust the server's resources and make it unable to respond to legitimate user requests. This type of attack is usually achieved by sending a large number of legitimate but malicious requests.

• HTTP Flood: Send a large number of HTTP requests to exhaust the resources of the web server.
• Slowloris: Exhaust the server's connection resources by keeping a large number of HTTP connections open.
• DNS Query Flood: Send a large number of DNS query requests to exhaust the resources of the DNS server.

2. Protocol layer attacks

Protocol layer attacks (Layer 3/4 attacks) are attacks on network protocols (such as TCP, UDP, ICMP, etc.), designed to exhaust the resources of network devices and make them unable to process legitimate traffic.

• SYN Flood: Send a large number of TCP SYN requests to exhaust the server's connection table.
• UDP Flood: Send a large number of UDP packets to exhaust network bandwidth and server resources.
• ICMP Flood: Send a large number of ICMP Echo requests (pings) to exhaust network bandwidth and server resources.

The ultimate goal of these attacks at different network levels is to exhaust server or network resources, blocking normal access and affecting the use of normal users.

3. Capacity exhaustion attack

Since the bandwidth of the service is limited, volumetric attacks exhaust the network bandwidth by sending a large number of data packets, making it impossible for legitimate traffic to pass.

• DNS Amplification: Using open DNS resolvers, amplify small requests into large responses, exhausting the target's bandwidt
• NTP Amplification: Using open NTP servers, amplify small requests into large responses, exhausting the target's bandwidth.
• SSDP Amplification: Using open SSDP devices, amplify small requests into large responses, exhausting the target's bandwidth.

4. Resource exhaustion attack

Since server resources are limited, resource exhaustion attacks exhaust the server's computing resources (such as CPU, memory, disk I/O, etc.) so that it cannot process legitimate requests.

• HTTP GET/POST Flood: Send a large number of HTTP GET or POST requests to exhaust the server's CPU and memory resources.
• XML Bomb: Send specially crafted XML data to cause the server to exhaust memory when parsing.
• Hash Collision: Send specially crafted requests to cause a large number of hash collisions when the server processes the hash table, exhausting CPU resources.

5. Connection exhaustion attack

Since the number of concurrent connections of the server is limited, the connection exhaustion attack is to exhaust the connection resources of the server, making it unable to establish new connections, thereby affecting the use of normal customers.

• Slowloris: Exhaust the connection resources of the server by keeping a large number of HTTP connections open.
• TCP Connection Flood: Send a large number of TCP connection requests to exhaust the connection table of the server.
• SYN Flood: Send a large number of TCP SYN requests to exhaust the connection table of the server.
   

How to Identify DDoS Attacks?

Knowing the different attack methods and working principles, it is very easy to determine whether you are under DDoS attack.

1. Application layer attacks

• The most intuitive feeling is that the website or application loads slowly or cannot be accessed.
• By checking the server performance, you will find that the CPU and memory usage rates have soared.
• Use web server logs and application logs to view a large number of HTTP requests, most of which are repeated accesses to a single interface. .
• By using traffic monitoring tools (such as Wireshark, NetFlow) to analyze traffic patterns, it is found that there are abnormal traffic that exceeds expectations. These traffic flows are often regular, such as appearing at fixed times of the day.

2. Protocol layer attacks

• The intuitive feeling is similar to that of the web layer being attacked, both of which are increased network connection delays.
• The server connection table is exhausted and new connections cannot be established, resulting in inaccessibility.
• The difference is that because it is only a large number of requests at layer 3/4, the business side will not receive a large number of HTTP requests, and the application layer logs are often more hidden.
• Because there are a large number of TCP SYN requests, UDP packets or ICMP Echo requests, a large number of TCP SYN requests, UDP packets or ICMP Echo requests can be seen in the network device log and firewall log.

3. Capacity exhaustion attack

• The network bandwidth is exhausted and legitimate traffic cannot pass. The abnormal bandwidth usage request can be seen through the grid bandwidth monitoring tool.
• Because there are a large number of amplified response packets, the traffic pattern can be analyzed through the traffic monitoring tool to identify the amplified response packets.
• This process is also accompanied by the performance degradation of network devices (such as routers and switches).

How to Respond to DDoS Attacks?

If you suspect your network is being targeted by a DDoS attack, immediate action is necessary:

1. Contact Your ISP: Inform your Internet Service Provider of the potential DDoS attack. They can help by rerouting traffic or implementing filters to block malicious traffic.
2. Use DDoS Mitigation Tools: Employ services or tools designed for DDoS mitigation. These can absorb or deflect the overflow of traffic, protecting your network's integrity.
3. Analyze and Adapt: After the attack, analyze its nature and impact. Use this information to strengthen your network's defenses against future incidents.

Conclusion

In order to enhance the effect of the attack, attackers usually use a combination of these different attack methods to launch attacks together, causing all-round impacts. These impacts are often very obvious. From subjective experience, abnormal traffic, access response cache or even failure, abnormal high machine load, etc., it can be judged that a DDoS attack has occurred.

Recognizing the signs of a DDoS attack is the first step in defending against them. As cyber threats continue to evolve, staying informed and prepared is vital. By understanding the indicators of such attacks and knowing how to respond, you can protect your network from significant harm and ensure its resilience against future threats.

Tencent EdgeOne offers robust DDoS protection, which is integral for maintaining the availability and security of websites and services. Here are some key advantages:

• Comprehensive Protection: EdgeOne provides extensive DDoS protection that safeguards against various types of attacks, ensuring your services remain online and unaffected.
• Real-time Alarms: The platform features real-time alerts that notify administrators of ongoing attacks, allowing for quick response and mitigation.
• Detailed Attack Logs: Detailed logs of attack attempts are available within the console, offering transparency and aiding in future prevention strategies.
• Global Reach: With edge servers located globally, EdgeOne ensures that traffic can be re-routed and managed efficiently, providing seamless services to users worldwide.

These features collectively contribute to a resilient security infrastructure capable of protecting against sophisticated DDoS threats. If your network is experiencing a DDoS attack, please contact us promptly for further assistance.