What is a DDoS Attack?

An article introducing DDoS attacks and protection.

A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end users. Typically, attackers generate large volumes of packets or requests that ultimately overwhelm the target system. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the attack traffic.

In general, DDoS attacks can be categorized by which layer of the Open Systems Interconnection (OSI) model they target. They are most common at the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) layers.

[Figure: ddos-OSI.png]

What are the Classifications of DDoS Attacks?

When analyzing and classifying attack methods, we divide attacks into infrastructure layer attacks (Layer 3 and Layer 4) and application layer attacks (Layer 6 and Layer 7). Attacks on Layer 3 and Layer 4 are typically classified as infrastructure layer attacks, which are also the most common types of DDoS attacks. Attacks on Layer 6 and Layer 7 are usually classified as application layer attacks. While these are less common, they tend to be more complex. Compared to infrastructure layer attacks, they are usually smaller in volume. Based on common attack scenarios, the attack types are categorized as follows:

Protocol Attacks

These attacks target network layer or transport layer protocols, primarily at Layers 3 and 4. They are the most common types of DDoS attacks and include synchronize (SYN) flood attacks and reflection attacks using vectors such as User Datagram Protocol (UDP) floods. These attacks are usually large in volume, aiming to overload the capacity of the network or application server. However, they also have clear signatures and are easier to detect.

This type of attack is like the staff in a supply room receiving requests from the store counter. Normally the staff receive a request, fetch the package, wait for confirmation, and then deliver the package to the counter. In the attack, the staff receive far too many package requests but never get any confirmation, until they can't hold any more packages and are overwhelmed, so nobody is left to respond to genuine requests.

These attacks exploit the TCP handshake (the series of messages two computers exchange when initiating a network connection) by sending a large number of TCP 'initial connection request' SYN packets with spoofed source IP addresses to the target. The target responds to each connection request and then waits for the final step of the handshake, which never arrives, so each half-open connection holds resources until the target is exhausted. Such attacks consume the resources of servers and of network devices such as load balancers and firewalls.

Application Layer Attacks

These attacks target specific applications or services, primarily at Layers 6 and 7. They are the most complex attacks, often mimicking normal user traffic. Examples include HTTP floods, slow attacks (such as Slowloris), and DNS query floods. Although these attacks are less common, they are often more complex. Compared to infrastructure layer attacks, they are usually smaller in volume but often focus on specific critical parts of the application, making it impossible for real users to use it. Examples include a large number of HTTP requests to the login page or to expensive search APIs, or even WordPress XML-RPC flooding (also known as WordPress pingback attacks). It's like pressing refresh over and over again in a large number of different web browsers: a large number of HTTP requests flood the server, leading to denial of service. This type of attack can be simple or complex. Simpler implementations use the same range of attacking IP addresses, referrers, and user agents to access one URL. Complex versions may use a large number of attacking IP addresses with random referrers and user agents to target random URLs.
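As an added example (not code from the article), the following script flags HTTP-flood sources in web-server access logs. It assumes combined log format lines; the sample lines are constructed and the window and threshold values are illustrative. Counting distinct user agents and referrers in a burst separates the simple variant described above (same UA and referrer hitting one URL) from the randomised one.

```python
"""Added example (not from the article): flag HTTP-flood sources in access
logs. Assumes combined log format lines; the sample lines are constructed
and the window/threshold values are illustrative."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_flood_sources(lines, window_s=10, max_requests=10):
    """Return {(ip, path): (requests, distinct_user_agents, distinct_referrers)}
    for sources sending more than max_requests to one path inside a fixed
    window_s-second bucket. (1, 1) at the end means one UA and one referrer
    across the whole burst, i.e. the simple flood; large counts mean the
    randomised variant."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                                  # skip malformed lines
        bucket = int(rec["ts"].timestamp()) // window_s
        buckets[(rec["ip"], rec["path"], bucket)].append((rec["ua"], rec["ref"]))
    flagged = {}
    for (ip, path, _), hits in buckets.items():
        if len(hits) > max_requests:
            flagged[(ip, path)] = (len(hits), len({ua for ua, _ in hits}),
                                   len({ref for _, ref in hits}))
    return flagged

def sample_log():
    """Constructed sample: a normal client plus one source hammering /login."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /login HTTP/1.1" 200 512 "{ref}" "{ua}"'
    lines = [fmt.format(ip="203.0.113.7", s=s, ref="https://shop.example/", ua="Mozilla/5.0")
             for s in (0, 10, 20)]                    # three logins over 20 s: normal
    lines += [fmt.format(ip="198.51.100.9", s=s // 5, ref="-", ua="curl/8.0")
              for s in range(25)]                     # 25 POSTs inside 5 s: flood
    return lines
```

Running `find_flood_sources(sample_log())` flags only the curl source; feeding real logs into `parse` lets the same thresholds be tuned against observed baseline rates.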

Volumetric Attacks

These are the most common types of DDoS attacks, aiming to saturate network bandwidth. The attacker needs to control a large number of bots (a 'botnet') to generate enough traffic, sending so much that network services become unavailable. Examples include UDP floods, ICMP floods, and other indiscriminate amplified-traffic attacks. Specific types include:

  • UDP Flood: The attacker sends a large number of UDP packets to random ports on the target server. The server tries to respond to each packet, eventually exhausting its ability to handle legitimate requests.
  • ICMP (Ping) Flood: Using the ICMP protocol, the attacker sends a large number of 'echo requests' (ping requests) to the target system. If the target system responds to all of them, it may be overloaded, preventing legitimate traffic from reaching it.
  • Other Spoofed Packet Floods: The attacker spoofs IP addresses to send a large number of packets. These packets can be any type of protocol, aiming to consume as much bandwidth as possible.
  • Amplification Attacks: The attacker uses protocols with large responses, such as DNS or NTP, to send small query requests and spoof the victim's IP address. Since responses are usually much larger than requests, this results in the victim receiving a large amount of unrequested data.
  • DNS Amplification: A specific type of amplification attack, where the attacker uses DNS servers to amplify the attack. The attacker sends small query requests, but requests the DNS server to return larger responses to the victim's address.
  • NTP Amplification: Similar to DNS amplification attacks, but uses Network Time Protocol (NTP) servers. The attacker requests the NTP server to send time synchronization responses to the victim's IP address.
  • Smurf Attack: The attacker sends ICMP requests to a network broadcast address with the victim's IP address as the source, so all the responses are sent to the victim. This not only exhausts the victim's bandwidth but also affects intermediate network devices.
  • Fraggle Attack: Similar to a Smurf attack, but uses UDP instead of ICMP. The attacker sends UDP echo requests to the broadcast address, and all the replies are directed to the victim.

Reflection and Amplification Attacks

Attackers exploit third-party servers to amplify attack traffic; examples include NTP amplification, DNS amplification, and SNMP reflection attacks. The attacker forges the victim's IP address as the source of the requests, so the reflection server sends its responses to the victim, multiplying the traffic in the process. It's like someone calling a restaurant and saying, 'Order one of each dish and call me back to repeat the entire order,' when the callback number actually belongs to the victim. With little effort, a lengthy response is generated and sent to the victim. After a request with a forged source IP address (the victim's) is sent to an open DNS server, the victim's IP address receives the server's response.
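The detection side of the amplification vectors listed above (DNS, NTP, SNMP and similar reflectors), as an added example that is not part of the article: reflected traffic arrives from a service port that no internal host ever queried, which is visible in flow records. The `Flow` tuple is a simplified stand-in for NetFlow/IPFIX data, and the sample flows are constructed.

```python
"""Added example (not the article's own): spot reflected and amplified UDP
traffic in flow records. The Flow tuple is a simplified stand-in for
NetFlow/IPFIX data and the sample flows are constructed."""
from collections import defaultdict
from typing import NamedTuple

# Service ports commonly abused as reflectors (DNS, NTP, SNMP, SSDP, chargen)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 19: "chargen"}

class Flow(NamedTuple):
    direction: str   # "out": leaves our network, "in": arrives at our network
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int

def unsolicited_reflections(flows):
    """Return {(victim_ip, service): (distinct_reflectors, total_bytes)} for
    inbound UDP traffic from reflector ports that no internal host queried.
    A genuine reply is preceded by our own request to that (server, port);
    reflected traffic is not."""
    requested = {(f.dst, f.dport) for f in flows if f.direction == "out" and f.proto == "udp"}
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        if (f.src, f.sport) in requested:
            continue                            # answer to a query we actually sent
        key = (f.dst, REFLECTOR_PORTS[f.sport])
        reflectors[key].add(f.src)
        volume[key] += f.nbytes
    return {k: (len(reflectors[k]), volume[k]) for k in volume}

def sample_flows():
    """Constructed: one legitimate DNS lookup with its reply, then NTP and DNS
    responses from many reflectors to a host that sent no requests."""
    flows = [Flow("out", "192.0.2.10", 40001, "198.51.100.53", 53, "udp", 70),
             Flow("in", "198.51.100.53", 53, "192.0.2.10", 40001, "udp", 300)]
    for i in range(50):                         # 50 NTP reflectors, 2 KB each
        flows.append(Flow("in", f"203.0.113.{i + 1}", 123, "192.0.2.20", 40000 + i, "udp", 2000))
    for i in range(20):                         # 20 open resolvers, 3 KB each
        flows.append(Flow("in", f"198.18.{i}.1", 53, "192.0.2.20", 40000 + i, "udp", 3000))
    return flows
```

The legitimate DNS reply to 192.0.2.10 is ignored because its request was seen leaving the network; only the unsolicited NTP and DNS responses toward 192.0.2.20 are reported, with the number of reflectors involved and the bytes they delivered.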

Multi-Vector Attacks

These attacks combine several of the above methods, attacking the target in multiple ways simultaneously. They are harder to defend against because they require dealing with multiple attack surfaces at once.

How to Defend Against DDoS Attacks?

Mitigating a DDoS attack comes down to distinguishing attack traffic from normal traffic. For example, if a company's website sees a surge of visitors because it has just released an application, the dramatic rise in load may look like a DDoS attack, but cutting off all traffic would be the wrong response. If, on the other hand, the company sees a sudden increase in traffic from known malicious users, it may need to work to mitigate an attack. The challenge is telling real customer traffic apart from attack traffic.

On the modern internet, DDoS traffic comes in many forms, ranging from unspoofed single-source attacks to complex, adaptive multi-vector attacks. A multi-vector DDoS attack uses several attack methods to knock down the target in different ways, which is likely to distract mitigation efforts at every level. A typical example is an attack that targets multiple levels of the protocol stack at once, such as DNS amplification (Layers 3/4) combined with an HTTP flood (Layer 7). Defending against it requires deploying several different strategies to mitigate the attack at each level.

Generally, the more complex the attack, the harder it is to separate attack traffic from normal traffic: the attacker's goal is to blend in with normal traffic as much as possible, so as to reduce the effectiveness of mitigation. Mitigation measures that indiscriminately drop or throttle traffic may discard normal traffic along with attack traffic, and the attack may then be modified to evade them. To counter such sophisticated methods, a layered solution is ideal.

Blackhole Routing

Blackhole routing is a method of mitigating Distributed Denial of Service (DDoS) attacks. When a network or server is under a DDoS attack, a large amount of malicious traffic is sent to the target system, preventing legitimate user requests from being answered. The principle of blackhole routing is to redirect all traffic heading towards the attacked target to a 'black hole', a special null route where any traffic sent to it is discarded without any response. The purpose is to stop the malicious traffic from reaching the target server, thereby protecting the server from the attack. Implementing blackhole routing usually involves the following steps:

  • Detecting the attack: First, there needs to be a mechanism to detect the occurrence of a DDoS attack.
  • Triggering blackhole routing: Once an attack is detected, the network administrator can manually or automatically trigger blackhole routing.
  • Broadcasting routing updates: Using BGP (Border Gateway Protocol) or another routing protocol, update the routing tables to tell all routers to send traffic destined for the target IP address to the black hole.
  • Traffic discard: All traffic sent to the attacked IP address will be routed to the black hole and discarded there.

Although blackhole routing can effectively reduce the impact of malicious traffic on the target system, it has a significant drawback: legitimate traffic is also discarded. This means that during an attack, the affected service is unavailable to all users. Therefore, blackhole routing is often seen as a last resort defense measure. In some cases, more refined methods may be used, such as 'Scrubbing Centers' or other types of traffic analysis and filtering, to distinguish and block malicious traffic while allowing legitimate traffic to pass.

Rate Limiting

Limiting the number of requests a server accepts in a given period of time is another method of defending against denial of service attacks. Although rate limiting is helpful in slowing down web crawlers stealing content and in defending against brute force attacks, relying solely on it may not be enough to deal with complex DDoS attacks. Nevertheless, rate limiting is an effective component of an overall DDoS defense strategy.
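As an added example (not the article's code), here is the per-client sliding-window limiter that a reverse proxy or API gateway applies to enforce the limit described above. The client key, limit and window are illustrative assumptions; the caller passes in the clock reading so the logic is deterministic.

```python
"""Added example (not part of the article): per-client sliding-window rate
limiter of the kind a reverse proxy or API gateway applies. Thresholds and
client keys are illustrative assumptions."""
from collections import deque, defaultdict

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_s` seconds per client key.
    Keeping the timestamps of recent requests (a sliding window) avoids the
    double-size burst that a fixed-window counter lets through at a bucket
    boundary."""
    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)     # key -> timestamps inside the window

    def allow(self, key, now):
        """Return (allowed, retry_after_seconds). `now` is a monotonic clock
        reading supplied by the caller, e.g. time.monotonic()."""
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:   # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            # Oldest request still in the window decides when a slot frees up
            return False, self.window_s - (now - q[0])
        q.append(now)
        return True, 0.0

def simulate(limiter, key, timestamps):
    """Replay request times for one client; returns the allow/deny decisions."""
    return [limiter.allow(key, t)[0] for t in timestamps]
```

Each client is limited independently, so a flooding source is throttled while a normal client with its own key is unaffected; the retry-after value maps directly onto an HTTP 429 response's Retry-After header.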

Web Application Firewall

A Web Application Firewall (WAF) is an effective tool for mitigating Layer 7 DDoS attacks. Deployed between the internet and the origin server, a WAF acts as a reverse proxy and shields the origin from specific types of malicious traffic. With capabilities such as DDoS traffic alarms, IP block lists and whitelists, regional blocking rules, port filtering, signature-based filtering, protocol blocking rules, and connection-attack protection, it can stop Layer 7 attacks. A key value of an effective WAF is the ability to implement custom rules quickly in response to an attack.

Conclusion

Tencent EdgeOne DDoS Protection is a security service provided by Tencent Cloud that aims to protect internet-facing applications, services, and networks from Distributed Denial of Service (DDoS) attacks. DDoS attacks are a type of cyber attack where multiple compromised systems are used to target a single system, overwhelming its resources and causing it to become unavailable to legitimate users.

Tencent EdgeOne DDoS Protection provides the following features:

  1. Traffic Monitoring and Detection: The service continuously monitors network traffic and detects abnormal traffic patterns that may indicate a DDoS attack.
  2. Automatic Mitigation: Once an attack is detected, Tencent EdgeOne DDoS Protection automatically triggers mitigation measures to block the malicious traffic and protect the targeted system.
  3. Real-time Reporting: The service provides real-time reports on attack traffic, including the source IP addresses, attack types, and other relevant information.
  4. Customizable Protection Policies: Users can customize protection policies based on their specific needs, such as setting up whitelist and blacklist rules, adjusting traffic thresholds, and more.
  5. Global Coverage: Tencent EdgeOne DDoS Protection leverages Tencent's global network infrastructure to provide protection for users worldwide.

By using Tencent EdgeOne DDoS Protection, businesses can ensure the availability and performance of their online services, even in the face of large-scale DDoS attacks. Learn more about Tencent EdgeOne's DDoS protection.