DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are cyberattacks that aim to disrupt or shut down a targeted server, network, or website by overwhelming it with a massive amount of traffic or requests, rendering it inaccessible to legitimate users.
Both DoS and DDoS attacks can cause significant damage to businesses and organizations, leading to loss of revenue, reputation damage, and potential legal consequences. To mitigate these attacks, organizations often employ various security measures, such as firewalls, intrusion detection systems, and traffic filtering.
DDoS attacks can be categorized by which layer of the Open Systems Interconnection (OSI) model they target. They most commonly target the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) layers.
When analyzing and classifying attack methods, we categorize the attacks into the infrastructure layer (Layer 3 and Layer 4) and the application layer (Layer 6 and Layer 7). Attacks on Layer 3 and Layer 4 are typically classified as infrastructure layer attacks, which are also the most common types of DDoS attacks. Attacks on Layer 6 and Layer 7 are usually classified as application layer attacks. While these are less common, they tend to be more complex. Compared to infrastructure layer attacks, these attacks are usually smaller in volume. Based on common attack scenarios, the attack types are categorized as follows:
These attacks target network-layer or transport-layer protocols, primarily Layers 3 and 4. They are the most common types of DDoS attacks and include SYN (synchronize) flood attacks and reflection attacks such as User Datagram Protocol (UDP) floods. They are usually large in volume, aiming to exhaust the capacity of the network or the application server. However, they also have clear signatures and are easier to detect.
This type of attack is like the staff in a supply room receiving requests from the store counter. Normally the staff receive a request, fetch the package, wait for confirmation, and then deliver the package to the counter. Under attack they receive so many package requests, none of which is ever confirmed, that they can no longer handle any more packages, and no one is left to respond to genuine requests.
These attacks exploit the TCP handshake (the series of messages two computers exchange when initiating a network connection) by sending a large number of TCP 'initial connection request' SYN packets with spoofed source IP addresses to the target. The target responds to each connection request and then waits for the final step of the handshake, which never comes, so half-open connections accumulate and exhaust the target's resources. These attacks consume the resources of servers or network devices such as load balancers and firewalls.
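The half-open connection build-up described above is what a defender looks for. The following added example (not code from the original article) tracks handshake state per client over a constructed packet trace and flags a SYN flood when many handshakes stall after the SYN-ACK; the IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed packet trace (src, dst, tcp_flags) in arrival order, as a sensor
# beside the server would see it. Flags use tcpdump-style letters:
# "S" = SYN, "SA" = SYN-ACK, "A" = ACK (the third handshake step).
SERVER = "203.0.113.10"
SAMPLE_PACKETS = [
    ("198.51.100.7", SERVER, "S"),
    (SERVER, "198.51.100.7", "SA"),
    ("198.51.100.7", SERVER, "A"),            # one completed handshake
] + [
    (f"192.0.2.{i}", SERVER, "S") for i in range(1, 41)
] + [
    (SERVER, f"192.0.2.{i}", "SA") for i in range(1, 41)
]  # the spoofed sources never send the final ACK

def half_open_ratio(packets, server_ip):
    """Replay the trace and return (half_open, completed, half_open_share)."""
    state = {}  # (client, server) -> "syn" | "synack" | "open"
    for src, dst, flags in packets:
        if dst == server_ip and flags == "S":
            state[(src, dst)] = "syn"
        elif src == server_ip and flags == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"          # server is now waiting for the ACK
        elif dst == server_ip and flags == "A" and state.get((src, dst)) == "synack":
            state[(src, dst)] = "open"            # handshake finished normally
    half_open = sum(1 for s in state.values() if s == "synack")
    completed = sum(1 for s in state.values() if s == "open")
    total = half_open + completed
    return half_open, completed, (half_open / total if total else 0.0)

def syn_flood_suspected(packets, server_ip, min_half_open=20, max_share=0.5):
    """Alert when stalled handshakes are both numerous and the majority (assumed thresholds)."""
    half_open, _, share = half_open_ratio(packets, server_ip)
    return half_open >= min_half_open and share > max_share
```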
These attacks target specific applications or services, primarily at Layers 6 and 7. They are the most complex attacks and often mimic normal user traffic; examples include HTTP floods, slow attacks such as Slowloris, and DNS query floods. Although these attacks are less common than infrastructure layer attacks, they are usually smaller in volume but focus on specific, critical parts of the application, making it unusable for real users. Examples include a large number of HTTP requests to the login page, expensive search APIs, or WordPress XML-RPC flooding (also known as WordPress pingback attacks). An HTTP flood is like pressing refresh over and over again in a large number of different web browsers: the flood of HTTP requests overwhelms the server and leads to denial of service. This type of attack can be simple or complex. Simpler implementations use the same range of source IP addresses, referrers, and user agents to request a single URL. Complex versions use a large number of source IP addresses with random referrers and user agents to target random URLs.
These are the most common types of DDoS attacks, aiming to saturate network bandwidth. The attacker needs to control a large number of compromised hosts (a botnet) to generate enough traffic to make the network service unavailable. Examples include UDP floods, ICMP floods, and other indiscriminate amplified traffic attacks. Specific types include:
Attackers exploit third-party servers to amplify attack traffic, for example in NTP amplification, DNS amplification, and SNMP reflection attacks. The attacker forges the victim's IP address as the source of the request, so the reflecting server's response is directed at the victim; because the response is much larger than the request, the attack traffic is amplified. It's like someone calling a restaurant and saying, 'Order one of each dish and call me back to repeat the entire order,' but the callback number belongs to the victim. With little effort, a lengthy response is generated and sent to the victim. After a request is sent to an open DNS server with a forged source address (the victim's IP address), the victim receives the server's response.
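From the victim's side, reflected traffic looks like DNS responses that match no query the victim ever sent. This added example (not from the original article) replays a constructed, victim-side record of DNS queries and responses, separates solicited from unsolicited response bytes, and flags a reflection attack when unsolicited answers from many resolvers dominate; addresses, transaction IDs, sizes and thresholds are assumptions.

```python
# Constructed victim-side DNS traffic: (direction, resolver_ip, txid, length_bytes).
# "out" = query the victim really sent; "in" = response arriving from UDP port 53.
SAMPLE_DNS = [
    ("out", "198.51.100.53", 0x1A2B, 64),
    ("in",  "198.51.100.53", 0x1A2B, 180),   # legitimate answer to our own query
] + [
    ("in", f"192.0.2.{i}", 0x4000 + i, 3200) for i in range(1, 31)
]  # large answers from open resolvers that the victim never queried

def classify_responses(records):
    """Match responses to outstanding queries by (resolver, txid).

    Returns (solicited_bytes, unsolicited_bytes, unsolicited_sources).
    """
    pending = set()          # queries sent but not yet answered
    solicited = unsolicited = 0
    sources = set()
    for direction, peer, txid, length in records:
        if direction == "out":
            pending.add((peer, txid))
        elif (peer, txid) in pending:
            pending.discard((peer, txid))
            solicited += length
        else:
            unsolicited += length          # reflected: nobody here asked for it
            sources.add(peer)
    return solicited, unsolicited, sources

def amplification_factor(records):
    """Bytes received per byte sent; reflection attacks push this far above 1."""
    sent = sum(l for d, _, _, l in records if d == "out")
    received = sum(l for d, _, _, l in records if d == "in")
    return received / sent if sent else float("inf")

def reflection_suspected(records, min_sources=10, min_unsolicited_share=0.9):
    """Alert when unsolicited answers come from many resolvers and dominate inbound DNS bytes."""
    solicited, unsolicited, sources = classify_responses(records)
    total = solicited + unsolicited
    share = unsolicited / total if total else 0.0
    return len(sources) >= min_sources and share >= min_unsolicited_share
```

Source-address validation (BCP 38) at the network edge and disabling open recursion on resolvers prevent hosts from being used as reflectors in the first place.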
These attacks combine several of the above methods, attacking the target in multiple ways simultaneously. They are harder to defend against because they require dealing with multiple attack surfaces at once.
Attackers typically carry out DDoS attacks through the following steps:
Attackers use several common DDoS tools to launch Distributed Denial of Service attacks. Some of these tools include:
To defend against DDoS attacks, organizations should adopt various security measures, such as deploying firewalls, intrusion detection systems, traffic filtering, and load balancing. Additionally, patching vulnerabilities promptly, strengthening cybersecurity awareness training, and sharing threat intelligence with other organizations can also help reduce the risk of DDoS attacks.
Mitigating DDoS attacks is about distinguishing attack traffic from normal traffic. For example, if a company's website sees a surge of visitors and a dramatic rise in load because it has just released an application, the pattern may resemble a DDoS attack, but cutting off all traffic would be the wrong response. If, on the other hand, the company sees a sudden increase in traffic from known malicious users, it may need to act to mitigate an attack. The challenge is to tell real customer traffic apart from attack traffic.

On the modern internet, DDoS traffic comes in many forms, from undisguised single-source attacks to complex, adaptive multi-vector (multi-directional) attacks. A multi-vector DDoS attack uses several attack methods at once, knocking down the target in different ways and distracting mitigation efforts at every level. A typical example targets multiple levels of the protocol stack, such as DNS amplification (Layers 3/4) combined with an HTTP flood (Layer 7). Defending against it requires deploying several different strategies to mitigate the attack at each level. In general, the more complex the attack, the harder it is to separate attack traffic from normal traffic: the attacker's goal is to blend in with normal traffic as much as possible and so reduce the effectiveness of mitigation. If mitigation measures indiscriminately drop or throttle traffic, they may discard normal traffic along with attack traffic, and the attack may be adapted to evade them. Against such sophisticated methods, a layered defense is ideal.
Blackhole routing is a method of mitigating Distributed Denial of Service (DDoS) attacks. When a network or server is under a DDoS attack, a large amount of malicious traffic is sent to the target system, preventing legitimate user requests from being responded to. The principle of blackhole routing is to redirect all traffic heading towards the attacked target to a 'black hole', a special network address where any traffic sent to it is discarded without any response. The purpose of this is to prevent malicious traffic from reaching the target server, thereby protecting the server from attack. Implementing blackhole routing usually involves the following steps:
Although blackhole routing can effectively reduce the impact of malicious traffic on the target system, it has a significant drawback: legitimate traffic is also discarded. This means that during an attack, the affected service is unavailable to all users. Therefore, blackhole routing is often seen as a last-resort defense measure. In some cases, more refined methods may be used, such as 'Scrubbing Centers' or other types of traffic analysis and filtering, to distinguish and block malicious traffic while allowing legitimate traffic to pass.
Limiting the number of requests a server accepts from a client within a given period is another method of defending against denial-of-service attacks. Rate limiting helps slow down web crawlers that steal content and helps defend against brute-force attacks, but on its own it is usually not sufficient to deal with a complex DDoS attack. It is, however, an effective component of a well-designed DDoS defense strategy.
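The HTTP floods described earlier concentrate on expensive endpoints such as the login page or a search API, and this section's rate limiting is the natural first control. The following added example (not code from the original article) implements a per-client sliding-window limiter with tighter budgets on those endpoints and replays a constructed request stream through it; the paths, budgets, window and addresses are assumptions.

```python
from collections import defaultdict, deque

# Assumed budgets: requests allowed per client per WINDOW seconds. Expensive
# endpoints get a much smaller budget than the site as a whole.
WINDOW = 10.0
DEFAULT_LIMIT = 100
PATH_LIMITS = {"/login": 5, "/api/search": 20}

class SlidingWindowLimiter:
    def __init__(self, window=WINDOW, default_limit=DEFAULT_LIMIT, path_limits=None):
        self.window = window
        self.default_limit = default_limit
        self.path_limits = path_limits if path_limits is not None else PATH_LIMITS
        self.hits = defaultdict(deque)   # (client, path) -> timestamps of accepted requests

    def allow(self, client, path, now):
        """Return True and record the request if it fits the budget, else False."""
        q = self.hits[(client, path)]
        while q and now - q[0] >= self.window:   # forget hits that left the window
            q.popleft()
        if len(q) >= self.path_limits.get(path, self.default_limit):
            return False
        q.append(now)
        return True

def replay(requests, limiter=None):
    """Feed (timestamp, client_ip, path) tuples in time order; count rejections per client."""
    limiter = limiter if limiter is not None else SlidingWindowLimiter()
    blocked = defaultdict(int)
    for ts, client, path in sorted(requests):
        if not limiter.allow(client, path, ts):
            blocked[client] += 1
    return dict(blocked)

# Constructed access stream: one real user browsing and one client hammering /login
SAMPLE_REQUESTS = [(0.5 * i, "198.51.100.7", "/") for i in range(10)] + [
    (0.1 * i, "192.0.2.9", "/login") for i in range(50)
]
```

Keying on the client IP is what the simpler floods in this article defeat first: a distributed flood that spreads requests over many addresses stays under each per-IP budget, which is why rate limiting is one layer rather than the whole defense.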
A Web Application Firewall (WAF) is an effective tool for mitigating Layer 7 DDoS attacks. Deployed between the internet and the origin server, a WAF acts as a reverse proxy and shields the origin from specific types of malicious traffic. Capabilities such as DDoS traffic alarms, IP block lists and allow lists, regional blocking rules, port filtering, signature-based filtering, protocol blocking rules, and connection-flood protection can stop Layer 7 attacks. A key value of an effective WAF is the ability to quickly implement custom rules in response to an attack.
Tencent EdgeOne DDoS Protection is a security service provided by Tencent Cloud that aims to protect internet-facing applications, services, and networks from Distributed Denial of Service (DDoS) attacks. DDoS attacks are a type of cyber attack where multiple compromised systems are used to target a single system, overwhelming its resources and causing it to become unavailable to legitimate users.
Tencent EdgeOne DDoS Protection provides the following features:
By using Tencent EdgeOne DDoS Protection, businesses can ensure the availability and performance of their online services, even in the face of large-scale DDoS attacks. Learn more about Tencent EdgeOne's DDoS protection.