What is a DDoS Attack?

An article introducing DDoS attacks and protection.

What are DoS and DDoS Attacks?

DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are cyberattacks that aim to disrupt or shut down a targeted server, network, or website by overwhelming it with a massive amount of traffic or requests, rendering it inaccessible to legitimate users.

  • DoS Attack: In a DoS attack, a single attacker or system sends a large number of requests or data packets to the target server, network, or website, overwhelming its resources and causing it to crash or become unresponsive. This can be done using various methods, such as flooding the target with traffic, exploiting vulnerabilities, or sending malformed packets.
  • DDoS Attack: A DDoS attack is a more advanced and coordinated form of a DoS attack. Instead of using a single system, the attacker uses multiple compromised systems (often referred to as a botnet) to launch simultaneous attacks on the target. This distributed nature of the attack makes it more challenging to trace the source and defend against it, as the traffic comes from many different sources.

Both DoS and DDoS attacks can cause significant damage to businesses and organizations, leading to loss of revenue, reputation damage, and potential legal consequences. To mitigate these attacks, organizations often employ various security measures, such as firewalls, intrusion detection systems, and traffic filtering.

DDoS attacks can be categorized by which layer of the Open Systems Interconnection (OSI) model they target. They are most common at the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) layers.

[Figure: DDoS attack types mapped onto the OSI layers]

What are the Types of DDoS Attacks?

When analyzing and classifying attack methods, we categorize the attacks into the infrastructure layer (Layer 3 and Layer 4) and the application layer (Layer 6 and Layer 7). Attacks on Layer 3 and Layer 4 are typically classified as infrastructure layer attacks, which are also the most common types of DDoS attacks. Attacks on Layer 6 and Layer 7 are usually classified as application layer attacks. While these are less common, they tend to be more complex. Compared to infrastructure layer attacks, these attacks are usually smaller in volume. Based on common attack scenarios, the attack types are categorized as follows:

Protocol Attacks

These attacks target network layer or transport layer protocols, primarily Layers 3 and 4. They are the most common types of DDoS attacks, including SYN (synchronize) flood attacks and reflection attacks such as User Datagram Protocol (UDP) flood vectors. These attacks are usually large in volume, aiming to overload the capacity of the network or application server. However, they also carry clear signatures and are therefore easier to detect.

This type of attack is like staff in a supply room receiving requests from the store counter. A worker receives a request, fetches the package, waits for confirmation, and then delivers the package to the counter. If the worker receives far too many package requests and never gets a confirmation, they eventually cannot handle any more packages and are overwhelmed, so no one is left to respond to genuine requests.

These attacks exploit the TCP handshake (the series of messages two computers exchange when initiating a network connection) by sending a large number of TCP 'initial connection request' SYN packets with spoofed source IP addresses to the target. The target responds to each connection request and then waits for the final step of the handshake, but that step never arrives, so the target's resources are exhausted by half-open connections. SYN floods consume the resources of servers and of network devices such as load balancers and firewalls.
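To make the half-open connection problem concrete, here is an added Python model (not code from the original article) that contrasts a stateful listener, whose backlog a spoofed SYN flood fills up, with the SYN cookie mitigation, which encodes the handshake state in the SYN-ACK sequence number and validates the final ACK without storing anything. The secret, backlog limit, cookie layout and all addresses are assumptions made for the demonstration.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"   # assumed server-side secret; real stacks rotate it
BACKLOG_LIMIT = 128                    # assumed number of half-open entries a listener holds

def _cookie_tag(t, src, dst):
    """24-bit keyed hash over the coarse time counter and the connection 4-tuple."""
    msg = f"{t}|{src[0]}:{src[1]}>{dst[0]}:{dst[1]}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(t, src, dst):
    """ISN for the SYN-ACK: top 8 bits carry the time counter, low 24 bits the tag."""
    return ((t & 0xFF) << 24) | _cookie_tag(t, src, dst)

def check_syn_cookie(ack_num, now, src, dst, max_age=1):
    """Validate the client's final ACK (ack_num == ISN + 1) with no stored state."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    t = isn >> 24
    if (now - t) & 0xFF > max_age:          # cookie too old: counter has ticked on
        return False
    return (isn & 0xFFFFFF) == _cookie_tag(t, src, dst)

class StatefulListener:
    """Classic backlog: every SYN allocates an entry until the handshake completes."""
    def __init__(self):
        self.half_open = set()

    def on_syn(self, src):
        if len(self.half_open) >= BACKLOG_LIMIT:
            return False                    # backlog full: legitimate SYNs are dropped
        self.half_open.add(src)
        return True

def simulate():
    server = ("203.0.113.5", 443)           # constructed documentation addresses
    legit = ("192.0.2.10", 51000)
    # 1. Stateful listener: 200 spoofed SYNs whose sources never send the final ACK
    stateful = StatefulListener()
    for i in range(200):
        stateful.on_syn((f"198.51.100.{i % 250}", 1024 + i))
    legit_accepted_stateful = stateful.on_syn(legit)
    # 2. SYN cookies: nothing is stored per SYN, so the flood leaves nothing to exhaust
    now = 42
    isn = make_syn_cookie(now, legit, server)
    legit_accepted_cookie = check_syn_cookie(isn + 1, now, legit, server)
    forged_ack_accepted = check_syn_cookie(0x12345678, now, legit, server)
    stale_cookie_accepted = check_syn_cookie(isn + 1, now + 5, legit, server)
    return (legit_accepted_stateful, legit_accepted_cookie,
            forged_ack_accepted, stale_cookie_accepted)

if __name__ == "__main__":
    print(simulate())   # (False, True, False, False)
```

Real implementations also squeeze the negotiated MSS into the cookie and fall back to cookies only once the backlog is under pressure; this model omits both for clarity.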

Application Layer Attacks

These attacks target specific applications or services, primarily at Layers 6 and 7. They are the most complex attacks and often mimic normal user traffic. Examples include HTTP floods, slow attacks (such as Slowloris), and DNS query floods. Although these attacks are less common, they are usually more sophisticated. Compared to infrastructure layer attacks, they are usually smaller in volume but focus on specific, expensive parts of the application, making it impossible for real users to use it. Examples include a large number of HTTP requests to the login page, expensive search APIs, or WordPress XML-RPC flooding (also known as WordPress pingback attacks). It is like pressing refresh over and over again in a large number of different web browsers: a flood of HTTP requests reaches the server, leading to denial of service. This type of attack can be simple or complex. Simpler implementations use the same range of attacking IP addresses, referrers, and user agents to access one URL. Complex versions use a large number of attacking IP addresses with random referrers and user agents to target random URLs.

Volumetric Attacks

These are the most common types of DDoS attacks and aim to saturate network bandwidth. The attacker needs to control a large botnet to generate enough traffic, creating and sending so much data that the network service becomes unavailable. Examples include UDP floods, ICMP floods, and other indiscriminate amplified-traffic attacks. Specific types include:

  • SYN Flood: SYN flood is a type of DoS attack that exploits the TCP handshake process by sending numerous SYN requests to a target server, overwhelming its resources and causing it to become unresponsive. This attack prevents legitimate users from establishing connections, leading to service disruptions.
  • UDP Flood: The attacker sends a large number of UDP packets to random ports on the target server. The server tries to respond to each packet, eventually exhausting its ability to handle legitimate requests.
  • ICMP (Ping) Flood: Using the ICMP protocol, the attacker sends a large number of 'echo requests' (ping requests) to the target system. If the target system responds to all of them, it may be overloaded, preventing legitimate traffic from reaching it.
  • Other Spoofed Packet Floods: The attacker spoofs IP addresses to send a large number of packets. These packets can be any type of protocol, aiming to consume as much bandwidth as possible.
  • Amplification Attacks: The attacker uses protocols with large responses, such as DNS or NTP, to send small query requests and spoof the victim's IP address. Since responses are usually much larger than requests, this results in the victim receiving a large amount of unrequested data.
  • DNS Amplification: A specific type of amplification attack, where the attacker uses DNS servers to amplify the attack. The attacker sends small query requests but requests the DNS server to return larger responses to the victim's address.
  • NTP Amplification: Similar to DNS amplification attacks, but uses Network Time Protocol (NTP) servers. The attacker requests the NTP server to send time synchronization responses to the victim's IP address.
  • Smurf Attack: The attacker sends ICMP requests to the network broadcast address, and all responses are sent to the victim's IP address. This not only exhausts the victim's bandwidth but also affects intermediate network devices.
  • Fraggle Attack: Similar to Smurf attacks, but uses UDP instead of ICMP. The attacker sends UDP echo requests to the broadcast address, and all responses are directed to the victim.

Reflection and Amplification Attacks

Attackers exploit third-party servers to amplify attack traffic; examples include NTP amplification, DNS amplification, and SNMP reflection attacks. These attacks forge the victim's IP address as the source, so the reflection server's response is directed at the victim, amplifying the attack traffic. It is like someone calling a restaurant and saying, 'Order one of each dish and call me back to repeat the entire order,' where the callback number belongs to the victim. With little effort, a lengthy response is generated and sent to the victim. After a request is sent to an open DNS server using a forged source IP address (the victim's), the victim receives the server's response.

Multi-Vector Attacks

These attacks combine several of the above methods, attacking the target in multiple ways simultaneously. They are harder to defend against because they require dealing with multiple attack surfaces at once.

How Are DDoS Attacks Typically Carried Out?

How to DDoS?

Attackers typically carry out DDoS attacks through the following steps:

  1. Establish a botnet: Attackers first infect a large number of internet-connected devices (such as computers, smartphones, and IoT devices) through malicious software, phishing, or exploiting vulnerabilities, turning these devices into a part of a botnet. These infected devices, called bots, execute the attacker's commands without the permission of the device owners.
  2. Command and control: Attackers control the botnet through a Command and Control (C&C) server. The C&C server issues commands, instructing the devices in the botnet to launch attacks.
  3. Choose a target: Attackers identify the target they want to attack, such as a website, server, or network device.
  4. Launch the attack: Attackers issue commands through the C&C server, directing the devices in the botnet to send a large volume of traffic or requests to the target. These requests may include TCP connections, UDP packets, HTTP requests, etc. Since these requests come from a large number of devices distributed worldwide, it is difficult to trace the source of the attack.
  5. Target incapacitation: The attack traffic quickly consumes the target's network bandwidth, processing capacity, and system resources, causing the target to become inoperable. Legitimate users are unable to access the affected services during this time.
  6. Terminate the attack: Attackers usually terminate the attack when their objectives are met or when they face the risk of being traced. However, attackers may launch another attack shortly after.

Common DoS and DDoS Tools

Attackers use several common DDoS tools to launch Distributed Denial of Service attacks. Some of these tools include:

  • LOIC (Low Orbit Ion Cannon): LOIC is an open-source network stress testing and DoS attack application. It generates a large volume of network traffic to overwhelm the target server or network. LOIC can be used by individual attackers or as part of a coordinated botnet.
  • HOIC (High Orbit Ion Cannon): HOIC is an upgraded version of LOIC, designed to generate a more significant volume of network traffic. It allows attackers to use multiple simultaneous connections and target multiple URLs, making it more challenging to defend against.
  • Slowloris: Slowloris is a DDoS tool that targets web servers by opening and maintaining many simultaneous connections, slowly sending partial HTTP requests. This method consumes server resources and eventually causes the server to become unresponsive without generating a high volume of network traffic.
  • hping: hping is a command-line utility that can be used to generate custom TCP/IP packets for network auditing and testing. In the hands of an attacker, hping can be used to launch DDoS attacks by sending a large number of packets to the target server.
  • NTP Amplification: This type of DDoS attack exploits vulnerabilities in the Network Time Protocol (NTP) to amplify the volume of traffic sent to the target server. Attackers send small NTP requests with a spoofed IP address (the target's IP address) to NTP servers, which then send a much larger response to the target, overwhelming its resources.
  • Mirai: Mirai is a malware that targets Internet of Things (IoT) devices and turns them into a botnet to launch DDoS attacks. The Mirai botnet has been responsible for some of the largest DDoS attacks in history.

To defend against DDoS attacks, organizations should adopt various security measures, such as deploying firewalls, intrusion detection systems, traffic filtering, and load balancing. Additionally, patching vulnerabilities promptly, strengthening cybersecurity awareness training, and sharing threat intelligence with other organizations can also help reduce the risk of DDoS attacks.

How to Defend Against DDoS Attacks?

Mitigating DDoS attacks is about distinguishing attack traffic from normal traffic. For example, if a company's website experiences a surge of visitors because of an application release and the load increases dramatically, it may look like a DDoS attack, but cutting off all traffic would be the wrong response. If, on the other hand, the company sees a sudden increase in traffic from known malicious sources, it may need to work to mitigate the attack. The challenge is to tell real customer traffic apart from attack traffic.

In the modern internet, DDoS traffic comes in many forms, from non-deceptive single-source attacks to complex, adaptive multi-vector attacks. Multi-vector DDoS attacks use a variety of attack methods, knocking down targets in different ways and likely distracting mitigation efforts at every level. A typical multi-vector DDoS attack targets multiple levels of the protocol stack, such as DNS amplification (targeting Layers 3/4) combined with an HTTP flood (targeting Layer 7). Defending against multi-vector DDoS attacks requires deploying several different strategies to mitigate attacks at different levels.

Generally, the more complex the attack, the harder it is to distinguish attack traffic from normal traffic: the attacker's goal is to blend in with normal traffic as much as possible, reducing the effectiveness of mitigation. If mitigation measures indiscriminately discard or limit traffic, they may discard normal traffic along with attack traffic, and the attack may also be modified to evade them. To overcome sophisticated disruptive methods, a layered solution is ideal.

Blackhole Routing

Blackhole routing is a method of mitigating Distributed Denial of Service (DDoS) attacks. When a network or server is under a DDoS attack, a large amount of malicious traffic is sent to the target system, preventing legitimate user requests from being responded to. The principle of blackhole routing is to redirect all traffic heading towards the attacked target to a 'black hole', a special network address where any traffic sent to it is discarded without any response. The purpose of this is to prevent malicious traffic from reaching the target server, thereby protecting the server from attack. Implementing blackhole routing usually involves the following steps:

  • Detecting the attack: First, there needs to be a mechanism to detect the occurrence of a DDoS attack.
  • Triggering blackhole routing: Once an attack is detected, the network administrator can manually or automatically trigger blackhole routing.
  • Broadcasting routing updates: By using BGP (Border Gateway Protocol) or other routing protocols, update the routing table to tell all routers to redirect traffic from the target IP address to the black hole.
  • Traffic discard: All traffic sent to the attacked IP address will be routed to the black hole and discarded there.

Although blackhole routing can effectively reduce the impact of malicious traffic on the target system, it has a significant drawback: legitimate traffic is also discarded. This means that during an attack, the affected service is unavailable to all users. Therefore, blackhole routing is often seen as a last-resort defense measure. In some cases, more refined methods may be used, such as 'Scrubbing Centers' or other types of traffic analysis and filtering, to distinguish and block malicious traffic while allowing legitimate traffic to pass.

Rate Limiting

Limiting the number of requests a server accepts from a client in a given period is another method of defending against denial-of-service attacks. Although rate limiting helps slow down content-scraping web crawlers and defends against brute-force attacks, relying on rate limiting alone may not be enough to deal with complex DDoS attacks. As one component of an effective DDoS defense strategy, however, rate limiting is a valuable measure.
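As an added illustration of the rate limiting described above (example code, not from the original article), the following Python token bucket enforces a per-client request rate with a bounded burst and runs it over a constructed request stream: one client sending one request per second and another sending 50 requests in one second. The rate, burst size, timings and IP addresses are all assumptions chosen for the demonstration.

```python
class TokenBucket:
    """Per-client token bucket kept in integer milli-tokens and milliseconds for exactness."""

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec   # rate*1000 milli-tokens per 1000 ms
        self.capacity = burst * 1000        # burst requests' worth of milli-tokens
        self.state = {}                     # client -> (tokens, last_seen_ms)

    def allow(self, client, now_ms):
        tokens, last = self.state.get(client, (self.capacity, now_ms))
        # Refill for the elapsed time, but never beyond the burst capacity.
        tokens = min(self.capacity, tokens + (now_ms - last) * self.refill_per_ms)
        if tokens >= 1000:                  # one request costs one full token
            self.state[client] = (tokens - 1000, now_ms)
            return True
        self.state[client] = (tokens, now_ms)
        return False                        # over the limit: reject (e.g. HTTP 429)

# Constructed request stream: (timestamp_ms, client_ip, path) using documentation IPs.
REQUESTS = sorted(
    [(1000 * i, "192.0.2.10", "/login") for i in range(10)]     # steady legitimate user
    + [(20 * i, "198.51.100.7", "/login") for i in range(50)]  # 50 requests in 1 s
)

def simulate(rate_per_sec=5, burst=10):
    """Return {client: (allowed, denied)} after replaying REQUESTS through the limiter."""
    limiter = TokenBucket(rate_per_sec, burst)
    counts = {}
    for ts, ip, _path in REQUESTS:
        allowed, denied = counts.get(ip, (0, 0))
        if limiter.allow(ip, ts):
            counts[ip] = (allowed + 1, denied)
        else:
            counts[ip] = (allowed, denied + 1)
    return counts

if __name__ == "__main__":
    for ip, (ok, dropped) in simulate().items():
        print(f"{ip}: {ok} allowed, {dropped} denied")
```

With a limit of 5 requests per second and a burst of 10, the legitimate client is never throttled, while the bursting client gets its initial burst plus the refill rate and has the remaining 36 requests rejected.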

Web Application Firewall

A Web Application Firewall (WAF) is an effective tool for mitigating Layer 7 DDoS attacks. Deployed between the internet and the origin server, a WAF acts as a reverse proxy and protects the origin from specific types of malicious traffic. Capabilities such as DDoS traffic alarms, IP block lists and allow lists, regional blocking rules, port filtering, signature filtering, protocol blocking rules, and connection-attack protection help stop Layer 7 attacks. A key value of an effective WAF is its ability to quickly apply custom rules in response to an attack.

Conclusion

Tencent EdgeOne DDoS Protection is a security service provided by Tencent Cloud that aims to protect internet-facing applications, services, and networks from Distributed Denial of Service (DDoS) attacks. DDoS attacks are a type of cyber attack where multiple compromised systems are used to target a single system, overwhelming its resources and causing it to become unavailable to legitimate users.

Tencent EdgeOne DDoS Protection provides the following features:

  1. Traffic Monitoring and Detection: The service continuously monitors network traffic and detects abnormal traffic patterns that may indicate a DDoS attack.
  2. Automatic Mitigation: Once an attack is detected, Tencent EdgeOne DDoS Protection automatically triggers mitigation measures to block the malicious traffic and protect the targeted system.
  3. Real-time Reporting: The service provides real-time reports on attack traffic, including the source IP addresses, attack types, and other relevant information.
  4. Customizable Protection Policies: Users can customize protection policies based on their specific needs, such as setting up whitelist and blacklist rules, adjusting traffic thresholds, and more.
  5. Global Coverage: Tencent EdgeOne DDoS Protection leverages Tencent's global network infrastructure to protect users worldwide.

By using Tencent EdgeOne DDoS Protection, businesses can maintain the availability and performance of their online services, even in the face of large-scale DDoS attacks. Learn more about Tencent EdgeOne's DDoS protection.