A distributed denial-of-service (DDoS) attack aims to exhaust the resources of a network, application or service so that genuine users cannot gain access. There are different types of DDoS attacks, but in general a DDoS assault is launched simultaneously from multiple different hosts and can affect the availability of even the largest enterprises' internet services and resources. They are a daily occurrence for many organizations; according to Arbor Networks' tenth Worldwide Infrastructure Security Report, 42% of respondents saw more than 21 DDoS attacks per month, compared to 25% in 2013. It's not just the frequency of these attacks that is increasing, but their size as well. In 2013, there were fewer than 40 attacks that were more than 100 Gbps, but in 2014 there were 159 attacks over 100 Gbps, the largest being 400 Gbps.
Types of DDoS attacks explored
The different types of DDoS attacks vary significantly but generally fall into one of three broad categories:
- Volumetric attacks -- These attacks aim to overwhelm a network's infrastructure with bandwidth-consuming traffic or resource-sapping requests.
- TCP state-exhaustion attacks -- Attackers use this method to abuse the stateful nature of the TCP protocol to exhaust resources in servers, load balancers and firewalls.
- Application layer attacks -- The target of these attacks is some aspect of an application or service at Layer 7.
Volumetric attacks remain the most common of the types of DDoS attacks, but attacks that combine all three vectors are becoming commonplace, increasing an attack's length and magnitude. The main drivers behind DDoS attacks remain the same: politics and ideology, vandalism and online gaming. Yes, gamers will DDoS a gaming infrastructure just to gain a competitive advantage in playing and winning an online game. While DDoS is the weapon of choice for hacktivists and terrorists, it's also used for extortion or disrupting a competitor's operations. The use of DDoS attacks as a diversionary tactic is also growing. For example, advanced persistent threat campaigns are using DDoS attacks against a network as a distraction while exfiltrating stolen data.
With the hacker community packaging complex and sophisticated attack tools into easy-to-use, downloadable programs, even those who don't have the necessary know-how can buy the ability to launch and control their own DDoS attacks. And the situation is only going to get worse as attackers are beginning to conscript everything, from gaming consoles to routers and modems, to increase the volume of attack traffic that they can generate. These devices have networking features that are turned on by default and use default accounts and passwords, making them easy targets to enlist in a DDoS attack. Most are also Universal Plug and Play-enabled (UPnP), the underlying protocols of which can be abused. Akamai Technologies found 4.1 million internet-facing UPnP devices were potentially vulnerable to being employed in reflection types of DDoS attacks. The growing number of poorly secured or configured internet-connected devices is increasing the ability of attackers to generate ever more powerful attacks.
How to secure systems
Securing internet-facing devices and services is as much about helping to secure the internet as an individual network as it is about reducing the number of devices that can be recruited to participate in a DDoS attack. The main protocols hackers are abusing to generate DDoS traffic are NTP, DNS, SSDP, Chargen, SNMP and DVMRP; any services using them should be carefully configured and run on hardened, dedicated servers. For example, enterprises running a DNS server should follow NIST's Special Publication 800-81 Secure Domain Name System (DNS) Deployment Guide, while the Network Time Protocol site offers advice on securing NTP servers. Many attacks work because attackers can generate traffic with spoofed source IP addresses. Enterprises need to implement anti-spoofing filters as covered in IETF Best Common Practices documents BCP 38 and BCP 84 to prevent hackers from sending packets claiming to originate from another network.
All of the different DDoS attack types can't be predicted or avoided, and even an attacker with limited resources can generate the volume of traffic required to take down or severely disrupt large, heavily defended sites. While it's virtually impossible to completely eliminate or mitigate DDoS attacks, the key to reducing them in the long term is to ensure that all machines and services are correctly configured so that publicly available services cannot be harnessed and misused by would-be attackers. By helping others we will be helping ourselves.
Learn about testing DDoS mitigation processes to prevent disruptions
Find out how to protect your cloud from DDoS attacks
Read about DDoS attacks being commonly used against financial institutions