Distributed Denial of Service (DDoS) Attack

What is a DDoS Attack?

Distributed denial-of-service (DDoS) attacks (pronounced dee-dos) are sometimes considered entry-level cybercrimes. They often require little to no technical skills and tools and are capable of taking a service offline almost immediately. They flood a website, server, or other Web resource with so much traffic that it prevents users from accessing it. However, large-scale and sophisticated DDoS attacks do require advanced knowledge and resources.

A DDoS attack is explained using an analogy: Led Zeppelin hadn’t played together for 19 years. When they announced they’d play a concert at the O2 Arena in London on 10 December 2007, the excitement was immense. So much so that 80,000 rock fans were trying to register online for tickets per minute! The ticketing website was overwhelmed and crashed.

This is exactly what a DDoS attack does – it takes a website or service offline. A business will suffer reputational damage, operational capability, and, potentially, lost revenue. And that lost revenue could be long-term. If customers go to a competitor because your service is unavailable, that competitor may also get repeat business.

Some DDoS attacks are completely debilitating for the victim yet astonishingly simple to conduct. However, attacks targeting businesses and large organizations with cybersecurity defenses are more sophisticated, requiring advanced knowledge and resources.

Table of Contents Table of Contents

1. What is a DDoS Attack?
2. Key Takeaways
3. How a DDoS Attack Works
4. Who Are Behind DDoS Attacks?
5. Are DDoS Attacks Legal?
6. How to Identify a DDoS Attack
7. Motives of the DDoS Attacks
8. Types of DDoS Attacks
9. Why Anyone Can Perform a DDoS Attack
10. Tips to Protect Yourself From DDoS Attacks
11. The Bottom Line
12. FAQs
13. References

Show Full Guide

Table of Contents

1. What is a DDoS Attack?
2. Key Takeaways
3. How a DDoS Attack Works
Show Full Guide
4. Who Are Behind DDoS Attacks?
5. Are DDoS Attacks Legal?
6. How to Identify a DDoS Attack
7. Motives of the DDoS Attacks
8. Types of DDoS Attacks
9. Why Anyone Can Perform a DDoS Attack
10. Tips to Protect Yourself From DDoS Attacks
11. The Bottom Line
12. FAQs
13. References

How a DDoS Attack Works

The following steps outline the basics of a DDos attack. The more sophisticated the attack, the more resources the attacker requires.

Who Are Behind DDoS Attacks?

DDoS attacks can be carried out by a wide range of threat actors, from state-sponsored advanced persistent threat (APT) groups with significant resources to “script kiddies” – unskilled individuals using programs created by other hackers.

Are DDoS Attacks Legal?

It is illegal to conduct a DDoS attack, meaning it is punishable by law. In the U.S., under the Computer Fraud and Abuse Act (CFAA), sentences of up to 10 years imprisonment and fines can be imposed. In the U.K., the Computer Misuse Act governs such offenses, also leading to imprisonment and/or fines. Other countries where DDoS attacks are illegal include Australia, Canada, France, Germany, India, Japan, and others.

How to Identify a DDoS Attack

A site or service suddenly slowing or unavailable is a common indicator of a DDoS attack. However, as shown in the earlier concert ticket analogy, a legitimate spike in traffic may also have this effect.

Here’s how to identify a DDoS attack:

Motives of the DDoS Attacks

Types of DDoS Attacks

Like the many sub-categories of malware, there are many sub-categories of DDoS attacks. The main types of attacks fall into three categories: volumetric, application-layer, and protocol attacks. Within these categories, sophisticated DDoS attacks may use a blend of each type of attack all at once.

Volumetric Attacks

Volumetric attacks are the most common types of DDoS attacks. They overwhelm the target’s network bandwidth by bombarding it with bogus data requests – on one port or every open port. The victim’s computer or device must try to deal with these fake requests, which occupy 100 percent of its bandwidth and processing capabilities. When this happens, legitimate requests cannot be serviced, and the target computer or service is essentially offline.

Typically, the messages sent to the victim’s computer are either User Datagram Protocol (UDP) packets or Internet Control Message Protocol (ICMP) packets.

• UDP is tailored for fast data transmission, which makes it a prime tool for threat actors.
• ICMP attacks send false error messages or false requests for information, tying up the target computer as it tries to service all these bogus requests.

Application-Layer Attacks

The application layer is the topmost tier, layer 7, of the Open Systems Interconnection (OSI) network model. It is concerned with the software that interacts with the network traffic. These attacks typically misuse direct web traffic using protocols such as Hypertext Transfer Protocol (HTTP), Secure Hypertext Transfer Protocol (HTTPS), Domain name system (DNS), or Simple Mail Transfer Protocol (SMTP).

While DDoS attacks are commonly associated with overwhelming bandwidth (i.e., flooding the computer or device and choking it with bogus network interactions), application-layer attacks focus on exhausting server processing power rather than flooding it to prevent legitimate traffic.

An application-layer DDoS attack example is the low and slow attack. These use a relatively low amount of traffic, so it can be harder to identify as a direct attack. They work by making a steady stream of connection requests with every step of each interaction paused for as long as possible but without causing the target computer to time out.

The target computer is working, but dreadfully slowly – to the point that it might as well not be. It’s like being in the queue for the checkout at a store and every person in front of you purposely being as slow as they can.

Protocol Attacks

A protocol attack may use a flood of purposefully malformed packets to attempt to confuse and crash the target device by overrunning internal buffers or corrupting data tables. Other protocol attacks make use of the so-called three-way handshake that takes place when a Transmission Control Protocol/Internet Protocol (TCP/IP) connection is requested, accepted, and connected.

How does a three-way handshake work?

A SYN Flood Attack

A SYN flood attack is a protocol attack that exploits the three-way handshake. It works by sending a flood of SYN packets to the target machine. It responds with a SYN+ACK packet to each of these requests and waits for the final ACK from each of the remote devices.

But these are never sent. This means that each of these bogus connections ties up networking resources within the target machine until each of the incomplete connections times out. With a flood of SYN requests relentlessly hitting the target computer, it cannot accept any genuine connection requests.

ICMP Request Packets

Another technique is to use ICMP request packets. These are not sent to the victim’s computer – instead, they are sent to other, large networks.

The ICMP packets request that the packet be shared with all the hardware on the network. The request is replicated and sent to all networked devices. The request is for a dump of information about each device, which they obligingly provide.

However, the initial ICMP request was forged to look like it had been sent by the victim’s computer. All the responses from each of the network devices get sent to the victim’s website, server, or another internet-facing service.

By sending one packet, a deluge of information can be sent to the victim. This is known as amplification. The attacker uses a sizable number of innocent, large networks to bombard the target computer.

It’s like attacking a mountain village by going into the hills and poking the snow. The avalanche wipes out the village, and the threat actor hasn’t had any direct communication with the village itself.

Why Anyone Can Perform a DDoS Attack

Numerous DDoS attack software packages can be freely downloaded from the web. Not the dark web – they can be found on the regular or “clear web.”

Keep in mind that engaging in DDoS activities is illegal and carries legal consequences.

Download them and follow a few simple instructions. Source code for some DDoS programs can be obtained from GitHub. Clone the repository, compile the source code, and follow a list of instructions. This is achievable by anyone with minimal IT experience.

If you can find your way onto the dark web, you can find DDoS-as-a-Service outlets, where you pay attackers to mount the campaigns on your behalf. Typically, they will have developed malware and previously infected computers or other networked devices. These infected devices, called bots, can be used to generate the flood of traffic needed to topple a website.

The more bots the DDoS-as-a-Service outlet has, the more traffic it can generate. Depressingly, there are services available for as little as $20 per hour. The price for DDoS-for-hire services scales with the size of the botnet, duration, and intensity of the attack.

Tips to Protect Yourself From DDoS Attacks

The Bottom Line

The DDoS attack definition refers to flooding a website or other web resource with so much traffic that it prevents users from accessing it. This is an intentional, malicious cyberattack that has become one of the go-to forms of digital revenge and extortion.

Often, the attacker thinks their crime is untraceable. While they wouldn’t commit a physical crime for fear of getting caught, they mistakenly believe the digital nature of the crime shields them from detection and punishment. But crime is crime, and there’s a big difference between being able to commit a crime and getting away with it.

This type of naive cybercriminal is often caught – and caught quickly – but that can be of little consolation to the victim who has been brought offline and lost revenue, customers, and dependability.

FAQs