What Is a DDoS Attack and How Can You Stop It?

Understanding DoS and DDoS Attacks

The purpose of a Denial-of-Service (DoS) attack is to disrupt a device or network, thereby making it inaccessible to its intended users. A DoS attack either overwhelms a target system by flooding it with traffic or requests, or by identifying and then exploiting a vulnerable software or system flaw which can lead to a system crash. Similarly, a Distributed Denial-of-Service (DDoS) attack occurs when multiple systems, commonly known as botnets, are remotely controlled to engage in a synchronized DoS attack on a single target. The distributed nature of DDoS attacks makes them substantially harder to thwart and it is typically quite difficult to identify the bad actor behind a DDoS attack because they are launched through a large number of devices.

Although DDoS attacks typically do not result in the direct theft of personal data or account balances, they can be extremely costly and difficult to resolve. While recent advances in cybersecurity have significantly diminished the dangers associated with most basic DoS attacks, DDoS attacks remain among the most ubiquitous and devastating forms of cyberattacks. According to cybersecurity firm Netscout, nearly five million DDoS attacks were launched in the first half of 2020, up 15% compared with 2019.

Types of DDoS Attacks

The vast majority of DDoS attacks can be broadly categorized into three distinct types:

Volumetric Attacks: This approach unleashes an excessive amount of traffic on the target website or network in order to saturate the network’s bandwidth. By sending more traffic to a network address than the system was built to handle, an attacker can potentially destabilize or shut down the entire network. Among cybersecurity professionals, the degree of severity of this form of attack is measured in bits per second (BPS). Examples include:

• User Datagram Protocol (UDP) Floods: A volumetric DDoS attack which seeks to overwhelm a target with a flood of UDP packets, which can be sent to a receiving device prior to establishing a connection with that recipient.

• Internet Control Message Protocol (ICMP) Floods: The attacker attempts to overwhelm its target with excessive ICMP echo-requests, which are a network layer protocol used by network devices to diagnose network communication issues. These attacks are also referred to as ‘Ping flood attacks.’

Protocol Attacks: This approach targets a weakness in how a protocol operates, typically by exploiting server resources or those of intermediate communication equipment such as load balancers and firewalls. Among cybersecurity professionals, the degree of severity of this form of attack is measured in packets per second (PPS). Examples include:

• SYN Floods: In this type of DDoS attack, the attacker initiates connections to a server in rapid succession without finalizing the connection. This results in the target server wasting resources waiting for half-opened connections which can render the system unresponsive to legitimate traffic.

• TCP Fragmentation Attacks: The attacker overwhelms its target by targeting the network’s TCP/IP reassembly mechanisms, which disrupts the target’s ability to put together fragmented data packets. As a result, the data packets the network receives cannot be organized and processed and eventually overwhelm the system. This is also known as a ‘teardrop attack.’

Application Layer Attacks: This method of attack exploits bugs specific to certain web applications by undermining the layer where a server generates web pages and responds to http requests.

Application layer attacks are generally harder to detect and prevent than volumetric and protocol attacks since they launch seemingly legitimate, innocuous requests, which are then dialed up full-scale once it’s too late for a system to react. As a result, application attacks are widely considered to be the most advanced and destructive form of DDoS attack. Among cybersecurity professionals, the degree of severity of this form of attack is measured in requests per second (RPS). In recent years, several large-scale DDoS attacks have combined application layer attacks with volumetric and/or protocol attacks for increased effectiveness.

How Do DDoS Attacks Affect the End User?

DoS and DDoS attacks typically target the servers of high-profile organizations such as financial institutions, e-commerce companies, or government entities. Within the blockchain space, cryptocurrency exchanges are the most frequent targets of DDoS attacks followed by mining pools, with malicious actors seeking to cut off users’ access to their digital assets at inopportune moments, disrupt trading volume, and destabilize the market.

At times, a DDoS attack may only succeed in slowing down its victim or temporarily cutting off user access. As a result, if you are attempting to interact with a website or network that has fallen victim to this type of cyberattack, you may experience anything from unusually slow access and brief service disruptions to prolonged connectivity blackouts.

Unlike social engineering attacks and user-targeted scams, there is generally little a user can do to prevent these attacks from striking its intended target. As a result, the onus for preventing these attacks falls on the online service providers, businesses, and government institutions which are frequently targeted.

How Can Organizations Counter DDoS Attacks?

When it comes to defending against DDoS attacks, it is critical that organizations plan and implement defense systems well in advance. And while DDoS attacks can't always be prevented, there are several steps organizations can take to mitigate potential disruptions:

• Diversified Network Architecture: By locating resources in different data centers, housing data centers on different networks, relying on different cloud availability zones, and ensuring that networks do not have any significant bottlenecks or single points of failure, organizations can make it more difficult for attackers to identify and exploit an individual, critical target.

• Modern Security Solutions: Modern network technologies, including many commercially available network and web application firewalls, cloud providers, and load balancers, can protect network resources to some extent and reduce the potential fallout of a DDoS attack. While security solutions alone are often not enough to fully defend against more sophisticated DDoS attacks, any high-value network should view the application of modern security solutions as a necessary first step, rather than an optional add-on.

• Flexible/Scalable Infrastructure: A diversified architecture and modern security solutions will help to mitigate the impact of a DDoS. However, they can’t completely eliminate the risk. As a result, many organizations employ flexible and scalable systems that can temporarily scale to meet increased load resulting from a DDoS attack.

Among the various cyberattack methodologies, DDoS attacks are relatively inexpensive to launch and difficult to defend against. While there is no fool-proof defense against DDoS attacks, it’s important to be aware that the risk profile of a network which has implemented deliberate, preventative measures vastly differs from that of an unexamined, unprotected network — and that can make all the difference.