How DDoS attacks work

A DDoS (distributed denial-of-service) attack is one of the most common forms of cyber-attack today. Their scale already exceeds one terabit per second, and Arbor Networks reports observing over 2000 such attacks daily. So, should you care? Certainly. Securing your network is what lets you stay calm and keep delivering uninterrupted service to your customers.

Possible Harm

DDoS attacks disrupt the normal operation of a targeted system by flooding it with bogus traffic from numerous compromised machines. As a simple example, if your e-commerce site is under DDoS attack, your customers are prevented from placing new orders. If it is a call center, your clients cannot make or receive calls. If it is a booking engine, your clients cannot make new reservations. In other words, your service is being denied. But can these disruptions have a lasting impact on your systems and harm your customer base? Let's answer that point by point.

  • Service disruption. First and foremost, DDoS attacks deny access to your website or services. The attacker abuses a network of infected or misconfigured machines – servers, routers or even PCs – to generate enormous amounts of bogus traffic towards a single system, making it temporarily unavailable.
  • Higher costs. Most hosting and cloud providers charge for additional bandwidth or computing power. During a DDoS attack your ingress traffic skyrockets, and if auto-scaling is enabled your infrastructure may scale out very rapidly. The next bill can come as a surprise, because the Internet traffic and computing expenses for that month have gone through the roof. Check your provider's bandwidth policy in advance, and put an upper bound on auto-scaling so that an attack cannot spend without limit.
  • Data loss. An overwhelmed database or application server may time out or drop requests in flight, so unsaved work is never stored or cached. This is a serious issue for businesses that run mission-critical workloads or online transaction processing applications where data consistency is paramount.
  • Intermixed logs. Your genuine server logs are buried among thousands of attack entries, so it becomes hard to filter them and verify that everything still works. Worse, if you have automated if-then rules that react to log patterns (auto-banning addresses, restarting services, and so on), those rules may act on the attack noise and cause real damage, such as locking out legitimate users.
  • Distraction. DDoS can be used as a smokescreen. While you are busy filtering traffic, smaller but more damaging attacks run in parallel. The Electrum Bitcoin wallet network was hit this way a few months ago: a huge DDoS attack from over 150 000 infected hosts was launched against the Electrum servers, disrupting customer transactions, while in parallel a phishing attack pushed a rogue message to clients asking them to update their software. Users who installed the fake update handed their savings to the scammer's wallet.

DDoS prevention methods

  • Attack surface reduction: Limiting what is exposed to the Internet limits what an attacker can flood. Methods include restricting traffic to specific regions or source networks, placing services behind a load balancer, and blocking unused or outdated ports, protocols and applications at the firewall, so that only the services you actually run are reachable.
  • Anycast network diffusion: With Anycast, the same IP prefix is announced from many locations and each client is routed to the nearest point of presence. A volumetric spike is therefore spread across multiple distributed servers and data centers, and the network as a whole can absorb far more traffic than any single site could, preventing outages.
  • Real-time, adaptive threat monitoring: Monitoring network traffic and logs helps pinpoint attacks early by baselining normal traffic patterns, spotting spikes or other unusual activity, and adapting the defence to block anomalous or malicious requests, protocols and IP ranges.
  • Caching: A cache stores copies of requested content so that fewer requests reach the origin servers. Using a content delivery network (CDN) to cache resources reduces the strain on an organization's servers and makes it harder to overload them with either legitimate or malicious requests.
  • Rate limiting: Rate limiting caps the number of requests accepted from a client over a given time period, preventing a web server from being overwhelmed by a handful of abusive IP addresses. It blunts attacks in which a botnet spams an endpoint with an abnormal number of requests at once, though a large botnet that keeps every source under the per-IP limit still needs upstream filtering.
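The monitoring and rate-limiting points above are easiest to see on real log data. The following Python script is an added example, not code from the original article or from any product it mentions: it parses a handful of constructed access-log lines, replays them through a per-IP sliding-window limiter (5 requests per 10 seconds), flags the seconds whose request count is far above the log's own median (the crude "adaptive" baseline), and lists the addresses that hit the limit. The IP addresses, paths and timestamps are made up; the limit and window are assumptions to tune for your own traffic.

```python
import re
import statistics
from collections import Counter, defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, hhmmss, request):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Oct/2024:{hhmmss} +0000] "{request}" 200 512'


# Constructed sample: one client at a human pace and two clients bursting far above it.
SAMPLE_LOG = (
    [_line("203.0.113.7", "13:55:00", "GET / HTTP/1.1")]
    + [_line("198.51.100.23", "13:55:05", "GET /login HTTP/1.1")] * 6
    + [_line("198.51.100.23", "13:55:06", "GET /login HTTP/1.1")] * 6
    + [_line("203.0.113.7", "13:55:12", "GET /cart HTTP/1.1")]
    + [_line("198.51.100.24", "13:55:20", "GET /api/search?q=x HTTP/1.1")] * 7
    + [_line("203.0.113.7", "13:55:30", "POST /checkout HTTP/1.1")]
    + [_line("198.51.100.24", "13:55:35", "GET /api/search?q=y HTTP/1.1")]
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT).timestamp(),
        "request": m["req"],
        "status": int(m["status"]),
    }


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window`-second span.

    Only accepted requests are recorded, so a client that keeps hammering is
    throttled to the limit rather than locked out; record rejected requests as
    well if you want penalty-box behaviour instead.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._accepted = defaultdict(deque)

    def allow(self, client, now):
        q = self._accepted[client]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(lines, limit=5, window=10.0):
    """Replay log lines in time order through the limiter; return per-IP allowed/blocked counts."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    records = [r for r in map(parse_line, lines) if r is not None]
    for rec in sorted(records, key=lambda r: r["ts"]):
        verdict = "allowed" if limiter.allow(rec["ip"], rec["ts"]) else "blocked"
        stats[rec["ip"]][verdict] += 1
    return dict(stats)


def spike_seconds(lines, factor=3.0):
    """Epoch seconds whose request count exceeds `factor` times the median per-second count.

    The baseline comes from the log itself, so the threshold adapts to the
    site's normal volume instead of being a fixed number.
    """
    per_second = Counter(int(r["ts"]) for r in map(parse_line, lines) if r is not None)
    baseline = statistics.median(per_second.values())
    return sorted(sec for sec, n in per_second.items() if n > factor * baseline)


def offenders(stats):
    """IPs that hit the limiter, worst first: candidates for a temporary block list."""
    return sorted((ip for ip, s in stats.items() if s["blocked"]),
                  key=lambda ip: -stats[ip]["blocked"])


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for ip, c in result.items():
        print(f"{ip:16} allowed={c['allowed']:3} blocked={c['blocked']:3}")
    print("offenders:", offenders(result))
    print("spike seconds (epoch):", spike_seconds(SAMPLE_LOG))
```

Two caveats a practitioner should keep in mind: many users behind a corporate or carrier NAT share one address, so a per-IP limit that is too tight throttles real customers; and a botnet that spreads its requests so that each source stays under the limit passes this check entirely, which is why the per-second spike detection and upstream scrubbing are needed alongside it.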

DDoS prevention tools

  • Web application firewall (WAF): A WAF blocks attacks by using customizable policies to filter, inspect and drop malicious HTTP traffic between web applications and the Internet. With a WAF, organizations can enforce a positive security model (only explicitly allowed requests pass) and a negative one (known-bad patterns, locations and IP addresses are rejected) on incoming traffic.
  • Always-on DDoS mitigation: A DDoS mitigation provider helps by continuously analyzing network traffic, changing policy in response to emerging attack patterns, and providing an expansive and reliable network of data centers. When evaluating cloud-based DDoS mitigation services, look for a provider that offers adaptive, scalable, always-on protection against both sophisticated application-layer and volumetric attacks.
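To make the positive and negative security models concrete, here is an added example in Python (not code from the article or from any WAF vendor) of the decision logic a WAF applies to a single request. The negative model rejects sources in a denied network and payloads matching known-bad patterns; the positive model then accepts only routes and query parameters that are explicitly allowed and match a schema. The routes, parameter rules, denied network and patterns are a constructed policy for a hypothetical shop, and `evaluate` is an illustrative function, not a real product's API.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# --- Positive model: only what is explicitly allowed gets through (constructed policy). ---
ALLOWED_ROUTES = {
    ("GET", "/"), ("GET", "/products"), ("GET", "/api/search"), ("POST", "/checkout"),
}
# Per-route parameter schema: parameter name -> regex its value must fully match.
PARAM_SCHEMA = {
    "/api/search": {"q": re.compile(r"^[\w .\-]{1,64}$"), "page": re.compile(r"^\d{1,3}$")},
    "/products": {"cat": re.compile(r"^[a-z\-]{1,32}$")},
}
MAX_BODY_BYTES = 16 * 1024

# --- Negative model: reject sources and payloads already known to be bad (constructed). ---
DENIED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
DENIED_PATTERNS = [re.compile(p, re.I) for p in (
    r"\.\./",               # path traversal
    r"<script\b",           # reflected script injection
    r"\bunion\s+select\b",  # classic SQL injection marker
    r"\bsleep\s*\(",        # time-based SQL injection marker
)]


def evaluate(method, url, client_ip, body_len=0):
    """Return (allowed, reason) for one request: negative checks first, then positive."""
    ip = ipaddress.ip_address(client_ip)
    for net in DENIED_NETWORKS:
        if ip in net:
            return False, f"source {client_ip} in denied network {net}"

    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # values are URL-decoded here
    for value in (parts.path, *[v for _, v in params]):
        for pat in DENIED_PATTERNS:
            if pat.search(value):
                return False, f"payload matches {pat.pattern!r}"
    if body_len > MAX_BODY_BYTES:
        return False, "body too large"

    if (method, parts.path) not in ALLOWED_ROUTES:
        return False, f"{method} {parts.path} not in allow list"
    schema = PARAM_SCHEMA.get(parts.path, {})
    for name, value in params:
        rule = schema.get(name)
        if rule is None:
            return False, f"unexpected parameter {name!r}"
        if not rule.fullmatch(value):
            return False, f"parameter {name!r} fails schema"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest should be rejected.
    samples = [
        ("GET", "/api/search?q=blue%20shoes", "203.0.113.7", 0),
        ("GET", "/products?cat=shoes", "203.0.113.7", 0),
        ("GET", "/api/search?q=blue", "198.51.100.9", 0),
        ("GET", "/api/search?q=%27%20UNION%20SELECT%201", "203.0.113.7", 0),
        ("GET", "/products/../etc/passwd", "203.0.113.7", 0),
        ("GET", "/admin", "203.0.113.7", 0),
        ("GET", "/api/search?q=x&debug=1", "203.0.113.7", 0),
        ("POST", "/checkout", "203.0.113.7", 1_000_000),
    ]
    for method, url, ip, size in samples:
        allowed, reason = evaluate(method, url, ip, size)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {method} {url} from {ip}: {reason}")
```

The order matters: cheap source checks run first so that a flood from a denied network is dropped before any parsing, and the positive model is evaluated last because it is the check that rejects everything the policy author did not think of, which is exactly what a negative pattern list cannot do on its own.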

Conclusion

Attackers are getting better every day, with more and more methods available for finding vulnerable systems on the Internet. Nevertheless, there are now many ways to protect your business and blunt the impact of DDoS attacks. Take preventative action in advance and you will sleep better at night.
