DDoS — simply explained as I understand it

Aravinda Samarasinghe
6 min read · Aug 18, 2019

Distributed Denial of Service (DDoS) is a term that surfaces frequently in IT security conversations at present. It is important to be aware of the threats in today’s IT landscape and to be vigilant and proactive in securing IT infrastructure. With the growth of connected devices such as IoT, attackers gain more and more means and resources to use for attacks. This is a simple guide and an explanation of DDoS as I understand it.

What is a DDoS attack

A Distributed Denial of Service (DDoS) attack is an attempt to disrupt, shut down or take a front-end service or application out of service by sending malicious traffic. The malicious traffic, disguised to appear legitimate, floods systems to exhaust their resources. As a result, servers and systems are unable to process requests any more and become unavailable.

Impact of a DDoS attack

If an organisation suffers a DDoS attack, it could affect its main modes of business or the services it relies upon. If an organisation relies on its website, e-commerce site or any other critical application for its main operations, that organisation could suffer loss of revenue, loss of sales, breached SLAs, brand reputation damage or a total halt of operations. Therefore having protection against DDoS attacks is very important to businesses that rely upon online activities.

Common Types of DDoS attacks

There are different types of DDoS attacks. Attackers target different layers of a network using different methods. Two common types are application layer attacks and protocol attacks. These attacks can be volumetric, generating a large number of requests or traffic flows. These days a bad actor does not necessarily need to possess high-end supercomputing power; even a low-end smartphone can be used to initiate a DDoS attack.

  • Application layer attacks — Attacking the front-end web page of an application or system by sending a large number of bogus requests for processing is an example of an application layer attack. Think of a scenario: if a system has a user login option, such as an online banking page or the user registration page of a job application system, sending a large number of requests can exhaust its servers. These types of attacks are harder to mitigate, as the malicious attempts appear to be legitimate requests. Notice that most systems nowadays use verification tools such as reCAPTCHA or verification emails that users must click and interact with.
  • Protocol attacks — A protocol attack targets front-end web servers or front-end devices such as firewalls, routers or load balancers by sending large volumes of traffic. Large volumes of traffic can fill up the state tables in firewalls and load balancing devices, preventing them from serving any more connection requests. DNS flooding, DNS amplification and ping flood attacks are examples in this category. As an example, a ping flood attack sends a large number of ICMP requests to a server, which will keep replying until its resources, such as network connectivity, are exhausted, causing the server to go offline.

The above vectors can be classified as fast, high-volume attacks. They require the malicious actors to use lots of resources to generate large volumes of requests, and are called volumetric attacks. There is a myth that DDoS attacks always occur in large volumes and fast. This is not true: there is another category of attacks called slow rate attacks.

  • Slow rate attacks — As the wording suggests, this type of attack uses slow requests and low volumes to take over the resources of systems such as web servers. Usual targets are user-facing front-end services such as login pages. Attackers send requests to web pages slowly, which ties up the threads of a web server. Once the threads are exhausted it will not be able to serve any more requests, causing the service to appear offline. Some DDoS attacks, such as slow rate attacks, are difficult to identify because the malicious traffic can appear legitimate.
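One way a defender can spot the thread exhaustion described above is to look for connections that hold a worker without ever finishing their request headers. The following is an added example, not code from the original post; the header timeout, the worker pool size and the connection records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

HEADER_TIMEOUT = 30.0   # seconds a client may take to finish its request headers (assumed)
WORKER_THREADS = 8      # size of the web server's worker pool (assumed)

@dataclass
class Conn:
    client: str                        # source address of the connection
    opened_at: float                   # when the connection was accepted (seconds)
    headers_done_at: Optional[float]   # when headers completed; None = still trickling in

def is_stalled(conn: Conn, now: float) -> bool:
    """True if the connection has held a worker past HEADER_TIMEOUT without a complete request."""
    return conn.headers_done_at is None and (now - conn.opened_at) > HEADER_TIMEOUT

def analyse(conns: list, now: float) -> dict:
    """Summarise how much of the worker pool is tied up by stalled connections
    and which clients are responsible, so they can be timed out and rate limited."""
    stalled = [c for c in conns if is_stalled(c, now)]
    by_client: dict = {}
    for c in stalled:
        by_client[c.client] = by_client.get(c.client, 0) + 1
    return {
        "stalled": len(stalled),
        "occupancy": len(stalled) / WORKER_THREADS,   # fraction of workers held by stalled clients
        "by_client": by_client,
        "saturated": len(stalled) >= WORKER_THREADS,  # no worker left for legitimate users
    }

# Constructed sample: six connections from one source were opened 40-45 s ago and
# never finished their headers; two ordinary clients completed within a second.
NOW = 1045.0
SAMPLE_CONNS = (
    [Conn("203.0.113.7", 1000.0 + i, None) for i in range(6)]
    + [Conn("198.51.100.5", 1040.0, 1040.4), Conn("198.51.100.9", 1043.0, 1043.2)]
)

if __name__ == "__main__":
    print(analyse(SAMPLE_CONNS, NOW))
```

A server-side header read timeout that closes such connections is the corresponding mitigation; the report above tells you how close the pool is to saturation before that happens.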

Ways of mitigating DDoS attacks

  • Rate limiting — As the name suggests, this method simply limits the number of connections or requests a server accepts over a period of time. It mitigates volume-based attacks. Firewalls and some load balancing equipment have this capability. This is a method that can be used proactively.
  • Blackhole routing — This method is a reactive solution. If a service or server is under attack, a route can simply be configured to take the traffic away from the server or service. Using this method takes legitimate traffic away as well: a blackhole route sends all traffic on a path of no return, so in a way it serves the purpose of the attacker.
  • Anycast routing — A method used by large corporations such as Google to route traffic to the closest location, which gives users the same experience regardless of their geographical location. For example, the Google DNS service 8.8.8.8 gives the same level of response and is available via the same IP from different parts of the world. Anycast routing shares the load across different locations and servers, which provides a way to slow down volume-based attacks and reduce resource exhaustion of servers.
  • Web Application Firewalls (WAF) — Service providers such as AWS and Azure offer WAF services that customers can configure to protect their workloads. A WAF can act as a proxy in front of the servers providing front-end services, shielding the identity of the real servers. It can inspect application layer traffic to identify malicious requests or traffic originated by a malicious application, such as the DDoS tools used by attackers.
  • Geographic restrictions — A method that can be useful for services that are only served to a certain geographical area. Only traffic from a defined geographical region is accepted, and IP address ranges are used to identify locations. Attackers can still spoof IP addresses, but at least it blocks malicious attempts coming from other geographical locations where attackers attempt to use multiple hosts or devices.
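To make the rate limiting item concrete, here is an added example (not from the original post) of a per-client sliding-window limiter of the kind firewalls and load balancers apply against volumetric floods. The limit of 10 requests per second and the request log are constructed assumptions.

```python
from collections import deque, defaultdict

class SlidingWindowLimiter:
    """Allow at most `max_requests` accepted requests per client in any `window_seconds` span."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        # Evict timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max:
            return False          # over budget: drop the request or answer 429
        q.append(now)
        return True

def apply_limit(requests, max_requests: int = 10, window_seconds: float = 1.0) -> dict:
    """requests: iterable of (timestamp, client). Returns client -> (allowed, blocked)."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}

# Constructed traffic: one source bursts 30 requests in under half a second,
# while a normal client sends 5 requests spread over two seconds.
FLOOD = [(i * 0.015, "203.0.113.7") for i in range(30)]
NORMAL = [(i * 0.4, "198.51.100.5") for i in range(5)]

if __name__ == "__main__":
    print(apply_limit(FLOOD + NORMAL))  # {'203.0.113.7': (10, 20), '198.51.100.5': (5, 0)}
```

The legitimate client is untouched while the burst is capped at the budget, which is what makes this a proactive control rather than a blackhole that drops everyone.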

It is important to have shields against DDoS-type attacks as organisations move into the digital space and provide online services for customer convenience. Most ISPs provide DDoS protection services to their customers. There is also the option of using a service that specialises in DDoS protection; Arbor Networks and Akamai are popular services in this category. These services run smart methods and algorithms to identify and mitigate attacks. Some firewall products also have options that can be configured for DDoS protection; Palo Alto is one of the vendors currently offering it with their firewall hardware. Service providers such as GCP, AWS and Azure have their own methods and services for DDoS protection. Also, with the elasticity of their services and the high-bandwidth connectivity on offer, sharing loads and spreading them across locations can be done easily. It is important to give some consideration to DDoS protection for your services.
