How to Stop a DDoS Attack: A Guide
In 2018, GitHub saw one of the largest DDoS attacks ever recorded. According to Wired, the attack measured 1.35 terabits of data per second, and GitHub suffered from outages as a result. Luckily, the company had a mitigation strategy in place and quickly switched to routing traffic through its DDoS protection service, foiling the attack.
According to Netscout, whose subsidiary Arbor Networks created a map that shows daily DDoS attacks, the company detected 23,000 attacks every day in 2019, on average. Its annual threat report cautioned that the rise of IoT, which will yield a projected 20 billion connected devices this year, greatly increases the risks of DDoS attacks, which have grown in frequency and intensity.
But as GitHub’s experience demonstrates, it’s possible to have a plan in place that can lessen the damage and even fend off DDoS attacks when they occur. Companies can take technical precautions, use DDoS protection services and adopt clear business plans in anticipation of an attack.
What is a distributed denial-of-service (DDoS) attack?
What Does Denial of Service Look Like?
Instructor Tom Scott explains on Computerphile that the malicious core of a DDoS attack is denial of service, a form of attack first seen in the 1990s, when most people with computers browsed the internet over a dial-up connection. Dial-up is slow: it tops out at 56,000 bits per second, less than 1 percent of the speed of a modern broadband connection. According to a blog post by SolarWinds, at those speeds watching video in real time is impossible, and even loading a single page on a modern website would take more than a minute on average.
In the Computerphile video, Scott explains that attackers who had access to faster internet speeds, such as the broadband available to business and university computers, would select a target and send a flood of data at it, leaving the target unable to make additional connections. The most important factor in a successful attack was having a faster internet connection than the target, so the target would run out of bandwidth for handling other requests.
Scott says that, although this type of cyberattack doesn’t steal any information or permanently harm systems, it poses a problem for websites, which are prevented from serving their users due to the attackers crowding out all the legitimate requests. For a user trying to navigate to a website under a denial-of-service attack, the page would never load — it would hang for a long time, then simply time out.
These days, Scott points out, this type of denial-of-service flood attack is less popular, because it’s hard to have one computer with enough bandwidth to take down a website on its own. But attackers are pretty creative, and there are flavors of denial of service that get around that issue.
One interesting spin is known as Slowloris, which instructor Mike Pound describes in a Computerphile video. Instead of pushing as much data as possible through the attacker's connection, a Slowloris client opens many connections to a web server and sends each HTTP request a few bytes at a time, never finishing the request headers, so the server keeps every one of those connections open while it waits for the rest. Enough stalled connections exhaust the server's pool of concurrent connections, and legitimate clients can no longer get one. For attackers, the advantage is that Slowloris needs almost no bandwidth; the limitation is that it only works against servers that dedicate a thread or process to each open connection and can hold only a limited number of them at once.
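The server-side counter to the behaviour just described is a deadline on the whole request head rather than an idle timeout per byte. The following is an added illustration, not code from the Computerphile video or from any web server: a small asyncio reader that gives up on a connection whose HTTP request headers have not fully arrived within a fixed deadline, exercised against two constructed clients, one that sends the head at once and one that trickles it a byte at a time. The deadline and size limit are assumed tuning values.

```python
import asyncio
from typing import Optional

# Assumed tuning values for this example; production servers expose the same
# knobs as configuration (e.g. a "client header timeout").
HEADER_DEADLINE_S = 1.0     # the complete request head must arrive within this many seconds
MAX_HEAD_BYTES = 8192       # refuse request heads larger than this regardless of speed


async def read_request_head(reader: asyncio.StreamReader,
                            deadline_s: float = HEADER_DEADLINE_S,
                            limit: int = MAX_HEAD_BYTES) -> Optional[bytes]:
    """Read an HTTP/1.x request head (everything up to the blank line).

    Returns the raw head, or None when the client fails to finish it in time.
    A Slowloris client keeps the connection alive by trickling header bytes
    forever, so a per-read idle timeout alone is not enough: the clock here
    runs from the first byte until the terminating CRLFCRLF arrives.
    """
    loop = asyncio.get_running_loop()
    stop_at = loop.time() + deadline_s
    buf = bytearray()
    while b"\r\n\r\n" not in buf:
        remaining = stop_at - loop.time()
        if remaining <= 0 or len(buf) > limit:
            return None
        try:
            chunk = await asyncio.wait_for(reader.read(1024), timeout=remaining)
        except asyncio.TimeoutError:
            return None
        if not chunk:               # peer closed before finishing the head
            return None
        buf.extend(chunk)
    return bytes(buf)


async def _trickle(reader: asyncio.StreamReader, data: bytes, chunk: int, interval_s: float) -> None:
    """Constructed client: deliver `data` `chunk` bytes at a time, pausing between chunks."""
    for i in range(0, len(data), chunk):
        reader.feed_data(data[i:i + chunk])
        await asyncio.sleep(interval_s)
    reader.feed_eof()


async def _simulate(head: bytes, chunk: int, interval_s: float, deadline_s: float) -> Optional[bytes]:
    reader = asyncio.StreamReader()
    feeder = asyncio.create_task(_trickle(reader, head, chunk, interval_s))
    try:
        return await read_request_head(reader, deadline_s)
    finally:
        feeder.cancel()


# Constructed sample requests (host names and user agent are made up).
LEGIT_HEAD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
SLOW_HEAD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: 1\r\nX-b: 2\r\nX-c: 3\r\n\r\n"


def legitimate_client() -> Optional[bytes]:
    """Whole head in one segment: accepted well inside the deadline."""
    return asyncio.run(_simulate(LEGIT_HEAD, len(LEGIT_HEAD), 0.0, HEADER_DEADLINE_S))


def slowloris_client() -> Optional[bytes]:
    """One byte every 200 ms: the head would take over ten seconds, so it is cut off at the deadline."""
    return asyncio.run(_simulate(SLOW_HEAD, 1, 0.2, HEADER_DEADLINE_S))


if __name__ == "__main__":
    print("legitimate head accepted:", legitimate_client() is not None)
    print("slowloris head accepted:", slowloris_client() is not None)
```

The deadline covers the whole head, which is what distinguishes this from a plain socket read timeout: a Slowloris client happily sends one byte just before every per-read timeout would fire. Closing the connection early also returns the worker thread or process, which is the resource the attack is really after.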
Types of DDoS Attacks
DDoS — which stands for distributed denial of service — is one of the most popular versions of denial-of-service attacks. Cloudflare, a company that offers DDoS protection services, along with other web infrastructure and security products, explains the attack strategy on its website. Instead of launching the attack from a single computer, attackers use many distributed machines in different locations working in concert to overwhelm the target. The distributed machines are often computers, or even smart devices such as baby monitors, that have been secretly infected with malware and conscripted into a botnet under the attacker’s control. The attacker is then able to use the distributed machines — or bots — to send traffic wherever is needed to carry out any type of DDoS attack.
According to Cloudflare CTO John Graham-Cumming, these days it’s common for attacks to use multiple types of DDoS in a single attack: “It’s just an attempt to overwhelm the network, so they’ll try to send as many different things as possible,” he told Built In.
That said, the attacks tend to fall into three categories.
The first type of DDoS attack, known as an application layer attack, works like the denial-of-service flood attacks described above, just on a larger scale, according to Cloudflare's website. Bots send a torrent of seemingly ordinary requests at a target, crowding out other users trying to reach the target server. Attackers typically aim the traffic at time-intensive endpoints on the target: think requests that require large database queries or generate big files. Such requests cost the attacker almost nothing to send but are expensive for the target to serve, in CPU time, database load or outbound bandwidth, so the target may quickly burn through its resources.
Another type of DDoS attack targets the way that internet protocols — the rules that facilitate how computers communicate over the internet — are supposed to work. An example outlined by Cloudflare is the SYN flood attack, which targets the transmission control protocol (TCP). In a normal TCP transaction, the client and the server establish a connection by exchanging a standardized series of messages known as a “handshake,” similar to how, in rock climbing, the climber communicates with the belayer with standardized acknowledgements. This handshake tells both sides that a connection is successfully established.
A SYN flood attack shares some similarities with a Slowloris denial of service. During the attack, the attacker sends only the first message of the three-part handshake, the SYN, to the target server, usually with a spoofed source address. The server responds with the second message, a SYN-ACK, and reserves a slot in its queue of half-open connections while it waits for the final ACK, which never arrives. Each slot stays occupied until a timeout expires, and once the queue is full the server drops new SYNs, including those from legitimate clients. Having a botnet do this multiplies the effect on the target.
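To make the half-open queue concrete, here is an added example (not from Cloudflare or any kernel) that models a listening socket's backlog as a small state machine and feeds it a constructed flood of never-completed handshakes followed by a legitimate client. It also shows the kind of traffic-pattern check a defender can run over a window of segments: many SYNs, almost none of them followed by their source's ACK. The backlog size, timeout, addresses and thresholds are all assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    t: float      # arrival time, seconds
    src: str      # source address as written on the wire (spoofed during a flood)
    flags: str    # "SYN" (handshake step 1) or "ACK" (step 3); the server's SYN-ACK is implied


class Listener:
    """Toy model of a listening socket's queue of half-open (SYN-received) connections."""

    def __init__(self, backlog: int, syn_timeout: float):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open: Dict[str, float] = {}     # src -> time the SYN was queued
        self.established: List[str] = []
        self.dropped_syns = 0

    def _expire(self, now: float) -> None:
        """Entries whose final ACK never came are reclaimed only once syn_timeout has passed."""
        for src in [s for s, t0 in self.half_open.items() if now - t0 >= self.syn_timeout]:
            del self.half_open[src]

    def handle(self, seg: Segment) -> str:
        self._expire(seg.t)
        if seg.flags == "SYN":
            if seg.src in self.half_open:         # retransmitted SYN for an entry already queued
                return "syn-ack"
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1            # queue full: the SYN is silently dropped
                return "dropped"
            self.half_open[seg.src] = seg.t
            return "syn-ack"
        if seg.flags == "ACK" and seg.src in self.half_open:
            del self.half_open[seg.src]
            self.established.append(seg.src)
            return "established"
        return "ignored"


def syn_flood_suspected(segs: List[Segment], start: float, length: float,
                        min_syns: int = 100, max_completion: float = 0.1) -> bool:
    """Pattern check over one window: many distinct SYN sources, almost none completing the handshake."""
    window = [s for s in segs if start <= s.t < start + length]
    syn_srcs = {s.src for s in window if s.flags == "SYN"}
    ack_srcs = {s.src for s in window if s.flags == "ACK"}
    if len(syn_srcs) < min_syns:
        return False
    return len(ack_srcs & syn_srcs) / len(syn_srcs) <= max_completion


def flood_scenario(backlog: int = 128, syn_timeout: float = 60.0) -> dict:
    segs: List[Segment] = []
    # Constructed attack: 300 SYNs within one second from distinct spoofed 10.0.0.0/16 sources, never ACKed.
    for i in range(300):
        segs.append(Segment(i / 300, f"10.0.{i // 256}.{i % 256}", "SYN"))
    # Constructed legitimate client: tries during the flood, then again after the stale entries expired.
    segs.append(Segment(2.0, "203.0.113.7", "SYN"))
    segs.append(Segment(65.0, "203.0.113.7", "SYN"))
    segs.append(Segment(65.1, "203.0.113.7", "ACK"))

    listener = Listener(backlog, syn_timeout)
    outcome = {seg: listener.handle(seg) for seg in segs}
    return {
        "during_flood": outcome[segs[300]],        # legitimate SYN while the queue is full
        "after_timeout": outcome[segs[302]],       # same client once the queue has drained
        "dropped_syns": listener.dropped_syns,
        "flagged_0_10s": syn_flood_suspected(segs, 0.0, 10.0),
        "flagged_60_70s": syn_flood_suspected(segs, 60.0, 10.0),
    }


if __name__ == "__main__":
    print(flood_scenario())
```

With a backlog of 128 the first 128 spoofed SYNs fill the queue, the remaining 172 and the legitimate client's SYN are dropped, and the client only gets through once the entries age out. The pattern check flags the first window and not the later one, which is the shape of the "that's a SYN flood" fingerprint described later in the article, reduced to a completion ratio.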
The third type of DDoS attack is the amplification attack. According to Cloudflare, these attacks take advantage of a variety of internet protocols to multiply the size of each request sent from an attacker. For instance, the domain name system (DNS) amplification attack abuses the DNS protocol, which computers normally use to look up the IP address that corresponds to a domain name, a step that makes navigating the internet possible. Clients normally send a small request containing the name they want to look up to a DNS server, and get back a response with the corresponding records.
Cloudflare explains that the attacker carries out DNS amplification by "spoofing" where the request came from, writing the target's IP address into the request's source field so that the DNS server sends its response to the target rather than to the attacker. The request is crafted so that the answer is as large as possible, for example by asking an open resolver (one that answers queries from anyone) for every record type a name has. The amplification factor is the ratio of response size to request size: a few dozen bytes from the attacker can become several kilobytes delivered to the target. Spreading the spoofed requests across many DNS servers, and as with all distributed attacks across the bots in a botnet, multiplies the total volume.
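The following added example (not Cloudflare's code) builds a DNS query and a constructed response in RFC 1035 wire format so the amplification ratio can be measured on real bytes, and implements the check a target can run on its own network: a DNS response is only legitimate if this host sent the matching query, so a response with no outstanding query behind it is reflected traffic. All addresses, IDs and the response payload are constructed; the response uses a single TXT record as a stand-in for whatever large answer the abused resolver would return.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

QTYPE_A, QTYPE_TXT, QTYPE_ANY, RR_OPT = 1, 16, 255, 41


def encode_name(name: str) -> bytes:
    """RFC 1035 name encoding: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(qid: int, qname: str, qtype: int, edns_udp_size: int = 4096) -> bytes:
    """Query with an EDNS0 OPT record advertising a large UDP buffer (40 bytes for example.com)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)          # RD set; 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)         # class IN
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, edns_udp_size, 0, 0)   # root name, type OPT, "class" = UDP size
    return header + question + opt


def build_response(qid: int, qname: str, qtype: int, filler_bytes: int) -> bytes:
    """Constructed response: one TXT record carrying `filler_bytes` of payload, split into <=255-byte strings."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)          # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    payload = b"x" * filler_bytes
    rdata = b"".join(bytes([len(c)]) + c for c in (payload[i:i + 255] for i in range(0, len(payload), 255)))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata  # name: pointer to offset 12
    return header + question + answer


def parse_question(pkt: bytes) -> Tuple[int, bool, str, int]:
    """Return (id, is_response, qname, qtype) from the header and first question (questions are not compressed)."""
    qid, flags = struct.unpack("!HH", pkt[:4])
    off, labels = 12, []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack("!H", pkt[off + 1:off + 3])[0]
    return qid, bool(flags & 0x8000), ".".join(labels), qtype


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    payload: bytes


class UnsolicitedResponseDetector:
    """Target-side check: a DNS response is only expected if we sent the matching query."""

    def __init__(self) -> None:
        self.outstanding: Dict[Tuple[str, str, int, str], int] = {}   # (our host, server, id, qname) -> query size
        self.unsolicited_bytes = 0

    def observe(self, dg: Datagram) -> Optional[str]:
        qid, is_response, qname, qtype = parse_question(dg.payload)
        if not is_response:
            self.outstanding[(dg.src, dg.dst, qid, qname)] = len(dg.payload)
            return None
        if self.outstanding.pop((dg.dst, dg.src, qid, qname), None) is not None:
            return None                                                 # answer to a query we made
        self.unsolicited_bytes += len(dg.payload)
        return f"unsolicited DNS response from {dg.src} for {qname} type {qtype}: {len(dg.payload)} bytes"


def run_sample_traffic() -> dict:
    victim, resolver = "192.0.2.10", "198.51.100.53"                    # constructed addresses
    legit_q = build_query(0x1234, "example.com", QTYPE_A, edns_udp_size=512)
    legit_r = build_response(0x1234, "example.com", QTYPE_A, filler_bytes=4)
    reflected = build_response(0xBEEF, "example.com", QTYPE_ANY, filler_bytes=3000)
    stream = [Datagram(victim, resolver, legit_q), Datagram(resolver, victim, legit_r)]
    # Three open resolvers answering a spoofed ANY query that carried the victim's address as its source.
    stream += [Datagram(f"203.0.113.{n}", victim, reflected) for n in (1, 2, 3)]
    det = UnsolicitedResponseDetector()
    alerts = [a for a in (det.observe(dg) for dg in stream) if a]
    return {"alerts": alerts, "unsolicited_bytes": det.unsolicited_bytes,
            "factor": amplification_factor(build_query(0xBEEF, "example.com", QTYPE_ANY), reflected)}


if __name__ == "__main__":
    for line in run_sample_traffic()["alerts"]:
        print(line)
```

The spoofed query is 40 bytes on the wire and the constructed answer is 3,053 bytes, a factor of roughly 76 per resolver. Note what the detector can and cannot do: it identifies the reflected responses and measures their volume, but the packets have already crossed the target's link by the time it sees them, which is why the filtering described later in the article has to happen upstream of the origin.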
Lessening the Effects of DDoS
DDoS attacks, like other cyberattacks, are illegal under the United States Computer Fraud and Abuse Act, but that hasn’t stopped people from using them. Activists have used DDoS as a form of online protest, and the hacking collective Anonymous has even petitioned for DDoS to be made legal, arguing that it is a form of free speech similar to in-person protestors denying access to a building. Attacks against online gamers have been so prevalent that gaming companies even post guides on prevention strategies. Governments have also been targets and perpetrators of DDoS attacks.
To avoid becoming the next victim, companies can take preventative steps. In the Pluralsight course “Ethical Hacking: Denial of Service,” instructor Troy Hunt explains that DDoS does its damage by taking up all the network connections or bandwidth the company should be spending on legitimate users. Quickly scaling up servers to handle more connections and bandwidth can mitigate the issue — but can also be expensive. Companies that host their sites on cloud providers usually have easy access to this option.
Hunt explains in his course that another strategy is for companies to place endpoints that perform resource-intensive functions behind some kind of protection, making it difficult for bots to get to them. For instance, companies can prevent bots from quickly tying up server resources by placing endpoints with intensive database queries or large file downloads behind login pages. The ubiquitous CAPTCHA test, with its wavy words or images for users to decipher, is another way of protecting resource-hungry endpoints from bots.
The way companies architect their websites is also important, Hunt says. Building a website as loosely coupled, separately hosted components, instead of a single monolith in which every page depends on the same servers, lets other sections of a site keep working even if one section is being hit by a DDoS attack.
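A concrete form of the advice in the last three paragraphs, protecting expensive endpoints before bots can drain the server, is a per-client token bucket in which a request costs as much as the endpoint is expensive to serve. The following is an added example, not from Hunt's course: the endpoint costs, bucket size and refill rate are assumed values, and the clients and their request bursts are constructed.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed per-endpoint costs, roughly proportional to the work the server does to answer.
ENDPOINT_COST: Dict[str, int] = {"/": 1, "/search": 5, "/export/report": 20}


@dataclass
class Bucket:
    tokens: float
    updated: float


class CostAwareLimiter:
    """Token bucket per client; an expensive endpoint burns more of the client's budget per request."""

    def __init__(self, capacity: float = 60.0, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client: str, path: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        cost = ENDPOINT_COST.get(path, 1)
        b = self.buckets.setdefault(client, Bucket(self.capacity, now))
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.refill_per_sec)
        b.updated = now
        if b.tokens < cost:
            return False            # caller answers 429 and never touches the database
        b.tokens -= cost
        return True


def demo() -> dict:
    lim = CostAwareLimiter(capacity=60.0, refill_per_sec=1.0)
    # Constructed bot: ten report exports within the same second from one address.
    bot = [lim.allow("198.51.100.20", "/export/report", now=0.0) for _ in range(10)]
    # After 20 idle seconds the bot has earned exactly one more export.
    later = [lim.allow("198.51.100.20", "/export/report", now=20.0) for _ in range(2)]
    # Constructed human: seventy cheap page loads within the same second from another address.
    human = [lim.allow("203.0.113.5", "/", now=0.0) for _ in range(70)]
    return {"bot_allowed": sum(bot), "bot_later_allowed": sum(later), "human_allowed": sum(human)}


if __name__ == "__main__":
    print(demo())
```

The limiter sits in front of the handler, so the check costs a dictionary lookup while the work it refuses is a database query or a file generation. It complements rather than replaces the login or CAPTCHA gate: the gate decides who may reach the endpoint at all, the bucket bounds how much even an authorised client can make the server do per unit time. The client key must be the real client address, which matters once traffic arrives through a proxy or protection service.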
How DDoS Protection Services Work
Today, many companies offer DDoS protection as a service.
Cloudflare is one of the largest of these DDoS protection services. It uses some of the same techniques that individual companies use to protect against DDoS, but according to the company’s blog, its biggest weapon is a large network of servers around the world that intercept web traffic on behalf of customers.
Cloudflare’s network sits in between a customer’s servers and the rest of the internet, accepting incoming client requests and passing them along to the customer’s servers. As the middleman, Cloudflare can look for suspicious activity and filter out any malicious requests, dropping them before they get to the customer.
Even when a DDoS attack is directed at a customer, Cloudflare is able to absorb the onslaught of data by spreading it across Cloudflare’s network and splitting the work across many servers. At each server, Cloudflare checks for each type of DDoS attack and filters requests accordingly.
“All these different types of attacks, what you want to do is split them up so they go to as many different cities as possible,” Graham-Cumming told Built In. “Within each data center, you then identify what’s bad and get rid of it. So whether it’s like a SYN flood, ACK attack, something that’s using DNS amplification, it’s in many ways the same thing.”
It can be difficult for individual companies to handle attacks involving multiple types of DDoS, especially because some varieties are more challenging to detect than others. Graham-Cumming said the hardest types for companies to detect are application layer attacks, where DDoS attacks can look like regular requests, aside from the volume.
Cloudflare deals with application layer attacks by analyzing for signs of malicious intent. Some of this analysis is helped along by machine learning, Graham-Cumming said.
“Because of the scale of a cloud-first network — with such a large number of users using Cloudflare, traffic coming through us — we can actually look for anomalous behavior on our network, which would be indication of some type of attack, and then we can use that to protect other users,” he said. “It’s more about looking at the traffic, looking at the packets coming toward you, doing a fingerprint on them and saying, ‘We know this packet, actually, is participating in a DDoS because of some characteristic of the packet itself.’”
The fingerprints Cloudflare developed to recognize attack patterns are quite sensitive, he said.
“Literally, you can look at the pattern of data in the packet and say, ‘That’s a SYN flood,’” Graham-Cumming said.
But companies that use DDoS protection services should still be vigilant.
“Attackers then try to go around the service,” he said. “They’ll try to find the original IP address of your service and go after it directly.”
Graham-Cumming recommended that customers using DDoS protection services set up filtering on their traffic, so their servers only accept traffic coming from the service's published IP address ranges, to fix this problem.
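The origin-side gate that recommendation describes, as an added example that is not Cloudflare's code: accept a connection only if the TCP peer is inside the protection service's address ranges, and trust the header in which the service forwards the original client address only on those connections, since an attacker hitting the origin directly can set that header to anything. The two prefixes are documentation networks standing in for the service's real published list, which a deployment would download and refresh.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed stand-in prefixes (documentation/test networks), not any provider's real ranges.
SERVICE_RANGES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:1::/48")]


@dataclass(frozen=True)
class Decision:
    accepted: bool
    client_ip: Optional[str]     # address to log and rate-limit on when accepted
    reason: str


def peer_is_service(peer_ip: str) -> bool:
    """True if the connecting address belongs to the protection service."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in SERVICE_RANGES)


def admit(peer_ip: str, forwarded_client: Optional[str]) -> Decision:
    """Origin gate: reject direct hits, and only believe the forwarded client address on service connections."""
    if not peer_is_service(peer_ip):
        return Decision(False, None, "peer is not the protection service; origin reached directly")
    if forwarded_client is None:
        return Decision(True, peer_ip, "via service, no client address header")
    try:
        ipaddress.ip_address(forwarded_client)
    except ValueError:
        return Decision(False, None, "malformed client address header on a service connection")
    return Decision(True, forwarded_client, "via service")


if __name__ == "__main__":
    # Constructed cases: an attacker who found the origin IP and forges the header, and a real proxied request.
    print(admit("203.0.113.9", "198.51.100.1"))
    print(admit("198.51.100.7", "203.0.113.9"))
```

Enforce the same allowlist at the network layer as well (host firewall or cloud security group), so packets from anywhere else are dropped before they consume sockets and worker processes; an application-level check alone still lets the attacker complete TCP handshakes against the origin, which is exactly the resource a SYN flood or Slowloris targets.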
What Every Business Needs in the Event of a DDoS Attack
DDoS can damage a company’s reputation, negatively impact revenue and require substantial expenses to remedy the attack. Hunt explains in his Pluralsight course that legitimate users and customers aren’t able to access the targeted site, preventing business from operating normally and cutting off purchases and ad revenue from the site.
DDoS attacks cannot directly steal information from a target, but attackers have been known to use DDoS to distract companies from concurrent cyberattacks — while the organization is busy trying to manage the DDoS, attackers go after their true objectives. And DDoS attacks that go on for an extended period of time can be used to extort their targets, similar to ransomware attacks.
Hunt explains in his course that the best way to respond to a DDoS attack is to already have a plan in place when it occurs. It’s a good idea to prepare a company statement that would be released to the public in the event of an attack. Companies should also think about the costs associated with a DDoS attack on their particular sites and use that estimate to determine what they’re willing to pay to resolve an attack.
Trying to make a cost-benefit calculation in the middle of a crisis isn’t a good idea, Hunt says, especially if the attack is costing the company revenue every minute. But with business-side strategies prepared in advance and technical protective measures in place, companies won’t be caught off guard and can survive a DDoS attack.