What is a DDoS Attack? How they Work + Protection Strategies

A Distributed Denial of Service (DDoS) attack, is an illegal attempt to make a website unavailable by overloading its server with high amounts of fake traffic.

The onslaught of malicious connection requests places legitimate visitors at the back of an undiminishing traffic queue which prevents the website from loading.

Targets don't just include web servers, a DDoS attack can disrupt any service connected to the internet such as networks, databases, mobile devices, and even specific application functions.

How Does a DDoS Attack Work?

A DDoS attack begins by compromising a series of IoT (Internet of Things) devices. Each targeted IoT device is infected with malware so that it can be controlled remotely and then connected to other comprised devices, creating a botnet.

There is no limit to the size of a botnet, they could span across the entire globe. With a large enough botnet, malicious traffic requests will keep compounding, and if they're all directed at a singular target, server RAM and CPU reserves will have no chance of coping with the traffic demand.

What's the Difference Between a DoS attack and a DDoS Attack?

In a DoS attack, malicious connection requests are sent from just one compromised device, but in a DDoS attack, malicious traffic is sent from multiple compromised devices.

Dos vs. DDoS Attack

Types of DDoS Attacks

All DDoS attacks have a single goal - to overload online resources to the point of being unresponsive.

There are three primary categories of DDoS attacks:

1. Volume-Based DDoS Attacks

Volume-based attack direct and overwhelming amount of traffic at web resources. The magnitude of these attacks is measured in Bits per second (Bps). Volume-based attacks include ICMP flood attacks, UDP flood attacks, and other spoofed packet attacks.

What is an ICMP Flood Attack?

An Internet Control Message Protocol (ICMP) echo requests are normally sent to network devices to diagnose their health status. Each targeted device responds with an echo reply, outlining its current condition. An ICMP flood attack (also known as a ping flood attack) sends a high magnitude of echo requests resulting in an equally high number of reply packets, overwhelming the targeted device.

For an ICMP flood attack to be possible, an attacker needs to know the target's IP address. There are three categories of ICMP attacks, identified by the method of IP address retrieval:

  • Targeted local disclosed - This type of DDoS attack requires knowledge of the target's IP address. An attack sends a flood of traffic to a specific computer or device.
  • Router disclosed - This type of DDoS attack requires knowledge of the internal IP address of a local router. Network requests are then sent to the router to disrupt network communications.
  • Blind ping - Involves a reconnaissance campaign to discover a target's IP address to make a DDoS attack possible.

What is a UDP Flood Attack?

A UDP flood attack exploits a server's natural response sequence to User Datagram Protocol (UDP) packets. Under normal conditions, a server's response to UDP packets at each port is a two-step process:

  1. The server checks if any running programs associated with the requested datagrams are utilizing the specified port.
  2. When no such applications are found, the server responds with an ICMP - "Destination Unreachable" packet.

During an UDP flood attack, a targeted server is flooded with such requests, causing it to overload and deny service to legitimate traffic.

How to Mitigate UDP Flood Attacks

The standard method of mitigating UDP flood attack is by limiting the response rate of ICMP packets. However, this defense strategy has two major disadvantages:

  1. Such a binary filtration method is likely to also reject legitimate packet requests.
  2. If the UDP flood attack is large enough, the state table and server firewall will be overwhelmed. This will result in a catastrophic bottleneck of UDP packets occurring upstream from the targeted server.

A better method of mitigating UDP flood attacks is by deploying defense mechanisms upstream rather than at the physical level. This will prevent reliance on a bandwidth being depleted by packets from the cyberattack.

2. Protocol or Network-Layer DDoS Attacks

Protocol or network-layer DDoS attacks direct a high volume of packets at management tools and network infrastructures. The volume of these attacks is measured in packets per second (PPS). These types of attacks include SYN floods and Smurf DDoS attacks.

What is a SYN Flood Attack?

During normal operating conditions, a client sends a SYN to a server which then responds with a SYN+ACK message. While the server waits for a SYN+ACK response from the client, the state information is stored in a TCP buffer.

During a SYN flood attack, a high volume of SYN packers ate sent to a server from spoofed IP addresses that never provide a SYN-ACK response when the server requests them. The result is the TCP buffer reaching its limit, causing all open port connections to be overwhelmed, which in turn results in the server denying any new  TCP connections.

How to Mitigate SYN Flood Attacks

There are three methods of mitigating SYN flood attacks:

1. Overwrite Senior Half-Open TCP Connections

To prevent compounding backlog requests, the oldest half-open TCP connection should've recycled whenever the backlog has been filled. This cyclical connection process will only mitigate SYN attacks if connections can be established faster than the backlog is filled.

Increasing the backlog limit, could buy the server enough time to recycle the oldest TCP connection before the backlog queue is exhausted.

2. Increase Backlog Limit

To raise the limit of the backlog queue, the operating system needs sufficient memory to sustain the increased processing demands of a larger backlog. Otherwise, performance may be impeded.

If memory bandwidth is sufficient, increase the maximum number of possible half-open connections.

With the backlog queue increased, the system should operate for a longer period of time during a SYN flood attack, allowing more time to identify and block the spoofed IP address launching the attack.

3. Create TCP SYN Cookies

A TCP SYN cookie creates an additional level of protocol security within load balancers and DDoS engines. This mitigation method removes the requirement of a TCP buffer and its corresponding storage limitations. The state table is replaced with a mathematical function that calculates the TCP sequence number linked to each SYN-ACK response.

Each received ACK packet is compared against the expected TCP sequence number calculated by the mathematical function. Alignment confirms legitimate connection request which is then established as normal.

Before implementing SYN cookies on a server, be sure to check its processing capabilities. Some x86 servers aren't able to meet the processing requirements of computing TCP sequence calculations fast enough to meet spoof connection demands.

4. Use a Firewall

A firewall can replace SYN cookies, and the concern of overwhelming server resources, if it's capable of monitoring the state table and blocking new connections beyond a specific limit. Fortunately, most modern servers are capable of this.

Intelligent firewalls can identify a SYN flood attack by monitoring SYN packets per second and respond by liberating half-open connections to maintain availability. A capable firewall is on e that maintains connectivity to legitimate users during a high-volume attack.

Lower-grade firewalls, however, have rudimentary SYN attack filters that may reject legitimate TCP sessions during a SYN flood attack.

What is a Smurf DDoS Attack?

During a Smurf attack, an illegitimate ping is sent to networked computers from the targeted server by spoofing its IP address, forcing each recipient to respond with an operational update.

Because such pings are not verified with a handshake, they can be compounded without limitations. The result is networked computers launching a DDoS attack against the own server.

How to Mitigate Smurf DDoS Attacks

The majority of attack vectors that made Smurf attack possible have now been rectified. However, some legacy systems are still vulnerable to this self-damaging DDoS tactic.

A quick mitigation solution is to disable all IP broadcasting addresses at each firewall and network router. This setting is likely to be disabled on new routers, but legacy routers are likely to have it enabled.

3. Application Layer-Attacks

During an Application, later DDoS attack, also known as a layer 7 (L7) attack, the top later of the OSI model is targeted. This is where high-traffic packet requests occur, - HTTP, GET, and HTTP Post.

DDoS Attack Warning signs

An unusually slow loading website could be evidence of a DDoS attack occurring. If this then progresses to a Server 503 unreliable message, a DDoS attack is likely occurring.

Error 503 example

At this point, immediate further verification is critical. This can be achieved by generating a log of all active server requests from the Command Log Interface (CLI).

During a DDoS attack, the command log will indicate multiple connections to a single server port from the same IP address.

Example of web server log during DDoS attack
Example of web server log during DDoS attack - source: loggly.com

Ready to see
UpGuard in action?