An organization’s worst nightmare
DoS and DDoS are common attacks that can make your server unavailable if they are not taken seriously. In both scenarios the principle is the same: the attackers deprive legitimate users of the service they need by making your system unresponsive. The following sections cover the main differences between the two, their impact, the reasons behind DDoS attacks and the attack types.
Denial of service (DoS) attack
In this attack, the attacker sends a massive number of service requests (TCP or UDP packets), usually with forged source IP addresses, to overwhelm the victim's server. Gradually, the attacked server's resources (CPU, memory, etc.) are consumed. This common kind of denial of service (DoS) attack is called flooding. There are other forms as well, such as application-level DoS, where the attacker triggers a bug in the server with a specially crafted packet to make that particular target unavailable. The principle of a denial of service (DoS) attack is to deny normal users access to the host server and disrupt the usual functioning of the system. Once legitimate users can no longer reach the website, the service has effectively failed.
Distributed denial-of-service (DDoS) attacks
The number of distributed denial-of-service (DDoS) attacks keeps escalating every year. While a DoS attack is launched from a single machine against another, a DDoS attack uses a cluster of coordinated machines in different locations (a botnet) to attack the host, hence the name "distributed". Such attacks are therefore more difficult to detect and block, because the traffic arrives from many sources within a very short period.
For the cybercriminal, a denial of service (DoS) attack costs less and is easier to conduct.
What are the consequences of a DDoS attack? Who are the specific targets?
A DDoS attack is faster, and its impact on the host server is far more critical and devastating. If your website stops working for too long, you might lose valuable customers to competitors. You will lose your SEO ranking and internal links, not to mention the time spent restoring your website and the financial impact on revenue. It might damage your reputation in the market, and you might have to shut down your business for good.
Botnet-as-a-service operators usually target relatively large sites and the websites of government agencies. The retail sector is a chief target for such DDoS attacks. If you have a flourishing website, you are likely to be the target of a DDoS attack at some point.
Who conducts DDoS attacks and why?
Many hacktivists form groups to conduct DDoS attacks as a means of voicing their opinions on a certain topic (political, ethical, etc.) or of taking revenge on an organization. Sometimes, members of organized criminal groups do it to extort a large ransom.
Today, DDoS attackers can be hired on the dark web at a low price. Sometimes, companies hire these attackers to launch attacks that disrupt their competitors' services and redirect traffic to their own websites.
Other times, attackers conduct such attacks simply to show off their skills.
Types of DoS and DDoS
There are two broad types of attack.
Volumetric attacks
The attacker consumes the entire bandwidth, creating network congestion with massive volumes of traffic so that legitimate clients are unable to reach the target network. Most DDoS attacks are volumetric. They can range from 20 gigabytes per second to 2 terabytes per second in volume.
Application layer attacks
The attacker takes advantage of programming errors in the application and targets the application layer (layer 7 of the OSI model).
Attackers often combine these attack types to maximize their impact on the target.
Examples of specific attacks
In this volumetric attack scenario (Figure 2), the perpetrators are not trying to exploit a security flaw in your website but to break it with a high volume of requests. They flood the target with synchronization (SYN) packets sent simultaneously from many machines. The victim replies to each with an acknowledgement (SYN-ACK) packet, but the attacker never sends the final ACK to complete the three-way handshake, so each half-open connection is kept waiting until the victim's server exhausts its resources. This causes the performance of the victim's web server to degrade considerably.
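As an added example (not from this article), the following Python model shows why the half-open connections described above hurt and how SYN cookies remove their cost: the classic listener stores an entry per SYN, while the cookie listener encodes the handshake in the server's initial sequence number and stores nothing until the final ACK arrives. SECRET, BACKLOG_LIMIT, the addresses and the MAC-based cookie are simplified assumptions; real stacks also encode the MSS in the cookie and use random ISNs.

```python
import hashlib
import hmac

# Constructed model of the server side of the TCP handshake; no sockets are involved.
# SECRET and BACKLOG_LIMIT are assumptions, the latter tiny so exhaustion is visible.
SECRET = b"constructed-demo-secret"
BACKLOG_LIMIT = 4


class ClassicListener:
    """Allocates a half-open entry per SYN and keeps it until the ACK (or a timeout)."""
    def __init__(self):
        self.half_open, self.dropped = {}, 0

    def on_syn(self, peer, client_isn, minute):
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped += 1                 # backlog full: the SYN, spoofed or honest, is lost
            return None
        self.half_open[peer] = server_isn = (client_isn * 7919) & 0xFFFFFFFF  # stand-in for a random ISN
        return server_isn                     # sent in the SYN-ACK; the entry now costs memory

    def on_ack(self, peer, client_isn, ack_number, minute):
        server_isn = self.half_open.pop(peer, None)
        return server_isn is not None and ack_number == (server_isn + 1) & 0xFFFFFFFF


class CookieListener:
    """Stores nothing per SYN: the server ISN is a MAC over peer, client ISN and a time slot."""
    @staticmethod
    def cookie(peer, client_isn, minute):
        msg = f"{peer}:{client_isn}:{minute}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, peer, client_isn, minute):
        return self.cookie(peer, client_isn, minute)   # carried in the SYN-ACK, nothing stored

    def on_ack(self, peer, client_isn, ack_number, minute):
        # client_isn is read back from the ACK's sequence number; the previous time slot
        # is also accepted so a slow but honest client still completes the handshake.
        return any((self.cookie(peer, client_isn, m) + 1) & 0xFFFFFFFF == ack_number
                   for m in (minute, minute - 1))


def honest_client_connects(listener, flood_size):
    """Send flood_size spoofed SYNs that are never acknowledged, then run one honest handshake."""
    for i in range(flood_size):
        listener.on_syn(("203.0.113.%d" % (i % 250), 40000 + i), 1000 + i, minute=10)
    peer, isn = ("198.51.100.7", 51515), 5000
    server_isn = listener.on_syn(peer, isn, minute=10)
    return server_isn is not None and listener.on_ack(peer, isn, (server_isn + 1) & 0xFFFFFFFF, minute=11)
```

With the classic listener the honest client is refused as soon as the tiny backlog is full, while the cookie listener still completes the handshake after a flood a thousand times larger because no state was allocated per SYN.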
The goal of an amplification attack is to exploit an amplification factor that magnifies the possible impact. The attackers use a slightly different technique (Figure 3) to saturate the victim's network bandwidth by inflating the traffic directed at it. They abuse open Domain Name System (DNS) resolvers by sending small forged requests whose source address is set to the target's IP address. The resolver takes the target machine to be the source of the requests and sends its much larger responses there. DNS amplification is a popular example of an amplification attack, but not all amplification attacks exploit DNS. The smurf attack, for example, is another type of amplification attack that relies on a router serving a broadcast network.
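Seen from the target, reflected DNS traffic is a stream of answers that nobody on the host asked for. The following added example (not part of the article) classifies constructed flow records into solicited and unsolicited port-53 responses, which is the signal a defender can alert on; OUR_IP, QUERY_WINDOW, ALERT_REFLECTORS and the sample addresses are assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src_ip src_port dst_ip dst_port size")

OUR_IP = "198.51.100.7"      # assumption: the address being defended
QUERY_WINDOW = 5.0           # assumption: seconds a sent query stays "outstanding"
ALERT_REFLECTORS = 3         # assumption: distinct unsolicited senders before alerting

# Constructed sample: two honest lookups with their answers, then responses from
# resolvers this host never queried (the reflected traffic described above).
SAMPLE_FLOWS = [
    Flow(0.0, OUR_IP, 53111, "192.0.2.10", 53, 64),     # our query
    Flow(0.1, "192.0.2.10", 53, OUR_IP, 53111, 180),    # matching answer
    Flow(1.0, OUR_IP, 53112, "192.0.2.11", 53, 70),
    Flow(1.2, "192.0.2.11", 53, OUR_IP, 53112, 210),
    Flow(2.0, "203.0.113.5", 53, OUR_IP, 80, 3500),     # no query was ever sent here
    Flow(2.0, "203.0.113.6", 53, OUR_IP, 80, 3400),
    Flow(2.1, "203.0.113.7", 53, OUR_IP, 443, 3600),
    Flow(2.1, "203.0.113.5", 53, OUR_IP, 80, 3500),
]


def classify_dns_responses(flows):
    """Split inbound port-53 traffic into answers we asked for and unsolicited responses."""
    outstanding = {}                 # (resolver_ip, our_port) -> time the query left
    solicited, unsolicited = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src_ip == OUR_IP and f.dst_port == 53:
            outstanding[(f.dst_ip, f.src_port)] = f.ts
        elif f.dst_ip == OUR_IP and f.src_port == 53:
            sent = outstanding.pop((f.src_ip, f.dst_port), None)
            matched = sent is not None and f.ts - sent <= QUERY_WINDOW
            (solicited if matched else unsolicited).append(f)
    return solicited, unsolicited


def reflection_report(flows):
    """Summarise unsolicited DNS responses: bytes received, distinct reflectors, alert flag."""
    _, unsolicited = classify_dns_responses(flows)
    reflectors = sorted({f.src_ip for f in unsolicited})
    return {
        "unsolicited_bytes": sum(f.size for f in unsolicited),
        "reflectors": reflectors,
        "alert": len(reflectors) >= ALERT_REFLECTORS,
    }
```

The reflectors themselves are usually misconfigured third-party resolvers rather than the attacker, so the report is input for upstream filtering of unsolicited port-53 responses, not for blocking the resolvers' owners.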
Slowloris is an application layer attack in which the attacker periodically sends incomplete but well-formed HTTP GET requests to the targeted web server. This keeps the connections open and slowly and methodically devours the web server's connection slots, blocking all other legitimate requests.
How to know if your site is being DDoS-ed?
Apart from explicit threats from hacktivists, there are several other signs of being under a DDoS attack: for example, customers complaining that your website has been inaccessible for an extended period, or an irregular spike in website traffic in your logs. The latter is genuinely hard to interpret, because it could also be legitimate traffic.
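One way to turn the "irregular spike" sign into a concrete check, as an added example that is not part of the article: it parses constructed access-log lines in the common combined format, compares each minute's request count against the median of the other minutes, and reports how many distinct sources were involved so that a single-source flood and a distributed one can be told apart. The thresholds and sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, path="/", status=200):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: five quiet minutes (3 requests each from a few regulars), then
# 300 requests in one minute from 200 different addresses.
SAMPLE_LOG = (
    [_line("198.51.100.%d" % (i % 5 + 1), "10/Mar/2024:10:0%d:00 +0000" % m) for m in range(5) for i in range(3)]
    + [_line("203.0.113.%d" % (i % 200), "10/Mar/2024:10:05:%02d +0000" % (i % 60)) for i in range(300)]
)


def requests_per_minute(lines):
    """Bucket parsed requests by minute: {minute -> Counter(source ip -> requests)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # lines the regex cannot parse are skipped
        ts = datetime.strptime(m["ts"], TS_FMT).replace(second=0)
        buckets[ts][m["ip"]] += 1
    return buckets


def flag_spikes(lines, factor=10, min_requests=50):
    """Flag minutes whose request count exceeds factor x the median of the other minutes.
    Returns [(minute, requests, distinct sources)]; many sources hints at a botnet."""
    buckets = requests_per_minute(lines)
    counts = {t: sum(c.values()) for t, c in buckets.items()}
    flagged = []
    for t, n in sorted(counts.items()):
        others = sorted(v for u, v in counts.items() if u != t) or [0]
        baseline = others[len(others) // 2]
        if n >= min_requests and n > factor * baseline:
            flagged.append((t.strftime("%H:%M"), n, len(buckets[t])))
    return flagged
```

A flash crowd produces the same shape, so a flagged minute is a prompt to look at the request mix (paths, user agents, referrers) rather than proof of an attack.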