Of all the threats plaguing the modern digital landscape, few are as disruptive – or as difficult to combat – as Distributed Denial of Service (DDoS) attacks.
Designed to flood a target server with requests until it crashes, a well-executed DDoS can quickly render a website useless, making it a perfect weapon of choice for anyone with political, commercial or personal motives in today’s digital-first world. To make matters worse, DDoS attacks are steadily growing more potent and becoming more frequent, with research indicating that as many as 17,700 attacks are carried out every single day.
Here at Emsisoft, we’re all too familiar with the growing threat of DDoS attacks. Our efforts to eradicate malware often draw the ire of cyber criminals, even going as far as attempting to bring our systems down with a flood of traffic. In January 2017, for example, our ransomware decrypter portal was hit, following our release of a decrypter for MRCR ransomware.
Looks like someone DDoSes our decrypter site. Coincides with MRCR devs showing up in our forums. Guess I pissed someone off again. ¯\_(ツ)_/¯
— Fabian Wosar (@fwosar) January 28, 2017
Thankfully, our defenses were up to the challenge and we emerged unscathed, but many others are not as fortunate.
You might have heard that it’s not possible to prevent DDoS attacks. While that’s somewhat true, the good news is that there are precautions you can take to reduce your chances of becoming a victim.
In this post, we will share everything there is to know about DDoS attacks and, most importantly, what you can do to minimize damage from potential attacks.
What is a DDoS attack?
A conventional denial of service attack relies on using one internet-connected device to saturate a target server’s bandwidth and render a website unusable.
A DDoS attack is very similar to a DoS attack, except that instead of relying on one device it uses many (hundreds or even thousands of) internet-connected devices distributed around the world to carry out the attack. These devices typically take the form of a botnet (otherwise known as a zombie army): a group of machines that have been infected with a type of malware which grants the attacker the ability to control the compromised machines remotely. The distributed nature of a DDoS attack makes it difficult to stop, as there are simply too many sources to block.
How does a DDoS attack work?
While there are a few different types of DDoS attacks (more on that later), they all share a similar goal: disrupting the operations of a specific website and making it inaccessible or dysfunctional to regular users.
A traditional DDoS attack might look something like this:
- Spread the malware: Cybercriminals release malware that is designed to spread via the internet and infiltrate computers without being noticed. Common methods of infection include email attachments, drive-by downloads and links in social media posts.
- Build the botnet: The malware lies dormant until required, meaning hackers can give commands to compromised machines without the knowledge of the owner. Less commonly, people may voluntarily offer their devices for use in a botnet if they are working toward a collective goal. Hacktivist group Anonymous has been known to use voluntary botnets to carry out some of their campaigns. You can get more insight into how botnets work in our previous blog post.
- Execute the attack: Once sufficient devices have been recruited into the botnet, the cybercriminals command every device under their control to simultaneously send traffic to a target website.
- Target site faces tremendous traffic: The botnet bombards the target site with requests. The amount of traffic that DDoS attacks are able to produce has continued to increase over the years. In the first quarter of 2017, almost 6 in 10 DDoS attacks exceeded 1 Gbps – the threshold at which most websites will be forced offline.
- Target site is taken offline: If the attack is successful, the target site is knocked offline, resulting in enormous disruption for regular site visitors.
Unfortunately, many cybercriminals are now able to skip the first step entirely and move straight to launching the attack. The advent of booters (often operating under the guise of ‘stress testers’), services that provide DDoS attacks on demand to paying customers, means that just about anyone can initiate a DDoS attack and wreak untold havoc on the target of their choosing. To make matters worse, booters are surprisingly affordable; a 24-hour attack on a non-government site costs just $400, or less than $17 an hour.
As you might imagine, a large-scale attack can have a devastating effect on a company’s finances. A recent study of 1,010 organizations found that peak time DDoS disruptions can result in revenue losses of more than $100,000 per hour.
Understanding the different types of DDoS attacks
There are many different styles of DDoS attacks, which can be classified according to the type and volume of traffic they leverage and the vulnerability they exploit.
1. Volumetric attacks
The most common type of DDoS attack, a volumetric attack relies on a botnet to send massive amounts of traffic to a target site. As the target’s bandwidth is overwhelmed, network operations grind to a crawl or are taken offline entirely. Some examples of volumetric attacks include UDP Flood, DNS Amplification, ICMP Flood and TCP Flood, among many others.
2. Protocol attacks
This type of attack exhausts server resources by taking advantage of weaknesses in the Layer 3 and Layer 4 protocol stack (the network and transport layers). SYN flood and the notorious Ping of Death both fall under this category.
3. Application layer attacks
Perhaps due to their technical complexity, application layer (Layer 7) attacks are the least common type of DDoS attack, but they’re also the most difficult to deal with. This type of attack consumes server resources with requests aimed at the web application itself, which look legitimate at the network level but disrupt data transmission once the application tries to serve them.
Why would someone want to carry out a DDoS attack?
Some forms of cybercrime have fairly straightforward objectives (ransomware, for example, is clearly financially motivated), but when it comes to DDoS attacks the motives are a little less clear cut. Nevertheless, if we look at the history of DDoS attacks, we can see some patterns emerging that explain why someone might want to carry out such an attack:
1. Social activism
It’s not often that cybercrime is used for good, but there is a certain segment of the hacking community that uses DDoS attacks to disrupt organizations that it believes are operating unethically or immorally. While the media often glorifies these types of socially motivated DDoS attacks, they are nevertheless illegal, rarely effective in the long run and often dubiously justified.
One high-profile example of such an attack occurred in 2008 when hacktivist group Anonymous launched a DDoS attack against the Church of Scientology in response to the latter’s alleged abuse of copyright laws.
2. Extortion
Hackers are also finding ways to monetize their DDoS attacks, namely through extortion. The criminals demonstrate their power by initiating a small attack and sending the victim a ransom note demanding a payment in bitcoin. If the organization pays up, the hackers relent; if it doesn’t, the hackers ramp up the attack.
While most ransom payments for DDoS extortion are four or five figures, some are substantially larger. For instance, in June 2017, cybercrime group Armada Collective issued ransom notes to seven South Korean banks demanding a total of $315,000 if they wished to avoid downtime at the hands of a DDoS attack.
3. Political reasons
The fact that a DDoS attack can disrupt critical services makes it an ideal weapon to influence political outcomes. The groups carrying out these types of attacks are often state-sponsored and have enormous resources at their disposal.
DDoS attacks were used extensively in Hong Kong during the Occupy Central movement in 2014. The websites Apple Daily and Pop Vote, which staunchly supported the movement, faced DDoS attacks of up to 500 Gbps which, at the time, were known to be some of the largest attacks to have ever taken place.
4. Notoriety
Another factor that inspires criminals to execute a DDoS attack is simple notoriety and the excitement that comes from taking down a website. Many digital vandals want to be known and accepted by their peers in the community, despite the fact that more advanced hackers have little respect for those using simple pre-made DDoS scripts and/or booter services.
5. Commercial edge
As ecommerce continues to take over the world, online stores are doing whatever it takes to stay one step ahead of the competition, even if it means resorting to cybercrime. A well-timed DDoS attack against a competitor on the day of a sale or new product launch can hand a business an edge in its chosen market.
What can you do to protect yourself?
As it stands, it’s not possible to protect yourself completely from DDoS attacks. However, being proactive and following best IT security practices can help you reduce the risk of becoming a victim.
1. Monitor traffic levels
The most important step in limiting damage during a DDoS attack is to quickly identify when an attack is actually taking place. An effective way to do this is to monitor your website’s traffic levels and develop a good understanding of your average traffic and how much it fluctuates during peak times. After you have a decent idea of your site’s traffic numbers, set thresholds that will automatically alert you and/or your IT security team if exceeded.
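The baseline-and-threshold approach described above can be automated against ordinary web server access logs. The following is an added example, not code from the original post or from Emsisoft: it parses lines in the common access-log format (an assumption about your server's configuration), counts requests per minute, learns a baseline from the first few quiet minutes (mean plus three standard deviations, a constant chosen here for illustration), and raises an alert for any later minute that exceeds it. Because a DDoS is distinguished from a single-source DoS by the number of clients involved, each alert also reports how many distinct source addresses were seen. The log lines are constructed inside the script so it runs offline.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Matches a common/combined access-log line; we only need the client IP and timestamp.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (client_ip, minute_bucket) for one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(second=0)


def requests_per_minute(lines):
    """Aggregate log lines into minute -> Counter(client_ip -> request count)."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage instead of crashing the monitor on one bad line
        ip, minute = parsed
        buckets[minute][ip] += 1
    return buckets


def baseline_threshold(counts, k=3.0):
    """Alert threshold: mean of the quiet-period counts plus k standard deviations."""
    mean = statistics.mean(counts)
    stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return mean + k * stdev


def detect_surges(lines, baseline_minutes=5, k=3.0, min_sources=50):
    """Learn a baseline from the first minutes, then flag later minutes above it.

    min_sources is the (assumed) number of distinct clients above which a surge
    is labelled distributed rather than single-source.
    """
    buckets = requests_per_minute(lines)
    minutes = sorted(buckets)
    train, evaluate = minutes[:baseline_minutes], minutes[baseline_minutes:]
    threshold = baseline_threshold([sum(buckets[m].values()) for m in train], k)
    alerts = []
    for m in evaluate:
        total = sum(buckets[m].values())
        if total <= threshold:
            continue
        sources = len(buckets[m])
        alerts.append({
            "minute": m.strftime("%H:%M"),
            "requests": total,
            "sources": sources,
            "threshold": round(threshold, 1),
            "kind": "distributed" if sources >= min_sources else "single-source",
        })
    return alerts


def make_sample_log():
    """Constructed sample traffic: five quiet minutes, a surge from 300 addresses, then quiet again."""
    start = datetime(2017, 1, 28, 10, 0, tzinfo=timezone.utc)
    lines = []

    def emit(minute_offset, ip, second):
        ts = (start + timedelta(minutes=minute_offset, seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512')

    # Normal traffic: a handful of regular visitors, counts fluctuating a little.
    for minute, count in enumerate([20, 24, 22, 26, 23]):
        for j in range(count):
            emit(minute, f"198.51.100.{j % 10 + 1}", j % 60)
    # Minute 5: 300 requests, each from a different (constructed) address.
    for j in range(300):
        emit(5, f"10.0.{j // 250}.{j % 250 + 1}", j % 60)
    # Minute 6: back to normal levels.
    for j in range(27):
        emit(6, f"198.51.100.{j % 10 + 1}", j % 60)
    return lines


if __name__ == "__main__":
    for alert in detect_surges(make_sample_log()):
        print(alert)
```

In production you would feed `detect_surges` a sliding window of recent log lines (or, better, counters exported by your load balancer) and recompute the baseline periodically, since legitimate traffic drifts with the time of day; the static first-five-minutes baseline here only illustrates the idea.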
2. Talk to your ISP
DDoS protection should be high on your list of things to consider when choosing an ISP. Even if your provider does not offer preventative DDoS protection, you should still contact them during an attack to find out whether they are also being affected and whether they can reroute traffic to reduce the load on your site.
3. Invest in extra bandwidth
It won’t prevent a DDoS attack from happening, but investing in extra bandwidth can buy you the precious time you need to prepare for and deal with an attack.
As described above, DDoS attacks work by flooding your website with huge amounts of traffic. If you have more bandwidth than you need, your site can absorb at least part of the attack, giving you a head start on mitigating its effects.
4. Think about buying cloud-based DDoS protection
Professional cloud mitigation providers can be pricey but they do offer an effective layer of protection against DDoS attacks. These services have lots of bandwidth that is usually capable of accommodating even large DDoS attacks, and can filter out bogus traffic ensuring only ‘clean’ requests make it through to your server.
Google also offers its own form of DDoS protection: Project Shield. Completely free for news, human rights and elections monitoring websites, Project Shield safeguards your site by filtering harmful traffic and soaking up the rest with caching. Visit the Project Shield website to see if you’re eligible and find out how to apply.
5. Regularly update your software
Keeping your company’s software up to date is a critical part of combating cyberattacks, and DDoS attacks are no exception. Security vulnerabilities, such as the one found in WordPress versions 3.5 to 3.9, can make your organization more susceptible to DDoS attacks. The longer you go without updating, the greater the risk becomes.
You can also prevent your computer from unwittingly becoming part of a botnet and contributing to the plague of DDoS attacks. Engineered to identify and neutralize all forms of malware, Emsisoft Anti-Malware offers the anti-malware and antivirus protection you need to keep your system free from infection, and out of the hands of botnet masters who would like nothing more than to use your computer’s resources to carry out DDoS attacks against innocent organizations.
With DDoS attacks continuing to become more destructive and accessible, it’s vital that companies big and small have a good understanding of how the attacks work and what they can do to minimize the risk of becoming a victim.
Have you ever faced a DDoS attack or a similarly disruptive cyberattack? Let us know in the comments below!
Have a great (malware-free) day!