“Distributed Denial of Service” is a form of malicious attack designed to try and make a server or network resource unavailable to normal users. This is usually accomplished through interruption or suspension of the host’s connection to the web service.
Basically, DDoS attacks usually come in one of three forms:
Volume based attacks including UDP floods and ICMP floods. The goal of a volume-based attack is to saturate the victim site’s bandwidth so that it is unable to handle the attack and stops operating.
Protocol attack designed to target server resources using tactics such as SYN flooding and fragmented packet attacks.
Finally, application layer attack has become more common in recent months. This takes the form of a seemingly legitimate request targeting a specific aspect of the web server.
What’s the effect?
DDoS attacks are many and varied. While the attack methods may differ (as seen above), the goal is always to overwhelm the targeted website’s resources, with the aim of stopping its operations
There are several things that can result from this. If the website is an ecommerce venture, then they can potentially lose thousands of sales. They can also lose out on potential leads from customers. If a website relies on advertisements for revenue, it will lose traffic and therefore be questioned by sponsors. They may also receive bad publicity regarding their security protocols.
Like all forms of web security attacks, DDoS attacks have constantly changed and evolved over the last few years – as a result, DDoS protections must adapt quickly to counter these threats. Volume-based network layer attacks were originally the most common form of attack, using rendered target servers useless through large numbers. At its peak, this is a very effective tactic.
The more recent Application Layer (aka. Layer 7) attacks, however, are proof that hackers are ready to use their brains over brawn. Attacks are often disguised as legitimate traffic (sometimes through use of a headless browser), and focus on targeting individual features such as inquiry forms rather than entire websites. This more stealthy approach makes them much more difficult to intercept. Indeed, if perfectly orchestrated, application layer attacks are indistinguishable from normal traffic.
One recent attack, monitored by DDoS protection service provider Incapsula, provides a good indication of how DDoS attacks have progressed.
In terms of size, the attack was relatively small, monitored as 4Gbps and generating around 8 million DNS requests per second – enough to cripple an unprotected site, but not massive, when compared to other DDoS events.
The troubling thing about these attacks isn’t the volume, but the fact that they come from a single source: from the same network, of course, and possibly even from the same device. In terms of the amount of power coming from a single source, this is more or less unprecedented. In recent years, entire botnets have had to be mobilized to carry out attacks, using tens of thousands of devices at once. Now, it turns out, this can be done with just one machine.
It’s clear from the numbers involved in these attacks that the stakes are getting higher when it comes to DDoS. For example, if this attack uses amplification methods that are common across many attacks, a 200Gbps attack can be made using a single network or computer.
Botnets are always taken very seriously, and rightly so. However, these DDoS “cannon” style attacks are on a whole different level in terms of the firepower that can be generated from a single source. If this method is used with three or four computers simultaneously (as we can assume it will probably in the future), the consequences can be disastrous for even the largest websites.