Emerging Threats

What is a distributed denial of service attack (DDoS) and what can you do about them?

A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers,” it generally means it has become a victim of a DDoS attack. In short, this means that hackers have attempted to make a website or computer unavailable by flooding or crashing the website with too much traffic.

What are distributed denial-of-service attacks (DDoS)?

Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm them with more traffic than the server or network can accommodate. The goal is to render the website or service inoperable.

The traffic can consist of incoming messages, requests for connections, or fake packets. In some cases, the targeted victims are threatened with a DDoS attack or attacked at a low level. This may be combined with an extortion threat of a more devastating attack unless the company pays a cryptocurrency ransom. In 2015 and 2016, a criminal group called the Armada Collective repeatedly extorted banks, web host providers, and others in this way.

Examples of DDoS attacks

Here’s a bit of history and two notable attacks.

In 2000, Michael Calce, a 15-year-old boy who used the online name “Mafiaboy,” launched one of the first recorded DDoS attacks. Calce hacked into the computer networks of a number of universities. He used their servers to operate a DDoS attack that crashed several major websites, including CNN, E-Trade, eBay, and Yahoo. Calce was convicted of his crimes in the Montreal Youth Court. As an adult, he became a “white-hat hacker” identifying vulnerabilities in the computer systems of major companies.

More recently, in 2016, Dyn, a major domain name system provider — or DNS — was hit with a massive DDoS attack that took down major websites and services, including AirBnB, CNN, Netflix, PayPal, Spotify, Visa, Amazon, The New York Times, Reddit, and GitHub.

The gaming industry has also been a target of DDoS attacks, along with software and media companies.

DDoS attacks are sometimes done to divert the attention of the target organization. While the target organization focuses on the DDoS attack, the cybercriminal may pursue a primary motivation such as installing malicious software or stealing data.

DDoS attacks have been used as a weapon of choice of hacktivists, profit-motivated cybercriminals, nation states and even — particularly in the early years of DDoS attacks — computer whizzes seeking to make a grand gesture.

How do DDoS attacks work?

The theory behind a DDoS attack is simple, although attacks can range in their level of sophistication. Here’s the basic idea. A DDoS is a cyberattack on a server, service, website, or network floods it with Internet traffic. If the traffic overwhelms the target, its server, service, website, or network is rendered inoperable.

Network connections on the Internet consist of different layers of the Open Systems Interconnection (OS) model. Different types of DDoS attacks focus on particular layers. A few examples:

  • Layer 3, the Network layer. Attacks are known as Smurf Attacks, ICMP Floods, and IP/ICMP Fragmentation. 
  • Layer 4, the Transport layer. Attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
  • Layer 7, the Application layer. Mainly, HTTP-encrypted attacks.

Botnets

The primary way a DDoS is accomplished is through a network of remotely controlled, hacked computers or bots. These are often referred to as “zombie computers.” They form what is known as a “botnet” or network of bots. These are used to flood targeted websites, servers, and networks with more data than they can accommodate.

The botnets may send more connection requests than a server can handle or send overwhelming amounts of data that exceed the bandwidth capabilities of the targeted victim. Botnets can range from thousands to millions of computers controlled by cybercriminals. Cybercriminals use botnets for a variety of purposes, including sending spam and forms of malware such as ransomware. Your computer may be a part of a botnet, without you knowing it.

Increasingly, the millions of devices that constitute the ever-expanding Internet of Things (IoT) are being hacked and used to become part of the botnets used to deliver DDoS attacks. The security of devices that make up the Internet of Things is generally not as advanced as the security software found in computers and laptops. That can leave the devices vulnerable for cybercriminals to exploit in creating more expansive botnets.

The 2016 Dyn attack was accomplished through Mirai malware, which created a botnet of IoT devices, including cameras, smart televisions, printers and baby monitors. The Mirai botnet of Internet of Things devices may be even more dangerous than it first appeared. That’s because Mirai was the first open-source code botnet. That means the code used to create the botnet is available to cybercriminals who can mutate it and evolve it for use in future DDoS attacks.

Traffic flood

Botnets are used to create an HTTP or HTTPS flood. The botnet of computers is used to send what appear to be legitimate HTTP or HTTPS requests to attack and overwhelm a webserver. HTTP — short for HyperText Transfer Protocol — is the protocol that controls how messages are formatted and transmitted. An HTTP request can be either a GET request or a POST request. Here’s the difference:

  • A GET request is one where information is retrieved from a server.
  • A POST request is one where information is requested to be uploaded and stored. This type of request requires greater use of resources by the targeted web server.

While HTTP floods using POST requests use more resources of the web server, HTTP floods using GET requests are simpler and easier to implement.

DDoS attacks can be purchased on black markets

Assembling the botnets necessary to conduct DDoS attacks can be time-consuming and difficult.

Cybercriminals have developed a business model that works this way: More sophisticated cybercriminals create botnets and sell or lease them to less sophisticated cybercriminals on the dark web — that part of the Internet where criminals can buy and sell goods such as botnets and stolen credit card numbers anonymously.

The dark web is usually accessed through the Tor browser, which provides an anonymous way to search the Internet. Botnets are leased on the dark web for as little as a couple of hundred dollars. Various dark web sites sell a wide range of illegal goods, services, and stolen data.

In some ways, these dark web sites operate like conventional online retailers. They may provide customer guarantees, discounts, and user ratings.

What are the symptoms of a DDoS attack?

DDoS attacks have definitive symptoms. The problem is, the symptoms are so much like other issues you might have with your computer — ranging from a virus to a slow Internet connection — that it can be hard to tell without professional diagnosis. The symptoms of a DDoS include:

  • Slow access to files, either locally or remotely
  • A long-term inability to access a particular website
  • Internet disconnection
  • Problems accessing all websites
  • Excessive amount of spam emails

Most of these symptoms can be hard to identify as being unusual. Even so, if two or more occur over long periods of time, you might be a victim of a DDoS.

Types of DDoS attacks

DDoS attacks generally consist of attacks that fall into one or more categories, with some more sophisticated attacks combining attacks on different vectors. These are the categories:

  • Volume Based Attacks. These send massive amounts of traffic to overwhelm a network’s bandwidth.
  • Protocol Attacks. These are more focused and exploit vulnerabilities in a server’s resources.
  • Application Attacks. are the most sophisticated form of DDoS attacks, focusing on particular web applications.

Here’s a closer look at different types of DDoS attacks.

TCP Connection Attacks

TCP Connection Attacks or SYN Floods exploit a vulnerability in the TCP connection sequence commonly referred to as the three-way handshake connection with the host and the server.

Here’s how. The targeted server receives a request to begin the handshake. In a SYN Flood, the handshake is never completed. That leaves the connected port as occupied and unavailable to process further requests. Meanwhile, the cybercriminal continues to send more and more requests overwhelming all open ports and shutting down the server.

Application Attacks

Application layer attacks — sometimes referred to as Layer 7 attacks — target applications of the victim of the attack in a slower fashion. That way, they may initially appear as legitimate requests from users, until it is too late, and the victim is overwhelmed and unable to respond. These attacks are aimed at the layer where a server generates web pages and responds to http requests.

Often, Application level attacks are combined with other types of DDoS attacks targeting not only applications, but also the network and bandwidth. Application layer attacks are particularly threatening. Why? They’re inexpensive to operate and more difficult for companies to detect than attacks focused on the network layer.

Fragmentation Attacks

Fragmentation Attacks are another common form of a DDoS attack. The cybercriminal exploits vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller packets, transferred across a network, and then reassembled. In Fragmentation attacks, fake data packets unable to be reassembled, overwhelm the server.

In another form of Fragmentation attack called a Teardrop attack, the malware sent prevents the packets from being reassembled. The vulnerability exploited in Teardrop attacks has been patched in the newer versions of Windows, but users of outdated versions would still be vulnerable.

Volumetric Attacks

Volumetric Attacks are the most common form of DDoS attacks. They use a botnet to flood the network or server with traffic that appears legitimate, but overwhelms the network’s or server’s capabilities of processing the traffic.

Types of DDoS Amplification

In a DDoS Amplification attack, cybercriminals overwhelm a Domain Name System (DNS) server with what appear to be legitimate requests for service. Using various techniques, the cybercriminal is able to magnify DNS queries, through a botnet, into a huge amount of traffic aimed at the targeted network. This consumes the victim’s bandwidth.

Chargen Reflection

A variation of a DDoS Amplification attack exploits Chargen, an old protocol developed in 1983. In this attack, small packets containing a spoofed IP of the targeted victim are sent to devices that operate Chargen and are part of the Internet of Things. For instance, many Internet-connected copiers and printers use this protocol. The devices then flood the target with User Datagram Protocol (UDP) packets, and the target is unable to process them.

DNS Reflection

DNS Reflection attacks are a type of DDoS attack that cybercriminals have used many times. The susceptibility to this type of attack is generally due to consumers or businesses having routers or other devices with DNS servers misconfigured to accept queries from anywhere instead of DNS servers properly configured to provide services only within a trusted domain.

The cybercriminals then send spoofed DNS queries that appear to come from the target’s network so when the DNS servers respond, they do so to the targeted address. The attack is magnified by querying large numbers of DNS servers.

Check out the DDoS Digital Attack Map

The Digital Attack Map was developed by Arbor Networks ATLAS global threat intelligence system. It uses data collected from more than 330 ISP customers anonymously sharing network traffic and attack information

Take a look at the Digital Attack Map. It enables you to see on a global map where DDoS attacks are occurring with information updated hourly.

How to protect yourself from Distributed Denial of Service attacks

Protecting yourself from a DDoS attack is a difficult task. Companies have to plan to defend and mitigate such attacks. Determining your vulnerabilities is an essential initial element of any protection protocol.

Method 1: Get a protection product for your business

Symantec Complete Website Security’s Distributed Denial of Service (DDoS) protection can provide significant protection from DDoS attacks for your business.

Symantec’s protection is easy to implement and does not require any on-site hardware of software, and no changes need to be made to your hosting provider or applications.

Symantec Complete Website Security’s DDoS protection stops attacks at Symantec’s network, screens out the bogus traffic, while your legitimate users maintain access to your website uninterrupted.

Symantec Complete Website Security’s DDoS protection provides comprehensive protection against a variety of DDoS threats such as Brute force attacks, spoofing, zero-day DDoS attacks, and attacks targeting DNS servers.

Method 2: Take quick action

The earlier a DDoS attack in progress is identified, the more readily the harm can be contained. Companies should use technology or anti-DDoS services that can assist you in recognizing legitimate spikes in network traffic and a DDoS attack.

If you find your company is under attack, you should notify your ISP provider as soon as possible to determine if your traffic can be re-routed. Having a backup ISP is also a good idea. Also, consider services that disperse the massive DDoS traffic among a network of servers rendering the attack ineffective.

Internet Service Providers will use Black Hole Routing which directs traffic into a null route sometimes referred to as a black hole when excessive traffic occurs thereby keeping the targeted website or network from crashing, but the drawback is that both legitimate and illegitimate traffic is rerouted in this fashion.

Method 3: Configure firewalls and routers

Firewalls and routers should be configured to reject bogus traffic and you should keep your routers and firewalls updated with the latest security patches. These remain your initial line of defense.

Application front end hardware which is integrated into the network before traffic reaches a server analyzes and screens data packets classifying the data as priority, regular or dangerous as they enter a system and can be used to block threatening data.

Method 4: Consider artificial intelligence

While present defenses of advanced firewalls and intrusion detection systems are common, AI is being used to develop new systems.

The systems that can quickly route Internet traffic to the cloud, where it’s analyzed, and malicious web traffic can be blocked before it reaches a company’s computers. Such AI programs could identify and defend against known DDoS indicative patterns. Plus, the self-learning capabilities of AI would help predict and identify future DDoS patterns.

Researchers are exploring the use of blockchain, the same technology behind Bitcoin and other cryptocurrencies to permit people to share their unused bandwidth to absorb the malicious traffic created in a DDoS attack and render it ineffective.

Method 5: Secure your Internet of Things devices

This one is for consumers. To keep your devices from becoming a part of a botnet, it’s smart to make sure your computers have trusted security software. It’s important to keep it updated with the latest security patches.

If you have IoT devices, you should make sure your devices are formatted for the maximum protection. Secure passwords should be used for all devices. Internet of Things devices have been vulnerable to weak passwords, with many devices operating with easily discovered default passwords. A strong firewall is also important.

Protecting your devices is an essential part of Cyber Safety.

Victim of a data breach? LifeLock monitors for identity theft and threats.

Norton joined forces with LifeLock, we offer a comprehensive digital safety solution that helps protect your devices, connections and identity.


Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Norton by Symantec is now Norton LifeLock. LifeLock™ identity theft protection is not available in all countries.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, the Checkmark logo, Norton, Norton by Symantec, LifeLock and the LockMan logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the United States and other countries. App Store is a service mark of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution Licence. Other names may be trademarks of their respective owners.