Flooding the System: An Introduction to DDoS Attacks

Businesses across Canada have likely heard quite a bit about distributed denial of service (DDoS) attacks in the past year. The first three months of 2015 saw twice as many DDoS attacks as the same period the year before. Knowing how to secure your organization against DDoS attacks is key to protecting your brand reputation and preserving customer trust, but it’s first important to understand how DDoS attacks work and why they happen.

Information overload

The goal of DDoS attacks is to limit legitimate traffic from accessing an organization’s online assets and resources. While DDoS attacks come in a variety of flavours, you should be aware of two common categories:

• Volumetric attacks: Also known as network floods, these simple yet effective attacks rely on the brute force of thousands of simultaneous information requests that clog a target’s Internet ‘pipe’, congesting their network and making their website inaccessible to the majority of their users. It’s like a massive bumper-to-bumper online traffic jam where four lanes of traffic have to merge into a single lane.

• Low-and-slow attacks: These attacks use smaller volumes of carefully-crafted information requests over a longer period of time – making them harder to detect. They focus on consuming the available memory or processing power of an application or server, gradually exhausting the computing resources of load balancers, servers and firewalls. Tied up by this illegitimate traffic, their ability to deal with real requests becomes limited – causing the infrastructure to run inefficiently or even crash.

In both cases, the attack usually mimics legitimate traffic to escape detection, but the end result is the same: the system or application slows to a crawl or stops working altogether, which can keep users from accessing the affected organization’s online services.

An army of bots

DDoS attacks are called ‘distributed’ because the requests come from hundreds or even thousands of sources at once, rather than from a single computer. This approach typically relies on a ‘botnet’ – a network of malware-infected computers – to launch a coordinated assault on a particular target.

Most botnets are created through specially designed malware, which is spread to as many computers as possible through malicious attachments, web scripts and other tools. Any computer that runs the malware becomes part of the botnet, linked up to its command-and-control server and awaiting further instructions.

Because the malware comes to life only when directed by the command-and-control server, most people have no idea their computer is part of a botnet. The U.S. Federal Bureau of Investigation estimates some  500 million computers are infected globally each year, with 18 new bots created every second.

That said, creating a botnet can take a long time. Fortunately for cyber criminals, several underground ‘DDoS-for-hire’ services have popped up in recent years, making it possible to rent existing botnet infrastructures or even pay someone to launch an end-to-end attack on a target of their choosing. The cost? Only a few dollars per week – meaning anybody with a credit card and a motive can quickly and easily launch an attack.

Establishing a motive

Most DDoS attacks are driven by personal or political reasons, from ‘hacktivism’ (in protest against governments or companies the attacker dislikes) to vandalism. But because they are so disruptive and difficult to stop, the threat of an attack is sometimes used to extort money from victims.

DDoS attacks can also be used as diversions for more expensive attacks; while IT teams are focused on the website or server outage, it’s easier to break into the internal network to steal valuable personal or financial data.

Warning signs

Spiking bandwidth consumption is often a sign of a DDoS attack, yet not every company has the in-house capabilities to detect such changes in real time. In a survey conducted by Corero Network Security, 21% of respondents said customer complaints were their primary indicator of an attack. Only 14% were alerted to an attack by an application failure while another 14% mentioned infrastructure failure. All told, nearly half of the companies surveyed responded reactively, working to stop an attack well after the damage had already been done.

The bottom line 

As DDoS attacks become more frequent and larger in scope, it becomes increasingly difficult for security and IT teams to defend against and respond to them manually. This is why security experts recommend a combination of on-premises security as well as network or cloud-based security that can automatically detect, mitigate and filter DDoS attacks before they even have a chance to reach your corporate network.

In future posts, I’ll cover the direct and indirect damage DDoS attacks can inflict on a business, how you can properly defend your organization, and compare the pros and cons of network- and cloud-based DDoS security solutions.

Do you have additional questions about how DDoS attacks work? Please let us know in the comments, below.

By Corey Still, Network and Cyber Security Professional at Bell