Imagine someone calling your phone over and over again from different numbers so that you can't block them. You'd probably end up turning off your phone and becoming unreachable. This is roughly what a Distributed Denial of Service (DDoS) attack looks like: nothing is broken into, the victim is simply overwhelmed until it can no longer serve anyone.
DDoS attacks were here long before Steve Jobs presented his first iPhone. And they’re still extremely popular among hackers because they’re effective, easy to initiate, and leave little or no trace. So how can you defend against DDoS attacks? Can you ensure a high level of protection against DDoS attacks for your web servers and applications? In this article we’ll address how to prevent DDoS attacks and will look at some specific DDoS protection and prevention techniques.
Types and methods of DDoS attacks
A distributed denial of service attack, or simply DDoS, is a coordinated attack intended to render a victim’s resources unusable. It can be performed by either a group of hackers who coordinate their actions or with the help of multiple compromised devices connected to the internet. These devices that are under the attacker’s control are usually called a botnet.
There are a variety of tools for performing DDoS attacks: Trinoo, Stacheldraht, Shaft, Knight, Mstream, and so on. The availability of these tools is one of the reasons why DDoS attacks are so widespread and popular.
An attack may last from several minutes to several hours or even days. One of the longest DDoS attacks in recent years took place in January 2018 and lasted for nearly 300 hours, according to a report by Kaspersky Lab.
There are two common ways of launching a DDoS attack:
- Exploit software vulnerabilities – Attackers target known or unknown vulnerabilities and send malformed packets that make the victim's system crash or hang.
- Consume computational or communication resources – Attackers send massive volumes of legitimate-looking packets, consuming the victim's network bandwidth, CPU, or memory until the targeted system can no longer process requests from legitimate users.
While there’s no standard classification of DDoS attacks, we can divide them into four large groups:
- Volumetric (volume-based) attacks
- Protocol attacks
- Application attacks
- Zero-day attacks
Figure 1 shows one of the most common classifications of DDoS attacks.
Let’s take a closer look at each of these types of attacks.
Volumetric attacks try to block access to the end resource by flooding it with massive volumes of traffic, usually with the help of botnets and amplification techniques. The most common types of volumetric attacks are:
- UDP flood – Attackers send large numbers of User Datagram Protocol (UDP) packets to random ports on the victim. For every port with no listening application the victim has to check the port table and answer with an ICMP Destination Unreachable message, so both bandwidth and CPU are consumed. In the reflected variant the packets carry the victim's address as a forged source and are sent to third-party servers (DNS, NTP, memcached and similar UDP services), whose much larger replies are delivered to the victim; this is the basis of most amplification attacks.
- ICMP flood – Attackers send an extensive series of Internet Control Message Protocol (ICMP) echo requests (pings) in an attempt to exhaust the victim's bandwidth and the processing capacity needed to answer them.
In 2018, Netscout reported on one of the largest DDoS attacks so far: a customer of one US-based service provider faced a massive 1.7 Tbps reflection/amplification attack.
Protocol attacks target weaknesses in the way protocols work and were the second-most common attack vector according to Verisign's Q1 2018 DDoS Trends Report. The most common types of protocol attacks are:
- SYN flood – Attackers exploit the TCP three-way handshake. Normally a client sends a SYN, the server answers with a SYN-ACK and keeps a record of the half-open connection until the client's ACK arrives. In a SYN flood the attacker sends SYNs, usually with spoofed source addresses, and never completes the handshake, so the server's backlog of half-open connections fills up and new, legitimate connection attempts are dropped until the flood stops. The server rarely crashes; it simply stops accepting connections. SYN cookies, which let the server avoid keeping any state until a valid ACK arrives, are the standard countermeasure.
- Ping of death – Attackers send a ping whose fragments reassemble to a packet larger than the maximum IP packet size of 65,535 bytes. Systems that did not check this limit overflowed their reassembly buffers and froze or crashed. Modern operating systems are patched against the original attack, but the pattern recurs whenever a protocol stack mishandles oversized or malformed packets.
SYN flood was one of the five attack vectors used to take down an online gambling website back in 2014.
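The handshake weakness and the SYN-cookie countermeasure are easiest to see in a small model. The following Python simulation is an added example, not code from the original article or from Apriorit: a listener that stores half-open connections in a fixed backlog is flooded with spoofed SYNs and then visited by legitimate clients, and the same scenario is repeated against a listener that uses SYN cookies. The backlog size, the flood size, the addresses and the HMAC-based cookie construction are assumptions chosen for the illustration; a real SYN cookie also packs the client's MSS into the sequence number, which is omitted here.

```python
import hashlib
import hmac


class StatefulListener:
    """TCP listener that stores every half-open connection in a fixed backlog.

    This models the weakness a SYN flood exploits: each SYN costs the server a
    backlog slot that is only freed when the ACK arrives (or a timeout expires;
    timeouts are omitted here because the flood refills the backlog faster).
    """

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src, sport) -> ISN we sent in the SYN-ACK
        self.established = 0
        self.dropped = 0

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1    # backlog full: the SYN is silently discarded
            return None
        isn = 0x1000             # a fixed ISN is enough for the illustration
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        if isn is None or ack != ((isn + 1) & 0xFFFFFFFF):
            return False
        self.established += 1
        return True


class SynCookieListener:
    """Stateless listener: the ISN in the SYN-ACK is a keyed hash (the SYN
    cookie) of the peer and a coarse timestamp, so nothing is stored until a
    valid ACK proves the client really received our SYN-ACK."""

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock       # returns a coarse counter, e.g. minutes
        self.established = 0

    def _cookie(self, src, sport, t):
        msg = f"{src}:{sport}:{t}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit sequence number

    def on_syn(self, src, sport):
        return self._cookie(src, sport, self.clock())   # no state kept

    def on_ack(self, src, sport, ack):
        now = self.clock()
        for t in (now, now - 1):   # tolerate crossing a counter boundary
            if ack == ((self._cookie(src, sport, t) + 1) & 0xFFFFFFFF):
                self.established += 1
                return True
        return False


def simulate(listener, spoofed=1000, legit=50):
    """Flood the listener with spoofed SYNs that are never ACKed, then let
    `legit` well-behaved clients attempt a full handshake. Returns how many
    legitimate clients ended up with an established connection."""
    for i in range(spoofed):
        # Spoofed sources never see the SYN-ACK, so no ACK ever comes back.
        listener.on_syn(f"198.51.100.{i % 256}", 40000 + i)
    ok = 0
    for i in range(legit):
        src, sport = f"192.0.2.{i}", 50000 + i
        isn = listener.on_syn(src, sport)
        if isn is not None and listener.on_ack(src, sport, (isn + 1) & 0xFFFFFFFF):
            ok += 1
    return ok


if __name__ == "__main__":
    print("stateful, backlog 256:", simulate(StatefulListener(256)))
    print("SYN cookies:", simulate(SynCookieListener(b"k", lambda: 12345)))
```

Run it and the stateful listener serves none of the 50 legitimate clients while the SYN-cookie listener serves all 50, because the flood costs it nothing. On Linux the kernel switches to cookies when the backlog overflows if `net.ipv4.tcp_syncookies` is 1 (the default), and `net.ipv4.tcp_max_syn_backlog` sets the backlog the first listener models.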
Application attacks exploit weaknesses at Layers 6 and 7 of the protocol stack, targeting specific applications instead of the entire server. They usually target common ports and services such as DNS or HTTP. The most common application-level attacks are:
- HTTP flood – Using botnets, attackers flood an application or a web server with massive volumes of standard GET and POST requests. As these requests often appear as legitimate traffic, detecting an HTTP flood attack is quite a challenge.
- Slowloris – True to its name, Slowloris takes the victim's server down slowly and with very little traffic. The attacker opens many connections and sends a partial HTTP request on each one, then keeps adding header lines at timed intervals so the request never completes. The server keeps every connection open while it waits for the headers to finish, and once all of its worker slots are occupied it can no longer accept legitimate users. Because the attack exhausts connection slots rather than bandwidth, volume-based detection does not see it; per-connection header timeouts and per-IP connection limits are the usual defenses.
Hacktivists used Slowloris to take down government websites in Iran following the presidential election in 2009.
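Slowloris is defeated by policy on the server's connection table, not by looking at traffic volume. The following Python function is an added example (not the article's or Apriorit's code): it inspects each open connection for an unfinished header block and applies a header-read timeout and a per-IP connection cap, the same two controls that Apache's mod_reqtimeout and nginx's client_header_timeout and limit_conn implement. The connection table it runs over is constructed for the illustration, as are the timeout, the per-IP limit and the addresses.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    peer: str          # client IP
    opened_at: float   # seconds on a monotonic clock when accepted
    buf: bytes         # request bytes received so far


def headers_complete(buf: bytes) -> bool:
    """An HTTP/1.x request header block ends at the first empty line."""
    return b"\r\n\r\n" in buf


def slowloris_victims(conns, now, header_timeout=20.0, per_ip_limit=20):
    """Return [(conn, reason)] for connections that should be closed.

    Policy 1: a connection whose headers are still incomplete more than
              `header_timeout` seconds after accept is dropped. Slowloris
              keeps adding header lines, so the empty line never arrives.
    Policy 2: a single IP holding more than `per_ip_limit` connections
              loses all of them. Slowloris needs one connection per worker
              slot, which a single honest browser never does.
    """
    per_ip = {}
    for c in conns:
        per_ip[c.peer] = per_ip.get(c.peer, 0) + 1
    to_close = []
    for c in conns:
        if per_ip[c.peer] > per_ip_limit:
            to_close.append((c, "per-ip connection limit"))
        elif not headers_complete(c.buf) and now - c.opened_at > header_timeout:
            to_close.append((c, "header timeout"))
    return to_close


def sample_connections():
    """Constructed connection table (not real traffic) as of now = 100.0 s.

    203.0.113.7 is the Slowloris client: 25 connections, each 60 s old, each
    holding a partial header block that grows by one 'X-a: b' line at a time.
    198.51.100.3 is an honest but slow client on a bad link: 5 s old, partial.
    192.0.2.10 sent a complete request and is waiting for its response.
    """
    partial = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-a: b\r\nX-a: b\r\n"
    complete = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    conns = [Conn("203.0.113.7", 40.0, partial) for _ in range(25)]
    conns.append(Conn("198.51.100.3", 95.0, b"GET / HTTP/1.1\r\n"))
    conns.append(Conn("192.0.2.10", 99.0, complete))
    return conns


if __name__ == "__main__":
    for conn, reason in slowloris_victims(sample_connections(), now=100.0):
        print(f"close {conn.peer}: {reason}")
```

With the defaults the 25 Slowloris connections are closed by the per-IP cap and both honest clients survive; raise `per_ip_limit` and the same 25 fall to the header timeout instead, while the slow honest client is only cut off if it still has not finished its headers 20 seconds after connecting. In Apache the equivalent is `RequestReadTimeout header=20-40,MinRate=500` (mod_reqtimeout); in nginx it is `client_header_timeout 20s;` together with a `limit_conn` zone keyed by `$binary_remote_addr`. The per-IP cap carries the usual NAT caveat, so set it well above what one busy office behind a single address would open.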
Zero-day DDoS attacks
Alongside well-known attacks, there are also so-called zero-day DDoS attacks. They exploit unknown software vulnerabilities that haven't been patched yet or use an uncommon attack vector and, therefore, are much more difficult to detect and protect against. For instance, back in 2016, attackers exploited the Lightweight Directory Access Protocol (LDAP), using its connectionless variant over UDP as a reflector, to launch an attack with an amplification factor as high as 55.
Now let’s talk about ways of detecting a DDoS attack.
Detecting a DDoS attack
While it’s impossible to prevent DDoS attacks from happening altogether, there are effective practices that can help you detect and stop a DDoS attack that’s already underway.
Anomaly detection – Statistical models and machine learning algorithms such as neural networks, decision trees, and nearest neighbor can be used for analyzing network traffic and classifying traffic patterns as either normal or DDoS attacks. You can also search for anomalies in other network performance factors such as device CPU utilization or bandwidth use.
Knowledge-based methods – Using such methods as signature analysis, state transition analysis, expert systems, description scripts, and self-organizing maps, you can detect DDoS by comparing traffic to specific patterns of known attacks.
ACLs and firewall rules – Alongside ingress/egress traffic filtering, access control lists (ACLs) and firewall rules can be used for enhancing traffic visibility. In particular, you can analyze ACL logs to understand what kind of traffic runs through your network. You can also configure your web application firewall to block suspicious incoming traffic based on specific rules, signatures, and patterns.
Intrusion prevention and detection system alarms – Intrusion prevention systems (IPS) and intrusion detection systems (IDS) provide additional traffic visibility. Although they can produce a high rate of false positives, IPS and IDS alarms can be early indicators of anomalous and potentially malicious traffic.
Detecting an ongoing attack at an early stage helps you lessen its consequences. Beyond detection, you can take precautions that make it harder for attackers to overwhelm and crash your network. Using an effective anti-DDoS solution is one of these measures.
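As an added example of the anomaly-detection approach described above (not code from the original article or from Apriorit), the following Python script parses access-log lines in the common Apache/nginx format, counts requests per second, learns a baseline from the first ten seconds and flags any later second that exceeds the baseline mean plus three standard deviations, with an absolute floor so that a perfectly flat baseline does not alert on every blip. For each flagged second it also reports the top source and the most requested path, the two pivots an analyst needs next. The log lines are constructed inside the script; the baseline window, the k factor and the floor are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Apache/nginx combined log format; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def make_sample_log():
    """Constructed access-log lines (not real traffic): 10 s of quiet baseline
    traffic from a few clients, then a 3 s HTTP flood from 40 bot hosts that
    all hammer one URL, then quiet again."""
    def line(ip, sec, path):
        return f'{ip} - - [10/Mar/2018:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'

    lines = []
    baseline = [3, 2, 4, 3, 2, 3, 4, 2, 3, 3]          # requests in seconds 0..9
    for sec, n in enumerate(baseline):
        for k in range(n):
            lines.append(line(f"192.0.2.{k + 1}", sec, f"/page{k}.html"))
    for sec in (10, 11, 12):                           # the flood
        for bot in range(40):
            for _ in range(3):
                lines.append(line(f"198.51.100.{bot}", sec, "/search?q=x"))
    for sec in (13, 14):                               # back to normal
        for k in range(3):
            lines.append(line(f"192.0.2.{k + 1}", sec, "/page0.html"))
    return lines


def requests_per_second(lines):
    """Map each log timestamp (second resolution) to its (ip, path) events."""
    per_sec = defaultdict(list)
    for ln in lines:
        m = LOG_RE.match(ln)
        if not m:
            continue                                   # skip unparseable lines
        req = m.group("req").split(" ")
        path = req[1] if len(req) > 1 else "-"
        per_sec[m.group("ts")].append((m.group("ip"), path))
    return per_sec


def detect_flood(lines, baseline_secs=10, k=3.0, min_excess=20):
    """Flag seconds whose request count exceeds max(mean + k*std, mean + min_excess)
    of the baseline window. Each alert names the top source IP and the most
    requested path and that path's share of the second's traffic."""
    per_sec = requests_per_second(lines)
    ordered = sorted(per_sec)      # same day and hour here, so string order works
    base = [len(per_sec[t]) for t in ordered[:baseline_secs]]
    mean, std = statistics.mean(base), statistics.pstdev(base)
    threshold = max(mean + k * std, mean + min_excess)
    alerts = []
    for t in ordered[baseline_secs:]:
        events = per_sec[t]
        if len(events) > threshold:
            top_ip, _ = Counter(ip for ip, _ in events).most_common(1)[0]
            top_path, top_path_n = Counter(p for _, p in events).most_common(1)[0]
            alerts.append({
                "ts": t, "count": len(events), "threshold": round(threshold, 1),
                "top_ip": top_ip, "top_path": top_path,
                "path_share": round(top_path_n / len(events), 2),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_flood(make_sample_log()):
        print(a)
```

On the constructed log the baseline is 2.9 requests per second, so the three flood seconds at 120 requests each are flagged with `/search?q=x` at a 100% path share, which is the signature of a botnet replaying one request. Real deployments replace the fixed baseline with a rolling window (or an EWMA) and key the same statistic per path and per source, since a Layer 7 flood against one expensive endpoint can hide inside an unremarkable total.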
How to write an effective anti-DDoS solution
Whether you want to create your own anti-DDoS solution or you’re looking for a commercial DDoS attack protection system for your web application, here are some of the basic system requirements to keep in mind:
- Hybrid DDoS detection approach – A combination of signature-based and anomaly-based detection methods is key to detecting different types of DDoS attacks.
- Protection from Layer 3–4 and Layer 6–7 attacks – It's preferable if your solution can detect and mitigate all three main kinds of DDoS attacks: volumetric, protocol, and application.
- Effective traffic filtering – One of the biggest challenges of DDoS protection is to distinguish malicious requests from legitimate ones. It's hard to create effective filtering rules because the majority of requests involved in a DDoS attack look as if they're coming from legitimate users. Popular methods like per-IP rate limits usually produce a lot of false positives (many users behind a single NAT address share one IP, and legitimate clients are bursty), leading to legitimate users being blocked from your services and applications.
- SIEM integration – It’s important for your anti-DDoS solution to be well integrated with your SIEM systems so that you can gather information about attacks, analyze it, and use it to improve your DDoS protection and prevent future attacks from taking place.
If meeting these requirements seems too much of a challenge for you, consider turning to experts for help. You’ll need an experienced team of developers with deep understanding of cybersecurity, cloud services, and web applications in order to build a high-quality anti-DDoS solution. A team like that can be hard to assemble in-house, but you can always look for third parties such as Apriorit for assistance.
Preventing DDoS attacks
Even though you can’t prevent a DDoS attack from happening, it’s in your power to make it much harder for attackers to take your website or application down. This is where DDoS prevention techniques come into action. There are two groups of DDoS prevention mechanisms that you can use: general preventive measures and filtering techniques.
General DDoS prevention mechanisms are common measures that can help you make your web application or server more resilient to DDoS attacks. These measures include:
- Using firewalls – While firewalls won’t protect your app or server from complex DDoS attacks, they can still effectively handle simple ones.
- Installing the latest security patches – Most attacks target specific software or hardware vulnerabilities, so deploying all patches on time can help you lessen the risk of attack.
- Disabling unused services – The fewer applications and services hackers can possibly attack the better. Make sure to disable all unneeded and unused services and applications to improve the security of your network.
Filtering mechanisms use different approaches for filtering traffic and blocking potentially dangerous requests. These mechanisms include ingress/egress filtering (BCP 38: dropping packets whose source address could not legitimately arrive on that interface, which removes spoofed traffic at the network edge), history-based IP filtering (admitting only sources that were seen during normal operation while an attack is underway), and router-based packet filtering.
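The ingress/egress and history-based filters can be written in a few lines. The following Python code is an added example (not from the original article or from Apriorit): `ingress_ok` and `egress_ok` implement BCP 38 source-address validation for a network that is assumed, for the illustration, to own the documentation prefixes 203.0.113.0/24 and 2001:db8::/32, and `HistoryFilter` implements history-based IP filtering, admitting only sources seen regularly before the attack while an attack is in progress. The prefixes, the bogon list, the seven-day window and the two-day minimum are assumptions.

```python
import ipaddress

# Assumed topology for the example: the prefixes our own network announces.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]

# Source addresses that can never legitimately arrive from the internet:
# unspecified, RFC 1918 private ranges, loopback, link-local, multicast.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets if n.version == addr.version)


def ingress_ok(src):
    """BCP 38 ingress filter on the internet-facing interface: drop packets
    that claim one of *our* addresses as source (they can only be spoofed,
    since our hosts are not on that side) or that carry a bogon source."""
    a = ipaddress.ip_address(src)
    return not _in_any(a, OUR_PREFIXES) and not _in_any(a, BOGONS)


def egress_ok(src):
    """BCP 38 egress filter: a packet leaving our network must carry one of
    our own source addresses. Anything else means a host of ours is spoofing,
    typically as part of a reflection attack against someone else."""
    return _in_any(ipaddress.ip_address(src), OUR_PREFIXES)


class HistoryFilter:
    """History-based IP filtering. During normal operation remember which
    sources talk to us and on which days. When an attack is detected, admit
    only sources seen on at least `min_days` of the last `window` days and
    drop everything else: regular users keep getting through, a botnet of
    mostly first-time sources does not."""

    def __init__(self, window=7, min_days=2):
        self.window = window
        self.min_days = min_days
        self.seen = {}            # ip -> set of day numbers it was seen on
        self.under_attack = False

    def record(self, src, day):
        days = self.seen.setdefault(src, set())
        days.add(day)
        # forget days that fell out of the window
        self.seen[src] = {d for d in days if d > day - self.window}

    def allow(self, src, day):
        if not self.under_attack:
            return True           # no attack: learn, do not filter
        days = {d for d in self.seen.get(src, ()) if d > day - self.window}
        return len(days) >= self.min_days


if __name__ == "__main__":
    print("ingress 203.0.113.5 ->", ingress_ok("203.0.113.5"))    # spoofed: False
    print("egress  198.51.100.7 ->", egress_ok("198.51.100.7"))   # not ours: False
    hf = HistoryFilter()
    for day in range(1, 8):
        hf.record("192.0.2.10", day)                              # a regular
    hf.record("198.51.100.1", 7)                                  # seen once
    hf.under_attack = True
    print("regular allowed:", hf.allow("192.0.2.10", 8))         # True
    print("newcomer allowed:", hf.allow("198.51.100.1", 8))      # False
```

The two BCP 38 checks belong on the edge routers (or in the cloud provider's security groups), not on the web servers, because spoofed packets have to be dropped before they consume the victim's bandwidth. The history filter trades availability for newcomers against survival under attack, so it should only be switched on by the detection stage and switched off again once traffic returns to baseline.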
Best practices for protecting your web app from DDoS
In addition to specific DDoS prevention mechanisms, there are several practices that can help you ensure additional DDoS protection for your web application:
Limit the number of weaknesses – Don't expose applications and resources to the internet unless it's truly necessary. This reduces the number of weak spots in your infrastructure that attackers can target. In particular, prohibit direct internet traffic to database servers and other critical parts of your infrastructure.
Scale the load – Consider using load balancers and a content delivery network (CDN) to absorb an attack by spreading the load across many machines and locations, so you can stay online even while it is underway.
Choose your cloud provider carefully – Look for a trustworthy cloud service provider with its own DDoS mitigation strategy. Make sure that strategy covers detection and mitigation of protocol-based, volume-based, and application-level attacks. For instance, some cloud providers use anycast, announcing the same IP address from many locations so that routing itself spreads a flood across several machines instead of concentrating it on one.
Employ third-party DDoS mitigation services – Consider delegating the protection of your web application to a third-party vendor. DDoS mitigation services can remove problematic traffic before it ever reaches your network. You can look for a DNS-based service that redirects traffic through the vendor's scrubbing infrastructure, or a Border Gateway Protocol-based solution, which reroutes your whole prefix and is better suited to sustained attacks.
Hackers keep using and improving DDoS attacks to disrupt the work of particular services, small businesses, large enterprises, and even public and nonprofit organizations. The main goal of these attacks is to exhaust the victim’s resources and, as a result, crash their services, applications, or websites.
While there’s no way to prevent a DDoS attack from happening altogether, there are effective DDoS attack protection techniques and methods that can be used for strengthening your infrastructure against DDoS attacks and lessening their consequences. At Apriorit, we have a team of professionals with a high level of expertise in developing DDoS-resistant web applications.