A denial-of-service (DoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. Distributed denial-of-service (DDoS) attacks amplify this disruption by using multiple compromised computer systems as sources of attack traffic.

Etymology

The term "denial-of-service" comes from the basic function of the attack: to deny legitimate users access to a service. The prefix "distributed" in DDoS refers to the distributed nature of the attack sources.

Types of DDoS attacks

Volume-based attacks

  • Description: Focus on overwhelming the bandwidth of the target site. These include ICMP floods, UDP floods, and other spoofed-packet floods.
  • Example: Flooding the target's links with a high volume of packets, consuming all available bandwidth so that legitimate requests cannot be processed.

Protocol attacks

  • Description: Exploit weaknesses in network protocols to consume the resources of the targeted servers or network infrastructure devices. Examples include SYN floods, fragmented packet attacks, and the ping of death.
  • Example: A SYN flood sends a succession of SYN requests to a target's system to consume enough server resources to make the system unresponsive to legitimate traffic.
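The SYN flood described above leaves a recognisable footprint on the victim: half-open connections (state SYN-RECV) accumulate on the listening port because the handshakes never complete. The following detector is an added example, not code from the original article; it reads a connection-table snapshot in the column layout printed by `ss -tan` and flags ports where half-open connections dominate. The snapshot, the threshold values and the function names are constructed for illustration.

```python
"""Flag SYN-flood symptoms from a snapshot of the TCP connection table.

Half-open connections (state SYN-RECV) pile up on a flooded listening port
because the three-way handshakes never complete. The snapshot below is
constructed sample data in the column layout printed by `ss -tan`; it is
not captured from a real host.
"""
from collections import defaultdict

# Constructed sample: port 443 has 8 half-open connections from 8 distinct
# peers and only 2 established ones; port 22 looks healthy.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       198.51.100.7:52011
ESTAB     0      0      10.0.0.5:443       198.51.100.8:41992
SYN-RECV  0      0      10.0.0.5:443       203.0.113.10:1024
SYN-RECV  0      0      10.0.0.5:443       203.0.113.11:1025
SYN-RECV  0      0      10.0.0.5:443       203.0.113.12:1026
SYN-RECV  0      0      10.0.0.5:443       203.0.113.13:1027
SYN-RECV  0      0      10.0.0.5:443       203.0.113.14:1028
SYN-RECV  0      0      10.0.0.5:443       203.0.113.15:1029
SYN-RECV  0      0      10.0.0.5:443       203.0.113.16:1030
SYN-RECV  0      0      10.0.0.5:443       203.0.113.17:1031
ESTAB     0      0      10.0.0.5:22        198.51.100.9:50122
"""


def parse_ss(text):
    """Yield (state, local_port, peer_ip) for each connection line.

    The header line is skipped. rsplit on the last ':' keeps IPv6
    addresses intact.
    """
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def syn_flood_indicators(text, min_half_open=5, min_fraction=0.5):
    """Return {port: stats} for listening ports that look flooded.

    A port is flagged when it holds at least `min_half_open` SYN-RECV
    entries and they make up at least `min_fraction` of its connections.
    Both thresholds are illustrative; tune them to the host's normal load.
    """
    half_open = defaultdict(int)
    established = defaultdict(int)
    half_open_peers = defaultdict(set)
    for state, port, peer_ip in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            half_open_peers[port].add(peer_ip)
        elif state == "ESTAB":
            established[port] += 1

    flagged = {}
    for port in set(half_open) | set(established):
        total = half_open[port] + established[port]
        fraction = half_open[port] / total
        if half_open[port] >= min_half_open and fraction >= min_fraction:
            flagged[port] = {
                "half_open": half_open[port],
                "established": established[port],
                "half_open_fraction": round(fraction, 2),
                "distinct_peers": len(half_open_peers[port]),
            }
    return flagged


if __name__ == "__main__":
    for port, stats in sorted(syn_flood_indicators(SAMPLE_SS_OUTPUT).items()):
        print(f"port {port}: {stats}")
```

A high count of distinct peers among the half-open entries is the usual sign that the source addresses are spoofed, since the handshakes never finish. On Linux the standard first mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1`), which lets the kernel accept connections without keeping state for unanswered SYNs.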

Application layer attacks

  • Description: Target the application layer (Layer 7 in the OSI model), which handles direct user interaction. These are the most sophisticated and complex types of attacks.
  • Example: HTTP floods where the attacker sends seemingly legitimate HTTP GET or POST requests to attack a web server or application.

Common tools and techniques

Botnets are a prevalent tool in DDoS attacks, where networks of compromised computers (known as bots) are controlled remotely by the attacker to launch coordinated assaults. Another technique is amplification attacks, which exploit publicly accessible UDP servers to flood a target system with amplified responses, thereby overwhelming it with a massive amount of traffic. Reflection attacks are also commonly used, where the attacker sends forged requests to numerous devices, which then reply to the target system, effectively redirecting the flood of responses to the victim. These methods leverage the distributed nature of modern internet infrastructure to multiply the impact of the attack, making it more difficult to mitigate and manage.
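Seen from the victim's border, a reflection or amplification attack looks like large UDP responses arriving from many different servers, all answering on the same well-known service port, to a host that never asked. The flow analyser below is an added example, not part of the original article or any product; it groups flow records by victim and reflector service and flags groups with many distinct sources and a large byte volume. The flow records, thresholds and function names are constructed for illustration; the service ports (DNS 53, NTP 123, memcached 11211) are the standard ones.

```python
"""Flag reflection/amplification traffic in flow records seen at the victim.

Reflectors answer from their service port, so the victim sees many UDP
flows whose *source* port is a well-known service and whose destination
is a single host. The records below are constructed sample data, not a
real capture.
"""
import csv
import io
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their standard port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}

# Constructed flow records (NetFlow-like). Six memcached servers each send
# 5 packets / 7000 bytes to 192.0.2.10; one ordinary DNS reply and one
# HTTPS flow are included as normal traffic.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
1700000000,udp,203.0.113.21,11211,192.0.2.10,40001,5,7000
1700000000,udp,203.0.113.22,11211,192.0.2.10,40001,5,7000
1700000000,udp,203.0.113.23,11211,192.0.2.10,40001,5,7000
1700000000,udp,203.0.113.24,11211,192.0.2.10,40001,5,7000
1700000000,udp,203.0.113.25,11211,192.0.2.10,40001,5,7000
1700000000,udp,203.0.113.26,11211,192.0.2.10,40001,5,7000
1700000001,udp,198.51.100.53,53,192.0.2.10,51234,1,120
1700000001,tcp,198.51.100.7,443,192.0.2.10,52011,12,9000
"""


def reflection_indicators(flows_csv, min_sources=5, min_bytes=10_000):
    """Return findings for (victim, service) groups that look reflected.

    A group is flagged when at least `min_sources` distinct reflectors
    and at least `min_bytes` of UDP traffic share one victim and one
    reflector service port. Thresholds are illustrative.
    """
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if row["proto"] != "udp":
            continue
        sport = int(row["src_port"])
        if sport not in REFLECTOR_PORTS:
            continue
        group = groups[(row["dst_ip"], sport)]
        group["sources"].add(row["src_ip"])
        group["bytes"] += int(row["bytes"])
        group["packets"] += int(row["packets"])

    findings = []
    for (victim, sport), group in sorted(groups.items()):
        if len(group["sources"]) >= min_sources and group["bytes"] >= min_bytes:
            findings.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[sport],
                "port": sport,
                "reflectors": len(group["sources"]),
                "bytes": group["bytes"],
                # Large average packet size is typical of amplified replies.
                "avg_packet_bytes": group["bytes"] // group["packets"],
            })
    return findings


if __name__ == "__main__":
    for finding in reflection_indicators(SAMPLE_FLOWS):
        print(finding)
```

The single DNS reply is not flagged because it comes from one source; the memcached group is, because six reflectors delivered 42,000 bytes of 1,400-byte packets. Two preventive measures sit upstream of this detection: operators of memcached should not expose the UDP listener at all (`-U 0` disables it), and networks that implement source-address validation (BCP 38) stop the spoofed requests that make reflection possible in the first place.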

Impact and consequences

  • Service outages: Websites and online services become unavailable to their users.
  • Financial losses: Lost revenue due to downtime, cost of mitigation, and recovery.
  • Reputational damage: Loss of customer trust and potential damage to brand reputation.
  • Legal and compliance issues: Potential legal ramifications and non-compliance with industry standards.

Mitigation strategies

1. Network infrastructure

    • Rate limiting: Controlling the rate of traffic sent or received by a network interface.
    • Blackholing and sinkholing: Redirecting traffic to a null route or a designated server for analysis.
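Rate limiting is usually implemented with a token bucket: each client earns tokens at a steady rate up to a burst ceiling, and a request is served only if a token is available. The limiter below is an added example written for this article, not code from any of the products mentioned; it combines a per-client bucket with a global bucket, because under a distributed attack every bot can stay under the per-client limit while their sum still exhausts the service. The request stream, rates and names are constructed for illustration.

```python
"""Token-bucket rate limiting with per-client and global buckets.

Per-client buckets stop one abusive source; the global bucket protects the
service when many sources each stay just under the per-client limit, which
is the distributed case. The request stream below is constructed sample
data (timestamps in seconds, client addresses from documentation ranges).
"""


class TokenBucket:
    def __init__(self, capacity, rate, now):
        self.capacity = capacity  # burst size in tokens
        self.rate = rate          # tokens refilled per second
        self.tokens = capacity    # a new bucket starts full
        self.last = now

    def refill(self, now):
        """Add tokens for the time elapsed since the last refill."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def take(self, cost=1.0):
        self.tokens -= cost


class RateLimiter:
    def __init__(self, client_rate, client_burst, global_rate, global_burst, now=0.0):
        self.client_rate = client_rate
        self.client_burst = client_burst
        self.global_bucket = TokenBucket(global_burst, global_rate, now)
        self.clients = {}  # client -> TokenBucket (evict idle entries in production)

    def allow(self, client, now):
        """Return (allowed, reason) for one request at time `now`.

        Both buckets are checked before either is charged, so a request
        refused by the global limit does not consume the client's token.
        """
        bucket = self.clients.get(client)
        if bucket is None:
            bucket = self.clients[client] = TokenBucket(
                self.client_burst, self.client_rate, now)
        bucket.refill(now)
        self.global_bucket.refill(now)
        if bucket.tokens < 1.0:
            return False, "client_limit"
        if self.global_bucket.tokens < 1.0:
            return False, "global_limit"
        bucket.take()
        self.global_bucket.take()
        return True, "ok"


# Constructed request stream, sorted by timestamp: one client bursts five
# requests at t=0, then several distinct clients arrive together at t=1.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.5"), (0.0, "203.0.113.5"), (0.0, "203.0.113.5"),
    (0.0, "203.0.113.5"), (0.0, "203.0.113.5"),
    (0.5, "198.51.100.7"),
    (1.0, "203.0.113.5"), (1.0, "198.51.100.7"), (1.0, "203.0.113.8"),
    (1.0, "203.0.113.9"), (1.0, "203.0.113.10"),
]


def apply_limits(requests, client_rate=1.0, client_burst=3,
                 global_rate=2.0, global_burst=6):
    """Run a request stream through the limiter; return (ts, client, reason)."""
    limiter = RateLimiter(client_rate, client_burst, global_rate, global_burst)
    decisions = []
    for ts, client in requests:
        _, reason = limiter.allow(client, ts)
        decisions.append((ts, client, reason))
    return decisions


if __name__ == "__main__":
    for ts, client, reason in apply_limits(SAMPLE_REQUESTS):
        print(f"t={ts:4.1f} {client:15} {reason}")
```

With the sample settings the bursting client is refused its fourth and fifth request by its own bucket, and at t=1 the last of the newly arriving clients is refused by the global bucket even though its own bucket is full. The per-client dictionary grows with the number of distinct sources, so a real deployment must evict idle buckets or key them on a bounded structure, and it must process requests in timestamp order as the refill logic assumes.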

2. Security services

    • Content delivery networks (CDNs): Distributing content through multiple servers to reduce the impact of a DDoS attack on any single origin.
    • DDoS protection services: Specialized scrubbing services from providers like Cloudflare, Akamai, and others.

3. Hardware and software solutions

    • Firewalls and routers: Configured to detect and filter attack traffic.
    • Intrusion detection systems (IDS) and intrusion prevention systems (IPS): Monitoring and automatic response systems.

Examples in history

The GitHub attack in 2018 was the largest recorded DDoS attack at the time, reaching a peak of 1.35 Tbps. This attack utilized a memcached reflection technique, which involves sending a small query to a vulnerable server that then responds with a much larger amount of data directed at the target. This overwhelming influx of data significantly disrupted GitHub's services, but robust defense mechanisms quickly mitigated the impact.

The Dyn attack in 2016 had widespread effects, causing major internet platforms and services to be unavailable across Europe and North America. This attack leveraged a large botnet, composed primarily of Internet of Things (IoT) devices infected with the Mirai malware. By flooding Dyn, a major DNS provider, with traffic, the attack disrupted the resolution of domain names, making it impossible for users to access many popular websites and online services during the attack period.

Legal and ethical considerations

  • Illegality: Launching a DDoS attack is illegal in many jurisdictions and can result in severe penalties.
  • Ethical issues: Beyond legal consequences, DDoS attacks raise significant ethical concerns regarding cyber warfare, activism, and the balance of free expression versus disruption.