A Distributed Denial of Service (DDoS) attack is a type of DoS attack in which many compromised systems are used to target a single system at the same time. These attacks can cause significant, widespread damage because they usually affect the entire infrastructure behind the target and create disruptive, expensive downtime.
DDoS vs. DoS
As mentioned above, a DDoS attack is a type of DoS attack. The primary way to tell a DDoS attack apart from other DoS attacks is to look at how the attack is being executed. In a DDoS attack, the traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it effectively impossible to stop the attack simply by blocking a single IP address, and it is very difficult to distinguish legitimate user traffic from attack traffic when the attack is spread across so many points of origin.
How DDoS attacks work
DDoS attacks are usually launched from a botnet: a set of devices that were compromised by malware, often a Trojan horse disguised as an innocuous file or program. Once the attacker controls enough devices, a Command and Control (C2) server instructs the bots to send traffic to the target simultaneously until it is overloaded and ultimately fails. The specific method of attack can vary.
Types of DDoS attacks include:
- Volumetric attacks: Volumetric attacks consume the target's bandwidth by generating a huge volume of traffic, which prevents legitimate users from reaching the target system. DNS amplification is one example: the attacker sends small DNS queries to open resolvers with the source address forged to be the target's IP address, so the resolvers deliver their much larger responses to the target. A few bytes of attacker traffic become many bytes of response traffic, and the target's network link is saturated.
- Protocol attacks: Protocol attacks exhaust network resources such as the connection state tables of firewalls, load balancers and servers, which is why they are also called state-exhaustion attacks. SYN flooding is one example: the attacker sends a stream of TCP SYN packets, often from spoofed source addresses, and never completes the three-way handshake, so the target accumulates half-open connections until no new connection can be accepted.
- Application layer attacks: Application layer attacks deplete resources at the application layer (layer 7). Bots send large numbers of requests that are cheap for the client to send but expensive for the server to process, so the system is overwhelmed even though the total bandwidth may be modest and the traffic looks like ordinary use. HTTP flooding is one example; it is effectively similar to refreshing a page repeatedly from numerous devices.
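The state-exhaustion mechanism behind a SYN flood is easiest to see with a small model of a listening socket. The following is an added example written for this page (not code from the original), modelling a kernel's table of half-open connections with a fixed backlog; the backlog size, the attacker's spoofed source addresses and the client addresses are all constructed values.

```python
"""Model TCP state exhaustion under a SYN flood (added example, not from the page)."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    """A listening socket with a fixed table of half-open (SYN_RECV) connections."""
    backlog: int                                  # max half-open entries the kernel keeps (assumed)
    half_open: set = field(default_factory=set)   # (src_ip, src_port) pairs awaiting the final ACK
    established: int = 0
    dropped: int = 0

    def on_syn(self, src):
        """Step 1 of the handshake: reserve a half-open slot and reply with SYN-ACK."""
        if src in self.half_open:
            return "SYN-ACK"          # retransmitted SYN, slot already reserved
        if len(self.half_open) >= self.backlog:
            self.dropped += 1         # table full: the SYN is silently discarded
            return None
        self.half_open.add(src)
        return "SYN-ACK"

    def on_ack(self, src):
        """Step 3: the client's ACK moves the entry to ESTABLISHED and frees the slot."""
        if src not in self.half_open:
            return False
        self.half_open.remove(src)
        self.established += 1
        return True


def legit_connect(listener, src):
    """A real client completes all three steps: SYN -> SYN-ACK -> ACK."""
    if listener.on_syn(src) is None:
        return False                  # SYN dropped, the client sees a timeout
    return listener.on_ack(src)


def syn_flood(listener, count):
    """Attacker sends `count` SYNs from spoofed sources and never answers the SYN-ACK."""
    for i in range(count):
        spoofed = (f"203.0.113.{i % 256}", 40000 + i)   # constructed spoofed (src_ip, src_port)
        listener.on_syn(spoofed)


def run(backlog=128, flood_syns=1000, clients=10):
    """Return how many client handshakes succeed before and during the flood."""
    lst = Listener(backlog)
    before = sum(legit_connect(lst, (f"198.51.100.{i}", 50000 + i)) for i in range(clients))
    syn_flood(lst, flood_syns)
    during = sum(legit_connect(lst, (f"198.51.100.{i}", 51000 + i)) for i in range(clients))
    return {"before": before, "during": during,
            "half_open": len(lst.half_open), "dropped": lst.dropped}


if __name__ == "__main__":
    print(run())
```

Before the flood every client completes the handshake and frees its slot; once the attacker has parked 128 half-open entries, every further SYN, legitimate or not, is dropped. Real kernels expire half-open entries after a few retransmissions and can fall back to SYN cookies, which keep no state until the ACK arrives, so in practice the attacker only needs to send SYNs faster than entries expire.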
There are a number of measures organizations can put in place to prevent or mitigate the effects of a DDoS attack. Developing and regularly re-evaluating a response plan and deploying multi-level threat management systems are valuable tactics that can prevent expensive downtime as the result of a DDoS attack. It is also important to monitor the network for warning signs. Symptoms of a DDoS attack that is starting or already under way include high volumes of traffic that:
- Come from one IP address or range of IP addresses
- Go to a single webpage
- Come from a single common user characteristic (such as geolocation)
- Occur at unexpected times of day
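The four warning signs above can be checked directly against web-server access logs. The following is an added example written for this page (not code from the original or any product): it parses log lines in the common Apache/nginx combined format, which is assumed, and flags a window of traffic when one IP, one /24 range, one page or the quiet hours account for an unusually large share of requests. The thresholds, the quiet-hours window and the sample log lines are all constructed.

```python
"""Flag DDoS warning signs in web-server access logs (added example, not from the page)."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Apache/nginx "combined" log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def analyze(lines, ip_share=0.4, range_share=0.6, page_share=0.6,
            quiet_hours=range(1, 5), quiet_share=0.5):
    """Return one finding per warning sign (or None) for a window of log lines.

    A finding is (item, share of all requests). Thresholds are illustrative
    assumptions; tune them against the site's normal traffic profile.
    """
    recs = [r for r in map(parse_line, lines) if r]
    total = len(recs)
    if total == 0:
        return {}
    by_ip = Counter(r["ip"] for r in recs)
    # Group IPv4 sources by /24 so a flood spread over one range still stands out
    by_range = Counter(str(ip_network(f'{r["ip"]}/24', strict=False)) for r in recs)
    by_page = Counter(r["path"] for r in recs)
    quiet = sum(1 for r in recs if r["ts"].hour in quiet_hours)

    def top(counter, threshold):
        item, n = counter.most_common(1)[0]
        share = n / total
        return (item, round(share, 2)) if share >= threshold else None

    return {
        "single_ip": top(by_ip, ip_share),
        "ip_range": top(by_range, range_share),
        "single_page": top(by_page, page_share),
        "unexpected_time": round(quiet / total, 2) if quiet / total >= quiet_share else None,
    }


def sample_log():
    """Constructed log lines: four normal daytime hits, then a burst from one /24 at 03:00."""
    normal = [
        '198.51.100.23 - - [12/Mar/2024:14:02:11 +0000] "GET / HTTP/1.1" 200 5120',
        '192.0.2.44 - - [12/Mar/2024:14:05:37 +0000] "GET /about HTTP/1.1" 200 3310',
        '198.51.100.80 - - [12/Mar/2024:14:09:02 +0000] "GET /products HTTP/1.1" 200 8802',
        '192.0.2.17 - - [12/Mar/2024:14:15:48 +0000] "GET /login HTTP/1.1" 200 2100',
    ]
    burst_ips = ["203.0.113.5"] * 10 + ["203.0.113.9"] * 3 + ["203.0.113.77"] * 3
    burst = [
        f'{ip} - - [13/Mar/2024:03:10:{i:02d} +0000] "POST /login HTTP/1.1" 503 0'
        for i, ip in enumerate(burst_ips)
    ]
    return normal + burst


if __name__ == "__main__":
    for sign, finding in analyze(sample_log()).items():
        print(f"{sign:16s} {finding}")
```

On the sample window the script flags all four signs: one address sends half the requests, one /24 sends 80 percent, /login receives 85 percent, and 80 percent of the traffic lands between 01:00 and 05:00. In a genuine DDoS the single-IP signal is weak by definition, so the range, page and time-of-day signals carry more weight, and all of them only mean something relative to a baseline of the site's normal traffic.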