Distributed Denial of Service (DDoS)
What Is a DDoS Attack?
A distributed denial of service, or DDoS attack, is a form of overload attack that makes a service (e.g., a website) unavailable to its users. The attacker uses a botnet – a network of a large number of compromised devices that are all directed to carry out a coordinated attack on the target. DDoS attacks flood the target with simultaneous requests in high volume; without adequate protection, the service becomes unavailable to legitimate users.
A DDoS attack can take different forms, depending on which layer of internet communication the attacker is trying to overload. A simple form of DDoS attack, a so-called volumetric attack, involves a botnet bombarding the website with connection attempts. There are several other, more sophisticated forms of DDoS attacks, and just because a solution can neutralize one type of DDoS attack doesn’t mean it will stop all of them.
Who Conducts DDoS Attacks?
Cybercriminals conduct large campaigns to distribute malware that turns various internet devices into large botnets under their control, which can be used to launch DDoS attacks. These criminals then usually rent out their botnet to other criminals and hacktivists, who choose the targets for the attacks.
Some hacktivists are hackers who control their own smaller botnets, but they have been overshadowed by extortion criminals and state-sponsored actors who have the funds to pay these cybercriminal botnet owners for their services.
What Are the Motives Behind DDoS Attacks?
Most actors responsible for DDoS attacks are driven by either political or criminal motives. The majority of DDoS attacks are conducted by criminals who use them for extortion. A typical attack consists of an hour-long overload of a site, followed by an extortion mail in which the criminals threaten to keep the service unavailable unless the victim pays them a large sum of money.
These cybercriminals often target businesses whose websites are central to their dealings with clients, such as online financial services or online shopping sites. If the victims refuse to pay, the criminals will typically keep trying to block the website with hour-long attacks for up to a couple of weeks at most. They then give up and move on once they no longer believe the chance of receiving the extortion money justifies the cost of renting DDoS capacity.
A rising number of so-called “hacktivists” conduct DDoS attacks motivated by a mixture of reasons – politics, money, and attention seeking. Today, many aren’t activists at all; they are paid by government actors and use the mantle of hacktivism to conduct proxy attacks on adversaries as a form of hybrid warfare. “Hacktivism” is a form of cyber vandalism, and the actors usually do everything to maximize the publicity of their attacks. Instead of saying that they have temporarily made a website unavailable, they will pretend that they have hacked and taken down entire networks.
Always be skeptical of such inflated claims. DDoS attacks can be disruptive, especially if the attacker is paid by a government and can afford substantial power, but the attacker seldom continues for days, like extortion criminals. They only want the service down long enough to appear to support their narrative before moving on to the next victim.
How Do You Protect Your Organization Against DDoS Attacks?
Truesec recommends publicly sharing information if a DDoS attack has impacted your business, especially if it’s for political reasons. Avoiding doing so means handing over the information space to the threat actors, who will do their utmost to create headlines with their own narrative about their attack.
We urge all businesses to prepare a plan for reacting to a possible DDoS attack, which should include a media communication plan.
In addition to a reactive plan to deal with an ongoing attack, there are both preparatory and preventive safeguards to take to significantly lower the business impact of being exposed to a DDoS attack.
11 Actions To Minimize the Risk of DDoS Attacks
- Be sure to map your IT environment regularly and inventory your mission-critical applications and systems, especially those exposed to the internet.
- Protect mission-critical websites, applications, and systems with DDoS Protection.
- Keep your internet service provider (ISP) contact lists up to date and ask for regular reporting on what they see.
- Ask your internet service provider (ISP) to filter out traffic from any regions you don’t do business with.
- Ask your internet service provider (ISP) to implement Quality of Service (QoS) to prioritize business-critical services.
- If you own your IP address space (ISP independent), make sure you use connections from different ISPs, and that redundancy works, at least for business-critical applications.
- Protect links and networks between the local devices and outgoing links (e.g., disable ping, traceroute, etc.). Ask your upstream ISP to do the same for the routers on their side facing you (often called CPE or PE).
- Monitor CPU and traffic volume on front-end firewalls, load balancers, WAFs, and exposed servers. Configure alarms with threshold values over a predefined period; for example, usage above 80% for the last 10 minutes.
- Apply all patches for systems exposed to the internet.
- Ensure that exposed systems log and that these logs are easily accessible.
- Ensure that all public IPv6 links are configured with a /126 or /127 prefix.
- Truesec urges every business to analyze available data and logs whenever the organization sees events consistent with a DDoS attack, in order to understand attack patterns, time windows, affected targets, etc. Interpret data coming from ISPs, DDoS protection, or other equipment, but do not rely on any one of them as the sole source – if a DDoS attack is confirmed, notify your national CERT.
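Two of the actions above can be shown in working code: the sustained-threshold alarm (usage above 80% for the last 10 minutes) and the log analysis that locates an attack's time window and affected target. This is an added example, not Truesec's code; the CPU samples and request log lines are constructed, and the log format is assumed.

```python
"""Sustained-threshold alarm and per-minute request counts over constructed data."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed CPU samples (ISO timestamp, percent) from a front-end firewall, one per minute.
# A short spike at 10:01 must not fire; the run from 10:03 onwards must.
CPU_SAMPLES = [
    ("2024-01-01T10:00:00", 35), ("2024-01-01T10:01:00", 88), ("2024-01-01T10:02:00", 40),
    ("2024-01-01T10:03:00", 85), ("2024-01-01T10:04:00", 90), ("2024-01-01T10:05:00", 92),
    ("2024-01-01T10:06:00", 95), ("2024-01-01T10:07:00", 97), ("2024-01-01T10:08:00", 96),
    ("2024-01-01T10:09:00", 99), ("2024-01-01T10:10:00", 98), ("2024-01-01T10:11:00", 97),
    ("2024-01-01T10:12:00", 96), ("2024-01-01T10:13:00", 94), ("2024-01-01T10:14:00", 60),
]

def sustained_breach(samples, threshold=80, window=timedelta(minutes=10)):
    """Fire once per breach run, at the first sample where the metric has stayed
    above `threshold` for at least `window`. Returns (alarm time, run start) pairs."""
    alarms, run_start, fired = [], None, False
    for ts, value in samples:
        t = datetime.fromisoformat(ts)
        if value <= threshold:          # breach run ends; reset state
            run_start, fired = None, False
            continue
        if run_start is None:           # first sample above threshold
            run_start = t
        elif not fired and t - run_start >= window:
            alarms.append((ts, run_start.isoformat()))
            fired = True
    return alarms

# Constructed request log, assumed format: "<ISO time> <client ip> <target host> <path>".
# Minute 10:05 carries a flood against shop.example.com from TEST-NET-3 addresses.
REQUEST_LOG = [
    f"2024-01-01T10:05:{i % 60:02d} 203.0.113.{i} shop.example.com /" for i in range(1, 41)
] + [
    "2024-01-01T10:04:10 198.51.100.5 www.example.com /index.html",
    "2024-01-01T10:05:20 198.51.100.6 www.example.com /about",
    "2024-01-01T10:06:05 198.51.100.7 shop.example.com /cart",
]

def requests_per_minute(lines):
    """Count requests per (minute, target host), most loaded first, so the attack's
    time window and the affected target stand out in the first rows."""
    counts = Counter()
    for line in lines:
        ts, _client, host, _path = line.split()
        counts[(ts[:16], host)] += 1    # "YYYY-MM-DDTHH:MM" bucket
    return counts.most_common()

if __name__ == "__main__":
    print("alarms:", sustained_breach(CPU_SAMPLES))
    print("busiest:", requests_per_minute(REQUEST_LOG)[:3])
```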