A Distributed Denial of Service (DDoS) attack is a cyberattack, sourced from a distributed network, that aims to deny responses from your services. A DDoS attack aims to render your services unresponsive by overwhelming your systems with illegitimate requests.
More and more businesses and site owners are asking themselves, what is DDoS? They’ve seen other companies fall prey to a cyberattack and want to know how to prevent it from happening to them.
In February 2020, Amazon Web Services was hit by a massive DDoS attack that lasted almost three days, also impacting countless other publishers and site owners that rely on AWS. The targeted IP address saw an increase of 56-70 times the amount of data normally sent.
In 2018, GitHub was hit with the largest DDoS attack recorded at that time. Despite flooding GitHub’s servers with 1.3 terabytes per second (Tbps) of data and 126.9 packets per second (Pps), the attack only took GitHub offline for 20 minutes due to Github’s strong DDoS protection measures.
This highly variable level of efficacy and risk shows that companies must prioritize mitigating damage from potential DDoS attacks. These cyberattacks are only growing as more traffic comes online and sensitive data and services continue to hold value.
In this post, we’ll cover the following areas along the lines of what is DDoS:
- What is DDoSing?
- How can you detect an attack?
- What are some examples of DDoS attacks?
- What are the different types of attacks?
- How do I protect against these attacks?
Perhaps the most important aspect of protection against DDoS is early detection. If your organization can identify the DDoS attack early on, you can take steps to mitigate the damage, limit traffic, and improve security going forward.
How to Detect a DDoS Attack
So, what is DDoSing, and how can you detect it?
A DDoS is what happens when your servers, website, applications, infrastructure, or other assets are flooded with requests from malicious actors attempting to bring down or take your services offline. While security measures vary across hosting solutions, even the most hardened dedicated server hosting may still be vulnerable to a DDoS attack.
It can be difficult to determine when a DDoS attack is occurring as opposed to a legitimate failure of service. DDoS attacks can often appear as legitimate traffic or downed servers. In order to identify an attack with certainty, further investigation with analytics tools can help spot some of the signs of DDoS:
- A suspicious spike in requests to a single page.
- Downed applications or servers without a history of compromise.
- Large amounts of traffic from one single IP address or a range of IP addresses.
- Traffic coming from users with similar characteristics.
- Spikes in traffic patterns at odd hours or otherwise non-typical traffic patterns for your business or site.
Detecting DDoS is also about awareness and making sure you’re familiar with some examples of attacks. Let’s break down several types of DDoS attacks to show how DDoS protection does work.
Examples of DDoS Attacks
What is DDoS in the real world? We already mentioned some of the high-profile attacks on Amazon and GitHub. These real-world examples can give us a better idea of what’s trending amongst cybercriminals and how we can bolster DDoS protection in the future.
One of the first recorded DDoS attacks occurred in 2000 when a teenage hacker by the pseudonym “MafiaBoy” was able to flood a number of universities and businesses with overwhelming traffic. It’s fair to say that DDoS has evolved exponentially since that time, and it’s still affecting major industries today.
Only months after the February 2020 cyberattack against AWS, Google revealed details of a DDoS attack targeting their services and registering even higher at 2.6 Tbps. Companies of all sizes are at risk from this growing cyber threat.
DDoS attacks can be categorized into three main groups based on what layer of service they target: volumetric attacks, protocol attacks, and application attacks. Let’s examine each one and understand how they might affect a site with VPS DDoS protection.
Volumetric attacks are perpetrated when massive quantities of illegitimate traffic overwhelm your server, website, or other resources. Also known as volume-based attacks, volumetric attacks are measured in bits per second (BPS). Several types of volumetric attacks include User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and junk flood attacks.
So simply put, what is a DDoS attack when it is volume-based? Volumetric attacks are like a traffic jam. Imagine going to work and pulling onto the on-ramp only to see that every lane on the highway is bumper-to-bumper with cars. You’re stuck and can’t get access to the road. Unlike a traffic jam, however, traffic doesn’t just wait in line. Users will see the dreaded “No Connection Error,” or the load times will slow to the point of causing frustration, causing users to abandon their original request.
Protocol attacks occur when your infrastructure, or parts of your infrastructure, is flooded with excessive numbers of packets. Also known as network-layer attacks, protocol DDoS attacks are measured in packets per second (Pps). Different types of protocol attacks include Smurf DDoS, TCP Connection Attacks, or TCP SYN Floods.
SYN Floods (also known as TCP Connection Attacks) target what’s called a three-way handshake connection. This common TCP connection point is the vulnerability the attack exploits.
During an SYN Flood, a “handshake” request is sent to a targeted server, but it’s never completed. The targeted port is then unavailable to respond to any requests. The attack spreads from there as more and more requests are sent until servers go down.
An answer to – What is DDoS? – wouldn’t be complete without a look at the attacks’ effects on applications. Application-layer attacks overwhelm applications with malicious requests, affecting the layer of service where web pages are generated, and HTTP requests are made. These application DDoS attacks are measured in requests per second (RPS).
Application-layer attacks tend to advance in a slower fashion than traditional volumetric attacks. This slower rate allows the requests to appear legitimate until they have sufficiently overwhelmed an application.
It’s important to remember that these different types of attacks often work in tandem with each other. It’s rare that a cybercriminal will focus all their efforts on one endpoint. For example, an initial application-layer attack may be followed by a volumetric attack. Site owners must play defense on all endpoints to ensure the detection of each type of DDoS attack.
How to Protect Against a DDoS Attack
So far, we’ve answered – what is a DDoS Attack? And we’ve looked at different types of attacks and detection. But how does DDoS protection work?
When it comes to protecting your server from a potential DDoS attack, it’s important to be vigilant from a proactive perspective. Some useful concepts to consider in the realm of DDoS protection include:
- Learn Your Traffic Patterns: With help from network and server monitoring tools, you need to get a sense of your typical inbound traffic. When it spikes sharply or is clocking way above the normal range, you can take the appropriate measures. It’s worth mentioning that you should also monitor activity during an attack to help decipher the reasoning behind the attack.
- Better to Be Safe than Sorry: In addition to mitigation tools and over-provisioning bandwidth, consider using an Intrusion Detection System (IDS) and an Intrusion Protection System (IPS) for early attack detection, filters to block packets from the usual suspects, dropping all malformed/spoofed packets, and lowering your thresholds for your SYN, ICMP, and UDP Flood drops.
- DDoS Mitigation Tools Are a Must: For large or particularly complex DDoS attacks, mitigation platforms and appliances are often equipped with a powerful infrastructure and advanced detection and monitoring technology. You’ll make things much easier on yourself and be thankful you did when a hypothetical attack becomes real.