Distributed Denial of Service (DDoS) attacks aren’t anything new. In 2000, a Canadian hacker targeted e-commerce giants like Amazon and eBay. Some even claim to have seen a small-scale DoS attempt as far back as 1974.
But despite the long history of DDoS, most organisations remain unprepared for the possibility of an attack. Worse, as attack methods get more sophisticated and setting up a large-scale DDoS gets easier, the risk has never been higher.
Robust protection is essential. And that protection begins with a solid understanding of what DDoS attacks are, how they work, and why you may be targeted.
A definition of DDoS attacks
First, it makes sense to begin with a definition of Denial of Service, or DoS. As the name implies, it’s an attack with the purpose of denying service to legitimate users. In the case of your web server, it’s an attack that will prevent actual prospects and customers from using your website, either slowing server performance to a crawl or taking the entire server offline.
Distributed Denial of Service attacks are the natural evolution of DoS – the result of technology that’s always online and seamlessly connected to numerous different systems. Tens, hundreds, or even thousands of computers – a network of attack bots, or ‘botnet’ – work together to target and overwhelm a server on a huge scale.
For the most part, this botnet is made up of compromised PCs infected with malware. But in an alarming new trend, it’s not just PCs but also the mobile devices people carry with them everywhere they go. There is more computing power than ever out there in the world. And that gives attackers new opportunities to attack on an unprecedented scale.
What today’s DDoS attacks look like
Historically, there are three main types of DDoS attack:
- Volumetric attacks like UDP and ICMP floods, which saturate the bandwidth of the link in front of the server, so that legitimate traffic slows to a crawl or is dropped before it ever arrives
- Protocol attacks (layer 4) like SYN floods, which exhaust state on the server itself or on the firewalls and load balancers in front of it – for example the table of half-open TCP connections a server holds while it waits for each handshake to complete
- Application layer attacks (layer 7) like HTTP floods and Slowloris, which are made up of seemingly legitimate requests to applications and services – either sent in quantities designed to overwhelm the server or, in the case of Slowloris, held open and never completed so that the server’s pool of connection slots fills up with idle requests
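Each of the three classes leaves a different footprint in the connection and flow records a server or an inline appliance can see, and that difference is what detection keys on. The script below is an added illustration, not code from this page or from any Corero product: it scores a window of constructed connection records against three hypothetical capacity figures (uplink bandwidth, SYN backlog, web-server worker slots) and reports which class, if any, the traffic looks like. The thresholds, the record format and the sample traffic are all assumptions chosen to make the three signatures visible.

```python
"""Toy DDoS classifier: one detector per attack class named above.

Added example; assumes a constructed record format and made-up capacity
figures. Real deployments read flow telemetry and learn their baselines.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed flow in a sampling window (constructed, not real telemetry)."""
    src: str
    proto: str          # "udp", "icmp" or "tcp"
    state: str          # TCP: "syn_recv" (half-open) or "established"; "" otherwise
    nbytes: int         # bytes received from the client during the window
    open_secs: float    # how long the connection has been open
    request_done: bool  # a complete HTTP request header block has arrived

# Hypothetical capacity of the server being watched (assumptions).
WINDOW_SECS = 10
LINK_BPS = 100_000_000   # 100 Mbit/s uplink
BACKLOG = 1024           # kernel SYN backlog (half-open connection table)
WORKERS = 200            # concurrent request slots in the web server


def link_utilisation(conns, window=WINDOW_SECS, link_bps=LINK_BPS):
    """Volumetric signature: share of the uplink consumed by UDP/ICMP."""
    bits = sum(c.nbytes * 8 for c in conns if c.proto in ("udp", "icmp"))
    return bits / (window * link_bps)


def half_open_ratio(conns, backlog=BACKLOG):
    """Protocol signature: how full the half-open table is, and from how many sources."""
    half_open = [c for c in conns if c.proto == "tcp" and c.state == "syn_recv"]
    return len(half_open) / backlog, len({c.src for c in half_open})


def stalled_slots(conns, workers=WORKERS, idle_secs=30):
    """Application signature: worker slots held by long-open, never-completed requests."""
    stalled = [c for c in conns
               if c.proto == "tcp" and c.state == "established"
               and not c.request_done and c.open_secs >= idle_secs]
    return len(stalled) / workers


def classify(conns):
    """Return (class, evidence) pairs for every signature that crosses its threshold."""
    findings = []
    util = link_utilisation(conns)
    if util >= 0.8:
        findings.append(("volumetric", f"{util:.0%} of uplink is UDP/ICMP"))
    ratio, srcs = half_open_ratio(conns)
    if ratio >= 0.5 and srcs >= 50:   # many sources: a single misbehaving client is not a DDoS
        findings.append(("protocol", f"{ratio:.0%} of SYN backlog half-open from {srcs} sources"))
    stalled = stalled_slots(conns)
    if stalled >= 0.5:
        findings.append(("application", f"{stalled:.0%} of worker slots held by idle requests"))
    return findings


# Constructed sample windows, one per scenario (RFC 5737 documentation addresses).
def sample_normal():
    conns = [Conn(f"10.0.{i // 254}.{i % 254 + 1}", "tcp", "established", 1500, 0.3, True)
             for i in range(300)]
    conns += [Conn("10.0.9.9", "udp", "", 2_000, 1.0, False) for _ in range(20)]
    return conns


def sample_udp_flood():
    # 2000 flows x 60 kB in 10 s = 96 Mbit/s against a 100 Mbit/s uplink
    return [Conn(f"198.51.100.{i % 254 + 1}", "udp", "", 60_000, 1.0, False)
            for i in range(2000)]


def sample_syn_flood():
    # 900 half-open handshakes from 254 spoofed sources, almost no bytes at all
    return [Conn(f"203.0.113.{i % 254 + 1}", "tcp", "syn_recv", 60, 0.5, False)
            for i in range(900)]


def sample_slowloris():
    # One host, 150 established connections, each two minutes old with a partial request
    return [Conn("192.0.2.7", "tcp", "established", 400, 120.0, False) for _ in range(150)]


if __name__ == "__main__":
    for name, fn in [("normal", sample_normal), ("udp flood", sample_udp_flood),
                     ("syn flood", sample_syn_flood), ("slowloris", sample_slowloris)]:
        print(f"{name:10s} -> {classify(fn()) or 'no findings'}")
```

Two things to notice in the samples. The SYN flood and the Slowloris window move almost no bytes, so a detector that only watches bandwidth never sees them; conversely, the UDP flood fills the uplink before the server ever gets a chance to inspect it, which is why volumetric attacks are mitigated upstream of the server rather than on it. Fixed thresholds are only adequate for an illustration; production detection baselines each metric per service and per time of day.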
Today, all of these attack types are worse than ever. Attacks that depend on sheer volume alone are bigger – in 2014, an unnamed internet service provider faced an attack that peaked at 400Gbps, whereas in 2012 the average attack was just 5.53Gbps. Meanwhile, attackers increasingly target the application layer, where the asymmetry works in their favour: a request costs the attacker a handful of packets, but the server has to parse it, run application code and read a file to answer it, so far less traffic is needed to exhaust a server than to saturate its link. Some groups even boast capabilities of up to 1Tbps and, while this threat remains unproven, calling their bluff is a big risk to take.
DDoS attacks have changed – and the way businesses think about DDoS attacks needs to change too. Where it was once true that DDoS was a concern for larger enterprises, the ease of launching an attack means that every business is now a potential target. Where attacks were once about disruption for its own sake, modern attacks use DDoS traffic and log entries as a ‘fog of war’, distracting your attention from the real purpose of the attack: defacement, data manipulation or data theft.
And where DDoS attacks were once something you could hope to keep out entirely, today they are something to plan for rather than something you can rule out.
DDoS detection and protection
The uncomfortable truth is that there’s no stopping DDoS attacks – not unless you want to block all traffic, good and bad, from connecting to your server. However, there are ways to mitigate an attack in progress and detect malicious traffic before it’s too late.
Corero’s SmartWall appliances are compact, cost-effective devices for analysing your traffic, spotting the signs of a DDoS attack, and ensuring that you can maintain service to your legitimate users. Working together, the appliances can scale to match your infrastructure – and the size of the attack you’re facing.