A tool favored by many threat actors, distributed denial-of-service (DDoS) attacks seek to make a targeted machine or network resource unavailable to its users—using overwhelming amounts of traffic, such as incoming messages, connections requests, and malformed packets—to substantially slow the system, or force it to crash.
In this article, we explore how DDoS attacks work, types of DDoS attacks, and their damaging impact. Also we provide tips on how to prepare for, prevent, and respond to a DDoS attack.
How distributed denial of service attacks work
To accomplish this, a distributed denial-of-service attack uses a botnet. A botnet is a network of computers controlled by malware that sends requests to the target’s IP address. The use of botnets distinguishes DDoS attacks from DoS (Denial-of-Service) attacks. In a DoS attack, overloading traffic is sent from only one attacking machine. Botnets make attacks appear to come from multiple devices and locations which makes it difficult to defend against.
DDoS activity is seeing a major uptick, with sources stating that over six million attacks were observed in 2022 H1. Organizations should also be aware that this trend will likely continue since botnets are becoming more publicly available via crimeware. This allows an individual to rent DDoS capabilities via illicit marketplaces, enabling low-skilled individuals or groups to perform more complex attacks.
Types of DDoS attacks
In general, there are three types of DDoS attacks: application layer attacks, network layer attacks, and volumetric attacks. However, organizations should be aware that DDoS attacks can also be achieved by exploiting the vulnerabilities affecting their IT resources. Modern attacks use a variety of DDoS tools, like booters or stressors, and tactics can be used alone, or combined for more complex, multi-vector attacks.
Application layer attacks
The application layer of a network connection is where a server creates a response to a request. For example, loading a webpage in response to a user entering a HTTP request in their browser. Application layer attacks make repeated requests to overwhelm the server.
Network layer attacks
Network layer attacks focus on an earlier stage in a network connection, exhausting server resources like firewalls or routing engines. For example, an attacker may overwhelm a target server with SYN packets, which are used to initiate a secure connection between two computers.
Volumetric attacks overwhelm the target server’s bandwidth. Usually by making repeated queries to an open domain name system (DNS) resolver using the target’s own IP address. In other words, the attacker makes multiple requests to DNS resolvers making it look like they’re coming from the target server.
The impact of DDoS attacks
Any business or industry can be at-risk of a DDoS attack since most organizations have internet-facing websites or assets. Furthermore, DDoS attacks can cause lengthy shutdowns and downtime, which can result in major financial losses, customer dissatisfaction, and reputational loss. According to Imperva, the average attack can cost victims around $500,000 total or $40,000 per hour of downtime.
DDoS attacks can also cause data loss and mask other cybercriminal activities that could breach the target’s security. More serious attacks, like those leveraged by advanced persistent threat (APT) groups, can prompt civil unrest or be considered a type of warfare—an example being the Russian-Ukraine War, where Russian hackers DDoS’d Ukrainian government portals and banking websites days before the invasion. According to Kaspersky, DDoS attack volumes have increased 4.5 times since the conflict first began.
“In Q1 2022 we witnessed an all-time high number of DDoS attacks. The upward trend was largely affected by the geopolitical situation…Some of the attacks we observed lasted for days and even weeks, suggesting that they might have been conducted by ideologically motivated cyberactivists. We’ve also seen that many organizations were not prepared to combat such threats.”ALEXANDER GUTNIKOV, KASPERSKY
In addition, it is reported that the sophisticated and powerful DDoS tools developed for the war are being adopted by other threat actors worldwide.
Steps to prevent DDoS attacks
One out of five companies with over 50 employees have been a victim of at least one DDoS attack. The proliferation of DDoS means that attempts against your organization may occur—but there are still some strategies you can use to proactively identify, or prevent and minimize damage from an attack:
- Monitor network traffic for abnormal activities. This includes unexpected traffic influxes, traffic originating from suspicious locations, slow servers, or even an increase in spam emails—signs that an attack could be imminent.
- Plan an attack response proactively. This could involve simulation testing or establishing procedures for IT personnel and other impacted stakeholders in the event of an attack.
- Filter legitimate traffic from DDoS traffic by using mitigation strategies like black hole routing, rate limiting, or a web application firewall.
- Identify exploitable vulnerabilities using tools like Flashpoint’s VulnDB. In addition to disrupting traffic, attacks may also leverage vulnerabilities within an organization’s applications. Having comprehensive vulnerability intelligence allows organizations to patch vulnerabilities before they’re exploited.
- Track publicly-available websites, like paste bins, social media, or forums, for conversations that may indicate a potential attack. Specialized open source intelligence tools like Echosec allows users to uncover hidden threats on a variety of sources, like the dark web.
Stay prepared with Flashpoint
Industry research shows that DDoS attacks are not only on the rise, but their approaches are becoming more sophisticated. While the Russia-Ukraine war is primarily responsible for this, nevertheless, these types of attacks will continue to plague organizations. However, organizations do have tools and strategies that can help them mitigate the risk that DDoS attacks can introduce. Sign up for a free trial to gain visibility into threat actor channels and activity.