Distributed Denial of Service attacks are nothing new, but they are becoming more and more common, from politically motivated attacks on financial and government institutions to recent attacks on data centers like Digital Ocean. In a DDoS attack, hackers use hijacked computers to flood servers with incoming requests, essentially shutting down services by clogging network traffic or sending mass quantities of junk data. They are increasingly difficult to defend against as they grow in scale, and because the traffic is distributed among many infected machines, it can be difficult to block it based on IP address.
Public institutions, financial industries, eCommerce sites, and hosting providers are among the most popular targets, but anyone can be a victim—and if your IT infrastructure is hosted in a data center, you need that facility to provide strong DDoS mitigation to avoid service interruptions of your own.
These days, SYN or HTTP GET flood attacks are very common ways to overload firewalls or IPS systems and make the servers behind them unresponsive. Network switches and servers do not have the resources to respond to every incoming request and therefore begin to drop network packets from any incoming source. The DDoS source traffic can come from either volunteered computers (scoundrels!), a single computer masquerading as many IP addresses, or, as is most common, a botnet of hijacked computers.
A SYN flood attack uses SYN packets, which are the first packet sent to a server to request a connection. This is part of the standard “handshake,” and the server would normally respond with a SYN-ACK message. With a SYN flood, the connecting client never responds with the final ACK, leaving the server holding a half-open connection while it waits for a response. SYN floods are a type of Bulk Volumetric attack.
Other Bulk Volumetric attacks include ICMP packet floods, which send “PING” commands; TCP/UDP floods, which send traffic to open network ports such as TCP 81; fragment floods, which send fragmented packets; anomalous packet floods, which send error scripts within network packets; and DNS amplification, which uses the DNS EDNS0 extension to amplify the attack. In this last example, the attacker sends small DNS lookups to public Domain Name Service servers while pretending to be the target server, so the DNS servers send their much larger replies to the target.
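The two behaviours described above, a client that never completes the handshake and DNS replies arriving for queries the target never sent, can both be spotted from a packet trace by keeping a little state. The following is an added example, not code from the original article: it runs two detectors over a constructed trace of packet events. The `Packet` record layout, the server address `203.0.113.10`, the resolver addresses and the thresholds are all assumptions chosen for the illustration.

```python
"""Added example (not from the original article): stateful detection of
half-open TCP handshakes and of unsolicited DNS responses over a constructed
packet trace. Record format, addresses and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds since start of trace
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""   # TCP flags: "S" = SYN, "A" = ACK
    size: int = 0     # bytes on the wire
    dns_id: int = -1  # DNS transaction id for UDP/53 packets


SERVER = "203.0.113.10"  # the protected host (assumed)


def half_open_report(packets, timeout=3.0, threshold=5):
    """Track handshakes toward SERVER. A SYN opens a half-open slot keyed by
    (src, sport); the client's ACK closes it. Slots still open after `timeout`
    seconds count as abandoned. Returns {src: abandoned} for sources that
    abandoned at least `threshold` handshakes."""
    pending = {}                 # (src, sport) -> time the SYN arrived
    abandoned = defaultdict(int)
    now = 0.0

    def expire():
        for key, ts in list(pending.items()):
            if now - ts >= timeout:
                abandoned[key[0]] += 1
                del pending[key]

    for p in sorted(packets, key=lambda p: p.ts):
        now = p.ts
        expire()
        if p.proto != "tcp" or p.dst != SERVER:
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "A" and key in pending:
            del pending[key]     # third step of the handshake completed
    expire()
    return {src: n for src, n in abandoned.items() if n >= threshold}


def unsolicited_dns_report(packets):
    """Match inbound UDP/53 responses to SERVER against the queries SERVER
    actually sent, keyed by (resolver, transaction id). Responses with no
    matching query are reflected traffic; returns {resolver: (count, bytes)}."""
    outstanding = set()
    unsolicited = defaultdict(lambda: [0, 0])
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "udp":
            continue
        if p.src == SERVER and p.dport == 53:
            outstanding.add((p.dst, p.dns_id))
        elif p.dst == SERVER and p.sport == 53:
            key = (p.src, p.dns_id)
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited[p.src][0] += 1
                unsolicited[p.src][1] += p.size
    return {r: (n, b) for r, (n, b) in unsolicited.items()}


def _tcp(ts, src, sport, flags):
    return Packet(ts, "tcp", src, SERVER, sport, 443, flags=flags, size=60)


# Constructed trace: one legitimate client, one source that abandons six
# handshakes, one legitimate DNS exchange and one resolver that sends three
# large replies SERVER never asked for.
SAMPLE_TRACE = [
    _tcp(0.00, "198.51.100.7", 40001, "S"),
    _tcp(0.10, "198.51.100.7", 40001, "A"),   # completes the handshake
    *[_tcp(1.0 + i * 0.1, "192.0.2.1", 1000 + i, "S") for i in range(6)],
    Packet(2.00, "udp", SERVER, "198.51.100.53", 51000, 53, size=64, dns_id=0x1234),
    Packet(2.05, "udp", "198.51.100.53", SERVER, 53, 51000, size=120, dns_id=0x1234),
    *[Packet(3.0 + i * 0.01, "udp", "198.51.100.99", SERVER, 53, 51000 + i,
             size=3000, dns_id=i) for i in range(3)],
    _tcp(9.00, "198.51.100.7", 40001, "A"),   # keep-alive that ends the trace
]

if __name__ == "__main__":
    print("abandoned handshakes:", half_open_report(SAMPLE_TRACE))
    print("unsolicited DNS:", unsolicited_dns_report(SAMPLE_TRACE))
```

Both detectors are deliberately per-source: a flood from many sources will show up as the total number of pending slots rather than as any one offender, so in practice the size of `pending` itself is the first thing to alert on.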
HTTP GET is an Application Layer attack, which is smaller and more targeted, going after Layer 7 of the OSI model, the top layer of network traffic, rather than the Layer 3 network traffic targeted in Bulk Volumetric attacks. HTTP GET floods exploit the normal process of a web browser or other HTTP client sending an HTTP request, either GET or POST, to an application or server. Attackers must have some knowledge of their target, as they will usually request the most resource-intensive process. These attacks are hard to defend against because they use standard URL requests, rather than broken scripts or huge volumes.
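Because every request in a GET flood is well-formed, a defender has to look at who is asking for what, and how often, rather than at the packets themselves. This added example (not from the original article) weights each request in a constructed set of web server access log lines by how expensive the endpoint is and flags clients whose weighted load in a sliding window exceeds a budget. The log lines, the `/search` and `/report` cost weights, the window length and the budget are all assumptions.

```python
"""Added example (not from the original article): per-client, cost-weighted
sliding-window detection of an HTTP GET flood over constructed access log
lines. Endpoint costs, window and budget are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) \S+" (\d{3}) \d+')

# Relative cost per path prefix (assumed); anything else costs 1 unit.
ENDPOINT_COST = {"/search": 20, "/report": 10}


def parse(line):
    """Return (ip, epoch_seconds, path, raw_timestamp) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path, _status = m.groups()
    epoch = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, epoch, path, stamp


def request_cost(path):
    base = path.split("?", 1)[0]
    for prefix, cost in ENDPOINT_COST.items():
        if base.startswith(prefix):
            return cost
    return 1


def flood_report(lines, window=10.0, budget=100):
    """Return {ip: (timestamp_first_exceeded, peak_cost_in_window)} for clients
    whose weighted request cost within any `window`-second span exceeds `budget`."""
    recent = defaultdict(deque)   # ip -> deque of (epoch, cost)
    load = defaultdict(int)       # ip -> cost currently inside the window
    flagged = {}
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r[1])
    for ip, ts, path, stamp in records:
        q = recent[ip]
        while q and ts - q[0][0] > window:     # slide the window forward
            _, old = q.popleft()
            load[ip] -= old
        cost = request_cost(path)
        q.append((ts, cost))
        load[ip] += cost
        if load[ip] > budget:
            first, peak = flagged.get(ip, (stamp, 0))
            flagged[ip] = (first, max(peak, load[ip]))
    return flagged


# Constructed log: a normal visitor plus one client hammering the search page.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /static/app.js HTTP/1.1" 200 90210',
    '198.51.100.7 - - [10/Oct/2023:13:55:35 +0000] "GET /search?q=widgets HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0',
    "this line is not a log entry and is skipped",
] + [
    f'192.0.2.1 - - [10/Oct/2023:13:55:{32 + i // 2:02d} +0000] '
    f'"GET /search?q=term{i} HTTP/1.1" 200 2048'
    for i in range(8)
]

if __name__ == "__main__":
    for ip, (when, peak) in flood_report(SAMPLE_LOG).items():
        print(f"{ip}: exceeded budget at {when}, peak load {peak}")
```

The visitor who runs one search stays well under budget; the client that runs eight searches in four seconds is flagged on its sixth. Weighting by endpoint is what separates this from a plain rate limit, since a GET flood aimed at an expensive page can do its damage at a request rate that looks unremarkable.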
ISPs have DDoS protection at Layer 3 and Layer 4 (network traffic), but that ignores the more targeted Layer 7 attacks, and total coverage is not guaranteed.
DDoS mitigation service providers exist. Usually they will reroute your incoming traffic through their own systems and “scrub” it against known attack vectors. They might scan for suspicious traffic from uncommon sources or geolocations, or reroute your legitimate traffic away from botnet sources.
Most modern firewalls and Intrusion Protection Systems (IPS) offer DDoS defense abilities as well. These can take the form of a single device scanning all incoming traffic, or distributed devices or software at the server level. Dedicated DDoS appliances are also available and may offer better protection against Layer 7 attacks.
Network scanning and traffic monitoring with alerts can also help you catch a DDoS attack early and take action to avoid total service loss.
Once you have a DDoS protection system in place, you’ll want to test it before it comes under fire. The first step to take is to identify attack vectors and key applications. What ports are open? What bandwidth do you have available to you? Where are likely network bottlenecks? What critical systems need additional protection?
Note areas of your infrastructure that are vulnerable based on their reliance on other systems—like a central database that could take down functionality for several applications if it is overloaded.
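Working out which shared component would take the most down with it is a graph question, and it is worth answering before a test rather than during one. The following is an added example, not from the original article: it walks a constructed service dependency map and reports, for each component, everything that loses functionality if that component is overloaded. The service names and their dependencies are made up for the illustration.

```python
"""Added example (not from the original article): rank components of a
constructed dependency map by how many services an overload would take down."""

# Constructed map (assumption): service -> components it relies on directly.
DEPENDENCIES = {
    "storefront": {"catalog-api", "central-db", "cdn"},
    "checkout": {"payments-api", "central-db"},
    "catalog-api": {"central-db", "search"},
    "payments-api": {"central-db", "payment-gateway"},
    "admin-portal": {"central-db"},
    "status-page": {"cdn"},
    "search": set(),
    "central-db": set(),
    "cdn": set(),
    "payment-gateway": set(),
}


def dependents(graph):
    """Invert the map: component -> set of services that rely on it directly."""
    rev = {name: set() for name in graph}
    for service, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(service)
    return rev


def blast_radius(graph, failed):
    """Every service that loses functionality, directly or transitively,
    if `failed` is overloaded. The failed component itself is not included."""
    rev = dependents(graph)
    seen, stack = set(), [failed]
    while stack:
        node = stack.pop()
        for svc in rev.get(node, ()):
            if svc not in seen:
                seen.add(svc)
                stack.append(svc)
    seen.discard(failed)
    return seen


def rank_single_points_of_failure(graph):
    """Components sorted by blast radius, largest first."""
    return sorted(((len(blast_radius(graph, c)), c) for c in graph),
                  reverse=True)


if __name__ == "__main__":
    for size, component in rank_single_points_of_failure(DEPENDENCIES):
        if size:
            print(f"{component}: takes down {size} -> "
                  f"{sorted(blast_radius(DEPENDENCIES, component))}")
```

In this map the central database is the clear outlier, which is exactly the case the text describes: it is the component that earns extra protection and the first one to include in a mitigation test.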
There are a variety of open source software tools you can use to test DDoS mitigation, as well as hardware options that can reach multi-Gigabit traffic levels. However, hardware options are expensive. A professional white hat security firm may be able to offer testing as a service.
DDoS attacks are certainly an annoyance, but with some preparation, you can be ready to intercept or respond to them quickly and avoid service interruptions for your users.