I was recently asked to weigh in on distributed denial of service (DDoS) attacks to help small business owners understand these types of attacks and how to prevent them. A DDoS is a cyber attack on a server, service, website or network in which the target is flooded with traffic or data to the point that all resources available are exhausted. Once the traffic overwhelms the target and all resources are used, the server, service, website or network is rendered inoperable as all legitimate requests will go unhandled.
DDoS attacks can come in short bursts or repeated assaults, but either way the impact on a website or business can last for days, weeks and even months as the organization tries to recover. This can make DDoS extremely destructive to any online organization.
What are the common types of DDoS attacks?
Luckily, DDoS is usually easy to identify and diagnose. The most notable symptom is that the target service, site or network is unavailable or has slowed down significantly. During a DDoS attack, you will notice a jump in resource utilization on the targeted servers, which likely corresponds to an unusually high number of requests, or to requests that are malformed. Some of the most common types of DDoS attacks include:
- HTTP Request Flood: Attackers will gather tens of thousands of bots and have them all request the same resources at the same time. Every web server has a limit on the number of requests it can serve at any moment, so the bad actor's goal in this type of attack is to generate more requests than the server can handle. It is often as simple as requesting the primary webpage (a request to www.yourwebsite.com); however, some websites like Google are practically impervious to DDoS attacks in this form as they can handle a very large number of requests.
- SYN Flood: In order to establish a TCP connection, two computers need to perform a 'handshake' in which they introduce themselves to each other. The first step in that handshake is sending a SYN packet and waiting for a response. In order to respond, the other computer needs to allocate resources like memory and processing time to handle that request. If too many SYNs arrive at the same time, the target computer no longer has resources to allocate to legitimate connections, causing a denial of service.
- UDP Flood: UDP is a protocol that can transfer data without requiring a handshake like TCP does. It sends the data and forgets about it, so there is no verification that the data arrived. Since it has less overhead, it is often used in applications like streaming video, where it is not that important if some data goes missing. If an attacker can send enough data, the target can be overwhelmed, resulting in a denial of service.
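As an added illustration (not part of the original post), here is a small Python script that looks for the HTTP request flood symptoms described above in web-server access logs: it counts requests per fixed time window and, for a busy window, reports how many distinct sources were involved and which path they concentrated on, and it lists any malformed request lines. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Common Log Format lines (not a real capture); 198.51.100.7 is an ordinary visitor.
NORMAL = """\
198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /about HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /contact HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 5120
"""
# Twenty constructed bot addresses all fetching "/" in the same second, plus one
# malformed request line (no HTTP version) that the server answered with 400.
FLOOD = "".join(
    f'203.0.113.{i} - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120\n'
    for i in range(11, 31)
) + '203.0.113.99 - - [10/Oct/2023:13:55:37 +0000] "GET /" 400 0\n'
SAMPLE_LOG = NORMAL + FLOOD

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")  # shape of a well-formed request line

def parse(log_text):
    """Yield (client_ip, timestamp_text, request_line, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def analyze(log_text, window_secs=10, max_per_window=8):
    """Bucket requests into fixed windows; flag windows over the threshold (with source
    count and the dominant path) and collect malformed request lines."""
    windows = defaultdict(lambda: {"ips": Counter(), "paths": Counter()})
    malformed = []
    for ip, ts, req, status in parse(log_text):
        h, m, s = map(int, ts.split()[0].split(":")[1:4])  # hh:mm:ss (single-day sample)
        w = (h * 3600 + m * 60 + s) // window_secs
        windows[w]["ips"][ip] += 1
        parts = req.split()
        windows[w]["paths"][parts[1] if len(parts) > 1 else req] += 1
        if status == 400 or not REQUEST_RE.match(req):
            malformed.append((ip, req))
    alerts = []
    for w, stats in sorted(windows.items()):
        total = sum(stats["ips"].values())
        if total > max_per_window:
            path, hits = stats["paths"].most_common(1)[0]
            alerts.append({"window": w, "total": total, "sources": len(stats["ips"]),
                           "hot_path": path, "hot_path_share": round(hits / total, 2)})
    return alerts, malformed

print(analyze(SAMPLE_LOG))  # one alert for the flood window, plus the malformed line
```

Many distinct sources each sending only a few requests is exactly why per-IP counting alone misses a bot flood; the total per window and the concentration on one path are the stronger signals here.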
How can an organization protect against a DDoS attack?
While you will not be able to completely protect against DDoS attacks, organizations can make them much harder for attackers to pull off. Our top tips for protecting against a DDoS include:
- Disable any services that are not needed for your organization's website. If you are simply running a website, disable anything other than HTTP(S) traffic so you are not susceptible to many of the protocol-based DDoS attacks from the start.
- Implement protections from your service provider. Many service providers, like Comcast or Verizon, offer some intelligent DDoS protection. They can detect a large number of requests or unusual requests and intelligently drop those requests so they do not have to be handled by your website.
- Increase resources available to handle requests. If your website has a lot of traffic already, consider increasing the resources available to handle those requests. This will improve the speed and reliability of your site AND make DDoS harder to accomplish as attackers will need more bots to succeed. This could come in many forms, including better routing of traffic (load balancing), increasing the number of servers that handle requests and increasing the processing and memory capabilities of each server.
While DDoS attacks can be extremely disruptive, they are relatively easy to detect and diagnose. There are some preventive measures you can take as detailed above and it is important to strengthen the overall security posture of your devices. If you think you have experienced an attack, reach out to our Incident Response team at 888-385-1720 and we can help you diagnose and resolve the incident.
Want to learn more about the best ways to protect your organization from cyber attacks? Check out our whitepaper: The Domain Controller…An Achilles Heel