What is a DDoS Attack?
For a lot of us without a deep understanding of network security, it is easy to think about DDoS attacks as a single “thing” companies can simply solve. But the term DDoS covers a large class of malicious attacks on network or internet infrastructure, so while some defenses may be simple, others are not so easily constructed.
The range of DDoS attacks includes those that flood servers with traffic to bring them down, but also a class known as application denial-of-service attacks. The most common DDoS attacks work at the network layer, blasting senseless traffic at target systems in the hope of overwhelming them and exhausting all available bandwidth; this is what most people understand a DDoS to be. Other denial-of-service attacks, however, can include locking other users out, for example through repeated failed password reset attempts, or wiping databases and disrupting services in more specific ways.
Most of the malicious attacks on the internet, in terms of volume, are reflection and amplification DDoS attacks. These attacks can range anywhere from a few tens of gigabits per second, which is already quite large, up to the largest attacks confirmed so far at about 400 gigabits per second.
When troubleshooting and anticipating how to defend against attacks, there are a couple of considerations to take into account. The first is that these attacks tend to fill up the last-kilometer link between the ISP from which a service provider buys transit and that provider's internet data center. The second is that attacks reaching dozens or hundreds of gigabits per second can actually fill up the peering and core links of every ISP in the path, so they can consume network capacity in multiple intervening networks between the reflectors and amplifiers used in the attack and the actual target.
In other words, companies trying to protect themselves from ongoing or future DDoS attacks have several components of the network to monitor. Traffic can overwhelm the link between the ISP and the service, or it can flood the peering connections between the various ISPs and the large companies that have agreed to carry each other's traffic. Those waging the attack send requests to innocent computers while posing as the target; when those “reflectors” respond, their replies go to the site or service that is the intended victim.
Combined with amplifiers (protocols that return far more data than they receive, used in conjunction with reflected attacks), the data being transmitted can be magnified by up to 179 times. The servers used in the amplification attack ultimately flood the target site and the network it is on with a huge volume of responses, so attackers do not need much network capacity themselves to multiply the original amount of traffic by 6,000 to 9,000 times.
The end result: the attacking traffic ends up causing a shutdown of the overloaded target server(s), and/or squeezing out legitimate traffic to and from the target.
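To make the reflection pattern described above concrete from the defender's side, here is an added example (not from the article) that scans constructed per-second flow summaries for the signature of reflected traffic: many distinct sources answering from the same well-known UDP service port, large packets, and a high aggregate rate toward one address. The reflector port list, the thresholds and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of inbound UDP flow summaries seen at the network edge over one second
# (illustrative values, not measurements): (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    # five distinct NTP servers all answering one host with 480-byte packets: reflection pattern
    ("198.51.100.10", 123, "203.0.113.5", 40001, 250_000, 120_000_000),
    ("198.51.100.11", 123, "203.0.113.5", 40001, 250_000, 120_000_000),
    ("198.51.100.12", 123, "203.0.113.5", 40001, 250_000, 120_000_000),
    ("198.51.100.13", 123, "203.0.113.5", 40001, 250_000, 120_000_000),
    ("198.51.100.14", 123, "203.0.113.5", 40001, 250_000, 120_000_000),
    # three memcached servers hitting the same host with 1400-byte packets
    ("192.0.2.20", 11211, "203.0.113.5", 40002, 50_000, 70_000_000),
    ("192.0.2.21", 11211, "203.0.113.5", 40002, 50_000, 70_000_000),
    ("192.0.2.22", 11211, "203.0.113.5", 40002, 50_000, 70_000_000),
    # ordinary DNS answers from a single resolver to another host: small packets, one source
    ("192.0.2.53", 53, "203.0.113.7", 51000, 1_000, 90_000),
    # traffic from a port not in the reflector list is ignored by the detector
    ("192.0.2.80", 443, "203.0.113.7", 52000, 5_000, 6_000_000),
]

# UDP service ports frequently abused as reflectors (assumed list, chosen for illustration).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def find_reflection_targets(flows, window_seconds=1.0, min_reflectors=3,
                            min_bytes_per_packet=400, min_gbps=0.5):
    """Group inbound flows by (victim address, reflector service port) and flag groups where
    many distinct sources send large packets at a high aggregate rate, the signature of
    reflected and amplified traffic. Returns alerts sorted by rate, highest first."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue  # not a service that reflectors typically answer from
        g = groups[(dst_ip, src_port)]
        g["sources"].add(src_ip)
        g["packets"] += packets
        g["bytes"] += nbytes
    alerts = []
    for (dst_ip, src_port), g in groups.items():
        bytes_per_packet = g["bytes"] / g["packets"]
        gbps = g["bytes"] * 8 / window_seconds / 1e9
        if (len(g["sources"]) >= min_reflectors
                and bytes_per_packet >= min_bytes_per_packet and gbps >= min_gbps):
            alerts.append({"target": dst_ip, "service": REFLECTOR_PORTS[src_port],
                           "reflectors": len(g["sources"]),
                           "bytes_per_packet": round(bytes_per_packet, 1),
                           "gbps": round(gbps, 3)})
    return sorted(alerts, key=lambda a: a["gbps"], reverse=True)
```

On the constructed sample this flags the NTP and memcached groups against 203.0.113.5 and leaves the single-source DNS traffic alone; in practice the thresholds would be tuned to the edge link's capacity and normal traffic profile.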
Why are DDoS Attacks so Difficult to Defend Against?
The mix of distributed attacking traffic and legitimate traffic during a DDoS attack is precisely why they’re so hard to defend against. Identifying your attacker against a backdrop of legitimate users to your online service can be quite an art; when you have only one attacker (i.e. a traditional DoS attack), blocking them is quite easy. But when you’re being simultaneously bombarded by hundreds or thousands of attackers, stopping the attack takes valuable time that you don’t have, often while battling dwindling bandwidth and access.
Defending against a DDoS attack is also difficult because of the cost involved. Companies must “over-invest” in bandwidth, applications, or infrastructure for a possibility that might happen rarely. This causes many companies to choose to view DDoS attacks as an occasional inconvenience.
However, the seriousness of DDoS attacks should not be underestimated. Sometimes a DDoS attack can cause unintended consequences that may expose new vulnerabilities under load, or create opportunities for unauthorised access leading to other breaches.
Why do DDoS Attacks Keep Happening?
Given that it’s in a company’s best interest to protect its customers, why would one keep allowing DDoS attacks to happen? Simply put, that stems from a juggling act that enables the very circumstances that permit DDoS attacks to be common.
When you’re running a publicly accessible service online, you need to allow the public to have access, and that means you’re never sure when you have to close the front doors to your virtual space to stop people coming in. Also, from a technical perspective, DDoS attacks are about the simplest and easiest form of online attack available.
In other words, DDoS attacks are familiar events because companies want everyone to be able to access their service, and executing one requires almost no technical knowledge—just the right tools.
What are Companies Doing Wrong?
However, while the volume of attacks presents some unique challenges for companies, they can be overcome.
Many online operators continue to suffer because they opt out of participating in the global operational security community. These are closed, vetted communities in which the operators involved not only marshal their own resources when under attack, but can reach out and ask other operators to assist them.
Others have not implemented the most current defenses to protect their network infrastructure - their routers and Layer-3 switches - from attack. In many cases, the attackers will try to attack the routers and switches rather than servers directly because network operators may not have implemented the best current practices required to enable these devices to defend themselves.