A denial of service attack or DoS, occurs when a hacker sends out service

People in the business world who provide services to their customers know even a slight disruption in service — such as one lasting less than an hour — could result in a lot of angry people and a lack of trust in the company, among other issues.

Hackers are also aware of this reality, and that’s why they carry out plans that make internet-based services temporarily unusable.

DoS Attacks vs. DDoS Attacks

A denial-of-service (DoS) attack occurs when a system or machine is maliciously flooded with traffic or requests until it crashes or becomes inaccessible to legitimate users. The most common method is a flood, which sends more traffic to a network address than it can handle. (This is sometimes loosely called a “buffer overflow” attack, but it is a different thing from the memory-corruption bug of that name, which can also take a service down, though with a single crafted input rather than with volume.)

Hackers also try other tactics, such as sending spoofed packets to a broadcast address so that every machine on a network answers instead of only one, or carrying out a SYN flood. The latter sends connection requests to a server but never completes the TCP handshake; the half-open connections fill the server’s backlog so that no slots are left for legitimate customers. Another technique exploits an existing vulnerability in the system, rather than increasing traffic, to make it crash.

Distributed denial-of-service (DDoS) attacks are increasingly common in today’s cyber-landscape. They’re similar to other types of DoS attacks in the effects they have, but the primary difference is the traffic shutting down a victim’s servers or systems originates from many sources rather than one. Distributing the attack across multiple sources increases the damage that can be done and makes it more difficult to shut down; it is also harder to identify the malicious party behind the attack.

The IoT Facilitates DDoS Attacks

DDoS attacks work when those various sources act in sync with one another, often through a botnet. A botnet is a network of hijacked internet-connected systems or devices that are remotely controlled as a group. Hackers often use them to send spam or phishing emails or to steal banking credentials. However, they’re an instrumental part of DDoS attacks, too. Some hackers even offer botnets for hire, allowing even unskilled cybercriminals to do damage.

One worrisome reality is that the Internet of Things (IoT) brought countless internet-connected devices to the marketplace, making DDoS attacks easier to achieve than in the past. These devices, such as cameras and routers, are prime candidates for botnets because they often rely on poor authentication practices, including shipping with weak default passwords. Hackers can use basic dictionary-based attacks to guess the admin credentials and take over the device. 

One memorable example of this is the Mirai botnet, believed to be made up of over 600,000 zombie IoT devices. In October 2016, Mirai was notoriously used for DDoS attacks against the DNS provider Dyn and other key service providers, which left many popular websites, such as Amazon and Twitter, unavailable to users.

These Attacks Are Typically Extremely Well-Timed

Victims could easily argue there’s no good time to get hit with any attack from cyber-criminals. Remember the WannaCry ransomware outbreak of May 2017, which encrypted systems across the United Kingdom’s National Health Service and demanded a bitcoin ransom to unlock them?

One problem with DoS and DDoS attacks is that the people behind them often figure out how to cause the most damage to their targets through impeccable timing. On Christmas Day 2014, Xbox Live and the PlayStation Network were targeted and knocked offline, putting a damper on the holiday spirit of everyone who had just received the game systems as gifts. Other instances further prove hackers had timing in mind when planning attacks.

In January 2016, a DDoS attack affected customers of HSBC Bank in the United Kingdom, who could not access their online accounts.

That’s bad enough, but it’s even worse, considering it all happened only a couple of days before the United Kingdom’s tax deadline. Research also indicates the financial sector is the most likely industry hit by DDoS attacks, with 57 percent of incidents targeting it.

Earlier, in July 2015, New York Magazine found its website down just after publishing 35 interviews with women accusing Bill Cosby of sexual assault. The likely reason was a DDoS attack. The outlet held exclusive material that readers wanted, and the timing of the attack kept them from reading it.

Some Incidents Affect Multiple Countries

Multiple DDoS incidents in August 2018 also demonstrated how hackers sometimes bring down various websites associated with one industry, even if they’re in different countries. Poker websites in the United States and Canada saw their users locked out by attacks that did not coincide but fell within days of each other.

The US-based America’s Card Room experienced a lapse in service due to a DDoS attack on Aug. 5, right before the start of a substantial online tournament series with $10 million in guaranteed prize money, and had to cancel several of the tournaments as a result. The site’s managing director confirmed the attacks lasted for several hours and that America’s Card Room was working with a DDoS mitigation service to prevent future issues.

A week later, PokerStars, a Canadian site, experienced similar woes when its users started complaining about connectivity problems. Again, these issues kicked off on a day of important tournaments. It’s important to note that these attacks don’t just affect users in the company’s base country either. Despite being based in Canada, PokerStars serves customers in Europe and India. People in those places also could not use the website once the problems cropped up.

How to Avoid Being Affected

Any amount of downtime could make customers begin assuming service providers don’t have adequate infrastructure. A problem that’s severe enough could cause them to complain on social media channels or decide to take their patronage elsewhere.

DoS protection services are available to monitor traffic levels and alert on unusual activity. More recently, researchers have built prototype systems that use machine learning to detect potential attacks. Early results suggest that, although such systems take time to train, they outperform the DoS screening tools previously available.

Besides depending on methods of finding out about DoS attacks before they affect the majority of users, it’s crucial for businesses to create crisis response plans incorporating DoS and DDoS attacks.

Knowing what to do once one happens doesn’t prevent it entirely, but responding promptly could minimize the extent of the damage. Plus, being upfront about what happened could calm the strong emotions that inevitably flare up when people discover the websites and services they often use and rely upon are suddenly rendered useless.

These Attacks Are Not Going Away

DoS attacks do more than damage reputations and cause frustration. They cost up to $40,000 per hour for victims and less than $40 per hour to orchestrate. A look at news headlines over the past couple of years shows these types of attacks are on the rise and progressively more extensive.

Business owners and others who could potentially find their services brought down by these kinds of attacks must realize they can’t ignore them.

It’s essential to understand the threat of these attacks, learn how to prevent or at least identify them before they can wreak too much havoc, and have disaster recovery processes in place to get systems running again in the unfortunate event you are targeted.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign

A distributed denial of service (DDoS) attack is a malicious attempt to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server.

A DDoS attack is launched from numerous compromised devices, often distributed globally in what is referred to as a botnet. It is distinct from a plain denial of service (DoS) attack, which uses a single Internet-connected device (one network connection) to flood a target with malicious traffic. This nuance is the main reason for the existence of these two, somewhat different, definitions.

“And that concludes our DDoS party: Escapist Magazine, Eve Online, Minecraft, League of Legends + 8 phone requests.” Tweeted by LulzSec – June 14, 2011, 11:07PM

Broadly speaking, DoS and DDoS attacks can be divided into three types:

Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).

Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second (pps).

Application Layer Attacks
Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Composed of seemingly legitimate and innocent requests, these attacks aim to exhaust or crash the web server, and their magnitude is measured in requests per second (rps).

Common DDoS attack types

Some of the most commonly used DDoS attack types include:

UDP Flood

A UDP flood, by definition, is any DDoS attack that floods a target with User Datagram Protocol (UDP) packets. The goal of the attack is to flood random ports on a remote host. This causes the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP ‘Destination Unreachable’ packet. This process saps host resources, which can ultimately lead to inaccessibility.

ICMP (Ping) Flood

Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.

SYN Flood

A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.
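The state a host keeps during the handshake described above is what a SYN flood exhausts. The following is an added example (not code from the original page) that models that state over a constructed trace of TCP events seen from the server’s side, then flags a flood from two address-independent signals: backlog occupancy and the handshake completion rate. The 3-second SYN-RECV timeout, the 128-entry backlog and the thresholds are assumed values.

```python
# Added example, not from the original page: tracking half-open TCP
# connections over a constructed event trace, the way a host or firewall
# would see a SYN flood. Times are seconds; each event is
# (time, client_ip, client_port, flag) from the server's point of view,
# where "SYN" is the client's opening packet and "ACK" the handshake's
# final packet. Timeout and backlog size are assumed values.

SYN_TIMEOUT_S = 3.0   # assumption: how long the server keeps an unanswered SYN-ACK
BACKLOG = 128         # assumption: size of the listen backlog


def build_trace():
    """Constructed trace: three real clients complete their handshakes,
    then 100 SYNs arrive from spoofed sources that never send the ACK."""
    legit = [
        (0.00, "10.0.0.5", 50001, "SYN"), (0.05, "10.0.0.5", 50001, "ACK"),
        (0.30, "10.0.0.6", 50102, "SYN"), (0.35, "10.0.0.6", 50102, "ACK"),
        (1.00, "10.0.0.7", 50200, "SYN"), (1.04, "10.0.0.7", 50200, "ACK"),
    ]
    flood = [(5.0 + i * 0.009, f"203.0.113.{i % 250 + 1}", 40000 + i, "SYN")
             for i in range(100)]
    return legit + flood


def backlog_snapshot(trace, now, timeout=SYN_TIMEOUT_S):
    """Return {(ip, port): syn_time} for handshakes still half-open at `now`.

    An ACK promotes the entry to ESTABLISHED (and removes it here); an
    entry older than `timeout` has been dropped by the SYN-RECV timer.
    """
    pending = {}
    for t, ip, port, flag in sorted(trace):
        if t > now:
            break
        key = (ip, port)
        if flag == "SYN":
            pending[key] = t
        elif flag == "ACK":
            pending.pop(key, None)
    return {k: t for k, t in pending.items() if now - t <= timeout}


def completion_rate(trace, start, end):
    """Fraction of SYNs in [start, end] that were followed by an ACK.
    Returns None when no SYNs were seen in the window."""
    syns = acks = 0
    for t, _, _, flag in trace:
        if start <= t <= end:
            if flag == "SYN":
                syns += 1
            elif flag == "ACK":
                acks += 1
    return None if syns == 0 else acks / syns


def syn_flood_verdict(trace, now, window_s=1.0, backlog=BACKLOG):
    """Flag a flood when the backlog is nearly full or almost no handshake
    in the last window completed. Both signals ignore the source address,
    which matters because flood SYNs are usually spoofed."""
    pending = len(backlog_snapshot(trace, now))
    rate = completion_rate(trace, now - window_s, now)
    flooded = pending >= 0.75 * backlog or (
        rate is not None and rate < 0.2 and pending >= 20)
    return {"pending": pending, "completion_rate": rate, "flood": flooded}


if __name__ == "__main__":
    for now in (2.0, 6.0, 10.0):
        print(now, syn_flood_verdict(build_trace(), now))
```

Per-source counters are useless here because every flood SYN carries a different spoofed address, which is why the verdict looks at aggregate backlog pressure and completion rate instead. On the host side, SYN cookies (net.ipv4.tcp_syncookies on Linux) let the kernel answer SYNs without storing state until the final ACK arrives, so the backlog cannot be exhausted in the first place.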

Ping of Death

A ping of death (“POD”) attack involves the attacker sending malformed or malicious pings to a computer. The maximum length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually imposes a limit on the maximum frame size, for example 1,500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the fragments into the complete packet. In a Ping of Death scenario, the attacker manipulates the fragment offset and length fields so that the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow the memory buffer allocated for the packet, crashing the host and causing denial of service for legitimate packets.

Slowloris

Slowloris is a highly targeted attack, enabling a single machine to take down a web server without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris periodically sends another HTTP header, but never completes a request. The targeted server keeps each of these false connections open. This eventually exhausts the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.
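The reason Slowloris works is that the server waits indefinitely for the rest of the headers; the standard fix is a deadline on the whole header block. The following is an added example (not code from the original page or from any web server) that models a connection pool under this attack with and without such a deadline. Pool size and timeout are assumed values; the deadline is the idea behind Apache’s mod_reqtimeout and nginx’s client_header_timeout.

```python
# Added example, not from the original page: a deterministic model of a web
# server's connection pool under Slowloris, with and without a header read
# deadline. Pool size and timeout are assumed values.

MAX_CONNECTIONS = 100      # assumption: worker/connection pool size
HEADER_TIMEOUT_S = 10.0    # assumption: whole header block must arrive within this


class Server:
    def __init__(self, header_timeout=None, max_conn=MAX_CONNECTIONS):
        self.header_timeout = header_timeout   # None = wait forever (the vulnerable behaviour)
        self.max_conn = max_conn
        self.conns = {}        # cid -> time the connection was accepted
        self.served = 0
        self.rejected = 0

    def accept(self, cid, now):
        self.reap(now)
        if len(self.conns) >= self.max_conn:
            self.rejected += 1
            return False
        self.conns[cid] = now
        return True

    def receive(self, cid, now, header_line):
        """Feed one header line; an empty line ends the header block, after
        which the request is served and the slot released. `now` is accepted
        so a rate-based variant could extend the deadline on progress; this
        fixed deadline deliberately ignores it."""
        if cid not in self.conns:
            return False
        if header_line == "":
            self.served += 1
            del self.conns[cid]
        return True

    def reap(self, now):
        """Close connections whose headers are still incomplete past the deadline."""
        if self.header_timeout is None:
            return 0
        stale = [c for c, opened in self.conns.items()
                 if now - opened > self.header_timeout]
        for c in stale:
            del self.conns[c]
        return len(stale)


def simulate(header_timeout):
    """Fill the pool with partial requests, trickle bogus headers, then see
    whether a legitimate client arriving at t=30 gets a slot."""
    srv = Server(header_timeout)
    bots = [f"slow-{i}" for i in range(MAX_CONNECTIONS)]
    for b in bots:                              # t=0: open and send only the request line
        srv.accept(b, 0.0)
        srv.receive(b, 0.0, "GET / HTTP/1.1")
    for t in (5.0, 10.0, 15.0, 20.0, 25.0):     # one more header every 5 s, never a blank line
        for b in bots:
            srv.receive(b, t, f"X-a: {int(t)}")
    ok = srv.accept("legit", 30.0)
    if ok:
        for line in ("GET /index.html HTTP/1.1", "Host: www.example.com", ""):
            srv.receive("legit", 30.0, line)
    return {"accepted": ok, "served": srv.served,
            "rejected": srv.rejected, "open": len(srv.conns)}


if __name__ == "__main__":
    print("no deadline:", simulate(None))
    print("10 s deadline:", simulate(HEADER_TIMEOUT_S))
```

Without a deadline the 100 trickling connections hold every slot and the legitimate client is refused; with one, the stale connections are reaped on the next accept and the request is served. In real deployments the equivalent settings are RequestReadTimeout header=20-40,MinRate=500 for Apache’s mod_reqtimeout and client_header_timeout for nginx; thread-per-connection servers are the most exposed, event-driven ones less so, but a low-and-slow attacker can still exhaust any finite pool that has no deadline.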

NTP Amplification

In NTP amplification attacks, the perpetrator exploits publicly-accessible Network Time Protocol (NTP) servers to overwhelm a targeted server with UDP traffic. The attack is defined as an amplification assault because the query-to-response ratio in such scenarios is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using a tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.
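Both the UDP flood above and NTP amplification leave a recognisable signature in flow data: the flood shows many packets to many closed ports from few sources, the reflection shows large packets from many distinct hosts all sharing the reflector’s source port. The following added example (not code from the original page or from any vendor) classifies constructed NetFlow-style records toward a victim on those two signatures and computes the bandwidth amplification factor of a reflected exchange. Addresses, ports, flow counts and packet sizes are all made up for the illustration.

```python
# Added example, not from the original page. Serves the UDP flood and NTP
# amplification descriptions: classifies constructed NetFlow-style records
# addressed to a victim, and computes the bandwidth amplification factor
# of a reflected exchange. Every address, count and size here is invented.

from collections import defaultdict

VICTIM = "192.0.2.80"
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 19: "chargen", 1900: "SSDP", 11211: "memcached"}

# Flow record layout: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
NTP_AMPLIFICATION_FLOWS = [
    (f"198.51.100.{i}", 123, VICTIM, 40000 + i, "udp", 20, 20 * 440) for i in range(1, 41)
] + [("192.0.2.53", 53, VICTIM, 51234, "udp", 1, 120)]          # one real DNS answer

UDP_FLOOD_FLOWS = [
    (f"203.0.113.{i % 5 + 1}", 50000 + i, VICTIM, 1024 + (i * 7919) % 60000, "udp", 1, 64)
    for i in range(300)                                           # 5 bots, 300 distinct ports
]

LEGIT_FLOWS = [
    ("192.0.2.53", 53, VICTIM, 51234, "udp", 1, 120),
    ("198.51.100.7", 44321, VICTIM, 443, "tcp", 12, 5000),
]


def baf(request_payload, response_payloads):
    """Bandwidth amplification factor: response bytes per request byte."""
    return sum(len(p) for p in response_payloads) / len(request_payload)


def classify(flows, victim, listening_udp_ports):
    """Return human-readable findings for UDP traffic aimed at `victim`."""
    udp = [f for f in flows if f[2] == victim and f[4] == "udp"]
    total_bytes = sum(f[6] for f in udp)
    reflectors = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    closed_ports, closed_packets = set(), 0
    for src, sport, _, dport, _, pkts, nbytes in udp:
        if sport in REFLECTOR_PORTS:            # replies from a well-known reflector service
            r = reflectors[sport]
            r["bytes"] += nbytes
            r["packets"] += pkts
            r["sources"].add(src)
        if dport not in listening_udp_ports:    # nothing listens there: host answers with ICMP
            closed_ports.add(dport)
            closed_packets += pkts

    findings = []
    for sport, r in reflectors.items():
        share = r["bytes"] / total_bytes
        # many distinct reflectors carrying most of the UDP bytes = amplification
        if len(r["sources"]) >= 10 and share >= 0.3:
            findings.append(
                f"{REFLECTOR_PORTS[sport]} amplification: {len(r['sources'])} reflectors, "
                f"{r['bytes'] / r['packets']:.0f} B/pkt, {share:.0%} of UDP bytes")
    # many packets sprayed over many closed ports = UDP port flood
    if len(closed_ports) >= 100 and closed_packets >= 200:
        findings.append(
            f"UDP flood: {closed_packets} packets to {len(closed_ports)} closed ports "
            f"(expect matching ICMP port-unreachable replies leaving the host)")
    return findings


if __name__ == "__main__":
    # constructed exchange: a 48-byte query answered by 20 packets of 440 bytes
    print("BAF:", baf(bytes(48), [bytes(440)] * 20))
    for name, flows in (("amplification", NTP_AMPLIFICATION_FLOWS),
                        ("flood", UDP_FLOOD_FLOWS), ("legit", LEGIT_FLOWS)):
        print(name, classify(flows, VICTIM, {443}))
```

Two checks follow from the classification. On the victim side, the ICMP port-unreachable replies that a UDP flood provokes are themselves outbound bandwidth, so rate-limiting them is part of the mitigation. On the reflector side, the attack only works because the NTP server answers monlist to anyone and the attacker can spoof the victim’s address: disabling the monitor facility (disable monitor, or restrict default noquery in ntp.conf) removes the amplifier, and source-address validation at the network edge (BCP 38) removes the spoofing.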

HTTP Flood

In an HTTP flood DDoS attack, the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to every single request.
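Because HTTP flood requests are well-formed, the first place they show up is the access log, as an abnormal request rate per client concentrated on expensive endpoints. The following is an added example (not code from the original page or from any product) that parses constructed lines in the Apache/nginx combined log format and computes each client’s peak request count over a sliding window; the window, threshold and log contents are assumed values.

```python
# Added example, not from the original page: per-client peak request rate
# over a sliding window, computed from web-server access-log lines in the
# Apache/nginx "combined" format. The log lines are constructed here; the
# window and threshold are assumed values to tune per site.

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def parse_line(line):
    """Return (ip, epoch_seconds, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m["path"].split("?", 1)[0]        # drop the query string
    return m["ip"], ts, m["method"], path


def peak_in_window(times, window_s):
    """Largest number of events falling inside any window_s-second span."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def flag_floods(lines, window_s=10, max_requests=60):
    """Map client IP -> details for every client whose peak rate exceeds the limit."""
    times, paths = defaultdict(list), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _, path = rec
        times[ip].append(ts)
        paths[ip][path] += 1
    flagged = {}
    for ip, ts_list in times.items():
        peak = peak_in_window(ts_list, window_s)
        if peak > max_requests:
            top_path, hits = paths[ip].most_common(1)[0]
            flagged[ip] = {"peak": peak, "top_path": top_path,
                           "top_path_share": hits / len(ts_list)}
    return flagged


def make_sample_log():
    """Constructed log: one reader browsing normally, one source hammering
    a search endpoint at about 15 requests per second."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def fmt(ip, when, method, path):
        return (f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
                f'200 512 "-" "Mozilla/5.0"')

    lines = [fmt("198.51.100.20", base + timedelta(seconds=5 * k), "GET", f"/article/{k}")
             for k in range(12)]
    lines += [fmt("203.0.113.9", base + timedelta(milliseconds=66 * k), "POST", f"/search?q={k}")
              for k in range(150)]
    return lines


if __name__ == "__main__":
    for ip, info in flag_floods(make_sample_log()).items():
        print(ip, info)
```

The caveat is that a distributed flood spreads its requests across enough sources to stay under any per-IP threshold, so the same counters should also be kept per path and per network (ASN), and suspicious clients challenged rather than blocked outright, which is the JS and cookie challenge approach described later on this page. At the edge, nginx’s limit_req_zone implements the per-client rate limit directly.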

Imperva mitigates a massive HTTP flood: 690,000,000 DDoS requests from 180,000 botnet IPs.

Zero-day DDoS Attacks

The “Zero-day” definition encompasses all unknown or new attacks, exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading zero-day vulnerabilities has become a popular activity.

Motivation behind DDoS attacks

DDoS attacks are quickly becoming the most prevalent type of cyber threat, growing rapidly in the past year in both number and volume according to recent market research. The trend is towards shorter attack duration, but bigger packet-per-second attack volume.

Attackers are primarily motivated by:

  • Ideology – So called “hacktivists” use DDoS attacks as a means of targeting websites they disagree with ideologically.
  • Business feuds – Businesses can use DDoS attacks to strategically take down competitor websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
  • Boredom – Cyber vandals, a.k.a. “script kiddies”, use prewritten scripts to launch DDoS attacks. The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline rush.
  • Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks, as a means of extorting money from their targets.
  • Cyber warfare – Government-authorized DDoS attacks can be used to cripple both opposition websites and an enemy country’s infrastructure.

LOIC (Low Orbit Ion Cannon): an “entry-level” DoS attack tool used for cyber vandalism

Imperva solutions mitigate DDoS damage

Imperva seamlessly and comprehensively protects websites against all three types of DDoS attacks, addressing each with a unique toolset and defense strategy:

Volume Based Attacks
Imperva counters these attacks by absorbing them with a global network of scrubbing centers that scale, on demand, to counter multi-gigabit-per-second DDoS attacks.

Protocol Attacks
Imperva mitigates this type of attack by blocking “bad” traffic before it even reaches the site, leveraging visitor identification technology that differentiates between legitimate website visitors (humans, search engines etc.) and automated or malicious clients.

Application Layer Attacks
Imperva mitigates Application Layer attacks by monitoring visitor behavior, blocking known bad bots, and challenging suspicious or unrecognized entities with JS test, Cookie challenge, and even CAPTCHAs.

Imperva mitigates a 250 Gbps DDoS attack, one of the Internet’s largest.

In all these scenarios, Imperva applies its DDoS protection solutions outside of your network, meaning that only filtered traffic reaches your hosts. Moreover, Imperva maintains an extensive DDoS threat knowledge base, which includes new and emerging attack methods. This constantly-updated information is aggregated across our entire network – identifying new threats as they emerge, detecting known malicious users, and applying remedies in real-time across all Imperva-protected websites.