In September 2021, Russian tech giant Yandex reported that its servers had been hit with the internet’s largest-ever flood of junk traffic—a DDoS attack of nearly 22 million requests per second. It was meant to overwhelm and take down its systems. Yandex, thankfully, was able to repel the attack, but the incident proved to its experts—and to internet users around the world—the scale of what is now possible.
Although not all DDoS attacks are as large as the strike on Yandex, they’re increasingly common, and a key concern for internet security experts. Netscout reports a record-breaking 5.4 million attacks in the first half of 2021—an 11 percent increase year over year—while hundreds of thousands of others go undocumented.
What is a DDoS attack?
A distributed denial of service (DDoS) attack is a malicious attempt to take down a target server, application, or website by directing a barrage of unwanted internet traffic to it in order to overwhelm its server resources and thwart its online operations—to force what’s called a denial of service. Think of this type of attack as a road traffic jam, where a flood of out-of-town vehicles suddenly brings your local freeway to a standstill, disrupting your commute, perhaps preventing you from getting to your destination altogether.
Similar to a highway, which can only handle so many cars, network resources—like routers, switches, and web servers—can only service a certain number of requests at a time, and their connection channels to the web have a limited capacity, i.e. limited bandwidth. A DDoS attack takes advantage of these limits by sending more connection requests than a network can handle. Because of the overload, network response slows—or, in some cases, requests are outright denied—impairing, or halting, the website’s functions.
How do DDoS attacks work?
To create the surplus of internet traffic involved in a DDoS attack, attackers use a network of compromised devices, called a botnet.
An attack starts with a single device: An attacker exploits a vulnerability in a computer system to infect it with malware, malicious software designed to harm or exploit a programmable device, often by taking partial control of its operations. The attacker, known as the botmaster or bot herder, then uses each compromised device, called a bot, to find and infect other vulnerable devices, whether by scanning the internet for exposed services or by spreading the malware through emails, websites, and social media. This eventually creates a botnet, a group of infected computers, smartphones and other internet-of-things (IoT) devices working together under the attacker's control.
Attackers can then remotely command the botnet to send a glut of requests to a victim’s server. Sound like a scene from a zombie movie? The concept is similar—which is why botnets are commonly referred to as zombie networks, or zombie armies. These armies are sometimes millions of devices strong, and because each bot in a botnet is a normal internet device, differentiating normal traffic from threatening traffic can be tricky.
Police investigations and other countermeasures help thwart attacks, but recent developments are also making DDoS attacks more sophisticated and harder to detect. To exact maximum damage, attackers combine DDoS with other cyber attacks and malware, including ransomware. Worse, artificial intelligence (AI) and machine learning have entered the attacker's toolbox: botnet operators apply machine learning to network reconnaissance, and use it to reconfigure an attack on the fly, changing its pattern to avoid detection.
Types of DDoS attacks
DDoS attacks can be split into categories, with different types of attacks targeting different parts of a network connection. Here are the three main kinds, as well as DDoS attack examples:
Application layer attacks
Application layer attacks, also called Layer 7 attacks after the 7th layer of the OSI model, are the most common type of DDoS attack. They target the application itself, i.e. the software that provides a service, such as a web application or a cloud service, and aim to exhaust the part of the server that generates and delivers web pages. Each request is cheap for the attacker to send but can be expensive for the server to answer (a search query, a login check, a dynamically rendered page), and because every request is a syntactically valid one, these attacks are difficult to defend against even at a low request rate.
An HTTP flood is an application layer attack. Using a botnet, an attacker makes a large number of HTTP GET or POST requests to flood a server, as if someone were continuously refreshing a website from many, many devices at the same time.
Protocol attacks
Protocol attacks, also called state-exhaustion attacks, are the second most common kind of DDoS attack. They cause a denial of service by exhausting connection-state tables and other critical resources, either on the server itself (its operating system's network stack) or on the network devices in front of it, such as firewalls and load balancers, rather than by saturating bandwidth.
A SYN flood attack, also known as a half-open attack, is a type of protocol attack. It exploits the three-way handshake by which two devices open a TCP connection: the client sends a SYN, the server replies with a SYN-ACK and sets aside state for the pending connection, and the client completes the handshake with an ACK. A SYN flood swamps a server with SYN packets, often from spoofed source addresses, and never sends the final ACK, so each request stays 'half-open' in the server's backlog until it times out. Once the backlog is full, new SYNs are dropped, including those from legitimate clients, which are crowded out of the queue.
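The following is an added illustration, not code from the original article. It models only the state a server must keep per half-open connection (nothing is sent on the wire) and replays a burst of spoofed SYNs that never complete, followed by one legitimate client. It also shows SYN cookies, a standard defense the article does not mention, in which the server encodes the pending connection in the sequence number of its SYN-ACK instead of storing it. The backlog size, timeout, addresses and the simplified cookie scheme are assumptions chosen for the example.

```python
"""Simplified model of a TCP listener's SYN backlog under a SYN flood.

Added illustration, not code from the original article. Only the state a
server keeps for half-open connections is modelled; nothing is sent on the
wire. Backlog size, timeout, client addresses and the cookie scheme are
simplifications chosen for the example.
"""
import hashlib
import hmac
import os
import random


class Listener:
    """A listening socket that must remember each half-open connection."""

    def __init__(self, backlog=128, syn_timeout=60.0, syn_cookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syn_cookies = syn_cookies
        self.secret = os.urandom(16)      # key for the cookie MAC
        self.half_open = {}               # (ip, port) -> (isn, arrival time)
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, now):
        # Encode the state as a MAC over (source, coarse time) instead of
        # storing it; a real stack also folds in the MSS and server address.
        msg = f"{src[0]}:{src[1]}:{int(now) // 60}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def _expire(self, now):
        # Reap half-open entries whose SYN-ACK was never acknowledged.
        stale = [k for k, (_, t) in self.half_open.items()
                 if now - t > self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, now):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, now)        # nothing is stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1               # backlog full: SYN is lost
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = (isn, now)
        return isn

    def on_ack(self, src, ack_num, now):
        """Handle the handshake's final ACK; return True if established."""
        if self.syn_cookies:
            # Accept cookies from the current and the previous 60 s slot.
            ok = ack_num - 1 in (self._cookie(src, now), self._cookie(src, now - 60))
        else:
            entry = self.half_open.pop(src, None)
            ok = entry is not None and entry[0] + 1 == ack_num
        if ok:
            self.established.add(src)
        return ok


def run_flood(syn_cookies, attack_syns=1000, backlog=128):
    """Replay spoofed SYNs that never complete, then one legitimate client.

    Returns (legit_client_connected, half_open_left, dropped_syns).
    """
    srv = Listener(backlog=backlog, syn_timeout=60.0, syn_cookies=syn_cookies)
    # Spoofed sources (constructed addresses) send SYNs 10 ms apart and never
    # answer the SYN-ACK, so each one pins a backlog slot until it times out.
    for i in range(attack_syns):
        srv.on_syn((f"198.51.100.{i % 250}", 1024 + i), now=i * 0.01)
    # A real client arrives one second after the burst, well inside the timeout.
    t = attack_syns * 0.01 + 1.0
    client = ("192.0.2.10", 40000)
    isn = srv.on_syn(client, now=t)
    connected = isn is not None and srv.on_ack(client, isn + 1, now=t + 0.05)
    return connected, len(srv.half_open), srv.dropped_syns


if __name__ == "__main__":
    print("plain backlog :", run_flood(syn_cookies=False))
    print("SYN cookies   :", run_flood(syn_cookies=True))
```

With a plain backlog of 128, the thousand spoofed SYNs fill it and the legitimate client's SYN is dropped; with cookies the server keeps no per-SYN state, so the flood costs it only the SYN-ACKs it sends and the real client connects. The model ignores the bandwidth the SYN-ACKs consume, which is why cookies alone do not help against a flood large enough to saturate the link.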
Volumetric attacks
The goal of volumetric attacks is to cause congestion by consuming all available bandwidth within the target network, or between the network and the rest of the internet. To do so, large amounts of data are sent to the victim, either directly from a botnet or through reflection and amplification, in which small requests carrying a forged source address are sent to third-party servers that answer with much larger responses.
A DNS amplification attack, for instance, is a kind of volumetric attack: the attacker sends many small DNS queries to open DNS resolvers with the source address forged to be the victim's IP address. Each resolver sends its much larger response to the victim rather than to the attacker, so a modest amount of attacker bandwidth becomes an overwhelming, simultaneous flood at the victim's address.
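To make the size difference concrete, the following added example (not code from the original article) encodes a DNS query and a matching answer by hand in the RFC 1035 wire format and compares their lengths. The query carries an EDNS0 OPT record advertising a large UDP payload size, which is what lets a resolver return an answer far above the classic 512-byte UDP limit. The zone name, the TXT record contents and the resolver itself are constructed for the example; nothing is sent on the network.

```python
"""Why DNS reflection amplifies: a spoofed query is tiny, the answer is not.

Added illustration, not code from the original article. A query and a
response are encoded by hand (RFC 1035 wire format, plus an EDNS0 OPT record
per RFC 6891) and their sizes compared. Domain, record contents and the
'open resolver' are constructed; nothing is sent on the network.
"""
import struct


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, edns_udp_size=4096, txid=0x1234):
    """Build a DNS query (RD=1) with an OPT record advertising a large UDP size."""
    # Header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def build_txt_response(query, txt_strings, ttl=300):
    """Answer a query with one TXT record per string, using name compression."""
    txid, = struct.unpack("!H", query[:2])
    # Copy the question section: QNAME ends at the first zero byte after the header.
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    answers = b""
    for s in txt_strings:
        data = s.encode("ascii")
        rdata = b""
        # TXT rdata is a sequence of <length byte><up to 255 bytes> chunks.
        for i in range(0, len(data), 255):
            chunk = data[i:i + 255]
            rdata += bytes([len(chunk)]) + chunk
        # 0xC00C is a compression pointer to offset 12, the question's QNAME.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    # Flags 0x8180: QR=1, RD=1, RA=1. The OPT record is omitted to keep it short.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    return header + question + answers


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends (UDP payload only)."""
    return len(response) / len(query)


def demo():
    """Constructed zone with a few long TXT records, the kind abusers plant or find."""
    query = build_query("big-records.example", qtype=16)          # TXT
    records = ["v=spf1 " + "ip4:203.0.113.0/24 " * 12 + "-all"] + ["x" * 250] * 8
    response = build_txt_response(query, records)
    return len(query), len(response), amplification_factor(query, response)


if __name__ == "__main__":
    q, r, factor = demo()
    print(f"query {q} bytes -> response {r} bytes, amplification x{factor:.1f}")
```

The 48-byte query elicits a response of just under 2.4 KB, an amplification of roughly fifty times before IP and UDP headers are counted. Because UDP carries no handshake, the resolver has no way to know that the source address was forged, which is why open resolvers and the EDNS0 size hint are the two ingredients of this attack.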
Most common targets for DDoS attacks
DDoS attacks are usually carried out by groups, and tend to target high-profile servers. In many cases, attacks are attempts to discredit or incapacitate a target’s normal functioning, sometimes for significant periods. Perpetrators sometimes demand a payment to put a stop to an attack. Often, attackers target:
Unfortunately, even if you run a small, independent site you aren’t immune to DDoS attacks. Smaller sites are particularly at risk because it only takes a relatively small amount of traffic to take them offline, and those operating them typically lack the resources to defend themselves.
How can you recognize a DDoS attack?
Pattern recognition goes a long way when trying to differentiate between legitimate traffic and a DDoS attack. Look for the following warning signs, and if you can, use traffic analytics tools:
- Unusually slow network performance when opening files or accessing websites, and/or a long-term loss of connection or web access.
- Reports or logs showing an abnormal spike in traffic, notably from a single device type, geolocation, or web browser version.
- Suspicious amounts of traffic within a short period or at odd hours of the day, especially from a specific IP address or IP range, or to a single website or endpoint.
- Customers reporting slow or unavailable service, or employees experiencing similar issues.
- An unavailable website or a 503 Service Unavailable error, despite no maintenance being performed.
- A large uptick in spam emails.
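Several of these signs, and the HTTP flood described under application layer attacks, can be checked mechanically against a web server's access log. The following is an added example, not code from the original article: it parses lines in the common combined log format, groups them by minute, and flags a minute whose request rate jumps far above a baseline, whose traffic is concentrated in one address range or one User-Agent, or in which 503 responses become frequent. The log lines are constructed inline and the thresholds are assumptions that a team would tune against its own traffic.

```python
"""Spotting an HTTP flood in web-server logs: a request-rate spike, traffic
concentrated in one address range or one User-Agent, and a rise in 503s.

Added illustration, not code from the original article. The log lines are
constructed here in NGINX/Apache combined format, and the thresholds are
assumptions that a team would tune against its own traffic baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "minute": ts.replace(second=0),
            "status": int(m["status"]), "ua": m["ua"]}


def prefix24(ip):
    """Collapse an IPv4 address to its /24 so a botnet subnet shows as one source."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def analyze(lines, baseline_rpm, spike_factor=5.0, share=0.7, error_share=0.2):
    """Return [(minute, [(reason, detail), ...])] for minutes that look like a flood.

    Concentration and error checks only run once the minute carries at least
    twice the baseline, so a quiet minute with two hits from one client is ignored.
    """
    by_minute = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_minute[rec["minute"]].append(rec)

    alerts = []
    for minute in sorted(by_minute):
        recs = by_minute[minute]
        n = len(recs)
        reasons = []
        if n >= spike_factor * baseline_rpm:
            reasons.append(("rate", n))
        if n >= 2 * baseline_rpm:
            net, c = Counter(prefix24(r["ip"]) for r in recs).most_common(1)[0]
            if c / n >= share:
                reasons.append(("prefix", net))
            ua, c = Counter(r["ua"] for r in recs).most_common(1)[0]
            if c / n >= share:
                reasons.append(("ua", ua))
            errors = sum(r["status"] == 503 for r in recs)
            if errors / n >= error_share:
                reasons.append(("errors", errors))
        if reasons:
            alerts.append((minute, reasons))
    return alerts


def make_sample_log():
    """Constructed sample: one normal minute, then a minute with an HTTP flood."""
    browsers = ["Mozilla/5.0 (Windows NT 10.0) Firefox/92.0",
                "Mozilla/5.0 (Macintosh) Safari/605.1.15",
                "Mozilla/5.0 (X11; Linux) Chrome/93.0"]
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = []
    for minute in ("10:00", "10:01"):
        for i in range(12):   # ordinary visitors from varied addresses
            lines.append(fmt.format(ip=f"192.0.2.{i + 1}",
                                    ts=f"14/Sep/2021:{minute}:{i:02d} +0000",
                                    path="/", status=200, ua=browsers[i % 3]))
    for i in range(180):      # flood: one /24, one script UA, server starts failing
        lines.append(fmt.format(ip=f"198.51.100.{i % 30 + 1}",
                                ts=f"14/Sep/2021:10:01:{i % 60:02d} +0000",
                                path=f"/search?q={i}",
                                status=200 if i < 120 else 503,
                                ua="python-requests/2.25.1"))
    return lines


if __name__ == "__main__":
    for minute, reasons in analyze(make_sample_log(), baseline_rpm=12):
        print(minute.strftime("%H:%M"), reasons)
```

In the sample, no single bot exceeds three percent of the flood minute's requests, so a per-address count alone would miss it; aggregating by /24 and by User-Agent is what makes the concentration visible, which matches the advice above to look at IP ranges and browser versions rather than individual clients.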
4 possible solutions for DDoS attacks
Mitigation strategies work best when used together. Here are a few ways to ward off DDoS attacks:
- A blackhole route, sometimes called a null route, tells routers to discard all traffic destined for the attacked address, dropping it from the network before it reaches the target, where it can't do any harm. Operators often ask their upstream provider to install the route so the flood never crosses their own links. The catch is that the route cannot tell good traffic from bad: every packet to that address, legitimate requests included, goes into the blackhole, rendering the site inaccessible to ordinary users and ultimately giving the attacker what they want. It is a last resort that protects the rest of the network rather than a way to keep the target online.
- Rate limiting restricts the number of requests a server will accept from a given client within a specified period, stopping floods of traffic at the gate, so to speak. The server tracks where requests are coming from and how closely they follow one another, and if a client exceeds its allowed rate, further requests are delayed or rejected until the allowance refills. Alone, this method is likely insufficient for handling complex DDoS attacks: a botnet can keep each bot under the limit while the total still overwhelms the server, and limits keyed on source address are blunted by spoofing or by many users arriving through one shared proxy.
- A web application firewall (WAF) can help mitigate application layer attacks. These firewalls monitor traffic and, using a set of rules, filter requests to identify threatening signs. In other words, a WAF sits between the internet and the web application server to protect you from malicious traffic. These firewalls are commonly included with cloud-based services, and are most effective when used in conjunction with other measures.
- An Anycast network mitigates DDoS attacks by scattering traffic across a network of distributed data centers and servers, allowing a distributed remote network to absorb and process the inundation. An Anycast network diffuses a DDoS attack's capabilities. This works because servers in multiple locations announce the same destination IP address, so each client's traffic, the attacker's bots included, is routed to the nearest site and the flood is split among them instead of landing on one.
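The rate limiting described above, as an added example that is not code from the original article: a per-client token bucket that lets each source burst briefly and then sustain a fixed rate, with the per-source state kept in a bounded table so that the limiter itself cannot be exhausted by a flood of new addresses. The simulation at the end also demonstrates the weakness the text notes, that many bots each staying under the limit still add up to a flood. Rates, burst size, table size and client addresses are assumptions for the example.

```python
"""Per-client token-bucket rate limiting, and why it is not a complete defence.

Added illustration, not code from the original article. The limiter keys on
the client IP; the rates, burst size, table size and client addresses are
assumptions for the example.
"""
from collections import OrderedDict


class TokenBucket:
    """A client may burst up to `capacity` requests, then sustain `rate` per second."""

    def __init__(self, rate, capacity, now):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the bucket size.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Decide per request whether to serve it (200) or reject it (429)."""

    def __init__(self, rate=5.0, capacity=20, max_clients=100_000):
        self.rate, self.capacity, self.max_clients = rate, capacity, max_clients
        self.buckets = OrderedDict()          # client ip -> bucket, LRU order

    def check(self, client_ip, now):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            # Per-source state is itself a finite resource; bound it and evict
            # the least recently seen client rather than growing without limit.
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)
            bucket = TokenBucket(self.rate, self.capacity, now)
        self.buckets[client_ip] = bucket
        self.buckets.move_to_end(client_ip)
        return 200 if bucket.allow(now) else 429


def simulate(n_clients, requests_per_client, seconds, limiter=None):
    """Spread each client's requests evenly over `seconds`; return (served, rejected)."""
    limiter = limiter or RateLimiter()
    served = rejected = 0
    for k in range(requests_per_client):
        now = seconds * k / requests_per_client
        for c in range(n_clients):
            ip = f"10.{(c >> 16) & 255}.{(c >> 8) & 255}.{c & 255}"   # constructed
            if limiter.check(ip, now) == 200:
                served += 1
            else:
                rejected += 1
    return served, rejected


if __name__ == "__main__":
    # One client hammering at 60 req/s is cut back to roughly burst + rate * time.
    print("single aggressive client:", simulate(1, 600, 10))
    # 100 bots at 4 req/s each stay under the per-client limit, yet the server
    # still absorbs 400 req/s: the limit must be paired with other measures.
    print("100 clients under the limit:", simulate(100, 40, 10))
```

A single client sending 600 requests in ten seconds gets about 70 through (the 20-request burst plus 5 per second); a hundred clients sending 4 per second each get all 4,000 through, because no individual bucket ever empties. That second result is the reason rate limiting is paired with a WAF, anycast capacity and upstream filtering rather than relied on alone.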
Ready to protect yourself from online scammers and advertisers? Neeva is the world’s first private, ad-free search engine, committed to showing you the best results for every search. We will never sell or share your data with anyone, especially advertisers. Try Neeva for yourself, at neeva.com.