The usual purpose of cybercrime is either to make money or defame a business; none is acceptable. But DDoS attacks are often executed to make a statement, harm a competitor, or in some cases, shut down operations while installing malware or ransomware.
The number of DDoS attacks is on the rise lately; thus, companies must educate their employees to identify and prevent them. DDoS attackers usually target servers, websites, and other network resources of reputed public and private organizations.
So, keep reading to understand how a DDoS and DDos botnet attack works, the tools used, industries targeted, attack duration, and attack types.You’ll also learn how to spot DDoS attacks, best response practices, and infamous incidents.
Ready to dive in? Let’s get started.
What is a DDoS Attack?
Knowing what a DDoS attack is means you can prevent it using the right security practices. In a DDoS or Distributed Denial-of-Service attack, threat actors overwhelm a server with fake traffic causing it to shut down. A server is flooded using several compromised systems as a traffic source to prevent users from visiting the website or using the online service.
In February 2021, attackers disrupted the operation of the UK’s crypto exchange EXMO for almost five hours by attempting a DDoS attack. The officials shared that their volume fell by 4.9% post the incident. Statistics like this make it even more crucial for businesses to educate their employees about what a DDoS attack is and how it works.
How Does a DDoS Attack Work?
DDoS attacks are attempted by exploiting networks of devices (like computers and IoT devices) with active internet connections. They’re infected with malware like viruses and Trojans to help hackers gain remote access. These contaminated devices are called bots, and a cluster of bots is called botnets.
The primary motive is to install a foothold of a botnet so that attackers can send instructions to each bot to commit different types of DDoS attacks. Once established, hackers instruct botnets to flood the targeted server with malicious traffic and clog its functioning, causing it to shut down.
A DDoS attack is successful because bots are legitimate devices, and it’s challenging to filter them from normal traffic.
DDoS vs. DoS Attacks: What’s the Difference?
People often use the terms DDoS or DoS attacks interchangeably, however they aren’t the same. A DDoS attack is a subcategory of a DoS attack (Denial-of-Service).
In the ‘what is a DDoS attack’ section, we’ve already discussed how cyberactors use multiple infected devices or botnets to hit a server in a DDoS attack. However, in a DoS attack, only a single machine is used to overwhelm traffic with fake requests or misuse a system vulnerability. Generally, the aim is to exhaust server resources like RAM and CPU.
They also differ in the manner of execution as a DoS attack is performed using homebrewed scripts or DoS tools while a DDoS attack is attempted using botnets.
What’s The Motivation Behind DDoS Attacks?
You must know the intent of cyberactors and what motivates DDoS attacks to prevent them in the first place. It’s evident that most DDoS attacks turn into ransomware ploys, where hackers gain access to a network and encrypt data or code files. They demand heavy ransoms in exchange for a decryption key and threaten to erase or modify data if not paid.
However, a DDoS attack can also be launched for political or religious purposes. Hackers might attempt to confuse martial or civilians during political disputes.
DDoS attacks are common in the business world. Rival brands often use tactics to tarnish each other’s public image. Hacktivists use off-the-shelf tools to express their disapproval of almost everything from government decisions to religious beliefs, business announcements, and whatnot.
Tools Used During a DDoS Attack
Cyberactors use various tools during a DDoS attack, including:
- Network devices
- IoT devices
- The exploitation of Legacy Equipment
What Industries Do DDoS Attackers Target?
Now that you know what a DDoS attack is and how it works, it’s time to find out what industries DDoS attacks target the most.
Any organization related to gaming is vulnerable to DDoS attacks by players wanting to get a competitive advantage maliciously. They may also attempt to obtain confidential details about rival players, using them to cause emotional or financial damage. 22% of all gaming attacks between 2020 and 2021 were targeted at the gaming industry.
Software and Technology
Companies involved in SaaS and cloud-based technologies are usually under the radar of DDoS attack experts. Almost 9% of DDoS attacks between 2020 and 2021 were aimed at harming the software and technology industry using DNS and NTP reflection techniques.
Media and Entertainment
Despite a little dip in the numbers of media and entertainment targeted by DDoS attacks, it still remains one of the most vulnerable industries. Such attacks give more visibility to hackers due to media covering campaigns and expanding their reach.
Bad actors have always been eyeing banks, crypto trading platforms, and other financial organizations, thus nearly 6% of all DDoS attacks are aimed at this industry.
In March 2012, a wave of DDoS attacks hit Bank of America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The hacktivist group Izz ad-Din al-Qassam Cyber Fighters allegedly attempted the attack and generated more than 60 GB of traffic per second.
Internet and Telecom
DDoS attacks on the internet and telecom industry are primarily due to business rivalry. use tactics to overwhelm traffic on their competitor’s network, causing it to shut down temporarily. This creates a negative image amongst users persuading them to shift to a different service provider.
How Long Do DDoS Attacks Last?
There isn’t a specific time range for a DDoS attack, as it depends on the objective and technique used. A long-term episode takes a period of hours or days, whereas a short-term DDoS attack only lasts for a few minutes or seconds.
DDoS Attack Types
Different hackers hit different elements of a network according to their objectives. It’s important to know that the International Organization of Standardization creates seven layers in the Open System Interconnection (OSI) model.
It’s basically a framework explaining the networking system’s tasks and responsibilities, allowing various computers to communicate with each other.
So, let’s look at DDoS attack types and methods of execution.
Application Layer Attacks
In an application layer attack, the DDoS perpetrator forces the victim’s server to allow more than the usual traffic. It’s also called a Layer 7 DDoS attack, targeting the seventh layer where HTTP responses occur. The targeted website collapses as a result of too many HTTPS requests.
A protocol attack is a resource-consumption method that occupies the capacity of web servers. It also exposes vulnerabilities in Layer 3 and Layer 4 of the OSI protocol to render the target inaccessible.
Volumetric attack clogs a network by consuming all available bandwidth via extensive requests sent using botnets. Its best example is DNS amplification, where hackers spoof a victim’s address and push a DNS name lookup request. The DNS server’s response is then sent to the target’s server, amplifying the attacker’s initial request.
How to Identify a DDoS Attack?
Let’s focus on learning how to identify a DDoS attack to mitigate the repercussions. It’s difficult to spot a DDoS attack since the symptoms mimic typical occurrences like sluggish performance or a spike in network traffic.
So, unless you receive too many user complaints, you’ll be none the wiser. Nonetheless, here are some indications of a DDoS attack:
- Receiving too many requests from an IP address or IP range.
- Users reporting error 503 indicate a server isn’t ready to handle the request.
- TTL (Time to Live) Times Out. TTL is the time that a packet,or data should exist on a computer or network before being discarded.
DDoS Attack Response Best Practices
Automated resources are the only way to detect such attacks as manually checking logs every hour is cumbersome. Automated solutions allow your security team to monitor all vulnerable fields efficiently. Here are a few more preventive measures:
- Policy creation or alteration: Draft policies and implement penalties for breaching them. If you’re still running on an older policy version, it’s time to revise it.
- Identify critical services: Critical services are those that can disrupt business operations, including databases and websites. Identifying these services can help in making informed response decisions.
- CDN information backup: A CDN or content delivery network is a cluster of geographically distributed servers responsible for increasing the delivery speed of web content. Saving business-critical data and a CDN reduces response and recovery time.
- Multiple ISP connections: Multiple ISPs will keep you prepared if one of them gets overwhelmed with traffic or fails to provide an essential filtering service timeously.
- Server and endpoint backup: Back up server resources, workstations, and other devices for the holistic security of your business data.
- Risk analysis: Create a DDoS preparation scheme to spot vulnerabilities if hackers compromise any resource.
- Identify and assign responsibility: Assign responsibilities for DDoS response during or after an attack.
- Practice: Educate your employees about the ways to prevent and mitigate the risks of a DDoS attack. Regular training sessions can help them gain awareness about how to respond to a real-life attack.
What are DDoS Botnets?
Abotnet refers to a group of computers, mobile devices, or IoT devices infected with malware and hijacked by attackers. The malware lets them remotely access and disrupt computers’ functioning without users’ knowledge and consent.
Botnets help malicious actors attempt DDoS attacks, inject malware, intercept and export crucial data, perform ransomware attacks, spam, etc. They aren’t always visible or traceable, and neither directly impact systems.
How Do Botnet DDoS Attacks Work?
A bot herder or botmaster controls DDoS botnets using intermediate machines called Command and Control or C&C servers. They connect and exchange messages using HTTP websites, IRC protocols, and renowned internet services like Facebook and Instagram. This is called a peer-to-peer or P2P botnet.
As several people can access and control a P2P network, a DDoS attack can originate from anywhere and by anyone. These botnets can be easily purchased at online black markets for as little as $5.
Famous DDoS Botnets
Here are some known DDoS botnets that continue to grow and harm systems:
- Mirai: The Mirai malware targets devices like home routers and smart IP cameras as part of a zombie network of bots used to execute massive DDoS attacks.
- Billgates: A botnet attributed to cyberattacker ChinaZ targeting Windows and Linux systems.
- Nitol: A botnet created by pre-loading malware on PCs built in China with many variants and sharing the same code as other China-based bot networks.
- IMDDOS andAVzhan: IMDDOS is a commercial DDoS attack service for sale on a Chinese-hosted website. AVzhan is a related malware family with similar characteristics
- The Storm Botnet: A massive botnet created in 2007 using the Storm Worm, a trojan virus spread via email. It was observed defending with DDoS counter-attacks
- MrBlack: A botnet spanning 109 countries that targets Linux OS. It expands via Linux Spike trojan malware loaded on home routers (especially those with default login credentials).
- The Cutwail Botnet: A botnet available to rent and use for malicious spam email campaigns. It infects machines running Windows via a trojan called Pushdo. Cutwail is estimated to contain up to 2 million zombie PCs, capable of sending 74 billion spam messages a day.
The Most Notorious DDoS Attacks in History
DDoS attacks are a global threat. Here are the most notorious DDoS attacks reported.
The Google Attack, September 2017
On October 16th, 2020, Google’s Threat Analysis Group updated users about hackers altering their tactics for political reasons. Google also reported that it suffered a record-breaking UD amplification attack using multiple Chinese ISPs. The attack occurred back in September 2017, lasted six months, and hit thousands of Google IP addresses using various networks to spoof 2.5Tbps in traffic.
The Estonia Attack, April 27, 2007
This series of attacks occurred in response to the removal of a Soviet War monument. Attackers used various techniques like ping floods and spam distribution to show disagreement with the Estonian government. It targeted public and private organizations, including parliament, defense ministries, banks, broadcasters, etc.
Konstantin Goloskokov, a commissar of the Nashi pro-Kremlin youth movement in Moldova and Transnistria took responsibility for taking part in the three-week long attacks. One of the members called it a ruthless way to express dissent.
The Mirai IoT Botnet Attacks, 2016
Brian Krebs, a cybersecurity expert, became a victim of a DDoS attack in 2016.. His blog site was attacked by a Mirai botnet comprising 600,000 exploited IoT devices. His blog site has been attacked multiple times in the past, but this had a triple impact due to its unprecedented nature.
The Mirai botnet also hit OVH, the largest hosting provider in Europe. It was targeted towards just one of their users using 145,000 botnets producing requests with a speed of 1.1 terabits per second. The internet performance management company, Dyn, also suffered from the attack, which overwhelmed its major sites like Netflix, PayPal, and Amazon in the process.
The Republic of Georgia, July 20, 2008
Weeks before Russia’s invasion, the Republic of Georgia became the target of a DDoS attack aimed at the Georgian president. Multiple websites were temporarily shut down in an attempt to disrupt communication with Georgian sympathizers.
A successful DDoS attack can jeopardize a business with a lasting impact. Threat actors flood networks, websites, and online services causing them to shut down and become inaccessible. The usual aims are to gain financial profits, extort organizations, make political statements, etc.
Implement mitigation techniques and response best practices to prevent DDoS attacks and recover from them quickly and efficiently.
The post What is a DDoS Attack? appeared first on EasyDMARC.
*** This is a Security Bloggers Network syndicated blog from EasyDMARC authored by EasyDmarc. Read the original post at: https://easydmarc.com/blog/what-is-a-ddos-attack/