In this report, you will find out what DDoS (pronounced “Dee-Doss”) means, how different types of attacks occur, who carries out these attacks, and why. You will also read about DDoS mitigation services, which can help you or your company block DDoS attacks.
What is a DDoS Attack?
When two computers communicate over the internet, they first have to establish a connection. A DoS attack provokes a “denial of service,” which means that a computer trying to make contact can’t get through to the target. It can’t get through because the server that is waiting for connections from the outside world can only process so many requests at once. Servers keep a queue (the listen backlog) to hold pending connection requests until a slot is available; once that queue is full, any further requests are simply dropped.
In order to jam up a server and prevent it from responding to legitimate connection requests, the DoS attacker sends a flood of messages that overwhelms the system. Those messages do not have to be connection requests that could ever be completed: the attacker is not interested in getting into the server, only in preventing everyone else from getting in.
The messages sent to the server do not need to be actionable. SYN and ACK are flags in the TCP handshake that opens every connection: the client sends a SYN, the server answers with a SYN-ACK and reserves a slot in its backlog for the half-open connection, and the client’s ACK completes it. In a SYN flood the attacker sends a stream of SYNs, usually with forged source addresses, and never sends the final ACK, so each reserved slot stays occupied until it times out. While the backlog is full of these half-open entries, the server drops SYNs from legitimate clients.
Hackers send out a stream of hundreds of thousands of these short messages to clog up routers and servers in a DoS attack. A DDoS attack is a “distributed denial of service” attack: the attack traffic is sent from many different sources, located all around the world.
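The backlog exhaustion described above, as an added example that is not part of the original article: a toy TCP listener is flooded with SYNs from forged sources that never complete the handshake, first with a fixed backlog and then with SYN cookies (the standard defence, where the server encodes what it needs in its own sequence number and stores nothing until a valid ACK returns). The backlog size, the addresses, the secret and the simplified cookie scheme are all assumptions.

```python
"""Toy model of a TCP listener under a SYN flood, with and without SYN cookies.
Added example; the backlog size, the addresses and the cookie scheme are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

BACKLOG = 128                           # assumed: half-open slots the listener keeps
SECRET = b"assumed-server-secret"       # assumed: per-server secret used for cookies


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


def syn_cookie(src: str, sport: int) -> int:
    """Initial sequence number derived from the client's address and port, so the
    server can verify a returning ACK without having stored anything (toy SYN
    cookie; real ones also encode a timestamp and the client's MSS)."""
    mac = hmac.new(SECRET, f"{src}:{sport}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Listener:
    def __init__(self, use_cookies: bool):
        self.use_cookies = use_cookies
        self.half_open = {}             # (src, sport) -> our ISN, stateful mode only
        self.established = set()
        self.dropped_syns = 0

    def receive(self, seg: Segment):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if self.use_cookies:
                # Stateless: answer every SYN, remember nothing.
                return Segment("server", 80, "SYN-ACK", seq=syn_cookie(*key), ack=seg.seq + 1)
            if len(self.half_open) >= BACKLOG:
                self.dropped_syns += 1      # backlog full: legitimate SYNs die here
                return None
            isn = 1000 + len(self.half_open)
            self.half_open[key] = isn
            return Segment("server", 80, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK":
            expected = syn_cookie(*key) if self.use_cookies else self.half_open.pop(key, None)
            if expected is not None and seg.ack == expected + 1:
                self.established.add(key)
                return "ESTABLISHED"
        return None


def run_flood(use_cookies: bool, flood_size: int = 10_000) -> dict:
    """Flood the listener with SYNs from spoofed sources that never ACK, then
    check whether one legitimate client can still complete the handshake."""
    listener = Listener(use_cookies)
    for i in range(flood_size):
        listener.receive(Segment(f"198.51.100.{i % 254 + 1}", 1024 + i, "SYN", seq=i))
    synack = listener.receive(Segment("203.0.113.7", 40000, "SYN", seq=77))
    connected = False
    if synack is not None:
        reply = listener.receive(Segment("203.0.113.7", 40000, "ACK", seq=78, ack=synack.seq + 1))
        connected = reply == "ESTABLISHED"
    return {"legit_connected": connected,
            "dropped_syns": listener.dropped_syns,
            "half_open": len(listener.half_open)}


if __name__ == "__main__":
    print("stateful backlog:", run_flood(use_cookies=False))
    print("SYN cookies:    ", run_flood(use_cookies=True))
```

In the stateful run the 128 slots fill with forged entries and every later SYN, including the legitimate one, is dropped; with cookies the listener holds no state, so the flood costs it nothing but bandwidth and the real client connects. The model leaves out the timeout that frees half-open entries after a few seconds; a real flood only has to arrive faster than that timer clears the backlog.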
Fighting a DDoS Attack
The advantage hackers get from a DDoS attack over a plain DoS attack is that the variety of sources makes it harder to fight. The managers of servers can’t just turn the computer off; they need to keep receiving legitimate connection requests, so they have to filter out the attack traffic while accepting everything else.
If a sudden rush of messages turned up in the queue from the same source IP address, the network manager could simply drop those messages. Better still, he could tell the routers that connect to his network not to forward anything from that address. If the malicious messages come from hundreds of thousands of different sources, each sending only occasionally, building a block list of Internet Protocol (IP) addresses is slow and largely futile, and a per-source threshold low enough to catch each bot would also catch ordinary users.
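The limitation just described, shown in code as an added example (not from the original article): the same per-source packet cap is applied to a flood of 10,000 packets from one address and to a flood of 10,000 packets from 10,000 addresses. The per-source limit, the server capacity and the addresses are assumptions.

```python
"""Per-source filtering against a single-source flood and a distributed one.
Added example; the limit, the capacity and the addresses are assumptions."""
from collections import Counter

PER_SOURCE_LIMIT = 100        # assumed policy: packets per window before a source is blocked
SERVER_CAPACITY = 2_000       # assumed: packets per window the origin can actually absorb


def per_source_filter(sources, limit=PER_SOURCE_LIMIT):
    """Count packets per source address and block any source that exceeds the limit.
    Returns (packets_forwarded_to_origin, blocked_sources)."""
    seen = Counter()
    blocked = set()
    forwarded = 0
    for src in sources:
        seen[src] += 1
        if seen[src] > limit:
            blocked.add(src)
            continue
        forwarded += 1
    return forwarded, blocked


def single_source_flood(n):
    """n packets, all from one address."""
    return ["198.51.100.10"] * n


def distributed_flood(n):
    """n packets, each from a different address (one packet per bot)."""
    return [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(n)]


def server_survives(forwarded, capacity=SERVER_CAPACITY):
    """The origin only cares about the aggregate that gets through."""
    return forwarded <= capacity


if __name__ == "__main__":
    for name, flood in (("single source", single_source_flood(10_000)),
                        ("distributed", distributed_flood(10_000))):
        fwd, blocked = per_source_filter(flood)
        print(f"{name}: forwarded {fwd}, blocked {len(blocked)} source(s), "
              f"origin survives: {server_survives(fwd)}")
```

The single-source flood is cut to 100 packets and one blocked address; the distributed flood of identical size passes untouched, because no individual bot ever crosses the threshold. That is why distributed attacks are handled upstream on aggregate volume and traffic shape rather than by address lists at the origin.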
What is a Botnet?
DDoS attacks would be very expensive and difficult to set up, if the hacker had to make arrangements with computer owners all over the world to participate. Unfortunately, the sources of all of these malicious messages are the computers of ordinary people. You may not know it, but your own computer may well be part of a botnet.
A botnet is a group of computers that have a specific piece of malware installed on them. That malware is a small program that waits for instructions from a command-and-control server run by the attacker. When the attacker issues the order, every infected computer (a “bot” or “zombie”) starts sending traffic to the target IP address.
Given that the DDoS attacker doesn’t need a response to her messages, there is no need to put the correct source IP address in the packets that go out in the attack. Faking the source address is called spoofing. It means that even if the attacked computer records the source addresses of the attack traffic, it would just be building up a list of fake addresses. Two caveats apply. Spoofing only works for traffic that needs no reply, such as UDP floods and SYN floods; an attack that must complete a TCP handshake, such as an HTTP flood, has to come from the bots’ real addresses. And networks that drop packets with forged source addresses at their edge (BCP 38 ingress filtering) stop their bots from spoofing at all, although many networks still don’t do this.
There is little point in tracing the computers that send out the DDoS messages and telling their owners to stop. They would take too long to trace, and the owners probably aren’t aware that those messages were sent by their computers. If spoofing occurred, then there is a strong possibility that there is no actual computer at that address, or that the real owner of that address doesn’t have the malware on it that sent the attack. Reflector attacks make matters even worse.
What Are DDoS Reflector Attacks?
Spoofing can be used to refine a DDoS attack even further. The attacker sends out a large number of requests, for example SYN messages, to third-party servers (“reflectors”), with the intention of provoking a reply. However, she puts the IP address of the computer under attack in the source address field of every request. Thus all of the contacted computers reply to the same victim at once, and that computer’s queue gets flooded. In practice the most effective reflectors are UDP services such as DNS and NTP, whose replies are many times larger than the request, so the attack is amplified as well as reflected.
So, if you receive a sudden rush of replies to requests you never sent, you are the victim of a reflection attack. The source addresses you record are those of the reflectors, which are themselves just abused third parties; the attacker’s own address never appeared in any packet, so there is nothing to trace back.
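The reflection mechanism above, as an added example that is not part of the original article: an attacker sends requests to a set of reflectors with the victim’s address forged as the source, each reflector answers the address it was told, and the victim’s view of the traffic is then analysed. The addresses, the request size and the 20x response ratio are constructed; real DNS and NTP amplifiers range from a few times to thousands of times the request size, and a SYN reflector gives roughly 1x.

```python
"""Reflection and amplification: spoofed requests make third parties flood the victim.
Added example; the addresses, sizes and the 20x response ratio are constructed."""
from collections import Counter
from dataclasses import dataclass

ATTACKER = "192.0.2.66"
VICTIM = "203.0.113.10"
REFLECTORS = [f"198.51.100.{i}" for i in range(1, 21)]    # 20 open services (constructed)
REQUEST_SIZE = 60            # bytes per spoofed request (constructed)
RESPONSE_FACTOR = 20         # bytes of reply per byte of request (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int


def reflector_reply(req: Packet) -> Packet:
    """A reflector answers whatever address the request claims to come from."""
    return Packet(src=req.dst, dst=req.src, size=req.size * RESPONSE_FACTOR)


def launch(requests_per_reflector: int = 50):
    """Attacker sends requests with the victim's address forged as the source.
    Returns (bytes the attacker sent, packets that land at the victim)."""
    sent = 0
    victim_inbox = []
    for r in REFLECTORS:
        for _ in range(requests_per_reflector):
            req = Packet(src=VICTIM, dst=r, size=REQUEST_SIZE)   # spoofed: not ATTACKER
            sent += req.size
            victim_inbox.append(reflector_reply(req))
    return sent, victim_inbox


def analyse(sent_bytes: int, inbox) -> dict:
    """What the victim can learn from the traffic it receives."""
    sources = Counter(p.src for p in inbox)
    received = sum(p.size for p in inbox)
    return {
        "amplification": received / sent_bytes,
        "observed_sources": set(sources),
        "attacker_visible": ATTACKER in sources,
        "all_to_victim": all(p.dst == VICTIM for p in inbox),
    }


if __name__ == "__main__":
    sent, inbox = launch()
    print(analyse(sent, inbox))
```

Every packet the victim sees carries a reflector’s genuine address and not the attacker’s, and the victim absorbs twenty times the bandwidth the attacker spent. The two defences that matter here are on the reflectors’ side (not answering the whole internet) and on the attacker’s network (dropping forged sources at the edge); the victim itself can only scrub.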
Paid DDoS Attack Services
You don’t have to assemble a botnet in order to launch a DDoS attack. Hacker services can provide that for you. “Booters” offer DDoS attacks for $5 per hour. The average length of a DDoS attack nowadays is 19 hours. However, these off-the-shelf attack kits usually only run for 20 minutes or an hour, so you may find that you are attacked in waves, with breaks of a few minutes while a new attack pack is run. However, other attack services offer day-long attacks for $50. A typical botnet rental will include a pack of about 10,000 zombie computers. The average website only has the capacity to handle a raised demand of 50 requests per second, so just about everyone is vulnerable to attack.
What is Hybrid Warfare?
Russia is particularly keen on using DDoS attacks as part of its warfare strategy. The nation uses these attacks to cripple infrastructure in a target nation as a prelude to an invasion. On some occasions, the DDoS attack is the invasion – for example if Russia wants to block a specific organization from performing actions that it doesn’t like, if it wants to influence an election, or if it just wants to worry a neighboring government into compliance.
The disruption caused during the Bulgarian local elections in October 2016 is an example of the scale of some of Russia’s DDoS attacks. The electoral commission’s website received 530 million visits in a 10 hour period, even though the nation only has a total population of 7.2 million.
Estonia suffered a month of DDoS attacks, attributed to Russia, on its government, banks and infrastructure in 2007. The invasion of Georgia by Russia in 2008 was preceded by DDoS attacks on government, media and infrastructure, and military and communication networks were overwhelmed for the duration of the takeover of South Ossetia. Rebels in the Donbas region were assisted in their seizure of government and key infrastructure buildings by crippling DDoS attacks on the information networks of those organizations.
Russian DDoS attacks have started to rise again in the Baltic States and in Ukraine. Military analysts read this as an indication that Russia is planning an invasion in those locations, and it is one reason NATO has built up forces there. This time, authorities in the Baltics expect a firestorm of DDoS attacks that would shut down media sites, infrastructure, banks and even small businesses in their countries.
DDoS Mitigation Services
The simplest way to keep your site or business from being overwhelmed by a DDoS attack is to overprovision bandwidth. That only helps against attacks that work by sheer volume, though; a SYN flood that exhausts connection state can succeed using a fraction of your bandwidth. And if you are just running your own site, you stand little chance of fighting off an attack by thousands of computers on your own.
You may be able to get mitigation as an add-on from your Internet Service Provider (ISP). If not, you will need to contract a specialist service yourself. Some ISPs make the situation worse by bailing on you as soon as they detect an attack, because they don’t want to carry the extra traffic: they announce a “null route” (a blackhole) for your address, so that routers upstream discard everything destined for it. That shuts you down completely, attack traffic and legitimate customers alike, and the change takes only a couple of minutes to propagate.
Mitigation services offer a subscription plan. This is a little like an insurance policy, so you pay less per month on the off chance that you might get attacked. If you wait until an attack happens, you can still contact a mitigation service, but emergency response costs a lot more than you would pay over a whole year on a plan.
A mitigation service diverts traffic for your address to its own network. If you control a routable block of addresses (a /24 or larger), it does this with a Border Gateway Protocol (BGP) announcement, the same kind of routing update that routers exchange all the time; otherwise it points your hostname at its own addresses through DNS. Like the null route that your ISP might announce to get you off its books, the diversion takes effect within a few minutes.
You will receive a new origin IP address that the mitigation service acquires for you, and that address has to stay secret. The registration of address blocks is publicly accessible, so the mitigation service won’t put your name on the register for that address. Your ISP should be willing to let you back on its network with this new address, and the mitigation service will set up a tunnel (a GRE tunnel or a Virtual Private Network (VPN)) to carry your legitimate traffic over to it. Secrecy alone is not enough: the origin must also be firewalled to accept traffic only from the mitigation service’s address ranges. If an attacker finds the origin address (through historical DNS records, a mail server header or a forgotten subdomain) and the origin answers directly, the whole scrubbing layer is bypassed.
Essentially, from this point on, the mitigation service is the queue to your server. Customers will have to wait a little longer before your website loads in their browser, but that is better than their connection timing out and giving them a browser message saying that your site is not available.
The mitigation service has a massive infrastructure, which is able to accept a large number of connection requests. It puts those messages through a “scrubber,” which drops suspicious requests. Legitimate requests are forwarded on to your server over the VPN. Some malicious packets may get through, but their danger lies in their quantity, not in their content. Your server should be able to cope with one or two time wasters while continuing to serve your customers.
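A check a practitioner would run once the service is in front of the origin, added here as an example and not taken from the original article: parse the origin’s connection log and flag any connection whose source is outside the mitigation provider’s published ranges, because such a connection means the origin address is known to someone other than the provider. The provider ranges, the log lines and the nftables-style rule text are constructed assumptions; substitute your provider’s real list.

```python
"""Audit an origin server's connection log for traffic that did not come through the
mitigation provider. Added example; the provider ranges and the log are constructed."""
import ipaddress
from collections import Counter

# Assumed provider scrubbing ranges; substitute the list your provider publishes.
PROVIDER_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "2001:db8:1::/48")]

# Constructed connection-log lines: "<timestamp> <source ip> <destination port>"
ORIGIN_LOG = """\
2024-05-01T10:00:01Z 192.0.2.15 443
2024-05-01T10:00:02Z 192.0.2.200 443
2024-05-01T10:00:03Z 198.51.100.23 443
2024-05-01T10:00:03Z 2001:db8:1::9 443
2024-05-01T10:00:04Z 203.0.113.77 443
2024-05-01T10:00:05Z 198.51.100.23 80
"""


def via_provider(ip: str) -> bool:
    """True if the source address lies inside one of the provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def audit(log: str) -> dict:
    """Count connections that bypassed the provider. A non-zero count means the
    origin address is known outside the provider and the origin is answering directly."""
    direct = Counter()
    total = 0
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, _port = line.split()
        total += 1
        if not via_provider(src):
            direct[src] += 1
    return {"total": total, "direct": dict(direct), "origin_leaked": bool(direct)}


def allowlist_rules(ranges=PROVIDER_RANGES, ports=(80, 443)):
    """Firewall rules in nftables style (illustration, assumed syntax) that accept the
    service ports only from the provider ranges and drop every other source."""
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = []
    for net in ranges:
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"{family} saddr {net} tcp dport {port_set} accept")
    rules.append(f"tcp dport {port_set} drop")
    return rules


if __name__ == "__main__":
    print(audit(ORIGIN_LOG))
    print("\n".join(allowlist_rules()))
```

Two direct hits in the constructed log are enough to conclude the origin has leaked. The rules close the bypass for the future, but once an address is known the safer fix is to rotate the origin to a fresh address and keep the allowlist in place from the start.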
DDoS Attacks on Individuals
Although it may seem difficult to comprehend, one of the rising sectors of DDoS targets is private individuals. Jealousy and rivalry in love may be some motivators behind these attacks, but there is one specific group of people who are routinely attacked – gamers.
According to a 2016 report by DDoS mitigation company, Akamai, 57% of all DDoS attacks are aimed at gaming sites. The vicious competitiveness of some players drives them to crash a game when they are losing, rather than let a rival win. Star players are also targeted and bitter rivals have managed to discover the IP addresses of those frequent winners and direct attacks at their consoles. A well-timed lock out of the leading player gives a second-placed attacker a chance to be number one.
IP discovery seems to be possible through weak game admin security, and also by cross-referencing Skype addresses or processing social media mentions. DDoS mitigation services aim their protection packages at businesses. So, what help is there for individuals who need protection from DDoS attacks?
VPNs with DDoS Protection
VPNs can help an attacked individual, and some offer specialist DDoS protection servers. Even a regular VPN service helps, because all of your traffic passes through the VPN server: the address other players see is the server’s, so an attack lands on the provider’s infrastructure rather than on your home connection, and unsolicited packets such as SYNs aimed at that address are never forwarded to your computer. If attackers discover the address you are using, you just disconnect and reconnect to be assigned a new one.
Timed attacks in the middle of an online battle, however, can’t be resolved by switching addresses. At the peak of a game, every second counts and the delay involved in re-establishing a connection to the server can lose you the winning medal. Therefore, it is important to look out for VPNs that specifically offer DDoS protection. Often this is a paid add-on to the standard service. However, if you are a prime target for DDoS attacks, it is worth paying out a little extra money.
DDoS Mitigation: Conclusion
DDoS attacks are on the rise because it has become absurdly easy for anyone to order one through the web – it’s as easy as signing up for Netflix. Fortunately, contracting in a DDoS mitigation service can be performed just as easily online.
Luck favors the prepared and, if you subscribe to a mitigation service, you are less likely to experience any outages. A long-term contract is also a lot less expensive than the cost of emergency defense.
For those who live in countries that are under threat, such as South Korea or any nation that used to be part of the Russian Empire, it is your patriotic duty to run a malware cleaning program and make sure you are not unknowingly contributing to a botnet. For everyone else in the world, it also makes sense to keep your computer malware free.
Individuals need to be aware that anyone they annoy can now order a DDoS attack in revenge. Gamers particularly need DDoS protection. Individuals don’t need to go to the expense of hiring a specialist DDoS mitigation service, because a VPN with DDoS protection will do the job for their own connection. A small business that hosts a public-facing website is in a different position: the site’s address must stay reachable, so the traffic to it has to be scrubbed in front of the site, which is what a mitigation service (or a hosting provider that bundles one) does.