The IT industry has recently seen a steady increase in distributed denial of service (DDoS) attacks. Years ago, DDoS attacks were perceived as minor nuisances perpetrated by novice attackers who did it for fun and it was relatively easy to mitigate them. Unfortunately, that situation is no more. DDoS attacks are now a sophisticated activity, and in many cases, big business.
InfoSecurity Magazine reported 2.9 million DDoS attacks in Q1 of 2021, an increase of 31% over the same period in 2020.
In recent years, we have seen an exponential increase in DDoS attacks that have incapacitated businesses for significant amounts of time.
- In February of 2020, Amazon Web Services (AWS) suffered a DDoS attack sophisticated enough to keep its incident response teams occupied for several days also affecting customers worldwide.
- In February of 2021, the EXMO Cryptocurrency exchange fell victim to a DDoS attack that rendered the organization inoperable for almost five hours.
- Recently, Australia experienced a significant, sustained, state-sponsored DDoS attack.
- Belgium also became a victim of a DDoS attack that targeted the country’s parliament, police services, and universities.
Hundreds of thousands of unnamed, undocumented, yet successful DDoS attacks continue daily. It is these attacks that are the most effective and costly. The DDoS upward trend promises to continue, putting IT pros with mitigation skills in high demand.
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
How does it work?
Sophisticated DDoS attacks don’t necessarily have to take advantage of default settings or open relays. They exploit normal behavior and take advantage of how the protocols that run on today’s devices were designed to run in the first place. In the same way that a social engineer manipulates the default workings of human communication, a DDoS attacker manipulates the normal workings of the network services we all rely upon and trust.
When a DDoS attack takes place, the targeted organization experiences a crippling interruption in one or more of its services because the attack has flooded its resources with HTTP requests and traffic, denying access to legitimate users. DDoS attacks are ranked as one of the top four cybersecurity threats of our time, amongst social engineering, ransomware, and supply chain attacks.
How to identify a DDoS attack
The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But since several causes — such as a legitimate spike in traffic — can create similar performance issues, further investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS attack:
- Suspicious amounts of traffic originating from a single IP address or IP range
- A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version
- An unexplained surge in requests to a single page or endpoint
- Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes)
- There are other, more specific signs of DDoS attacks that can vary depending on the type of attack.
The most common type of DDoS attack
Distributed attacks are a category of DDoS attacks, but their popularity means there is a wide variety of types of attacks. It’s only gotten worse now that DDoS attacks are monetized as an affordable service for hire.
Here are the main three categories:
Also known as flood attacks, volumetric attacks are the classic DDoS attack. Many other types of attacks share some characteristics, but a volumetric attack’s core features are distributed origins and torrents of illegitimate traffic. This prevents visitors from navigating your website or using web resources.
Protocol attacks are a bit more sophisticated. They target particular network layers, disrupting operations by interfering with server operations. In particular, protocol attacks interfere with layer 3 and 4 communications, which are related to critical features like your firewall and security. SYN flood attacks are an example of a protocol attack.
Also known as application-layer attacks, application attacks are the most complex and often the most dangerous. They consume memory and disk space by triggering and closing a variety of processes, making it virtually impossible for legitimate users to interact with the affected application. A prominent example is the HTTP flood, which effectively masks most of its activity.
How to fix a DDoS attack
If you’re knowledgeable about servers and software, or if you have an IT team who is, there are several DIY approaches to managing DDoS attacks. Rate limiting is a popular method that automatically handles low-level attacks by capping how often the attacker can repeat certain actions. And since DDoS attacks are persistent, the difference between legitimate and illegitimate traffic is easy to spot.
For those who don’t know how to manage or limit network traffic, there are some good (and straightforward) rules of thumb to follow.
Contact your ISP or digital security provider
Contact your ISP or third-party security partner first. If you can access external security support, chances are they can solve your problem quickly. If you don’t have security support, you can still contact your ISP for immediate help.
Your options will vary based on your provider, but most offer support features to handle the growing scale of DDoS attacks.
Notify staff or employees
During an attack, you may be tempted to try and get a grip on things before sounding the alarm. However, this risks delaying a solution and interfering with workflow, because more than one person may end up troubleshooting the same problems – or even the wrong problems. That’s why you should notify IT and any other potentially affected employees as soon as possible.
Manage security software and settings
It’s never been more important to update your security software and take advantage of any relevant functionality. Most software options provide monitoring systems to identify and monitor suspicious activity.
Similarly, make sure to maintain your web server’s security. Simply updating software and drivers helps fight against attacks, but you may also have access to more specialized solutions like a web application firewall (WAF). Installing a WAF can help reduce the impact of the most severe, application-style DDoS attacks.
Consider basic steps for mitigation
There are several easy ways to boost your security after an attack and even to contain some of the most damaging consequences.
The first step is often as simple as disconnecting your internet connection to interrupt an attack. This is especially true if you’re experiencing a DDoS attack on a gaming console.
For some devices, however, it’s impossible to just pull the plug. Instead of disconnecting, load up your security software to see if you can start blocking IP addresses on your own.
At this point in the process, it’s common to want to know how to fix a router after a DDoS attack. Fortunately, an attack does no actual damage to your router, but you will want to reset it just to be safe. You can do this by unplugging the router’s power cable for 15 to 30 seconds, then rebooting.
Always have a DDoS plan in place
The most important DDoS advice is to be prepared. Whether you work by yourself or manage a big team, it’s important to understand your vulnerabilities and your resources. If you don’t have the personal know-how, shop around for a host or security consultant who can resolve DDoS issues