The number and severity of successful distributed denial-of-service attacks are increasing every year. Besides long downtimes, they cause an overall economic loss in the billions. Against this background, implementing suitable IT security measures to ward off distributed denial-of-service attacks is more important than ever. In the following chapters you will learn how a distributed denial-of-service attack works, why it must not be underestimated, and which IT protection measures you can use to protect yourself and your company intelligently, quickly and efficiently.
Whether big data, the Internet of Things, cloud computing, artificial intelligence or virtual and augmented reality: digital technologies have become indispensable in business life. They change existing forms of work, design value-added processes and unleash incredible growth potential. The use of digital technologies is now increasingly determining the competitiveness, robustness, and future viability of a company.
Digital technologies thus help companies fly high, but cyber criminals also benefit from the diverse options offered by increasingly advanced attack methods.
In recent years, the trend toward distributed denial-of-service attacks in particular has exploded. A distributed denial-of-service attack is a special type of attack that derives from the traditional denial-of-service attack and targets a company's websites, web servers, corporate networks and other network resources with a large number of simultaneous connection requests or malformed packets, thus slowing them down or even paralyzing them entirely. For this purpose, the threat actors often use compromised computers and end devices, which they combine by remote control into a so-called botnet and then direct against a target system and its services. Here, the multiplication of the attack source, i.e. the dimension of the botnet,
Types of DDoS Attacks
In general, distributed denial-of-service attacks (DDoS) can target any of the seven layers of the OSI model for network connections. The three fundamental types are:
Network-centric or volume-based distributed denial-of-service attacks: Network-centric or volume-based attacks are the most common form of distributed denial-of-service attacks. With this type of attack, the available bandwidth is saturated with packet floods generated by a botnet, so that legitimate connection requests can no longer get through. This category includes, for example, UDP flood attacks.
UDP Flood Attacks: In a UDP flood attack, attackers send massive numbers of User Datagram Protocol (UDP) packets to the target server's ports, overloading it until it can no longer respond.
Application-based distributed denial-of-service attacks: Application-based denial-of-service attacks aim to overload and consume the target system’s resources and memory with meaningless or invalid connection requests. The most common in this context are so-called HTTP flood attacks.
HTTP Flood Attacks: In the simplest variant of a DDoS resource-exhaustion attack, threat actors flood a target system's web server with a large number of HTTP requests. For this purpose, the attacker only has to request arbitrary pages of the target site until the web server collapses under the load of requests.
Protocol-based distributed denial-of-service attack: Protocol-based denial-of-service attacks target network or transport layer protocols and exploit vulnerabilities to overwhelm the target system with incomplete or malformed connection requests. The most common protocol-based distributed denial-of-service attacks include:
ICMP Flood Attack: In an ICMP (Internet Control Message Protocol) flood attack, threat actors flood the webserver with countless ICMP requests. This attack attempts to hamper the web server’s ability to respond to requests, thereby blocking valid requests.
The SYN Flood Attack: In this attack pattern, threat actors attempt to overwhelm all available ports on a target server by repeatedly sending synchronization packets, or SYN packets, causing the target device to respond slowly or not at all to legitimate data traffic. SYN flood attacks succeed by exploiting the handshake process of the TCP connection.
Multi-Vector Attacks: Multi-vector attacks combine different attack methods, such as protocol-based with application-based distributed denial-of-service attacks, to completely overwhelm a target system and its services and force it to crash. Combined multi-vector attacks are complicated to defend against and require a well-thought-out and versatile defense strategy.
How To Prevent Distributed Denial of Service Attacks!
Since distributed denial-of-service attacks are very complex, companies should implement IT defense measures at several levels.
Promising approaches usually contain the following aspects:
- Identification of critical IP addresses and closing of known security gaps
- Web application firewalls: In contrast to conventional firewalls, web application firewalls, or WAFs for short, examine the application-specific interaction and are therefore in a position to detect attacks at the application level.
- IP blocklists: IP blocklists enable critical IP addresses to be identified and data packets discarded straight away. This security measure can be implemented manually or automated via the firewall using flexibly generated blocklists.
- Filtering: To filter out malicious data packets, limit values can be set for data volumes within a given period. However, it should be noted that proxies sometimes cause many clients to reach the web server with the same IP address, and these may then be blocked without reason.
- SYN cookies: SYN cookies address the weakness in TCP connection establishment. If this security measure is used, the data from SYN packets is no longer stored on the web server but sent to the client in cryptographic cookies. SYN flood attacks then still consume computing capacity but no longer load the target system's memory.
- Load balancing: An efficient countermeasure against overload is distributing the work across multiple systems, as load balancing makes possible. The hardware utilization of the provided services is spread across multiple physical devices. In this way, distributed denial-of-service attacks can be absorbed to a certain extent.
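To make the filtering, blocklist and proxy caveat from the list above concrete, the following Python code is an added example (not from the original article or from any particular firewall product): a sliding-window rate limiter keyed by client identity, a blocklist check, and a `client_identity` function that only trusts the X-Forwarded-For header when the immediate peer is a known reverse proxy. The log line format, the trusted-proxy and blocklist networks, the limit values and the sample log lines are all constructed for the illustration; replaying the same log with and without proxy awareness shows the false blocks the caveat warns about.

```python
"""Per-client rate limiting and blocklisting replayed over sample log lines.
Added example; the log format, networks, limits and log lines are constructed."""
import ipaddress
from collections import defaultdict, deque

# Constructed networks: reverse proxies whose X-Forwarded-For header we trust,
# and a blocklist of sources whose requests are dropped straight away.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]

LIMIT = 20      # requests allowed per client ...
WINDOW = 10.0   # ... within this many seconds (constructed values)


def in_any(addr, networks):
    return any(addr in net for net in networks)


def client_identity(remote_addr, xff, proxy_aware):
    """Decide which address the rate limit is keyed on.

    If the peer is a trusted proxy and proxy_aware is set, walk X-Forwarded-For
    from the right and take the first hop that is not itself a trusted proxy.
    Headers from untrusted peers are ignored, since any client can forge them."""
    peer = ipaddress.ip_address(remote_addr)
    if not proxy_aware or xff == "-" or not in_any(peer, TRUSTED_PROXIES):
        return str(peer)
    for hop in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed header: fall back to the peer address
        if not in_any(addr, TRUSTED_PROXIES):
            return str(addr)
    return str(peer)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget hits that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def process_log(lines, proxy_aware):
    """Replay log lines through blocklist and limiter; return a summary dict.
    Constructed line format: '<unix_ts> <peer_ip> <x-forwarded-for|-> <method> <path>'
    with X-Forwarded-For hops comma-separated and no spaces."""
    limiter = SlidingWindowLimiter(LIMIT, WINDOW)
    summary = {"allowed": 0, "rate_limited": 0, "blocklisted": 0, "limited_clients": set()}
    for line in lines:
        ts, peer, xff, _method, _path = line.split(maxsplit=4)
        ident = client_identity(peer, xff, proxy_aware)
        if in_any(ipaddress.ip_address(peer), BLOCKLIST) or in_any(ipaddress.ip_address(ident), BLOCKLIST):
            summary["blocklisted"] += 1
            continue
        if limiter.allow(ident, float(ts)):
            summary["allowed"] += 1
        else:
            summary["rate_limited"] += 1
            summary["limited_clients"].add(ident)
    summary["limited_clients"] = sorted(summary["limited_clients"])
    return summary


def build_sample_log():
    """Constructed traffic: 25 legitimate clients (one request each) and one
    flooding client (40 requests in 4 s) behind proxy 10.0.0.5, plus five direct
    requests from a blocklisted source."""
    t0 = 1700000000.0
    lines = [f"{t0 + i * 0.1:.1f} 10.0.0.5 198.51.100.{i} GET /index.html" for i in range(1, 26)]
    lines += [f"{t0 + 3 + j * 0.1:.1f} 10.0.0.5 198.51.100.99 GET /search?q=x" for j in range(40)]
    lines += [f"{t0 + 5 + k:.1f} 192.0.2.10 - GET /" for k in range(5)]
    return lines


if __name__ == "__main__":
    for aware in (False, True):
        print("proxy-aware" if aware else "naive      ", process_log(build_sample_log(), aware))
```

Without proxy awareness every request behind 10.0.0.5 counts against one key, so the 25 legitimate clients share the limit with the flooder and five of them are refused; keyed on the forwarded address, only the flooding client is limited. The limiter keeps a deque per key, so in production it should be bounded or expired, or replaced by a counter in the firewall or reverse proxy.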
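The SYN cookie mechanism in the list above, which answers the TCP handshake weakness exploited by the SYN flood attack described earlier, as an added example that is not part of the original article: a simplified Python model in which the server encodes a time slot, a rounded MSS and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN-ACK, stores nothing, and later validates the client's final ACK by recomputing the hash. The secret key, the MSS table, the time units and the simulated flood are constructed for the illustration; `simulate_syn_flood` contrasts the memory held by a classic half-open backlog with the cookie approach, which costs only the hash computation.

```python
"""SYN cookies: stateless handling of TCP SYNs (added illustration, not the
page's code). Layout of the 32-bit cookie: 5 bits time slot | 3 bits MSS index
| 24 bits keyed hash of the 4-tuple and time slot."""
import hashlib
import hmac

# Constructed per-server secret; a real implementation uses a random key
# generated at boot and rotated, never a fixed string.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"

# MSS values the 3-bit field can encode; the client's real MSS is rounded
# down to the nearest entry (kernels keep a small table like this).
MSS_TABLE = [536, 1300, 1440, 1460]

MAX_COOKIE_AGE = 4  # cookie validity, in the same (coarse) time units as `now`


def _mac24(src_ip, src_port, dst_ip, dst_port, t, secret):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now, secret=SERVER_SECRET):
    """Build the initial sequence number sent in the SYN-ACK. Nothing is stored."""
    t = now & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, t, secret)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now, secret=SERVER_SECRET):
    """Validate the client's final ACK (which acknowledges ISN + 1).
    Returns the MSS encoded in the cookie, or None if the cookie is stale,
    forged, or belongs to a different 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = ((now & 0x1F) - t) & 0x1F
    if age > MAX_COOKIE_AGE:
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, t, secret)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def simulate_syn_flood(n_syns, use_cookies, now=12):
    """Return how many half-open entries the server holds after n_syns SYNs
    from distinct (constructed) sources that never complete the handshake."""
    half_open = {}
    for i in range(n_syns):
        src_ip, src_port = f"203.0.113.{i % 254 + 1}", 1024 + i
        if use_cookies:
            make_syn_cookie(src_ip, src_port, "198.51.100.10", 443, 1460, now)  # CPU only
        else:
            half_open[(src_ip, src_port)] = {"isn": i, "mss": 1460}  # classic backlog entry
    return len(half_open)


if __name__ == "__main__":
    c = make_syn_cookie("198.51.100.7", 40000, "198.51.100.10", 443, 1460, now=12)
    print("valid ACK  ->", check_syn_cookie("198.51.100.7", 40000, "198.51.100.10", 443, c + 1, now=13))
    print("stale ACK  ->", check_syn_cookie("198.51.100.7", 40000, "198.51.100.10", 443, c + 1, now=25))
    print("backlog entries without cookies:", simulate_syn_flood(10000, use_cookies=False))
    print("backlog entries with cookies:   ", simulate_syn_flood(10000, use_cookies=True))
```

The price of statelessness is visible in the code: only a rounded MSS survives the round trip, and a cookie is accepted for any ACK arriving within the age window, which is why real stacks enable SYN cookies only once the backlog is under pressure rather than for every connection.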