If you’ve been reading up on cybersecurity, you have probably heard of a DDOS attack. You’ve probably heard of them because they are an increasingly common annoyance. Even though the harm done by these attacks is often limited to malicious disruption of a network, that can have very expensive consequences for business organizations. A large business organization can potentially lose thousands or even millions of dollars for a single day of network downtime.
When trying to guard against any sort of attack, it is helpful to understand it as thoroughly as possible. The basic concept of a DDOS attack is actually pretty simple, so you won’t need a computer science degree to make sense of all this stuff.
What Is A DDOS Attack?
DDOS stands for “Distributed Denial-Of-Service Attack.” The name doesn’t really tell you much, but it does give an accurate description. DDOS attacks work by overwhelming a particular network or server with more traffic than it can handle.
Whenever you attempt to load a particular website, your device sends out a request to connect, which the server then accepts, allowing you to connect. No matter how beefy a server or network might be, it can only handle a certain number of these requests at one time. When too many are sent, the overload causes the entire system to shut down. Thankfully, these shutdowns tend to be temporary in nature.
How Do People Carry Out DDOS Attacks?
If you are unfamiliar with these matters, you might be asking yourself: “Doesn’t this tactic require a large network of people?” The answer is no. Although DDOS attacks are sometimes carried out by large groups of people who share a common goal, most of them are carried out through the use of something called a botnet. Those who do it the old-fashioned way are generally “hacktivists” rather than truly dangerous criminals, so the botnet is the biggest threat by far. The “hacktivist” crowd may be involved in criminal activity, but they are definitely not the most dangerous hackers out there.
What Is A Botnet And How Does It Work?
So, that brings us to the next topic: A proper understanding of botnets and how they work. If the hacker does not have a unified group of people behind them, they will take control of other devices in a covert manner. Your device could be part of a botnet right now, and you probably wouldn’t know. The only real indication would be an occasional slowdown. One of the reasons that they can do this is the fact that they don’t require any special permissions. Once they get into the target system, all they have to do is connect to a certain website at a certain time. That doesn’t usually require admin privileges or passwords, etc.
The number of connection requests can be multiplied even further through the use of virtualization. By creating a system within a system, you can send multiple requests from the same device at the same time. That is a little harder, but a dedicated attacker will likely do something like this. Virtualization works by segmenting a certain portion of the hard drive and the RAM, using that space to then create a virtual system. Some people use these to run multiple operating systems on the same computer, but criminals (unfortunately) use them to get even more requests out of their botnets.
The Mirai Botnet
One notable example would be the Mirai botnet, which caused quite a lot of trouble in 2016. This botnet was originally created by a university student named Paras Jha, who was looking to get a job in the IT department. Using an early version of the Mirai botnet, he was able to overwhelm the university’s network and bring it down at key points (registration days and other important dates). Then, he attempted to use that as a way to get a job. As he later explained (when caught), Jha was attempting to figure out a way to profit from DDOS attacks, and the Mirai botnet is the result.
One of the funniest things about this story is the fact that this botnet was primarily used to gain advantages and make money in a video game called Minecraft. People can make real money by hosting a lot of people on their servers, and that means the competition for players is fierce. To deal with that competition, many unscrupulous players will DDOS each other’s servers, and Jha apparently picked up the idea from there. The scariest thing about the Mirai botnet is that it’s still out there and has been tweaked and updated to be more dangerous than ever.
Types Of DDOS Attacks
As with many other simple concepts, people have found many ways to exploit the basic idea of a DDOS attack. The first thing to understand is that all internet traffic consists of data packets. By dividing data into small units (which are reassembled once received), the network can transfer a lot of data without overloading itself. There are many different kinds of packets, and that is reflected in the diversity of attack methods that we have seen.
UDP Flood Method
This attack works by flooding the server or network with UDP (User Datagram Protocol) packets. Any network will have a number of ports, and these are simply communication endpoints. These types of attacks can flood random ports, meaning that they can hit many places at the same time. As the system checks each of those ports for an application that is listening, it has to send out reply packets that tell the sender that the request could not be delivered. Obviously, it requires a certain amount of network resources to do this, and large numbers of UDP packets can exceed them.
ICMP Flood AKA The Ping Method
It is also very common for DDOS attacks to be carried out using ICMP (Internet Control Message Protocol) echo request packets. If you’ve ever heard someone talking about “pinging” a website, this is what they meant. It is basically just a way of testing your connection to a certain host and is often used by computer techs to test various configurations. When a host receives a ping, it responds with a similar packet known as an ICMP echo reply packet. As you can see, this attack works very similarly to the UDP attack: the system can only respond to so many requests at one time.
SYN Flood Method
This one works by utilizing the TCP (Transmission Control Protocol) connection process to flood the network with requests. TCP is basically a set of rules by which all those packets are reassembled after being sent over the network. It works together with the Internet Protocol (IP), which delivers packets to their intended destination. TCP makes sure that the data is assembled correctly once it arrives. It is used by a huge variety of servers, applications, and websites.
When you are trying to establish a TCP connection, a SYN packet is sent. This is just a connection request from one port to another. Incidentally, the name is short for “synchronization” since that is basically what these packets attempt to do. The server will normally respond with a SYN/ACK packet, which is basically just an acknowledgment that the SYN packet was received. The client receives this SYN/ACK packet and responds with an ACK packet of its own, completing what is usually termed the “three-way handshake.”
This one is a little more complicated, as you can see. The SYN flood method works by sending a whole bunch of SYN packets at once. When the system responds with SYN/ACK packets, the attacker simply never sends the final ACK packet. This leaves the server or network waiting for that acknowledgment, tying up system resources for even longer. In the end, the result is exactly what you would expect: the network is overwhelmed and goes down.
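To make the half-open handshake concrete from the defender's side, here is an added example (not code from the original article) that walks a constructed packet trace, tracks which client SYNs have never been followed by the client's ACK, and flags a server whose backlog of stale half-open handshakes exceeds a threshold. The trace, the server address and the thresholds are all assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed packet trace (not a real capture). Each entry is
# (timestamp_seconds, source_ip, destination_ip, tcp_flags); the server is 203.0.113.10.
SERVER = "203.0.113.10"
SAMPLE_TRACE = [
    # One legitimate client completes the three-way handshake within 50 ms.
    (0.00, "198.51.100.7", SERVER, "S"),
    (0.02, SERVER, "198.51.100.7", "SA"),
    (0.05, "198.51.100.7", SERVER, "A"),
]
# Twenty SYNs from twenty different sources; the server replies, but no ACK ever comes back.
SAMPLE_TRACE += [(1.00 + i * 0.01, f"192.0.2.{i + 1}", SERVER, "S") for i in range(20)]
SAMPLE_TRACE += [(1.01 + i * 0.01, SERVER, f"192.0.2.{i + 1}", "SA") for i in range(20)]


def half_open_by_server(trace, now, grace=1.0):
    """Count, per server, the handshakes still waiting for the client's ACK.

    A handshake is recorded when the client's SYN arrives and removed when that
    client's ACK arrives. Anything still pending after `grace` seconds counts as
    half-open, since a genuine ACK normally arrives within one round trip.
    """
    pending = {}  # (client, server) -> time the SYN arrived
    for t, src, dst, flags in sorted(trace):
        if flags == "S":
            pending.setdefault((src, dst), t)
        elif flags == "A":
            pending.pop((src, dst), None)
        # "SA" is the server's own reply and does not change the pending state.
    counts = defaultdict(int)
    for (_client, server), t in pending.items():
        if now - t >= grace:
            counts[server] += 1
    return dict(counts)


def syn_flood_suspects(trace, now, threshold=10, grace=1.0):
    """Servers whose stale half-open backlog exceeds `threshold` (assumed limit)."""
    backlog = half_open_by_server(trace, now, grace)
    return sorted(server for server, n in backlog.items() if n > threshold)


if __name__ == "__main__":
    print(half_open_by_server(SAMPLE_TRACE, now=5.0))   # {'203.0.113.10': 20}
    print(syn_flood_suspects(SAMPLE_TRACE, now=5.0))    # ['203.0.113.10']
```

A real SYN-cookie or firewall implementation keeps the same per-connection state in kernel tables; this script only shows the bookkeeping that makes a flood visible.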
Ping Of Death
This colorfully-named method is a pretty ingenious one, unfortunately. This one uses what you might call “poisoned packets” to overload a network at many points simultaneously. Every packet of network data has a limit of 65,535 bytes. When you realize just how small that is, you realize why so many of them are needed. In any case, networks are simply not able to handle packets that are larger than 65,535 bytes. There is a certain amount of buffer space available for each packet, and that must not be exceeded.
“Ping of death” attacks work by taking an oversized packet and spreading it across multiple fragments. This allows it to get past the normal size restrictions that are imposed in transit. Once received, these fragments are reassembled into an abnormally large packet, and that means legitimate packets are temporarily blocked from that port. Do this enough, and the network goes down.
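The defensive fix for this class of bug is to compute the reassembled size from the fragment offsets before allocating any buffer. The following is an added example (not from the original article) of that check over constructed IPv4 fragment descriptions; it assumes a 20-byte IP header with no options, and the fragment lists are made up for the illustration.

```python
IPV4_MAX_DATAGRAM = 65535                 # 16-bit Total Length field
IPV4_HEADER_LEN = 20                      # header without options (assumed here)
MAX_PAYLOAD = IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN   # 65515 bytes of payload at most
MAX_OFFSET_UNITS = 8191                   # 13-bit Fragment Offset, in 8-byte units

# Constructed fragment lists: (offset_in_8_byte_units, payload_length, more_fragments).
NORMAL_PING = [(0, 1480, True), (185, 1480, True), (370, 40, False)]   # 3000-byte payload
OVERSIZED_PING = [(0, 1480, True), (8189, 60, False)]                 # ends past 65535


def reassembled_payload_size(fragments):
    """Highest byte position any fragment would write to, i.e. the final payload size."""
    return max((off * 8 + length for off, length, _ in fragments), default=0)


def validate_fragments(fragments):
    """Return (ok, reason). Size is checked before anything is buffered."""
    frags = sorted(fragments)
    if not frags:
        return False, "no fragments"
    for off, length, _ in frags:
        if not (0 <= off <= MAX_OFFSET_UNITS and length > 0):
            return False, "fragment offset or length out of range"
    size = reassembled_payload_size(frags)
    if size > MAX_PAYLOAD:
        return False, f"reassembled payload of {size} bytes exceeds {MAX_PAYLOAD}"
    # Only after the size is known to be sane do we care about completeness.
    expected = 0
    for off, length, _ in frags:
        if off * 8 != expected:
            return False, "gap or overlap between fragments"
        expected += length
    if frags[-1][2]:
        return False, "last fragment still has the More Fragments flag set"
    return True, "ok"


if __name__ == "__main__":
    print(validate_fragments(NORMAL_PING))      # (True, 'ok')
    print(validate_fragments(OVERSIZED_PING))   # rejected: 65572 bytes exceeds 65515
```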
Slow HTTP Header Method
This is a very precise method that is meant to target one particular server. Basically, instead of sending full connection requests, the attacker just sends a huge number of incomplete HTTP headers. The targeted server will wait to receive the rest of the data, keeping that connection open until it completes or times out. When the server eventually has more connections open than it can handle at one time, the whole thing goes down.
There Are Other Methods
These are just some of the more common examples, as we do not have space to fully explain all of them. Still, this gives you a good idea of the many ways in which hackers can flood a network with requests and force a shutdown. Essentially, all of these methods revolve around that same basic concept.
How To Protect Against DDOS Attacks
Unfortunately, there aren’t a whole lot of ways in which you can prevent these attacks without third-party help. There are many companies that offer DDOS mitigation services, and these basically work by giving you some overflow space. If your server begins to get overloaded with excessive numbers of connection requests, some of those requests can be “outsourced” to other servers. If you really don’t want to employ the services of a third-party company, you can set up some backup servers. These can be configured to handle overflow traffic, making your network or site a lot harder to DDOS.
Most of the better DDOS mitigation services make use of the cloud as an overflow buffer. As we explained earlier, virtualization can be used to magnify the resources of a given device. Just as hackers can use it as a tool to multiply their botnets, we can also use it as a “trash dump” into which that malicious traffic can be re-routed.
Network monitoring is another way to deal with DDOS attacks. Network monitoring programs allow you to watch the flow of packets over the network and to automate the process to a certain extent. Suspicious traffic will usually precede a DDOS attack as the hacker prepares to strike. When that first round of connections floods into the server, your network can be configured to shut the door on that particular IP or range of IPs. If you are vigilant, you might very well be able to catch the attack before it shuts you down completely.
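Here is an added example (not code from the original article) of the kind of automation described above: it parses constructed web-server log lines, counts requests per source address and per /24 range inside a fixed time window, and reports which addresses or ranges exceed a threshold. The log lines, window size and thresholds are assumptions made up for the illustration; a range can trip the limit even when no single address in it does.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed combined-format log lines (not from a real server)."""
    base = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)

    def line(ip, sec, path="/"):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("203.0.113.44", 0), line("203.0.113.44", 4, "/about"), line("203.0.113.45", 7)]
    lines += [line("192.0.2.9", i % 10) for i in range(25)]              # one noisy address
    lines += [line(f"198.51.100.{h}", (h * 3 + k) % 10)                  # 12 hosts, 3 hits each
              for h in range(1, 13) for k in range(3)]
    return lines


def parse_line(line):
    """Return (timestamp, ip_address) for a recognised line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), ipaddress.ip_address(m["ip"])


def flood_sources(lines, window_s=10, per_ip=20, per_net=30, prefix=24):
    """Addresses and /prefix ranges exceeding their per-window request limits."""
    events = sorted(e for e in map(parse_line, lines) if e)
    ip_hits, net_hits = Counter(), Counter()
    t0 = events[0][0] if events else None
    for ts, ip in events:
        bucket = int((ts - t0).total_seconds()) // window_s   # fixed windows from the first event
        ip_hits[(bucket, ip)] += 1
        net_hits[(bucket, ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    bad_ips = sorted({str(ip) for (_, ip), n in ip_hits.items() if n > per_ip})
    bad_nets = sorted({str(net) for (_, net), n in net_hits.items() if n > per_net})
    return bad_ips, bad_nets


if __name__ == "__main__":
    print(flood_sources(build_sample_log()))   # (['192.0.2.9'], ['198.51.100.0/24'])
```

The returned lists are what you would feed into a firewall rule; blocking the /24 catches the spread-out sources that a per-address limit alone would miss.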
No matter what kind of methods you choose, you definitely need to have a comprehensive DDOS response plan in place. When something like this happens, the response must be quick and effective. Your IT staff and network administrators need to know what is expected of them if a crisis like this occurs.
We hope that this article has answered all of your questions and shown you exactly how this sort of thing works. We have attempted to give you a thorough and complete understanding, and hopefully, it has not been too technical or confusing. However, those of you who have additional questions can always call PCH Technologies at (856) 754-7500.