What is a DDoS Attack and Can it be Prevented?


You have probably heard reports of, or even experienced firsthand, a DDoS (Distributed Denial of Service) attack. In recent years the Sony PlayStation Network, the Hong Kong Stock Exchange, PayPal, WordPress, the Russian government, and even the CIA have been victims of DDoS attacks. But what exactly is a DDoS attack, and can it be prevented?

Explain Like I’m 5: What is a DDoS Attack?

If you are familiar with the message board Reddit, you likely know the acronym ELI5, which stands for Explain Like I’m 5. Tough topics like the multiverse and string theory get explained by Redditors in simple terms. Here is my attempt at explaining a DDoS attack in terms that even a 5 year old would understand.

Eating Taco Bell breakfast is a risky decision, but you are intrigued by the Waffle Taco and must find out what it tastes like. On a normal day you can just walk in and order your meal from the cashier. But this is no normal day. Imagine 100 troublemakers in line ahead of you. They are all loitering, and most don’t even have their wallets. This causes massive congestion; people can’t even get into the parking lot. These troublemakers are a DDoS. Being outnumbered, there’s not much you can do about the situation until the troublemakers leave.

Explain DDoS Attacks like I’m an Adult

A DDoS is an overwhelming amount of traffic that makes a website inaccessible. A web server can only handle a certain number of connections at one time; once that limit is reached, new requests are refused or time out, and the site appears down for everyone. There are two ways this can happen: one accidental, one malicious.

The accidental, “friendly” version is when a lot of people are interested in a website at the same time and the surge of legitimate traffic overwhelms the server. For instance, if your website is linked from the Drudge Report, hundreds of thousands of people could arrive at your site at once. Strictly speaking this is not an attack at all, and the problem goes away much sooner than a malicious DDoS: the visitors leave once their interest fades.

A malicious DDoS is when a person or group takes control of hundreds or even thousands of computers (a botnet) and directs all of them to send traffic to a target, exceeding the bandwidth or connection capacity available to that IP address. The attacker generates a flood of requests to the website, leaving no room for legitimate users.

DDoS Attack Classification

There are two main types of Denial of Service attack commonly seen in our industry: application-layer attacks and volumetric attacks. The best way to think of this, using the fast food analogy above, is to ask how the business is being prevented from serving its real customers.

An application-layer attack is the equivalent of a group of individuals ordering food, changing their minds, ordering too much, paying in pennies, and pretending to be unable to read the menu. The cashier’s policies prevent them from simply telling these people to go away until they hit a certain breaking point, or until the customer (who is ALWAYS right, btw 🙂 ) has been given adequate time to establish their true intention. You would only need as many attackers as there are cash registers. The attackers leverage their knowledge of the rules of the business to maximize the resources the business spends on them, while spending minimal resources themselves.
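The “as many attackers as cash registers” point is easy to see in a small model. The following is an added example, not code from the article or from HostDime: a constructed discrete-time simulation of a server with a fixed pool of worker slots, bots that open a connection and never finish their request, and legitimate visitors who give up after waiting too long. The worker count, service time, patience and the `header_timeout` option (the cashier’s “adequate time” before telling a stalled customer to step aside) are all assumed values.

```python
"""Toy discrete-time model of an application-layer denial of service.

Constructed example (not the article's own code): a server with a fixed pool
of worker slots; bots that open connections and never finish their request;
legitimate visitors who give up if they wait too long in the backlog.
"""
from collections import deque

WORKERS = 4          # concurrent request slots: the "cash registers" (assumed)
SERVICE_TICKS = 1    # a real request holds a slot for one tick (assumed)
PATIENCE = 3         # a real visitor leaves after waiting this many ticks (assumed)


def simulate(attackers, ticks, header_timeout=None, legit_per_tick=2, workers=WORKERS):
    """Run the model for `ticks` steps and report how legitimate visitors fared.

    header_timeout=None means the server waits forever for a slow client to
    finish its request (the cashier never tells anyone to step aside).
    """
    backlog = deque()   # accepted-but-unserved connections: (is_bot, enqueued_tick)
    slots = []          # connections holding a worker: (is_bot, started_tick)
    served = gave_up = 0

    # the bots get in line before the real traffic arrives
    for _ in range(attackers):
        backlog.append((True, 0))

    for t in range(ticks):
        # 1. release worker slots: real requests finish; stalled bots hit the timeout
        still_busy = []
        for is_bot, started in slots:
            if not is_bot and t - started >= SERVICE_TICKS:
                served += 1
            elif is_bot and header_timeout is not None and t - started >= header_timeout:
                backlog.append((True, t))   # the bot reconnects immediately
            else:
                still_busy.append((is_bot, started))
        slots = still_busy

        # 2. this tick's legitimate visitors join the backlog
        for _ in range(legit_per_tick):
            backlog.append((False, t))

        # 3. visitors who have waited too long give up
        patient = deque()
        for is_bot, enqueued in backlog:
            if not is_bot and t - enqueued >= PATIENCE:
                gave_up += 1
            else:
                patient.append((is_bot, enqueued))
        backlog = patient

        # 4. hand free slots to the backlog in arrival order
        while backlog and len(slots) < workers:
            is_bot, _ = backlog.popleft()
            slots.append((is_bot, t))

    return {"served": served, "gave_up": gave_up}


if __name__ == "__main__":
    for label, kwargs in [
        ("2 bots, no timeout", dict(attackers=2)),
        ("4 bots, no timeout", dict(attackers=4)),
        ("4 bots, timeout=3 ", dict(attackers=4, header_timeout=3)),
        ("4 bots, timeout=1 ", dict(attackers=4, header_timeout=1)),
    ]:
        print(label, simulate(ticks=20, **kwargs))
```

With two bots and four workers, every legitimate visitor is still served; with four bots (one per register) and no timeout, nobody is served and every visitor gives up. A header timeout of 3 ticks gets half the visitors through, and a timeout of 1 tick restores full service, because the bots have to keep paying the cost of reconnecting instead of holding a slot for free. That is what the cashier’s “breaking point” buys you, and why the attacker needs so little to pull this off when the policy is generous.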

A volumetric attack is a crowd flooding the lobby so there’s no room to operate, effectively cutting the business off from its legitimate customers. The crowd makes the place look popular, and from the outside or the inside it is difficult to tell whether the people in the lobby are honest customers or malicious individuals. These attacks are harder to pull off because they need a lot of participants (knowing or unknowing), but we are seeing them more and more as attackers leverage ‘reflection’ attacks: they send requests with the victim’s address forged as the source, so that innocent third-party computers and networks send their replies to the victim and unwittingly participate in the attack.
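To make the reflection mechanism concrete, here is an added example (constructed for this post, not code from the article or from HostDime) that models one round of a reflection attack. The addresses are documentation-range placeholders, the reflectors are imaginary open UDP services, and the response-to-query size ratios are assumed figures rather than measurements. The point it shows is the one made above: the victim receives far more traffic than the attacker sends, and every byte of it arrives from the addresses of innocent third parties.

```python
"""Toy model of a reflection attack.

Constructed example, not the article's own code: addresses, reflectors and
amplification figures are all assumed values for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the header; nothing on the path verifies it
    dst: str
    size: int   # bytes on the wire


ATTACKER = "192.0.2.7"        # documentation-range addresses, constructed for this example
VICTIM = "203.0.113.20"
QUERY_BYTES = 64              # assumed size of one small query
# Open UDP services that answer anyone, each with an assumed response/query size ratio
REFLECTORS = {"198.51.100.10": 30, "198.51.100.11": 30, "198.51.100.12": 45}


def reflect(query: Packet, amplification: int) -> Packet:
    """An honest service replies to whatever address the query claims to come from."""
    return Packet(src=query.dst, dst=query.src, size=query.size * amplification)


def run_reflection(queries_per_reflector: int, spoof: bool = True) -> dict:
    """Send queries to every reflector and report what the attacker and the victim see."""
    attacker_out = attacker_in = victim_in = 0
    victim_sees = set()
    for reflector, amp in REFLECTORS.items():
        for _ in range(queries_per_reflector):
            claimed_src = VICTIM if spoof else ATTACKER
            query = Packet(src=claimed_src, dst=reflector, size=QUERY_BYTES)
            attacker_out += query.size
            reply = reflect(query, amp)
            if reply.dst == VICTIM:
                victim_in += reply.size
                victim_sees.add(reply.src)
            elif reply.dst == ATTACKER:
                attacker_in += reply.size
    return {
        "attacker_bytes_out": attacker_out,
        "attacker_bytes_in": attacker_in,
        "victim_bytes_in": victim_in,
        "amplification": victim_in / attacker_out if attacker_out else 0.0,
        "victim_sees_sources": victim_sees,
    }


if __name__ == "__main__":
    print("spoofed:  ", run_reflection(queries_per_reflector=100))
    print("unspoofed:", run_reflection(queries_per_reflector=100, spoof=False))
```

Run with the source address forged, the attacker spends 19,200 bytes and the victim absorbs 672,000 from three reflector addresses, none of which belong to the attacker. Without the forgery the same queries just bounce back to the attacker, which is why the attack depends on networks that let packets leave with a source address that isn’t theirs, and why blocking “the sources” at the victim’s end means blocking legitimate servers.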

While the two tactics differ in approach, they produce the same end result: your application is no longer accessible, and you now have to find ways to fight the attack if you want your site or app to be available to the public.

DoS & DDoS Prevention and Countermeasures

There is no single solution that prevents the bottleneck problem caused by a DDoS attack, because a large-scale operation will saturate the ISP’s links rather than just the server(s). ISPs have little control over a botnet attacking an IP address, because the traffic comes from malware on someone else’s computer; trying to block it outright would affect normal web traffic as well.

The only effective way to counteract a denial of service attack is to filter the traffic before it reaches the equipment or bottleneck that will cause the issue. For application-layer attacks, you need to inspect all the packets destined for the target, apply the same knowledge of how the application is supposed to operate to identify traffic that could be malicious, and filter it out. This is sometimes referred to as deep packet inspection and is found on DDoS appliances or IPS devices. Some firewalls can protect against these kinds of attacks, but they are not really designed to handle them and tend to fall over once overrun with traffic to inspect or connection states to track.
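What “applying knowledge of the proper operation of the application” looks like in practice is easiest to show on log data. The block below is an added example, not the article’s or HostDime’s own code: it parses constructed web-server log lines in the common combined format and applies two assumed rules inside a sliding window, a plain per-source request-rate limit and a much lower limit on requests this particular (imaginary) application is known to find expensive, here wildcard searches. The thresholds, the window length and the “expensive” pattern are assumptions that would come from knowing your own app.

```python
"""Application-layer filtering over constructed web-server log lines.

Added example, not the article's own code. Two rules stand in for the
"knowledge of the proper operation of the application" the text describes:
a request-rate limit per source, and a lower limit on requests the app is
assumed to find expensive (here: wildcard searches).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
WINDOW_SECONDS = 10     # assumed sliding window
MAX_REQUESTS = 20       # assumed: more than this per window from one address is abusive
MAX_COSTLY = 5          # assumed: wildcard searches are expensive for this app
COSTLY = re.compile(r"^/search\?q=.*(%25|\*)")


def make_log() -> list:
    """Constructed combined-format lines: two ordinary visitors and two abusive sources."""
    fmt = ('{ip} - - [10/Mar/2014:08:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '{status} {size} "-" "{ua}"')
    rows = []
    for sec, path in [(0, "/"), (1, "/style.css"), (2, "/logo.png")]:   # one page load
        rows.append(fmt.format(ip="203.0.113.10", sec=sec, path=path,
                               status=200, size=4096, ua="Mozilla/5.0"))
    for sec in (3, 9):                                                    # two normal searches
        rows.append(fmt.format(ip="203.0.113.11", sec=sec, path="/search?q=waffle+taco",
                               status=200, size=8192, ua="Mozilla/5.0"))
    for sec in range(8):        # one request per second, but every one is a wildcard search
        rows.append(fmt.format(ip="198.51.100.7", sec=sec, path="/search?q=%25%25%25",
                               status=200, size=91200, ua="-"))
    for i in range(30):         # cheap front-page hits, five per second for six seconds
        rows.append(fmt.format(ip="198.51.100.8", sec=i // 5, path="/",
                               status=200, size=4096, ua="python-requests/2.2"))
    rows.sort(key=lambda line: line.split("[")[1].split("]")[0])   # replay in time order
    return rows


def find_abusers(lines) -> dict:
    """Return {source_ip: reason} for sources that break either rule within the window."""
    recent = defaultdict(deque)     # ip -> timestamps of all requests inside the window
    costly = defaultdict(deque)     # ip -> timestamps of expensive requests inside the window
    verdicts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        for window in (recent[ip], costly[ip]):
            while window and ts - window[0] >= WINDOW_SECONDS:
                window.popleft()
        recent[ip].append(ts)
        if COSTLY.match(m["path"]):
            costly[ip].append(ts)
        if len(recent[ip]) > MAX_REQUESTS:
            verdicts.setdefault(ip, "request rate exceeded")
        if len(costly[ip]) > MAX_COSTLY:
            verdicts.setdefault(ip, "too many expensive queries")
    return verdicts


if __name__ == "__main__":
    for ip, reason in find_abusers(make_log()).items():
        print(f"filter {ip}: {reason}")
```

The rate rule alone catches only the noisy source; the source sending one wildcard search per second would sail under any generic request-rate threshold and still tie up the back end, which is why the filter has to know what is expensive for your application and not just how much traffic is arriving. An appliance or IPS sitting in front of the servers would apply the same kind of logic to live packets rather than to a log after the fact.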

Volumetric attacks require the same approach, except there is more work to do and you need to catch the traffic before it reaches the bottlenecks in the network. Thus you need to filter at the widest points that all of the traffic traverses on its way into your network, and ensure your filtering capacity can scale to the size of the attack. Depending on the size of the attack, this can be done at your own network edge or at the provider’s network edge.

To reduce the likelihood that volumetric attacks affect you, the only viable solutions are to increase your available transit bandwidth AND to deploy packet filtering equipment that scales to the size of the attack. Many transit providers offer this as a service on their own backbone (which can have adequate capacity to absorb these attacks, though it depends on the carrier).

In addition, a number of businesses have filled the void of protecting networks from these large-scale attacks by purchasing transit in bulk from multiple carriers and forcing the routing of the target’s traffic through their own backbone, where they scrub and filter it before forwarding it to the true destination.

When you realize an attack is in progress, contact your host immediately for help and suggestions.

Stay tuned for a special partnership announcement from HostDime that will decrease the chance of your HostDime hosted website being affected by a DDoS attack.


This article was written by Jared Smith, HostDime’s Content and SEO Strategist, and Ray F., HostDime’s Vice President of Network Security.
