TOLL FREE 888-808-6111
On Oct. 21, 2016, internet users across the U.S. noticed many major websites and web-connected applications were suddenly unavailable. Spotify, Reddit, Twitter, and GitHub – to name just a few – wouldn't load for hours that day. All of them shared a domain name service (DNS) provider that had become the target of a massive distributed denial-of-service (DDoS) attack.
Normally, that provider's DNS service would function like a phonebook or a contacts list, i.e., as the go-to resource for discovering how to connect to specific party – in this case, websites. Proper DNS ensures each web address you enter (like airbnb.com) resolves into a corresponding IP address that reaches the right web servers.
However, under the pressure of the DDoS attack the underlying lookup process broke, as meaningless traffic overwhelmed the DNS provider's ability to process any requests. The DDoS attack type in this incident is known as DNS flood, which true to its name inundates its target and causes widespread damage.
The DNS flood isn't the only type of DDoS attack, but it paints a representative picture of how these campaigns work in general and why they're so challenging even for experienced firms to mitigate. DDoS attacks thrive on the asymmetry between attacker and target; the latter must devote considerable resources to counteract what the former can do with so little.
Let's dive deeper to look at the origins of DDoS attacks and the common forms they take, so you can plan mitigation solutions and other protection services.
The first DDoS attacks were small-scale. They exploited flaws in pioneering web services like Internet Relay Chat to disrupt access for multiple users. Since that time, they've become much larger in scale by harnessing powerful infrastructure such as botnets. A typical modern DDoS attack might use literally thousands of bot-driven endpoints to jam its target with junk requests.
While DDoS attacks uniformly cause disruption, there's considerable variation in how they actually work, with three main differentiating criteria: the Open Systems Interconnection (OSI) model layers targeted, the web protocols and services they exploit (i.e., their attack vectors) and the motivations of their perpetrators.
Typically, DDoS attacks target the network, transport and/or application layers, also known as Layers 3, 4 and 7, respectively, in the OSI hierarchy. A lower-layer attack interferes with the network's basic resources for processing traffic, while an application layer disrupts the higher-level web servers, protocols (like HTTP) and application programming interfaces (APIs) that handle requests from clients.
Application layer attacks are the fastest growing type of DDoS. A 2017 Imperva report found they increased 23 percent, in terms of the number of weekly attacks, from Q4 2016 to Q1 2017. The growth of Layer 7 DDoS speaks to its efficacy. Sometimes, an action as simple as channeling a botnet toward an API can render the target unavailable. Application layer DDoS often creates havoc for both web servers and network resources.
The attack's layer will influence the protocols and services it goes after. Many DDoS attacks are multi-vector, meaning they target a combination of applications and network resources to cause maximum chaos. Some of the major attack vectors of modern DDoS include:
This is just a small sampling of specific DDoS vectors and techniques. Others include low-and-slow attacks that avoid calling attention to their exploitation of HTTP and zero-day DDoS campaigns that use novel approaches.
A successful DDoS attack is embarrassing for the target, which has to deal with the effects of its site being unavailable. The reasons for launching a DDoS attack and achieving this effect vary from extortion to hacktivism.
One motivation that organizations should definitely be aware of is smokescreening. This term refers to the use of DDoS as a distraction from another cyberattack. While IT diverts its attention to getting the site back online, attackers may be exploiting unattended vulnerabilities across the network to steal sensitive data.
Fending off DDoS attacks requires a multi-pronged approach. The optimal recourse will depend on the attack type. For example, a web application firewall is useful against HTTP floods, as are captchas and computational challenges against some bot-initiated attacks.
A DDoS-protected core for managed and hosted services also lowers the risk of debilitating attacks. Telesystem includes DDoS protection solutions in its network infrastructure, providing a front line of defense against the bots, botnets and malicious traffic that drive today's DDoS campaigns. Built on industry-leading threat intelligence, the Telesystem core delivers proactive defense at no extra charge to customers.
Ultimately, staying ahead of DDoS attacks requires eliminating the vast disparity we mentioned earlier, between the ease of initiating an attack and the difficulty of responding to one. Partnering with an experienced provider of hosted and managed network services is the first critical step in getting on to a level playing field with DDoS cyber attackers. Learn more by visiting our security page or contacting our team.