
DDoS (or Denial of Service) attack: what it is and how to defend against it

We are hearing more and more often about institutional websites being knocked out by DDoS attacks, a type of attack that overloads the victim's systems and makes them inaccessible to legitimate users: in the case of the public administration, the citizens who rely on its services.
That is one possible example, admittedly a frequent one in the news, but DDoS attacks are no longer something distant from the concerns of corporate cybersecurity: they can affect public and private organizations in various, increasingly sophisticated ways.
This scenario makes a specific approach to preventing DDoS attacks necessary and, above all, urgent, together with knowing how to respond effectively in the early stages of a potential attack, before it is too late.
Phenomena such as the proliferation of IoT systems and the growth of remote work, along with the steady increase in the average number of devices connected to a network, have created very fertile ground for infection by a wide range of malware.
Malware used to deploy and control a botnet, the infrastructure from which DDoS attacks are launched, is certainly no exception.
For these reasons, DDoS attacks too can no longer be approached in purely reactive terms: a proactive attitude is required, one that combines prevention, protection and mitigation of attacks; after all, this is nothing so different from what happens with other network-borne threats.
Let’s take a look at what a DDoS attack is, what the most common types are, and how to effectively defend IT systems against such a cybersecurity threat.

What is a DDoS or Denial of Service attack

A denial of service (DoS) attack aims to prevent legitimate users from accessing IT resources by overloading them with such a high number of simultaneous requests that they cannot be handled, effectively rendering the target unusable; the attack is called distributed (DDoS) when those requests come from many sources at once.
The systems most frequently knocked out by DDoS attacks are e-mail services, websites, banking and financial services, government services and, in general, any other service made available by servers over a network.
It is evident that organizations hit by a denial of service, as the term itself says, suffer damage the moment they find themselves in a condition of "denial of service", that is, unable to deliver an IT service properly and efficiently, whether internally or to end customers.

What is the purpose of a DDoS attack?

The motivations that lead the various types of cybercriminals to launch DDoS attacks are quite varied.
Most frequently, they are carried out by groups and collectives linked to hacktivism, whose protest actions aim to hit a target considered ideologically hostile in order to convey an alternative message loudly, often through the victim's own channels.
There is no shortage of attacks conducted for profit, for extortion, on commission from an organization that wants to hit a rival, or in the nation-state sphere, where some states covertly fund cybercriminal organizations to strike important strategic and functional targets of rival nations, such as utilities and critical infrastructure, causing them obvious harm.
In other cases, in ways similar to hacktivism, individual actors act out of bravado, seeking to expose the vulnerabilities of the victim's systems, often with purely demonstrative intent.

The different types of DDoS attacks

Although they share the same goal, there are many types of DDoS attacks, which differ both in the system they target and in the technologies and methods involved.
In general terms, three main types of DDoS attacks can be identified: volumetric, protocol-based, and application-level.
However, let's look at a broader overview that is useful for a comprehensive understanding of the logic behind DDoS attacks and the behavior of cyber criminals.

Volumetric DDoS attack

This is the best-known DDoS attack. It tries to render a network unusable with a huge amount of data traffic that congests the available bandwidth, effectively making it impossible for legitimate users to use it.
The services themselves keep working, but cannot be reached because the network bandwidth is saturated.
The most common volumetric attacks include reflection attacks and amplification attacks.
The inconveniences caused by a volumetric DDoS attack are those typical of a disruption of service: economic damage, for an e-commerce system that loses orders; damage to citizens, unable to access the services of public institutions, such as social and health services; and damage to companies and professionals locked out of their online banking account, with the real risk of not being able to carry out planned transactions in time, just to mention some of the most common cases.
Such attacks, as we will see when we look at how a DDoS attack operates, are conducted by exploiting botnets: networks of individual devices, called zombies, whose owners are unaware that they are controlled by cyber criminals. Each of them sends requests against the victim's network, whose bandwidth is easily saturated, with the effects described above.

Application-level DDoS attack

An application-level DDoS attack is easily recognized by the fact that it targets only one or more specific applications, without necessarily involving the network used to reach them.
They are otherwise known as Layer 7 DDoS attacks, after the seventh layer of the ISO/OSI model, which is precisely the application layer.
Difficult to prevent, far from easy to mitigate, application-level DDoS attacks are also among the most widespread and simple to carry out, partly because they can require fewer botnet-level resources on average than volumetric attacks.
They can therefore last a long time and be exceedingly complex to recover from.

DDoS attack on protocols

Another variant of DDoS attack specifically targets protocols, in an attempt to exhaust the processing capacity of the resources that make up the network infrastructure, such as servers and firewalls, again rendering the victim's system inaccessible.
The magnitude of these attacks is measured in packets per second (pps) or bits per second (bps).
Common DDoS attacks on protocols include SYN flood and Smurf DDoS.

DDoS SYN flood attack

During the attack, clients controlled by cyber criminals send large numbers of SYN (synchronization) packets without ever completing the Transmission Control Protocol (TCP) handshake: the server answers each SYN with a SYN-ACK (synchronization acknowledgement), but the final acknowledgement that would complete the handshake never arrives.
This dynamic easily brings the system down: the server keeps waiting for a response that deliberately never comes, cannot close the half-open TCP connections, and so exhausts its capacity to accept new connection requests.
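The exhaustion just described can be modelled with a small half-open connection table. The following is an added illustration, not code from the original article: it simulates a listening port whose SYN_RECV table has a fixed capacity, feeds it constructed spoofed SYNs that never acknowledge, and shows that a legitimate client is turned away, whereas with SYN cookies (the server encodes the connection in its SYN-ACK sequence number instead of storing state, a simplified assumption here) the same client still connects. Capacity, timeout and addresses are invented.

```python
"""Toy model of a listening socket's half-open queue under a SYN flood, with and without
SYN cookies. Added illustration, not code from the original article; capacity, timeout,
addresses and the SYN-cookie behaviour are simplified assumptions."""
from collections import OrderedDict


class ListenBacklog:
    """Half-open (SYN_RECV) table of one listening port. An entry is created when a SYN
    arrives and a SYN-ACK is sent back; it is freed when the final ACK completes the
    handshake or when it times out. A flood fills it with entries that never complete."""

    def __init__(self, capacity, timeout, syncookies=False):
        self.capacity = capacity
        self.timeout = timeout
        self.syncookies = syncookies
        self.half_open = OrderedDict()   # (client ip, client port) -> expiry tick
        self.dropped_syns = 0
        self.established = 0

    def expire(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, client, now):
        self.expire(now)
        if len(self.half_open) < self.capacity:
            self.half_open[client] = now + self.timeout
            return "synack"
        if self.syncookies:
            # Table full: answer with a SYN-ACK whose sequence number encodes the
            # connection (the cookie) and store nothing, so the flood costs no memory.
            return "synack-cookie"
        self.dropped_syns += 1        # classic behaviour: further SYNs are silently dropped
        return "dropped"

    def on_ack(self, client, cookie_valid, now):
        self.expire(now)
        if client in self.half_open:  # normal path: state was kept in the table
            del self.half_open[client]
            self.established += 1
            return True
        if self.syncookies and cookie_valid:  # cookie path: a valid ACK proves the handshake
            self.established += 1
            return True
        return False


def simulate(syncookies):
    """500 constructed spoofed SYNs that never ACK, followed by one legitimate client."""
    b = ListenBacklog(capacity=128, timeout=60, syncookies=syncookies)
    for i in range(500):
        b.on_syn((f"198.51.100.{i % 250}", 40000 + i), now=0)
    reply = b.on_syn(("203.0.113.7", 51515), now=1)
    connected = b.on_ack(("203.0.113.7", 51515), cookie_valid=(reply == "synack-cookie"), now=2)
    return {"legit_connected": connected, "dropped_syns": b.dropped_syns,
            "half_open": len(b.half_open)}


if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))
    print("with SYN cookies:   ", simulate(True))
```

Without cookies the table stays full for the whole timeout and the legitimate SYN is dropped; with cookies the flood still fills the table, but the server keeps answering and the legitimate handshake completes. Real stacks add further defences (shorter retransmission timers, larger queues, upstream filtering), which the model leaves out.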

Smurf DDoS Attack

The Smurf DDoS attack involves sending large amounts of ICMP (Internet Control Message Protocol) echo requests to a network's broadcast address with a maliciously forged source IP address matching that of the intended victim.
All the devices reached by this traffic are unaware of the malicious intent and reply to the source IP, progressively saturating the victim's processing capacity.

DDoS UDP flood attack

UDP flood DDoS attacks target networks with particularly high bandwidth by sending forged IP packets carrying stateless UDP datagrams to the victim host, typically to ports with no listening service, so that the host automatically answers each one with a "destination unreachable" message.
Beyond a certain threshold, the victim's system can no longer respond to requests, legitimate or not, making even the services provided to legitimate users inaccessible.

DDoS attack on DNS

This particular type of DDoS attack is a reflection attack on the DNS (Domain Name System): cyber criminals spoof the victim's IP address and send huge numbers of requests to DNS servers, whose responses then overload the apparent sender, that is, the victim.
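The reflected traffic of the UDP and DNS cases above has a recognizable property from the victim's side: responses arrive for queries the host never sent. The following added example, not from the original article, replays constructed packet summaries through the kind of stateful check a firewall or sensor applies, matching each inbound UDP/53 response to an outstanding query by local address, local port, resolver address and DNS transaction id, and reporting the unsolicited ones together with the bytes each reflector delivered. The packet tuple layout and all addresses are assumptions.

```python
"""Stateful check that matches inbound DNS (UDP/53) responses to the queries a host actually
sent, flagging unsolicited ones as likely reflected traffic. Added example, not from the
article; the packet summaries are constructed and the field layout is an assumption."""
from collections import defaultdict

# Constructed packet summaries: (direction, src_ip, src_port, dst_ip, dst_port, dns_txid, size_bytes)
PACKETS = [
    ("out", "203.0.113.10", 40001, "198.51.100.53", 53, 0x1A2B, 60),    # our own query
    ("in",  "198.51.100.53", 53, "203.0.113.10", 40001, 0x1A2B, 120),   # matching answer
    ("in",  "192.0.2.53", 53, "203.0.113.10", 40001, 0x7777, 3900),     # never asked: reflected
    ("in",  "192.0.2.54", 53, "203.0.113.10", 40001, 0x7778, 3900),     # never asked: reflected
    ("in",  "192.0.2.53", 53, "203.0.113.10", 40001, 0x7779, 3900),     # never asked: reflected
]


def audit(packets):
    """Replay packets in order; return the solicited count, the unsolicited responses
    and the bytes delivered per reflecting source."""
    outstanding = set()              # (local ip, local port, resolver ip, txid) awaiting an answer
    solicited = 0
    unsolicited = []
    bytes_by_source = defaultdict(int)
    for direction, src, sport, dst, dport, txid, size in packets:
        if direction == "out" and dport == 53:
            outstanding.add((src, sport, dst, txid))
        elif direction == "in" and sport == 53:
            key = (dst, dport, src, txid)
            if key in outstanding:
                outstanding.remove(key)   # one answer per query; a later copy is flagged too
                solicited += 1
            else:
                unsolicited.append((src, txid, size))
                bytes_by_source[src] += size
    return {"solicited": solicited, "unsolicited": unsolicited,
            "bytes_by_source": dict(bytes_by_source)}


if __name__ == "__main__":
    report = audit(PACKETS)
    print(f"solicited responses: {report['solicited']}")
    for src, txid, size in report["unsolicited"]:
        print(f"unsolicited response from {src} txid {txid:#06x} ({size} bytes)")
```

This is the same matching that a stateful firewall performs for UDP: inbound port-53 datagrams that correspond to no outstanding query can be dropped at the edge, and the per-source byte counts are the figures worth forwarding to a SIEM, since a small query answered by a response many times larger is the signature of amplification.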

How a DDoS attack works

As we have examined from various perspectives, a DDoS attack employs various methods and vectors to overload the IT resources of a target system in order to make its services inaccessible to legitimate users.
But what are these vectors?
How do they send such large amounts of data, to the point of disrupting even the most robust infrastructure, if not properly protected?
To launch a DDoS attack, cyber criminals make use of a botnet, a network of devices referred to as bots or zombies because they are controlled remotely through malware.
The logic by which a botnet is built is quite simple; its management, however, is far from elementary.
Cyber criminals exploit vulnerabilities in network-connected devices to install malware, which remains active on the system while trying to avoid detection by any anti-malware running there.
The presence of a bot, if limited to this purpose, does not in itself cause noticeable performance degradation, as it runs in the background most of the time as a low-priority process.
This makes botnet agents hard to detect.
Once the botnet is built, cyber criminals can use the zombies to launch DDoS attacks, thanks to the firepower of many thousands of devices that can be activated within a short time window, consistent with the goal of surprising the victim and leaving it as little time as possible to react before its systems fail under the workload of the huge number of requests received.
Botnets also allow cybercriminal organizations to build new service-based business models, renting them out to third parties or operating on commission to achieve specific goals, such as attacking a particular victim.

Identifying an attack

In the initial stages, DDoS attacks do not show symptoms very different from those of ordinary technical issues, such as a certain slowness in using the network, in general traffic or in opening files.
In other cases, there may be difficulty in accessing websites, up to and including obvious problems in browsing the Internet.
In the most extreme cases, the attack makes it impossible to carry out virtually any activity that could be considered normal.
To detect and identify a DDoS attack before its effects are well advanced, it is necessary to monitor and analyze network traffic, for example by directing it through a next-generation firewall equipped with artificial-intelligence-based functions that automatically recognize abnormal patterns, such as a high number of accesses from IPs other than those seen under routine conditions.
If a traditional firewall is in place, it is in any case advisable to have an intrusion detection system (IDS) active on the network, capable of performing a similar function.
Administrators can set more or less restrictive rules to limit false alarms, without underestimating the risk of an actual DDoS attack.
Monitoring systems such as modern SIEMs are true tool platforms that work in concert to detect and identify possible network threats through behavioral analysis, based on signals such as:

  • An IP range that makes many requests in a short period of time;
  • Requests from certain types of devices, operating systems, browsers or geographic locations, especially when the latter do not match one's target audience;
  • Communication problems with servers, or error messages due to overload or maintenance;
  • Sudden increases in network bandwidth utilization and unusual, unexpected spikes in traffic, especially when directed at a single resource on a specific server, such as a website.
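The four signals in the list above can each be turned into a rule over an access log. The following is an added example, not code from the original article or from any SIEM product: it parses constructed log lines (timestamp, client IP, method, path, status, user agent, country code; the format is an assumption), then applies a sliding-window count per /24 range, a share of traffic from outside the expected audience, a count of overload errors, and a concentration check on a single resource. Thresholds, addresses and the expected country are invented for the sample; a real deployment would derive them from a baseline of normal traffic.

```python
"""Behavioral DDoS indicators run over constructed access-log lines.
Added example, not from the original article; log format, thresholds and IPs are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: "<ISO timestamp> <client ip> <method> <path> <status> <user-agent> <country>"
LEGIT_LINES = [
    "2024-05-01T10:00:00Z 203.0.113.5 GET /index.html 200 Mozilla/5.0 IT",
    "2024-05-01T10:00:02Z 203.0.113.9 GET /news 200 Mozilla/5.0 IT",
    "2024-05-01T10:00:04Z 203.0.113.5 GET /contact 200 Mozilla/5.0 IT",
    "2024-05-01T10:00:07Z 192.0.2.44 GET /index.html 200 Mozilla/5.0 FR",
    "2024-05-01T10:00:09Z 203.0.113.9 GET /news 200 Mozilla/5.0 IT",
]
# Constructed burst: 30 hits on /login from one /24 within 4 seconds; the last 8 get HTTP 503.
FLOOD_LINES = [
    f"2024-05-01T10:00:0{5 + i % 4}Z 198.51.100.{i % 10} POST /login "
    f"{503 if i >= 22 else 200} python-requests/2.31 XX"
    for i in range(30)
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.+?) ([A-Z]{2})$")


def parse(lines):
    """Turn log lines into event dicts; malformed lines are skipped rather than aborting."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, _method, path, status, ua, country = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "net": ip_network(f"{ip_address(ip)}/24", strict=False),
            "path": path, "status": int(status), "ua": ua, "country": country,
        })
    return events


def analyze(events, window=timedelta(seconds=10), range_threshold=20,
            expected_countries=frozenset({"IT"}), foreign_share=0.5,
            error_threshold=5, path_share=0.8):
    """Return a list of (rule, detail) alerts; each rule is one indicator from the list above."""
    alerts = []
    if not events:
        return alerts
    # Indicator 1: one IP range making many requests in a short period (sliding window per /24)
    by_net = defaultdict(list)
    for e in events:
        by_net[e["net"]].append(e["ts"])
    for net, times in by_net.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= range_threshold:
                alerts.append(("ip_range", f"{net}: {end - start + 1} requests in {window.seconds}s"))
                break
    # Indicator 2: traffic from outside the expected audience
    foreign = sum(1 for e in events if e["country"] not in expected_countries)
    if foreign / len(events) > foreign_share:
        alerts.append(("geography", f"{foreign}/{len(events)} requests outside {sorted(expected_countries)}"))
    # Indicator 3: server errors typical of overload
    errors = sum(1 for e in events if e["status"] in (502, 503, 504))
    if errors >= error_threshold:
        alerts.append(("overload_errors", f"{errors} overload responses (502/503/504)"))
    # Indicator 4: a spike concentrated on a single resource
    path, hits = Counter(e["path"] for e in events).most_common(1)[0]
    if hits / len(events) >= path_share:
        alerts.append(("single_resource", f"{hits}/{len(events)} requests to {path}"))
    return alerts


def run_sample():
    return analyze(parse(LEGIT_LINES + FLOOD_LINES))


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

On the legitimate lines alone no rule fires; with the burst appended all four do, which is the point of correlating several weak signals in a SIEM rather than alerting on any one of them.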

Through behavioral analysis, a monitoring system can identify a suspected attack and its type, and automatically activate the procedures needed to secure the systems under attack.
In other words, these are operations that can no longer be performed manually.
Preventing a DDoS attack requires systems capable of analyzing logs and automating large numbers of tasks, with real-time visibility into what is happening on IT systems.
These are also operations that should always be associated with regular supervision by cybersecurity experts, whose experience is crucial in the selection and configuration of the technologies used.

How to defend against a DDoS attack

Defense against a DDoS attack is largely based on prevention, precisely because its silent nature makes it very hard to detect in its early stages, when a containment measure can still be activated successfully.
One such measure is redirecting requests to virtual server IPs different from that of the actual target, preventing the overload that the attacker intends to bring to bear to render the available resources useless.
The technical variety and ever-evolving behavior of cyber criminals make defending against DDoS attacks a decidedly demanding challenge for corporate cybersecurity professionals, who are called upon to ensure the very survival of their organizations.
Best practices for defending against DDoS attacks include risk assessment, traffic differentiation, black hole routing, bandwidth limitation and, more generally, the use of firewall technologies capable of analyzing data packets across all 7 layers of the ISO/OSI model.
This aspect is of vital importance, as a great many cybersecurity attacks today, not only denial-of-service attacks, are conducted at the application layer (ISO/OSI layer 7), while traditional firewalls provide effective protection only for the first 4 ISO/OSI layers, since they mainly close ports and block IPs without interpreting the content of network traffic in real time.
Among the firewall technologies best suited against DDoS attacks are the NGFW (Next Generation Firewall) and the WAF (Web Application Firewall).
WAFs act as reverse proxies between the Internet and the servers to be protected, and are equipped with intelligent technologies that monitor traffic in real time and identify its possibly suspicious nature.
With regard to mitigation, as already mentioned, one of the most effective methods is to reroute requests to multiple virtual servers, so as to shield the real target from an overload that would otherwise be fatal.
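Two of the best practices named above, bandwidth limitation and traffic differentiation, can be shown together with a per-client token bucket placed in front of an application, as a reverse proxy or WAF would do. The following is an added example, not code from the original article or from any firewall product: known partner ranges are given a generous bucket, every other client a strict one, and a request that finds its bucket empty is refused cheaply instead of reaching the application. The trusted range, the rates and the request stream are constructed assumptions.

```python
"""Per-client token-bucket rate limiting with traffic differentiation. Added example, not
from the article; the trusted range, rates and request stream are constructed assumptions."""
from ipaddress import ip_address, ip_network


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate            # tokens added per second
        self.burst = burst          # capacity, i.e. the largest burst admitted at once
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, never above capacity, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Limiter:
    """Differentiates traffic: clients inside trusted_nets get the (rate, burst) in
    `trusted`, everyone else the stricter `default`. Buckets are created on first sight."""

    def __init__(self, trusted_nets, trusted=(50, 100), default=(5, 10)):
        self.trusted_nets = [ip_network(n) for n in trusted_nets]
        self.trusted, self.default = trusted, default
        self.buckets = {}           # client ip -> its bucket

    def classify(self, ip):
        addr = ip_address(ip)
        return self.trusted if any(addr in n for n in self.trusted_nets) else self.default

    def check(self, ip, now):
        if ip not in self.buckets:
            self.buckets[ip] = TokenBucket(*self.classify(ip))
        return self.buckets[ip].allow(now)


def run_sample():
    """Constructed stream: a legitimate visitor, an unknown flooding client, a partner burst.
    Returns {client ip: (allowed, refused)}."""
    lim = Limiter(trusted_nets=["192.0.2.0/24"])
    stream = [(float(t), "203.0.113.5") for t in range(10)]                    # 1 request/s
    stream += [(0.0 if i < 50 else 0.5, "198.51.100.7") for i in range(100)]  # 100 requests in 0.5 s
    stream += [(0.0, "192.0.2.10") for _ in range(30)]                          # partner burst of 30
    result = {}
    for now, ip in stream:
        allowed, refused = result.get(ip, (0, 0))
        if lim.check(ip, now):
            allowed += 1
        else:
            refused += 1
        result[ip] = (allowed, refused)
    return result


if __name__ == "__main__":
    for ip, (allowed, refused) in run_sample().items():
        print(f"{ip}: allowed {allowed}, refused {refused}")
```

The unknown client gets its burst of 10 plus the tokens refilled during the half second, and everything else is refused before the application sees it; the visitor at one request per second never notices the limiter, and the partner burst passes because its range was classified differently. Rate limiting does not help against bandwidth saturation (the volumetric case), where the traffic has to be absorbed or diverted upstream, which is why the article pairs it with rerouting to multiple virtual servers.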