What is a DDoS?
April 19, 2023
DDoS is an abbreviation for “distributed denial of service”. This definition explains a lot about the essence of this situation. First, however, the reasons, as well as ways of avoidance, must be presented. So, first of all, let’s talk about how it works - it will give you the hints to protect the website from any DDoS attacks.
Distributed denial of service happens when the server receives so many requests that it cannot process them. The server may lack RAM or CPU, but the effect will be the same - web pages will not be opened with the following error numbers:
|500||something is wrong with the server, without more precise specification;|
|502||invalid response from the server;|
|503||server is temporarily unavailable to handle a request;|
|504||time for server response is exceeded;|
|509||host receives more traffic than the site can handle;|
|520||server returns an unknown error;|
|521||original website server is not available for the intermediary server (usually Cloudflare);|
|522||connection timed out;|
|523||intermediary server (same Cloudflare) is not able to connect to your host server;|
|524||connection through the Cloudflare server is timed out.|
How to do a DDoS-attack?
Overloading the server is not easy, especially if we talk about large companies' pages or online services. More than a dozen Google services, Netflix, Amazon, and Microsoft - receive hundreds of thousands of requests per minute - and their servers keep going without any trouble. Proper setting of the response routing and renting or building more servers will make your service available for more customers, besides being more sustainable to any overload.
Cybercriminals who commit DDoS attacks are not inventing anything new. The essence of this sort of cyberattack is creating an enormous amount of requests that overload the server. These attacks are usually conducted with the help of botnets - groups of computers infected with a virus which makes them “zombies”. These machines (some of the uncovered botnets were bigger than 100k computers) are controlled from a single command center. Crooks can tell them to send requests to any site - even to google.com. Having the botnet, which is large enough, you may shut down or make it troublesome to connect even to large and well-known resources.
Sometimes, people make unintentional DDoS attacks when the crowd sends many requests to the same server. For example, you may have witnessed such a situation during the 2020 election in the USA, when folks massively opened the fec.gov site (where the official results were posted), causing certain troubles because of server overload.
Types of DDoS attacks
Although all DDoS attacks are based on botnets and committed with the only final target, they differ in creating excessive traffic. The server handles tens of different processes related to a single request simultaneously. Malformed one of them, which will cause an increased load, is one of the most popular methods. However, the power of DDoS is not only in the modified parameters of a request but also in the number of those requests.
So what makes the regular request so hard to handle? Cybercriminals who commit DDoS attacks have a wide range of tools. Experts divide these methods into volume-based attacks, application-layer attacks, and protocol attacks. The first ones clearly state how they are performed; these attacks are the most simple. However, the efficiency per single attacking system for volume-based attacks is pretty low. These attacks usually need much bigger botnets or users to perform.
App layer attacks
Application layer attacks suppose the use of vulnerabilities in the server’s system or application software on this server. In particular, one of the most often used breaches is the HTTP GET or POST requests. Creating the flow of these requests capable of overloading the system takes much fewer resources than other methods. Moreover, you don’t even need to malform the packages - the default HTTP methods are good enough. However, they are quite hard to prepare since the attack must be targeted on a certain server configuration.
Protocol attacks seem to be the average between the app layer attacks and volume-based ones. Relatively high efficiency is combined with ease of use and a wide variety of methods. Pings of deaths, fragmented packet attacks, SYN spam - that is only the surface. Each of these ways has a dozen subtypes that make it possible to find the security breach in any system.
How Long Do DDoS Attacks Last?
Two possible timelines may cease the DDoS attack process. The first is reaching the target of the attack (read below), and the second is applying the emergency anti-DDoS measures by the server maintainers, or even both. For example, the latest worldwide-known chain of attacks related to the war in Ukraine lasted for almost a week since the beginning of warfare. A dozen Russian and Ukrainian governmental resources, media agency sites, and banks were unreachable. Attackers reached their target but likely intended to keep the sites down as long as possible. Meanwhile, during this week, the website maintainers managed to deal with the surplus traffic - through connection bans or traffic filtering. Both sides did their job - attackers successfully wrecked the sites, and system administrators mirrored the attack.
Nonetheless, the real success of defendants is only when the attack does not affect the website. Of course, you can do nothing, and low-skilled script kiddies will still fail to shake your website. But the real attack, orchestrated by skilled hackers, requires some real technologies to counteract.
How are websites protected from DDoS attacks?
The First DDoS attack happened during the week of 7th February 2000. This attack was committed by a 15-year-old boy who made a series of attacks against e-commerce services, including Amazon and eBay. Since then, system administrators have discovered many possible ways of DDoS prevention. One of the most popular and best-known ones is captcha solving. When you make many clicks, just like a computer from a botnet that attempts to overload the server with requests, a unique system asks you to solve the captcha.
Another widespread way to decrease the potential server load is to prevent any requests from the bot. Such services as Cloudflare take the request to your website first and offer the “visitor” to solve the same captcha. This method is much more effective than the previously mentioned captcha solving since bots cannot reach the endpoint of the attack.
Of course, an essential element is back-end optimization. The poorly designed back-end may cause problems even when no one attacks your site. However, by optimizing the code, you will increase the upper limit of requests for the period and save a significant amount of money you would spend on server upgrades.
DoS and DDoS attacks - what is the difference?
There is a brother-in-law of DDoS attacks, which is less known, but still met in the real world. Denial of Service attacks mean creating the choking amount of traffic targeted on the certain machine or small network. Flooding the network or the machine will take much less effort than a well-done site with distributed servers and anti-DDoS protection. Such attacks may be applied to suspend the work of a small company or just to mischief a certain user.
DoS attacks don’t require specific software since most of the targets of this type of attack are not protected at all. System administrators may apply some restrictive measures, but it is too expensive to save a tiny network with serious full-fledged anti-DDoS stuff. That’s why those attacks are generally successful. Fortunately, because of the low profitability of these attacks, they are not so popular.
The best demonstration of how it works and how to counteract it is to review the past or ongoing cases of attack. Fortunately for scientific clarity, there were a lot of attacks in the past several years to review. The first and the latest one is the chain above of DDoS attacks on Russian governmental sites and web pages of commercial banks. The peculiar thing about this attack is that volunteers entirely conducted it. Users intended to offer their computers and mobile phones to threat actors creating the traffic flow using special scripts. This attack took about 9.8 Tbps of bandwidth, which is about an average rate in 2023.
Another example is about the record but is also related to a Russian company. Yandex, the all-in-one internet company nicknamed a Russian Google, reported a world-recording DDoS attack. Due to the company’s notice, they suffered a flow of 22 million requests per second. Even Cloudflare - the company dealing with excessive traffic as its bread and butter - said they had witnessed only a 17.2 million RPS attack. That attack was measured in requests per second because it was committed on volume-based methods. Threat actors tried to disrupt the website accessibility by performing too many requests, and they failed - Yandex did not experience any problems.
Latest DDoS attacks:
- Wise Remote Trojan: Infostealer, RAT, DDoS Bot, and Ransomware
- Russian Hacker Project DDoSIA Grew by Multiple Times
- Condi Malware Builds a Botnet from TP-Link Routers
- Goose Goose Duck Game Servers Are DDoS-Attacked Every Day
- Mirai Botnet RapperBot Conducts DDoS Attacks on Game Servers
- Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies
- The LockBit Group Is Taking on DDoS Attacks
- NetSupport and RaccoonStealer malware spreads masked as Cloudflare warnings