A DDoS (distributed denial-of-service) attack is an attack on a website or online service whose aim is to make it unavailable, so that users' interaction with the service becomes difficult or impossible. It differs from a plain DoS attack in that the traffic comes from many devices and addresses at once. To mount DDoS attacks, attackers assemble botnets from malware-infected machines ("zombies").
A common purpose of a DDoS attack is extortion: the attacker demands money to stop the attack and restore access to the site. The most frequent targets are e-commerce sites, online banks, booking systems, bookmakers, information services, the media and other organizations that do business on the Internet.
Botnets are built with purpose-made malware (bots). For example, the Mirai worm infected more than 500,000 Internet-connected devices (mostly IP cameras, DVRs and home routers reachable over telnet with default credentials), and the botnet of the same name was used in 2016 for what were then record-breaking DDoS attacks.
DDoS attacks first drew wide attention in 1999-2000: the first distributed attack tools appeared in 1999, and in February 2000 the websites of the largest Internet companies (Yahoo, eBay, Amazon, E-Trade, CNN and many others) were taken offline. Soon after those attacks on large corporations, the need for urgent countermeasures against the emerging problem was recognized.
DDoS attack classification
The main methods of DDoS attacks:
1. HTTP flood. The most common method and an application-layer one: the botnet sends a large number of HTTP requests that look legitimate (GET or POST, often to search pages, login forms or other resource-intensive endpoints) so that the web server and the database behind it spend CPU, memory and connection slots answering them. Because HTTP runs over TCP and the handshake must complete, the bots use their real addresses; the requests are not spoofed.
2. ICMP flood. In the reflected ("Smurf") variant the attacker sends ICMP echo requests (ping) to the broadcast address of an amplifying network with the source address forged to the victim's; every host on that network replies to the victim, so the traffic is multiplied by the number of responding machines. The same reflection trick works with UDP services that answer a small query with a much larger response (DNS, NTP), which is what most volumetric attacks use today now that routers no longer forward directed broadcasts.
3. SYN flood. To exchange data, two systems first complete the TCP three-way handshake, and the server allocates a half-open connection entry as soon as the first SYN arrives. The attacker sends SYNs from spoofed or throwaway addresses and never completes the handshake; the table of half-open connections (the listen backlog) fills up and legitimate SYNs are dropped. SYN cookies, which encode the connection parameters in the server's initial sequence number instead of storing them, are the standard countermeasure.
4. "Heavy packets". Here the botnet sends requests that are small on the wire but expensive to process (complex searches, large form submissions, deliberately slow connections), so the communication channel is not saturated but the server's CPU and memory are exhausted.
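The SYN flood in item 3 and its standard countermeasure, as an added illustration (not code from the page): a toy listener with a bounded half-open table is flooded with spoofed SYNs until a real client's SYN is dropped, while the same listener with SYN cookies keeps no half-open state and still completes the handshake. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) is a simplification of the classic scheme rather than any OS's implementation; the secret, MSS table, backlog size and addresses are assumptions.

```python
"""Added illustration: SYN flood against a bounded half-open table, and SYN
cookies as the stateless defence. Cookie layout is a simplified version of the
classic scheme, not a reimplementation of any OS; SECRET, MSS_TABLE and the
addresses used below are assumptions."""
import hashlib
import hmac
import random

SECRET = b"per-server secret, rotate periodically"  # assumption
MSS_TABLE = (536, 1300, 1440, 1460)                 # MSS buckets encodable in 3 bits (illustrative)
MASK32 = 0xFFFFFFFF


def _mac24(src_ip, src_port, dst_port, client_isn, t):
    """24-bit keyed hash over client address/port, server port, client ISN and time slot."""
    msg = f"{src_ip}:{src_port}:{dst_port}:{client_isn}:{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_port, client_isn, mss, t):
    """Server ISN for the SYN-ACK that encodes everything needed to rebuild the
    connection later, so the server stores nothing between SYN and ACK."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_port, client_isn, t)


def check_cookie(cookie, src_ip, src_port, dst_port, client_isn, t_now):
    """Return the MSS bucket if the cookie is valid for the current or the
    previous time slot, else None. No per-connection state is consulted."""
    for t in (t_now, t_now - 1):
        if (cookie >> 27) == (t & 0x1F) and (cookie & 0xFFFFFF) == _mac24(src_ip, src_port, dst_port, client_isn, t):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


class Listener:
    """Toy TCP listener: either tracks SYN_RECV entries in a bounded table,
    or uses SYN cookies and keeps no half-open state at all."""

    def __init__(self, port, backlog, use_cookies, clock):
        self.port, self.backlog, self.use_cookies, self.clock = port, backlog, use_cookies, clock
        self.half_open = {}        # (src_ip, src_port) -> (server_isn, mss)
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn, mss):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.use_cookies:
            return make_cookie(src_ip, src_port, self.port, client_isn, mss, self.clock())
        if len(self.half_open) >= self.backlog:
            return None            # backlog full: the SYN is silently dropped
        server_isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = (server_isn, mss)
        return server_isn

    def on_ack(self, src_ip, src_port, seq, ack):
        """Final ACK of the handshake: seq = client_isn + 1, ack = server_isn + 1."""
        key = (src_ip, src_port)
        if self.use_cookies:
            if check_cookie((ack - 1) & MASK32, src_ip, src_port, self.port, (seq - 1) & MASK32, self.clock()) is None:
                return False
        else:
            entry = self.half_open.get(key)
            if entry is None or (entry[0] + 1) & MASK32 != ack:
                return False
            del self.half_open[key]
        self.established.add(key)
        return True


def flood_then_connect(use_cookies, spoofed=5000, backlog=256, seed=1):
    """Spoofed SYNs that never complete the handshake, then one real client.
    Returns True if the real client's connection is established."""
    rng = random.Random(seed)
    clock = lambda: 12345          # fixed slow-counter value for reproducibility
    srv = Listener(port=443, backlog=backlog, use_cookies=use_cookies, clock=clock)
    for _ in range(spoofed):
        ip = ".".join(str(rng.randrange(1, 255)) for _ in range(4))  # forged source
        srv.on_syn(ip, rng.randrange(1024, 65536), rng.getrandbits(32), 1460)
    cisn = 0x12345678              # legitimate client (address is an assumption)
    sisn = srv.on_syn("203.0.113.7", 40000, cisn, 1460)
    if sisn is None:
        return False               # its SYN was dropped: backlog exhausted
    return srv.on_ack("203.0.113.7", 40000, (cisn + 1) & MASK32, (sisn + 1) & MASK32)
```

flood_then_connect(False) returns False and flood_then_connect(True) returns True. Two caveats a practitioner should keep in mind: this toy preserves only the MSS, whereas real implementations recover window scaling and SACK from the TCP timestamp option; and cookies remove the state-exhaustion problem only, so a SYN flood large enough to saturate the link is still a volumetric attack that has to be filtered upstream.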
Targets
The goal of a DDoS attack is to take a website down or make it unreachable. The target is not always the site itself: it may be the DNS infrastructure the site depends on (in 2012 the Anonymous collective announced a plan to take down the 13 root DNS server clusters, claiming this would cut the whole world off from the Internet; the attack never materialized, and the root zone is in fact served by hundreds of anycast instances rather than 13 machines). A vulnerable web application can also be the target. Some DDoS attacks are run for entertainment or as political protest (for example the 2007 attacks on Estonian government, bank and media sites after the relocation of the Bronze Soldier monument in Tallinn); many more are carried out for blackmail or extortion. A huge number of companies and individuals suffer from this every year, because during an attack their sites are inaccessible to customers and generate no income. Government agencies, media sites, online stores and online banks, and the portals of commercial and non-profit organizations are all potential DDoS targets.
After a relative lull in the mid-2010s, a Qrator Labs report noted that in 2016 DDoS attacks again became a serious problem for corporate users. Many providers can absorb attacks of up to about 300 Gbps without difficulty, but problems remain: attackers began to use compromised DVRs (video recording servers), webcams and other IoT devices with known vulnerabilities or default passwords, and because such devices are so numerous, attacks grew larger still.
According to Qrator Labs, engineers need to rethink DDoS protection. Attack capacity had grown roughly linearly until then; in 2016 the situation changed dramatically. Attacks can now reach a scale that affects entire regions of the globe, which directly threatens the operation of large providers.
Cybercriminals paid the most attention to the following industries:
- coupon services,
- payment systems,
- information aggregators,
- e-commerce,
- games and gaming platforms.
Sources of DDoS attacks
Denial-of-service attacks come from many sources: competitors, personal adversaries, hacktivists and so on. According to Kaspersky Lab, in 2015 every sixth Russian company was hit by a DDoS attack. In 2015 about 120,000 attacks were recorded against 68,000 distinct resources worldwide, with peak attack bandwidth reaching 450 Gbit/s. Large businesses are the most frequent targets (20% of attacks).
Risk analysis
Resisting a DDoS attack is hard because the requests arrive from many directions at once. Weak attacks can be handled locally: per-client connection and request-rate limits help against HTTP floods, as does a properly configured WAF; against ICMP floods, drop or rate-limit ICMP echo requests at the network border; against UDP floods, do not expose UDP services that are not needed and apply response rate limiting on DNS servers. But against most attacks organized by professional criminals and aimed at maximum traffic volume, tuning the web server achieves nothing, because the upstream link is saturated before the traffic ever reaches the server. In that case only dedicated protection services (upstream scrubbing, anycast-distributed front ends or provider-side filtering) can help.
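The per-client limit recommended above against HTTP floods, as an added example (not code from the page): a sliding-window limiter replayed over constructed access-log lines, with an aggregate check alongside it that shows what a per-IP limit misses once the flood is spread across a botnet whose members each stay below the threshold. The log format, addresses, thresholds and traffic mix are all constructed for the example.

```python
"""Added example: per-IP request-rate limiting (the same idea as nginx
limit_req / limit_conn) replayed over constructed access-log lines, plus an
aggregate-rate check for the distributed case a per-IP limit cannot see.
Log lines, addresses and thresholds below are constructed, not real data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common-log-format line without referer/user-agent; matches log_line() below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"], "status": int(m["status"])}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client IP within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, timedelta(seconds=window)
        self.hits = defaultdict(deque)   # ip -> timestamps of recent allowed requests

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                  # forget requests that left the window
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def replay(lines, limit=20, window=10):
    """Run the limiter over log lines; return {ip: number of rejected requests}."""
    lim = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if not lim.allow(rec["ip"], rec["ts"]):
            rejected[rec["ip"]] += 1
    return dict(rejected)


def aggregate_alerts(lines, window=10, max_rps=10, min_sources=50):
    """Flag `window`-second buckets whose total rate is high AND spread over
    many sources. Returns [(bucket_start_epoch, requests, distinct_ips), ...]."""
    buckets = defaultdict(lambda: [0, set()])
    for rec in filter(None, map(parse_line, lines)):
        b = buckets[int(rec["ts"].timestamp()) // window * window]
        b[0] += 1
        b[1].add(rec["ip"])
    return [(k, n, len(ips)) for k, (n, ips) in sorted(buckets.items())
            if n > max_rps * window and len(ips) >= min_sources]


T0 = datetime(2016, 11, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed start time


def log_line(ip, t, path="/", status=200):
    return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 512'


def constructed_traffic():
    """Constructed sample: one normal client, one single-source flooder, and a
    200-host botnet whose members each stay under the per-IP limit."""
    lines = [log_line("198.51.100.5", T0 + timedelta(seconds=s)) for s in range(30)]
    lines += [log_line("203.0.113.9", T0 + timedelta(seconds=i // 25), "/search?q=x")
              for i in range(50)]                           # 50 requests in 2 s
    lines += [log_line(f"192.0.2.{b + 1}", T0 + timedelta(seconds=20 + (3 * b + j) % 10), "/search?q=x")
              for b in range(200) for j in range(3)]        # 3 requests per bot, 600 in 10 s
    return lines
```

On this traffic, replay() rejects 30 of the single flooder's 50 requests and nothing else, while aggregate_alerts() flags only the ten-second window in which the 200 bots send 600 requests: each bot is far under the per-IP limit, so that window is invisible to the limiter and is exactly the case where the text's advice about upstream protection services applies.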