What is a DDoS Attack (Distributed Denial of Service Attack)?

DDoS Attack Definition

A Distributed Denial of Service attack, otherwise called a DDoS attack, is an assault on an online service that is, unfortunately, remarkably easy to mount and, if your cybersecurity team doesn’t have effective DDoS protection tools, these attacks are hard to counter.

DDoS attacks are, at least in concept, simple: By sending specially crafted requests from a network of compromised devices controlled by hackers (called a “botnet”), the target device (for example, a web server) becomes overwhelmed and connections from normal traffic get slowed down or even excluded while the computing resources of the target (processor cycles, network interfaces, memory used for communications processing) become exhausted. At best a small Distributed Denial of Service attack will cause a significant slowdown in the service’s response to valid clients while a large-scale attack can effectively take an online service out completely.

How easy is it to mount a DDoS attack? Not only are there tools that are so easy to find and deploy that a child could do it, there are hackers out on the Dark Web who will launch a DDoS attack—what’s called “DDoS as a Service”—for as little as $7 per hour.

Over the last few years the number of botnets used for launching DDoS attacks has increased dramatically as has their size. The Mirai botnet, which primarily targets online consumer devices such as IP cameras and home routers, was released as open source code in 2016 and used that same year to knock security journalist Brian Krebs’ website offline with an estimated 620 gigabits of traffic per second. At the time this was the biggest DDoS attack ever seen but it was dwarfed by a subsequent attack on Internet DNS service provider Dyn. This attack was driven by something between 800,000 and 2.5 million infected devices that generated a load that ranged between 700 to 800 gigabits per second and occasionally rose to over 1 terabit per second. While Mirai appears to be the largest botnet discovered to date, a variant called Mirai Okiru has the potential to coopt a staggering 1.5 billion IoT devices.

Types of Distributed Denial of Service Attacks

There are many types of DDoS attacks that can be broken down into three major cyberattack groups, Volumetric, Protocol, and Application Layer Attacks with some attacks combining features of more than one group.

Volumetric DDoS Attacks

The most common group of DDoS attacks are Volumetric Attacks, also known as “flood attacks.” The goal is to overwhelm the target by sending huge amounts of traffic so that wanted traffic is excluded; in other words, volumetric attacks “clog up the pipes.” A traffic increase that lasts over a long period is usually an indicator that a Volumetric Attack is in progress.

Protocol-based DDoS Attacks

In a Protocol Attack, network protocols at OSI Layers 3 and 4 are exploited in an attempt to deny service. Some of these attacks rely on normal protocol behavior and simply exhaust resources while others leverage weaknesses that are inherent in the communications architecture. The first indications of a Network Protocol Attack are unusually high processor utilization and specific computing resources running low.

Application Layer DDoS Attacks

Rather than overwhelming networking resources, Application Layer Attacks (OSI Layer 7) exploit weaknesses in things such as web servers and web applications and their platforms (these are also called “web application vulnerability attacks”). By interacting with specific code targets with known vulnerabilities, aberrant behavior (reduced performance or outright crashing) is invoked. Detecting these attacks can be very difficult because they usually don’t involve large traffic volumes so finding the problem’s source can be difficult.

Old vs. New DDoS Attacks

To illustrate how DDoS attacks work, we’ll look at two specific examples: The SYN Flood Attack which is arguably the oldest and one of the simplest, and NXNSAttack, one of the newest and more technically complicated.

SYN Flood Attack, a Classic Distributed Denial of Service Threat

One of the oldest denial of service attacks is called a SYN Flood Attack and is a combination of a Volumetric Attack and a Protocol Attack. In a SYN Flood a particular type of TCP data packet, a SYN packet, is sent to the target requesting a connection usually with a fake sender’s address (also called a “spoofed” address). The target replies by sending an acknowledgement back to the requestor (what’s called a SYN-ACK) to the given sender’s address.

With a normal connection request, the requestor would then reply with an ACK but in a SYN Flood there’s no response either because there’s no device at the given address or, if a device is there, it knows it never sent a SYN request to the target and so doesn’t respond. When there are a few of these fake SYN requests hitting a target it’s unlikely to be noticed but at some higher level, the target’s performance becomes degraded while when there’s a large-scale attack the target is usually completely overwhelmed. While a SYN Flood launched from a single computer is easily filtered out, a distributed SYN Flood generated by hundreds of thousands or even millions of machines coopted into a botnet is far more difficult to mitigate.

NXNSAttack, a New DNS DDoS Attack

New exploits and vulnerabilities in computer systems and networks are found with monotonous regularity and become the basis for new attack vectors. In late May, 2020, cybersecurity researchers in Israel disclosed a vulnerability called NXNSAttack relies on a vulnerability in the Domain Name System (DNS) where recursive DNS servers pass DNS queries to upstream “authoritative” servers. These servers can delegate queries for domains they can’t resolve to other DNS servers controlled by the bad guys and it is this delegation process that can be abused to launch DDoS attacks. The result is a simple DNS query can be amplified up to 1,620 times crashing the DNS servers that are authoritative for a target and thereby preventing the target from being resolved.

Learn more about what’s so bad about the NXNSAttack DNS Amplification Attack

Who Will Become a DDoS Target?

As the Internet becomes more complex and the devices and botnets on it more numerous, it’s guaranteed that DDoS attacks will become more aggressive and more frequent and DDoS protection become a crucial component of business cybersecurity strategies. The cost to businesses will escalate and it’s not just big businesses that will suffer; SMBs are already hot targets for attacks. Over the years there’s been a rise in cases where companies have been threatened with DDoS attacks unless a ransom is paid (these are called RDoS attacks) and experts predict this trend will continue and becoming increasingly common.

Now is the time for your cybersecurity team to start making plans to protect your organization from what could well be a very expensive DDoS assault … or rather, a very expensive and endless series of assaults.

How Can A10 Help?

Even though new types of DDoS attacks appear frequently, A10’s Thunder Threat Protection System (TPS) employs advanced defense strategies that protect against all kinds of cyberattack including new, novel DDoS attacks that could bring down your DNS services. Visit A10’s DDoS Protection solution page to learn more.

For additional insight, including the top IoT port searches and reflector searches performed by attackers, download the complete A10 Networks report, The State of DDoS Weapons, and the accompanying infographic, DDoS Weapons & Attack Vectors.


July 14, 2020

About A10 Staff