Distributed Denial of Service: Anatomy and Impact of DDoS Attacks
A distributed denial of service (DDoS) attack is a brute-force attempt to slow down or completely crash a server. Although still a serious threat to businesses, increasing corporate awareness coupled with Internet security software enhancements has helped reduce the sheer number of attacks. Nonetheless, any denial of service represents a serious risk — but how exactly do these attacks work, and what kind of damage can they really do?
The financial damage to businesses can be severe. A recent study by Kaspersky Lab revealed that a DDoS attack can cost a company over $1.6 million – a staggering sum for any company. A DDoS attack can almost be meant as a “smokescreen”, diverting your staff’s attention away while another attack, like data theft, is taking place. This reinforces the importance of guarding against DDoS attacks at all costs and taking the necessary security procedures to avoid catastrophic financial losses.
Anatomy of DDoS
The goal of a DDoS attack is to cut off users from a server or network resource by overwhelming it with requests for service. While a simple denial of service involves one "attack" computer and one victim, distributed denials of service rely on armies of infected or "bot" computers able to carry out tasks simultaneously.
This "botnet" is built by a hacker who exploits a vulnerable system, turning it into a botmaster. The botmaster seeks out other vulnerable systems and infects them using malware — most often, a Trojan virus. When enough devices are infected the hacker orders them to attack; each system begins sending a flood of requests to the target server or network, overloading it to cause slowdowns or complete failure.
There are several common types of DDoS attacks, such as volume based, protocol and application layer. Volume based attacks include UDP, ICMP and any other spoof-packet floods that attempt to consume bandwidth; the higher bits-per-second (Bps) rate this kind of attack generates, the more effective it is. Protocol attacks go after server resources directly and include the Smurf DDoS, Ping of Death and SYN floods. If a large enough packets-per-second rate is achieved, the server will crash.
Finally, application layer attacks like Zero-day DDoS or Slowloris target apps by making what appear to be legitimate requests but at a very high volume. If there are enough requests in a short enough time period, the victim's web server shuts down.
Impact of DDoS Attacks
Money, time, clients and even reputation can be lost in the event of a DDoS attack. Depending on the severity of an attack, resources could be offline for 24 hours, multiple days or even a week. In fact, a survey by Kaspersky Lab revealed that one in five DDoS attacks can last for days or even weeks, attesting their sophistication and serious threat posed to all businesses.
During an attack, no employees are able to access network resources, and in the case of Web servers running eCommerce sites, no consumers will be able to purchase products or receive assistance. The dollar figure varies, but companies can lose $20,000 per hour in the event of a successful attack.
It's also important to consider the impact for "bot" computers used in the attack. While these are often thought of as willing culprits, they are in fact bystanders who get caught in the crossfire because of vulnerabilities in their systems. In some cases, inherent security issues may allow a Trojan virus to slip onto a company network and infect computers, while in others, employees are the cause when they open unknown email attachments or download unverified files. During a DDoS event, these secondary victim devices also run slowly and may crash if the drain on their own resources becomes too great. Even if they remain operational, the systems will not respond well to legitimate requests for service.
Defending Against DDoS
There are multiple ways to defend against DDoS attacks. According to the Carnegie Mellon Software Engineering Institute, one of the most common is to limit the number of login attempts any user can make before being "locked out" of an account. In the case of a DDoS event, however, this technique can be used against a company, effectively keeping users locked out of their own computers for long periods of time. An emergency access point should always be built into a system for this eventuality.
There always should be additional reliable anti-DDoS solutions in place. To make the work of this solution even more effective, companies can do the following:
- tolerate a web-server configuration against DDoS attacks
- alter an ISP firewall to allow only the traffic complimenting to the services on the company side
- tweak a firewall to fight SYN flood attacks
- migrate public resources to another IP address
- relocate all business critical applications to the cloud or move to the separate public subnet
Additionally, companies should disable any unneeded or unfamiliar network services that could be used as a DDoS infiltration point. Data quota and disk partition functions are also an option to help limit the impact of an attack.
It's also critical to establish a baseline for network performance and server traffic. Extremely high rates of consumption with no apparent cause often point to an attacker attempting to gauge the strength of a company's defenses.
Alongside this kind of monitoring, companies should invest in a special anti-DDoS service that features automatic scanning to detect the most common types of DDoS attacks. This software should be regularly updated to provide maximum protection.
DDoS: Protect Yourself
Distributed denial of service attacks can cause server outages and monetary loss and place excessive stress on IT professionals trying to bring resources back online. The right detection and prevention methods can help stop a DDoS event before it gains enough momentum to topple company networks.