Distributed Denial-of-Service (DDoS) attacks are not the most sophisticated attacks to launch, but they certainly can be costly. They cause outages, force businesses to take down their websites, and frustrate both e-commerce customers and businesses.
A favorite weapon of hacktivists, DDoS is an effective tool for anyone looking to disrupt an organization’s operations, whether they are disgruntled former employees or simply competitors. In fact, in Armor’s recent Black Market Report, we discovered that the prices for hiring DDoS services were relatively cheap, with prices varying according to factors such as the length and difficulty of the attack. In one case, the prices were $70 for a day-long attack on sites and servers without anti-DDoS protection, but it could reach as high as $300 for a day-long attack on servers that have anti-DDoS protection.
How DDoS Works
Having a plan for dealing with DDoS attacks is a crucial part of any organization’s network security strategy. However, defending against these attacks is not always as easy as it sounds.
Some of the most common types of DDoS attacks include:
- DNS amplification attacks: An attacker abuses publicly accessible DNS servers to overwhelm a target with a large volume of UDP packets, whose size is inflated using various techniques.
- SYN flooding: An attacker sends a stream of SYN requests to a target to tie up enough server resources that the target drops legitimate traffic.
- UDP flooding: In a UDP flood attack, the threat actor bombards random ports on the targeted system with IP packets containing UDP datagrams.
In many cases, DDoS attacks also occur at the application layer. In that scenario, the attack would focus on a specific feature of a website to disable the functionality or just overwhelm the server with GET and POST requests. These can be even harder to thwart than other DDoS attacks because each request from an infected bot may seem like normal traffic.
Decades ago, DDoS attacks were not all that complicated. Rather than malware like BASHLITE, attackers would use the so-called “ping of death,” which occurred when they sent an IP packet larger than 65,536 bytes to a target, causing the network adapter to crash. As these attacks became more prevalent, they were used as a means of taking control of non-registered IRC (Internet Relay Chat) channels by forcing all other users out of a channel. This left the attacker with administrative privileges as the sole remaining user.
Antagonizing other web users is only one motive for DDoS attacks. The Anonymous collective gained widespread attention using tools such as Low Orbit Ion Cannon to launch attacks against several sites.
High Profile DDoS Attacks
The explosive growth in home routers and IoT devices has only made massive DDoS attacks easier to conduct. Some of the biggest DDoS attacks in recent years can be traced to the Mirai malware. Mirai targets Linux devices, turning each compromised system into a weapon in its army of infected bots. The Mirai botnet impacts IoT devices, such as IP cameras and home routers, and has been linked to some of the largest known DDoS attacks in history, such as the attacks on DNS provider Dyn (now part of Oracle) and the cybersecurity news website KrebsOnSecurity.
Multiple variants of Mirai have been spotted since it first emerged in 2016, in part because its source code was released publicly. Over the years, it has utilized several exploits to compromise devices. But it first made its mark through brute-force attacks on devices using default passwords. During the 1990s and early 2000s, it was not uncommon for devices like routers to have hardcoded passwords. Anyone who did not change those passwords was vulnerable to these types of attacks. Interestingly, Mirai’s growth is not due to a nation state or some international hacking group.
Instead, it can be linked to online video gaming. With the money that could be made hosting Minecraft servers, the creators of Mirai wanted to use its capabilities to knock rivals offline and make them seem insecure, so they could sell their own hosting services to gamers. This led them to attack the hosting company OVH with a massive DDoS that hit the firm with 1 Terabit (or 125 GB) of attack traffic.
Financial motivations such as these can make DDoS-for-hire a big business in the cyber-underground. In April, authorities in multiple countries took down members of the crime group behind webstresser.org and seized its servers. According to the National Crime Agency in London, cybercriminals across the world used webstresser.org — which could be rented for as little as $14.99 — to launch more than 4 million DDoS attacks.
The mere threat of an attack of that size is enough to give many companies pause, which has led to some criminal groups using the threat of DDoS to extort money. Any company that relies on maintaining constant availability — gaming companies, hosting services, etc. — can be a juicy target for unscrupulous business rivals. In addition, more advanced attackers sometimes use DDoS as a diversion to take attention away from attempts to penetrate a network and steal data.
Preparing for a DDoS Attack
Getting ahead of the threat means preparing before an outage. We recommend the following:
- Start by establishing a baseline for normal network traffic so you can ascertain when something is amiss.
- Rather than rely on manual DDoS mitigation, partner with content delivery network services that can withstand modern DDoS attacks and learn about the DDoS mitigation capacity of your current provider.
- By investing in the right technology and developing partnerships that deliver the right capabilities and expertise, security defenders can stop DDoS attacks from impacting your business.
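As an added example (not Armor's tooling or code from this post), the following Python sketch shows how the traffic baseline recommended above can be turned into detection logic for the SYN-flood, UDP-flood and DNS-amplification patterns described under "How DDoS Works". The packet summaries, port numbers, window sizes and the 3-sigma threshold are constructed assumptions, not values from the post.

```python
from statistics import mean, pstdev
# Constructed packet summaries: (proto, src_port, dst_port, tcp_flags, size_bytes);
# tcp_flags is "S" for a bare SYN and contains "A" for any ACK-bearing segment.

def window_metrics(packets):
    """Reduce one time window to the counters each attack type on the page disturbs."""
    syn = sum(1 for p in packets if p[0] == "tcp" and p[3] == "S")
    ack = sum(1 for p in packets if p[0] == "tcp" and "A" in p[3])
    udp = [p for p in packets if p[0] == "udp"]
    return {
        "pps": len(packets),                                # raw volume
        "syn_ratio": syn / max(ack, 1),                     # half-open handshakes (SYN flood)
        "udp_dports": len({p[2] for p in udp}),             # random ports sprayed (UDP flood)
        "dns_bytes": sum(p[4] for p in udp if p[1] == 53),  # oversized replies from port 53 (DNS amp)
    }

def build_baseline(normal_windows):
    """Per-metric mean and std-dev over known-good windows: the page's 'baseline for normal'."""
    rows = [window_metrics(w) for w in normal_windows]
    return {k: (mean(r[k] for r in rows), pstdev(r[k] for r in rows)) for k in rows[0]}

def classify(packets, baseline, z=3.0):
    """Label a window by which metrics sit more than z deviations above the baseline."""
    m = window_metrics(packets)
    # Floor the spread so a near-constant baseline does not alert on trivial noise.
    hot = {key for key, (mu, sd) in baseline.items() if m[key] > mu + z * max(sd, 0.1 * mu, 1.0)}
    rules = {"syn_flood": {"pps", "syn_ratio"}, "udp_flood": {"pps", "udp_dports"},
             "dns_amplification": {"dns_bytes"}}
    return [name for name, need in rules.items() if need <= hot] or ["normal"]

def normal_window(seed):
    """Constructed benign window: completed HTTPS handshakes, a few DNS replies, some NTP."""
    pk = []
    for i in range(40 + seed % 7):
        pk += [("tcp", 40000 + i, 443, f, s) for f, s in (("S", 60), ("A", 60), ("AP", 900))]
    pk += [("udp", 53, 33000 + i, "", 120) for i in range(5 + seed % 3)]
    pk += [("udp", 123, 123, "", 76)] * 2
    return pk

# Constructed attack windows: benign background plus one flood each.
ATTACKS = {
    "syn_flood": normal_window(0) + [("tcp", 1024 + i, 80, "S", 60) for i in range(3000)],
    "udp_flood": normal_window(0) + [("udp", 50000, 1000 + i, "", 512) for i in range(3000)],
    "dns_amplification": normal_window(0) + [("udp", 53, 5353, "", 3800) for _ in range(400)],
}

if __name__ == "__main__":
    base = build_baseline([normal_window(s) for s in range(10)])
    for name, window in ATTACKS.items():
        print(name, "->", classify(window, base))
```

Application-layer floods (L7 GET/POST abuse) need request-level telemetry rather than packet counters, so they are deliberately outside this sketch.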
As costly as buying anti-DDoS services and technology can be, the price of failing to mitigate a DDoS attack can be much higher, making defending against them a key priority.