Disrupting traffic on a server can have major consequences. With a DDoS attack, cybercriminals force websites offline and make them inaccessible. By sending artificially inflated traffic, they may block apps and even shut down major news sites. So how does a DDoS attack work, and can it be prevented?
In a Distributed Denial of Service (DDoS) attack, the perpetrator tries to cause so much disruption on a site or app that its intended users are unable to access it. This can be done by exploiting system weak spots and overwhelming servers with massive amounts of traffic.
Most DDoS attacks involve creating a sort of an impassable online traffic jam. That overloads the site’s capacity to handle new and legitimate requests.
From cybercriminals targeting corporations to governments sabotaging protesters’ messaging apps, there are many ways to launch this kind of attack. For instance, they may exploit coding bugs or route traffic through a botnet. However, the goal is always to disrupt and damage a server’s performance.
What is a botnet?
One of the easiest DDoS strategies to understand is a volumetric attack — a method that relies on a botnet. These are networks of devices that can be used to send tens or even hundreds of thousands of requests to a server.
To build a botnet, the perpetrator will force malware onto multiple devices. In most cases, the users won’t even realize that their phones and laptops are being infected. This can be done through malvertising, phishing emails, and other illicit methods.
Once someone has downloaded the attacker’s malware, their device is ready to become part of a botnet. The hacker can leave this malicious software on their device undetected until the eventual DDoS attack.
When the time is right, and enough devices are carrying the malware, the attacker can launch their assault on a server.
To prevent your phone or laptop becoming part of a botnet, here are some basic principles to follow:
Be vigilant around suspicious emails that contain links.
Avoid clicking on internet ads, even when hosted on reputable sites.
Use a service like CyberSec to screen for high-risk content.
Update your software whenever you can.
Different kinds of DDoS attack
Although the end result is usually the same, there are many different ways to stage a DDoS attack.
SYN flood, or TCP connection attack
This form of attack exploits the TCP handshake connection. In a normal “handshake“, a user’s device sends a request to a server, and it responds by preparing the requested page elements. Next, the server sends a message back to the user’s device, confirming that it’s ready. Crucially, a third communication must then travel to the server to complete the process and load the page.
In a DDoS attack, however, this third step is omitted. The server uses its resources to prepare the page elements, but the essential final message never arrives to complete the process. Instead, another TCP handshake is initiated, and then another, and another. Eventually, the server expends all its resources on readying page elements that are never presented to the user. And then it grinds to a standstill.
Application layer attack
Application layer attacks, also known as layer 7 attacks, don’t hit an entire network or server. Instead, they target specific functions or page elements on a site. By overworking certain features on a page, the attacker can make parts of an application crash or malfunction.
As well as having a damaging impact on a site’s performance, this method has been used in the past as a distraction technique. It forces site owners and technicians to focus on the targeted feature while another, more serious breach is taking place elsewhere on the server.
This is where a botnet comes into play. The attacker will trigger the malware that they’ve spread across multiple devices and route a stream of traffic through each one. Then, they will assault the target with waves of simultaneous requests.
As the name suggests, this attack is all about the sheer volume of artificial users trying to access a site. By taking up all the server’s available bandwidth, the attacker can stop any legitimate users from reaching the site, making it unusable.
Fragmentation (or teardrop) attack
When information travels between websites and servers, it’s usually broken down into smaller pieces, sent in “packets“, and then reassembled by the receiver. This can create an opportunity for a fragmentation attack, also called teardrop.
Attackers deliberately send overstuffed data packets that are too large to be reassembled properly. This takes advantage of a bug in the IP reassembly code in certain systems and can quickly result in a denial of service state.
How to prevent DDoS attacks
As is often the case in cybersecurity, there is no magic bullet for stopping these attacks altogether, but there is still plenty you can do. With best practice, careful preparation, and a robust security strategy, you can lower the risks and mitigate the damage.
Create overflow channels
Start with prevention. Ensure that you have alternative servers on standby to deal with overflow, reducing the risk of one of them crashing. Building these extra channels means that, if unnaturally high levels of traffic flood the servers, the flow can be redirected. This will allow operations on the main server to continue so that genuine users can still access the service.
Stay up to date with security updates and patches
DDoS attacks often take advantage of out-of-date systems and a lack of consistent security patching. On an individual level, the more people update their own devices, the less likely they are to be used in a botnet. That’s because the malware for these operations often relies on outdated software as the entry point.
Put a cap on request numbers
Limit the number of requests a server accepts at a time. With a hard limit on the number of requests that a server will process, it can block the attack before it becomes incapacitated. While this will still result in a temporary denial of service, it will be much easier to bring your site or application back online.