Have you ever tried to access a website only to be met with an unusually slow response or even an error message that it's unavailable? While site outages can happen for various reasons, such as server issues or maintenance updates, one cause that can be a significant headache is a DDoS attack.

DDoS or distributed denial-of-service attacks overload a site's server with fake requests, causing it to crash. The sheer volume makes it impossible for legitimate customers to get to the site, causing bad experiences or lost sales.

These attacks have taken down companies like Netflix, OpenAI, Spotify, and government sites. The impact ranges from inconvenient to costly, depending on the target and duration. This article will cover what motivates these DDoS attacks, how they work, and what companies can do to fight back.

What is a DoS attack?

A denial-of-service attack (DoS) is a malicious attack designed to overwhelm a targeted server, service, or network with traffic and render its online services inaccessible. The disruption overwhelms the target with a flood of meaningless requests, exceeding the target's capacity and resulting in slowed or wholly halted services.

DoS (denial-of-service) vs. DDoS (distributed denial-of-service) attacks

A distributed denial-of-service attack (DDoS) occurs when malicious requests come from many different sources. In a DDoS attack, these sources are usually a network of bots or compromised machines controlled by a bad actor. By having potentially thousands of infected devices orchestrate the attack, the attack gets amplified, and it is even more challenging to identify and block the malicious requests.

How does a DDoS attack work?

Generally, launching a DDoS attack comprises three main steps:

1. Build a Botnet: Bad actors infect numerous devices with malware to create a botnet. These devices, often personal computers or Internet of Things (IoT) devices, are controlled remotely without the owners' knowledge.
2. Launch the Attack: The attacker then commands this botnet to send a deluge of requests to the target's IP address, creating overwhelming traffic volume.
3. Disrupt the Service: The target, unable to cope with such a high volume of requests, either experiences severe slowdowns or crashes entirely, denying service to legitimate traffic.

Types of DDoS attacks

While the general goal of DDoS attacks is to overwhelm the target, all DDoS attacks are not the same. Depending on the methods and resources targeted, there are three primary categories of DDoS attacks:

Volumetric Attacks

The goal of volumetric attacks is to consume all available network bandwidth of a target. These attacks are akin to creating a traffic jam, where the sheer traffic volume clogs the network, making it impossible for legitimate data to pass through. Volumetric attacks target broad network interfaces and services, such as company websites or DNS servers, and are usually measured in gigabits per second. Some examples of volumetric attacks include:

UDP Flood

This attack overwhelms a network with User Datagram Protocol (UDP) packets to random ports on a target system. UDP is a connectionless, one-way protocol where the sender does not wait for a response from the receiver.

While great for high-speed use cases, it also means bad actors can send massive amounts of packets without establishing a connection. This attack causes the host to repeatedly check if applications are listening at that port, trying to establish a connection, thus consuming resources.

ICMP Flood

The internet control message protocol (ICMP) manages error and diagnostic functions and is used for pinging services to check connectivity. When an attacker sends an ICMP Echo Request message (a ping), unlike UDP, the target wants to respond with an Echo Reply to show its reachability status. ICMP or Ping floods take advantage of this and overwhelm the target with pings without waiting for replies, clogging the network.

DNS Amplification

Accessing a website means requesting a public Domain Name System (DNS) to translate the domain name into an IP address and send you the information you need to connect. However, bad actors can craft requests that spoof the source IP address to be that of their targets and ask for large amounts of DNS records and information from small queries. This difference in size between the request and response is the amplification effect of this attack. The DNS sends the response to the spoofed IP, and the target gets inundated with DNS response traffic.

Protocol Attacks

Another kind of attack is those that exploit the protocol stack, like the Transmission Control Protocol/Internet Protocol (TCP/IP) model. These attacks consume server resources of network equipment like firewalls and load balancers and focus on exploiting protocol characteristics and process weaknesses.

Usually measured in packets per second, bad actors aim to create bottlenecks and service disruptions, impacting the network's ability to manage traffic and connections. Here are some types of protocol attacks:

SYN Flood

These attacks exploit the three-way TCP mechanism to establish client and server connections. The bad actor client starts a connection by sending a SYN (synchronize) packet to the target server. The server responds with a SYN-ACK (acknowledge) packet and waits for the final ACK step of the handshake.

However, the client never responds, leaving half-open connections that the server spends time keeping track of. This unanswered request exhausts the server's resources. It fills up the SYN queue limit, preventing it from processing legitimate connection requests.

Ping of Death

While not as prevalent today, the ping of death is another example of a DDoS attack that exploits ICMP functions. Instead of sending a barrage of messages, the ping of death attack involves sending malformed or oversized packets to the target. Reassembling these oversized packets on the receiving end can cause processing issues, leading to system crashes, reboots, or instability.

Fragmentation Attack

When a packet of data is too large to be sent over a network with a smaller maximum transmission unit (MTU) size, the packet is broken down into smaller pieces or fragments. The receiving system can then reassemble the fragments into the original packet. Bad actors will take advantage of this system by sending packets that will fragment in ways that are challenging to reassemble.

For instance, they may create overlapping fragments, omit some, or send excessively small fragments. The target struggles to try and reassemble the fragments, using up resources and causing slowdowns, crashes, and unexpected behavior.

Application Layer Attacks

Application layer attacks tend to be more subtle and targeted than the others. They aim to exhaust the resources of specific applications, such as a web server. These attacks commonly target high-traffic websites or online transaction platforms where overloading a particular application can cause significant functional disruption.

Unlike volumetric attacks, similar to flooding the entire highway, application layer attacks are more like overwhelming a critical junction. They're usually measured in requests per second, less about bandwidth and more about incapacitating specific functionalities. Some examples of these attacks include:

HTTP Flood

In this attack, bad actors send the target many HTTP requests (such as GET and POST). Each request requires processing from the web server. Bad actors target process-heavy endpoints such as search or large database operations that will tie up resources.

Therefore, these attacks disrupt the service of the web application or server, making it slow to respond or entirely unavailable for legitimate users. Additionally, bad actors design the requests to look like legitimate traffic, making the attacks even harder to defend against.

Slowloris

Compared to other attacks, Slowloris attacks are stealthier but just as effective. It begins with the bad actor sending numerous partial HTTP requests to the target web server that keeps the connection open, and the target waits for the rest of the requests. The bad actor occasionally sends more HTTP headers for the open requests but never completes it. With the server's connection pool filled with these slow, lingering requests, legitimate users cannot establish new connections.

DNS Flood

Similar to DNS amplification, this attack deals with DNS servers but instead directly targets the DNS server itself. The bad actor sends many application layer requests or DNS queries to the target to resolve domain names to IP addresses. The requests look legitimate and might even be for real domain names, making it difficult for the DNS server to distinguish these requests from legitimate traffic. As the DNS server becomes overwhelmed, it can slow down significantly or even crash, affecting not just the DNS server but all the services and users relying on it for domain name resolution.

Motivations behind DDoS attacks

Understanding the motivations behind DDoS attacks is crucial for developing effective defense strategies. These attacks, which overwhelm servers and networks with a flood of traffic, can be driven by a range of motives:

• Financial Gain: Some attackers launch DDoS attacks as extortion, demanding payment from the targeted organization to stop the attack. Businesses that rely heavily on online presence, such as e-commerce sites, are particularly vulnerable to this type of motivation. Some bad actors will even attempt extortion in exchange for not selling DDoS services targeting the organization on dark web markets.
• Hacktivism & Protest: Political, social, or religious affiliations can motivate attacks to make a political statement, draw attention to a cause, or protest against specific actions or policies of an organization or government. DDoS attacks in this category aim to disrupt services as a form of digital protest since website takedowns can draw attention to their cause.
• Revenge: Disgruntled attackers like ex-employees or customers with a grudge may initiate DDoS attacks driven by personal vendettas against an organization or its leaders. These attacks are often persistent, reflecting the personal nature of the motive, intending to cause damage and disruption to an organization's online operations.
• Competitive Advantage: In some cases, businesses engage in DDoS attacks against competitors to disrupt their operations and gain a competitive advantage. These unethical sabotage tactics inflict brand damage or loss of business and force competitors to divert resources from growth to security.
• Diversion: Sophisticated hackers might use DDoS attacks as a smokescreen, diverting the attention of security teams from more severe security breaches like data theft. As bad actors quietly infiltrate networks to steal valuable customer data or intellectual property, the chaos of the DDoS attack provides cover.

The impact of DDoS attacks

DDoS attacks can have severe and far-reaching impacts on businesses. These malicious attacks can cause immediate disruptions, such as website downtime and service unavailability, resulting in significant financial losses. Additionally, the reputational damage caused by being targeted by a DDoS attack can have long-term consequences, leading to a loss of customer trust and potential business opportunities.

Other impacts of DDoS attacks can include:

• Service Disruption: The most immediate effect of a DDoS attack is the disruption of online services. This disruption can mean downtime for websites, online platforms, and critical services, leading to a direct loss of revenue, especially for e-commerce sites. Businesses relying on online services or transactions for income can experience significant financial losses due to downtime caused by DDoS attacks.
• Increased Operational Costs: Responding to a DDoS attack involves mobilizing additional IT resources. It may also require emergency expenditure on specialized mitigation services or hardware. These mitigation services often cost more than the attack, increasing operational costs for businesses already facing financial losses due to service disruptions.
• Loss of Data: In some cases, DDoS attacks can be used as a diversion tactic while bad actors steal sensitive data. This data theft can have long-term consequences for businesses, including loss of revenue and damage to their reputation. Additionally, companies may face legal consequences and penalties if customer data is compromised.
• Damage to Brand Reputation: Being targeted by a DDoS attack can damage an organization's brand reputation, especially if the attack is prolonged or successful. This harm can lead to customer mistrust and loss of potential business opportunities, as customers may doubt the security of the affected organization.

Real-world impact of DDoS attacks: Bandwidth.com

One notable example of the tangible damage of DDoS attacks is the case of Bandwidth.com, a prominent Voice over Internet Protocol (VoIP) service provider that faced substantial financial and operational losses after an attack. In September 2021, the company experienced a notable DDoS attack, leading to days of service outages. Bandwidth directly lost about $700,000 from lost transaction volume, but the attack also led to a projected revenue loss of $9 to $12 million.

Beyond the impact on Bandwidth's bottom line, the attack had far-reaching effects, impacting other VoIP vendors like Twilio and Phone.com, who rely on Bandwidth as an upstream provider. This loss of services forced some downstream Bandwidth customers into emergency mode, trying to mitigate issues with ported phone numbers and call forwarding.

During the outage, Bandwidth worked with customers to divert traffic off their platform to mitigate the impact on their businesses. This act meant deliberately moving customers to competitors with the potential of them not returning after the challenges posed by the attack. Luckily, the company retained many customers, with several indicating they would likely return.

Bandwidth's experience highlights the expansive nature of DDoS attacks and how they can lead to financial losses, operational disruptions, customer trust issues, and long-term reputational damage.

How to mitigate DDoS attacks

With the high potential for damages and negative impact, preventing or withstanding DDoS attacks is crucial for online businesses. Companies must implement proactive strategies and reactive measures to protect themselves from these malicious attacks and lessen their impact. Some ways to mitigate DDoS attacks include:

Robust Network Infrastructure

Correctly configure the components of your network infrastructure and incorporate redundancy and resilience measures to withstand DDoS attacks. When one path or server is under attack, there should be multiple alternative paths or servers that traffic can be rerouted to, ensuring continued service availability. Scalability is another critical factor; quickly scaling up resources in response to increased traffic can help absorb and dissipate the impact of a DDoS attack. To stay on top of the latest threats, you should regularly perform security audits to help identify potential vulnerabilities.

DDoS Protection Services

Employ specialized DDoS protection services that can use advanced technologies to identify and mitigate DDoS threats. These services work by analyzing traffic patterns and filtering malicious traffic, protecting your network. Use Content Delivery Networks (CDNs) as part of your strategy. CDNs distribute your traffic across a global network of servers, which not only improves website performance but also helps in absorbing and dispersing DDoS attack traffic, reducing the load on your primary servers.

Rate Limiting and Traffic Shaping

Add rate limits to control the number of requests your server will accept over a specific period, which can prevent it from becoming overwhelmed during a DDoS attack. Additionally, traffic shaping, which involves controlling and prioritizing network traffic, can ensure critical services maintain performance during high-traffic periods. Together, these techniques can help mitigate the impact of a DDoS attack by controlling and balancing traffic flow.

Web Application Firewalls

Use Web Application Firewalls (WAFs) to monitor, filter, and block malicious traffic targeting web applications. Since WAFs can analyze incoming traffic and data input patterns, they are particularly effective in preventing attacks that exploit web application vulnerabilities, such as SQL injection or Cross-Site Scripting (XSS). Companies can customize WAFs with specific rules depending on their organizations' needs and resources.

Intrusion Detection and Prevention Systems

Monitor network traffic for signs of a DDoS attack using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). These systems can detect anomalous traffic patterns indicative of an attack and take automated actions to block this traffic. The effectiveness of IDS and IPS lies in their ability to respond quickly to threats, helping to mitigate potential damage from DDoS attacks.

Geographical Blocking

Consider temporarily blocking or limiting traffic from specific geographic regions if a significant amount of attack traffic originates from areas not critical to your business operations. This tactic can reduce the volume of malicious traffic reaching your network. However, companies should use it cautiously to avoid unintended service disruptions for legitimate users.

Response Planning

Develop a well-defined incident response plan for DDoS attacks that outlines the roles and responsibilities of your team, communication protocols, and specific steps for mitigating an attack. A good response plan can significantly reduce the time to respond to an attack, minimizing its impact and aiding in quick recovery.

Incorporating Fingerprint into your DDoS mitigation strategy

During a DDoS attack, it's crucial to distinguish between legitimate user traffic and attack traffic. Different techniques are needed to identify and filter out these malicious requests depending on the method used for the DDoS attack. Fingerprint's Device Intelligence Platform is a JavaScript-based solution that helps businesses identify visitors by analyzing over 70 identification signals to create a unique visitor identifier.

Since DDoS attacks often occur at the network or transport layer and can involve non-browser-based methods (like those using botnets or spoofed IP packets), the effectiveness of JavaScript-based device intelligence in mitigating such attacks is limited.

However, businesses can use Fingerprint in some specific types of attacks. HTTP Flood attacks that send numerous requests to a web server, typically through browsers or scripts that mimic browser activity, can be analyzed with Fingerprint to identify and filter out malicious traffic, saving your web server from being bogged down with unnecessary processes.

For DDoS attacks that use web scraping bots or automated scripts to generate HTTP requests, Fingerprint's browser bot detection can help identify and block these bots, thereby mitigating the attack.

Fingerprint can identify suspicious browser sessions and is particularly effective with other security measures like firewalls, DDoS protection services, and rate limiting. After a DDoS attack, companies can use Fingerprint's device intelligence data to analyze attack patterns, understand how the attackers operated, and improve defenses for future incidents.

Conclusion

DDoS attacks remain a significant risk for businesses. The impact of these attacks can be considerable, damaging your network and causing long-lasting damage. Mitigating the risk and impact of DDoS attacks requires a multi-faceted and proactive approach, incorporating advanced technologies, traffic management strategies, monitoring systems, response planning, and more.

For more information on how Fingerprint's Device Intelligence Platform can help you identify bad actors who visit your website, start a free trial. Contact our sales team to learn how we can help you protect your website and prevent fraud.