DDoS attacks pose an ever-increasing threat to cybersecurity. According to a 2021 Cloudflare report, they're on the rise at an astoundingly rapid rate.
Being aware of the warning signs is critical, and so is telling them apart from ordinary performance and availability problems, such as slow network connections or site crashes, that do not indicate malicious intent.
Attackers frequently exploit internet services to cause disruption for various reasons, including revenge, blackmail or hacktivism. Distributed DoS attacks can be particularly perilous.
What is a DoS Attack?
Denial-of-service attacks (DoS attacks) are malicious cyberattacks designed to block legitimate users from accessing networks or systems, usually by overwhelming finite resources with traffic that clogs them up completely or disrupts services altogether. While DoS attacks come in various forms, all have the ability to interfere with normal operation of networks or servers and cost victims time, money, reputation and sometimes legal trouble depending on jurisdictional rules.
DDoS (distributed denial-of-service) attacks involve numerous connected machines or devices -- such as IoT devices, smartphones, personal computers and network servers -- located worldwide. DDoS attacks use networks of compromised devices to flood a targeted website, web application, application programming interface or data center infrastructure with unwanted internet traffic, making it impossible for the victim to receive or process valid online requests and leaving its users unable to buy products, use services or obtain information online.
Hackers use IP address spoofing (also called IP source spoofing) to make their traffic appear to come from many different machines, which makes it harder to detect. They may also employ botnets to generate this traffic, making it harder for security professionals to block specific sources.
An alternative way of conducting a DDoS attack is exploiting weaknesses in software running on machines or networks. An application-layer attack could consume memory or disk space on a computer until too little remains for it to operate, leaving the victim unable to function normally.
A DDoS attack can be used either to extract funds from people or to make political statements. The hacker group Anonymous, for example, has conducted attacks against ecommerce websites and banks either to demand payment from them or to send a political statement against companies it opposes. A smaller-scale DDoS may also be launched against competitors or events of public concern; regardless of the motivation, the goal remains the same: to disrupt or deny services that consumers and businesses depend upon.
DDoS Attacks
DDoS attacks are designed to disrupt or significantly slow network traffic, leaving legitimate users unable to access services they need online. DDoS attacks can be initiated by cyber threat actors using compromised machines and networks in an effort to overwhelm a particular network or web application.
As attackers become more sophisticated, so do their DDoS attacks. Botnets with armies of malware-infected devices may be employed to generate large-scale attack traffic that saturates bandwidth, making it hard for the target to accept additional data; this type of volumetric attack can be difficult to detect.
SYN flood attacks are another popular DDoS technique. An attacker sends malformed packets that flood server ports with SYN requests without ever completing the three-way handshake needed to establish a connection, leaving the server unable to accept new connections. Such an attack can be extremely difficult for any business network to withstand, even with extensive preparations in place to counter it.
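A SYN flood shows up on the server as a pile of half-open connections that never progress past the handshake. The following added example (not code from the article) parses a constructed, netstat-style snapshot of connection states and flags a port whose half-open count and ratio exceed assumed thresholds; the snapshot, thresholds and function names are all assumptions.

```python
# Added example (not from the article): spot a SYN flood in a snapshot of TCP
# connection states. A flood leaves many half-open (SYN_RECV) sockets on the
# attacked port, typically from many distinct, often spoofed, source addresses.
# The snapshot below is constructed, netstat-style text, not real output.
from collections import Counter, defaultdict

def constructed_snapshot():
    """Sample snapshot: healthy SSH and HTTPS sessions plus a flood on port 443."""
    lines = [f"tcp 10.0.0.5:22 203.0.113.{10 + i}:5123{i} ESTABLISHED" for i in range(3)]
    lines += [f"tcp 10.0.0.5:443 203.0.113.{20 + i}:4000{i} ESTABLISHED" for i in range(5)]
    # 60 half-open connections, each from a different address in 198.51.100.0/24
    lines += [f"tcp 10.0.0.5:443 198.51.100.{i + 1}:{30000 + i} SYN_RECV" for i in range(60)]
    return "\n".join(lines)

def parse_snapshot(text):
    """Turn 'proto local remote state' lines into (local_port, remote_ip, state)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip headers or malformed lines
        _proto, local, remote, state = parts
        rows.append((int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state))
    return rows

def syn_flood_report(rows, min_half_open=50, min_ratio=0.8):
    """Per local port: count half-open sockets and flag flood-like patterns.

    A port is suspicious when it holds at least min_half_open SYN_RECV sockets
    and they make up at least min_ratio of all its connections. Both thresholds
    are assumed starting points; tune them to the server's normal load.
    """
    half_open, total, sources = Counter(), Counter(), defaultdict(set)
    for port, ip, state in rows:
        total[port] += 1
        if state == "SYN_RECV":
            half_open[port] += 1
            sources[port].add(ip)
    report = {}
    for port in total:
        ratio = half_open[port] / total[port]
        report[port] = {
            "half_open": half_open[port],
            "ratio": round(ratio, 2),
            "distinct_sources": len(sources[port]),   # many one-shot sources hints at spoofing
            "suspicious": half_open[port] >= min_half_open and ratio >= min_ratio,
        }
    return report
```

A high count of distinct sources each holding a single half-open socket is the spoofing pattern described earlier, which is why blocking individual addresses rarely helps and SYN cookies or upstream filtering are the usual response.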
Network security solutions that detect abnormal traffic patterns and block the offending data entering from outside sources are the best way to defend against DDoS attacks, providing visibility into an attack's progress as well as the actions that need to be taken to mitigate it.
DDoS attacks can be launched by hackers, criminal organizations and hacktivists; however, extortionists often resort to this tactic to force businesses into paying up in exchange for not carrying out these assaults on them. Many online software companies have found themselves vulnerable after refusing extortionist demands and going offline as a result.
As businesses have increasingly moved online, more business services are offered over the internet and are susceptible to cyber attacks such as DDoS attacks that make products or services inaccessible to customers. Such attacks can cost companies both financially and reputationally; with adequate DDoS protection measures in place, risks associated with these cyberattacks can be minimized.
Slowloris Attack
The Slowloris attack exploits a vulnerability in how web servers handle connections. By sending an endless stream of incomplete HTTP requests that never complete, an attacker can tie up server resources and render websites and web apps unavailable to legitimate users. Slowloris attacks can be carried out using one computer and require minimal bandwidth consumption compared with more powerful DDoS attacks launched from botnets.
Slowloris' simplicity belies its effectiveness against popular server types like Apache and the open-source Flask web application framework. Hacktivists used Slowloris to bring down Iran's official website in 2009; since then it has been linked with many high-profile server takedowns by hackers or threat actors.
An attacker initiates the Slowloris attack by opening multiple sockets on a vulnerable server. Unlike traditional attacks that use malformed packets as attack vectors, Slowloris employs valid HTTP requests that slip past intrusion detection systems unnoticed. To maximize its effect, the attacker sends partial requests that never complete. Once the target's maximum concurrent connection pool is exhausted, the server can no longer serve legitimate clients.
Slowloris attacks can last for long periods, slow and steady like the tortoise in the fable of the tortoise and the hare. For even greater stealth, Slowloris can suppress log entries during an attack so that no red flags appear in the server's logs.
Slowloris attacks are relatively straightforward to prevent and mitigate. First of all, keeping both the web server and the operating system updated prevents hackers from exploiting known vulnerabilities; additionally, putting a reverse proxy or load balancer in front of the web server acts as a buffer between server and clients and helps safeguard it against attack.
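The reason a reverse proxy or hardened server defeats Slowloris is two rules: a deadline for completing the request headers that a periodic one-line trickle cannot reset, and a cap on concurrent sockets per client address (Apache's mod_reqtimeout enforces the first in production). The model below is an added example, not code from the article or from any server; its limits, class and function names and the simulated run are assumptions.

```python
# Added example (not from the article): the two rules a reverse proxy or hardened
# web server enforces to blunt Slowloris: request headers must be complete within
# HEADER_DEADLINE seconds however slowly bytes trickle in, and one client IP may
# hold at most MAX_PER_IP open sockets. Limits and the simulated run are assumed.
HEADER_DEADLINE = 10.0   # seconds allowed to complete the request headers
MAX_PER_IP = 20          # concurrent connections allowed per client address

class SlowlorisGuard:
    def __init__(self, header_deadline=HEADER_DEADLINE, max_per_ip=MAX_PER_IP):
        self.deadline, self.max_per_ip = header_deadline, max_per_ip
        self.conns = {}    # conn_id -> {"ip", "opened", "buf", "complete"}
        self.per_ip = {}   # ip -> number of open connections

    def open(self, conn_id, ip, now):
        """Accept a new socket unless the client already holds too many."""
        if self.per_ip.get(ip, 0) >= self.max_per_ip:
            return "rejected"
        self.conns[conn_id] = {"ip": ip, "opened": now, "buf": b"", "complete": False}
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return "accepted"

    def data(self, conn_id, chunk):
        """Buffer received bytes; headers are complete once the blank line arrives."""
        conn = self.conns[conn_id]
        conn["buf"] += chunk
        conn["complete"] = b"\r\n\r\n" in conn["buf"]
        return conn["complete"]

    def sweep(self, now):
        """Close sockets whose headers are still incomplete past the deadline. The
        deadline counts from open(), so a periodic one-line trickle cannot reset it."""
        expired = sorted(cid for cid, c in self.conns.items()
                         if not c["complete"] and now - c["opened"] > self.deadline)
        for cid in expired:
            self.per_ip[self.conns.pop(cid)["ip"]] -= 1
        return expired

def simulate():
    """Constructed run: 30 Slowloris sockets from one IP versus one normal client."""
    guard, attacker = SlowlorisGuard(), "198.51.100.9"
    accepted = [f"s{i}" for i in range(30) if guard.open(f"s{i}", attacker, 0.0) == "accepted"]
    guard.open("legit", "203.0.113.4", 0.0)
    guard.data("legit", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    for _ in range(3):                    # three header lines arrive over the 10 s,
        for cid in accepted:              # but never the terminating blank line
            guard.data(cid, b"X-a: 1\r\n")
    closed = guard.sweep(11.0)
    return len(accepted), len(closed), "legit" in guard.conns, guard.per_ip[attacker]
```

In the simulated run only 20 of the 30 attacker sockets are accepted, all 20 are closed at the sweep because their headers never complete, and the normal client's connection survives.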
If your budget allows, specialized DDoS mitigation services such as Imperva AppTrana cloud WAF provide protection from Slowloris attacks as well as others. With custom rate limiting, traffic filtering and diversion features built in to counter all known DDoS attack types, such services offer invaluable protection.
Botnets
Botnets are networks of computer systems, servers, desktop computers, laptops, tablets and other devices infected with malicious software and controlled by threat actors to send spam, engage in click fraud or launch distributed denial-of-service (DDoS) attacks. Hackers gain control over these enslaved devices through malicious software installed on them, which lets the attackers manage the devices remotely without their owners knowing.
Botnets range from small groups of infected devices up to thousands, and hackers often rent or sell them out to others for use in sending spam, engaging in click fraud or carrying out DDoS attacks for various financial or other gain. Botnets may also be employed against specific companies or websites for political or ideological purposes.
Hackers exploit vulnerabilities present in victim systems or websites in order to infiltrate devices with botnet malware, upload malicious software and then execute commands to activate bots that in turn connect back with one another and the attacker through command-and-control (C&C) servers.
C&C servers are typically housed on compromised systems or websites and may include anything from publicly accessible web servers and email servers, email forwarding services and DNS servers to internal network routers. Malicious actors who control botnets are known as bot herders.
While most people have at least some understanding of cybersecurity threats and how to secure their computer systems, others lack this awareness. This often results in accidental DDoS attacks: for example, when popular websites post links for readers to visit after breaking news stories go online, hundreds or even thousands of visitors may click those links at once, overwhelming the linked website and forcing it to temporarily or indefinitely deny service to other users.
After experiencing a DDoS attack, the initial step to recovery should be recovering data from backups before taking steps to strengthen security protocols and fortify networks to prevent future incidents. A professional cybersecurity team could prove invaluable at this critical juncture.