DDOS Attack Types and Mitigation Strategies

Distributed denial-of-service (DDOS) attacks are malicious cyber operations that use a network of systems to target a service or network in attempts to overwhelm it or its infrastructure such that it can no longer function properly and shuts down fully or partially. The motivations for DDOS attacks vary. DDOS threats are a common extortion tactic threat actors use against e-commerce sites and online businesses to compel payment in ransomware cases. However, threat actors may not only seek financial gain; in some cases, hacktivism, cyber warfare, and revenge are underlying motivators. In addition, sophisticated threat actors have used DDOS attacks to distract targeted entities while they commit more nefarious malicious cyber operations. At the other end of the spectrum, DDOS attacks may be carried out as a prank. This is common in educational institution settings to make online exams unavailable for students, similar to pulling the fire alarm or phoning in a bomb threat to a school. In some cases, DDOS attacks are not malicious in nature and simply a result of network misconfigurations.

DDOS attacks can be conducted with relative ease. There is often very little technical competency needed, though the effectiveness of attacks varies based on the resources used and the security posture of the targeted network or system. While advanced persistent threat (APT) actors may not target small businesses or school districts with DDOS attacks often, a disgruntled former employee, competitor, or student can initiate an attack with few resources. There are DDOS-for-hire services that utilize bot armies (groups of connected devices) to conduct DDOS attacks against targets. The cost for these hires is usually calculated based on the amount and duration of traffic sent to a target. While DDOS attacks are illegal, these DDOS-for-hire services often advertise themselves online as booters or stressers that can be used to test a network’s resilience; however, these services rarely check for authorization to conduct stress tests. As such, almost anyone can anonymously hire these services to attack any target of their choosing. The ease with which DDOS attacks can be launched makes it imperative for organizations to implement controls and response plans to minimize the impact of these events.

Screenshot of DDOS-for-Hire website

In the above screenshot, this stresser site requires the user to sign up for free with a username and password; however, other sites are completely anonymous – just insert the target IP, port, and duration and click the “Launch” button.

Types of DDOS Attacks

There are various types of DDOS attacks that can negatively impact targeted organizations. While the NJCCIC organizes the types of attacks into three groups—volumetric, protocol, and application attacks—the distinction between the categories is blurred. Attackers will often employ several of these categories at once to ensure their attacks are as disruptive as possible.

Volumetric Attacks

Volumetric DDOS attacks are the most common and impactful. A volumetric attack overwhelms a network with massive amounts of network traffic to exhaust the target organization’s resources. In volumetric attacks, it is common for the attacker to employ numerous malware-infested systems, known as bots, to target an organization. User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) floods are a common means of carrying out volumetric attacks. UDP and ICMP are connectionless protocols that allow for fast data transmission without integrity checks, which makes them prime tools for attackers. Another common volumetric attack is a Domain Name System (DNS) flood. This occurs when an attacker floods a particular domain’s DNS servers to disrupt DNS resolution for that domain and prevent services from responding to legitimate traffic. DNS flood attacks can be difficult to distinguish from normal heavy traffic because the large volume of traffic often queries for records on the domain and appears as legitimate traffic.

Image Source: Acunetix

Volumetric attacks also commonly use reflection and amplification techniques to overwhelm the target network or service. One type of UDP volumetric attack is a Network Time Protocol (NTP) reflection and amplification DDOS attack in which the attacker enlists thousands of bots to spoof a target system’s IP address while making NTP requests to legitimate NTP servers on the internet. The result is a flood of traffic from the NTP servers to the targeted system, which overwhelms it. In volumetric attacks, more bots and servers enlisted to attack a given target ensures almost any network is overwhelmed.

 Image Source: Google

Protocol Attacks

Protocol attacks are intended to consume all the resources of a given target network or service by sending it numerous successive malformed connection requests. A SYN flood is a common protocol attack. In a normal three-way handshake that establishes a connection between two computers, the client computer sends the host a SYN request. The host acknowledges the SYN request by sending back a SYN-ACK message, and then the client computer acknowledges the SYN-ACK by sending an ACK message to establish the connection with the host. In a SYN flood, numerous SYN packets are sent to every port on a targeted server using a spoofed IP address. The host responds with a SYN-ACK, but because the initial SYN packets were spoofed, there are no responses from the client. Eventually, the host computer’s ports become overwhelmed with half-open connections and legitimate connection requests are denied. In addition to SYN floods, there are a number of other similar protocol attacks, including Ping of Death and Smurf DDOS. Protocol attacks consume the processing resources of network equipment such as firewalls, load balancers, and servers, and they are typically measured in packets per second.

Image Source: Imperva      

Application Layer Attacks

Application attacks target an organization’s web applications whereby the attacker sends numerous, seemingly legitimate, processing requests to the application. These attacks require the application to use central processing unit and memory resources until those resources are exhausted and the application cannot respond to any more requests. On an e-commerce site, processes to add an item to a shopping cart and to check out are computationally expensive. Attackers who target these application processes with numerous concurrent requests can exhaust the target system’s resources and crash the server. Application layer attacks are typically measured in requests per second.

Preparation and Prevention

Any organization with an internet-facing service can become the target of a DDOS attack. As such, it is vital to have an incident response plan that accounts for DDOS attacks against an organization. The preparation phase of an incident response plan includes all the activities and controls that are implemented to prevent and prepare for a response to an attack. Oftentimes, the response to a DDOS attack includes working with an internet service provider (ISP) or DDOS mitigation service provider to assist in deflecting or scrubbing DDOS traffic aimed at the organization’s network. Establishing relationships with those providers ahead of any attack will help prevent and quickly respond to attacks.

Organizations can employ the following defensive measures to create a more cyber resilient environment to reduce the risk and impact of DDOS attacks:

• Security awareness training: Train employees to better understand cyber threats and provide a strong line of defense, especially when working remotely.
• Defense-in-depth cybersecurity strategy: Implement a defense-in-depth cybersecurity strategy and access controls, including applying the Principle of Least Privilege, enabling multi-factor authentication (MFA), utilizing a Network Access Control (NAC) solution for connectivity into internal networks, and establishing a comprehensive data backup plan.
• Device security: Ensure devices and routers are up to date, secure, and protected to reduce the risk of unauthorized access. This includes changing all default passwords to strong passwords, updating with the latest security patches after appropriate testing, discontinuing the use of vulnerable devices that have not been patched by the vendor, and disabling Universal Plug and Play (UPnP) on routers unless it is necessary for business operations.
• Network and resource segmentation: Distribute servers and critical data in different data centers to ensure they are located on different networks with diverse paths.
• Vulnerability assessment and penetration testing: Regularly check for and remediate exploitable security flaws and vulnerabilities.
• Firewall and router configurations: Configure firewalls and routers primarily to block unauthorized IP addresses, close unnecessary ports, disable port forwarding, and prevent DNS and ping-based volumetric attacks.
• Network traffic monitoring: Understand the organization’s network traffic patterns, continuously monitor network traffic, and recognize abnormal activity that would indicate a DDOS attack regardless of volume and duration. Look for warning signs, such as network slowdowns, spotty connectivity, or irregular website shutdowns.
• DDOS resiliency plan: Establish business continuity, disaster recovery, and incident response plans that include DDOS protections through ISPs or third-party firms that specialize in DDOS mitigation. Contract a backup DNS provider to maintain continuity in the event of an attack on primary DNS infrastructure. While these services do not guarantee that attacks will not result in outages, most organizations are not capable of defending against the many varieties of attack tactics on their own.
• Incident reporting: Report malicious cyber activity to the NJCCIC via the Cyber Incident Report form. 

Additional Resources

DHS CISA – DDOS Attack Quick Guide

NIST - Advanced DDoS Mitigation Techniques

Google - Exponential Growth in DDoS Attack Volumes