On a Friday afternoon at 5 PM, you’re cruising along the backroads in your car, listening to your favorite music. You’re on vacation and making excellent time to your destination until you notice the long stream of red tail lights a few miles ahead. After sitting in standstill traffic for over an hour, you realize that highway construction created a detour to the two-lane backroad that you were using to skip the rush hour traffic.
When your company experiences a Distributed Denial of Service (DDoS) attack, the digital version of this driving scenario occurs. When attackers try to flood your services and systems with too much traffic, they come to a standstill.
To understand how to stop a DDoS attack, you should know what they are and how they work.
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack maliciously disrupts a network’s, system’s, or website’s normal operations by overwhelming it with a high volume of requests. By sending this traffic, the malicious actor causes the technology to become overwhelmed and unable to respond, ultimately causing a service outage.
To accomplish their objectives, malicious actors typically deploy botnets, a network of devices compromised by malware, including:
- Computers
- Servers
- Routers
- Internet of Things (IoT) devices
Why do adversaries deploy DDoS attacks?
Since a DDoS attack interrupts digital services, malicious actors deploy them for various reasons, including:
- Holding systems ransom: Forcing target organizations to pay in exchange for stopping the botnet’s attack
- Hacktivism: Disrupting services owned or operated by an organization with opposing ideological views
- Cyber espionage or warfare: Nation-state sponsored attacks to disrupt critical infrastructure as part of larger geopolitical conflict
- Cybercrime: Camouflaging other activities, like ransomware deployment or data exfiltration, to evade detection
What is the impact of a DDoS attack?
As organizations increasingly rely on their digital infrastructure, DDoS attacks impact business operations and reputation more. Some examples of impact include:
- Lost revenue: If customers are unable to use services, like making online purchases, the organization loses revenue.
- Reputation damage: Customers lose confidence in organizations with unstable services, like financial institutions whose online accounts are inaccessible.
- Compliance risk: Attackers using the DDoS attack as a shield when exfiltrating sensitive data, like personally identifiable information (PII), undermine the organization’s data protection controls which can lead to fines and penalties.
What are some common DDoS attack types?
To stop a DDoS attack, you need to understand some commonly deployed methods so you can identify indicators. While DDoS attacks can be categorized as application-layer, flood, and protocol, these categories often overlap.
Application-layer (Layer 7) attacks
These DDoS attacks focus on communications between users and applications, like the following examples.
HTTP Flood
An HTTP Flood attack sends high volumes of HTTP requests to the targeted server. Two examples of these attacks are:
- HTTP GET: barrage of malicious asset requests, like images or files, that prevents legitimate traffic
- HTTP POST: exploiting resource-intensive website form submission processes to overwhelm the target server’s processing and bandwidth, making it inaccessible.
Slowloris
Attackers exploit an HTTP request’s “Keep-Alive” header that tells the server to expect more requests. By sending incomplete requests, the attacker keeps connections open and uses up resources, meaning that legitimate users cannot access the server.
Volumetric attacks
These attacks seek to deplete server resources or networking systems, like the following examples.
UDP Flood
The attacker sends large volumes of User Datagram Protocol (UDP) packets to the targeted server. Typically, when a server receives UDP packets, it follows this process:
- Checks for running programs listening at the specified port
- Responds with an Internet Control Message Protocol (ICMP) or ping packet if no programs are receiving packets
In the UDP flood, the server becomes overwhelmed checking for running programs, using up resources and disrupting normal traffic.
TCP SYN Flood
The TCP SYN flood attack is a good example of a DDoS that overlaps two categories because it floods the protocol with information, making it both a flood and protocol attack type.
The attack targets the Transmission Control Protocol (TCP), the three-way handshake between sender and receiver that follows this pattern:
- Sender forwards a data segment to the receiver using Synchronize Sequence Number (SYN)
- Receiver acknowledges this with a response (SYN ACK)
- Send acknowledges the receiver’s message (ACK)
In a TCP SYN flood, the attacker often spoofs the ACK response IP address so that the receiver never gets a completed handshake, using up resources and making the service unavailable.
DNS Amplification
This attack exploits how the Domain Name System (DNS) recursor responds to client requests and tracks down a DNS record. An attacker uses a botnet to send a lot of small queries to the server, using up resources and causing a service disruption. The typical DNS amplification attack follows these steps:
- Attacker installs malware on an endpoint to control the device.
- The compromised device sends the DNS recursor UDP packets with spoofed IP addresses that point to the victim’s real IP.
- Each UDP packet makes a request to the DNS resolver.
- The DNS resolver responds to the requests, sending a lot of responses to the spoofed IP address.
- The target IP address receives all these responses, which uses up resources and causes a service disruption.
Protocol Attacks
Typically measured in packets per second, these attacks overwhelm a resource by exploiting a protocol to consume the targeted system’s resources, like:
- Bandwidth
- Memory
- Processing power
IP Null
An IP packet header’s protocol field defines the transport protocol being used, like TCP or UDP. In this attack, the header field has no information, wasting resources as the server attempts to process the packets correctly.
Although the IPv6 Hop-by-Hop Option (HOPOPT) may mitigate this, the attack may still work if:
- The server is unable to accept and process the packets.
- High volumes of packets overwhelm system resources.
9 Steps to Mitigating DDoS Attack Risk
Mitigating, detecting and responding to a DDoS attack as quickly as possible can reduce its impact. Some steps you can take to protect your organization include:
- Network security monitoring: Using firewalls, intrusion detection systems (IDS)/intrusion prevention systems (IPS), and load balancers to detect and filter malicious traffic.
- Rate limiting: Setting incoming request thresholds for dropping or deleting excess traffic to prevent excessive traffic from an IP address
- Traffic filtering: Blocking suspicious or malicious requests before they reach web servers
- Content delivery network (CDN): Caching content and distributing it across multiple servers to handle legitimate requests efficiently and spread malicious traffic across the network to reduce impact
- Web application firewalls (WAF): Inspecting incoming traffic, filtering out potentially harmful requests, and protecting against commonly used attack patterns
- Isolating web applications and databases: Placing these on separate network segments mitigates reduces impact by limiting the attacks reach and mitigates unauthorized access risks.
- Regular software updates and patching: Updating server operating systems, software, and applications reduces attack surface
- Endpoint detection and response: Updating anti-virus and anti-malware signatures to prevent malware turning connected devices into a botnet
- CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart): Requiring users to answer challenge questions reduces the impact of botnets attempting to use website forms
Graylog: Security Monitoring to Stop a DDoS Attack
With Graylog Security, you can use prebuilt content to map security events to MITRE ATT&CK. By combining Sigma rules and MITRE ATT&CK, you can create high-fidelity alerting rules that enable robust threat detection, lightning-fast investigations, and streamlined threat hunting. For example, with Graylog’s security analytics, you can monitor user activity for anomalous behavior indicating a potential security incident. By mapping this activity to the MITRE ATT&CK Framework, you can detect and investigate adversary attempts at using Valid Accounts to gain Initial Access, mitigating risk by isolating compromised accounts earlier in the attack path and reducing impact.
Graylog’s risk scoring capabilities enable you to streamline your threat detection and incident response (TDIR) by aggregating and correlating the severity of the log message and event definitions with the associated asset, reducing alert fatigue and allowing security teams to focus on high-value, high-risk issues.
