You might be wondering how that's even possible, and the answer is simple: botnets, massive networks of compromised computers (bots) controlled by attackers. During a DDoS attack, the botnet targets a single web service and overwhelms it with requests. This renders the targeted service inaccessible to its regular users. The result may be lost sales, missed conversions, and a tarnished reputation.
Every web service can handle only a finite number of requests, and a DDoS attack exploits that limit. Faced with a sudden flood of traffic, an unprepared web server struggles to receive and respond to requests.
Now that you know what a DDoS attack is, you're likely wondering how you can safeguard your site from experiencing one. Unfortunately, this is a complicated attack to prevent as server requests typically arrive from thousands of inconspicuous locations. Consequently, a targeted site might be unable to distinguish normal from malicious traffic.
What's the difference between a DoS and a DDoS attack?
A DDoS attack is a subcategory of the denial-of-service (DoS) attack. A DoS attack aims to render your online service inaccessible to users. However, there is a distinction — typically, a DoS attack originates from one single perpetrating device, whereas a DDoS attack requires a botnet.
Because a DoS attack comes from only one address, it's typically more manageable to thwart. Even several bots probably wouldn't be enough to take down a web server. We can't say the same for a DDoS attack, simply because of its size and scale. That scale is what makes them distributed denial-of-service attacks and is also why they're so effective.
What is a DDoS attack example?
It's helpful to review a DDoS attack example to understand how your customers feel when they experience an outage.
Imagine if you organized 1000 friends to call the same takeout restaurant simultaneously. It would be impossible for the restaurant to fulfill that number of orders at once, and they wouldn't be able to discern regular customers from those involved in your plan. Customers who can't place an order will grow frustrated because they can't get their food, and they'll blame the restaurant for the outage when, in reality, it was your plan.
If you need another DDoS attack example, consider a parade clogging up the main road in a small town. The cars simply trying to get to their destination will be unable to do so because of the clog.
What are some consequences of a DDoS attack?
There may be consequences if your website falls victim to a DDoS attack. A typical attack can bring a website down for between two and twelve hours, resulting in tens or hundreds of thousands in lost revenue.
In addition, getting DDoS-ed damages your website's reputation and perceived safety. Users of an affected website will see your website is down and may not realize that a DDoS attack is to blame. One critical facet to delighting customers is never to inconvenience them. A DDoS attack could deter an eager site visitor and render them uninterested in buying from your shop.
What happens during a DDoS attack?
A DDoS attack begins with the assembly of a botnet. Once a cybercriminal gains access to and plants malware on thousands or millions of networked devices, they convert them into bots (also called "zombies"). They can use various means to achieve this, including phishing, malicious downloads, unauthorized logins, etc. Once the hacker converts computers into bots, the malware allows the attacker to control all of the devices from one controller.
Hackers can transform a wide range of devices into bots, from personal computers to servers, virtual assistants to microwaves. The rise of the Internet of Things has made these attacks more effective by providing many more devices that can be hijacked without the owner realizing it.
Once a hacker has the botnet in place, they employ one or more DDoS methods to harm their target. There are several kinds of DDoS attack, each targeting a different part of the network. We can group these attacks into three categories: application layer attacks, protocol layer attacks, and volumetric attacks.
Application Layer DDoS Attack
The first form of DDoS attack is the application layer attack. This targets and exploits the application layer of the OSI model, where clients directly interact with the web service. The application layer fields and responds to HTTP requests, which browsers send to web servers when they want to view a web page. These attacks are also called "layer 7 DDoS attacks," as they target the seventh layer of the OSI model.
The goal is to overload the target web server with HTTP requests. A single HTTP request is easy for a bot to send but can be relatively resource-intensive for the server processing it. Application layer DDoS attacks employ high volumes of simultaneous and complex HTTP requests to slow or take down a server.
What's worse, this attack is elusive since bot traffic looks like regular traffic at first — it's just devices making HTTP requests, after all. Strategically, attackers increase demands without the target noticing, then suddenly induce a traffic spike that crashes the target.
Some common instances of application layer attacks are HTTP floods, in which a botnet sends thousands or millions of page requests at once. There are also DNS flood attacks, which seek to overwhelm one or more DNS servers and prevent them from converting domain names to IP addresses.
Protocol Layer DDoS Attack
During a protocol layer DDoS attack, the botnet aims deeper into the server's processes at layers three and four of the OSI model. This is effective because these layers handle the connections between networked devices.
This type of siege exploits the protocols that govern how computers talk to each other. It sends a stream of fake requests that the server cannot process. Servers can handle these faulty requests to some extent, but not thousands or millions at once.
A protocol layer DDoS attack example is a SYN flood attack. A SYN flood turns the Transmission Control Protocol (TCP), which governs how two computers connect over a network, against itself. According to TCP, the client first sends a request (a SYN) to the server. The server then sends back a response (a SYN-ACK). Finally, the client confirms it received the response from the server (an ACK), completing the handshake.
Botnets in a SYN flood initiate TCP connections with SYN requests carrying spoofed source IP addresses. The target server replies to each but never receives the final confirmation from any of the bots. This clogs the queue of half-open connections and drains the server's resources.
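The half-open queue described above can be monitored from the server side. The following is an added example (not from the original post) that replays a constructed TCP flag log, assumed to be in the format `<seq> <src_ip> <flags>`, and flags a suspected SYN flood when half-open entries fill more than an assumed share of the listen backlog:

```python
"""Detect SYN-flood pressure from a constructed server-side TCP flag log.

Added example, not from the original post. Assumed line format:
'<seq> <src_ip> <flag>' where flag is SYN (received), SYN-ACK (sent) or ACK (received).
"""

# Constructed sample: two clients complete the three-way handshake ...
LEGIT = ["1 10.0.0.5 SYN", "2 10.0.0.5 SYN-ACK", "3 10.0.0.5 ACK",
         "4 10.0.0.6 SYN", "5 10.0.0.6 SYN-ACK", "6 10.0.0.6 ACK"]
# ... while 40 spoofed sources get a SYN-ACK and never send the final ACK.
SPOOFED = [f"{7 + 2 * i + j} 198.51.100.{i + 1} {flag}"
           for i in range(40) for j, flag in enumerate(["SYN", "SYN-ACK"])]
SAMPLE_LOG = "\n".join(LEGIT + SPOOFED)


def parse_log(text):
    """Yield (src_ip, flag) pairs, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            _seq, src, flag = line.split()
            yield src, flag


def handshake_state(text):
    """Track each source through the handshake: syn_received -> half_open -> established."""
    state = {}
    for src, flag in parse_log(text):
        if flag == "SYN":
            state.setdefault(src, "syn_received")
        elif flag == "SYN-ACK":
            state[src] = "half_open"          # server replied, waiting for ACK
        elif flag == "ACK" and state.get(src) == "half_open":
            state[src] = "established"        # client finished the handshake
    return state


def syn_flood_indicator(text, backlog=64, max_half_open_ratio=0.5):
    """Summarise handshake states and flag a flood when half-open connections
    exceed max_half_open_ratio of the backlog (both thresholds are assumed;
    tune them to the real listen backlog of your server)."""
    state = handshake_state(text)
    half_open = sum(1 for s in state.values() if s == "half_open")
    established = sum(1 for s in state.values() if s == "established")
    fill = half_open / backlog
    return {"half_open": half_open, "established": established,
            "backlog_fill": fill, "flood_suspected": fill > max_half_open_ratio}
```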
Volumetric DDoS Attack
There's a third type of DDoS attack: volumetric. These take advantage of a target's limited bandwidth. Attackers request vast amounts of data from a server, far more than the server can send at once. Consequently, regular users can't access pages because the bots have consumed the available bandwidth. Like application layer attacks, volumetric DDoS traffic initially appears legitimate but soon escalates with harmful results.
Why do DDoS attacks occur?
DDoS attacks don't breach the target server's security layer but exploit existing network infrastructure vulnerabilities. There's not necessarily a break-in or data theft (though that could coincide). This fact can help clue you into some potential motivations for why DDoS attacks could happen. Some common motivators for launching a DDoS attack include:
- Extortion: In exchange for ceasing DDoS attacks, hackers may request payment.
- Activism: Activist hackers — or "hacktivists" — often employ DDoS attacks to take down a website for a cause or protest against a business, organization, or governing body.
- Diversion: Sometimes a DDoS attack is used to distract IT staff from a different attack on the network, such as data theft or a database injection attack.
- Competition: Some businesses may temporarily launch discreet DDoS attacks to take down a competitor at an inopportune time.
- Recreation: Some folks enjoy wreaking havoc.
How can you mitigate the impact of a DDoS attack?
The key to successfully mitigating a DDoS attack is to reliably distinguish regular traffic from attack traffic.
Think of it this way. Say there's a massive annual sale on your ecommerce site. Your website might experience a higher traffic volume, and you'll likely assume those visitors are eager customers. But it's also possible that a hacker is targeting your site.
So how do you mitigate a hacker eager to take your site down? If you drop or limit traffic, you risk accidentally tossing out good traffic. Your best bet is to take a multifaceted approach. Here are some ways you can respond to a DDoS attack.
- Rate limiting: This involves capping the number of requests a server accepts over a designated period.
- Web application firewall: This tool helps you specifically mitigate a layer 7 attack. The web application firewall acts as a reverse proxy and protects the server from various forms of malicious traffic.
- Blackhole routing: If implemented without specific filtering criteria, this drops both legitimate and attack traffic. Still, it can be used as a defense during a DDoS attack.
- Anycast network diffusion: Lastly, you can use an Anycast network, which scatters the traffic across a set of distributed servers. The network absorbs the traffic.
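Rate limiting is the one mitigation above that is easy to show in code, and it is also the natural counter to the HTTP floods described in the application layer section. The following is an added example (not from the original post) of a per-client sliding-window limiter replayed over a constructed access log, assumed to be in the format `<epoch_seconds> <client_ip> <method> <path>`; the limit and window values are assumptions to tune for your own site:

```python
"""Per-client sliding-window rate limiting over a constructed HTTP access log.

Added example, not from the original post. Assumed line format:
'<epoch_seconds> <client_ip> <method> <path>'.
"""
from collections import defaultdict, deque

# Constructed sample: 203.0.113.7 browses at a human pace (one request every
# 10 s); 198.51.100.9 fires 8 requests within the same second, an HTTP flood
# pattern where a bot hammers a single resource-intensive page.
SAMPLE_LOG = "\n".join(
    [f"{100 + 10 * i} 203.0.113.7 GET /product/{i}" for i in range(5)]
    + ["100 198.51.100.9 GET /checkout" for _ in range(8)]
)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)  # client -> timestamps still inside the window

    def allow(self, client, ts):
        """Return True if the request at time `ts` is within the client's budget."""
        recent = self.history[client]
        while recent and ts - recent[0] >= self.window:  # evict timestamps that aged out
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(ts)
        return True


def apply_rate_limit(log_text, limit=5, window=10):
    """Replay the log in timestamp order and return accepted/dropped counts per client."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    entries = []
    for line in log_text.splitlines():
        ts, client, _method, _path = line.split()
        entries.append((int(ts), client))
    for ts, client in sorted(entries):
        outcome = "accepted" if limiter.allow(client, ts) else "dropped"
        stats[client][outcome] += 1
    return dict(stats)
```

The shopper is never throttled, while the bursting client keeps only its first five requests; a real deployment would key on more than the source address, since a botnet spreads the same burst across many addresses.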
Protecting Your Site From a DDoS Attack
One more piece of not-so-great news: DDoS attacks are becoming more elaborate every year. Today's attacks combine multiple methods described above, assisted by machine learning and artificial intelligence to scope out vulnerable devices and hit them where it hurts most.
However, by keeping a close eye on your traffic levels and staying vigilant to online threats, your business can thwart small-time DDoS attempts and recover from successful ones. Unfortunately, it all comes with the territory, and it's your responsibility to keep your website up and your visitors happy.
Editor's note: This post was originally published in January 2021 and has been updated for comprehensiveness.