Inside a DDoS attack

Everyone who runs a website has heard of DDoS attacks and hopes never to see one at their doorstep. But, what do you really know about these attacks? Our perception can be muddied by several myths and misconceptions. Also, to efficiently protect one’s website from such attacks one needs to understand what they are. Let’s review the fundamentals.

Understanding DDoS attacks

A DDoS (Distributed Denial of Service) attack takes place when a hacker sends a lot of traffic to a particular website, essentially overwhelming it. The website server gets overloaded with these malicious requests and can’t function properly so it becomes inaccessible to visitors.

Perhaps you have seen situations when a website of some company can’t be accessed at the time of an important event or release connected to it (maybe it has even happened to you – and hey, there’s no shame in it; it has also happened even to Amazon). It occurs when the traffic is too high and the company’s servers can’t handle it.

A DDoS attack seeks to emulate such a situation, only without the pleasant (save for the headache that is fixing it!) feeling that you managed to draw so many people to your website.

In a sense, this type of attack is somewhat similar to spam: flooding a resource with tons of undesired information and making it hard to find the legitimate emails. Or, in this case, simply crashing the website.

In a DDoS attack, the perpetrator gains access to computers or other devices that are connected to the Internet and uses their bandwidth to perform the attack. Most often, the owners of the devices being used for this purpose are not even aware of it. Usually, to hijack a device, the hacker needs to infect it with malware, but this isn’t always the case.

Sometimes, one can find themselves as a part of a DDoS attack because of some seemingly safe activity they did online.

One example of that is the 2015 attack on 8chan. To gather their army of invading devices, the hacker bought the bandwidth of the users of a popular VPN/proxy address provider through its sister company. Then, people who simply wanted to hide their IPs basically had them borrowed to commit a crime. While using that bandwidth to perform an assault on any website is illegal, buying and selling IPs is not. Those users should have read the terms of service, which allowed it.

Since malicious traffic is coming from so many sources at once, it is nearly impossible to stop it and block all of it.

Why are such attacks carried out? The primary reason is money, as it’s possible to extort some from the unfortunate victim to stop the attack. On the other hand, sometimes DDoS attacks are performed just out of spite and to sow discord.

But why are DDoS attacks particularly dangerous today, you might ask? The answer is simple. Just like any technology, the modern Internet of Things devices that we all love so much can be and are used by bad actors for their own purposes, which often involve conducting denial-of-service attacks on websites.

And the scariest thing here is the number of IoT devices. As of 2019, there are almost 27 billion of them worldwide. Moreover, the security of such devices is often lacking, as their developers tend to focus more on functionality and, pardon the slang, the oomph of their tools than on the questions of cybersecurity, which are generally rather boring to the public and can’t be used in advertising as effectively. These two factors put together make our IoT environment something of a time bomb waiting to go off at some hacker’s prompt. The most famous example of an IoT-powered DDoS attack is, perhaps, the one carried out by the Mirai botnet in 2016.

How can DDoS attacks be prevented?

Most of the ways to protect one’s network or website from DDoS attacks rely on rapid detection. Speed is very important here because the faster the attack is blocked, the less damage it can do.

Detecting a DDoS attack can’t be reliably done by a human specialist because of how much data they would need to sift through and how rapidly. Therefore, technical methods have to be used. Of course, since they are not operated by humans, they must be given criteria for what qualifies as abnormal activity. Such criteria may include certain IP addresses and IP ranges that are to be blacklisted, variations of HTTP cookies, etc.

Once a likely attack is detected, it needs to be quarantined. Today, this is done via a cloud-based solution most of the time, because hardware solutions are often too limited in scope and don’t have enough capacity to deal with all the malicious traffic that comes with a DDoS attack.

There are various means of ridding your website of this undesirable traffic. Black-hole routing, for example, routes it to a dead address to which no host machine is assigned, so the DDoS traffic is “dropped” there harmlessly.

“Scrubbing” data centers are another way of filtering traffic. All traffic coming to your website is transferred to such a data center, where it is determined whether it’s legitimate or not.

Another undoubtedly cool way to protect your website from DDoS attacks is a very futuristic one. However, today we have technologies that just a few decades ago were unimaginable as something that would actually be available to mere mortals.

I’m talking, of course, of artificial intelligence and machine learning (AI and ML).

The main benefit of machine learning is that it’s not simply a set of filters, which is what legacy protection measures often provide. It can genuinely learn the patterns that characterize a given kind of traffic. What interests us most is that AI can be taught what a particular website’s traffic normally looks like and can notice any irregularities faster and more efficiently than any human can.

However, unlike simple filtering mechanisms, AI is not limited to a fixed rule set. It doesn’t need a strict set of filters to determine whether an attack is happening because, just like a human being (at least in theory), it can recognize something it has never seen before (and hasn’t been told by a human is a malicious attempt) as a threat.
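The two detection ideas above, fixed criteria such as blacklisted IP ranges on the one hand and a learned picture of what the site’s traffic normally looks like on the other, can be shown together in a small script. The following is an added example written for this article, not code from the author or from any protection product. The access-log records, the blocklist entries and the baseline numbers are all constructed for illustration (documentation address ranges, hypothetical counts), and the baseline check is a simple statistical stand-in (mean plus three standard deviations of normal per-source request counts) for the machine-learning models the article describes.

```python
"""Toy DDoS detector: blocklist matching plus a baseline-derived rate threshold.
Added example for this article; all data below is constructed, not real traffic."""
import ipaddress
import statistics
from collections import Counter

# Constructed baseline: requests made by a single source in one 10-second window,
# sampled during normal operation. Hypothetical numbers, not measured from any site.
NORMAL_WINDOW_COUNTS = [2, 3, 2, 4, 3, 2, 3, 5, 2, 3]

# Hypothetical blocklist (documentation ranges) of sources the operator drops outright.
BLOCKLIST = ["192.0.2.0/24", "203.0.113.50"]

WINDOW_SECONDS = 10

# Constructed access-log records: (timestamp in seconds, client address, path).
# Three ordinary visitors, one blocklisted source, and one source sending a flood.
SAMPLE_REQUESTS = [
    (0, "198.51.100.7", "/"),
    (1, "198.51.100.7", "/about"),
    (2, "198.51.100.7", "/contact"),
    (2, "203.0.113.9", "/"),
    (8, "203.0.113.9", "/about"),
    (4, "192.0.2.33", "/"),
] + [(3 + i % 7, "198.51.100.200", "/") for i in range(40)]


def parse_blocklist(entries):
    """Turn strings like '192.0.2.0/24' or '203.0.113.50' into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_blocklisted(address, networks):
    """Static criterion: does the source fall inside any blacklisted range?"""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def rate_threshold(normal_counts, k=3.0):
    """Requests per window above which one source counts as abnormal:
    mean of the normal baseline plus k standard deviations."""
    return statistics.mean(normal_counts) + k * statistics.stdev(normal_counts)


def peak_rate_per_source(requests, window_seconds=WINDOW_SECONDS):
    """Highest number of requests each source made within any single window."""
    counts = Counter((ip, ts // window_seconds) for ts, ip, _path in requests)
    peaks = {}
    for (ip, _bucket), n in counts.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


def detect(requests, normal_counts=NORMAL_WINDOW_COUNTS, blocklist=BLOCKLIST):
    """Return {source_ip: reason} for sources that should be dropped or scrubbed.
    Blocklist hits take precedence; everything else is judged against the baseline."""
    networks = parse_blocklist(blocklist)
    threshold = rate_threshold(normal_counts)
    flagged = {}
    for ip, peak in peak_rate_per_source(requests).items():
        if is_blocklisted(ip, networks):
            flagged[ip] = "blocklisted"
        elif peak > threshold:
            flagged[ip] = f"rate {peak}/window exceeds baseline threshold {threshold:.1f}"
    return flagged


if __name__ == "__main__":
    for ip, reason in sorted(detect(SAMPLE_REQUESTS).items()):
        print(f"{ip}: {reason}")
```

Run as a script, it reports the blocklisted source and the flooding source while leaving the two ordinary visitors alone. The interesting part is that the flood is caught without any rule naming its address: the threshold comes entirely from what normal traffic looked like, which is the same principle, in miniature, that the learned-baseline approach relies on.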

All in all, there are many methods of protection against DDoS attacks. Most of them come in the form of a service that can be acquired from a security firm. And indeed, such protection is not cheap. Whether your website needs it is a difficult question, and there is no universal answer. Some sites are more likely to get attacked than others. Some can afford to go down for a couple of hours while others can’t.

The choice is yours. But I hope that now you know a bit more about DDoS attacks and approaches to defend against them.

[Editor’s note: this is a contributed article. Information about the author is found below.]

Sam Chester is a co-founder of Cooltechzone.com, a website dedicated to online privacy and cybersecurity. His area of expertise includes data security and analytics, software, and Internet censorship. He is a staunch supporter of limiting the role of government agencies in the lives of the citizens.
