
DDoS Protection & Prevention

A distributed denial-of-service (DDoS) attack is one in which many hosts, operating together, attack a single target. DDoS attackers often rely on a botnet, a group of hijacked Internet-connected devices, to carry out large-scale attacks: they exploit security vulnerabilities to take control of numerous devices and then direct them through command-and-control (C2) software.

The goal of a DDoS attack is to exhaust network bandwidth, server resources, or applications in such a way that legitimate users cannot access a site. The purpose for such attacks, however, can vary widely.

A DoS (denial-of-service) attack is an attempt by a single attacking host to make a computer resource unavailable to its intended users; a DDoS attack does the same from many hosts at once. For example, a DDoS attack may flood a website's servers with bogus traffic, causing an outage. People launch these attacks for many reasons: to extort money, seek revenge, gain a competitive edge, destabilize a government, or stage a social or political protest.

  1. Volume-based/Volumetric Attacks: use connectionless protocols such as UDP to congest site bandwidth.
  2. Protocol Attacks: seek to overwhelm specific devices, including web servers, firewalls, and load balancers. These connection-based attacks typically work by exhausting the number of concurrent sessions that a device can handle.
  3. Application/Layer 7 Attacks: target specific applications or servers by completing a connection and then exhausting application resources with requests that look legitimate (HTTP floods, slow-request attacks).

Firewalls can be helpful in detecting an incoming DDoS attack, but they can't do much to defend against it, because:

  1. Firewalls can be easily overwhelmed and rendered useless. At the size of a typical DDoS attack, the link in front of the firewall and the firewall's own capacity saturate quickly, and the attack proceeds unabated.
  2. Firewall rules can be fooled when the attack initially looks like legitimate network traffic, as a SYN flood does. Dedicated DDoS protection, which uses deep packet inspection and specific countermeasures against each type of DDoS attack, is very different from the static operation of firewall traffic rules.
  3. Not all targeted assets sit behind a firewall. Websites on the perimeter network, as well as applications and DNS services provided through third-party platforms, cannot be protected by an on-premises firewall, however current its rule set.

Volumetric attacks feature a large volume of traffic, often from botnets, and attempt to overwhelm a network or service. Protocols that can be abused or targeted include:

  • AMT – Automated Multicast Tunneling Protocol
  • ARP – Address Resolution Protocol
  • BGP – Border Gateway Protocol
  • BOOTP – Bootstrap Protocol
  • DHCP – Dynamic Host Configuration Protocol
  • DNS – Domain Name System Protocol
  • FTP – File Transfer Protocol
  • GRE – Generic Routing Encapsulation
  • HTTP – Hypertext Transfer Protocol
  • HTTPS – Hypertext Transfer Protocol Secure
  • ICMP – Internet Control Message Protocol
  • IMAP – Internet Message Access Protocol
  • MVRP – Multiple VLAN Registration Protocol
  • NNTP – Network News Transfer Protocol
  • NTP – Network time protocol
  • OSPF – Open Shortest Path First Routing Protocol
  • PIM – Protocol Independent Multicast
  • POP – Post Office Protocol
  • PPPoE – Point-to-Point Protocol over Ethernet
  • PPP – Point-to-Point Protocol
  • PTP – Precision Time Protocol
  • RADIUS – Remote Authentication Dial-In User Service
  • RTPS – Real-Time Publish-Subscribe Protocol
  • SFTP – SSH File Transfer Protocol
  • SMTP – Simple Mail Transfer Protocol
  • SNMP – Simple network management protocol
  • SSH – Secure shell
  • SSL – Secure Socket Layer
  • TCP – Transmission Control Protocol
  • Telnet – Telnet remote login protocol
  • TLS – Transport Layer Security
  • TTL – Time To Live

An SSDP amplification attack uses the Simple Service Discovery Protocol, the UDP protocol designed to advertise and discover plug-and-play (UPnP) devices, as an attack vector.

Amplification attacks begin with the attacker spoofing the target's IP address as the source of its requests. This is one reason the majority of amplification attacks target services that use UDP: it is a connectionless protocol, so the server does not validate the source IP address before answering. The attacker then sends many small queries to a server or resource that generates a very large response, and the server delivers that response to the spoofed source address, the target.

  • Cross-site scripting (XSS) is a form of injection in which an attacker injects malicious script into a web application. The end user will have no idea that a hacked site should not be trusted.
  • Cross-site request forgeries (CSRFs) trick end users into executing state-change actions on a web app with which they are authenticated. Such attacks can instigate actions such as transferring funds or changing email addresses.
  • SQL injections are a well-known exploit in which attacker-controlled input from the client is inserted into a SQL query that the application builds by string concatenation, so the input is executed as part of the query rather than treated as data.

  • Used in completely opportunistic attacks, affecting individuals’ home computers, as well as targeted strikes against organizations
  • Attempted with little risk or cost to the adversary involved
  • Successful, with no reliance on having to monetize stolen data
  • Deployed across numerous devices in organizations to inflict bigger impacts and command bigger ransoms

  • Spoofed/Non-spoofed DoS Attacks
  • TCP (SYN, etc.), ICMP, UDP Floods
  • Botnets
  • Blackenergy, Darkness, YoYoDDoS, etc.
  • Common DoS/DDoS Tools
  • Slowloris/Pyloris, Pucodex, Sockstress, ApacheKiller
  • Voluntary Botnets (Anonymous, etc.)
  • HOIC, LOIC, etc.
  • Application Attacks
  • HTTP URL GET/POST Floods
  • Malformed HTTP Header Attacks
  • Slow-HTTP Request Attacks
  • SYN Floods Against SSL Protocols
  • Malformed SSL Attacks
  • SSL Renegotiation Attacks
  • SSL Exhaustion (Single Source/Distributed Source)
  • DNS Cache Poisoning Attacks
  • DNS Request Floods
  • SIP Request Floods
  • Custom Attacks – Unique to Your Service
  • Location-based IP Addresses

WannaCry is a ransomware cryptoworm that targets machines running certain older versions of Microsoft Windows. One characteristic that made this malware dangerous was the number of different components it contained, including a worm-style transport mechanism that spread it through a network without any user action.

Reflection and amplification attacks often come as a pair, though they serve two different but often compatible purposes. By spoofing source addresses, attackers can hide their identity by “reflecting” requests off a third party. Amplification attacks add to this by taking advantage of processes in which a small query will have a large — sometimes very large — response. Amplification attacks are, by nature, always reflection attacks as well.
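The tell-tale sign of the reflection described above is that the victim receives large replies it never requested. The following is an added example, not Vercara's or the page's own code: it scans constructed NetFlow-style records for hosts in an assumed protected prefix (203.0.113.0/24) that receive large UDP replies from several reflector services without a matching outbound request. The reflector port list and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag likely reflection/amplification traffic in NetFlow-style records.

Added example, not Vercara's or the page's own code. The flow records,
the protected prefix 203.0.113.0/24 (TEST-NET-3) and the thresholds are
constructed assumptions; tune them to your own baseline.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumed list; extend as needed).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}
PROTECTED = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    octets: int


def analyze(flows, min_sources=3, min_bytes_per_packet=400):
    """Return {victim_ip: findings} for hosts in PROTECTED that receive
    unsolicited, large UDP replies from several reflector services.

    A reflected reply is one the victim never asked for: the spoofed request
    left the attacker's network, so no matching outbound flow exists here.
    """
    # Outbound requests we legitimately sent: (client, server, server_port).
    requested = set()
    for f in flows:
        if (f.proto == "udp" and ipaddress.ip_address(f.src_ip) in PROTECTED
                and f.dst_port in REFLECTOR_PORTS):
            requested.add((f.src_ip, f.dst_ip, f.dst_port))

    per_victim = defaultdict(lambda: {"sources": set(), "services": set(),
                                      "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if ipaddress.ip_address(f.dst_ip) not in PROTECTED:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requested:
            continue                      # solicited reply, not reflection
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["services"].add(REFLECTOR_PORTS[f.src_port])
        v["packets"] += f.packets
        v["octets"] += f.octets

    findings = {}
    for victim, v in per_victim.items():
        bpp = v["octets"] / v["packets"]   # amplified replies are large packets
        findings[victim] = {
            "unsolicited_sources": len(v["sources"]),
            "services": sorted(v["services"]),
            "bytes_per_packet": round(bpp),
            "flagged": len(v["sources"]) >= min_sources and bpp >= min_bytes_per_packet,
        }
    return findings


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    # 203.0.113.10 never sent requests, yet receives big replies from many reflectors.
    Flow("198.51.100.5", 53, "203.0.113.10", 49123, "udp", 900, 1_200_000),
    Flow("198.51.100.6", 53, "203.0.113.10", 49123, "udp", 800, 1_050_000),
    Flow("192.0.2.7", 123, "203.0.113.10", 49123, "udp", 1500, 700_000),
    Flow("192.0.2.8", 1900, "203.0.113.10", 49123, "udp", 600, 1_900_000),
    # 203.0.113.20 asked its resolver for DNS and got normal-sized answers back.
    Flow("203.0.113.20", 51000, "198.51.100.53", 53, "udp", 10, 800),
    Flow("198.51.100.53", 53, "203.0.113.20", 51000, "udp", 10, 1_500),
    # Ordinary TCP traffic is ignored entirely.
    Flow("192.0.2.9", 443, "203.0.113.20", 52000, "tcp", 50, 60_000),
]

if __name__ == "__main__":
    for victim, f in analyze(SAMPLE_FLOWS).items():
        print(victim, f)
```

The request/reply pairing is what separates reflection from a busy but legitimate resolver: the host at 203.0.113.20 sees replies only from the server it queried, while 203.0.113.10 is answered by four servers it never contacted. In production the same logic should run over a time window and be fed from your flow exporter rather than an in-memory list.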

Bots are programs that perform an automated, often repetitive, task. Botnets are a group of connected devices that run a bot or multiple bots. Botnets are commonly used in a DDoS attack.

  • Anomaly Based Detection
  • Hybrid Attack Detection
  • Passive Log Review Detection
  • Pattern-Based Attack Detection
  • Proactive Detection
  • Real-time Anomaly Detection

DDoS attacks are increasingly used as a smokescreen for web application attacks: the goal is not to bring the target down but to distract defenders while the attacker carries out a vulnerability assessment of the target's web applications.

A WAF is a security solution that is utilized to monitor, filter or block inbound and outbound web application traffic.

Vercara UltraDDoS Protect is a DDoS mitigation service. UltraDDoS Protect scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure.

UltraWAF is a cloud-provider, hardware, and CDN agnostic security solution, making it compatible anywhere applications are hosted. Integrated with Vercara’s always-on DDoS mitigation service, the combination provides a comprehensive, layered protection stack that proactively prevents bot-based volumetric attacks, as well as threats that target the application layer, such as SQL injection, XSS, CSRF, session hijacking, data exfiltration, and zero-day vulnerabilities.

Vercara maintains PCI DSS Level 1 compliance for its UltraWAF and UltraDDoS Protect solutions. Vercara is audited annually by a third-party Qualified Security Assessor (QSA). Vercara’s Attestation of Compliance (AoC) is available upon request.

With a low TTL, your DNS changes take effect faster throughout the Internet. The TTL determines how long recursive servers cache your records; the lower the TTL, the sooner these servers seek new answers from your authoritative DNS server. The common default TTL is 86400 seconds (24 hours), far too long when you’re under a DDoS attack. Vercara recommends that you set the TTL for your DNS A records to 300 seconds (five minutes), so that changes propagate quickly and you can redirect and protect your traffic. Lower the TTL in advance: resolvers keep serving the old record for the old TTL, so a change made only after the attack begins does not take effect immediately.
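A quick way to find records that would slow down a redirect is to audit the zone file before an incident. The following is an added example, not Vercara's or the page's own code: it parses a small, constructed BIND-style zone and lists the A/AAAA records whose effective TTL, explicit or inherited from $TTL, exceeds the 300-second recommendation above. The zone content, names and addresses are made up, and multi-line (parenthesized) records are not handled.

```python
"""Audit DNS record TTLs before (or during) a DDoS event.

Added example, not Vercara's or the page's own code. Parses a constructed
BIND-style zone file and lists A/AAAA records whose effective TTL exceeds
the recommended 300 seconds. Assumptions: single-line records, no quoted
';' inside TXT data, and a fallback default when the zone has no $TTL.
"""
import re

TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DEFAULT_TTL = 86400   # assumed fallback when the zone carries no $TTL directive


def parse_ttl(token):
    """Convert a BIND TTL token such as '300', '5m' or '1d' to seconds, else None."""
    m = TTL_RE.match(token)
    if not m:
        return None
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_zone(text):
    """Return (owner, ttl, rtype, rdata) tuples; $TTL sets the default TTL
    for records that omit an explicit one, and a leading blank on a line
    means 'same owner as the previous record'."""
    default_ttl = DEFAULT_TTL
    last_owner = "@"
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0].startswith("$"):
            continue                            # $ORIGIN etc. not needed here
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        last_owner = owner
        ttl = default_ttl
        if fields and parse_ttl(fields[0]) is not None:
            ttl = parse_ttl(fields.pop(0))      # explicit TTL column
        if fields and fields[0].upper() == "IN":
            fields.pop(0)                       # optional class
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records.append((owner, ttl, rtype, rdata))
    return records


def long_ttl_records(text, max_ttl=300, types=("A", "AAAA")):
    """Records that recursive resolvers would keep cached longer than max_ttl."""
    return [(o, t, rt, rd) for o, t, rt, rd in parse_zone(text)
            if rt in types and t > max_ttl]


# Constructed zone, not a real one.
SAMPLE_ZONE = """\
$TTL 1d                      ; default 86400s: too slow to re-route under attack
@       IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300
        IN NS  ns1.example.com.
www     300 IN A   203.0.113.10     ; already 5 minutes
api         IN A   203.0.113.11     ; inherits $TTL (86400)
mail    1h  IN A   203.0.113.12
        1h  IN AAAA 2001:db8::12
_sip._tcp 300 IN SRV 10 5 5060 sip.example.com.
"""

if __name__ == "__main__":
    for owner, ttl, rtype, rdata in long_ttl_records(SAMPLE_ZONE):
        print(f"{owner:<10} {rtype:<5} {rdata:<16} TTL {ttl}s > 300s")
```

The records without an explicit TTL column are the ones most often missed in a manual review, because nothing on their line says 86400; the parser attributes the inherited value so they show up in the report.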

An HTTP flood attack is a high-volume, application-layer (Layer 7) attack designed to overwhelm a web server with HTTP GET or POST requests that individually look legitimate.
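Because each request in an HTTP flood is well-formed, detection relies on rate and pattern rather than on packet contents. The following is an added example, not Vercara's or the page's own code: it parses constructed Apache combined-format access log lines and reports, per client IP, the peak number of requests in any sliding window. The 10-second window and the threshold of 20 requests are assumptions, not a recommended setting.

```python
"""Spot HTTP-flood sources in web-server access logs.

Added example, not Vercara's or the page's own code. The log lines are
constructed in Apache combined format; the window and threshold are
assumptions to be tuned against the site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT).timestamp()
    return rec


def peak_rate(timestamps, window):
    """Largest number of requests that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(ts):
        while t - ts[left] >= window:   # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flooders(lines, window=10, threshold=20):
    """Per-IP summary; 'flagged' means the peak rate reached the threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        peak = peak_rate([r["ts"] for r in recs], window)
        report[ip] = {
            "requests": len(recs),
            "peak_per_window": peak,
            # Many distinct query strings to one endpoint is a cache-busting hint.
            "distinct_paths": len({r["path"] for r in recs}),
            "flagged": peak >= threshold,
        }
    return report


def _line(ip, second, path, ua):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed log: 25 requests in five seconds from one client, a few from another.
SAMPLE_LOG = (
    [_line("198.51.100.77", i // 5, "/search?q=" + str(i), "python-requests/2.31")
     for i in range(25)]
    + [_line("192.0.2.10", s, p, "Mozilla/5.0") for s, p in ((1, "/"), (7, "/about"), (30, "/contact"))]
)

if __name__ == "__main__":
    for ip, summary in find_flooders(SAMPLE_LOG).items():
        print(ip, summary)
```

Rate alone misfires for clients behind a shared NAT or proxy, so in practice the peak count is weighed together with the other columns: a flood from a bot typically shows a non-browser user agent and a stream of unique query strings aimed at an expensive endpoint, which is what the distinct_paths figure is there to expose.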

An NTP flood is a DDoS attack that targets an NTP server directly, flooding it with traffic so that it cannot respond to legitimate clients. This is distinct from NTP amplification, in which the attacker abuses NTP servers as reflectors to direct large responses at a third-party target.