What is a DDoS Attack?

A Denial-of-Service attack, or DoS attack, targets a server, service, or network in an attempt to overwhelm or crash it by flooding it with bogus Internet traffic or requests. The overwhelmed target slows down or stops serving its legitimate users because its resources are exhausted or unavailable.

A Distributed Denial-of-Service attack, or DDoS attack, is a DoS attack that uses multiple compromised or controlled sources to generate the attack traffic.

DDoS attacks can target any of the seven “layers” of the Open Systems Interconnection (OSI) model. The OSI model is a conceptual model that breaks network communication down into seven layers: 1) Physical, 2) Data Link, 3) Network, 4) Transport, 5) Session, 6) Presentation, and 7) Application. The most common targets of DDoS attacks are the Network (Layer 3), Transport (Layer 4), and Application (Layer 7) layers.

While all DDoS attacks involve flooding their target with malicious Internet traffic, they can be divided into three categories: 1) volumetric attacks, 2) protocol attacks, and 3) application layer attacks.

Volumetric attacks aim to create congestion between the target and the wider Internet. The congestion is created at the network layer (Layer 3), slowing web performance and degrading access for legitimate users. These attacks often use amplification to generate large volumes of data.

Protocol attacks, also known as state-exhaustion attacks, target vulnerabilities at Layer 3 (network) and Layer 4 (transport) of the OSI model. They consume all the available capacity of web servers or of intermediate resources such as firewalls and load balancers.

Application layer attacks, also known as Layer 7 DDoS attacks, aim to exhaust server resources by targeting the layer where web pages are generated and delivered in response to HTTP or HTTPS requests.

Why is DDoS Prevention Important to Software Developers?

A DDoS attack can cost an organization both time and money. These costs include but are not limited to:

  • Data loss
  • Information leakage
  • Monetary loss
  • Extended work hours
  • Problems with time-sensitive projects
  • Losing user trust
  • Damage to the organization's or business's reputation

Examples of DDoS attacks:

In 2000, Michael Calce, a 15-year-old boy who used the online name “Mafiaboy,” launched one of the first recorded DDoS attacks. Calce hacked into the computer networks of several universities. He used their servers to operate a DDoS attack that crashed several major websites, including CNN, E-Trade, eBay, and Yahoo. Calce was convicted of his crimes in the Montreal Youth Court. As an adult, he became a “white-hat hacker” identifying vulnerabilities in the computer systems of major companies.

In 2016, a massive DDoS attack was launched against Dyn, a major Domain Name System provider. The attack took down thousands of websites, including major sites and services such as AirBnB, CNN, Netflix, PayPal, Spotify, Visa, Amazon, The New York Times, Reddit, and GitHub. The attack affected stock prices and was a wake-up call about the vulnerability of IoT services.

In 2018, one of the largest DDoS attacks in history was launched against GitHub. However, due to precautionary measures, the platform was only taken offline for a matter of minutes. The malicious Internet traffic was routed through scrubbing centers to limit the damage. GitHub was back up and running within 10 minutes.

Businesses are not the only targets of DDoS attacks; financial institutions and governments also face increasingly directed and specific attacks.

Check out this how-to video to learn about the importance of application security and follow along with the steps below.

DDoS Mitigation

Identify Unusual Internet Traffic

An obvious sign of a DDoS attack is the sudden unavailability of a site or service, or a sudden drop in its performance. While obvious, it is not a definite sign of an attack: a sudden increase in the number of legitimate users accessing the site or service can look the same. This difficulty in distinguishing malicious traffic from legitimate user traffic is a major problem when dealing with DDoS attacks.

Some other signs of a DDoS attack include but are not limited to:

  • Suspicious amounts of traffic from a single IP address or IP range
  • Floods of traffic from users with a common behavioral profile, such as device type, geolocation, or web browser version
  • Unexplained surge in requests to a single page or endpoint
  • Odd traffic patterns, such as spikes at odd hours of the day or spikes that recur every x minutes
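The first and third signs above can be checked mechanically from an access log. The following is an added example, not code from the original post: it buckets constructed log lines by minute, counts requests per source IP and per endpoint, and flags single-IP floods and single-endpoint surges. The log format (`<ISO timestamp> <ip> <method> <path>`) and the thresholds are assumptions chosen for the demo.

```javascript
// Added example, not code from the original post: bucket constructed access-log
// lines by minute, count requests per source IP and per endpoint, and flag the
// single-IP floods and single-endpoint surges listed above. The log format
// "<ISO timestamp> <ip> <method> <path>" and the thresholds are assumptions.
const LINE_RE = /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;                       // skip malformed lines instead of crashing
  const [, ts, ip, method, path] = m;
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return null;
  return { minute: Math.floor(t / 60000), ip, method, path };
}

// Returns alerts of the form {kind: 'ip_flood', minute, ip, count} or {kind: 'path_surge', minute, path, count}.
function analyzeLog(lines, { perIpLimit = 100, perPathLimit = 300 } = {}) {
  const byIp = new Map();    // key "minute|ip"   -> request count
  const byPath = new Map();  // key "minute|path" -> request count
  const bump = (map, key) => map.set(key, (map.get(key) || 0) + 1);
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    bump(byIp, `${rec.minute}|${rec.ip}`);
    bump(byPath, `${rec.minute}|${rec.path}`);
  }
  const alerts = [];
  for (const [key, count] of byIp) {
    const [minute, ip] = key.split('|');
    if (count > perIpLimit) alerts.push({ kind: 'ip_flood', minute: Number(minute), ip, count });
  }
  for (const [key, count] of byPath) {
    const [minute, path] = key.split('|');
    if (count > perPathLimit) alerts.push({ kind: 'path_surge', minute: Number(minute), path, count });
  }
  return alerts;
}

// Constructed sample: 12 ordinary clients, one source hammering /login 60 times in
// one minute, and 40 distinct sources hitting /api/search in the next minute.
function buildSampleLog() {
  const lines = [];
  const sec = (i) => String(i % 60).padStart(2, '0');
  for (let i = 0; i < 12; i++) lines.push(`2024-05-01T10:00:${sec(i)}Z 198.51.100.${i + 1} GET /home`);
  for (let i = 0; i < 60; i++) lines.push(`2024-05-01T10:00:${sec(i)}Z 203.0.113.5 POST /login`);
  for (let i = 0; i < 40; i++) lines.push(`2024-05-01T10:01:30Z 192.0.2.${i + 1} GET /api/search`);
  return lines;
}
console.log(analyzeLog(buildSampleLog(), { perIpLimit: 50, perPathLimit: 30 }));
```

The /api/search surge comes from 40 different addresses, so a per-IP threshold alone would never catch it; that is why the endpoint counter is kept alongside it.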

Protecting yourself from a DDoS attack is hard: by the time you identify an attack, it is already in progress, so it is important to plan and be prepared for an attack at any time.

Act As Soon As Possible

Act as soon as possible after an attack is identified; the earlier an attack is identified and controlled, the more readily the harm can be contained. There are technologies and anti-DDoS services that can help companies and organizations recognize unusual Internet traffic and other signs of a DDoS attack.

Internet Service Providers can utilize Blackhole Routing to redirect traffic to a “black hole,” which is a null route, to protect the target website or network from the attack.

An emergency management plan should also be developed for potential DDoS attacks. When an attack occurs, everyone should know their role and the actions they should take. Quick and effective action can greatly reduce the cost of stopping and recovering from an attack.

Firewalls and Routers

Firewalls and routers should be configured to reject bogus traffic, and it is important to keep them up to date with the latest security patches. Firewalls and routers are the first line of defense against an attack.

Artificial Intelligence

AI programs can help identify and defend against known DDoS traffic patterns. Internet traffic can be quickly routed to the cloud, where it is analyzed and malicious traffic is blocked before it reaches the targeted website or network server.

Rate Limiting

Limit the number of requests a server will accept over a given timeframe. For rate limiting, it is very important to identify where an application is vulnerable to a DDoS attack: the pages, features, or API endpoints that involve backend queries. The limit depends on the application and on the function of the request sent to the server; for example, 3 login attempts or 6 content-refresh requests within a minute. There can also be penalties for exceeding the rate limit, including but not limited to allowing a retry only after a certain timeframe, account lockdown, and redirection to another page.

Typically, rate limiting works by tracking the IP address of the request sender. An IP address is the main identifier of a requester: a unique numerical or alphanumerical identifier assigned to any device that connects to the Internet. Rate limiting measures the time between requests from an IP address and the number of requests an IP address sends within a timeframe; requests are rejected once the rate exceeds the limit.

There are also other trackers for rate limiting, such as when rate limiting is applied to user logins. When deploying rate-limiting protection on the user authentication process, it is recommended to use a combination of IP address and username as the trackers, because with user logins two possible situations can occur:

1) Using the IP address alone as the tracker, an attacker can make login attempts from multiple IP addresses to guess the password and break into the targeted account. These IP addresses can come from any compromised or controlled source. With the IP address alone as the tracker, login attempts on a single account are unlimited as long as the attacker can obtain new IP addresses from which to send requests.

2) Using the username alone as the tracker, an attacker with a list of known usernames can try a variety of commonly used passwords against those usernames and has a chance of breaking into at least a few of those accounts. With the username alone as the tracker, these attempts can all be made from a single IP address.
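The two cases above are covered only when both trackers are enforced at once. The following is an added example, not code from the original post or the express-rate-limit package: a fixed-window limiter that keeps one counter per source IP and one per target username and rejects an attempt when either is exhausted. The window length, the limits, and the injectable clock are assumptions chosen for the demo.

```javascript
// Added example, not code from the original post: a fixed-window login limiter that
// keeps one counter per source IP and one per target username and rejects an attempt
// when either is exhausted, which covers both failure cases described above.
// Window length, limits and the injectable clock are assumptions for the demo.
class LoginRateLimiter {
  constructor({ windowMs = 60000, perIpLimit = 10, perUserLimit = 3, now = () => Date.now() } = {}) {
    Object.assign(this, { windowMs, perIpLimit, perUserLimit, now });
    this.buckets = new Map();   // key -> { count, windowStart }
  }

  // Advance the counter for `key`, opening a fresh window once the old one has expired.
  _hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: t };
      this.buckets.set(key, b);
    }
    return (b.count += 1);
  }

  // Both counters are advanced on every attempt, successful or not, so a client cannot
  // keep one tracker clean while exhausting the other.
  check(ip, username) {
    const ipHits = this._hit(`ip:${ip}`);
    const userHits = this._hit(`user:${username.toLowerCase()}`);
    if (userHits > this.perUserLimit) return { allowed: false, reason: 'username' };
    if (ipHits > this.perIpLimit) return { allowed: false, reason: 'ip' };
    return { allowed: true, reason: null };
  }
}

// Case 1 above: one account targeted from many IPs, one attempt each. An IP-only
// tracker never fires here; the username counter caps the total at perUserLimit.
function attemptsAllowedManyIpsOneAccount(attempts, limiter = new LoginRateLimiter()) {
  let allowed = 0;
  for (let i = 0; i < attempts; i++) if (limiter.check(`203.0.113.${(i % 250) + 1}`, 'alice').allowed) allowed++;
  return allowed;
}

// Case 2 above: one IP trying many usernames. A username-only tracker never fires;
// the IP counter caps the total at perIpLimit.
function attemptsAllowedOneIpManyAccounts(attempts, limiter = new LoginRateLimiter()) {
  let allowed = 0;
  for (let i = 0; i < attempts; i++) if (limiter.check('198.51.100.7', `user${i}`).allowed) allowed++;
  return allowed;
}
```

With express-rate-limit the same idea is two limiter instances on the login route: one with its default per-IP key and one whose keyGenerator option returns the username from the request body.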

Code without Rate Limiter – node.js

    const express = require('express')
    const axios = require('axios')
    const app = express()

    // HacWare API endpoint
    // https://www.hacware.com/doc/index.html
    const domain = '{domain}'
    const path = '/api/v1/auth/'
    const base_url = 'https://' + domain
    const route = base_url + path

    const uid = '{uid}'
    const sec = '{sec}'

    // every request to /auth triggers an outbound API call, with no limit on
    // how often a client may hit this endpoint
    app.get('/auth', function (req, res) {
        axios.post(
            route,
            {
                "uid": uid,
                "sec": sec
            },
        ).then(apiRes => {              // renamed: `res` would shadow the Express response
            console.log(`statusCode: ${apiRes.status}`)   // axios exposes the HTTP status as .status
            res.status(apiRes.status).json(apiRes.data)   // reply to the client
        }).catch(error => {
            console.error(error)
            res.status(502).send('Upstream authentication request failed')
        })
    })

    app.listen(3000)

Code with Rate Limiter – node.js

Node package: express-rate-limit

Package installation

    npm install express-rate-limit

Application code

    const express = require('express')
    const axios = require('axios')
    // rate limiter node package
    const rateLimit = require('express-rate-limit')
    const app = express()

    // HacWare API endpoint
    // https://www.hacware.com/doc/index.html
    const domain = '{domain}'
    const path = '/api/v1/auth/'
    const base_url = 'https://' + domain
    const route = base_url + path

    const uid = '{uid}'
    const sec = '{sec}'

    const limiter = rateLimit({
        windowMs: 15 * 60 * 1000,       // 15 minutes
        max: 100,                       // limit each IP to 100 requests per window
        message: 'Too many requests'    // error message sent to the client when max is exceeded
    })

    // apply the limiter to all requests; it keys on req.ip, so behind a reverse
    // proxy set app.set('trust proxy', ...) or every client shares the proxy's address
    app.use(limiter)

    app.get('/auth', function (req, res) {
        axios.post(
            route,
            {
                "uid": uid,
                "sec": sec
            },
        ).then(apiRes => {              // renamed: `res` would shadow the Express response
            console.log(`statusCode: ${apiRes.status}`)   // axios exposes the HTTP status as .status
            res.status(apiRes.status).json(apiRes.data)   // reply to the client
        }).catch(error => {
            console.error(error)
            res.status(502).send('Upstream authentication request failed')
        })
    })

    app.listen(3000)

To see the full example code: Wuqian Ye / RateLimiting · GitLab

Rate limiting also has downsides: it can decrease performance, and it can still result in an outage if the infrastructure is overloaded. Rate limiting alone is likely insufficient to handle a complex DDoS attack, but it is a useful component of an effective DDoS mitigation strategy.

Always-On vs. On-Demand Protection

With on-demand protection, traffic flows as normal until a potential DDoS attack is detected. Once the attack is identified, the traffic is re-routed to the cloud, where it is analyzed and filtered before reaching the targeted server.

On-demand protection costs nothing extra until it is needed, but there are other trade-offs. It takes longer to notice a potential DDoS attack, traffic spikes must reach certain thresholds before analysis begins, and it takes additional effort for someone to manually turn on the protection and stop the attack.

Conclusion

Distributed Denial-of-Service attacks are a major concern on the Internet today, and they have been evolving in recent years: attacks are becoming more frequent and more complex. Businesses of all sizes, financial institutions, organizations, governments, and others are all potential targets of DDoS attacks. It is essential to adopt anti-DDoS practices and to learn about other web security concerns.


HacWare makes it super easy for Software Developers and IT teams to launch hyper custom cybersecurity education solutions to combat phishing attacks. Learn more about HacWare at hacware.com.

Also, check out our free secure code streams on Twitch and YouTube!