A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the regular traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
How does a DDoS attack work?
DDoS attacks are carried out with networks of Internet-connected machines.
These networks consist of computers and other devices (such as IoT) that have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are called bots (or zombies), and a group of bots is called a botnet.
Once a botnet has been established, the attacker can direct an attack by sending remote instructions to each bot.
When the botnet targets a victim’s server or network, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial of service to regular traffic.
Because each bot is a legitimate Internet device, separating the attack traffic from regular traffic can be difficult.
How to identify a DDoS attack
The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. However, since several causes — such as a legitimate spike in traffic — can create similar performance issues, further investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS attack:
- Suspicious amounts of traffic originating from a single IP address or IP range
- A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version
- An unexplained surge in requests to a single page or endpoint
- Odd traffic patterns, such as spikes at odd hours of the day or practices that appear to be unnatural (e.g., a point every 10 minutes)
There are other, more specific signs of a DDoS attack that can vary depending on the type of attack.
What are some common types of DDoS attacks?
Different types of DDoS attacks target varying components of a network connection. Knowing how a network connection is made is necessary to understand how other DDoS attacks work.
An Internet connection is composed of many different components or “layers.” Like building a house from the ground up, each layer in the model has another purpose.
The OSI model, shown below, is a conceptual framework used to describe network connectivity in 7 distinct layers.
While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories. An attacker may use one or more different attack vectors or cycle attack vectors in response to countermeasures taken by the target.
Application layer attacks
The goal of the attack:
Sometimes referred to as a layer 7 DDoS attack (about the 7th layer of the OSI model), these attacks aim to exhaust the target’s resources to create a denial-of-service.
The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is computationally cheap to execute on the client side. Still, it can be expensive for the target server to respond to, as it often loads multiple files and runs database queries to create a web page.
Layer 7 attacks are difficult to defend against since it can be hard to differentiate malicious traffic from legitimate traffic.
Application layer attack example:
HTTP flood
This attack is similar to pressing refresh in a web browser over and over on many different computers simultaneously – large numbers of HTTP requests flood the server, resulting in denial-of-service.
This type of attack ranges from simple to complex.
More straightforward implementations may access one URL with the same range of attacking IP addresses, referrers, and user agents. Complex versions may use many attacking IP addresses and target random URLs using random referrers and user agents.
Protocol attacks
The goal of the attack:
Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by over-consuming server and network equipment resources like firewalls and load balancers.
Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.
Protocol attack example:
SYN flood
A SYN Flood is analogous to a worker in a supply room receiving requests from the front of the store.
The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then gets many more package requests without confirmation until they can’t carry any more packages, become overwhelmed, and requests start going unanswered.
This attack exploits the TCP handshake — the sequence of communications by which two computers initiate a network connection — by sending a target many TCP “Initial Connection Request” SYN packets with spoofed source IP addresses.
The target machine responds to each connection request and then waits for the final step in the handshake, which never occurs, exhausting the target’s resources.
Volumetric attacks
The goal of the attack:
This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the more extensive Internet. Large amounts of data are sent to a target through amplification or another means of creating massive traffic, such as requests from a botnet.
Amplification example:
DNS Amplification
A DNS amplification is like if someone calls a restaurant and says, “I’ll have one of everything; please call me back and repeat my whole order,” where the callback number belongs to the victim. With minimal effort, an extended response is generated and sent to the victim.
By requesting an open DNS server with a spoofed IP address (the victim’s IP address), the target IP address receives a response from the server.
What is the process for mitigating a DDoS attack?
The key concern in mitigating a DDoS attack is differentiating between attack traffic and regular traffic.
For example, if a product release has a company’s website swamped with eager customers, cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known attackers, efforts to alleviate an attack are probably necessary.
The difficulty lies in telling the real customers apart from the attack traffic.
In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed single source attacks to complex and adaptive multi-vector attacks.
A multi-vector DDoS attack uses multiple attack pathways to overwhelm a target differently, potentially distracting mitigation efforts on any trajectory.
An attack that simultaneously targets multiple layers of the protocol stack, such as a DNS amplification (targeting layers 3/4) coupled with an HTTP flood (targeting layer 7), is an example of multi-vector DDoS.
Mitigating a multi-vector DDoS attack requires various strategies to counter different trajectories.
Generally speaking, the more complex the attack, the more likely it is that the attack traffic will be difficult to separate from regular traffic – the attacker’s goal is to blend in as much as possible, making mitigation efforts as inefficient as possible.
Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. To overcome a complex attempt at disruption, a layered solution will give the most significant benefit.
Blackhole routing
One solution available to virtually all network admins is to create a black hole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route, or blackhole, and dropped from the network.
If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a black hole as a defense. This is not an ideal solution, as it effectively gives the attacker their desired goal: it makes the network inaccessible.
Rate limiting
Limiting the number of requests a server will accept over a particular time window is also a way of mitigating denial-of-service attacks.
While rate limiting is useful in slowing web scrapers from stealing content and mitigating brute force login attempts, it alone will likely be insufficient to handle a complex DDoS attack effectively.
Nevertheless, rate limiting is useful in an effective DDoS mitigation strategy.
Web application firewall
A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.
By filtering requests based on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value of an effective WAF is the ability to implement custom rules in response to an attack quickly.
Anycast network diffusion
This mitigation approach uses an Anycast network to scatter the attack traffic across a distributed server network to the point where the network absorbs the traffic.
Like channeling a rushing river down separate smaller channels, this approach spreads the impact of the distributed attack traffic to the point where it becomes manageable, diffusing any disruptive capability.
The reliability of an Anycast network to mitigate a DDoS attack is dependent on the size of the attack and the size and efficiency of the network. An essential part of the DDoS mitigation implemented by Cloudflare is using an Anycast distributed network.
Cloudflare has a 192 Tbps network, an order of magnitude greater than the most significant DDoS attack recorded.
The DDoS protection we implement at Cloudflare is multifaceted to mitigate the many possible attack vectors.