What is a DDoS attack?
A DDoS (distributed denial of service) attack is the name for a family of cyber attacks that take computer systems offline by generating an abnormal traffic load.
Such attacks are not new: the first known DDoS attack occurred in 1996, when Panix, the oldest Internet service provider, was knocked offline for days by a SYN flood, a method that has since become a classic DDoS technique.
Since 1996 the popularity of the attack has grown exponentially, and it has become one of the most significant cyber threats facing companies.
In the third quarter of 2020 the private sector saw a 50% increase in the number of DDoS attacks compared to the previous year, and Cisco estimates that by 2023 the number of denial of service attacks will double, reaching 15 million.
How does a DDoS attack work?
Every server is built to receive and respond to requests; a denial of service attack exploits exactly that by flooding the server with more requests than it can handle.
To create the load, attackers seek out infected devices and use them as sources of malicious traffic. Any device that is connected to the Internet and infected with malware can be used, from computers and cell phones to refrigerators and home security systems. The malware runs without visibly interfering with the device, so owners are not aware that their cell phone has been forcibly “recruited” into an “army of bots” (a botnet).
The Log4j vulnerability that emerged in early 2022 raised concerns that this critical flaw could be exploited to turn devices into bots, which could prove disastrous given how widely the Log4j logging library is deployed.
It is also difficult for a network administrator to identify the bots: each of them connects from a legitimate IP address.
Types of DDoS attacks
There are 3 main ways to flood a server with a high volume of traffic:
Application layer attacks
When you type in a website address, such as eBay's, you are actually asking the server to send the page to you. This mechanism is what attackers target in application layer attacks: the bots send the server requests that any regular user could make, but in massive numbers and within a short period of time:
- Loading a specific URL
- Loading a specific image within the page
- Requesting documents with HTTP GET (the most common method for sending HTTP requests)
- Refreshing the page
Protocol attacks (SYN flood)
Exploiting a weakness at the network level, this type of attack sends a stream of initial TCP connection requests (SYN packets). The flood works because, for every SYN request it receives, the server must:
- Accept the connection request and allocate state for it
- Send back a SYN-ACK inviting the sender to complete the handshake
- Wait for the final ACK from the sender of the request, which never arrives
- Run out of resources, or crash, once too many of these half-open connections are pending
Volumetric attacks
Making up 50% of all DDoS attacks, this type floods the available bandwidth and takes the server offline by leaving it no free capacity. One of the most common attacks of this type is a DNS amplification attack.
DNS, the Domain Name System, acts as the Internet's phone book. In a DNS amplification attack the bots send DNS requests that trigger very large responses, but instead of asking that the response be delivered to the requester's own IP address (the bots/attackers), they forge the source address so that the response is delivered to the target server, flooding it with data.
Defending against a DDoS attack
Reducing the attack surface: make sure that the surface exposed to DDoS attacks is minimal by using a CDN, which caches your site content on other servers and helps spread suspicious traffic across them. In addition, you can use firewalls or ACLs to control which traffic reaches the server.
Identify the signs of a DDoS attack:
- Suspicious IPs: notice whether requests to your server are clustered in regions or address ranges that are not normally your traffic source
- A sharp increase in traffic: many requests at regular intervals and at high frequency
- Poor performance: the site's load time becomes very slow
- The website is down for a long period of time
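The first two signs above can be checked mechanically in a web server's access log. The following is an added example, not code from the original article: it buckets requests per minute to spot a rate spike against an assumed baseline, and groups source addresses by /24 prefix to spot a cluster of sources that dominates the traffic. The log lines, addresses and baseline are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample: two normal requests, then 300 hits on one URL from one
# /24 block within a single minute (hypothetical documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2022:12:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Mar/2022:12:00:03 +0000] "GET /about HTTP/1.1" 200 2048',
] + [
    f'203.0.113.{i % 250 + 1} - - [10/Mar/2022:12:01:{i % 60:02d} +0000] '
    f'"GET /login HTTP/1.1" 200 1024'
    for i in range(300)
]

def parse_line(line):
    """Return (ip, minute bucket, path) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.strftime("%Y-%m-%d %H:%M"), path

def requests_per_minute(lines):
    """Count parsed requests per one-minute bucket (sign: sharp traffic increase)."""
    return Counter(rec[1] for rec in map(parse_line, lines) if rec)

def flag_spikes(per_minute, baseline_rpm, factor=10):
    """Minutes whose request count exceeds factor x the normal rate;
    baseline_rpm is assumed to come from the site's historical traffic."""
    return sorted(m for m, n in per_minute.items() if n > factor * baseline_rpm)

def flag_ip_clusters(lines, prefix_len=24, min_share=0.5, min_requests=100):
    """Network prefixes supplying a large share of all requests (sign:
    sources grouped where your traffic does not normally come from)."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return []
    nets = Counter(str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
                   for ip, _, _ in recs)
    return sorted(net for net, n in nets.items()
                  if n >= min_requests and n / len(recs) >= min_share)
```

On the sample, flag_spikes(requests_per_minute(SAMPLE_LOG), baseline_rpm=5) returns the 12:01 minute and flag_ip_clusters(SAMPLE_LOG) returns ['203.0.113.0/24'].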
Security systems: IDS solutions detect abnormal requests and protocol abuse. These systems can work alongside firewalls and a WAF, but they need security experts to monitor them.