In-depth

What is a DDoS attack?

Criminals are building armies of digital zombies that can be trained on your business - should you be worried?

Distributed denial of service (DDoS) attacks are widely-considered to be the sledgehammer of cyber attacks. Rather than attempt to quietly infiltrate targeted software and computers, DDoS attacks effectively use brute force to knock target websites and machines offline.

The attack method does this by essentially overwhelming a website or server with more access requests than it can handle, causing it to malfunction and drop offline. Even if an attack fails to take a website or server down, it can lead to the services supported to run a lot slower and see web pages get stuck in loading loops when accessed by legitimate users.

To carry out such an attack, a lot of internet-connected devices are needed. Unfortunately, a huge number of unsecure IoT devices have flooded the market in recent years that simply do not have the capability to ward off attackers - usually due to weak or non-existent default passwords.

This makes it possible for criminals to launch effective and widespread DDoS attacks without exerting too much effort. With the right tools, hackers can break past this weak layer and gain remote control of a device. In just a few clicks, a single criminal can muster an army of internet-enabled devices (such as TVs, webcams, routers and even kitchen appliances) to flood a target website with traffic.

The strength of a DDoS attack depends on how many devices it's able to direct toward a target. Over the past few years the rising popularity of IoT devices, including those connect household appliances to the internet, has provided a steady stream of new recruits for DDoS botnets.

Because DDoS attacks don't obtain unauthorised access to a company's infrastructure or data, it's not considered a 'hack' in the traditional sense. However, that doesn't mean they aren't just as damaging or disruptive. Businesses ranging from e-commerce sites, like eBay, to digital news organisations all stand to suffer if taken deliberately offline.

While inherently damaging in and of themselves, DDoS attacks are also often used as smokescreens for even more invasive attacks. They often serve as a precursor attack, distracting IT teams so that a more invasive cyber attack can occur.

It's because of the potential damage they can cause that DDoS attacks have been made illegal. After a 2006 amendment to the Computer Misuse Act 1990, it's a criminal offence to launch a DDoS attack.

A very brief history of DDoS

The methodology we know today as DDoS is widely considered to have first emerged in 1995 during the Net Strike attacks against sites owned by the French government. Attacks had become somewhat automated by 1997, primarily due to the FloodNet tool created by the Electronic Disturbance Theater (EDT) group.

Following an attack by Anonymous in 2010, the DDoS tactic would be firmly planted on the threat map. Using a tool dubbed the Low Orbit Ion Cannon' (LOIC), the group was able to successfully flood targeted servers with TCP or UDP packets, facilitated through a point and click UI.

Recent DDoS attacks

DDoS has since evolved further, with two high-profile attacks demonstrating the ease at which criminals are able to take down targeted servers.

In October 2016, an 18-year-old allegedly configured his Twitter account and website to contain a redirect link that when clicked would automatically make a 911 call. Emergency services in the towns of Surprise and Peoria, Arizona, as well as the Maricopa County Sheriff's Office were inundated with fake calls as a result.

Surprise received over 100 calls in the space of a few minutes, while Peoria PD received a "large volume of these repeated 911 hang up calls", which, given enough data traffic, could have knocked the 911 service offline for the whole of the Maricopa County.

More details of how the attack was actually carried out can be found here.

Related Resource

Cybersecurity crisis-planning checklist

Tips for planning and ensuring business continuity

Download now

The second notable incident it the DDoS attack on DNS provider Dyn, which took place at about the same time as the Surprise 911 overload. It's thought that attack was powered by Mirai, a piece of malware that recruits IoT devices into a botnet. Dyn said it had observed tens-of-millions of discrete IP addresses associated with Mirai were part of the attack, with an army of 150,000 internet-connected CCTV cameras thought to have been a core part of the botnet.

More details of the Dyn DDoS attack and Mirai can be found here and here.

Since, DDoS attacks have been growing in size and scale. In June 2019, Amazon Web Services (AWS) claims to have blocked the largest DDoS attack in history. The incident happened in February, hitting 2.3 Tbits/sec at its peak smashing the previous peak record of 1.7 Tbits/sec.

Just days later, Akamai said it had prevented the largest-ever distributed denial of service (DDoS) attack, measured in packets-per-second (pps), targeting a large European bank. The attack, which the networking and security company registered at 809 million PPS, was recorded on 21 June.

Who's conducting DDoS attacks?

This varies depending on the target. It could be cyber activists (aka hacktivists) targeting a particular company, organisation or government agency, a commercial rival or even just people with nothing better to do who choose a target at random. DDoS is also sometimes used as a smokescreen for other criminal activity, like when TalkTalk had data on four million customers exfiltrated while it was dealing with one.

DDoS isn't a legitimate form of political protest, either. Impairing the operation of any computer has been a crime in the UK under the Computer Misuse Act since 2006, following changes made under the Police and Justice Act, and DDoS breaches the Computer Fraud and Abuse Act in the US. 

How do DDoS attacks work?

DDoS is now almost exclusively the territory of botnets-for-hire, no longer populated just by compromised PCs and laptops: the Mirai botnet last year connected together hundreds of thousands of IoT devices to power a DDoS attack. Devices such as routers and even CCTV cameras have default credentials that often don't get changed by owners, leaving hackers an easy route to infection and control.

A botnet comprising close to 150,000 digital CCTV cameras was thought to be used in the DDoS attack against DNS provider Dyn, an attack that took a swathe of well-known internet services offline.

DDoS attacks come in many technical guises, and some are more common than others. Nearly all, however, involve flooding to some degree or other. Be it a User Diagram Protocol (UDP), Transmission Control Protocol (TCP) Synchronize (SYN), GET/POST or Ping of Death flood, they all involve sending lots of something that eats up server resources in trying to answer or checking for authenticity.  The more that are sent, the less resource the server has to respond until eventually it collapses under the strain.

How much does a DDoS attack cost?

That depends if you mean cost to the organisation who has fallen victim, or the perpetrators, of a DDoS attack. Kaspersky Labs reckons the average cost to an organisation is $106,000 (82,000) if you take everything from detection through to mitigation and customer churn into account.

For the attacker, it's less expensive, with DDoS-for-hire services ranging from $5 (3.88) for a few minutes to $500 (388) for a working day.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

How to enable private browsing on any device
privacy

How to enable private browsing on any device

22 Sep 2020
Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020
Ransomwiz lets you test your security with simulated ransomware
ransomware

Ransomwiz lets you test your security with simulated ransomware

21 Sep 2020
Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Windows Server flaw sparks emergency US gov warning
vulnerability

Windows Server flaw sparks emergency US gov warning

21 Sep 2020