Denial-of-Service (DoS) and, more commonly Distributed-Denial-of-Service (DDoS) attacks are among the most common cyber threats that exist on the Internet.
Recognizing how they work and preventing threat can help to reduce the chance that a DoS attack is carried out against your organization. Or that computers in your organization are unwitting accomplices.
What is a DoS Attack?
The purpose of a Denial-of-Service attack is to shut down a machine or network, rendering it inaccessible or unusable to its target users.
This is accomplished by sending a flood of Internet traffic to a server, effectively overloading it. The server – incapable of processing the requests coming in at the rate they’re arriving – stalls or crashes.
The organizational result of a DoS attack is often lost time and money.
Distributed Denial of Service (DDoS)
In the old days of the Internet, it might be possible to flood a server with a single machine.
An aware security monitor could recognize that all the traffic was coming from a single IP address and then move to block access.
Those were the good old days.
Now, when an attacker wants to carry out a Denial-of-Service attack, they employ the help of thousands of machines to make it happen. When that happens, it’s not just a Denial-of-Service attack, but rather a Distributed-Denial-of-Service attack.
Because the attack is being distributed across a broad network of machines all homed in on one goal: overloading the target server.
The worst part?
Most of the time, these machines are unwitting accomplices.
That’s right – you or your employees could be facilitating cybercrime.
How Does this Happen?
A machine can become an unwitting accomplice to a DDoS attack if it’s been infected with malware, perhaps from a Drive-by-Download or Malvertisement.
In these instances, the malware provides a vector for an attacker to take control of a machine and use it to create a botnet.
While the name sounds cool, the implication is not.
These machines are taken over (effectively, “zombie-fied”) and become part of the network of bots used to carry out the attacker’s bidding.
It’s a bit like the way Emperor Palpatine controlled the Galactic Senate and the entire clone army; each thought they were free, but, in reality, were merely doing the bidding of the Sith Lord.
Types of Attacks
There are several different types of attacks – and reasons for carrying them out. Two of the more common ones include:
• Application layer attacks. In this form of attack, bots are directed to a specific part of a web application, rather than the entire network. This can often be used as a deception; while security or network engineers are paying attention to the part of the network under attack, an attacker can slip through a ‘back door’ to the system and steal sensitive information.
• Advanced Persistent DoS. This occurs when the attack lasts for a protracted period of time (the longest (so far) being 38 days as part of a corporate feud (ostensibly). These are sophisticated attacks because the attacker may toggle attacks towards different parts of an application layer while concentrating the thrust of effort on a single part of the system. They attack the middle and the flanks at the same time.
Many of these organizations have valuable data and either very small (or no security operations teams) available to monitor when they’re under attack. They also don’t have the sophistication to catch, for instance, when an attack is merely a diversion and the real threat is hidden, happening behind their back.
Why Are These Carried Out?
At some level, the same question can be asked of all cybercrime: why do it?
Often, it’s money. Sometimes, it’s just for fun.
For example, several years ago, Internet service Feedly was attacked and extorted from a group of attackers who crashed the service.
In the case of the Advanced Persistent DoS mentioned above (that lasted 38 days), a corporate feud was suspected.
In other cases, attackers engaged in hacktivism have been known to carry out DDoS attacks to crash websites they find politically offensive.
Sometimes, aspiring hackers do it simply to ‘earn their stripes.’
Only Big Companies Need to Worry about DDoS, Right?
While large companies are more likely direct targets, small and medium-sized organizations also make good targets for DDoS attacks, especially for those “script kiddies” trying to earn their stripes.
Many of these organizations have valuable data and either very small (or no security operations teams) available to monitor when they’re under attack. They also don’t have the sophistication to catch, for instance, when an attack is merely a diversion and the real threat is hidden, happening behind their back.
In other instances, employees at these companies, without proper employee training can become unwitting accomplices.
Again, because these organizations often don’t have the sophistication to recognize or prevent against various security threats, their users get exposed to Malware that turns their machines into botnet zombies.
Fortunately, if you’ve got a good SIEM and monitoring traffic, you might be able to catch an attack before it’s underway. Similarly, DNS providers like Cloudflare can provide a layer of protection to prevent attacks or mitigate them when they’re underway.
How to Know if There’s an Attack
There are a handful of ways to tell if an attack is occurring. Some common ones include:
• Unusually slow network performance
• Unavailability of the website
• Inability to access a website
Check the Logs
If any of these symptoms are occurring, you want to check your server logs and review your net statistics (netstat -an).
If you see repeating thousands of IP addresses statused at TIME_WAIT, the server is likely timing out and crash is imminent.
By monitoring your logs, your SIEM can do some of this lifting for you and clue you into what’s happening quickly. If backed by a solid security operations team, you may be able to be back on your feet before any real damage is done.
How to Prevent a DDoS Attack (or Avoid Participating in One)
As with all forms of cybercrime, there are no guarantees that they can be avoided or prevented.
However, good security habits, combined with vigilant monitoring of your logs and a responsive security team can go a long way in preventing an attack before it occurs.
