It's no secret that security has topped the list of concerns faced by CIOs this year. With cybercrime on the rise and growing in sophistication, no network is safe from attack. One of the most common threats facing enterprise networks is the distributed denial-of-service (DDoS) attack.
What are DDoS Attacks?
A denial-of-service attack occurs when a target is inundated with thousands of communication requests, overwhelming the server and preventing it from responding to legitimate user requests. In a distributed denial-of-service attack those requests originate from many machines at once, which makes the traffic far harder to filter by source.
Alternatively, it can occur when the network links between the target server and its users are saturated, blocking all communication between them. These attacks have serious and far-reaching implications for enterprises, especially those that depend on their websites, such as SaaS companies and e-commerce sites.
What Do They Exploit?
DDoS attacks commonly exploit three of the seven layers of the OSI model: the network layer (layer 3), the transport layer (layer 4) and the application layer (layer 7). In the first two cases the attack works by overwhelming a server or its links with packets and other traffic.
Layer 7 attacks target the web application itself: rather than saturating bandwidth, the attacker sends requests that are cheap to issue but expensive to serve (searches, logins, large downloads), overwhelming the server or database that powers the application. These attacks can be difficult to detect because they mimic legitimate user traffic.
Attack Trends Prevalent in DDoS Threats
1. Attacks from Mobile Devices
As the number of mobile device users grows, so does the number of attacks launched from mobile devices. Mobile devices often have weaker security protection than their PC counterparts, with users neglecting to install security software and installing apps without considering the risk. This negligence makes it easy for attackers to infect these devices with malware and hijack them to launch DDoS attacks.
2. Volumetric Attacks
These attacks flood a targeted network with packets that consume all available bandwidth, causing congestion, overloading servers and locking out users trying to reach the network. Volumetric attacks continue to grow in size and sophistication, and are lasting for longer and longer durations.
3. Browser-based Bot Attacks
Browser-based bots are malicious code that runs inside a web browser, loaded surreptitiously when a user visits a malicious site, after which they can launch an attack against a targeted server. Because they run in a real browser they can imitate genuine browser behaviour to evade anti-DDoS measures. These attacks often target the application layer, and can be tricky to detect.
4. SYN Flood Attacks
The most common of DDoS attacks, a SYN flood is perpetrated when the attacker sends many TCP SYN messages to a targeted server without ever completing the handshake with an ACK, or sends SYN messages with spoofed source addresses so that the server's SYN-ACK responses go to a falsified IP address that never replies. Each half-open connection holds server resources until it times out, so the flood exhausts the server's connection table, no new connections can be accepted, and the result is a denial of service.
A combo SYN attack consists of two SYN attack variations run at the same time. The first uses regular SYN packets to exhaust the server's resources, while the second uses larger SYN packets (above 250 bytes) to saturate the network link, with devastating results.
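Both behaviours described above (half-open connections that are never acknowledged, and oversized SYN packets) are visible in a packet capture taken at the server. The following is an added example, not code from the original article: it walks through constructed TCP packet records, tracks the handshake state of each connection, counts half-open connections per source address, and separately counts SYN packets larger than the article's 250-byte cutoff. The record layout and the threshold of 50 half-open connections are assumptions of this example.

```python
"""Detect SYN-flood behaviour from TCP packet records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet record; field names are an assumption of this example."""
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    flags: str    # subset of "SAF" for SYN, ACK, FIN
    length: int   # total packet length in bytes


HALF_OPEN_THRESHOLD = 50   # assumed alert threshold per source address
LARGE_SYN_BYTES = 250      # the article's cutoff for a "large" SYN packet


def analyze(packets):
    """Return (half_open_by_src, large_syn_by_src).

    A connection is tracked from the client's SYN; it becomes established only
    when the client's final ACK follows the server's SYN-ACK. Anything that never
    reaches that state is counted as half-open against its source address.
    """
    state = {}                     # (client, cport, server, sport) -> handshake state
    large_syn = defaultdict(int)   # source -> number of oversized SYNs
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:          # client SYN
            state[(p.src, p.sport, p.dst, p.dport)] = "syn"
            if p.length > LARGE_SYN_BYTES:
                large_syn[p.src] += 1
        elif "S" in p.flags and "A" in p.flags:            # server SYN-ACK
            key = (p.dst, p.dport, p.src, p.sport)          # reversed: server is replying
            if state.get(key) == "syn":
                state[key] = "synack"
        elif "A" in p.flags:                                # client ACK completes handshake
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "synack":
                state[key] = "open"
    half_open = defaultdict(int)
    for (src, _, _, _), s in state.items():
        if s in ("syn", "synack"):
            half_open[src] += 1
    return dict(half_open), dict(large_syn)


def flag_sources(packets, threshold=HALF_OPEN_THRESHOLD):
    """Source addresses holding at least `threshold` half-open connections."""
    half_open, _ = analyze(packets)
    return sorted(src for src, n in half_open.items() if n >= threshold)


def build_syn_sample():
    """Constructed capture: one legitimate client, one flooder, one combo sender."""
    server = "192.0.2.10"
    pkts = [  # legitimate client completing the three-way handshake
        Packet("198.51.100.5", server, 40000, 80, "S", 60),
        Packet(server, "198.51.100.5", 80, 40000, "SA", 60),
        Packet("198.51.100.5", server, 40000, 80, "A", 52),
    ]
    for i in range(60):  # flooder: 60 SYNs answered with SYN-ACK, never acknowledged
        pkts.append(Packet("203.0.113.7", server, 50000 + i, 80, "S", 60))
        pkts.append(Packet(server, "203.0.113.7", 80, 50000 + i, "SA", 60))
    for i in range(5):   # combo variant: oversized SYNs aimed at the link
        pkts.append(Packet("203.0.113.9", server, 60000 + i, 80, "S", 1400))
    return pkts


if __name__ == "__main__":
    print(analyze(build_syn_sample()))
    print(flag_sources(build_syn_sample()))
```

On a real host the equivalent state lives in the kernel's listen queue; the same signal can be read from the number of sockets in the SYN_RECV state, and the standard mitigation is to enable SYN cookies so that no state is held until the final ACK arrives.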
5. 'Hit and Run' Attacks
Hit-and-run attacks bombard the server with short bursts of packets at random intervals over a prolonged period, often lasting days or weeks. They're designed to exploit anti-DDoS solutions that take time to engage, and they're a popular choice because they're cheap and easy to deploy.
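The reason hit-and-run bursts slip past slow-reacting defences is easiest to see by simulating the reaction time. The following is an added example, not from the original article: it builds a constructed per-second packet-rate series with a low baseline and two 20-second bursts, then models a mitigation that engages only after the rate has stayed above a threshold for a given number of consecutive seconds. The traffic figures and the "sustain" rule are assumptions of this example.

```python
"""Simulate how a mitigation's engagement delay handles hit-and-run bursts (added example)."""


def build_hit_and_run_sample(seconds=600, baseline=100, burst_rate=20000,
                             burst_len=20, burst_starts=(100, 400)):
    """Constructed packets-per-second series: quiet baseline with short bursts."""
    counts = [baseline] * seconds
    for start in burst_starts:
        for t in range(start, start + burst_len):
            counts[t] = burst_rate
    return counts


def attack_seconds(counts, threshold):
    """Seconds during which the observed rate exceeds the threshold."""
    return sum(1 for pps in counts if pps > threshold)


def simulate_mitigation(counts, threshold, sustain):
    """Model a defence that engages after `sustain` consecutive seconds over
    `threshold` and releases as soon as the rate drops back below it.

    Returns (unmitigated_attack_seconds, activations): how many seconds of
    attack traffic reached the target before mitigation engaged, and how many
    times mitigation engaged at all.
    """
    consecutive = 0
    active = False
    activations = 0
    unmitigated = 0
    for pps in counts:
        if pps > threshold:
            consecutive += 1
            if not active and consecutive >= sustain:
                active = True
                activations += 1
            if not active:
                unmitigated += 1
        else:
            consecutive = 0
            active = False
    return unmitigated, activations


if __name__ == "__main__":
    counts = build_hit_and_run_sample()
    print("attack seconds:", attack_seconds(counts, 1000))
    for sustain in (60, 5, 1):
        print("sustain=%ds -> unmitigated, activations = %s"
              % (sustain, simulate_mitigation(counts, 1000, sustain)))
```

With a 60-second engagement delay the defence never activates at all, because every burst ends before the timer expires; a 5-second delay still lets the first few seconds of each burst through, and only an immediate response stops all of it. Shortening the detection window is the lever that defeats this pattern.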
6. Spoofed User-Agents
A frequently used attack technique, user-agent spoofing involves DDoS bots presenting the User-Agent string of a so-called "good" bot from a reputable source such as Google in order to avoid detection. By doing so they pass low-level filters that trust the header alone and wreak havoc on the targeted servers. Because the header is trivially forged, a filter should verify the claim against DNS rather than take the user-agent at its word.
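Google's published verification procedure for its crawler is a reverse DNS lookup of the client address, a check that the resulting name is under googlebot.com or google.com, and a forward lookup of that name that must return the original address. The following is an added example, not code from the original article: it parses constructed combined-format access log lines, picks out requests whose User-Agent claims to be Googlebot, and runs that forward-confirmed reverse DNS check. The resolver is injected as two functions so the check runs offline against constructed DNS tables; the log lines, addresses and table contents are all made up for the example, including an attacker who controls their own PTR record.

```python
"""Detect spoofed Googlebot user-agents by forward-confirmed reverse DNS (added example)."""
import re
import socket

# Domains Google documents for genuine crawler hostnames.
GOOGLE_DOMAINS = ("googlebot.com", "google.com")

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def claims_googlebot(ua):
    return "Googlebot" in ua


def is_verified_googlebot(ip, rdns, fdns):
    """rdns(ip) -> PTR hostname or None; fdns(host) -> list of addresses.

    Both steps are required: an attacker who controls the reverse zone for
    their own address can publish any PTR name, but cannot make Google's
    forward zone resolve that name back to their address.
    """
    host = rdns(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS):
        return False
    return ip in fdns(host)


def find_spoofed(lines, rdns, fdns):
    """Addresses that claim to be Googlebot but fail verification, in log order."""
    spoofed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not claims_googlebot(rec["ua"]):
            continue
        if not is_verified_googlebot(rec["ip"], rdns, fdns):
            spoofed.append(rec["ip"])
    return spoofed


# Resolvers backed by the system DNS, for use against live logs.
def system_rdns(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_fdns(host):
    try:
        return [r[4][0] for r in socket.getaddrinfo(host, None)]
    except OSError:
        return []


# Constructed sample log and DNS tables (not real lookups).
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '66.249.66.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=a HTTP/1.1" 200 9812 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.6 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=b HTTP/1.1" 200 9812 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=c HTTP/1.1" 200 9812 "-" "%s"' % GOOGLEBOT_UA,
    '198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0 Chrome/118.0"',
]
SAMPLE_RDNS = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",     # genuine crawler
    "203.0.113.6": "crawl-66-249-66-1.googlebot.com.",     # copied PTR, fails forward check
    "203.0.113.7": "googlebot.com.attacker.example.",      # look-alike name, wrong domain
}                                                           # 203.0.113.5 has no PTR at all
SAMPLE_FDNS = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "googlebot.com.attacker.example": ["203.0.113.7"],
}


def sample_rdns(ip):
    return SAMPLE_RDNS.get(ip)


def sample_fdns(host):
    return SAMPLE_FDNS.get(host, [])


if __name__ == "__main__":
    print(find_spoofed(SAMPLE_LOG, sample_rdns, sample_fdns))
```

Replace sample_rdns and sample_fdns with system_rdns and system_fdns to run the same check against real logs; cache the results, since a bot swarm will otherwise turn the filter itself into a DNS load.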
7. Shared DDoS Botnets
A group of Internet-connected computers that have been taken over by malware is known as a botnet. The infection usually goes unnoticed by the unwitting owners of these machines, who have no idea that attackers can use these "zombie" machines to remotely launch DDoS attacks. Botnets are not limited to computers: they can include hosting environments and CCTV cameras (among other devices), and a single botnet can be rented out to and shared among multiple criminals.
8. NTP Amplification Attacks
Network Time Protocol (NTP) is used by computers to synchronise their clocks over the Internet. This form of attack exploits a legacy monitoring command on NTP servers called MONLIST, which returns a list of the last 600 IP addresses that communicated with the server. Attackers send small MONLIST requests to many NTP servers with the source address spoofed to the target's IP address; each request triggers a response many times larger than itself, and all of those responses are delivered to the target, which is overwhelmed by the amplified traffic. Servers running ntpd 4.2.7p26 or later, or configured with the noquery restriction, do not answer MONLIST, which is why keeping public NTP servers patched removes them from the attacker's pool.
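The MONLIST request is an NTP "private" (mode 7) packet, and both the tiny request and the oversized replies can be recognised from their first bytes. The following is an added example, not code from the original article: it parses the 8-byte mode 7 header as laid out in ntpd's ntp_request.h (response and more bits, version and mode in the first byte; implementation number; request code; error/item count; item size), flags MONLIST requests (request codes 20 and 42, the latter being the 0x17 0x00 0x03 0x2a probe), and then scans constructed UDP records from the victim's point of view to find hosts receiving MONLIST replies from many servers without ever having asked. The record layout, the sample addresses and the alert thresholds are assumptions of this example.

```python
"""Recognise NTP mode 7 MONLIST traffic and reflected amplification (added example)."""
import struct
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7          # mode 7 = ntpd private/implementation-specific requests
IMPL_XNTPD = 3            # implementation number used by ntpd
MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}
MON_ITEM_SIZE = 72        # size of one MON_GETLIST_1 entry in a response


def parse_mode7(payload):
    """Return the decoded mode 7 header as a dict, or None for any other packet."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if (rm_vn_mode & 0x07) != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: set on replies
        "more": bool(rm_vn_mode & 0x40),       # M bit: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "implementation": impl,
        "request": reqcode,
        "nitems": err_nitems & 0x0FFF,         # low 12 bits; high 4 bits are an error code
        "item_size": mbz_size & 0x0FFF,
    }


def is_monlist_request(payload):
    h = parse_mode7(payload)
    return h is not None and not h["response"] and h["request"] in MONLIST_CODES


def analyze_udp(records):
    """Per host: MONLIST request bytes it sent, reply bytes it received, and the
    set of servers that replied. records are (src, dst, sport, dport, payload)."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "servers": set()})
    for src, dst, sport, dport, payload in records:
        h = parse_mode7(payload)
        if h is None or h["request"] not in MONLIST_CODES:
            continue
        if not h["response"] and dport == NTP_PORT:
            stats[src]["req_bytes"] += len(payload)
        elif h["response"] and sport == NTP_PORT:
            stats[dst]["resp_bytes"] += len(payload)
            stats[dst]["servers"].add(src)
    return stats


def find_amplification_victims(records, min_servers=3, min_ratio=50.0):
    """Hosts receiving MONLIST replies from many servers out of all proportion
    to (or in the absence of) requests they sent themselves."""
    victims = []
    for host, s in analyze_udp(records).items():
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        if len(s["servers"]) >= min_servers and ratio >= min_ratio:
            victims.append(host)
    return sorted(victims)


def build_monlist_request():
    """The classic 48-byte probe: 0x17 (mode 7, version 2), seq 0, impl 3, code 42."""
    return bytes([0x17, 0x00, IMPL_XNTPD, 42]) + b"\x00" * 44


def build_monlist_response(nitems, more):
    """One reply packet carrying `nitems` 72-byte monitor entries (bodies zeroed)."""
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, 42, nitems, MON_ITEM_SIZE)
    return header + b"\x00" * (nitems * MON_ITEM_SIZE)


def build_ntp_sample():
    """Constructed traffic seen at the victim's network edge."""
    victim, admin = "192.0.2.10", "198.51.100.4"
    servers = ["203.0.113.%d" % i for i in range(1, 6)]
    records = []
    for srv in servers:   # reflected replies: five servers each stream ten packets to the victim
        for i in range(10):
            records.append((srv, victim, NTP_PORT, 40000, build_monlist_response(6, more=i < 9)))
    # an administrator's own query and its single reply
    records.append((admin, servers[0], 51234, NTP_PORT, build_monlist_request()))
    records.append((servers[0], admin, NTP_PORT, 51234, build_monlist_response(6, more=False)))
    # an ordinary mode 3 client sync that must be ignored
    records.append((admin, servers[0], NTP_PORT, NTP_PORT, bytes([0x1B]) + b"\x00" * 47))
    return records


if __name__ == "__main__":
    print(find_amplification_victims(build_ntp_sample()))
```

Each constructed reply is 440 bytes for a 48-byte request, so even the single legitimate exchange shows roughly nine times amplification; the victim in the sample receives 22,000 bytes while having sent nothing, which is the signature of spoofed-source reflection.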
9. Multi-Vector Attacks
A rising trend in DDoS attacks sees multiple vectors used together to disable a network or server. A traditional DDoS campaign is centred on a single vector or attack type. Multi-vector attacks combine several, such as the simultaneous use of volumetric and application-layer attacks, so that defenders must mitigate on more than one front at once. This approach is very appealing to cybercriminals, as it has the greatest potential for damage within a target.
It's of vital importance that modern enterprises stay knowledgeable about the threats they face and prepare for them. With cybercrime constantly evolving in sophistication, it's never too soon to take stronger security measures.

