Attack of the Network Traffic

Understanding and Avoiding Distributed Denial of Service (DDoS) Attacks

Many computer users are familiar with the customary tactics hackers use to target their prey: sending malicious links or attachments that prompt a victim to click, thus installing malware or Trojans on the targeted computer and opening a door into the victim’s network. Attacks that happen on the back end, however, are far less familiar.

Online criminals have long attacked computers connected to the Internet by overwhelming their targets with more traffic than their infrastructure can possibly handle, often with help from a powerful botnet. The scale of these bandwidth-clogging attacks has continued to grow over the years, and the techniques used to launch them keep evolving. Even so, many IT pros still overlook this class of attack and don’t take the proper precautions against it.


DDoS vs. DoS

Attacks that overwhelm network services with massive amounts of traffic are known as distributed denial of service (DDoS) attacks, and cyber criminals use them to bring down websites, network services, and company networks.

DDoS attacks are markedly different from the denial of service (DoS) attack from which they take their name. Generally, a DoS attack is designed to disrupt a computer, program or network service. A “Plain Jane” DoS attack relies on an underlying technical weakness or vulnerability in the system being attacked. For example, perhaps a particular file server doesn’t handle certain malformed network requests properly. If an attacker sends such a request to the server, it crashes and visitors can’t download their files. They are denied service.

From the attacker’s point of view, DoS attacks are easy to carry out; the attacker just needs to know the right network traffic to send, or the right sequence of events to trigger. DoS attacks don’t take many resources or overwhelming force to achieve; however, they have an Achilles’ heel: IT pros can defend against them easily. Since a DoS attack depends on some specific software weakness, once the weakness is fixed the attacker is thwarted. Furthermore, security vendors can create signatures that identify the specific traffic used to trigger the DoS flaw, and block any attacker who sends that type of traffic even before the fix is deployed.
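The three ideas above (a malformed request that crashes a naive handler, the fix that removes the weakness, and a signature that blocks the trigger) can be shown together on a toy file server. This is an added example written for this article, not code from the page or from any real file server; the request format, the file store, the MAX_CHUNK cap and the sample traffic are all constructed for illustration.

```python
import re

# Constructed file store for the toy server (not from the article).
FILES = {
    "readme.txt": b"hello world",
    "data.bin": bytes(range(256)),
}

MAX_CHUNK = 4096  # assumed cap on how much one request may read


def handle_vulnerable(request: str) -> bytes:
    """The 'Plain Jane' DoS target: the handler assumes the request has exactly
    four fields and numeric offsets. A request such as 'GET readme.txt' (no
    offset or length) raises ValueError; in a single-threaded server an
    unhandled exception takes the whole service down."""
    _, name, offset, length = request.split()
    data = FILES[name]
    start = int(offset)
    return data[start:start + int(length)]


def handle_fixed(request: str) -> bytes:
    """Same protocol with the weakness removed: every field is validated and a
    bad request gets an error reply instead of an exception."""
    parts = request.split()
    if len(parts) != 4 or parts[0] != "GET":
        return b"ERR bad request"
    _, name, offset, length = parts
    if name not in FILES or not offset.isdigit() or not length.isdigit():
        return b"ERR bad request"
    start, count = int(offset), min(int(length), MAX_CHUNK)
    return FILES[name][start:start + count]


# Signature for the specific trigger: a GET carrying a file name but no
# offset/length fields. This is the kind of rule an IPS would ship to block
# the attack while the fix is rolled out. It matches the trigger, not valid
# four-field requests.
TRIGGER_SIGNATURE = re.compile(r"^GET\s+\S+\s*$")


def serve(handler, requests, signature=None):
    """Single-threaded server loop. Returns the replies it managed to send;
    an unhandled exception ends the loop, so later requests get no reply.
    If a signature is given, matching requests are dropped at the perimeter
    and never reach the handler."""
    replies = []
    try:
        for req in requests:
            if signature is not None and signature.search(req):
                continue  # dropped by the signature
            replies.append(handler(req))
    except Exception:
        pass  # the server process crashed; nothing after this is served
    return replies


# Constructed traffic: four legitimate downloads with one trigger in the middle.
TRAFFIC = [
    "GET readme.txt 0 5",
    "GET data.bin 10 4",
    "GET readme.txt",        # the DoS trigger
    "GET readme.txt 6 5",
    "GET data.bin 0 1",
]

if __name__ == "__main__":
    print("vulnerable handler:", len(serve(handle_vulnerable, TRAFFIC)), "of 5 served")
    print("fixed handler:     ", len(serve(handle_fixed, TRAFFIC)), "of 5 served")
    print("vulnerable + IPS:  ",
          len(serve(handle_vulnerable, TRAFFIC, TRIGGER_SIGNATURE)), "of 4 legitimate served")
```

Run against the same traffic, the vulnerable handler answers only the two requests before the trigger and then dies, the fixed handler answers all five (replying with an error to the trigger), and the unpatched handler behind the signature answers all four legitimate requests because the trigger never reaches it. The signature buys time, but only the fix removes the weakness: a trigger that the regex does not cover would still crash the vulnerable handler.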

On the other hand, DDoS attacks are much harder to defend against. Unlike basic DoS attacks, a DDoS attack does not rely on any underlying vulnerability or weakness in the system being attacked. Rather, it relies on overwhelming force. The concept is simple: network servers, even the huge, load-balanced, clustered ones running the largest enterprises, can only handle a finite amount of network traffic. If more traffic is generated than a server can handle, and that traffic arrives from many different sources in many geographic locations, the server can be overwhelmed without any single source standing out.

Attackers don’t even have to use specially crafted traffic; legitimate traffic is better, because it is disguised as normal customer requests and the victim can’t differentiate the two. The server is overwhelmed by sheer traffic volume, and since the attack seems to come from hundreds (or even thousands) of sources, it is tremendously difficult to block or halt.
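The reason per-source blocking works against a single flooding host but not against a distributed one is easy to see in numbers. The following is an added example, not code from the article: a per-source rate limiter over a constructed one-second snapshot of request sources. The server capacity, the per-IP limit, the customer and bot counts and the address ranges are all assumptions chosen for illustration.

```python
import itertools
import ipaddress
from collections import Counter

SERVER_CAPACITY = 1000   # assumed: requests per second the server can absorb
PER_SOURCE_LIMIT = 50    # assumed: per-IP ceiling enforced by the edge filter


def addresses(prefix: str, count: int) -> list:
    """First `count` host addresses in a prefix (constructed sources)."""
    hosts = ipaddress.ip_network(prefix).hosts()
    return [str(ip) for ip in itertools.islice(hosts, count)]


def admit(requests, per_source_limit=PER_SOURCE_LIMIT, capacity=SERVER_CAPACITY):
    """Per-source rate limiting over a one-second window of source IPs.
    A source above the limit is blocked outright; everything else is
    forwarded. Returns (admitted_rps, blocked_ips, overwhelmed)."""
    per_source = Counter(requests)
    blocked = {ip for ip, n in per_source.items() if n > per_source_limit}
    admitted = sum(n for ip, n in per_source.items() if ip not in blocked)
    return admitted, blocked, admitted > capacity


def one_second(customers=200, customer_rps=2, bots=0, bot_rps=0, attacker_rps=0):
    """Constructed one-second traffic snapshot: one list entry per request.
    Customers live in 10.0.0.0/16, bots in 100.64.0.0/16, and a lone
    flooding host at 198.51.100.1 (all assumed)."""
    traffic = []
    for ip in addresses("10.0.0.0/16", customers):
        traffic += [ip] * customer_rps
    for ip in addresses("100.64.0.0/16", bots):
        traffic += [ip] * bot_rps          # bots look exactly like customers
    if attacker_rps:
        traffic += ["198.51.100.1"] * attacker_rps
    return traffic


def normal_day():
    """200 customers at 2 requests/s: well under capacity."""
    return admit(one_second())


def single_source_flood():
    """One host sending 5000 requests/s: trips the per-IP limit and is dropped."""
    return admit(one_second(attacker_rps=5000))


def distributed_flood():
    """2000 bots at 3 requests/s each: every source stays under the per-IP
    limit, nothing is blocked, and the aggregate still exceeds capacity."""
    return admit(one_second(bots=2000, bot_rps=3))


if __name__ == "__main__":
    for name, fn in [("normal", normal_day),
                     ("single-source flood", single_source_flood),
                     ("distributed flood", distributed_flood)]:
        admitted, blocked, overwhelmed = fn()
        print(f"{name:20s} admitted={admitted:5d} rps "
              f"blocked={len(blocked):4d} sources overwhelmed={overwhelmed}")
```

The single-source flood is stopped by the simplest possible rule, because one address accounts for all the excess. In the distributed case every bot behaves like a slightly busy customer, so no per-source rule fires and the server receives more than six times its capacity. That is why mitigation of volumetric DDoS has to happen upstream (scrubbing, anycast, upstream blackholing) rather than with per-address rules at the victim.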


How DDoS Traffic is Generated

The concept behind DDoS attacks is simple; the challenge lies in how to generate huge amounts of legitimate-looking network traffic from a variety of sources. A single computer can’t produce anywhere near the bandwidth needed to take down an average network server, and traffic from a single source can easily be blocked. So how do attackers get the power necessary to generate a deluge of network traffic from distributed sources?

There are essentially two ways this can be accomplished:

• Botnets – Botnets are networks of compromised victim computers. Using basic infection tactics, attackers infect thousands, and in some cases millions, of victim computers. The attacker can then assume control of all these machines and harness their combined power for a DDoS attack. It can take a while to harvest enough victim machines to perform a large-scale DDoS attack, but experts have seen botnet-based DDoS attacks grow in scope, some generating 20 to 70 Gbps of attack traffic.
