The term ‘DDoS’ is familiar to every website operator today, even if they haven’t experienced the effects at first hand. We live in an age in which life is lived online. Turnover of local shops has long been lagging behind that of online shops. Now imagine that one of these profitable online shops has to close its doors temporarily due to a problem. Wouldn’t they do everything they could to keep the drop in sales as low as possible?
Different types of attacks
Companies are now taking many precautions to keep their web pages accessible in the event of an attack. But the dark side of the Internet has discovered that blackmail and threats work. With this knowledge, blackmail emails styled like a newsletter are sent out to website owners. Often these are just empty threats, created and sent on the principle that ‘someone will pay up’. This scenario manifests itself again and again here at nine.
But all sorts of other things can come our way too. An attack out of nowhere, without a threat or advance warning, and a website is inaccessible to its customers for almost an hour. Sales continue to drop for the rest of the day as customers seek out alternatives after the outage. Shortly before close of business, the website owner receives an email in which, in broken English, a large amount of ‘protection money’ is demanded from the company. Giving in to this kind of blackmail is rarely a good idea, as the attacker will remember this. In this case the amount was not paid, and another attack followed over a period of several days.
How do DDoS attacks work?
As the name suggests, a distributed denial-of-service (DDoS) attack is an attack carried out from multiple different sources at once with the aim of restricting access to a service. How the attack is carried out is not part of the definition. Often it is simply a matter of sending more traffic than the victim can absorb: the combined volume of requests exceeds the capacity of the victim’s Internet connection itself. Within this type of attack, we differentiate between ‘amplification’, ‘SMURF’ and ‘botnet’ attacks.
With an amplification attack, a request carrying the victim’s IP address as the (spoofed) source is sent to some publicly reachable service on the Internet. The aim is to get that service to send its response to the victim instead of to the attacker. To make this into an effective attack, the attacker chooses requests whose responses are as large as possible. With this method, the attacker does not need much bandwidth; the damage to the victim comes from the responses, which are many times bigger than the requests.
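A defender can recognise amplification traffic by its defining feature described above: large UDP replies from reflector services that answer no request the victim ever sent. The following is an added example, not code from the original post or from nine, that applies that check to a few constructed flow records; the local prefix 203.0.113.0/24, the reflector port list and the byte threshold are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors (port -> name); illustrative list
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Constructed flow records (not real traffic), in time order:
# time src sport dst dport proto bytes
SAMPLE_FLOWS = """\
10:00:00 203.0.113.10 41030 192.0.2.53 53 udp 60
10:00:00 192.0.2.53 53 203.0.113.10 41030 udp 120
10:00:01 198.51.100.7 53 203.0.113.10 41022 udp 3900
10:00:01 198.51.100.8 53 203.0.113.10 41023 udp 4100
10:00:01 198.51.100.9 123 203.0.113.10 41024 udp 482
10:00:01 192.0.2.77 443 203.0.113.10 52000 tcp 1500
"""

def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        t, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"time": t, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows

def unsolicited_reflector_bytes(flows, our_net):
    """Sum inbound UDP bytes from reflector ports that answer no request we sent.

    A legitimate DNS/NTP reply is preceded by an outbound request from the same
    local host and ephemeral port. Amplification traffic arrives without one,
    because the attacker spoofed our address as the request's source."""
    net = ipaddress.ip_network(our_net)
    requested = set()          # (local_ip, local_port, remote_ip, remote_port) we asked
    totals = defaultdict(int)  # service name -> unsolicited inbound bytes
    for f in flows:            # flows must be in time order
        if f["proto"] != "udp":
            continue
        src_local = ipaddress.ip_address(f["src"]) in net
        dst_local = ipaddress.ip_address(f["dst"]) in net
        if src_local and f["dport"] in REFLECTOR_PORTS:
            requested.add((f["src"], f["sport"], f["dst"], f["dport"]))
        elif dst_local and f["sport"] in REFLECTOR_PORTS:
            key = (f["dst"], f["dport"], f["src"], f["sport"])
            if key not in requested:
                totals[REFLECTOR_PORTS[f["sport"]]] += f["bytes"]
    return dict(totals)

def suspected_amplification(flows, our_net, threshold_bytes=1000):
    """Return reflector services whose unsolicited byte count exceeds the threshold."""
    totals = unsolicited_reflector_bytes(flows, our_net)
    return sorted(s for s, b in totals.items() if b > threshold_bytes)
```

On the sample data the genuine DNS exchange on port 41030 is ignored, while the three replies nobody asked for are counted and DNS crosses the threshold.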
The SMURF method is one of the older methods and no longer works very well thanks to modern security measures. First of all, an attacker finds so-called ‘broadcast addresses’, which forward a request to every device on an entire network. A request is then sent to these central ‘distributors’, with the attacker entering the victim’s IP address as the sender, just as with amplification. Each request is multiplied by the number of devices on the network, making the combined response much bigger and more damaging.
The most modern method, and currently the latest ‘trend’ amongst hackers when it comes to DDoS attacks, is the use of a botnet. A botnet can simulate normal user access, so that it is almost impossible to tell the difference between an attacker and a normal customer. It consists of an incalculable number of computers that are infected with a virus or Trojan and are under the control of the attackers.
Defense / Protection
Irrespective of the size and type of a DDoS attack, a provider can try to divert the ‘malicious’ traffic away from the target server. Generally, however, the attacks are too big to be fought off with simple methods. Here it is worth using so-called Content Delivery Networks (CDNs) with filter functions. A CDN sits upstream of the actual IT architecture and provides enormous bandwidth. Because CDNs are available globally, attack traffic can be absorbed close to where it originates and usually does not even leave that country. As well as complex filters and firewalls, CDNs can usually also cache content, so that traffic which has still managed to penetrate the filters is prevented from reaching the actual web server.
Are you interested in further contributions on topics such as DDoS, Disaster Recovery or security on your IT architecture?
On our blog we provide you with regular news, background reports and recommendations on the topics that matter to you. Sign up for our free blog now and get the latest blog posts delivered directly to your inbox by email.