A company’s website and mobile app has a certain capacity when it comes to handling requests coming from multiple sources. A distributed denial of service (DDoS) attack tries to exploit this capacity by sending multiple requests to the attacked resource with the sole objective of taking it down or slowing it drastically. Companies which offer their services or products through their website and mobile apps are the primary targets of such attacks. So typical use cases for such attacks would be ecommerce sites, financial products’ websites, online casinos, mobile apps etc. The main intention is to overwhelm a site’s infrastructure and app logic through a flood of traffic and requests.
What is a DDoS Attack?
A DDoS attack is a cyberattack where an attacker sends a flood of requests to a server or network with the intention to disrupt normal traffic or to take it down completely. Many times, such attacks are carried out by rival businesses to take down a good performing business’ mobile apps and websites. Attackers also perform a DDoS attack with the intention of first taking down the business and then offering to bring it back up after getting paid a hefty amount.
DoS v/s DDoS
The key difference between a Denial of Service (Dos) and DDoS is that in the former, requests come from one source while in the latter, requests are sent from multiple sources. DDoS attacks are much faster and take a longer time to detect and fix since requests come from multiple sources, thereby increasing their complexity.
These attacks are sometimes carried out by IoT-connected networks which are also infected with malware. These can be controlled remotely and can also run as bots or groups of bots called botnet. All these bots, on identification of a target’s IP address, send requests at the same time causing the network to get overwhelmed.
DDoS Attacks and Mobile Apps
DDoS attacks are more common when it comes to mobile apps since it is easier to profile users through their individual devices. So, if you download an app from an app store, the app creator can get access to your device and data and take advantage of any security loopholes for an attack to be run in the future. Some common attacks on mobile apps are:
UDP Flood:
Here, an attacker floods random ports of an application with user datagram protocol (UDP) packets, owing to which the host then continuously keeps looking for the relevant applications without much luck. It then sends multiple ‘Destination unreachable’ packets as the response. This saps the server’s resources, ultimately shutting it down. UDP sees requests getting routed to random ports in a way that the system is unable to handle the sheer volume of requests.
ICMP (ping) Flood:
Here, the attacker sends ICMP echo request (ping) packets to flood the network. The packets are sent as far as possible randomly without a care in the world, thereby disrupting both incoming and outgoing traffic. The situation is further worsened when the server responds back with its own ICMP packets.
Ping of Death:
As the name suggests, a series of large-sized, malicious pings are sent across to a target application. Since usually there is a size limit for packets being sent, these attacks which focus on larger sized packets overwhelm the target systems.
SYN Flood:
In a typical TP/IP network transaction, there is a SYN, ACK, SYN-ACK 3-way handshake. When a request is sent from one side (through SYN), the other side sends the requisite information (through ACK). At this point, an acknowledgement (through SYN-ACK) comes in from the first side to indicate that the information has been received. This 3rd part doesn’t happen since the IP addresses are fake and the request is timed out owing to a long waiting time. This exhausts the resources, bringing the site down.
Slowloris:
Slowloris is an attack where one web server focuses on taking down another web server by establishing connection and sending partial requests. Since the requests are not completed and are often kept open, other legitimate connections are blocked.
NTP Amplification:
Using UDP traffic, an attacker targets publicly available network time protocol (NTP) servers. The query-to-response ratio is in the range of 1:20 to 1:200. The focus is on sending too many requests at a rapid pace to simply make it difficult for the application to respond. These are thus high-bandwidth, high-volume attacks.
HTTP Flood:
Here, an attacker makes use of malicious packets and spoofing techniques to exploit authentic HTTP POST or GET requests.
Some of the most recognized and widely known DDoS attacks are:
Application Layer Attacks:
These focus on flooding the target website with resource-intensive requests like database access or heavy file downloads. When a bot is used to send millions of such requests which seem genuine at first, the target site gets overwhelmed and ultimately slows down drastically. They target specific application packets and usually look to disrupt specific functionalities like online transactions. Typical examples of such attacks include HTTP floods, Slowloris, SQL injections and cross-site scripting. An HTTP Flood attack is characterized by multiple HTTP requests being sent to a web server. It is measured in requests per second.
Volume-Based Attacks:
Here, hackers utilize bots, multiple devices and different internet connections to flood a target site with bogus traffic. Legitimate traffic is thus blocked and the website ultimately crashes. Typical examples include User Datagram Protocol (UDP), DNS amplification and spoofed packet flood packets. In DNS amplification, a DNS server is directly attacked with requests for large amounts and volume of data. It is measured in bits per second.
Protocol Attacks:
With a focus on disrupting the networking layer, these attacks work on activities to overwhelm the firewall or load balancer by misusing the first-in first-out (FIFO) queue systems that are present for dealing with requests. Usually when one request comes in, other requests wait in a queue. But this attack leverages fake IP addresses to send millions of requests and keep them open. A SYN flood attack is a good example here.
DDoS Amplification
It is a strategy used by cybercriminals to overwhelm a Domain Name System (DNS) server with requests that appear to be legitimate but are actually not. Two ways of achieving this are:
Chargen Reflection:
Here an attempt is made to exploit Chargen, an outdated testing protocol that dates back to 1983. It allows the outside world to ask a device to reply with a stream of random characters, which is the exact security hole that is exploited by hackers. Small packets through a spoofed IP address of the target website are sent to multiple devices which respond back with their UDP packets, overwhelming the system.
DNS Reflection:
Here, the target system’s IP address is forged to send multiple requests to a DNS server which then responds with large replies. With the help of a botnet, the queries are amplified (Sometimes by up to X70 size) thereby increasing the traffic drastically. This immediately brings down the system. Most of the time, DNS servers are not configured accurately, leading to them accepting queries from anywhere in the world (outside the trusted domain network) as opposed to properly configured DNS servers.
Myths around DDoS Attacks
- Since data is not stolen, these attacks are ok: Granted that DDoS attacks do not directly attempt to steal data. But the impact on businesses from the perspective of reputation, credibility, website performance etc. is enough to impact revenues negatively. Also, their impact on different stakeholders cannot be understated. So they require our attention. For example, a DDoS attack on an e-commerce site might not steal any data with respect to past purchases, user preferences etc. But it could create a major setback for a company by bringing it down during a major sale/discount season
- They just target websites: These attacks do primarily target websites, but any device that is connected to the internet is vulnerable for an attack or impact. The infrastructure of a company and its resources are prone to being affected as well. For example, though a banking website could definitely be a good target for a DDoS attack, its app from a well-known play store could be easily targeted as well. In fact, this would have a major business impact since apps are increasingly being used by customers
- Their impact is not big enough to worry about: As per a Kaspersky Lab report, a DDoS attack can cost a company an average of $1.6 million which is not a small amount. Also, imagine if an ecommerce site is taken down for a couple of hours during a major season sale/offer period. It could mean business loss and competitors cashing in on the situation taking away their loyal customers. For example, Amazon had clocked in a record $11 billion worth of sales during its June 2021 Prime Day sale period. Imagine how much of an impact a DDoS attack might have had if the Amazon app was being attacked.
Understanding the DDoS Attack Map
A DDoS attack map, as the name suggests, provides a deep dive in the form of data visualization covering the attacks, their impact/size along with the source and destination countries of attacks. The goal is to provide insights to companies through historical data and patterns. There is also a news section which gives details about recent attacks from specific times or locations. Drilling down into the specifics of the map can equip the user with details about specific attacks that have taken place. Color coding is done to segregate the attacks as per class/impact, duration and source/destination. It helps organizations visualize the threat landscape and be better prepared to handle future attacks. Some of the maps also list down common IP addresses which are used extensively for DDoS attacks. Newer attack agents are also highlighted.
Preventing DDoS Attacks
Have a Plan in Place:
Being ready for uncertainties and possible attacks is always a good idea. Train users to look for signs of DDoS attacks.
Devise a Vulnerability Risk Management (VRM) Strategy:
This would ensure that steps are laid out, team members / experts are identified and relevant backups are created. Expert opinion is also good to have here
React Quickly and Use anti-DDoS Services:
It is important to identify such attacks immediately and notify the relevant parties like ISP providers, cyber security teams etc. Having a backup ISP for continued business operations is also a good idea. When excessive traffic is observed, companies can also route the excess traffic to a black hole to ensure the servers or websites don’t get overwhelmed.
Use the Latest Patches and Versions of Firewalls and Routers:
A lot of the time, security patches ensure protection from the most common types of attacks and hence it makes sense to incorporate them as part of your cybersecurity plan.
Adopt Real-time Testing:
Application developers can ensure to test every server request through a multi-dimensional testing platform in real-time.
Leverage Runtime Application Self-Protection (RASP):
Mobile applications can be protected in real time/ during runtime from the inside through RASP security. There is a much better visibility in terms of the dataflow of inputs and outputs and it also relies on an in-depth understanding of the architecture to be able to proactively help applications protect themselves. It reduces the chances of breaches and prevents malicious requests being received by vulnerable points of a network. It has “monitor” (which notifies teams about attacks but does not block requests) and “block” (which immediately blocks suspicious requests) modes, thereby providing flexibility to teams. It also ensures better performance since it intervenes only when a vulnerability is exploited on the back of its almost negligible false positives.
Make Smart Use of Intelligent Identification Techniques, artificial intelligence and machine learning to stay on top of your security game
What the Future Holds for DDoS Attacks
Just like we see improvements in almost every field (positive or negative), DDoS attacks are also seeing major developments. The emergence of botnets is here to stay and this is likely to especially be used for DDoS attacks coming from multiple sources, making them all the more complicated and swifter. Also, attack vectors have become more advanced as now attacks can happen simultaneously on multiple points like database, servers, applications etc. giving lesser time for organizations to react. AI and ML are also being increasingly used to further amplify the impact of such attacks.
Since companies have been conducting communication and businesses online, they are also more prone to such attacks. With increasing use of IoT, IoT security is a matter of concern as these devices are prone to become targets. Add botnets to the mix and it is a deadly combination. The first half of 2020 alone saw around 4.83 million DDoS attacks, which also puts an emphasis on multi-vector attacks. The right strategy will help and RASP is one of the emerging technologies in this field. To know more, contact AppSealing today!