A distributed denial-of-service (DDoS) attack renders a system nonfunctional, making it unavailable to legitimate users.
What is DDoS? DDoS is a malicious attack in which a system is degraded and rendered unusable to legitimate users. In many cases, DDoS is a coordinated campaign during which multiple compromised devices are used to overwhelm a target with massive volumes of traffic, rendering its services inaccessible to intended users.
A DDoS attack degrades infrastructure by flooding the target resource with traffic, overloading it to the point of inoperability, or by sending a specifically crafted message that impairs application performance. DDoS attacks can target network infrastructure such as firewall state tables, as well as application resources such as servers and CPUs. DDoS attacks can have severe consequences, compromising the availability and integrity of online services and causing significant disruption, with the potential for financial losses and reputational damage. These attacks can also be used as a smokescreen to distract security and risk teams from data exfiltration.
A DDoS attack is like thousands of people trying to cram through a doorway all at the same time. The result is that no one can get through the doorway, including people who have a legitimate reason to pass through to the other side. Or, the attack can be like a single person with a key that locks the door after passing through, preventing anybody else from entering.
Attacks like this are usually coordinated across a large number of client computers and other network-connected devices. These attacker-controlled resources may have been set up for this express purpose, or more likely have been infected with malware that lets the attacker remotely control the device and enlist it in attacks.
Because the attack is coming from so many different sources, it can be extremely difficult to block. Imagine, again, the hoard of people cramming the doorway. Simply blocking one illegitimate person (or malicious traffic source) from getting through won’t help since there are thousands of others to take its place. Advances in automation frameworks allow attacks to spoof IP addresses, autonomous system numbers (ASNs), browser user-agents, and other telemetry to bypass traditional security controls.
It’s important to distinguish between Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. Both are types of cyberattacks aimed at disrupting the availability of a target system or network, but they differ in how the attacks are carried out.
A DoS attack is typically launched from a single source or a small number of sources, with the attacker overwhelming the target system or network with a flood of traffic or requests, exceeding its capacity to handle them.
DDoS attacks, on the other hand, involve multiple sources or a botnet, which is a network of compromised computers or devices under the control of the attacker. The attacker coordinates these multiple sources to simultaneously launch the attack against the target. DDoS attacks are generally more difficult to mitigate than DoS attacks because they come from multiple sources, making it challenging to distinguish legitimate traffic from malicious traffic.
While the DDoS threat landscape is constantly evolving, F5 has found that most attacks fall into the following broad categories.
Volumetric attacks are among the most common types of DDoS attacks. These attacks aim to overwhelm the target's network bandwidth by flooding it with a massive volume of data or traffic. Such techniques include UDP (User Datagram Protocol) floods, ICMP (Internet Control Message Protocol) floods, and reflection attacks leveraging protocols such as NTP (Network Time Protocol), Memcached, and DNS to amplify the amount of traffic received by the target. The sheer magnitude of traffic saturates the target's network infrastructure, causing it to become unavailable to legitimate users. Flood-based attacks often target layers 3, 4, or 7, with SYN flood being a very common attack that can overwhelm network firewalls and other critical network infrastructure.
Protocol attacks, such as those that target weaknesses in the TCP/IP protocol stack, which is the foundation of Internet communication. These attacks specifically target the ability of network infrastructure to track and handle traffic. For example, SYN flood attacks inundate the target with a barrage of TCP SYN packets, overwhelming the target's ability to establish legitimate connections. These are also known as “computational” attacks, since they often overload the compute capacity of network devices, such as routers and firewalls.
Application vulnerability attacks, also known as Layer 7 attacks, specifically target the application layer of the network stack. These attacks focus on exploiting software vulnerabilities in the applications or services running on the target server to exhaust the server's resources, such as CPU, memory, or database connections. Examples of application layer attacks include HTTP GET floods (sending a large number of HTTP requests), slowloris attacks (holding connections open with partial requests), HTTP POST floods, TLS renegotiation, and DNS queries.
Asymmetric attacks, also known as reflective or amplification attacks, exploit the functionality of certain network protocols to amplify the volume of attack traffic. In an asymmetric DDoS attack, the attacker sends a small amount of specially crafted network packets to a vulnerable network or service, typically using a forged source IP address. These packets trigger the generation of much larger responses from the targeted system or network, resulting in a significant amplification effect.
Multi-vector attacks, which leverage more than one of the above methods, are becoming increasingly common. By employing more than one attack technique, attackers are able to amplify the impact and increase the difficulty of defending against multiple attack vectors simultaneously.
Following are several key concepts and definitions related to DDoS attacks, mitigation, and prevention.
DDoS attacks can have severe implications for businesses, organizations, and individuals.
DDoS attacks can lead to significant financial losses. When services are disrupted or inaccessible, businesses may experience revenue impact due to interrupted transactions, decreased customer engagement, or missed opportunities. Additionally, organizations may incur costs associated with mitigating the attack, conducting incident response and recovery activities, and potential regulatory penalties.
Successful DDoS attacks can damage an organization's reputation and erode customer trust. If a company's services are repeatedly disrupted or unavailable, customers may lose confidence in the organization's ability to deliver reliable services. Rebuilding trust and restoring a damaged reputation can be a challenging and time-consuming process.
DDoS attacks can cause severe operational disruptions. Organizations heavily dependent on online services may face productivity losses, as employees are unable to access critical systems or collaborate effectively. Service disruptions can impact supply chains, customer support, and overall business operations, leading to delays, inefficiencies, and increased operational costs.
By investing in robust DDoS mitigation strategies and engaging cybersecurity professionals to design and implement security measures, organizations can significantly reduce the risk and impact of successful DDoS attacks, safeguard their financial stability and reputation, and ensure the continuity of their operations.
Following are some common DDoS mitigation techniques used to defend against attacks. Organizations often employ a combination of these methodologies to create a layered defense strategy that can effectively mitigate the impact of DDoS attacks. Early detection is also key to initiating prompt incident response and mitigation measures, allowing organizations to contain the impact before it escalates.
Traffic filtering involves examining incoming network traffic and applying filters to block or allow specific types of traffic. This technique can be employed at different levels, such as network edge routers, firewalls, or dedicated DDoS mitigation appliances. By filtering out malicious or unwanted traffic, organizations can reduce the impact of DDoS attacks and help ensure that legitimate traffic reaches the intended destination.
Rate limiting restricts the number of incoming requests or packets from a particular source or within a specified time frame. By enforcing rate limits, organizations can mitigate the impact of DDoS attacks by preventing an overwhelming influx of traffic.
Anomaly detection involves monitoring network traffic patterns and behavior to identify deviations from normal patterns. It utilizes statistical analysis and machine learning algorithms to establish baseline behavior and detect anomalous activities that may indicate a DDoS attack. Anomaly detection systems can identify unusual traffic spikes, packet flooding, or other patterns that are indicative of an ongoing attack.
Behavioral analysis focuses on monitoring the behavior of users, systems, or network entities to detect and identify suspicious or malicious activities. Behavioral analysis techniques can help in differentiating between legitimate traffic and attack traffic, allowing organizations to respond effectively to DDoS attacks while minimizing false positives. This analysis can be performed on the client-side as well as server-side through intelligent proxies that detect system stress that may be indicative of a denial-of-service attack.
Deploying a content delivery network (CDN) can help mitigate the impact of volumetric attacks and provide enhanced availability and performance. CDNs can use their distributed network infrastructure to identify and block malicious traffic, ensuring that legitimate requests reach the target.
Load balancers and application delivery controllers (ADCs) can also act as a defense mechanism against DDoS attacks by intelligently distributing and managing traffic. Load balancers can detect and mitigate DDoS attacks by applying various techniques such as rate limiting, traffic shaping, or redirecting traffic to specialized DDoS protection solutions.
Implementing cloud-based DDoS protection services can help provide dedicated and scalable mitigation capabilities to defend against DDoS attacks. By redirecting traffic through these services, organizations can benefit from advanced mitigation techniques, real-time threat intelligence, and the expertise of specialized providers.
As DDoS attacks continue to grow in scale and complexity, organizations need multiple layers of protection to stop these attacks before they reach the enterprise network. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools. As the frequency of these attacks and the cost of outages continue to escalate, the importance of a holistic, layered defense to mitigate these attacks is now mission-critical.
Learn about real-life DDoS attacks and how they were mitigated by watching or reading the following case studies.
As DDoS attacks continue to evolve, organizations need to stay updated on the latest trends and developments.
A recent trend has been the growing prevalence of Internet of Things (IoT) botnets. IoT devices, such as smart cameras, routers, and connected appliances, often have weak security measures and are susceptible to compromise. Attackers exploit vulnerabilities in these devices to infect them with malware and enlist them as part of a botnet. The combined computing power of thousands of compromised IoT devices can generate massive volumes of DDoS attack traffic.
Application-layer attacks, which aim to exhaust server resources or exploit vulnerabilities in specific applications, often mimic legitimate user behavior, making them harder to detect and mitigate. Application-layer attacks are particularly challenging to defend against because they require a deeper understanding of application behavior and require specialized protection mechanisms.
The emergence of DDoS-as-a-Service platforms has made launching DDoS attacks more accessible to less technically skilled individuals. These platforms are found on the Dark Web and provide easy-to-use interfaces that allow users to rent and deploy DDoS attack resources, often utilizing botnets-for-hire.
Advanced DDoS threats require advanced DDoS protection, and F5 services and solutions are here to help. The best way to defend yourself from a DDoS attack is to prevent it. F5 solutions mitigate multi-vector denial-of-service attacks that overwhelm critical infrastructure, target key protocols, and exploit vulnerabilities in your applications or services. F5 solutions also protect against DNS amplification attacks and other flooding exploits by validating query requests, mitigating malicious communications, and providing visibility into DNS and applications so that their health, optimization, and protection can be maximized. F5 DDoS mitigation solutions provide multi-layer defenses that deliver greater depth of defense against blended network attacks and sophisticated application exploits, and can detect and eliminate threats in near real-time.