Hello everyone and welcome back to the Cognixia podcast. Every week we come together to discuss a new development or an interesting concept or just about anything new from the world of emerging digital technologies, hoping to inspire all of you to take the next big leap in your career by learning something new and adding a new skill to your repertoire.
Over the weeks, we have taken up some very awesome subjects to discuss in the Cognixia podcast, and we appreciate all the love you have sent our way by tuning in week after week to listen to us.
This week, we are back once again with another interesting episode of the Cognixia podcast. Today’s podcast talks about something we all have heard about and read about, something that has become commonplace in our news these days, something that has adversely impacted so many networks and enterprises across the world, something that is a huge unscrupulous nuisance, and while we are still coming up with ways and means to combat it, the nuisance in itself continues to evolve as unscrupulous elements get smarter and figure out new ways to attack. Today, we talk about DDoS attacks, what they are, what they do, and what is being done to combat them as well as overcome them.
DDoS stands for Distributed Denial-of-Service. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target and/or its surrounding infrastructure with a flood of internet traffic. DDoS attacks rely on multiple compromised computer systems for their effectiveness and the sources of their attack traffic. DDoS attacks compromise not just computer systems but also connected devices as well as IoT setups. To understand this better, imagine a traffic jam on a national highway that is clogging up the whole traffic to and from two points that the highway connects, thereby preventing anybody from going from city A to city B and from city B to city A. This is what a DDoS attack does to the system, preventing normal functioning by clogging up the system.
So, how does a DDoS attack function?
To operate and function, DDoS functions require machines connected to the internet, basically, a network of internet-connected devices, including computer systems as well as connected devices. Once the network is infected with malware, the devices in the network can now be remotely controlled by the attack. The individual devices are then called bots or sometimes even called zombies, while the group of devices is called the botnet. So, once the network is infected, it becomes a botnet. Once the botnet is established, the attacker can carry out the attack further. This is usually done by sending instructions remotely to every bot in the botnet.
The botnet can then target a potential victim’s server or network. To attack the victim’s server or network, every bot is made to send requests to the victim’s IP addresses. This would cause the victim’s server or network to be overwhelmed. This would clog the system completely, resulting in denial-of-service to the regular, normal traffic.
The major challenge here is that every bot that is attacking the victim’s network or server is a legitimate device connected to the internet. Owing to this, it is extremely difficult for the victim’s server or network to differentiate the traffic it is getting from the attacking bot and that it is receiving from the regular, normal devices, making it super challenging to overcome the attack, eventually leading to complete clogging and breakdown of the system.
Now that we have a fair understanding of what is a DDoS attack and how it takes place, let us take some time to understand how a DDoS attack can be identified. If you observe your system suddenly running extremely slow and you are unable to accomplish any tasks on your system because of the lag, chances are your system is under a DDoS attack. However, before alerting everybody about a potential attack, check if there is another possible cause for the slowing down, and check with other systems in the network if they are observing a slowdown or unavailability too. Similarly, if you observe a sudden spike in traffic to your system, likely unexpected, even if it shows up as legitimate, investigate further to check if you are under a DDoS attack. If your system or server or network is observing performance issues, chances are you could be under a DDoS attack. Always keep smart and sharp traffic analytics tools to ensure you can investigate quickly and alert everybody if you are under attack.
The four key indicators that would most likely indicate if a server or network is under a DDoS attack are –
One, a suspicious amount of traffic is seen to originate from a single IP address or a sequence or range of IP addresses.
Two, there is a suspicious flood of traffic from users who appear to have a similar behavioral profile, say a similar type of device, the same geolocation, or even the same browser version.
Three, an unexplained, unexpected spike in requests being received by a single endpoint or a single page in the application or website or system, etc.
And, four, there are suspicious spikes of traffic at unusual hours or there is an odd, suspicious pattern you see developing differently from the usual, simply put, any unnatural pattern of traffic or spikes
There can be different types of DDoS attacks, so the indicators can vary specifically on the type of DDoS attack the system or the server or the network is under, but these four indicators should at least help identify the warning signs that the system is under attack or not.
While we are on this topic, let us quickly touch upon some of the most common types of DDoS attacks, so you can understand what all a DDoS attack entails in different types of attacks. Each type of DDoS attack would usually affect a different component of the network connection. Based on that, the attack would be slightly different from the other types of DDoS attacks. As a thumb rule, the key to identifying the type of denial-of-service attack would be to identify how the network connection was established.
As a lot of you might know, a network connection with the internet would involve multiple components, called layers. Every layer serves a different purpose in the network. Based on which layer is getting attacked, the type of DDoS attack would be determined and one can decide the further course of action to take to overcome the attack.
Some of the most common types of DDoS attacks are:
One, is application layer attacks, also called layer 7 DDoS attacks which aim to exhaust the target’s resources and create a denial-of-service situation
Two, HTTP flood attack which resembles how one would hit the refresh button on a browser window again and again and again many times, thereby flooding the server with requests and causing a denial-of-service situation
Three, protocol attacks, also referred to as state-exhaustion attacks which cause overconsumption of the server resources or the network equipment resources, such as firewalls or load balancers, eventually leading to a denial-of-service situation.
Four, SYN flood attack. Imagine, you are someone behind the counter in a store, and you are getting requests for products that consumers want to buy, your job is to take the requested product from whatever shelves they are stored on and provide it to the front desk or cashier staff to then pass it on to the customer. Now, you can service only so many requests at a time. But imagine, you get double or triple or more requests per minute than you can normally handle. It will overwhelm you with requests and you will be unable to function or serve anybody, right? This is exactly what an SYN flood attack is. It exploits the TCP handshake by sending a huge number of requests to the TCP initial connection request SYN packets with spoofed source IP addresses.
Five, volumetric attacks. Volumetric DDoS attacks that cause a congestion situation by soaking up all the available bandwidth that exists between the target and the internet at large. As part of the attack, a large volume of data gets sent to the target of the attack using some form of amplification system or something similar which would generate massive amounts of traffic from a botnet.
Six, DNS amplification attack. A DNS amplification DDoS attack involves making an open request to an open DNS server from a spoofed IP address which would be the victim’s IP address, leading to the target IP address and then receiving a response from the server involved in the attack.
These are some of the common types of DDoS attacks. This brings us to the most important million-dollar question – how to mitigate a DDoS attack?
Suppose you are already under a DDoS attack, how to come out of it?
The key to mitigating a DDoS attack lies in one of the trickiest things to do when a system is under a DDoS attack – differentiating between the attack traffic and the normal traffic. The sooner this differentiation is done, the sooner you will be able to mitigate this attack. This is also where the whole challenge lies. DDoS traffic could be coming from so many different sources and so many ways. It could come from a single unspoofed source or it could come from multiple adaptive sources. It could attack a single layer or it could attack multiple layers at the same time. Depending on the type of attack and the layers under attack and the sources of the attack, one can build strategies to mitigate and overcome the DDoS attack.
There is no one-size-fits-all strategy when it comes to mitigating DDoS attacks. However, as a thumb rule, it is good to remember that the more complex the DDoS attack, the more challenging it is going to be to differentiate between the attack traffic and the regular legitimate traffic. Also, always remember that just dropping or limiting the incoming traffic indiscriminately may not always be a good idea. Such measures will not just stop or limit the attack traffic but also block out the regular legitimate traffic. Moreover, attackers can always come up with ways to overcome the countermeasures taken to combat the DDoS attack. A layered solution to mitigating DDoS attacks might usually work out to be the best possible resolution.
Another popular method to mitigate DDoS attacks is blackhole routing. Network administrators can use this option and route all the traffic to a black hole. One can simply configure a black hole routing pathway to divert all traffic – legitimate as well as malicious to a null route. This null route is called a black hole, which will take the traffic away from the main pathway, dropping it from the network, thus, helping mitigate a DDoS attack on the network or server. However, the problem with blackhole routing is that it still gives the attackers to achieve their desired outcomes as the network/server remains inaccessible to everyone.
The other popular strategy for mitigating DDoS attacks is called rate limiting. In this method, the number of requests a server can accept during a defined time frame is limited. This effectively blocks out traffic beyond this defined limit, while also slowing down the scrapers that are working to steal the data during the denial-of-service attack. It may not be too effective in blocking out efforts to maliciously login using brute force, though.
Another strategy that can be used for mitigating DDoS attacks, especially a layer 7 denial of service attack would be using a web application firewall. The web application firewall can be used to create a sort of reverse proxy by creating a barrier between the internet and the origin server, thereby acting as protection for the server from some of the malicious traffic. A series of rules can be implemented, additionally, to filter out the malicious traffic and put a quick check on the layer 7 DDoS attacks.
These are some of the most common ways to mitigate the onslaught of a distributed denial of service attack.
So, now, we are sure you have a fair idea of what are distributed denial of service attacks, how they work, what they attack, and the impact they can have, as well as what are some of the common ways to mitigate such attacks. The best way, we would say, is still to keep up-to-date on your cybersecurity measures and have an active risk management plan in place. For this, you will need skilled, highly functional cybersecurity and information security experts. So, consider getting CISSP certified yourself or having your team get CISSP certified. To know more about the live online instructor-led training for CISSP certification, visit our website www.cognixia.com. You can get in touch with us there over the chat function to get all your questions answered and learn more about the training courses.
With that, we come to the end of this week’s episode. We hope you enjoyed listening to it and learned something new from it. We promise to come back next week with another new, exciting episode of the Cognixia podcast.
Until next week then!