- July 22, 2020
- Posted by: Suhith Kumar
- Category: Software testing
It’s now well-documented that, with the coronavirus (COVID-19) pandemic forcing people to work remotely and making them over-reliant on digital solutions, cyberattacks across the world have skyrocketed during the first (January to March) and second (April to June) quarters of 2020.
According to a Kaspersky report, the US government’s Department of Health and Human Services (HHS), hospitals in Paris, the French capital, and online game servers were among the victims of DDoS attacks in February and March.
Reportedly the attackers did not succeed in slowing down the HHS servers, despite flooding them with millions of hits over several hours.
The Kaspersky report says the average duration of this type of attack also grew during the first three months, lasting 25 per cent longer than during the corresponding period last year.
DDoS attacks have been on the rise over the years.
In 2012, Bank of America, JP Morgan Chase and Citigroup were among the major US banks and financial institutions targeted by cyber attackers.
The attackers hijacked hundreds of servers, each generating a peak of 60 GB of traffic per second.
The series of attacks lasted three days and interrupted online and mobile banking services for extended periods.
Fast-forward to 2018, and the widely used developer platform GitHub was the victim. A record 1.35 terabits of traffic per second hit the website, causing sporadic outages over a 15 to 20-minute period.
This followed an attack on GitHub in 2015, which lasted six days and left the website appearing inaccessible to normal users.
A Distributed Denial of Service (DDoS) attack is a malicious attempt to overwhelm a targeted network or server with more traffic than it can handle.
The aim of these attacks is to slow down the response time of a hosting server or take it down altogether, thereby preventing actual users from accessing a website.
Types of DDoS attacks
They can be classified as follows:
- Volume-based attacks
- Protocol attacks
- Application layer attacks
Volume-based Distributed Denial of Service
This type of DDoS attack is the most common and includes User Datagram Protocol (UDP) flood, ICMP (Internet Control Message Protocol) flood and other spoofed-packet floods.
The aim here is to overwhelm a website’s available bandwidth with a deluge of traffic, so much so that normal users coming from different sources are unable to access the website.
Protocol-based Distributed Denial of Service
The attacker’s objective is to make the target unreachable by exploiting a weakness in a protocol, typically by sending the server a flood of SYN packets.
Types include fragmented packet attacks, ping of death, Smurf and more.
Application layer Distributed Denial of Service
Measured in requests per second, this type of DDoS attack aims to take down the web server. Also known as a layer 7 DDoS attack (with reference to the OSI model), it can be difficult to flag as malicious, because each request looks like a legitimate user request, and hence challenging to guard against.
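As an added illustration of why a layer 7 flood is hard to spot (this is example code, not part of the original post): a per-source rate check over constructed web-server access-log lines. Every request in the sample is well-formed and answered with a 200, so only the request rate separates the flood from an ordinary visitor; the IP addresses, threshold and log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Minimal parser for the common log format: client IP, timestamp and request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Return (ip, epoch_seconds, request) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("req")

def flag_sources(lines, window=10, max_requests=20):
    """Sliding-window rate check per source IP: flag a source once it sends more than
    max_requests within any `window` seconds. Returns {ip: peak count} for flagged IPs."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparsable lines rather than crash the detector
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def make_line(ip, epoch, path):
    """Build one constructed log line; every request gets a 200, as in a layer 7 flood."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

def build_sample():
    """Constructed sample: a normal visitor (5 requests in 10 s) next to one source
    firing 30 requests at a search endpoint within the same 10 s."""
    base = 1595412000  # 22/Jul/2020 10:00:00 UTC, an arbitrary constructed time
    lines = [make_line("203.0.113.5", base + 2 * i, "/index.html") for i in range(5)]
    lines += [make_line("198.51.100.7", base + i // 3, "/search?q=x") for i in range(30)]
    return lines

if __name__ == "__main__":
    print(flag_sources(build_sample()))  # {'198.51.100.7': 30}
```

A fixed per-IP threshold is only a first cut: a real flood spread across many sources stays under it, which is exactly why the post calls this class of attack hard to flag.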
How DDoS affects businesses
The cost of carrying out this type of attack is relatively low and depends on the duration and strength (Mbps, Gbps or Tbps) of the attack.
By contrast, according to web analytics firm Neustar’s annual DDoS attack report 2017, businesses can lose up to US$2.5m detecting and mitigating the effect of each DDoS attack.
The same report establishes that about 40 per cent of its respondents learned of the attacks on their network from their customers.
The result is a double whammy: brands become less trustworthy and their image suffers.
In fact, a study by Corero ranks reputational damage as the worst effect of the phenomenon.
Companies using Internet of Things (IoT) devices put themselves at greater risk of a DDoS attack, as the relatively new technology is plagued by security weaknesses and therefore makes a soft target for hackers.
Research finds that 98 per cent of IoT device traffic is unencrypted, exposing personal and confidential data.
Failure to meet Service Level Agreements (SLAs) with clients is another major consequence of a DDoS attack on a business.
Preventing DDoS attacks
While companies invest in cybersecurity and IT security testing to protect against cyberattacks, hackers, too, are becoming smarter. DDoS attack prevention is, therefore, more challenging now than in the past.
Below we discuss the ways businesses and enterprises can mitigate the risks associated with DDoS.
Traffic scrubbing
GitHub used traffic scrubbing as a DDoS mitigation method to counter the attack on its systems in February 2018.
Using this technique, traffic destined for the target IP address is rerouted to scrubbing datacenters, where the unwanted traffic (from attackers) is filtered out and only clean traffic is forwarded on.
Businesses may route all their traffic through the scrubbing centers permanently, or divert traffic to them only when they come under a DDoS attack.
Scrubbing centers are distributed worldwide and have DDoS protection equipment and enough bandwidth to deal with attack traffic as heavy as 300 Gbps or more.
Content delivery network (CDN)
A CDN is a network of web servers distributed across the globe.
If a web server is being targeted by a DDoS attack, a CDN helps offset the load by distributing the flood of traffic across other, more localized servers.
Since the traffic is spread over a network of servers, volumetric attacks are usually ineffective unless the attackers can generate enough traffic to overwhelm the network as a whole.
A CDN helps keep the business website online while customers notice no difference in their user experience.
However, the CDN must have the bandwidth available to handle high volumes of traffic, measured in megabits, gigabits and terabits per second.
CDNs also protect applications from application layer attacks such as cross-site scripting, remote file inclusion and SQL injection.
Blackhole routing
With DDoS being a major IT security concern, businesses are turning to their internet service providers for protection.
ISPs have the capacity to reduce the unwanted traffic entering the network, and thereby ease the load on the server, by using a technique known as blackhole routing.
ISPs normally have access to remotely triggered black hole (RTBH) filtering to help their customers filter DDoS attacks. The technique discards the abnormal traffic before it enters the protected network.
Either autonomously or after a request from a customer, ISPs can act in the following two ways:
- Blackhole the traffic at its source
- Blackhole the traffic to the target
By blackholing traffic at the source (the attackers), the ISP stops the attack traffic reaching its customer’s web server while allowing legitimate (normal) traffic to pass through.
This type of blackholing may not be possible if the source addresses of the attackers are unknown, for instance because the packets are spoofed.
If the ISP instead blackholes traffic to the target, both normal and abnormal traffic to the customer’s web server is dropped.
The DDoS attacker, having forced the web server offline, has in a sense succeeded. However, the ISP protects its customer’s other resources, and the technique is cost-effective.
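To make the trade-off between the two blackholing options concrete, here is a small added simulation (not part of the original post) over constructed flow records; the addresses, packet counts and the `Flow` record are assumptions made for the example. Source-based blackholing keeps every legitimate flow but only covers attacker addresses that are actually known; target-based blackholing drops everything sent to the target, real customers included, while traffic to the business’s other hosts survives.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    packets: int
    legit: bool  # ground truth, used only to measure the outcome of a decision

# Constructed sample: two attack sources and two real customers hitting the protected
# web server, plus one customer also using another host of the same business.
SERVER = "192.0.2.10"
OTHER_HOST = "192.0.2.20"
FLOWS = [
    Flow("203.0.113.5", SERVER, 40, True),      # real customer
    Flow("203.0.113.9", SERVER, 25, True),      # real customer
    Flow("198.51.100.7", SERVER, 900, False),   # attack source
    Flow("198.51.100.8", SERVER, 700, False),   # attack source
    Flow("203.0.113.5", OTHER_HOST, 10, True),  # customer reaching another service
]

def apply_blackhole(flows, dst_blackhole=frozenset(), src_blackhole=frozenset()):
    """Drop every flow whose destination or source is blackholed.
    Returns (legitimate_packets_delivered, attack_packets_delivered)."""
    legit = attack = 0
    for f in flows:
        if f.dst in dst_blackhole or f.src in src_blackhole:
            continue
        if f.legit:
            legit += f.packets
        else:
            attack += f.packets
    return legit, attack

def choose_rtbh(flows, target, known_attack_sources):
    """The two options described above: blackhole at the source when attacker
    addresses are known, otherwise blackhole the target so the attack stops
    short of the customer's network (and the customer's other hosts stay up)."""
    if known_attack_sources:
        return apply_blackhole(flows, src_blackhole=frozenset(known_attack_sources))
    return apply_blackhole(flows, dst_blackhole=frozenset({target}))

if __name__ == "__main__":
    print("no filtering     ", apply_blackhole(FLOWS))                                    # (75, 1600)
    print("source blackhole ", choose_rtbh(FLOWS, SERVER, {"198.51.100.7", "198.51.100.8"}))  # (75, 0)
    print("partial knowledge", choose_rtbh(FLOWS, SERVER, {"198.51.100.7"}))              # (75, 700)
    print("target blackhole ", choose_rtbh(FLOWS, SERVER, set()))                         # (10, 0)
```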
DDoS attacks have the potential to throw businesses into disarray and cause long-lasting damage internally and externally.
With the number of attacks increasing exponentially year-on-year, cybersecurity and IT security are high on the list of priorities for businesses.
That, combined with effective mitigation methods and use of resources, is the only way to mitigate cyberattacks and neutralise their adverse effects on the running of your business.