Cybercriminals have an impressive arsenal of tools that they can use to try and infiltrate a network. Whether it’s through social engineering, malware or exploiting flaws in software, hackers will stop at nothing to try and extort money or steal valuable corporate data.
In recent years, hackers have been deploying new tactics in their efforts to break into a system and one attack method that has been growing in prominence is a DDoS attack.
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with huge volumes of traffic from multiple sources. Quite simply, hackers will try and crash a website by flooding it with more traffic than the server can handle.
These attacks can range in severity and are often used as a smokescreen while hackers conduct more invasive attacks in the background.
DDoS attacks have been growing in size, scale and sophistication, and they have the potential to cause great damage to an organisation. This can include loss of data, loss of revenue, reputational damage, loss of customers and investment into new security measures.
In 2016, one of the world’s largest DDoS attacks caused major disruption and demonstrated just how devastating an attack could be. Hackers created an army of up to 100,000 Internet of things (IoT) devices to attack Dyn, a major Domain Name Service provider.
By flooding Dyn with huge volumes of traffic, hackers were able to bring down the websites of over 80 of its customers including Amazon, Netflix, Airbnb, Spotify, Twitter, PayPal and Reddit. Damage from the attack is reputed to have cost $110 million and in the immediate aftermath of the attack, over 14,500 domains dropped Dyn’s services. Clearly, the knock-on effect from a DDoS attack can have massive ramifications for an organisation.
A DDoS attack occurs when multiple machines work together to attack one target. To execute an attack, hackers will use phishing emails and a range of other methods to install malware on remote machines. These machines will form what is known as a botnet. A botnet is a collection of internet-connected devices, which can include PCs, servers, mobile devices and Internet of things (IoT) devices that are infected and controlled by malware.
After installing malware on these machines, the hackers can control the devices from a centralised location and instruct them to bombard a site with traffic. Botnets can range from thousands to millions of devices under the control of criminals. To make as much money as they can from these botnets, many hackers will rent them out to other would-be attackers to conduct further DDoS attacks.
DDoS attacks can vary quite significantly and there are a multitude of different ways an attack can be carried out. The three most common attack methods include:
1. Volumetric Attacks – Volumetric attacks are the most common form of DDoS attack. A botnet is used to flood a network or server with traffic that appears to be legitimate. The sheer quantity of traffic can in turn cripple the service and completely block access to the site.
2. Protocol Attacks – Protocol attacks are primarily focused on exploiting vulnerabilities in a server’s resources. The goal is to render a service inaccessible by exploiting a weakness in the networking layer of the target systems.
3. Application Layer Attacks – Application layer attacks are the most sophisticated type of attack method and often the most difficult to detect. The attacks are aimed at the layer where a server generates web pages and responds to HTTP requests. The attack will take place at a much slower rate, and traffic may appear legitimate, masking the true nature of the attack until the service is overwhelmed and inaccessible.
One of the first things an organisation will need to determine is whether a spike in traffic is legitimate or a DDoS attack. Organisations with a thorough understanding of their historic traffic trends will tend to pick up on an attack quite quickly, whereas organisations that are less tuned into these baselines are unlikely to detect an attack until it’s too late.
Before a website crashes completely, there are often a few warning signs that may point to a DDoS attack. These include:
* A huge spike in traffic
* Unusually slow network performance
* Unavailability of a particular website
* Inability to access any website
* Excessive amounts of spam emails
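The baseline comparison described above, as an added illustrative example (not code from the original article): per-minute request counts from constructed access-log records are compared against a constructed historic baseline, and a minute is flagged as a suspected DDoS only when it is both far above the baseline and spread across many sources. The baseline values, log records and thresholds are all assumptions made for the example.

```python
"""Baseline-based DDoS warning-sign detector (illustrative, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: requests per minute observed during a normal period.
BASELINE_PER_MINUTE = [118, 124, 131, 127, 120, 135, 129, 122, 126, 130]


def build_sample_log():
    """Constructed access-log records as (minute, client_ip, path) tuples.
    10:00 is a normal minute, 10:01 is a flood from many sources (distributed),
    10:02 is a flood from a single client (a spike, but not distributed)."""
    log = []
    for i in range(125):                                  # 125 requests, 25 sources
        log.append(("10:00", f"198.51.100.{i % 25}", "/"))
    for i in range(900):                                  # 900 requests, 250 sources
        log.append(("10:01", f"203.0.113.{i % 250}", "/"))
    for _ in range(500):                                  # 500 requests, 1 source
        log.append(("10:02", "192.0.2.7", "/"))
    return log


def spike_threshold(baseline, k=3.0):
    """Requests per minute beyond which traffic sits well outside historic norms."""
    return mean(baseline) + k * pstdev(baseline)


def analyse(log, baseline, k=3.0, min_sources=100):
    """Summarise each minute and decide whether it looks like a DDoS spike.
    min_sources is an assumed cut-off for calling a spike 'distributed'."""
    threshold = spike_threshold(baseline, k)
    per_minute = defaultdict(lambda: {"requests": 0, "sources": set()})
    for minute, ip, _path in log:
        per_minute[minute]["requests"] += 1
        per_minute[minute]["sources"].add(ip)
    report = {}
    for minute, stats in per_minute.items():
        n, sources = stats["requests"], len(stats["sources"])
        report[minute] = {
            "requests": n,
            "distinct_sources": sources,
            "over_baseline": n > threshold,
            # The 'D' in DDoS: many sources, not one noisy client
            "ddos_suspected": n > threshold and sources >= min_sources,
        }
    return report


if __name__ == "__main__":
    for minute, row in sorted(analyse(build_sample_log(), BASELINE_PER_MINUTE).items()):
        print(minute, row)
```

A single over-baseline client (10:02 in the sample) still deserves attention, but it is a rate-limiting case rather than the many-source flood the article describes.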
While there is no way to completely avoid becoming a target of a DDoS attack, there are steps that can be taken to mitigate any damage and reduce the effects of an attack on a network.
* Organisations should consider the use of a DDoS protection service that will detect abnormal traffic flows and redirect any DDoS traffic away from the network.
* Create an incident response plan to ensure prompt communication, mitigation, and recovery in the event of a DDoS attack.
* Install and update antivirus software.
* Secure network infrastructure through the use of a firewall, VPN, Anti-spam and other layers of DDoS defence techniques.
* Follow good security practices to minimise the risk of attacks: avoid clicking on links or downloading attachments from unknown sources.
* To prevent IoT devices being compromised and used in a botnet, it’s important to change any default usernames and passwords and keep up to date with the latest security patches.
MetaCompliance specialises in creating the best Cyber Security awareness training available on the market. Our products directly address the specific challenges that arise from cyber threats and corporate governance by making it easier for users to engage in Cyber Security and compliance. Get in touch for further information on how we can help transform Cyber Security training within your organisation.