Denial-of-service (DoS) attacks aim to make websites or applications unavailable to legitimate users by overwhelming them with bogus network traffic. Attackers send superfluous web requests to an app or API endpoint, overloading the systems behind it and disrupting service.
DoS vs. DDoS
What is the difference between a Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack?
DoS attacks = fake traffic originates from a single source
DDoS attacks = fake traffic originates from many different sources
DDoS attacks are significantly harder to stop because you must block incoming traffic from many disparate sources, as opposed to a single source.
DDoS attacks direct bogus network requests at websites and API endpoints with the goal of making those resources unavailable.
Attacker’s Goal = Crash the Website, Application, or Web Service
A DDoS attack doesn’t target specific data, but instead seeks to make a website, app, or API inaccessible. In effect, DDoS attacks hold data “hostage” by making it unavailable to end users.
If the website or API service is nonfunctioning, hypothetical real-world outcomes look like this:
Square’s payment platform is down, so a restaurant cashier can’t complete credit card transactions and loses revenue
Banana Republic’s e-commerce website has crashed, so a customer purchases clothing from Everlane.com
TikTok is frequently down, so users gravitate towards sharing content on more stable platforms like Instagram
Costs of a DDoS Attack
The primary cost of a DDoS attack is the loss of revenue that would have otherwise been generated if the web layer asset was available. Customers often seek the service or product they need on a competitor site since your site isn’t available. Further, downtime for an application negatively impacts both user experience and brand perception.
Attackers use a toolkit composed of specialized malware, bots, and stressor tactics in order to execute a DDoS attack.
Spikes represent influxes in web traffic that potentially indicate a DDoS attack attempt.
Types of DDoS Attack Tactics
Application (Layer 7) as Target
When targeting applications at Layer 7, attackers target the “top” layer in the OSI model where common internet requests (e.g. HTTP GET and HTTP POST) occur.
The attacker then sends bogus HTTP GET and HTTP POST requests which are difficult to distinguish from legitimate requests. As a result, a Layer 7 DDoS attack consumes server and network resources, which results in increased infrastructure costs.
Network (Layer 3) & Transport (Layer 4) as Targets
Attacks targeting Layer 3 and Layer 4 rely on the abuse of network protocols to amplify and send large volumes of traffic to a targeted server, for example:
SYN Flood: A SYN flood is a type of DoS attack that sends a series of “SYN” messages to a computer, such as a web server. SYN is short for “synchronize” and is the first step in establishing communication between two systems over the TCP/IP protocol.
UDP Flood: A UDP flood is a volumetric DoS attack where attackers overwhelm random ports on the host with IP packets containing User Datagram Protocol (UDP) datagrams. The host looks for applications listening on those ports for each datagram, consuming resources even when none is found.
“Low and Slow” Method
Using the “low and slow” method, attackers send small numbers of web requests from multiple locations in order to keep ports on targeted servers open for as long as possible. Attackers use a very slow rate of request in order to mimic legitimate traffic, making it difficult to accurately detect. Common tools to execute the “low and slow” method are:
Real-World Examples of DDoS Attacks
DDoS attacks can cripple web services that companies rely on to serve their end-customers.
The developer platform GitHub was the victim of the largest documented DDoS attack in history. In 2018, attackers directed 1.3 terabits per second (Tbps) of traffic at GitHub for over 15 minutes by sending spoofed requests to memcached servers, a popular database caching system. Spoofing the source IP address allows memcached’s responses to be targeted against GitHub.
In 2016 attackers targeted Dyn, a DNS service provider for major websites like Reddit, the New York Times, and HBO. Dyn fell victim to the Mirai botnet attack which directed bogus network traffic at Dyn, taking their DNS servers, and all websites using their servers, offline for several hours.
Spamhaus, an email spam filtering organization, was the target of a Layer 3 DDoS attack. Attackers sent 300 Gbps of traffic which took Spamhaus’s website, email servers, and DNS IPs offline for seven days.
How to Defend Against Denial of Service (DDoS) Attacks
DDoS Protection for Web Applications & APIs
DDoS attack mitigation should keep apps and APIs available, but without impacting performance for end users. The ideal cloud DDoS solution provides automated protection for application, network, and transport layers.
Two key ways to detect and stop DDoS attack traffic are:
1. Application (Layer 7) Protection
The key to prevent app and API DoS attacks is knowing your expected traffic patterns. You’ll need visibility into the sources and volume of traffic aimed at your web layer assets.
An effective security solution includes a web application firewall (WAF) that examines suspicious web requests over time, contextualizes those requests to determine whether an actual attack is occurring, then automatically blocks abusive traffic when thresholds are met.
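As an added example that is not part of the original article, the following Python sketch shows the kind of over-time, threshold-based classification described above, covering both a request flood and the “low and slow” pattern from the earlier section. The log format and all addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict

# Constructed access-log lines (hypothetical format, not from the page):
# "<client_ip> <epoch_seconds> <method> <path> <status> <request_seconds>"
LEGIT = [f"198.51.100.7 {1000 + i * 3} GET /api/items 200 0.05" for i in range(5)]
FLOOD = [f"203.0.113.9 {1000 + i // 10} GET /login 200 0.03" for i in range(60)]  # 60 requests in ~6 s
SLOW = [f"192.0.2.4 {1000 + i * 15} POST /upload 408 120.0" for i in range(4)]    # each request held ~2 min
SAMPLE_LOG = "\n".join(LEGIT + FLOOD + SLOW)


def max_in_window(times, window):
    """Largest number of requests that fall inside any sliding window of `window` seconds."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:   # drop timestamps that fell out of the window
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify_sources(log_text, window=10, rate_limit=20, slow_seconds=30.0):
    """Return a verdict per client IP: 'flood', 'slow' or 'ok'.

    flood: more than `rate_limit` requests in any `window`-second span (volumetric L7 abuse)
    slow : requests are held open for an average of more than `slow_seconds` (low and slow)
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, ts, _method, _path, _status, secs = line.split()
        per_ip[ip].append((int(ts), float(secs)))

    verdicts = {}
    for ip, reqs in per_ip.items():
        peak = max_in_window([t for t, _ in reqs], window)
        avg_secs = sum(s for _, s in reqs) / len(reqs)
        if peak > rate_limit:
            verdicts[ip] = "flood"
        elif avg_secs > slow_seconds:
            verdicts[ip] = "slow"
        else:
            verdicts[ip] = "ok"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

The thresholds are placeholders; in practice they are derived from the site’s own baseline traffic, which is why the text stresses knowing your expected traffic patterns first.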
2. Network (Layer 3) & Transport (Layer 4) Protection
The ideal network and transport layer DDoS prevention solution provides:
Heuristics-based network flow monitoring to inspect incoming network traffic, finding anomalies and signs of network protocol abuse
Multiple detection techniques, including traffic signatures and anomaly algorithms, to detect malicious traffic in real-time
Automatic mitigation applied inline for fast attack prevention
Cloud DDoS protection can examine traffic before it reaches app or API endpoints, stopping DoS attacks while letting legitimate web requests through.