
What is a Distributed Denial of Service (DDoS) Attack?

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a cybercrime in which the attacker floods a targeted server, service or network with internet traffic so that legitimate users can no longer reach it.

To achieve this disruption, DDoS attacks use multiple compromised computer systems as sources of attack traffic. These can include computers and other networked resources such as Internet of Things (IoT) devices.

There are many different reasons why DDoS attacks are carried out. Some are launched by disgruntled individuals or hackers who flood a company's servers to send a message or simply for the thrill of exploiting a weakness. DDoS attacks are also frequently used to mask other, more targeted cyber-attacks.

Why are DDoS Attacks so dangerous?

DDoS threats are on the rise, and even some of the largest global companies are not immune to being "DDoS'ed". The largest attack in history occurred in February 2020 against none other than Amazon Web Services (AWS), overtaking an earlier attack on GitHub two years prior. The ramifications of a DDoS attack include a drop in legitimate traffic, lost business, and reputation damage.
 
DDoS represents a significant threat to business continuity. As organizations have grown more dependent on the Internet and web-based applications and services, availability has become as essential as electricity.  

DDoS is not only a cyberthreat to retailers, financial services and gaming companies with an obvious need for availability. DDoS attacks also target the mission-critical business applications that your organization relies on to manage daily operations, such as email, salesforce automation, CRM and many others.

"There's the common term of DDoS Protection, but if you ask ten different people what's in there, you will get ten different answers. That is not just because the types of attacks are very different, but also because the types of applications that customers would like to protect are very different. This is why it needs to be made clear what is included in the protection, and pricing needs to be transparent too."

Theo Voss

CEO and Co-Founder, Inter.link

 

Additionally, other industries, such as manufacturing, pharma and healthcare, have internal web properties that the supply chain and other business partners rely on for daily business operations. All of these are targets for today’s sophisticated cyber attackers.

The alarming rise of DDoS attacks leaves no doubt that DDoS detection and mitigation is an absolute necessity for any business that relies on internet traffic, if it wants to avoid disrupted applications and services, revenue loss, and brand damage.

How does a DDoS attack work?

DDoS attacks are carried out with networks of Internet-connected machines.  

These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is called a botnet.  

Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions to each bot.  

When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to normal traffic. Because each bot can appear as a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.


The Use of an Online Service Taken Too Far

A DDoS attack is essentially the use of an online service taken too far. For example, a website may be capable of handling a certain number of requests per minute. If that number is exceeded, then the website’s performance is degraded, or it may be rendered completely inaccessible.

This overload may be caused by an attack or even legitimate use, such as an e-commerce site being overwhelmed on Black Friday or a ticket sales platform going down when sales for a popular event are opened.  

DDoS attacks are capable of overwhelming a target at various levels. For example, a web application may have a maximum number of requests that it can handle. Alternatively, the server it runs on may have a limit on the number of simultaneous connections it can manage. A network likely has bandwidth restrictions that could be saturated by an attacker. Exceeding any of these thresholds results in a denial of service against the system: a DoS attack if the traffic comes from a single source, or a DDoS attack if the attacker uses multiple IP addresses to amplify it.

How to identify a DDoS Attack

The first step in avoiding or stopping a DDoS attack is knowing that an attack is taking place. To detect an attack, one has to gather sufficient network traffic information and then analyze it to determine whether the traffic is friend or foe. This process can be performed manually or in an automated fashion. DDoS detection is the key to quickly stopping or mitigating attacks, and for this to happen, two success criteria need to be met:

  1. Speed of detection
  2. Accuracy of detection

So detection methods are a key consideration in formulating a strong DDoS defense, a crucial pillar of cybersecurity overall. 

The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But since a number of causes, such as a legitimate spike in traffic, can create similar performance issues, further investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS attack:

  • Suspicious amounts of traffic originating from a single IP address or IP range  
  • A flood of traffic from users who share a single behavioral profile, such as device type, geolocation, or web browser version  
  • An unexplained surge in requests to a single page or endpoint  
  • Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a spike every 10 minutes)  
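The first three signs above can be checked mechanically against a web server's access log. The script below is an added example, not Inter.link's code or tooling: it parses a constructed sample log (RFC 5737 documentation addresses), then reports whether one /24 range dominates, whether one endpoint is being hammered, and whether the 5xx error rate (503/504, as discussed further down) is climbing. The thresholds are illustrative assumptions, not recommended values.

```python
import re
from collections import Counter

# Constructed access-log sample (combined-log style, RFC 5737 documentation IPs):
# four ordinary requests, then a burst from one /24 against /login while the backend fails.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /products HTTP/1.1" 200 2048
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "POST /cart HTTP/1.1" 200 128
192.0.2.45 - - [10/Oct/2023:13:55:39 +0000] "GET /about HTTP/1.1" 200 900
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 300
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 300
203.0.113.12 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 503 0
203.0.113.13 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 503 0
203.0.113.14 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 503 0
203.0.113.15 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 504 0
"""

# Fields: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \d+')

def parse(log_text):
    """Yield (ip, path, status) per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def analyze(log_text, range_share=0.5, path_share=0.5, error_share=0.3):
    """Report which tell-tale signs the log shows; the thresholds are illustrative assumptions."""
    rows = list(parse(log_text))
    total = len(rows)
    if total == 0:
        return {"requests": 0, "signs": []}
    ranges = Counter(ip.rsplit(".", 1)[0] for ip, _, _ in rows)   # group by /24 (IPv4 only)
    paths = Counter(path for _, path, _ in rows)
    top_range, range_hits = ranges.most_common(1)[0]
    top_path, path_hits = paths.most_common(1)[0]
    errors = sum(1 for _, _, st in rows if st >= 500)               # 503, 504 and friends
    signs = []
    if range_hits / total >= range_share:        # sign 1: one IP range dominates
        signs.append(f"{range_hits}/{total} requests from {top_range}.0/24")
    if path_hits / total >= path_share:          # sign 2: surge against one endpoint
        signs.append(f"{path_hits}/{total} requests to {top_path}")
    if errors / total >= error_share:            # sign 3: 5xx error rate climbing
        signs.append(f"{errors}/{total} responses were 5xx")
    return {"requests": total, "top_range": top_range, "top_path": top_path,
            "error_rate": errors / total, "signs": signs}
```

Run `analyze()` over a sliding window of recent lines rather than the whole log, so that a legitimate all-day surge does not mask a short burst; tuning the shares against your own baseline traffic is what the "accuracy of detection" criterion above is about.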

There are other, more specific signs that can vary depending on the type of DDoS attack. There are multiple types of DDoS attacks, such as application layer attacks (sometimes called a Layer 7 DDoS attack), protocol attacks, and volumetric attacks.

Here's how to tell if you're under a DDoS attack

Unusually high network traffic and unexplained sources:  

One of the most apparent signs of a DDoS attack is a sudden and significant increase in network traffic. This traffic surge can overwhelm your network infrastructure. Monitor your network traffic patterns and sources, e.g., unexpected countries of origin. Irregular spikes or unusual patterns in incoming traffic indicate a possible attack. Performing a deep packet inspection to analyze the type and origin of incoming traffic can help differentiate legitimate traffic from malicious traffic.  

Website slowness or inaccessibility:  

If your website or online services become slow or completely unavailable to users, this could be due to a DDoS attack. However, during seasonal holidays or festivals, a surge in traffic needs more critical analysis as it could be caused by bandwidth limitation rather than a DDoS attack. Provisioning for additional bandwidth or advanced CDN services can come in handy during such times and prevent confusion.  

Service disruptions with increased error rates:  

Check for service disruptions in critical systems such as email, database, or cloud services. If users experience difficulties accessing these services, this could be due to a DDoS attack. Check for a significant increase in error messages or HTTP error codes, such as 503 (Service Unavailable) or 504 (Gateway Timeout).  “Service Unavailable” errors during cart checkout can impact your revenue realization significantly.  

“It's vital to tell the difference between normal traffic and attack traffic when detecting and preventing an attack. If DDoS protection is switched on ahead of time instead of when a company is already under attack, it gives the protection the chance to become deeply familiar with the usual non-attack traffic.”

Theo Voss

CEO and Co-Founder, Inter.link


Unwanted bot traffic:

DDoS attacks often employ botnets. Being vigilant for indicators of elevated bot traffic, such as a notable increase in automated, non-human visitors to your website, can go a long way toward protecting against botnet-based DDoS attacks. Scrutinize patterns of traffic originating from automated software programmed to execute repetitive, often straightforward tasks online. Such seemingly inconspicuous entry points can become weak links in your system's defense. For instance, if your login process lacks additional security measures (e.g. captcha challenges or image recognition), it can leave your critical systems exposed to security threats.

Resource depletion:  

DDoS attacks can target specific server resources such as CPU or memory. Monitor resource utilization: if it is consistently high, this could signify an ongoing attack. Resource-hungry business processes such as ERP or advanced analytics and computing workloads can take significant hits when CPU, memory or bandwidth are depleted.

ISP alerts:

Collaborate closely with your Internet Service Provider (ISP), who might be able to detect unusual traffic patterns and alert you to a potential DDoS attack. In the event of a severe DDoS attack, contact your ISP and share traffic data with them. They may be able to help mitigate the attack closer to its source. Engage with your ISP early on to get expert help.  

Monitoring tools and anomalous user behaviour:  

Use specialized DDoS detection and mitigation tools to automatically identify and respond to irregular traffic patterns from both external and internal user behavior. You can choose to use an in-house DDoS mitigation solution or a similar service via the cloud, or even use hybrid options, depending on your needs.  

Rate limiting and traffic filtering:  

Implement rate limiting and traffic filtering to block or restrict traffic from suspicious sources, which can help mitigate the impact of the attack. However, this approach has the drawback of potentially restricting legitimate traffic as well. Features such as BGP FlowSpec, which distributes filtering rules to routers via BGP so that unwanted traffic can be dropped at the network edge, can be a great help here.

Integrated DDoS Protection from Inter.link   

Inter.link offers a tight integration between IP connectivity services, and DDoS protection available from within our own network.  

This "protected transit" delivers the best performance, and we offer it with transparent pricing so that customers get the best protection with the most pricing predictability. 

When experiencing an attack, efficiency is crucial. Receiving DDoS Protection from the same provider as your IP Transit gives you greater control, making it easier and therefore much more efficient to protect your infrastructure. We offer multiple tiers so you can pick the type of protection that suits you best, we provide transparent pricing with no surprises, and we do not bill based on clean traffic.
 
If you are interested in finding out more about Inter.link DDoS Protection, click here 

Interested in who we have already helped with DDoS Protection?
Check out this customer story.
