What is a DDoS attack?

One of the most powerful attacks on the internet today is the Distributed Denial of Service, or DDoS, attack. What makes it so powerful is its versatility, as every time Information Security experts think they’ve seen it all, a new version of the attack arises. This has been the story since these attacks first surface all the way back at the beginning of the 21st century.

Eugene Kaspersky, legendary cybersecurity pioneer, said it best when discussing this topic on his blog:

“DDoS attacks have evolved very quickly… They’ve grown much nastier and become a lot more technically advanced; from time to time, they adopt utterly unusual attack methods; they go after fresh new targets, and break new world records in being the biggest and baddest DDoS’s ever. But, then, the world in which DDoS find themselves has evolved very quickly too. Everything and the kitchen sink are online: the number of assorted ‘smart’ [sic] devices connected to the net now far outstrips the number of good old desktop and laptop computers.”

The basic idea of a DDoS attack is to overload a target until it can no longer function as intended. Its origins are in the Denial-of-Service (DoS) attack, but what separates the two attacks are the number of machines involved. In a DoS attack, one machine attacks the target. In a DDoS attack, however, the attacking machine is aided by a plethora of other machines.

These machines are called a botnet, which is a portmanteau of “robot” and “network.” The botnet is composed of hundreds, thousands, or even millions, of devices controlled by the attacker. The machines that form a botnet are called zombies. The term zombie infers that a computer is being controlled by an infection (much like the fictional monsters). Zombies are either infected with malware or exploited via some vulnerability in their software. The way these zombies are controlled is via the Command-and-Control (C2) server. All commands that an attacker sends to the machines are through the C2 server.

Botnets used to need someone with specialized knowledge to control them. These days, however, anyone with access to cryptocurrency like Bitcoin can rent a botnet. DDoS-as-a-Service has become an incredible threat as it allows script kiddies to play hacker villains for a while. Anytime a DDoS-as-a-Service is employed, the client is given an easy-to-use frontend webpage. This webpage functions as a Command-and-Control server in GUI (Graphical User Interface) form. It does not require much technical know-how to operate, which in turn makes it all the more dangerous.

Plenty of destructive botnets are a mere encrypted payment away, and a good deal of this makeup most DDoS attacks recorded. The most famous instance was Lizard Squad leveraging their rented botnet to topple Xbox Live, the Playstation Network, and even North Korean government websites. This band of trolls and script kiddies went after high priority targets with a fury not seen in many years, perhaps not since the Anonymous hacktivism incidents. They gained significant media exposure, and while their arrogance would eventually lead authorities to them, they left a trail of chaos in their wake.

More on Botnets: Famous examples

Botnets have evolved throughout the years, and their uses have not always been for DDoSing. Here are some of the most important examples:

Earthlink Spammer:

Created by Khan K. Smith in the year 2000, this was arguably the first notable botnet. Its purpose was not DDoS attacks, but rather to send out phishing emails at a high rate. Whether intentional or not, the DDoS attack was born here as the mechanism for creating it had been born. Other botnets have followed this style of a phishing attack, such as 2007’s Cutwail.

Grum:

This botnet created a large amount of the world’s spam email traffic in 2010. It first came into existence in 2008, and before shutting down 2012, around 18 percent of global spam came from Grum. The spam emails were usually targeted towards pharmaceuticals. These spam emails were, of course, malicious attempts at infecting users. A large number of malware infections to this day are a result of such spam.

Conficker:

The botnets formed by the Conficker malware were legendary. It was a worm virus that easily penetrated defenses and grew one of the largest botnets seen in the first decade of the 2000s. A total of 4 million machines were zombified and formed the botnet. It peaked in 2009 and was estimated to have infected roughly 15 million machines globally. Not all infected machines, as the data shows, joined the botnet.

Mariposa:

Spanish for “butterfly,” this botnet was not a graceful creature. Instead, it was one of the most vicious and powerful botnets seen at the time in 2009. Mariposa used a combination of Peer-to-Peer (P2P) networks, malicious internet links, and malware-loaded USB drives (a common social engineering tactic). Eventually, the FBI got involved and was able to pinpoint Mariposa’s C2 server and shut it down. Before this occurred, however, Mariposa infected a massive chunk of Fortune 500 companies. It was also one of the first DDoS-as-a-Service botnets in history.

Mirai:

The first botnet to leverage IoT devices, Mirai changed the threat landscape forever. No longer was it just computers becoming members of a botnet, but any smart device that could be exploited (refrigerators, televisions, and much more). Mirai itself was a malware created to take advantage of Minecraft servers, but it created something far beyond the scope of gaming. The biggest cause for Mirai’s spread was poor IoT security practices.

The botnet is versatile, readily available, and powerful. No wonder DDoS attacks are so easily carried out by them.

Famous DDoS Attacks

To truly understand the power of the Distributed-Denial-of-Service, just like we did with botnets, it is vital to explore well-known incidents. What follows is far from an exhaustive list and analysis, but it should shed light on just how dangerous the DDoS attack is.

Github:

In the year 2018, the popular website for software repositories came under attack from a massive DDoS. The attack clocked in at 1.35 Tbits/s per second and overloaded Github servers. The company had DDoS protection in place, but it simply could not withstand a record-breaking barrage like this. According to GitHub, thousands of autonomous machines attacked over tens of thousands of unique endpoints.

Cloudflare:

The name of Cloudflare is synonymous with DDoS protection, so it should come as no surprise that hackers of all stripes want to test their defenses. In 2014 Cloudflare experienced an NTP reflection DDoS attack. The result was their servers being stressed by 400 Gbit/s per second.

Rio Olympics:

Back in 2015, the Summer Olympics were preparing to be in full swing in Rio de Janeiro, Brazil. What was also in full swing was a massive DDoS attack led by a DDoS-as-a-Service botnet. Called LizardStresser, it worked with other botnets and targeted official Olympics committee websites. The attacks went on for months, disrupting the domains from functioning. At their peak, the attacks clocked in at a whopping 540 Gbit/s.

Imperva:

Much like the Cloudflare DDoS attack, Imperva is also the main target for cybercriminals due to their DDoS mitigation services. In 2019, Imperva came under attack by an SYN DDoS attack that peaked at around 580 million packets per second. This surpassed the Cloudflare attack significantly, at least in terms of PPS, as the Cloudflare DDoS peaked around 130 packets per second.

Dyn:

Remember the Mirai botnet we discussed earlier? It has been used in many prominent DDoS attacks, and this is one of the biggest. The DNS provider Dyn came under attack from the botnet in 2016. Many prominent companies that used Dyn’s services, including Netflix, Paypal, and Reddit, were brought down by this attack.

Krebs on Security:

Brian Krebs is a well-respected cybersecurity researcher who runs the blog “Krebs on Security.” This blog became a target of the Mirai botnet as well, and according to Krebs, it was the largest DDoS attack he had ever seen. Krebs is no stranger to DDoSing, as a cybersecurity journalist, it sort of comes with the territory, but with the Mirai attack, his site could not withstand the assault. The attack peaked at around 623 Gbit/s and shut down the website in totality for a while.

Types of DDoS Attacks

While this is hardly an exhaustive list, the point here is to demonstrate the versatility of the DDoS attack. Some of the most popular DDoS attack types are the following:

Reflection attack:

An attacker spoofs internet packets so that a server will respond in a specific way. The idea is to trick the server into thinking the packets are being sent from the domain it controls. This is why it is called a reflection, as the Denial-of-Service is brought about by tricking a server into “reflecting” communications. The data spreads quickly and efficiently, bringing a target down without raising the alarm.

ICMP flood:

An attacker floods a target with malicious Internet Control Messaging Protocol packets. Many types of this attack exist, with one popular example being the ping flood. In a ping flood attack, an exorbitant amount of ping requests get sent to the target. Since ping is a legitimate request, the target server responds to each and every ICMP echo request. Eventually, the flood from the botnet becomes too much and the server is no longer able to communicate or receive new requests.

SYN flood:

The TCP/IP protocol requires a three-way handshake to complete a connection with a device. The Syn-Syn/Ack-Ack connection allows for fewer DDoS opportunities than, say, the UDP protocol, which requires no handshake. This does not mean, however, that it is free from exploiting. In an SYN flood DDoS, the botnet keeps sending the first SYN message over and over, forcing the server to restart the handshake until it is no longer able to handle it. The attack targets all open ports.

Slowloris:

Named after the adorable Asian primate, this attack utilizes the old adage of “slow and steady wins the race.” Instead of overloading a target with as much traffic as possible in a short period, the Slowloris attack uses the botnet in an ingenious manner. It will have all machines send partial HTTP requests, which over time, eventually cause the targeted server to fill its connection pool. This blocks any legitimate users from connecting. Learn more about Slowloris Attack

DDoS Attack Process

All DDoS attacks generally follow the same process. To get a better look into an attacker’s mindset, it will be useful to list this process out.

Threat actor finds the domain or IP address of the target they want to DDoS.
Either through infection, exploiting vulnerabilities, or rental on the dark web, an attacker gains control of a powerful botnet.
Weighing their options and plan of attack, the threat actor begins commanding the botnet to execute the DDoS via their C2 server.
If the attacked target does not have any DDoS mitigation strategies, or if they do but they prove ineffective, the target begins experiencing disruptions.
Eventually, the target cannot handle the flood of traffic and is overloaded.
The DDoS attack continues as long as the attacker wills it, or alternatively, DDoS protections finally kick in and block the endpoints of attack.
DDoS is then reported to relevant authorities who try to ascertain the location and identity of the attacker. Sometimes they are caught, and sometimes they walk away scot-free if they can prevent creating a digital footprint.

DDoS Mitigation Strategies

Preventing attacks against yourself is a multi-faceted affair. The first line of defense you should employ is a strong firewall. Some DDoS attacks target specific ports that, if a firewall is configured properly, the packets sent during the attack will not reach your router. While firewalls are a good start, they are not the end of the story as many DDoS attacks bypass Intrusion Detection Systems. Depending on the individual attacking you, they may be a script kiddie or somebody that has actual technical knowledge. Don’t assume they are going to be the former.

Some specialized DDoS attacks, like NTP amplification, will require specific configurations to create a proper defense. The “monlist” command is key to exploiting an NTP server. Depending on the server used, it is possible to install a patch that disables the “monlist” command. The tricky thing with this is that the patch must be 4.2.7 or above. There are many NTP servers that are legacy servers and cannot support this patch. As such, there is another workaround that must be implemented for mitigation. On a public-facing NTP server, US-CERT recommends legacy systems input the “noquery” command to the “restrict default” system configuration. If executed properly, it will disable the “monlist” command.

No matter what DDoS attack is being faced, large organizations should consider using third-party DDoS mitigation service. Whether you are a nation-state, a multinational corporation, or some other major entity, this is a vital part of a holistic defense. These services can handle major attacks as they have the server space to contain and break up the packets before they can reach the intended target. These “always on” protection services are not cheap, though, which is why using them is only recommended for the largest of companies (or if you have money to burn).

For routers belonging to a Local Area Network (LAN), your static IP address will be the most likely reason you get DDoS’d. To prevent your true IP address from being used against you, a Virtual Private Network (VPN) is your best bet. A good VPN encrypts your connection and hides your IP behind the IP address of the server. As a result, it is impossible for an attacker to find a vector to assault you with.

With PureVPN, you are given a cost-effective option of preventing a DDoS attack. With a network of over 6500+ global servers in 78 plus countries, AES 256-bit encryption, every protocol supported, and much more, PureVPN has your back against cybercriminals. PureVPN prevents WebRTC leaks, DNS leaks, and IPv6 leaks, so you can be sure that no attacker will ever find the data necessary to attack with.

Get PureVPN 31-Day Money-Back Guarantee

In Conclusion

In closing, consider these words on DoS and DDoS protection from professors Qijun Giu and Peng Liu (as written in an extensive research paper on the topic):

“DoS attackers exploit flaws in protocols and systems to deny access of target services. Attackers also control a large number of compromised hosts to launch DDoS attacks. Simply securing servers are no longer enough to make service available under attack, since DoS attack techniques are more complicated and many unwitting hosts are involved in DoS attacks… For defenders, it is difficult to decide whether a packet is spoofed, to prevent a host from being compromised and controlled, to ask upstream routers to filter unwanted traffic, and to keep defenders themselves from DoS attacks… DoS attacks in wireless networks extend to the scope not viable on the Internet. The existing defense approaches illustrate that security countermeasures should be studied and incorporated into wireless protocols at lower layers, and mobile hosts should actively and collaboratively participate in protecting their wireless networks.”

Denial-of-Service and Distributed-Denial-of-Service attacks will continue to evolve. There is no stopping that. As technology inevitably marches forward, security solutions must also stay in lock-step with that progress. It is something that will require the actions of not only InfoSec professionals, but regular citizens as well. All of us must hold ourselves accountable for preventing these types of attacks. Fighting infections that can cause botnets, increasing server protections, avoiding social engineering traps, and anything else that can cause DDoS attacks to evolve.

It will take all of us. Together. Believe this much, here at PureVPN, we are here to help.

Cookie	Duration	Description
__stripe_mid	1 year	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid	30 minutes	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
Affiliate ID	3 months	Affiliate ID cookie
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
Data 1	3 months
Data 2	3 months	Data 2
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
woocommerce_cart_hash	session	This cookie is set by WooCommerce. The cookie helps WooCommerce determine when cart contents/data changes.
XSRF-TOKEN	session	The cookie is set by Wix website building platform on Wix website. The cookie is used for security purposes.

Cookie	Duration	Description
__lc_cid	2 years	This is an essential cookie for the website live chat box to function properly.
__lc_cst	2 years	This cookie is used for the website live chat box to function properly.
__lc2_cid	2 years	This cookie is used to enable the website live chat-box function. It is used to reconnect the customer with the last agent with whom the customer had chatted.
__lc2_cst	2 years	This cookie is necessary to enable the website live chat-box function. It is used to distinguish different users using live chat at different times that is to reconnect the last agent with whom the customer had chatted.
__oauth_redirect_detector		This cookie is used to recognize the visitors using live chat at different times inorder to optimize the chat-box functionality.
Affiliate ID	3 months	Affiliate ID cookie
Data 1	3 months
Data 2	3 months	Data 2
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_J2RWQBT0P2	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_12584548_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_UA-12584548-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
_hjIncludedInSessionSample	2 minutes	No description available.
_hjTLDTest	session	No description available.
PAPVisitorId	1 year	This cookie is set by the Post Affiliate Pro.This cookie is used to store the visitor ID which helps in tracking the affiliate.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_app_session	1 month	No description available.
_dc_gtm_UA-12584548-1	1 minute	No description
_gfpc	session	No description available.
71cfb2288d832330cf35a9f9060f8d69	session	No description
cli_bypass	3 months	No description
CONSENT	16 years 6 months 13 days 18 hours	No description
gtm-session-start	2 hours	No description available.
isoCode	1 month	No description available.
L-k26wU	1 day	No description
L-KVHA4	1 day	No description
m	2 years	No description available.
newVisitorId	3 months	No description
owner_token	1 day	No description available.
PP-k26wU	1 hour	No description
PP-KVHA4	1 hour	No description
RL-k26wU	1 day	No description
RL-KVHA4	1 day	No description
wisepops	2 years	No description available.
wisepops_session	session	No description available.
wisepops_visits	2 years	No description available.
woocommerce_items_in_cart	session	No description available.
wp_woocommerce_session_1b44ba63fbc929b5c862fc58a81dbb22	2 days	No description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.