What Is DDoS And Why Your Servers Need Protection
I blog about security and hacking all the time. Information security is super interesting to me, but also, I need to be on top of the latest cyber security news and happenings so I can help protect our clients. But it’s just as important for everyone to have an awareness of cyber security risks and attacks. That’s why we’re starting a series of blog posts on specific attacks today. This week, we’re covering Distributed Denial of Service, or DDoS.
What Is DDoS?
Distributed Denial of Service, DDoS, is an attack designed to stop legitimate users from accessing a resource on the Internet. Attackers do that by overwhelming servers with illegitimate requests. In plain English: the attacker makes a website so busy answering their requests that it can’t serve up the page to you when you ask for it.
An attacker is not directly able to extract data from the victim’s network by attacking them in this way. However, like most cyber security threats, it can be chained together with other exploits to make the attack more severe.
It’s usually done to prove a point, or simply for bragging rights. If a big online retailer were taken offline because of a DDoS attack, of course that would cause massive losses of revenue, but that is usually secondary to the reputational damage the attackers hope to cause.
The best example of this is when the hacker group Anonymous launched a DDoS attack against Boston Children’s Hospital in 2014. The attack was in opposition to the US state of Massachusetts taking a child called Christina into state care. The Anonymous collective launched an attack on the hospital where Christina was being cared for, taking all of their online services offline. Their demand was to allow Christina to go home to her parents, but ultimately their action was in vain. Still, this is a perfect example of why DDoS attacks are launched against companies and institutions.
How Does It Work?
In a default configuration, a server will try to answer any and all requests which come to it. And that is usually what you want. If 10, 100 or 1 million people want to access your website at the same time, you want your server to try and deliver that content to everyone asking for it. As we described above, every person who can’t get to your service might be a customer lost.
But also by default, a server only has so much capacity to handle requests. Once that capacity has been used up, subsequent requests are ignored, or sometimes queued up.
This is where we get to the Distributed part of the Distributed Denial of Service. DDoS attacks usually come from a botnet. A botnet is a network of computers which run an attacker’s code on demand. The botnet is usually made up of ordinary people’s computers and servers which have been infected with malicious code and so become part of a bad actor’s botnet. The botnet code waits for instructions from the attacker’s server, and when it receives those instructions, it executes them.
So imagine you’re an attacker, and you decide you want to take beatyconsultancy.co.uk offline. You have either created your own botnet, or you have rented some time on one (yep, that’s a thing). You send an instruction to all the bots: at 10:00 GMT exactly, every one of you request the beatyconsultancy.co.uk web page, and keep refreshing it for 1 hour. So at 10:00 exactly, our web servers receive 4 million requests per second, and the site goes offline to everyone else, because it’s too busy trying to serve the requests from the bots.
Now in actuality, we have DDoS protection, as you would expect from us, but that’s a fair description of how the attack works nonetheless.
And it gets worse! What we described here gives one response for every request we send in. So we need lots of computers to send lots of requests to generate enough load to take a service offline. But what if you could generate 3 or more responses for every request you send to the server? Your attack would be 3 or more times more powerful, right?
Yep, that’s exactly right – and so that’s how most modern and sophisticated DDoS attacks work. And that’s what happened to AWS a few weeks ago.
But all hope is not lost! DDoS attacks have a pretty noticeable pattern, so it can be fairly easy to spot if you know what you’re looking for.
A Web Application Firewall, or WAF, like AWS WAF, is a service which examines all the requests coming in from the Internet asking for service from your servers. The WAF is constantly updated with definitions of new attacks, a lot like how antivirus programs work. If the WAF notices a pattern of requests which looks like a known attack, such as a DDoS attack, it can block those requests from getting to your servers. That means legitimate users are still able to access your services, while the bad actors are blocked before they even hit your server.
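As an added illustration of the kind of pattern a rate-based WAF rule looks for (example code written for this post, not AWS WAF’s own logic), the Python below parses a constructed, hypothetical request log in which three bot addresses start hammering the front page at the same second, as in the 10:00 scenario above, and drops requests from any source that exceeds a per-window limit while ordinary visitors pass through untouched.

```python
import re
from collections import defaultdict, deque

# Hypothetical log format for this example: "<ip> <epoch_seconds> <method> <path>"
LINE_RE = re.compile(r"^(\S+) (\d+) (GET|POST) (\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, int(ts), method, path

def rate_limit(lines, window_seconds=5, threshold=100):
    """Sliding-window rate check per source IP (lines must be in time order).
    Once a source has `threshold` counted requests inside the last
    `window_seconds`, further requests are blocked until old ones expire.
    Returns (allowed_lines, blocked_count_per_ip)."""
    recent = defaultdict(deque)  # ip -> timestamps of counted requests
    allowed, blocked = [], defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash
        ip, ts, _, _ = parsed
        q = recent[ip]
        while q and q[0] <= ts - window_seconds:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) >= threshold:
            blocked[ip] += 1  # over the limit: never reaches the server
            continue
        q.append(ts)
        allowed.append(line)
    return allowed, dict(blocked)

def build_sample_log():
    """Constructed traffic (RFC 5737 test addresses): two ordinary visitors
    browsing slowly, and three bots each sending 40 requests/second for
    the front page from second 10 onwards, standing in for 10:00 GMT."""
    lines, start = [], 1_000_000
    for sec in range(20):
        if sec % 4 == 0:
            lines.append(f"198.51.100.7 {start + sec} GET /about")
        if sec % 7 == 0:
            lines.append(f"198.51.100.9 {start + sec} GET /")
        if sec >= 10:
            for bot in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
                lines.extend(f"{bot} {start + sec} GET /" for _ in range(40))
    return lines
```

With the defaults (100 requests per 5 seconds), each bot gets exactly 200 of its 400 requests through and 200 blocked, while all 8 visitor requests are allowed.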
You can also route your traffic through a content distribution network like CloudFlare, to use their DDoS protection service.
So now you know how DDoS works, why you need protection from it, and how to go about it. As always, if it’s something you could do with help to deploy, just get in touch!