In this piece, we’ll use a plain example to illustrate the existing types of DDoS attacks, and how businesses try to fend them off.
DDoS is a type of internet attack capable of disrupting anything from a phone booth to the Pentagon for those unfamiliar with the subject. A total of 5,351,930 DDoS attacks were recorded in Q1 2021 alone. The average attack duration was 50 minutes, representing a 31% increase.
Network engineers (like ourselves) and security engineers are responsible for defending against such attacks. Our company is mainly a developer of apps for entertainment. Until recently, there was simply no need for network expertise as such in the company.
It was some coincidence that right before my first working day, the company had been subjected to a tsunami DDoS attack (evidently as a result of some people fighting in the meme comments).
Even more surprising was the fact that the team managed to deflect the blow without any third-party assistance despite lacking any real expertise in resisting attacks like these. Regardless, we had to jump in and investigate what had happened and how to prevent it from occurring again.
At some point in my web research, I realized there was no single resource that presented the subject in plain terms. Most articles are published by businesses trying to sell their DDoS protection services, so the material is promotional rather than educational in nature. I started focusing on selecting a suitable DDoS protection solution, refreshing what we already knew on the subject. We figured it would make sense for me to collate all materials within a single text, add some expertise of my own, and post the whole thing as an article on the web.
So, here we go…
The first thing to know and accept as axiomatic is that there is no defense against DDoS attacks. If necessary, provided that sufficient resources are available, a malicious actor will be able to harm even well-protected, geo-distributed infrastructure, such as those operated by the major cloud providers: Amazon, Azure, and the like.
If we want to build a defense against DDoS attacks, we must prepare ourselves for the eventuality that, if we get targeted by a malicious actor in earnest, we may have to build up our defenses ceaselessly, until they start costing us ten times more than what the attacks cost any actor that targets us. Not to mention that it would take the malicious actor only a couple of clicks to scale up their attack.
If you have the resolve to fight it out, somewhere down the line, you may discover that the reputational and financial losses you suffer in consequence of an attack end up costing you less than your defenses and the constant strengthening thereof. Large hacking groups exist that attack major enterprises only to extort money in exchange for stopping the attack.
And if you Google “order a DDoS attack,” you’ll be surprised how easy it is to find the service you are looking for. Websites offering these kinds of services disguise themselves as legal providers of “website and service security testing for the benefit of their administrators.” Sounds legit. And it only costs $50 to $100 bucks (in fact, even more, inexpensive deals can be found on the darknet).
It would seem that if things are so bad that any school kid can order up a DDoS attack with their lunch money, there is nothing businesses can do about it. But we don’t think so!
Let’s see what we are trying to defend ourselves against and how.
First off, let’s agree that network engineers follow a specific network model to achieve the most rational network architecture possible.
This network model has four layers.
Each layer is fitted with its own set of equipment with varying functionality and capabilities: from the most basic units, the sole purpose is to transmit as much data as possible per second (switches) to susceptible data verification systems.
The higher the equipment is positioned in the hierarchy, the more sophisticated the technology will be, and the more intricate the algorithms on which it operates will be.
In terms of anti-DDoS protection, this means that each layer neutralizes its share of the threat until the eventual complete suppression thereof.
Let’s imagine we are building a house, but we know we cannot link it to the centralized water supply. What are we going to do?
(1) Figure out how much water the household will need, drill a well of the correct depth and width, and run pipes of the appropriate diameter into the house. In the parlance of a network engineer, this phase is called the Link Layer, or simply “Wires.”
(2) Install a primary filter and a pump. Let’s call this the Internet Layer (Routers)
(3) Install an intermediate filter: Transport Layer (Firewalls)
(4) Install a fine filter: Application Layer — Smart Firewalls — Next-Gen Firewall, and the specialized Web Application Firewall
Let’s take a quick look at these layers to see where we have potential bottlenecks.
ATTACKS ON THE LINK LAYER
In the most basic scenario for our house metaphor, a DDoS attack would be impersonated by an increase in the underground water pressure whereby more water gets pushed towards the surface, raising the internal pressure in the pipes and joints so that the pipes may eventually burst. The water would remain clean through all of this, except we would not use it because of the pressure (unless we are firefighters).
Something similar can happen when you are at home with your family or friends in the real world. Someone starts downloading a movie, and suddenly everyone starts complaining about the internet being too slow. This is called “line congestion.”
The first and simplest DDoS attack did just that.
The same thing happens when malicious actors attack large data centers. The difference is that, in this case, you cannot yell at the person who has decided to download stuff because the overloaded agent may be at the North Pole, for all you know.
Going back to our metaphor, we have to enlarge the well and replace the pipes to let through an increased volume of water under pressure.
Problems may arise already at this stage because home routers with 1,000 Mb connectors start from the US $100 as opposed to the US $30 ones with 100 Mb connectors, while similar equipment used in data centers costs between 100 and 1,000 times more. But let’s assume we have unlimited financial means to build up our pipes’ durability and throughput capacity to infinity. What next?
ATTACKS ON THE NETWORK LAYER
Now we discover that the water that rises from the well under pressure contains:
We activate the first of the filters we need to install to remove all this pollution.
But whereas before, the task was to ensure the required throughput capacity of the pipes. The challenge now is to filter off the pollution rising with the water.
At this stage, the white and black lists play the security role of such a filter.
The blacklists usually contain the IP addresses or entire pools of IP addresses that have been compromised on the web (after being used for spam mailing or the launch of DDoS attacks — these addresses are updated all the time).
But this is not as easy as it may seem: the blacklists will not always work. The malicious agent may supplant their IP address with any other internet user in the “Sender” box. In this case:
(a) The malicious agent will be more challenging to track down.
(b) The malicious agent can step up the attack by telling their botnet — a multitude of infected computers and IoT devices — to send out requests sized 64 bytes each to any online resource. In response to each botnet request, the resource server will return replies sized 300 bytes each, targeting the DDoS attack victim. When this back-and-forth snowballs to tens of thousands of requests per second from entirely different servers, we get our basic DDoS attack, like the one described above. To draw an analogy, the mounting of the attack is achieved by asking someone to “say a few words about themselves” and getting upwards of 40 words in the reply. This method of maxing out an attack is called amplification.
Thus far, we have only expanded our pipes and installed the first filter out of three. We taste the water only to realize that we must spend more and get another filter with a more delicate processing action.
ATTACKS ON THE TRANSPORT LAYER
Now we have come to address what is probably the worst bottleneck most susceptible to DDoS attacks: the second filter, which would typically mollify our water and purge heavy metals out of it.
In the network world, this is where most fighting takes place over processor resources and firewall and server memory and where the most sophisticated network solutions are deployed to filter and separate legitimate traffic from malicious traffic during DDoS attacks.
Any lists would be powerless here: we have already used up our lists. From this point on, everything we receive is supposed to be coming from legitimate internet users. The other, self-evident reason why the lists are redundant now is that any given IP address may stand for not one but dozens of users and hundreds of devices, only one of which is infected.
Imagine that you have opened an awful lot of tabs in your browser… okay?
Now multiply these tabs by ten. You don’t need much technical expertise to figure out what would happen to your PC: it would either lapse to the blue “screen of death” or freeze hard.
Now think about what will happen when the server, which is essentially a computer, starts getting an avalanche (say, a million or more per second) of requests for one of the pages stored on it. Each request has to be processed, and the contents of the website returned to the requester.
This is a DDoS attack wherein only 10,000 requests will be bona fide. Our task is to set up a good protection system to filter out the bulk of the malicious traffic.
Before setting up such a system for this layer, it is essential to delve deeper into the technical aspects of data transmission on the internet.
The Transmission Control Protocol or TCP is a technology that comes with embedded solutions to coordinate connection and make sure all data has been delivered, any missing packets have been resent, and the exchange has ended in a proper act of connection termination.
The TCP connection control method is called a Three-Way HandShake: the data sharing will not commence until your computer, and the server have exchanged three data packets, which means they have “shaken hands.”
It is a full-duplex (two-way) connection in which both sides synchronize (SYN) and acknowledge (ACK) each other.
Once your computer and the server have exchanged the three packets (SYN SYN-ACK and ACK) and a connection has been established, the data sharing (e.g., the loading of a website page) will commence.
This flowchart is sufficient for us to understand that the client and the server have to know each other’s IP addresses to “shake hands.” This means that no malicious agent would be able to pull off the kind of sender’s address substitution mentioned earlier.
But this is not to say that a DDoS attack would be impossible: when a sender address is substituted, we get what we call a TCP Half Open.
We get requests to establish a connection, we reply, but we never receive the last packet (ACK). This clogs our server’s resources in that it has to store the connection data in its memory pending an answer that will never come, which puts a strain on our servers.
The figure below shows the flow chart of such an attack.
ATTACKS ON THE APPLICATION LAYER AND DEFENSE AGAINST THEM
Now we come to the final filter, which would be the one responsible for removing chlorine, extraneous odors, and pesticides from the water in real life.
Suppose there is a drain dumping chemical waste into the river one kilometer upstream from where you live, polluting the underground waters. Since no standard water filter would be of any use, you call a professional, a chemistry expert, to take soil and water samples on your property. It will take an itinerary of lab tests to devise a solution that will meet your specific needs.
A multitude of different attacks can happen, targeting all kinds of vulnerabilities. It is no secret that the attacks evolve with the defenses, becoming ever more sophisticated, so the means of detection and counteraction have to be constantly upgraded.
Attacks on this layer are not as frequent as those targeting the three layers described above precisely because they require a more nuanced approach from the malicious agent.
No address substitution is possible here: the handshake process has to be completed before any request can be sent and an attack launched on the targeted website.
The bots deployed for the attack have to possess the Full Browser Stack, which means they cannot simply send random requests but imitate a genuine client browser.
Now let’s see how an attack happens on this layer:
Think of a regular night at home, when all the chores have been done. You go to your favorite online theater website, hit the search bar, select “comedy” and “not previously viewed,” and set a filter to sort by ranking. Then you leaf through pages of films, opening the ones you like in separate tabs. Fifteen to thirty minutes later, you make up your mind about the movie you wish to watch and proceed to watch it.
Unlike you, a malicious agent will sic its botnet on the same website to overload it by opening different pages and sections at random and confusing the search engine by setting multiple search parameters.
To get into the server’s shoes, compare how hard it is to answer these two different questions: name the most popular jailbreak movie you know, and name all jailbreak movies you know. The processes in your head are similar to those occurring on the server that hosts your favorite movie search website. The website can get exhausted too, you know, so go easy on it.
The tech team supporting such a website or app ought to train the Web Application Firewall, with the aid of machine learning, so well that it can sort through the 100,000 or so requests that have made it past the filters, separating bona fide content seekers from ill-intentioned website-resource wasters by behavior alone.
It is interesting to note that this layer’s equipment has a learning capability. We place it on the route between the user and the website to observe what goes on simply. After a time, the equipment will come up with the appropriate procedures on its own. However, this method has its downside, and many people prefer not to entrust security matters to the machine.
One way or another, the thing to bear in mind is that if and when a relatively sizeable DDoS attack does happen, it will be like a tsunami that will leave nothing of your defenses, your house, your neighbor’s house, the nearest town, or even the chemical factory that used to bother you.
Your only salvation when this happens is to evacuate as urgently as you can:
(1) Temporarily migrate all infrastructure to the cloud according to a pre-tested action plan, which is what FunCorp did.
(2) as an alternative, use Project Shield, the free Google facility offering a safe haven to those subjected to a censorship storm in the form of a DDoS attack on their resources.
It would be my pleasure to inform you that things will get better with DDoS attacks, but to my regret, there are no signs of this happening any time soon. On the contrary, too many factors augur the reverse.
It is easy to see that the cost of a DDoS attack is unlikely to change much, while their scale and the cost and complexity of infrastructural defenses are guaranteed to rise.
We must not entertain the illusion that the advent of gigabit internet to every home and every mobile gadget with the arrival of the 5G (and its successor 6G, which is already in the works) will improve anything in this regard.
You can see hundreds of connected devices around you anywhere you look: from cell phones and toasters to lathes and motor vehicles. Each of them could be part of one or several botnets.
Wrapping up, there isn’t much to add. The only way we can change the situation globally is by doing our due diligence on digital hygiene. Do not fail to run antivirus software on your home and work devices, update your routers and firewalls regularly, and keep up the hope that your neighbor will do likewise. Better yet, remind your neighbor to do all of this, and teach them if they don’t know-how.
The old commandment is as relevant as ever: “If you wish to change the world, start by changing yourself.” In this case, we’re about a whole new digital world.