County Innovation Network (COIN)

Guest Editorial

Cybersecurity: Distributed Denial of Services (DDoS) Attacks

By: Jerryl Guy, CISSP, MCSE, IT Manager at National Association of Counties


A denial of service (DoS) attack is a malicious attempt to prevent a computer system from providing the service for which it was intended. A distributed denial of service (DDoS) attack is a common form of DoS attack in which many computer systems attack a single target at the same time. The terms DoS and DDoS are sometimes used interchangeably because most DoS attacks seen today are of the DDoS variety. Attackers often prefer DDoS because traffic from many systems adds up to a larger, more effective attack, and one that is harder to block by simply filtering a single source address. This brief provides an overview of DDoS attacks and highlights a few methods for defending against them.

How does it work?
DDoS generally works by sending very large numbers of simultaneous requests to the targeted system, with the intent of exhausting the target's resources (network bandwidth, connection tables, memory, processor time) so that it can no longer serve legitimate customers. This usually requires the attacker to first compromise and take control of many computers, installing malicious programs designed to take part in a coordinated attack on the target when commanded.

The collection of commandeered computers used in a DDoS attack forms a nefarious network called a botnet. The term botnet stems from the terms bot and network, where a bot (short for robot) is an automated program; in this context, one that runs on a compromised computer and carries out the attacker's orders. Bots are usually spread from computer to computer in the same ways as viruses and other malware, including email attachments, downloads from infected websites, and similar means.

Anatomy of a DDoS Attack
One well-known attack is called the Ping of Death. Ping is actually a legitimate network diagnostic tool that sends small data packets (ICMP echo requests) from one computer to another and waits for replies. Network standards limit how large a packet may be and how a packet that has been split into pieces (fragments) must fit back together. In a Ping of Death attack, those standards are violated on purpose: the attacker sends a ping broken into fragments that, when reassembled, exceed the maximum legal packet size. A system that does not check for this can crash or hang while reassembling it. Strictly speaking this is a DoS rather than a DDoS attack, since a single malformed packet is enough and no botnet is needed, and modern operating systems have long been patched against it. It still illustrates the general pattern: packets that violate protocol rules force the target to spend resources, or fail outright, instead of serving real users.

Other Types of DDoS attacks include:

  • SYN Flood: The attacker bombards the target with requests to open TCP connections (SYN packets) but never completes the handshake, often using forged source addresses so the target's replies go nowhere. Each half-open connection occupies an entry in a table of limited size; once the table fills, the system cannot accept new connections from legitimate users, and some systems slow down or crash under the load.
  • UDP Flood: The attacker floods the target's ports (numbered points of entry to a computer system) with UDP packets, often aimed at random port numbers. For each packet the target checks whether an application is listening on that port and, when none is, sends back an error packet. At high volume this checking and replying overwhelms the target.
  • Reflection (spoofed) attack: The attacker sends requests to a vast number of third-party servers with the source address forged to be that of the target. Those servers all send their responses to the target, which can overwhelm and crash it. When the responses are much larger than the requests, as with certain DNS and NTP queries, this is also called an amplification attack.
  • Zero-day DDoS attack: Attackers exploit newly discovered, unpatched vulnerabilities in the target system that can crash or stall it, so that even a modest amount of traffic can do damage.
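As an added illustration of the three flood patterns above (SYN flood, UDP flood and reflection), the following Python script, which is not part of the original editorial, classifies a batch of simplified packet summaries and reports which pattern each one matches. The traffic it inspects is constructed inline, the victim address 203.0.113.10 is taken from the documentation range, and the thresholds are assumptions chosen for the example, not tuned values from any real network.

```python
from collections import defaultdict

TARGET = "203.0.113.10"  # assumed victim address (RFC 5737 documentation range)
# UDP services commonly abused as reflectors: DNS, NTP, SSDP, memcached.
REFLECTOR_PORTS = {53, 123, 1900, 11211}


def synthetic_traffic():
    """Constructed packet summaries: (src, dst, proto, sport, dport, flags)."""
    pkts = []
    # A legitimate client completes the TCP handshake on port 443.
    pkts.append(("198.51.100.5", TARGET, "tcp", 40000, 443, "S"))
    pkts.append(("198.51.100.5", TARGET, "tcp", 40000, 443, "A"))
    # The target sends one real DNS query and receives the matching answer.
    pkts.append((TARGET, "198.51.100.9", "udp", 50000, 53, ""))
    pkts.append(("198.51.100.9", TARGET, "udp", 53, 50000, ""))
    # SYN flood: 200 SYNs from many (spoofed) sources, never acknowledged.
    for i in range(200):
        pkts.append((f"192.0.2.{i % 250 + 1}", TARGET, "tcp", 1024 + i, 443, "S"))
    # Reflection: 60 DNS "answers" to queries the target never sent.
    for i in range(60):
        pkts.append((f"198.51.100.{100 + i % 50}", TARGET, "udp", 53, 33000 + i, ""))
    # UDP flood: one source sprays 80 packets at 80 different closed ports.
    for i in range(80):
        pkts.append(("192.0.2.250", TARGET, "udp", 5000 + i, 40000 + i, ""))
    return pkts


def analyze(pkts, syn_threshold=100, reflect_threshold=20, udp_threshold=50):
    """Count half-open TCP connections, unsolicited reflector replies and
    port-spraying UDP sources, and compare each against an assumed threshold."""
    half_open = {}              # (src, sport) stays here until an ACK completes it
    expected = set()            # (responder_ip, responder_port, our_port) we asked for
    unsolicited = 0
    udp_ports_per_src = defaultdict(set)

    for src, dst, proto, sport, dport, flags in pkts:
        if src == TARGET and proto == "udp":
            # Outbound query: remember who is allowed to answer, and on which port.
            expected.add((dst, dport, sport))
            continue
        if dst != TARGET:
            continue
        if proto == "tcp":
            key = (src, sport)
            if "S" in flags and "A" not in flags:
                half_open[key] = True
            elif "A" in flags:
                half_open.pop(key, None)
        elif proto == "udp":
            if sport in REFLECTOR_PORTS:
                # A reply from a reflector port that matches no query of ours.
                if (src, sport, dport) not in expected:
                    unsolicited += 1
            else:
                udp_ports_per_src[src].add(dport)

    flood_sources = sorted(
        s for s, ports in udp_ports_per_src.items() if len(ports) >= udp_threshold
    )
    return {
        "half_open": len(half_open),
        "syn_flood": len(half_open) >= syn_threshold,
        "unsolicited_reflections": unsolicited,
        "reflection": unsolicited >= reflect_threshold,
        "udp_flood_sources": flood_sources,
    }


if __name__ == "__main__":
    for name, value in analyze(synthetic_traffic()).items():
        print(f"{name}: {value}")
```

The legitimate handshake and the genuine DNS answer are not counted, which is the point: a SYN that is later acknowledged, or a reflector reply that matches a query the target actually sent, is normal traffic, and only the unmatched leftovers indicate an attack.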

Why do DDoS attacks occur?
DDoS attacks occur largely for the same reasons that other types of cyber attacks are perpetrated. Many attackers do it simply for bragging rights within their hacking communities. Other motives include:

  • To prevent the availability of the service provided by the targeted system
  • For profit by driving business to a competing website
  • Hostility towards the target for philosophical or personal reasons
  • Social activism, often referred to as hacktivism
  • Financial blackmail, where attackers demand a ransom to stop an attack that is under way, or to call off one they threaten to launch

What is at risk?
Any system that is connected to the Internet is essentially at risk of a DDoS attack. Websites, which are one of the most visible parts of an organization's online presence, are very tempting targets for attackers. For example, e-commerce websites are often targeted since their disruption can bring an entire online business operation to a halt. Many other computerized systems, including those that manage public utilities and critical infrastructure and those that perform other major governmental and business functions, can become prey.

These attacks can target many system components including:

  • Servers
  • Network Bandwidth
  • Specific Applications
  • Firewalls
  • Load Balancers
  • Specific components and functions

The Cost of a DDoS Attack
A recent example of the potential damage of DDoS attacks was seen in the attack on a major Bitcoin currency exchange. This attack, which occurred in February 2014, caused significant disruption to the exchange, leading to many incomplete and inaccurate trades, and largely brought trading activity to a halt. Reports from Forbes Magazine indicate that Bitcoin lost nearly 30 percent of its value in a matter of days as a direct result of this attack. Some sources indicate that the total loss in value topped 300 million dollars.

Preventing a DDoS Attack
The list of actions that can be taken to reduce the likelihood and impact of a DDoS is long. Here is just a short, basic list:

  • Create a DDoS response plan that clearly details what steps should be taken in the event of a DDoS attack.
  • Perform the required analyses to make sure the cyber staff has a good understanding of your business and what normal traffic looks like: typical request volumes by time of day, the usual mix of sources and protocols, and the services that are supposed to be exposed. With that baseline in hand, anomalies and malicious traffic are much easier to recognize.
  • Have an automated on-premise or cloud-based, multi-threat DDoS prevention system in place to stand between your systems and the Internet.
  • Domain Name System (DNS) servers must be protected, since a DDoS attack against them can end an organization's Internet presence even when the web servers themselves are healthy. (DNS is the Internet naming system that translates easily recognizable names like www.DHS.gov into the numeric addresses computers actually use to reach each other.)
  • Understand your internal capabilities and seek the tools and expertise that you do not possess. Proactively engaging your ISP is a good option, since it stands between you and the cyber world and usually has the tools needed to absorb or filter attack traffic before it reaches you.
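The second item in that list, knowing what normal traffic looks like so that anomalies stand out, can be reduced to a concrete check. The following Python snippet is an added example and not part of the original editorial: it computes a baseline from constructed per-minute request counts for a normal hour, derives a threshold from that baseline, and flags the minutes in a later hour that exceed it. The counts, the multiplier k and the minimum ratio are assumptions made for the example; a real deployment would build its baseline from weeks of the site's own logs.

```python
import statistics


def normal_hour():
    """Constructed per-minute request counts for a quiet hour: 100 to 130 req/min."""
    return [100 + (i * 7) % 31 for i in range(60)]


def observed_hour():
    """Constructed hour: mostly normal, a small legitimate bump at minutes 30 and 31,
    then three minutes of flood-level traffic at 32, 33 and 34."""
    base = normal_hour()
    return base[:30] + [140, 150] + [4000, 6500, 5200] + base[35:]


def baseline_stats(history):
    """Mean and (population) standard deviation of the baseline counts."""
    return statistics.fmean(history), statistics.pstdev(history)


def anomaly_threshold(history, k=3.0, min_ratio=2.0):
    """A minute is anomalous if it exceeds mean + k*stdev, but never for less
    than min_ratio times the mean, so a very flat baseline does not trip on a
    modest, legitimate increase in traffic."""
    mean, stdev = baseline_stats(history)
    return max(mean + k * stdev, mean * min_ratio)


def flag_anomalies(counts, history, k=3.0, min_ratio=2.0):
    """Return the indices (minutes) whose request count exceeds the threshold."""
    threshold = anomaly_threshold(history, k, min_ratio)
    return [i for i, c in enumerate(counts) if c > threshold]


if __name__ == "__main__":
    history = normal_hour()
    print(f"baseline mean/stdev: {baseline_stats(history)}")
    print(f"threshold: {anomaly_threshold(history):.1f} req/min")
    print(f"anomalous minutes: {flag_anomalies(observed_hour(), history)}")
```

Minutes 30 and 31, where traffic rises to 140 and 150 requests, stay below the threshold and are not reported; only the three flood minutes are. That distinction is exactly what the baseline buys you: a threshold derived from your own normal traffic, rather than a number picked in the abstract, separates a busy day from an attack.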

Most DDoS attacks are directed at businesses and large organizations. However, anyone can be the victim of an attack. If an individual has any reason to believe that he or she is the victim of a DDoS, this document can be a valuable resource to help protect oneself and one's organization. If this document does not provide the confidence to defend against DDoS attacks, one should seek assistance from one's ISP or another competent, trusted technology service. Individuals are their own main source of online protection, so it is imperative that they remain vigilant to stay safe online.
