DDos Quick Start Guide

In this guide we will examine the most common types of DDoS attacks, how they are performed and how they can be prevented.

Denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service (DDoS) attack, the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

The hack is done through the master computer system that communicates with, sometimes as many as hundreds of thousands, controlled end user machines. These machines, known as zombies or bots, follow the instruction from the master system and massively launch packets at the targeted site to overwhelm the targeted machine and stop it from functioning.

The usual targets for DoS or DDoS attacks typically include websites hosted on high-profile web servers (such as credit card payment gateways, banks, government bodies) and most commonly, the target machine is so overwhelmed with external communication requests that it can either respond too slow, or not at all, and is considered effectively – unavailable.

Even if such denial-of-service occurs for only a few hours, it almost always implies a significant loss of revenue for the targeted host.

DoS and DDoS attacks present a major challenge for businesses, and even governments, since they can bring websites down and make information unavailable for users.

The United States Computer Emergency Readiness Team (US-CERT) has identified symptoms of a denial-of-service attack to include:

  • unusually slow network performance (opening files or accessing web sites)
  • unavailability of a particular web site
  • inability to access any web site
  • dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb).

Attack possibilities by OSI layer

DDoS attacks can target one of the seven OSI layers. Open Systems Interconnection (OSI) model is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.

Diagram illustrating the 7 layers of the OSI model for data transmission.
Image source

Let’s examine DDoS attacks by each layer.

Application Layer (7)

A Layer 7 DDoS attack is an attack structured to overload specific elements of an application server infrastructure.

Layer 7 attacks are especially complex, stealthy, and difficult to detect because they resemble legitimate website traffic. Even simple Layer 7 attacks–for example those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites–can critically overload CPUs and databases. Also, DDoS attackers can randomize or repeatedly change the signatures of a Layer 7 attack, making it more difficult to detect and mitigate.

Examples of DoS techniques:

  • PDF GET requests,
  • HTTP GET,
  • HTTP POST, = website forms
    (login, uploading photo/video,
    submitting feedback)

Potential impact of DoS attack:

  • Reach resource limits of
    services
  • Resource starvation

Mitigation options

Application monitoring is the practice of monitoring software applications using a dedicated set of algorithms, technologies, and approaches to detect zero day and application layer (Layer 7 attacks). Once identified these attacks can be stopped and traced back to a specific source more easily than other types of DDoS attacks.

Presentation Layer (6)

Examples of DoS techniques:

  • Malformed SSL Requests — Inspecting SSL encryption packets is resource intensive. Attackers use SSL to tunnel HTTP attacks to target the server.

Potential impact of DoS attack:

  • The affected systems could stop accepting SSL connections or automatically restart.

Mitigation options

To mitigate, consider options like offloading the SSL from the origin infrastructure and inspecting the application traffic for signs of attacks traffic or violations of policy at an applications delivery platform (ADP).

A good ADP will also ensure that your traffic is then re-encrypted and forwarded back to the origin infrastructure with unencrypted content only ever residing in protected memory on a secure bastion host.

Session Layer (5)

Examples of DoS techniques:

  • Telnet DDoS-attacker exploits a flaw in a Telnet server software running on the switch, rendering Telnet services unavailable.

Potential impact of DoS attack:

  • Prevents administrator from performing switch management functions.

Mitigation options

Check with your hardware provider to determine if there’s a version update or patch to mitigate the vulnerability.

Transport Layer (4)

Layer 3 and Layer 4 DDoS attacks are types of volumetric DDoS attacks on a network infrastructure. Layer 3 (network layer) and 4 (transport layer) DDoS attacks rely on extremely high volumes (floods) of data to slow down web server performance, consume bandwidth, and eventually degrade access for legitimate users.

These attack types typically include ICMP, SYN, and UDP floods.

Examples of DoS techniques:

  • SYN flood
  • Smurf attack

Potential impact of DoS attack:

  • Reach bandwidth or connection limits of hosts or networking equipment.

Mitigation options

DDoS attack blocking, commonly referred to as blackholing, is a method typically used by ISPs to stop a DDoS attack on one of its customers. This approach to block DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.

Black holding is typically deployed by the ISP to protect other customers on its network from the adverse effects of DDoS attacks such as slow network performance and disrupted service.

Network Layer (3)

Examples of DoS techniques:

  • ICMP Flooding – A Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth

Potential impact of DoS attack:

  • Can affect available network bandwidth and impose extra load on the firewall

Mitigation options

Rate-limit ICMP traffic and prevent the attack from impacting bandwidth and firewall performance.

Examples of DoS techniques:

  • MAC flooding — inundates the network switch with data packets

Potential impact of DoS attack:

  • Disrupts the usual sender to recipient flow of data — blasting across all ports

Mitigation options

Many advances switches can be configured to limit the number of MAC addresses that can be learned on ports connected to end stations; allow discovered MAC addresses to be authenticated against an authentication, authorization and accounting (AAA) server and subsequently filtered.

Physical Layer (1)

Examples of DoS techniques:

  • Physical destruction, obstruction, manipulation, or malfunction of physical assets.

Potential impact of DoS attack:

  • Physical assets will become unresponsive and may need to be repaired to increase availability.

Mitigation options

Practice defense in-depth tactics, use access controls, accountability, and auditing to track and control physical assets.

Possible DDoS traffic types

HTTP Header

HTTP headers are fields which describe which resources are requested, such as URL, a form, JPEG, etc. They also inform the web server what kind of web browser is being used.

Common HTTP headers are GET, POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can insert as many headers as they want and can make them communication specific. DDoS attackers can change these and many other HTTP headers to make it more difficult to identify the attack origin.

In addition, HTTP headers can be designed to manipulate caching and proxy services. For example, is it possible to ask a caching proxy to not cache the information.

SYN Flood (TCP/SYN)

SYN Flood works by establishing half-open connections to a node. When the target receives a SYN packet to an open port, the target will respond with a SYN-ACK and try to establish a connection.

However, during a SYN flood, the three-way handshake never completes because the client never responds to the server’s SYN-ACK. As a result, these “connections” remain in the half-open state until they time out.

UDP Flood

UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.

ICMP Flood

Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany TCP packets when connecting to a sever.

An ICMP flood is a layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.

MAC Flood

A rare attack, in which the attacker sends multiple dummy Ethernet frames, each with a different MAC address, Network switches treat MAC addresses separately, and hence reserve some resources for each request. When all the memory in a switch is used up, it either shuts down or becomes unresponsive.

In a few types of routers, a MAC flood attack may cause these to drop their entire routing table, thus disrupting the whole network under its routing domain.

Mitigating large scale DoS/DDoS attacks

Table comparing firewall and router capabilities and protections.

Some DDoS mitigation actions and hardware:

  • Stateful inspection firewalls
  • Stateful SYN Proxy Mechanisms
  • Limiting the number of SYNs per second per IP
  • Limiting the number of SYNs per second per destination IP
  • Set ICMP flood SCREEN settings (thresholds) in the firewall
  • Set UDP flood SCREEN settings (thresholds) in the firewall
  • Rate limit routers adjacent to the firewall and network

The good news

Although DDoS are becoming more complex and pervasive each year, businesses can mitigate their effects by utilizing a cloud-based DDoS protection service.

By combining the most intelligent DDoS mitigation tools on the planet with an unparalleled monitoring and support apparatus, GlobalDots can eliminate these threats before you and your customers even realize that they’re there.

GlobalDots can help you protect your business from DDoS attacks of any size and intensity. Even with the most complex and sophisticated setups, GlobalDots can provide you with the technology stack that ensures that the most important aspects of your site are always up & running: deliverability, speed, availability, failover and web security (including web application protection, bot protection, DDoS protection and mitigation).

Customers like Lufthansa, Playtika, Trading View, Lamborghini, Bosch, Fiat, Rocket Internet, Benetton, Bulova and other leading brands and small-medium enterprises rely on GlobalDots services to keep their sites and applications fast & secure. Contact us today to help you out with your performance and security needs.

Latest Articles

Three Ways CISOs Can Combat Emerging Threats in 2025

73% of CISOs fear a material cyberattack in the next 12 months, with over three-quarters convinced AI is advancing too quickly for existing methods to combat it. But what can CISOs do to prepare for the coming wave – and access the resources they need to deal with this evolving threat landscape? To find out, […]

11th November, 2024
How Optimizing Kafka Can Save Costs of the Whole System

Kafka is no longer exclusively the domain of high-velocity Big Data use cases. Today, it is utilized on by workloads and companies of all sizes, supporting asynchronous communication between even small groups of microservices.  But this expanded usage has led to problems with cost creep that threaten many companies’ bottom lines. And due to the […]

29th September, 2024
Migrating Volumez RedHat VMs into Amazon Linux 2 for higher effective discounts rate of Saving Plan

A cloud data infrastructure company relied on extensive use of multiple instance types to test its products. But this made it difficult to optimize costs – a fact which had begun to impact their ability to scale the business.   The GlobalDots team helped the company identify and implement a new infrastructure configuration that both saved […]

19th September, 2024
How Yuki Achieved SOC 2 Compliance 6x Faster

Overview A fast-growing Snowflake optimization platform was missing out on customers because they didn’t have the right data security compliance. Through multiple consultations and extensive vendor-testing, the GlobalDots team selected a solution to provide both tech and human support, helping the company achieve SOC 2 compliance within just 3 months – and win new customers […]

16th September, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services