A Denial-of-Service (DoS) attack is an attempt to disrupt the normal functioning of a target system, such as a website or application, making it inaccessible to regular end-users. Typically, attackers generate a large number of packets or requests that ultimately overwhelm the target system. In a Distributed Denial-of-Service (DDoS) attack, the attacker employs multiple compromised or controlled sources.
In general, DDoS attacks can be categorized based on the layer of the Open Systems Interconnection (OSI) model where the attack occurs. The most common types include attacks at the network layer (Layer 3), transport layer (Layer 4), presentation layer (Layer 6), and application layer (Layer 7).
Classification of DDoS Attacks
Considering methods to prevent such attacks, it is useful to divide them into two groups: infrastructure-level attacks (Layers 3 and 4) and application-level attacks (Layers 6 and 7).
Infrastructure-level attacks usually refer to attacks at Layers 3 and 4. These are the most common types of DDoS attacks and include vectors such as SYN floods, as well as reflection attacks such as UDP floods. These attacks are usually massive and aim to overload the capacity of the network or the application servers. However, they have clear signatures, which makes them easier to detect.
Application-level attacks typically involve Layers 6 and 7. These attacks are less common but more sophisticated. They are usually not as massive as infrastructure-level attacks, but they target specific resource-intensive parts of an application and render it unavailable to legitimate users. Examples of application-level attacks include HTTP request floods aimed at a login page or an expensive search API, and WordPress XML-RPC floods (also known as WordPress pingback attacks).
Methods of DDoS Attack Protection
Reducing the Attack Surface
One of the primary methods of neutralizing DDoS attacks is minimizing the attack surface. This limits the options available to attackers and lets protection be built in one place. It is essential to ensure that the application or its resources are not exposed on ports, protocols, or applications with which no communication is expected. Minimizing the potential attack points lets mitigation efforts be concentrated on the few that remain. In some cases, this can be achieved by placing computing resources behind Content Delivery Networks (CDNs) or load balancers and restricting direct internet traffic to specific parts of the infrastructure, such as database servers. Firewalls or Access Control Lists (ACLs) can also be used to control the traffic that reaches the applications.
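An added example (not part of the original article) of the ACL idea above: a small first-match, default-deny rule evaluator applied to a constructed "weak" ACL that exposes SSH and the database port to the whole internet, and a "hardened" ACL that leaves only HTTPS internet-facing. The rule syntax, the listening-service list and the TEST-NET addresses are all assumptions made for the example.

```python
import ipaddress
from typing import List, Optional

# Constructed ACLs, one rule per line: "<action> <proto> <port|any> <source CIDR>".
# Rules are evaluated first match wins; anything that matches no rule is denied.
WEAK_ACL = [
    "allow tcp 443 0.0.0.0/0",
    "allow tcp 22 0.0.0.0/0",      # SSH open to the whole internet
    "allow tcp 5432 0.0.0.0/0",    # database port open to the whole internet
]
HARDENED_ACL = [
    "allow tcp 443 0.0.0.0/0",     # only the public HTTPS service stays internet-facing
    "allow tcp 22 10.0.0.0/8",     # management access from the private network only
    "allow tcp 5432 10.0.1.0/24",  # database reachable from the application subnet only
]

# Constructed list of services listening on the host: (protocol, port).
LISTENING = [("tcp", 443), ("tcp", 22), ("tcp", 5432), ("udp", 53)]

# TEST-NET-3 address standing in for an arbitrary client on the internet (assumption).
INTERNET_PROBE = "203.0.113.10"


def parse_rule(line: str):
    """Parse one rule line into (action, proto, port-or-None, source network)."""
    action, proto, port, src = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    port_value: Optional[int] = None if port == "any" else int(port)
    return action, proto, port_value, ipaddress.ip_network(src)


def evaluate(rules, proto: str, port: int, src_ip: str) -> str:
    """Return 'allow' or 'deny' for a packet: first matching rule wins, default deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, r_proto, r_port, r_src in rules:
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        if ip not in r_src:
            continue
        return action
    return "deny"  # implicit default deny: nothing matched


def internet_exposed_ports(acl_lines: List[str], listening=LISTENING) -> List[int]:
    """Ports that an arbitrary internet address can reach under the given ACL."""
    rules = [parse_rule(line) for line in acl_lines]
    return sorted(port for proto, port in listening
                  if evaluate(rules, proto, port, INTERNET_PROBE) == "allow")


if __name__ == "__main__":
    print("weak ACL exposes:    ", internet_exposed_ports(WEAK_ACL))      # [22, 443, 5432]
    print("hardened ACL exposes:", internet_exposed_ports(HARDENED_ACL))  # [443]
```

The check that matters operationally is `internet_exposed_ports`: running it against the current ACL after every change makes an accidental re-exposure of the database or management port visible immediately, which is the practical meaning of "restricting direct internet traffic to specific parts of the infrastructure".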
Two key elements for mitigating large-scale DDoS attacks are bandwidth capacity (or transit potential) and server performance sufficient to absorb and neutralize the attacks.
- Transit Potential: When designing applications, it is essential to ensure that the hosting provider offers redundant internet connectivity with enough bandwidth to handle large traffic volumes. Since the ultimate goal of a DDoS attack is to affect the availability of a resource or application, it should be hosted not only near end-users but also close to major internet exchange points, which give users easy access to the application even during periods of high traffic. Internet-facing web applications have even broader options: Content Delivery Networks (CDNs) and DNS-based intelligent routing services can be used to create an additional layer of network infrastructure for content delivery and DNS resolution, often closer to end-users.
- Server Performance: Most DDoS attacks are volumetric and consume large amounts of resources, so it is vital to be able to scale computing resources up or down rapidly. This can be achieved with redundant computing resources or with specialized capabilities, such as more powerful network interfaces or enhanced network configurations that support large traffic volumes. In addition, load balancers are commonly used to continuously monitor and distribute load between resources so that no single resource becomes overloaded.
Understanding Typical and Atypical Traffic
Whenever elevated traffic levels are observed at a host, the baseline measure is to accept only as much traffic as the host can handle without affecting its availability. This concept is called rate limiting. More advanced protection techniques go further and intelligently accept only legitimate traffic by analyzing individual packets. To apply such measures, the characteristics of the good traffic the target normally receives must be known, so that each packet can be compared against that baseline.
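An added example (not from the original article) of the two ideas in this section: deriving a "typical traffic" ceiling from per-second request counts observed during a quiet period, and a per-source sliding-window rate limiter replayed over a constructed request stream containing one ordinary client and one flooding source. The baseline formula (mean plus three standard deviations), the per-source limit of 10 requests per second and the sample data are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict, deque
from typing import Dict, List, Tuple


def baseline_rps(normal_counts: List[int], k: float = 3.0) -> float:
    """Upper bound of 'typical' load: mean + k population standard deviations
    of the per-second request counts observed during normal operation (assumed rule)."""
    return statistics.mean(normal_counts) + k * statistics.pstdev(normal_counts)


def is_atypical(observed_rps: float, baseline: float) -> bool:
    """True when the observed request rate exceeds the learned baseline."""
    return observed_rps > baseline


class SlidingWindowLimiter:
    """Per-source limiter: at most `limit` requests from one key in any `window` seconds."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit = limit
        self.window = window
        self.hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over the limit: reject this request
        q.append(now)
        return True


def replay(events: List[Tuple[float, str]], limit: int):
    """Run the limiter over (timestamp, source) events; return accepted and dropped counts per source."""
    limiter = SlidingWindowLimiter(limit)
    accepted: Dict[str, int] = defaultdict(int)
    dropped: Dict[str, int] = defaultdict(int)
    for t, src in sorted(events):
        if limiter.allow(src, t):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


# Constructed per-second request counts from a quiet period, used to derive the baseline.
NORMAL_COUNTS = [20, 22, 19, 21, 20, 23, 18, 20, 21, 19]

# Constructed request stream (TEST-NET addresses): one ordinary client and one flooding source.
EVENTS = ([(i * 0.2, "198.51.100.7") for i in range(5)]      # 5 requests spread over 1 s
          + [(i * 0.01, "203.0.113.99") for i in range(50)])  # 50 requests in half a second
PER_SOURCE_LIMIT = 10   # assumption: no single client legitimately needs more than 10 req/s

if __name__ == "__main__":
    base = baseline_rps(NORMAL_COUNTS)
    print(f"baseline ~{base:.1f} req/s; 55 req/s atypical: {is_atypical(55, base)}")
    print(replay(EVENTS, PER_SOURCE_LIMIT))
```

The replay shows the asymmetry rate limiting is meant to produce: the ordinary client loses nothing, while the flooding source gets its first 10 requests through and the remaining 40 are dropped. The baseline function is the "reference point" from the text; the host-wide total of 55 requests in that second clearly exceeds a baseline of roughly 24.5, which is what triggers closer inspection in the first place.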
Deploying Firewalls to Mitigate Complex Application-Level Attacks
For attacks that try to exploit vulnerabilities in the application itself, such as SQL injection or cross-site request forgery, a Web Application Firewall (WAF) is recommended. Because such attacks are specific to the target, you should also be able to create custom mitigations against illegitimate requests, for example requests that differ in shape from good traffic or that originate from suspicious IP addresses, unexpected geographic regions, and so on. While an attack is under way, it can also help to involve specialists who study the traffic characteristics and create tailored defenses.
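An added example (not from the original article, and not the rule language of any particular WAF product) of the custom-mitigation idea above: combined-format access-log lines are parsed and each request is checked against the characteristics the text names, a reputation list of suspicious addresses, an unexpected geographic region, and a shape that differs from good traffic (here, an empty User-Agent). The decision is "allow", "challenge" or "block". The log lines, the prefix-to-country table standing in for a GeoIP database, the expected-country set, the reputation list and the sensitive-path list are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Combined log format as written by nginx/Apache:
# ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed access-log lines (TEST-NET addresses).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Constructed policy inputs (assumptions): where legitimate users normally come from, a tiny
# prefix-to-country table standing in for a GeoIP database, a reputation list of suspicious
# sources, and the resource-intensive endpoints worth protecting most strictly.
EXPECTED_COUNTRIES = {"US", "CA"}
GEO_TABLE = {"203.0.113.0/24": "ZZ", "198.51.100.0/24": "US", "192.0.2.0/24": "US"}
LISTED_SOURCES = {"192.0.2.44"}
SENSITIVE_PATHS = {"/login", "/xmlrpc.php"}


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"   # unknown prefix


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def decide(reasons: List[str], path: str, method: str) -> str:
    """Block listed sources and anomalous writes to sensitive endpoints; challenge other anomalies."""
    if not reasons:
        return "allow"
    if "source on reputation list" in reasons or (path in SENSITIVE_PATHS and method == "POST"):
        return "block"
    return "challenge"   # e.g. serve a CAPTCHA or JavaScript challenge to a merely unusual source


def classify(line: str) -> Tuple[str, List[str], str]:
    """Return (client ip, reasons the request differs from good traffic, decision)."""
    r = parse_line(line)
    reasons: List[str] = []
    if r["ip"] in LISTED_SOURCES:
        reasons.append("source on reputation list")
    cc = country_of(r["ip"])
    if cc not in EXPECTED_COUNTRIES:
        reasons.append(f"unexpected region {cc}")
    if r["agent"] in ("", "-"):
        reasons.append("empty User-Agent")
    return r["ip"], reasons, decide(reasons, r["path"], r["method"])


def decisions(lines: List[str]) -> Dict[str, str]:
    """Map each client ip in the log to the decision for its (last) request."""
    return {ip: dec for ip, _, dec in (classify(line) for line in lines)}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(classify(line))
```

Separating the reasons from the decision is deliberate: the same anomaly (an unexpected region, say) warrants only a challenge on a cheap static page but a block on a login POST, which is the "specific resource-intensive parts of an application" distinction the article draws, and keeping the reasons in the output is what lets an analyst review and tune the custom rule during an attack.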