Distributed Denial of Service (DDoS)
1. Definition
Distributed Denial of Service (DDoS) is an availability attack where multiple compromised computer systems (a Botnet) attack a target, such as a server, website, or other network resource, causing a denial of service for legitimate users.
The “Distributed” aspect makes it difficult to stop, as blocking a single source is insufficient.
2. Technical Explanation
DDoS attacks target different layers of the OSI model:
- Volumetric Attacks (Layer 3/4): Saturate bandwidth. Examples: UDP Flood, ICMP Flood, DNS/NTP Amplification.
- Protocol Attacks (Layer 3/4): Consume server resources (firewall connection tables, load balancers). Examples: SYN Flood (exploiting the TCP handshake).
- Application Layer Attacks (Layer 7): Target specific, resource-intensive web application endpoints with requests that look legitimate. Examples: HTTP Flood, Slowloris (keeping connections open with partial requests).
3. Attack Flow (Mirai Botnet Style)
```mermaid
flowchart TD
    C2[Attacker C2 Server]
    subgraph Botnet
        IoT1[Infected Camera]
        IoT2[Infected Router]
        IoT3[Infected DVR]
    end
    Target[Target Web Server]
    Impact[Bandwidth Saturated<br/>CPU at 100%<br/>Legitimate users dropped]
    C2 --"Cmd: Attack Target IP"--> Botnet
    IoT1 --"UDP Flood"--> Target
    IoT2 --"TCP SYN Flood"--> Target
    IoT3 --"HTTP GET /"--> Target
    Target --> Impact
```
4. Real-World Case Study: Dyn DNS Attack (2016)
- Target: Dyn (Major DNS Provider).
- Attack Type: Massive Volumetric IoT Botnet (Mirai).
- Volume: Estimated 1.2 Terabits per second (Tbps).
The Attack: The Mirai botnet scanned the internet for IoT devices (cameras, routers) with default passwords (like admin/admin). It infected hundreds of thousands of devices. On October 21, 2016, these devices were commanded to flood Dyn’s DNS infrastructure with TCP and UDP packets on port 53.
Impact: Because Dyn provided DNS for major sites, the attack effectively “broke the internet” for millions of users. Netflix, Twitter, Reddit, CNN, and GitHub became inaccessible across North America and Europe, not because their servers were down, but because browsers couldn’t resolve their domain names.
5. Detailed Defense Strategies
A. Anycast Network Routing
Use an Anycast network (provided by CDNs like Cloudflare, AWS CloudFront, or Akamai).
- Mechanism: The same IP address is announced from multiple global locations.
- Defense: Attack traffic is naturally dispersed to the closest data center, preventing any single point from being overwhelmed. The “flood” is diluted across the global network.
B. WAF and Rate Limiting (Layer 7)
For Application attacks:
- Challenge: Distinguish bots from humans using CAPTCHAs or JS challenges (Browser Integrity Check).
- Rate Limiting: Restrict requests per IP (e.g., 100 requests/minute).
- WAF Rules: Block known bot user-agents or malicious patterns.
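Added example (not code from the page): a per-IP sliding-window limiter, the kind of Layer 7 control a WAF or reverse proxy applies, run over access-log lines using the 100 requests/minute threshold quoted above. The log format, client IPs and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LIMIT = 100                    # requests allowed per client IP ...
WINDOW = timedelta(minutes=1)  # ... within any sliding one-minute window
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = '%d/%b/%Y:%H:%M:%S'

class SlidingWindowLimiter:
    """Per-IP deque of request timestamps seen within the last WINDOW."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:  # evict expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False  # over limit: answer 429 or serve a JS challenge
        q.append(ts)
        return True

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), datetime.strptime(m.group('ts'), TS_FMT)

def process(lines, limiter=None):
    """Feed log lines (time-ordered per client) through the limiter;
    return {ip: (allowed, blocked)} so an analyst sees who tripped it."""
    limiter = limiter or SlidingWindowLimiter()
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the filter
        ip, ts = parsed
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(v) for ip, v in counts.items()}

def make_line(ip, offset_s, path):
    # Constructed log line offset_s seconds after a fixed base time.
    ts = datetime(2016, 10, 21, 12, 0, 0) + timedelta(seconds=offset_s)
    return f'{ip} [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1"'

# Constructed sample: 203.0.113.7 fires 150 GETs in 30 s (HTTP-flood pattern);
# 198.51.100.2 sends one request every 10 s, like a normal browser.
SAMPLE_LOG = ([make_line('203.0.113.7', i // 5, '/') for i in range(150)]
              + [make_line('198.51.100.2', 10 * i, '/index.html') for i in range(6)])
RESULT = process(SAMPLE_LOG)  # {'203.0.113.7': (100, 50), '198.51.100.2': (6, 0)}
```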
C. Scrubbing Centers (Layer 3/4)
For Volumetric attacks:
- Route BGP traffic through a specialized “Scrubbing Center” when an attack is detected.
- The center filters out malicious packets (malformed UDP, SYN without ACK) and passes only clean traffic to the origin server.
D. Reduce Surface Area
- Do not expose origin server IPs directly.
- Use a whitelist to only accept traffic from your CDN provider’s IP ranges.
- Close all unnecessary ports (SSH/FTP) or restrict them to VPN access.
