Understanding Distributed Denial of Service (DDoS) Attacks

Cyber-attacks have become part of our life, with data breaches of high profile companies and businesses making headline news almost on a daily basis. Distributed Denial of Service (DDoS) attacks are among the most common types of cyber-attacks. As its name implies, DDoS renders websites and other online resources unavailable to legitimate users. Unlike other types of cyber-attacks, which are usually launched to establish a long term position and steal sensitive information, DDoS do not attempt to breach your security perimeter. Rather, it attempts to make your website and services unavailable to intended users. In some cases, however, denial of service is also used as a cover for other mischievous activities, and to take down security applications (e.g. web applications firewalls).

DDoS attacks usually last for days, weeks or even month, making them very destructive to any online business. They can erode consumer trust, cause loss of revenues, force business to spend a lot of money in compensations and cause you to suffer long term reputation damage.

 

What is a DDoS Attack?

Distributed Denial of Service (DDoS) attack is an attempt by an attacker to exhaust the resources available to a network, services or application so that legitimate users cannot gain access. They target a wide variety of important resources, from news websites to financial institutions, and present a major challenge to making sure people can publish and access vital information.

The difference between DDoS and DoS are substantive and worth noting. For example, in a DoS attack, an attacker uses a single internet connection to either flood a target with fake requests or exploits software vulnerability, usually in an attempt to exhaust server resources (e.g. CPU and RAM).

DDoS attacks are usually launched from several connected devices that are distributed across the internet. These multi-device barrages are usually difficult to deflect, mostly due to the high number of devices involved. Unlike single source DoS assaults, DDoS attacks tend to target the network infrastructure in an attempt to flood it with huge volumes of traffic.

 

Why are DDoS Attacks Dangerous?

DDoS attacks represent a major threat to business survival. As businesses have grown more dependent on the internet and web based services and applications, availability has become as important as electricity. Distribution Denial of Service is not only a threat to financial services, mining pools, gaming companies and retailers with an obvious need for availability. DDoS attacks also target very important applications that your business relies on to manage daily operations, such as CRM, email, sales force automation and many others. What’s more, other industries, such as healthcare and manufacturing have internal web properties that the supply chain and other business parties depend on for daily business operations. All of these are major targets for today’s attackers.

 

Types of DDoS Attacks

Distributed Denial of Service attacks vary greatly, and there are several different ways an attack can be carried out, but an attack vector will usually fall into the following categories:

 

Volumetric Attacks

Volumetric attack is an attempt to consume the bandwidth either between the target service/network, or within the target service/network and the rest of the internet. This attack is usually created to cause congestion.

 

TCP State Exhaustion Attacks

TCP State Exhaustion Attacks attempt to use up all the available connections to infrastructure devices such as firewalls, application serves, and load balancers. These attacks can take down any device including devices capable of maintaining state on millions of connections.

 

Application Layer Attacks

Application Attacks attempt to overpower a specific aspect of a service or application and can be effective even with very few attacking systems generating a low traffic rate (this makes these attacks extremely difficult to detect and mitigate). Application Attacks have come to prevalence over the past few years and simple layer attacks (HTTP GET flood etc.) have been one of the major DDoS attacks seen in the wild.

Nowadays attackers are blending application layer attacks, state exhaustion attacks and volumetric attacks against organization devices all in a single, continuous attack. These attacks are common because they are difficult to defend against and usually highly effective.

 

Finding the Right DDoS Mitigation Strategy

The first thing to do in preparing your business to deal with a DDoS attack is to assess your risk. Some of the most important questions to ask yourself include which business assets need protection? What are the single points, or soft spots of failure? What is required to take them down? How and when will you know you are targeted? Will it be too late to act? What are the effects (financial and otherwise) of an extended attack?

If you are able to find solutions to these questions, it’s then time to prioritize your concerns, examining different mitigation options within the framework of your security budget. If you are running an online application or a commercial website, you are probably going to want 24/7 protection. A large law firm, on the other hand, may be more interested in safeguarding its infrastructure, including FTP servers, email servers, and back office platforms than its website. It therefore makes sense that a large law firm may opt for an on-demand solution.

The next step is to choose the method of deployment. The most recommended and effective way to deploy on demand Distribution Denial of Service protection for your vital infrastructure services across an entire subnet is through boarder gateway protocol routing. It’s important to note that this technique will only work on demand, requiring you to physically activate the security solution in case of a DDoS attack.

Therefore, if you are in need of an always on Distribution Denial of Service protection for your website application, you should try DNS redirection to re-route all website traffic through your DDoS protection provider’s network. The best thing about this strategy is that most CDNs offer on call scalability to absorb volumetric attacks, and minimize latency and accelerate content delivery.

 

Mitigating Application Layer Attacks

Mitigation of these attacks depend on traffic profiling solutions that can scale on-demand, while also being capable to differentiate between legitimate website visitors and malicious bots.

When it comes to traffic profiling, the best practice require signature based and behavior based heuristics, combined with a progressive use of security challenges and IP reputation scoring. Together, these correctly filter out malicious bot traffic, protecting your systems against application layer attacks without any effect to your genuine users.

 

Mitigating Network Layer Attacks

When dealing with network layer attacks, you are required to have some additional scalability, beyond what your own network can offer. Consequently, in the event of an attack, a BGP announcement is made to make sure that all the incoming traffic is routed through a set of scrubbing centers. Each of these has the power to handle thousands of Gbps worth of traffic. Scrubbing centers have servers that are powerful enough to filter out malicious packets, and forward the clean traffic to the origin server through a GRE tunnel.

This process provides protection against direct to IP attacks and is often compatible with all types of communication protocols and infrastructure.

 

Mining Pool DDoS

Distribution Denial of Service attacks has posed an increasingly serious problem for mining pools and crypto-currency exchanges in past years. Last year, several major mining pools suffered debilitating DDoS attacks that resulted in significant delays, frustration for miners and lost mining time. In extreme situations, some pools received ransom messages from attackers demanding payoffs in exchange for stopping their attacks.

BW.com, CKPool, AntPool, Ghash.io and NiceHash are among a number of BitCoin mining pools and operations that have been hit by DDoS (Distribution Denial of Service) attacks in recent days. These occurrences appear to have begun in the first week of March, 2015. For instance, the 11th of March 2015, Bitmain, AntPool owner sent an email to customers disclosing the Distribution Denial of Service attacks and requesting external pool users to set up foolproof pools in the event of an outage.

According to several other mining pool companies affected by the DDoS, those behind the attacks demanded payment in Bitcoin in return for stopping the DDoS attacks. BW.com alerted their customers through their official website about the possible service disruptions owing to DDoS attacks, but they didn’t clarify whether or not a ransom notice had been sent. Other mining pools companies took to Bitcoin Talk to warn their customers about the DDoS attacks.

The alleged source of the Distribution Denial of Service attacks, operating under the name DD4BC, is believed to be behind a number of DDoS attacks on digital currency websites in the past years. Cases tied to this group include a DDoS attack in 2013 on the digital currency exchange Bitalo that lead to the posting of a 100 BTC bounty.

Affected mining pool companies say that they have moved to boost in-house defense strategies in light of the DDoS attacks, but some warned that the future outages may likely occur. Mining pools that were affected refused to pay the ransoms and continued keeping their pools open despite the risk of future DDoS attacks.

Some of the mining pools believe that resolving the situation will be difficult owing to the power believed to be possessed by the attackers. The attacks appear to be orderly and it remains unclear when the situation will be completely resolved.

Distribution Denial of Service attack on a mining pool can create serious headaches for pool administrators and miners. The immediate effect is that the pool malfunctions and miners, who may not even know what is happening, stop receiving their payouts.

Depending on the seriousness of the attack, including whether or not the attackers actually infiltrate the database of the mining pool, the damage done to the servers can result in even longer disruptions. DDoS attacks can also damage the reputation of the mining pool greatly. Miners may fear that their pool is no longer safe and will start looking for work elsewhere.

While most mining pool software allows configuration for backup, concerns over future DDoS attacks, and the corresponding loss of revenue, may be enough to deter a mining pool from returning.

 

Why Do Mining Pools Often Get DDoS Attacked?

There are several groups of individuals that could have incentives to DDoS mining pools:

Owners of other pools: Mining pools generate proceeds from the blocks mined by their miners. It therefore makes sense for other mining pools owners to attack their competitors to encourage users to abandon the pool and possibly find a new home at theirs.

People mining at other mining pools: When a miner is mining at a certain pool that has problems, there is a high probability that their shares would be lost. This means that there is a likelihood that the mining pool under attack will no longer be able to locate blocks and so the hash power of its users will be lost, causing new blocks to be found less frequently. This can be profitable to folks mining at other mining pools because this will result in the difficulty being lowered, giving them a higher probability of finding new blocks. Remember, more blocks mean more profit.

Opposers of Bitcoin: Opposers of Bitcoin are not necessarily governments, but can also include banks, payment services like Visa, MasterCard or PayPal. Bitcoin is exceptionally innovative as a payment service and has the potential to take over a huge part of the online payment industry. What’s more, Bitcoin abolishes the centralized concept of money, from which financial institutions make proceeds. So they all have several reasons not wanting to see Bitcoin succeed as a prosperous currency and payment method.

 

The Bottom Line

Distribution Denial of Service (DDoS) attacks can seriously damage a whole network, not just a single server. This can make opening files very slow. The attack is also capable of damaging the capacity of a router and even resources for the network stack. When DDoS attack happens, it usually breaks a lot of servers in multiple locations. Consequently, this leads to bandwidth collapse. Luckily, these network problems being experienced can be solved tactically and even strategically through application of DDoS protection systems. Today, a lot of mining pools, companies and website owners find it worth to invest in DDoS protection system.

Edward Martinez

Computer and Technology Enthusiast

Leave a Reply