DDoS attacks are closely tied to botnets: hackers acquire command and control of thousands of Internet-connected devices and then instruct all of them to send requests to the target at the same time in a coordinated attack. In recent years, however, hacktivist groups and criminal organizations have increasingly deployed attack tools that are easy to obtain and use. These DDoS attack apps, such as WebHive LOIC, began as tools for cybersecurity experts to run “stresser” tests against websites. Running as a single instance, they cannot launch a significant DDoS attack. When many stresser apps are coordinated, whether through a botnet or a cloud service, these tools can knock big commercial websites offline for extended periods.
The cryptocurrency space is no stranger to such cyberattacks, and more than one platform has fallen prey. To better understand how these attacks unfold, let’s take a closer look.
What Exactly Is a DDoS Attack?
A Distributed Denial-of-Service (DDoS) attack is a type of cyberattack that floods a system, such as a network or a web server, with requests in an attempt to bring it down. When the traffic exceeds the server’s capacity, it can no longer respond to valid requests from legitimate users, resulting in a “denial of service.”
DDoS attacks use many devices cooperating across a network to overwhelm the server with more traffic than it can handle. They are frequently carried out by bad actors against large organizations on which people rely for important services, such as banks, news websites and, in some cases, power plants. The true objective can range from theft and extortion during outages and downtime, to setting up follow-on attacks such as phishing and ransomware, to reputational damage, or simply to causing chaos.
How DDoS Attacks Work
To carry out a DDoS attack, the attackers need a network of machines that work together under their control. A botnet is such a collection of infected devices, and it sends a flood of malicious traffic at a designated target.
Laptops, mobile devices, PCs, servers and Internet of Things (IoT) devices are examples of machines that can be geographically dispersed across a wide area. In a botnet, these devices may number in the tens or even hundreds of thousands. By exploiting security flaws and planting malware on the devices, attackers may gain control of them, and access to their users’ personal information, without the users’ knowledge.
The 2016 Dyn attack, which took down much of the Internet service in the United States and crippled sites including Twitter, the Guardian and Netflix, was one of the largest and best-known DDoS attacks. It was carried out by a botnet of Internet of Things (IoT) devices, including cameras, televisions, printers and even baby monitors, that had been infected with the Mirai malware.
A DDoS attack is launched as follows. First, malware infects a device, allowing an attacker to take control of it. Once a botnet has been assembled, customized attack instructions can be delivered to each bot over the web. When a network or web server is the target, each bot sends requests to the server’s IP address.
Since each bot is a genuine device on the Internet, its traffic looks normal and is therefore difficult to distinguish from legitimate traffic to the server.
The Different Types of DDoS Attacks
Despite their conceptual simplicity, DDoS attacks come in numerous kinds depending on the tactic used. They usually fall into one of the following categories.
Networking layer or Protocol attacks
These DDoS attacks target the infrastructure of the network itself. They may, for example, send slow pings, malformed pings and incomplete packets to the parts of the network responsible for confirming network connections. Security measures such as firewalls are not sufficient to protect against this form of DDoS.
Furthermore, firewalls may be installed deeper in the network, which means routers can be hit before traffic ever reaches the firewall. Common forms of network layer attack include the Smurf DDoS and the SYN flood, which opens a TCP/IP connection request without completing it and leaves the server waiting for an acknowledgment (ACK) packet that never arrives. The severity of networking layer or protocol attacks is measured in packets per second, because they depend on the number of packets sent rather than on the actual number of bits.
Application layer attacks
A DDoS attack of this sort aims to disrupt the functionality of applications rather than the infrastructure that supports them. These attacks can be launched over HTTP, HTTPS, DNS or SMTP and target Layer 7, the application layer of the Open Systems Interconnection (OSI) model: the part of the server that generates and delivers web pages in response to HTTP requests. Examples of application layer attacks are the HTTP flood, Low and Slow, and BGP hijacking. They are measured in requests per second, since their intensity depends on how frequently or continuously the botnet traffic requests the application’s services.
Volume-based traffic attacks
Volume-based DDoS attacks rely on overwhelming the network’s capacity with data. Frequent volumetric attacks include floods of User Datagram Protocol (UDP) and ICMP messages. In UDP flood attacks, attackers exploit the UDP format to circumvent integrity checks and perform amplification and reflection attacks.
Volumetric DDoS attacks also include DNS amplification attacks, in which the attacker sends requests to a DNS server with a spoofed source IP address (that of the target server) so that the DNS server’s responses are directed at the target, amplifying the traffic it receives. Attackers use ICMP floods to disable network nodes by flooding them with bogus error requests. The attacker’s objective here is to submit as many queries as possible in a short period of time from as many infected devices as possible.
DDoS attacks can also be classified by their intended effect. Some are designed to flood a target, while others are designed to crash it.
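The three categories above are each measured in a different unit: packets per second for protocol attacks, requests per second for application-layer attacks and bits per second for volumetric attacks. The following Python script is an added example, not code from the original article; it replays a constructed packet capture (the `Packet` fields, the sample addresses and the toy thresholds are all assumptions) and sorts each source into the category whose threshold it exceeds, with a separate check for the half-open connections a SYN flood leaves behind.

```python
"""Added example, not from the original article: classify constructed packet
records into the three DDoS categories described above, using the unit each
category is measured in: packets per second (protocol attacks), requests per
second (application-layer attacks) and bits per second (volumetric attacks).
The Packet fields, sample addresses and thresholds are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str         # source IP address
    proto: str       # "TCP", "UDP" or "ICMP"
    flags: str       # TCP flags ("S" = SYN, "A" = ACK, "PA" = PSH+ACK); "" otherwise
    size: int        # bytes on the wire
    http_req: bool   # True when the payload carries an HTTP request line


# Assumed per-source thresholds for a one-second window (toy values)
PPS_LIMIT = 50          # packets per second
RPS_LIMIT = 20          # HTTP requests per second
BPS_LIMIT = 500_000     # bits per second


def half_open_ratio(packets):
    """Fraction of client SYNs that were never followed by the client's ACK.
    A SYN flood leaves the server waiting for ACKs that never arrive, so the
    ratio approaches 1.0; normal handshakes keep it near 0.0."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for p in packets:
        if p.proto != "TCP":
            continue
        if p.flags == "S":
            syns[p.src] += 1
        elif p.flags == "A":
            acks[p.src] += 1
    total = sum(syns.values())
    if total == 0:
        return 0.0
    half_open = sum(n - min(n, acks[src]) for src, n in syns.items())
    return half_open / total


def per_second_metrics(packets):
    """pps, rps and bps for every (source, one-second window) pair."""
    metrics = defaultdict(lambda: {"pps": 0, "rps": 0, "bps": 0})
    for p in packets:
        m = metrics[(p.src, int(p.ts))]
        m["pps"] += 1
        m["bps"] += p.size * 8
        if p.http_req:
            m["rps"] += 1
    return metrics


def classify(packets):
    """Return sorted (source, category) pairs for sources that exceed a
    threshold. Bandwidth is checked first because a volumetric flood also
    pushes pps up; rps is checked before pps for the same reason."""
    findings = set()
    for (src, _sec), m in per_second_metrics(packets).items():
        if m["bps"] > BPS_LIMIT:
            findings.add((src, "volumetric"))
        elif m["rps"] > RPS_LIMIT:
            findings.add((src, "application-layer"))
        elif m["pps"] > PPS_LIMIT:
            findings.add((src, "protocol"))
    return sorted(findings)


def build_sample():
    """Constructed capture: one legitimate client plus three attack patterns."""
    pkts = [  # normal handshake, one request, a few ACKs
        Packet(0.00, "10.0.0.1", "TCP", "S", 60, False),
        Packet(0.01, "10.0.0.1", "TCP", "A", 52, False),
        Packet(0.02, "10.0.0.1", "TCP", "PA", 300, True),
        Packet(0.05, "10.0.0.1", "TCP", "A", 52, False),
    ]
    # SYN flood: 200 SYNs in one second, never completed
    pkts += [Packet(0.001 * i, "203.0.113.5", "TCP", "S", 60, False) for i in range(200)]
    # UDP flood: 60 large datagrams in one second (60 * 1400 * 8 = 672,000 bit/s)
    pkts += [Packet(0.01 * i, "198.51.100.7", "UDP", "", 1400, False) for i in range(60)]
    # HTTP flood: 40 requests in one second over an established connection
    pkts += [Packet(0.02 * i, "192.0.2.9", "TCP", "PA", 300, True) for i in range(40)]
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print(f"half-open SYN ratio: {half_open_ratio(sample):.2f}")
    for src, category in classify(sample):
        print(f"{src}: {category}")
```

The order of the checks in `classify` matters: a volumetric flood also drives packet counts up, and an HTTP flood is made of packets too, so the most specific signal (bits, then requests) is tested before the generic packet rate. On real traffic the thresholds would come from the baseline of normal load for that host rather than from fixed constants.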
Flooding DDoS attacks
The objective of these attacks is to bring down a server by flooding it with massive amounts of data. Data packets are sent in an attempt to take down a network of computers, as in an ICMP flood or ping flood. The SYN flood mentioned above under networking layer attacks works similarly.
Crashing DDoS attack
In this sort of DDoS attack, the attacker sends traffic that triggers bugs in a compromised system in order to exploit flaws in the system’s infrastructure. An unpatched router or firewall is vulnerable to such an attack and crashes the system, exposing further faults that can be exploited.
Techniques to Prevent DDoS Attacks
Reduce Attack Surface Area
One of the first strategies for reducing DDoS attacks is to decrease the surface area that can be attacked, which limits the attackers’ options and lets you concentrate your defenses in one place. In other words, you don’t want your application or resources exposed on ports, protocols or to other applications from which no contact is expected, so that mitigation efforts can focus on a smaller number of probable attack points. Using Content Distribution Networks (CDNs) or load balancers, you may be able to keep direct Internet traffic away from specific parts of your infrastructure, such as your database servers. To restrict access to your applications in such cases, you can use firewalls or Access Control Lists (ACLs).
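A practical first step in reducing the attack surface is to find out which ports a host actually exposes and compare them with the ports it is supposed to expose. The Python script below is an added example, not code from the original article: it parses the output format of `ss -Hlntu` on Linux, classifies each bind address by where it is reachable from, and reports sockets that listen on every interface without being on the public allowlist. The sample `ss` output, the web-node allowlist and the address classifications are assumptions.

```python
"""Added example, not from the original article: audit a host's listening
sockets against an allowlist of the ports it is expected to expose, so that
anything else can be closed or blocked with a firewall rule or ACL. The input
format is that of `ss -Hlntu` on Linux; the sample output, the role
allowlist and the address classifications are assumptions."""

# Wildcard binds: reachable on every interface, including a public one
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}

# Assumed allowlist for an Internet-facing web node: only HTTP and HTTPS
WEB_NODE_PUBLIC = {("tcp", 80), ("tcp", 443)}


def parse_ss_line(line):
    """Parse one `ss -Hlntu` line into (proto, address, port) or None.
    Columns: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port."""
    fields = line.split()
    if len(fields) < 5:
        return None
    proto, local = fields[0], fields[4]
    addr, _, port = local.rpartition(":")
    if not port.isdigit():
        return None
    # Strip an interface scope such as "127.0.0.53%lo" and IPv6 brackets
    addr = addr.split("%")[0]
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return proto, addr, int(port)


def bind_scope(addr):
    """Classify where a bind address is reachable from."""
    if addr in WILDCARD:
        return "wildcard"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific"


def audit(ss_output, allowed_public):
    """Return sorted (proto, port, addr) triples for sockets that listen on
    every interface but are not on the public allowlist."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, addr, port = parsed
        if bind_scope(addr) == "wildcard" and (proto, port) not in allowed_public:
            findings.append((proto, port, addr))
    return sorted(findings)


# Constructed `ss -Hlntu` output for a web node that also runs PostgreSQL,
# Redis and a local stub resolver. The database is bound to every interface.
SAMPLE_SS = """\
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      511        127.0.0.1:6379       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, port, addr in audit(SAMPLE_SS, WEB_NODE_PUBLIC):
        print(f"unexpected exposure: {proto}/{port} bound to {addr}")
```

On the constructed sample the script flags PostgreSQL on 5432 and SSH on 22. Each finding is a candidate for one of the controls named above: rebind the service to the private address, or add a firewall rule or ACL that admits only the application subnet (and, for SSH, a management network, which is the one case where adding `("tcp", 22)` to the allowlist may be the right answer).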
Plan for Scale
Bandwidth (or transit) capacity and server capacity, and the ability of each to absorb and mitigate large-scale volumetric DDoS attacks, are the two most important aspects of mitigating these attacks.
Transit capacity
When designing your applications, make sure your hosting provider has enough bandwidth to handle large volumes of traffic. Since the ultimate purpose of a DDoS attack is to disrupt the availability of your resources and applications, you should place them not only close to your end users but also close to major Internet exchanges, which gives your users easy access to your application even during high levels of traffic. As an additional layer of network infrastructure, web applications can use Content Distribution Networks (CDNs) and smart DNS resolution services to serve content and resolve DNS requests from locations closer to your end users.
Server capacity
Most DDoS attacks are volumetric, which means they consume a large amount of resources, so being able to scale compute resources up or down quickly is critical. Larger compute instances, or those with capabilities such as more extensive network interfaces or enhanced networking that supports larger volumes, can also be used for this. Additionally, load balancers constantly monitor and redistribute load among resources so that no single resource is overloaded at any given time.
Know what is normal and abnormal traffic
Many tech firms follow a basic policy of only accepting as much traffic as a host can handle without harming availability during periods of heavy traffic. This is known as rate limiting, and it is common practice. Protection can be taken a step further by evaluating individual packets and only accepting traffic that is valid. To do this, you must be familiar with the characteristics of the good traffic the target typically receives and be able to compare every packet against this baseline.
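The two ideas in this section, rate limiting and comparison against a baseline of normal traffic, are shown together in the Python script below. It is an added example, not code from the original article: a per-client token bucket enforces "only as much traffic as the host can handle", and a mean/standard-deviation baseline learned from a quiet period flags one-second windows whose request count is far outside normal. The access-log format, the client addresses, the rate and burst values and the training counts are all constructed assumptions.

```python
"""Added example, not from the original article: a per-client token-bucket
rate limiter (the article's "only allow as much traffic as a host can
manage") combined with a baseline of normal request volume that flags
windows deviating far from it. Log format, addresses, rates and the
training counts are all constructed assumptions."""
import math
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens refill per second up to `burst`;
    each accepted request costs one token."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client IP; call allow(ip, timestamp) per request."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, client, now):
        return self.buckets[client].allow(now)


def baseline(per_second_counts):
    """Mean and standard deviation of requests/second from a quiet period."""
    n = len(per_second_counts)
    mean = sum(per_second_counts) / n
    var = sum((c - mean) ** 2 for c in per_second_counts) / n
    return mean, math.sqrt(var)


def is_anomalous(count, mean, std, z=3.0):
    """True when a window's request count sits more than z standard
    deviations above the baseline (std floored at 1 to avoid a zero band)."""
    return count > mean + z * max(std, 1.0)


def apply_limit(log_lines, rate, burst):
    """Replay constructed access-log lines ("<ts> <ip> <method> <path>")
    through the limiter; return {ip: (accepted, dropped)}."""
    limiter = RateLimiter(rate, burst)
    tally = defaultdict(lambda: [0, 0])
    for line in log_lines:
        ts, ip, _method, _path = line.split()
        idx = 0 if limiter.allow(ip, float(ts)) else 1
        tally[ip][idx] += 1
    return {ip: tuple(v) for ip, v in tally.items()}


def build_log():
    """Constructed log: a normal client, a bursty client and an HTTP flood."""
    lines = [f"{100 + i}.000 10.0.0.1 GET /api/price" for i in range(5)]
    lines += ["200.000 10.0.0.2 GET /api/orders"] * 12   # burst of 12 in one instant
    lines += ["201.000 10.0.0.2 GET /api/orders"] * 3    # three more a second later
    lines += ["300.000 203.0.113.5 GET /login"] * 50     # flood: 50 at the same instant
    return lines


# Constructed requests/second observed during a quiet training period
TRAINING_COUNTS = [12, 15, 11, 14, 13, 12, 16, 13]

if __name__ == "__main__":
    for ip, (ok, dropped) in apply_limit(build_log(), rate=5, burst=10).items():
        print(f"{ip}: accepted={ok} dropped={dropped}")
    mean, std = baseline(TRAINING_COUNTS)
    print(f"baseline {mean:.1f} +/- {std:.2f} req/s; "
          f"60 req/s anomalous: {is_anomalous(60, mean, std)}")
```

With a rate of 5 requests per second and a burst of 10, the steady client is never throttled, the bursty client loses two requests and then recovers as its bucket refills, and the flooding source gets only its initial burst through. The baseline check works at a different level: it says nothing about individual clients but tells you that a window of 60 requests per second is not what this host normally sees, which is the cue to start examining the packets themselves.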
Deploy Firewalls for Sophisticated Application attacks
You should employ a Web Application Firewall (WAF) to prevent attacks such as SQL injection and cross-site request forgery from exploiting vulnerabilities in your application. You should also be able to easily develop bespoke mitigations against malicious requests that disguise themselves as legitimate traffic, come from rogue IPs or originate from unexpected locations. A WAF can also help mitigate attacks by studying traffic trends and creating tailored defenses with expert support.
Closing note
DDoS attacks have proven to be a reliable method of bringing down web-based services. Although mitigation and prevention methods have improved, DDoS attacks will continue to be a problem for enterprises of every size. An excellent place to start is a privacy- and security-conscious mindset, beginning with encrypted email and adopting good online security and privacy practices. This decreases the risk of your devices being turned into bots that contribute to DDoS attacks.
Disclaimer: Cryptocurrency is not a legal tender and is currently unregulated. Kindly ensure that you undertake sufficient risk assessment when trading cryptocurrencies as they are often subject to high price volatility. The information provided in this section doesn't represent any investment advice or WazirX's official position. WazirX reserves the right in its sole discretion to amend or change this blog post at any time and for any reasons without prior notice.