According to a report from the global security provider StormWall, DDoS attacks are growing rapidly: they are becoming more numerous, more powerful, and more complex, and the attack algorithms cover more and more vectors.
Such threat dynamics are becoming a problem that businesses must address as they rely more heavily on IT services and digitalization, and they raise the bar for the specialists responsible for information security.
In this article, we take a brief tour of the topic of DDoS attacks and explain how to build protection that minimizes the exposure of your IT landscape. A DDoS (Distributed Denial of Service) attack aims to disrupt the operation of an IT system or its components by overloading the resources and capacity allocated to it with a massive stream of requests.
For example, a DDoS attack can aim to:
exhaust the server's computing resources;
saturate the entire allocated Internet channel bandwidth;
overflow the limit of simultaneous connections and user sessions in an application.
The target of such an attack can be any IT system: a website, an application, a server, or even IP telephony, which can be overloaded with a stream of bogus calls.
Note: A website, application, or service crash under increased load is not always the result of a deliberate attack. There is also the Slashdot effect (also known as the Habr effect): a failure caused by a sudden, many-fold increase in organic traffic. It happens when more real users than expected try to use the service at the same time and there are not enough resources available.
For example, you sized every component of a new application for 1,000 users, and the marketing department, without coordinating with the developers, ran an advertising campaign that brought in 10,000 new clients who, with no malicious intent at all, brought the whole system down.
“Four Targets”: The Primary Targets For DDoS Attacks
The standard way to separate all the components and stages of data transmission into layers is the OSI (Open Systems Interconnection) model. It consists of seven layers covering all the main types of communication.
However, as applied to the Internet, the OSI model is largely theoretical. In practice, the TCP/IP model is used; it reflects how the Internet actually works more accurately from the point of view of applications and the network protocols they use. It also divides communication into layers, but only four.
Network Access Layer (OSI L1–L2)
Describes how frames are transmitted over the physical medium and how directly connected devices exchange them. This layer also covers the transmission medium (type of cable or channel) and the physical signaling parameters (for example, modulation, signal amplitude and frequency, response timeouts, and other parameters).
The main goal of attacks on this infrastructure layer is to disrupt the normal operation of routers, firewalls, and other service or intermediate equipment.
Network Layer (OSI L3)
Responsible for joining many local networks into one global network. It handles host addressing, packet encapsulation, and routing. IP, ICMP, and IGMP are the primary network layer protocols; ARP is traditionally listed alongside them, although it actually works on the boundary between the link and network layers.
The main goal of attacks on L3 is to exhaust bandwidth and packet-processing capacity at every hop along the path to the target. L3 is an easy target for attackers because a flood at this layer does not require establishing a TCP connection with the victim: packets can be sent blindly, which also lets the attacker spoof the source address.
Transport Layer (OSI L4)
The main transport layer protocols are TCP and UDP, which multiplex many data streams between two hosts by means of ports. TCP additionally provides reliable, ordered delivery of data of any size, which requires both ends to keep per-connection state.
Attacks on L4 therefore often target stages of the TCP connection lifecycle that have exploitable bottlenecks, above all the procedures for establishing (the three-way handshake) and closing a connection, each of which forces the server to hold state for a peer that may never respond. Typical L4 attacks are the SYN flood, ACK flood, TCP connection flood, and the like.
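The following simulation, added here as an illustration and not code from the original article or from StormWall, shows why the handshake is a bottleneck: a stateful listener allocates a half-open entry for every SYN and runs out of backlog under a spoofed flood, while a listener using SYN cookies keeps no state until a valid ACK arrives. The packet model, the backlog size of 128, the address ranges, and the cookie construction (a truncated HMAC over the client address, port, and a one-minute time slot) are assumptions; real SYN cookie implementations such as the Linux kernel's also encode the MSS and use a different layout.

```python
"""Simulate a SYN flood against a stateful TCP listener and against a
listener that uses SYN cookies.

Added example, not from the original article. The packet model, backlog
size, addresses, and cookie layout are assumptions for the demo.
"""
import hashlib
import hmac
import time

BACKLOG = 128  # assumed listen backlog: maximum number of half-open connections


class StatefulListener:
    """Classic server: every SYN allocates a half-open entry until the ACK arrives."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> server initial sequence number
        self.established = set()
        self.dropped = 0

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None              # backlog full: the SYN is silently dropped
        isn = 0x1000 + len(self.half_open)
        self.half_open[(src_ip, src_port)] = isn
        return isn                   # sequence number carried in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


class SynCookieListener:
    """Stateless variant: the server ISN is an HMAC over the peer address/port and a
    coarse time slot, so nothing is stored until a valid ACK comes back."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock           # injectable for deterministic tests
        self.established = set()

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # fits the 32-bit sequence field

    def on_syn(self, src_ip, src_port):
        slot = int(self.clock()) // 60             # cookie stays valid for 1-2 minutes
        return self._cookie(src_ip, src_port, slot)

    def on_ack(self, src_ip, src_port, ack):
        slot = int(self.clock()) // 60
        for s in (slot, slot - 1):                 # accept the current and previous slot
            if (ack - 1) & 0xFFFFFFFF == self._cookie(src_ip, src_port, s):
                self.established.add((src_ip, src_port))
                return True
        return False


def run_flood(listener, spoofed_syns=1000):
    """Send spoofed SYNs that are never completed, then one legitimate client.

    Returns True if the legitimate client manages to establish its connection.
    """
    for i in range(spoofed_syns):
        listener.on_syn(f"198.51.100.{i % 256}", 1024 + i)   # spoofed, never ACKed
    isn = listener.on_syn("203.0.113.7", 40000)
    if isn is None:
        return False                                        # SYN dropped, no SYN-ACK sent
    return listener.on_ack("203.0.113.7", 40000, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful listener, legitimate client connects:", run_flood(StatefulListener()))
    print("SYN cookie listener, legitimate client connects:", run_flood(SynCookieListener(b"demo-secret")))
```

The stateful listener fails the legitimate client because its 128 slots were filled by the first 128 spoofed SYNs; the cookie listener accepts it because it never allocated anything for the flood. The caveat a practitioner should keep in mind is that SYN cookies only remove the state bottleneck; a flood that saturates the link or the NIC's packet rate still has to be absorbed upstream.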
Application Layer (OSI L7)
The application layer forms the data that is handed down to the lower layers for packaging, provides access to that data, and defines the user-facing protocols. It is at this layer that data is delivered to the user.
The main application-layer protocols are FTP, HTTP, POP3, SMTP, IMAP, and DNS.
Attacks on L7 are aimed explicitly at the application and its weaknesses, and they can use HTTP and HTTPS as well as DNS, VoIP, SMTP, and FTP. Application-layer attacks are becoming more common, and their share of all DDoS attacks is growing steadily. They are dangerous not only because they are hard to repel but also because they are often combined, including:
low-volume, slow attacks (Low and Slow);
floods of arbitrary "garbage" requests;
attacks that imitate the behavior of real users.
DDoS attacks can be carried out at any of these layers.
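The three application-layer patterns listed above leave different traces in a web server's access log, and the added example below (illustration only, not code from the original article or from StormWall) runs simple detection logic over a constructed log to separate them: a request-rate flood, a Slowloris-style client whose requests hang until the server times them out, and a "garbage" client whose requests almost all hit nonexistent paths. The log format (an nginx-like line ending in the request time in seconds), the sample addresses, and every threshold are assumptions to be tuned per site; the hardest case, traffic that imitates real users, is deliberately not claimed to be caught by this logic.

```python
"""Flag application-layer (L7) DDoS patterns in web server access logs.

Added example, not from the original article. Log format, sample lines and
thresholds are assumptions. Assumed line layout (nginx-like):
  <ip> [<time>] "<method> <path> <proto>" <status> <bytes> <request_time_seconds>
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S")
    d["status"] = int(d["status"])
    d["bytes"] = int(d["bytes"])
    d["rt"] = float(d["rt"])
    return d


def detect(lines, window=10, rate_limit=50, slow_rt=30.0, slow_min=5,
           garbage_ratio=0.8, garbage_min=10):
    """Return {ip: set(reasons)} for clients matching one of three L7 patterns.

    flood   - more than rate_limit requests inside one window-second bucket
    slow    - at least slow_min requests that hung for slow_rt seconds or more and
              ended with a timeout-style status (what a Low and Slow client looks
              like once the server gives up on the request)
    garbage - at least garbage_min requests of which garbage_ratio or more were 404s
    """
    per_bucket = defaultdict(int)      # (ip, bucket) -> requests in that window
    slow = defaultdict(int)
    total = defaultdict(int)
    not_found = defaultdict(int)
    for line in lines:
        r = parse(line)
        if r is None:
            continue                   # skip malformed lines rather than crash
        ip = r["ip"]
        bucket = int(r["ts"].timestamp()) // window
        per_bucket[(ip, bucket)] += 1
        total[ip] += 1
        if r["status"] == 404:
            not_found[ip] += 1
        if r["rt"] >= slow_rt and r["status"] in (400, 408, 499):
            slow[ip] += 1
    flagged = defaultdict(set)
    for (ip, _), n in per_bucket.items():
        if n > rate_limit:
            flagged[ip].add("flood")
    for ip, n in slow.items():
        if n >= slow_min:
            flagged[ip].add("slow")
    for ip, n in total.items():
        if n >= garbage_min and not_found[ip] / n >= garbage_ratio:
            flagged[ip].add("garbage")
    return dict(flagged)


def sample_log():
    """Constructed sample log: one flooder, one slow client, one scanner, one normal user."""
    lines = []
    stamp = "[12/Mar/2024:10:00:%02d]"
    for i in range(120):               # flooder: 120 GETs inside one 10-second window
        lines.append(f'198.51.100.10 {stamp % (i % 10)} "GET /search?q={i} HTTP/1.1" 200 512 0.020')
    for i in range(6):                 # slow client: requests timed out by the server after 60 s
        lines.append(f'198.51.100.20 {stamp % (i * 5)} "POST /upload HTTP/1.1" 408 0 60.0')
    for i in range(12):                # garbage client: random paths, all 404
        lines.append(f'198.51.100.30 {stamp % (i * 3)} "GET /{i}a3f.php HTTP/1.1" 404 162 0.001')
    for i in range(5):                 # normal user: a few pages, spread over time
        lines.append(f'203.0.113.5 {stamp % (i * 10)} "GET /index.html HTTP/1.1" 200 4096 0.010')
    return lines


if __name__ == "__main__":
    for ip, reasons in sorted(detect(sample_log()).items()):
        print(ip, sorted(reasons))
```

Feed it real log lines by replacing `sample_log()` with a file iterator; the thresholds are the part to tune, since a legitimate API client or a shared NAT address can easily exceed a naive per-IP rate limit.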