Distributed Denial-of-Service (DDoS)

What is Distributed Denial-of-Service (DDoS)?

A DDoS (Distributed Denial-of-Service) attack is a malicious attempt to overwhelm a website, server, or online service with a flood of internet traffic, making it unavailable to legitimate users.

Forms/Types of DDoS

DDoS attacks come in various flavors, each aiming to overwhelm a target system in a different way, including:

Volume-based Attacks

These attacks bombard the target with a massive amount of data, exceeding its capacity to handle legitimate traffic. One example is the UDP flood: attackers send User Datagram Protocol (UDP) packets with random data to the target. Because UDP is connectionless, there is no handshake in which the target confirms the sender, so it wastes resources processing each of these invalid packets. Another is the ICMP flood, which exploits the Internet Control Message Protocol (ICMP) used for network diagnostics: attackers send a barrage of “ping” requests, overwhelming the target’s ability to respond to legitimate pings.

Protocol Attacks

These target vulnerabilities or weaknesses in network protocols to disrupt communication and crash systems, e.g. smurf attacks. Attackers send ping requests carrying the target’s spoofed source IP address to a network broadcast address; every device on that network then replies to the target, overwhelming it.

Application-layer Attacks

These target specific weaknesses in web applications or servers, overloading them with complex requests that take a long time to process. Attackers could, for example, send a massive number of legitimate HTTP requests, such as GET or POST requests, to overwhelm the web server’s ability to process them.

How About a Metaphor for DDoS Attacks?

Imagine a highway being jammed with slow-moving traffic, preventing anyone from reaching their destination. Attackers build a network of compromised computers called a botnet. These bots can be hacked devices like personal computers, internet-connected devices (IoT), or even servers.

The bots are instructed to bombard the target with massive amounts of traffic, overwhelming the target’s capacity to handle legitimate requests. This traffic can take various forms, such as HTTP requests, data packets, or connection attempts.

The sheer volume of traffic from the botnet disrupts the target’s normal operations. Legitimate users trying to access the website or service experience slow loading times, error messages, or complete outages.

Why Should Businesses Care About DDoS?

Nearly half of all global DDoS attacks target the Americas, a 196% increase in 2023 over the year before. Becoming the victim of a DDoS attack can have a significant impact on your bottom line, including:

Financial Loss

A DDoS attack can take down your website or online service, preventing customers from accessing your products or services. This translates to lost sales and revenue during the outage. Recovering from a DDoS attack can also involve costs for security professionals, forensic investigations, and potential mitigation service fees. There is reputational loss to consider too: customers may perceive your business as unreliable or insecure, leading to lost trust and potential customer churn.

Business Disruption

The goal of a DDoS attack is to disrupt your business. This can affect communication, collaboration, and access to critical data and applications. If employees cannot access essential online resources due to a DDoS attack, their productivity can be hampered. Not to mention that customers who are unable to access your website or service during a DDoS attack will likely experience frustration and dissatisfaction.

Increased Security Risks

DDoS attacks can sometimes be used as a smokescreen for other malicious activities, such as data breaches. Attackers might launch a DDoS attack to distract security teams while they attempt to steal sensitive data. Depending on your industry and location, regulations might mandate specific actions in response to security incidents, including DDoS attacks. Failing to comply with these regulations can result in fines or penalties.

DDoS In the Context of Cybersecurity Frameworks

DDoS attacks pose a significant threat, which is why many recent frameworks provide a structured approach to managing and mitigating DDoS attacks.

NIST Cybersecurity Framework (NIST CSF)

The NIST CSF emphasizes the importance of all five functions in the context of DDoS attacks:

  • Identify: Identify potential DDoS threats through threat intelligence and vulnerability assessments.
  • Protect: Implement DDoS mitigation strategies like traffic filtering, rate limiting, and utilizing DDoS mitigation services.
  • Detect: Deploy intrusion detection and security information and event management (SIEM) systems to identify and monitor DDoS attacks in real-time.
  • Respond: Develop and implement a DDoS response plan that outlines actions to contain, mitigate, and recover from an attack. This includes communication protocols and roles and responsibilities for response teams.
  • Recover: Ensure the ability to restore systems and data affected by a DDoS attack efficiently. Regularly test backups and recovery procedures.

MITRE ATT&CK Framework

By mapping identified malicious activity during a DDoS attack to specific MITRE ATT&CK techniques, security teams gain valuable insights into the attacker’s methods. This knowledge helps them tailor specific mitigation strategies and improve threat detection.

Related Systems or Technologies

Tools and systems you may come across in relation to DDoS include:

  • Security Information and Event Management (SIEM): SIEM can identify suspicious activity patterns that might indicate a potential DDoS attack.
  • Intrusion Detection and Prevention Systems (IDS/IPS): IDS/IPS monitor network traffic for malicious activity, including DDoS attack signatures. They can raise alerts or, in the case of an IPS, block suspicious traffic to prevent an attack from gaining momentum.
  • DDoS Mitigation Services: These specialized services offer comprehensive DDoS protection. They can analyze network traffic, filter out malicious traffic, and absorb large volumes of attack traffic before it reaches your infrastructure.
  • Rate Limiting: This technique restricts the number of requests a user or IP address can send within a specific timeframe. This can help prevent attackers from overwhelming your systems with a flood of requests.
  • Web Application Firewalls (WAF): These firewalls specifically focus on protecting web applications from various threats, including DDoS attacks that target vulnerabilities within applications.
  • Blackholing: This technique involves redirecting DDoS traffic to a null route, essentially sending it to a black hole in the internet where it’s absorbed and doesn’t reach your systems.
  • Scrubbing Centers: DDoS mitigation services often leverage scrubbing centers. These are geographically distributed data centers that can filter and clean attack traffic before forwarding legitimate traffic to your network.
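As an added example (not Coro’s code and not part of the original page), the following Python script implements the two items discussed above: a SIEM-style detection rule of the kind the NIST CSF Detect function calls for, which flags a source exceeding a request-rate threshold within a sliding window, and per-source token-bucket rate limiting that drops the excess. The log format, IP addresses and thresholds are constructed assumptions for illustration.

```python
# Added example (not Coro's code): flood detection over constructed access-log lines
# plus per-source token-bucket rate limiting; log format and thresholds are assumed.
from collections import defaultdict, deque
import re

# Constructed sample log ("<epoch_seconds> <src_ip> <method> <path>"):
# 203.0.113.5 fires five requests in 0.5 s; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
1700000000.00 198.51.100.9 GET /login
1700000000.10 203.0.113.5 GET /search?q=x
1700000000.20 203.0.113.5 GET /search?q=x
1700000000.30 203.0.113.5 GET /search?q=x
1700000000.40 203.0.113.5 GET /search?q=x
1700000000.50 203.0.113.5 GET /search?q=x
1700000001.00 198.51.100.9 POST /login
"""
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Return (timestamp, ip, method, path) tuples, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((float(m[1]), m[2], m[3], m[4]))
    return out

def detect_floods(events, window=1.0, threshold=4):
    """Flag sources exceeding `threshold` requests in a `window`-s sliding window -> {ip: peak}."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, _, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # evict timestamps that fell outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def rate_limit(events, rate=2.0, burst=3):
    """Per-source token bucket (`burst` tokens, `rate`/s refill); returns (allowed, dropped)."""
    buckets, allowed, dropped = {}, 0, 0
    for ts, ip, _, _ in events:
        tokens, last = buckets.get(ip, (burst, ts))
        tokens = min(burst, tokens + (ts - last) * rate)   # refill since last seen
        if tokens >= 1.0:
            buckets[ip], allowed = (tokens - 1.0, ts), allowed + 1
        else:
            buckets[ip], dropped = (tokens, ts), dropped + 1
    return allowed, dropped
```

On the sample log the detector flags only 203.0.113.5 (peak of five requests inside one second), and the limiter drops its fourth and fifth requests while every request from the normal user is allowed.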

Related Regulations or Compliance Goals

The prevalence of DDoS attacks has prompted the development of regulations and compliance goals across various industries. These regulations emphasize the importance of organizations having a plan to mitigate and respond to DDoS incidents:

  1. PCI DSS (Payment Card Industry Data Security Standard)

A DDoS attack can disrupt access to payment processing systems, impacting online transactions and potentially delaying revenue collection. PCI DSS mandates specific security controls that indirectly relate to DDoS mitigation, such as Requirement 6 (Implement a process for identifying and responding to security incidents, which could include DDoS attacks) and Requirement 11 (Regularly test security systems and procedures, including DDoS mitigation strategies).

  2. GDPR (General Data Protection Regulation)

A DDoS attack could potentially mask a data breach attempt, allowing attackers to steal personal data while systems are overwhelmed. GDPR emphasizes data security measures, and while it doesn’t explicitly mention DDoS, Article 32 requires companies to implement appropriate technical and organizational measures to safeguard personal data, which could include DDoS mitigation strategies. A DDoS attack, if exploited for a data breach, might trigger reporting requirements.

  3. HIPAA (Health Insurance Portability and Accountability Act)

A DDoS attack on a healthcare provider’s network could disrupt access to patient records or online appointment scheduling systems. HIPAA requires implementing appropriate safeguards to ensure the confidentiality, integrity, and security of PHI, including having a process for detecting, investigating, and correcting security incidents (Security Rule). This could encompass DDoS mitigation strategies.
