What is a DDoS attack?

Definition and Operation

DDoS (Distributed Denial of Service) attacks aim to make a service or network unavailable by overwhelming it with massive internet traffic. These attacks often leverage a network of compromised devices, called botnets, to send a huge volume of requests to the target, thereby saturating its processing capabilities. A botnet is made up of thousands, or even millions, of machines infected with malware, controlled remotely by cyberattackers. Owners of compromised devices are generally unaware that their machines are being used in a DDoS attack.

Objectives of DDoS Attacks

The motivations behind DDoS attacks can vary:
* Financial: Extortion of funds through ransoms or disruption of competition.
* Political: Denouncing a government policy or decision.
* Personal: Personal revenge or demonstration of technical power.
* Hacktivism: Promotion of an ideological or political cause.

Types of DDoS Attacks

Volumetric Attacks

These attacks aim to saturate the bandwidth of a site or network by flooding the target with massive traffic of unnecessary data. The goal is to exhaust network bandwidth capacity, preventing legitimate users from accessing services. Volumetric attacks can include:
* UDP Floods: Flooding of User Datagram Protocol (UDP) packets to saturate the network.
* ICMP Floods: Use of Internet Control Message Protocol (ICMP) packets, often pings, to overload the target’s processing capacity.

Resource Exhaustion Attacks

These attacks target system resources, such as the target’s memory, processor, or network connections. By saturating these resources, computer systems become incapable of processing legitimate requests. Examples:
* SYN Floods: Mass sending of SYN (synchronization) requests within the TCP protocol to exhaust the target’s connection tables.
* HTTP Floods: Sending complex HTTP requests to overload the web server and exhaust its processing resources.

Application Attacks

These attacks target specific aspects of web applications, exploiting vulnerabilities in the application to generate excessive load on the server. They are often harder to detect because they mimic normal user behavior. Examples:
* Slowloris: Sending partial HTTP requests to keep connections open and exhaust server resources.
* RUDY (R U Dead Yet?): Sending POST requests with very long bodies to consume the target’s resources.

Advanced Techniques Used in DDoS Attacks

Amplification and Reflection

Some DDoS attacks use amplification and reflection techniques to increase the impact of the attack. For example, a DNS Amplification attack exploits misconfigured DNS servers to send a small query and generate a much larger response directed at the target.

IoT botnets

With the proliferation of devices connected to the Internet (Internet of Things, IoT), attackers are increasingly using these devices to form botnets. IoT devices, often poorly secured, can be easily compromised and used to launch large-scale DDoS attacks.

Prevention and Mitigation

DDoS attacks are constantly evolving, so prevention and mitigation are ongoing challenges. Solutions include:
* Infrastructure Scalability: Use of cloud infrastructure to absorb traffic peaks.
* Filtering Technologies: Deployment of firewalls, intrusion detection and prevention systems (IDS/IPS), and specialized DDoS mitigation services.
* Continuous Monitoring: Proactive monitoring of network traffic to quickly detect and respond to anomalies.

By understanding the various types of DDoS attacks and their mechanisms, financial institutions can better prepare and strengthen their defenses against this persistent threat.
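As an added example (not code from the original article), the following Python script applies the continuous-monitoring idea to two of the attack types described above: it parses a constructed packet log and flags a SYN flood (many SYNs to a host with few completed handshakes, i.e. half-open connections) and DNS reflection (responses arriving at a host that never sent the matching query). The log format, the addresses and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed packet log (assumption for this example, not real traffic). One packet
# per line: time src sport dst dport proto flag bytes. tcp flag S=SYN, A=ACK;
# udp flag Q=DNS query, R=DNS response. 203.0.113.10 is the monitored host.
SAMPLE_LOG = """\
0.00 198.51.100.7 40001 203.0.113.10 443 tcp S 60
0.01 198.51.100.7 40001 203.0.113.10 443 tcp A 52
0.02 192.0.2.50 1025 203.0.113.10 443 tcp S 60
0.02 192.0.2.51 1025 203.0.113.10 443 tcp S 60
0.03 192.0.2.52 1025 203.0.113.10 443 tcp S 60
0.03 192.0.2.53 1025 203.0.113.10 443 tcp S 60
0.04 192.0.2.54 1025 203.0.113.10 443 tcp S 60
0.10 203.0.113.10 53000 198.51.100.53 53 udp Q 64
0.11 198.51.100.53 53 203.0.113.10 53000 udp R 300
0.12 198.51.100.53 53 203.0.113.10 7777 udp R 3000
0.12 198.51.100.54 53 203.0.113.10 7778 udp R 3000
"""

def parse(log):
    """Turn the text log into dicts; times and sizes become numbers."""
    keys = ("t", "src", "sport", "dst", "dport", "proto", "flag", "size")
    recs = [dict(zip(keys, line.split())) for line in log.splitlines() if line.strip()]
    for r in recs:
        r["t"], r["size"] = float(r["t"]), int(r["size"])
    return recs

def syn_flood_targets(recs, min_syns=5, max_ack_ratio=0.5):
    """SYN flood indicator: many SYNs to a host but few completed handshakes (ACKs),
    i.e. connections left half-open in the target's connection table."""
    syn, ack = defaultdict(int), defaultdict(int)
    for r in recs:
        if r["proto"] == "tcp":
            (syn if r["flag"] == "S" else ack)[r["dst"]] += 1
    return {d for d, n in syn.items()
            if n >= min_syns and ack[d] / n <= max_ack_ratio}

def dns_reflection_victims(recs, min_bytes=1024):
    """Reflection indicator: DNS responses delivered to a host that never sent the
    matching query, summed in bytes per victim (unsolicited, amplified traffic)."""
    asked = {(r["src"], r["sport"], r["dst"]) for r in recs
             if r["proto"] == "udp" and r["flag"] == "Q"}
    unsolicited = defaultdict(int)
    for r in recs:
        if r["proto"] == "udp" and r["flag"] == "R":
            if (r["dst"], r["dport"], r["src"]) not in asked:
                unsolicited[r["dst"]] += r["size"]
    return {v: b for v, b in unsolicited.items() if b >= min_bytes}
```

On the sample log, the monitored host is flagged for both indicators; the thresholds would be tuned to a real network's baseline before alerting on them.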