DataDome

How to Stop a DDoS Attack: The Ultimate Guide

DDoS attacks are becoming increasingly commonplace and more threatening than ever. The number of massive DDoS attacks with over 100GB/s in volume increased by a whopping 776% in Q1 2020 alone.

The global COVID-19 pandemic has forced more people to work remotely over the internet, which, among other factors, has effectively increased the potential attack surface for DDoS attacks. The bottom line is that we can no longer underestimate DDoS attacks: they are no longer an issue exclusive to bigger enterprises and large websites.

What Is a DDoS Attack?

A DoS, or Denial of Service, attack is a type of cyber attack that attempts to disrupt the traffic of a targeted service/application, server, or network. A DoS attack is typically carried out by flooding the target or its surrounding infrastructure with a massive volume of requests and traffic, overwhelming the target as a result.

A Distributed Denial of Service (DDoS) attack is an amplification of the standard DoS attack in which the attack is performed by more than one device/computer.

Typically a DDoS attack is executed with the help of a botnet: a group of devices/computer systems that have been infected by malware and are now under the control of the cybercriminals performing the DDoS attack. The compromised devices inside a botnet can be traditional computers and smartphones, but nowadays wearables and IoT devices can also be used to launch DDoS attacks.

A DDoS attack can affect different aspects of a network or system, and each may produce a different impact, as we will discuss below.

Potential DDoS Attack Impacts By OSI Layers

OSI Model: An Overview

The Open Systems Interconnection (OSI) model is a standardized protocol model developed by the ISO (International Standards Organization). It is a conceptual model that standardizes the communication functions of a computing/network system, and it consists of 7 different “layers” with distinct functions:

  • Layer 1: Physical Layer

The hardware aspect, responsible for the transmission and reception of raw data between physical hardware and a physical transmission medium. In short, this layer is responsible for controlling the physical connection between devices.

  • Layer 2: Data-link Layer

This layer is responsible for controlling the node-to-node delivery of data, making sure data transfer is error-free over the physical layer.

  • Layer 3: Network Layer

Responsible for controlling the transmission of data between two hosts located in different networks. This layer handles routing (determining the best route from source to destination) and logical addressing (defining an addressing scheme that accurately identifies every device across different networks).

  • Layer 4: Transport Layer

Literally connects (transports data) between layer 3 and layer 5. Data in the transport layer is referred to as segments because it is segmented before being reassembled to ensure end-to-end delivery. The transport layer also verifies whether data transmission was successful and re-transmits the data if an error is found.

  • Layer 5: Session Layer

The main function of this layer is to maintain sessions and reliable connections. It is also responsible for synchronization and authentication to ensure security.

  • Layer 6: Presentation Layer

Also referred to as the translation layer, the main function of this layer is to translate or convert data (e.g. from EBCDIC to ASCII) and also to perform encryption/decryption and compression to ensure the reliable presentation of complete data.

  • Layer 7: Application Layer

At the very top of the OSI model, this layer facilitates interface interactions between end-users and the application using network functionalities. This layer is also responsible for managing how the application works while using the network’s resources, and providing error messages to the end-users when required.

We can illustrate the OSI layers with the act of sending a letter inside a closed envelope as follows:

  • The content of the letter is the raw data (layers 5, 6, and 7).
  • This letter is put inside a standardized envelope according to the transmission standard (layer 4).
  • To make sure this letter is sent properly, we have to define the address of the recipient and the recipient’s identity (layer 3).
  • We send this letter to a postman (layer 2), and this postman will deliver this letter to a physical recipient (layer 1).

Different Types of DDoS Attacks for Different OSI Layers

Cybercriminals can launch different types of DDoS attacks (more on this later) to target different OSI layers, which in turn will affect these different layers in different ways.

Below we will discuss the examples of DDoS techniques at each layer, their potential impacts, and available mitigation options:

  • Layer 1: Physical

Layer 1 is not a target for DDoS attacks but can be a target of physical manipulation, obstruction, or even destruction. This will cause failure on physical assets, which may, in turn, produce an effect similar to DDoS attacks: preventing the application from servicing the users.

Mitigation: audit, track, and protect physical assets.

  • Layer 2: Data-link

MAC flooding is a type of DDoS attack designed to overwhelm a network switch with data packets. This type of DDoS attack disrupts the layer’s usual sender-to-recipient data flow: once the switch’s address table is exhausted, it blasts traffic across all ports, confusing the whole network.

Mitigation: use advanced network switches that can be configured to limit the number of MAC addresses that can be learned on each network port. Another option is to authenticate discovered MAC addresses against an AAA (Authentication, Authorization, and Accounting) server to filter out possible MAC flooding attempts.

  • Layer 3: Network

A very common type of DDoS attack targeting the OSI layer 3 is ICMP flooding.

This type of attack uses the Internet Control Message Protocol (ICMP) to overload the network’s bandwidth. The attack may also place extra load on the firewall, leaving the network open to other types of attacks (including non-DDoS attacks).

Mitigation: rate-limiting ICMP traffic is the most common and effective mitigation method.

  • Layer 4: Transport

There are two popular DDoS attacks targeting the transport layer: The Smurf attack and the SYN flood.

The Smurf attack uses the DDoS.Smurf malware and is quite similar to the ICMP flooding attack, but much more amplified. A SYN flood (or TCP SYN flood) attack, on the other hand, sends a rapid stream of connection requests to a server without ever completing the handshake, leaving the server holding half-open connections that exhaust its resources.

Mitigation: to counter layer 4 attacks, ISPs might perform blackholing, which means dropping all incoming traffic to the website affected by the layer 4 attack. This is done to protect the ISP’s other customers from being affected by the attack.

  • Layer 5: Session

Attackers may launch tailored DDoS attacks targeting software running on the network switch. This may prevent system administrators from performing switch management functions, and render the whole software unavailable.

Mitigation: will vary depending on the network switch and the software solution controlling the switch. Make sure the software and firmware of the switch are up-to-date with the latest security patch at all times.

  • Layer 6: Presentation

Attackers can use malformed SSL requests to attack OSI layer 6. Inspecting individual SSL-encrypted packets is resource-intensive, and attackers exploit this by using SSL attacks to tunnel HTTP attacks to the target server. Malformed SSL requests can cause the affected system to stop accepting SSL connections or to crash/restart automatically.

Mitigation: a viable option is to offload the SSL traffic and then inspect it for signs of attacks at an ADP (Application Delivery Platform). The ADP should also ensure that your traffic is re-encrypted and forwarded back to the source. This way, unencrypted data is only ever available in protected memory and on secure hosts.

  • Layer 7: Application

On the top layer of the OSI model, attackers can use layer-7 DDoS attacks such as abusing PDF GET requests, HTTP GET floods, and HTTP POST floods to overwhelm the application so that it runs out of resources and, at the same time, can no longer provide services to its end-users.

Mitigation: Advanced bot management and Layer 7 DDoS protection software is necessary to protect the system against layer-7 attacks by monitoring software applications to detect attack attempts as soon as possible. Once detected, these attempts can be stopped and traced back to a specific source. While detection of layer-7 DDoS attacks is challenging, once detected it’s easier to trace the traffic back to a specific source compared to other types of DDoS attacks.

While there are seven different OSI layers, DDoS attacks are more commonly targeted to layer 3, layer 4, and layer 7 due to the relative ease of implementation and yet potentially massive impacts:

Layer 3 and Layer 4 DDoS Attacks

Also called volumetric DDoS attacks, attacks on layer 3 and layer 4 typically rely on extremely high volumes of requests (also called floods). These attacks typically involve SYN, ICMP, and UDP floods.

The basic idea is that by overwhelming the network layer and transport layer, the attack will slow down the server’s performance, consume bandwidth, and ultimately prevent legitimate users from accessing the website or application.

Layer 7 DDoS Attacks

Layer 7 attacks are designed to attack specific elements of an application infrastructure.

Layer 7 attacks resemble legitimate user traffic, so they are very difficult to detect and mitigate. Advanced attackers can also use sophisticated bots that can randomize or repeatedly change their signatures, making it even more difficult to detect these layer-7 attack attempts.

As discussed, advanced monitoring and detection solutions are required to monitor the application for potential layer-7 attacks.

Common DDoS Traffic Types

Many types of DDoS attacks utilize HTTP headers to launch the attacks.

“Headers” in HTTP are fields that describe which resources are requested by the client: website URL, JPEG image, forms, and so on. HTTP headers also provide information about what kind of web browser and operating system (OS) the client is using (via the User-Agent header).

Besides USER AGENT, other common HTTP headers are GET, POST, LANGUAGE, and ACCEPT. In DDoS attacks, the attacker can use these headers to overwhelm the web server, and they can be modified to mask the identity of the attacker. Attackers can also modify the HTTP headers so that they can trick a caching proxy not to cache the information, so it’s harder to trace the attacker.

Below we’ll discuss some common DDoS traffic types based on HTTP headers:

  • HTTP POST Request: this header submits data to be processed by the server, confusing and overwhelming it. For example, a POST request may take the data from a form, encode it, and post the content to the server, which must then process it.
  • HTTP POST Flood: the attackers send a high volume of POST requests so that the server cannot respond to all of them. An HTTP POST flood overwhelms the server, which in turn causes high usage of system resources that may slow down or even crash the server.
  • HTTPS POST Request: similar to the above, this is the encrypted version of an HTTP POST request. The data transferred back and forth with this type of traffic is encrypted, so inspection and detection are also more difficult.
  • HTTPS POST Flood: another version of the HTTP POST flood, sent over SSL (HTTPS) encryption. Because SSL is used, the request has to be decrypted before it can be inspected, so inspection is more resource-heavy.
  • HTTP GET Request: a header that requests information from the server. With a GET request, a client asks the server for resources such as an image that will be rendered by your browser.
  • HTTP GET Flood: a type of layer-7 (Application layer) DDoS attack technique that sends a massive volume of GET requests to the server, overwhelming it so that it cannot respond to legitimate user requests.
  • HTTPS GET Request: technically an HTTP GET request that is sent over an SSL session. The traffic must be decrypted before it can be inspected.
  • HTTPS GET Flood: an HTTP GET flood sent over SSL encryption. As with other HTTPS-based attacks, the request has to be decrypted before the attack can be mitigated.
  • ICMP Flood: ICMP stands for Internet Control Message Protocol, a protocol used mainly for error messages and rarely to exchange data between systems. In an ICMP flood, the attacker targets OSI layer 3 by sending a massive number of ICMP messages to exhaust the server’s bandwidth, denying service to legitimate users.
  • UDP Flood: a common technique used to attack servers with larger bandwidth. No connection needs to be established, and UDP (IP protocol 17) messages are fairly easy to generate in many different programming languages, so launching a UDP flood is fairly easy and affordable.
  • MAC Flood: a relatively rare type of layer-2 DDoS attack in which the attacker sends many fake Ethernet frames with different source MAC addresses. Network switches are designed to track each MAC address separately, so they reserve some resources for each one. In a MAC flood, all the memory in the network switch is used up, overwhelming it and causing it to become unresponsive. In certain cases, a MAC flood attack may completely disable the routers, disrupting the whole network behind the router.

How To Identify a DDoS Attack

As we can see, there are various different types of DDoS attacks with various symptoms and impacts. So, identifying and stopping these different types of DDoS attacks may vary depending on the technique itself and other factors.

The most obvious symptom of a DDoS attack is when a website or application (or other internet service) suddenly slows down or crashes entirely. However, these issues can also have causes other than DDoS attacks, such as a legitimate spike in traffic, problems in the hardware infrastructure, and others.

So, it’s best to use a traffic analytics tool (e.g. Google Analytics bot filtering) to check for the following signs:

  • A sudden spike in traffic from clients who share common signatures, such as similar web browser versions, country of origin (geolocation), device type, and behavioral profile.
  • A sudden, unprecedented, and unexplained spike in requests to one endpoint (e.g. a single page on the website).
  • A massive amount of traffic from a single IP address (or IP range).
  • Peculiar patterns in traffic, for example regular spikes every 10 minutes, spikes only at specific hours of the day, and so on.
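To make the signs above concrete (and the HTTP POST flood from the traffic-types list), here is an added example that is not part of the original article: it scans constructed access-log lines for a burst from one IP or one /24, a burst to a single endpoint, and a dominant shared User-Agent. The log format, the sample addresses and the thresholds are assumptions to be tuned to your own site.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (IP, timestamp, request line, status, User-Agent):
# two ordinary visitors, then 60 requests inside one minute from 20 hosts in
# 10.0.0.0/24, all POSTing to /login with one identical User-Agent (a shared signature).
SAMPLE_LOG = [
    '203.0.113.5 [10/Oct/2020:13:55:00 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11)"',
    '198.51.100.7 [10/Oct/2020:13:55:02 +0000] "GET /about HTTP/1.1" 200 "Mozilla/5.0 (Mac)"',
] + [
    f'10.0.0.{i % 20} [10/Oct/2020:13:55:{i % 60:02d} +0000] '
    f'"POST /login HTTP/1.1" 200 "curl/7.64.1"'
    for i in range(60)
]

def parse(line):
    """Split one log line into (ip, timestamp, path, user_agent)."""
    ip, rest = line.split(" ", 1)
    stamp = rest[rest.index("[") + 1:rest.index("]")]
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    path = rest.split('"')[1].split()[1]   # request line is "METHOD PATH VERSION"
    agent = rest.rsplit('"', 2)[1]         # User-Agent is the last quoted field
    return ip, ts, path, agent

def find_indicators(lines, window_s=60, per_ip=20, per_range=40,
                    per_path=50, shared_ua=0.8):
    """Bucket requests into window_s-second windows, inspect the busiest one,
    and return the indicators that exceed the (assumed, site-specific)
    thresholds: one IP, one /24, one endpoint, or one dominant User-Agent."""
    buckets = defaultdict(list)
    for line in lines:
        ip, ts, path, agent = parse(line)
        buckets[int(ts.timestamp()) // window_s].append((ip, path, agent))
    if not buckets:
        return {}
    bucket = max(buckets.values(), key=len)
    ips = Counter(ip for ip, _, _ in bucket)
    ranges = Counter(ip.rsplit(".", 1)[0] + ".0/24" for ip, _, _ in bucket)
    paths = Counter(path for _, path, _ in bucket)
    agents = Counter(agent for _, _, agent in bucket)
    flags = {}
    if ips.most_common(1)[0][1] > per_ip:
        flags["single_ip"] = ips.most_common(1)[0]
    if ranges.most_common(1)[0][1] > per_range:
        flags["ip_range"] = ranges.most_common(1)[0]
    if paths.most_common(1)[0][1] > per_path:
        flags["single_endpoint"] = paths.most_common(1)[0]
    agent, count = agents.most_common(1)[0]
    if count / len(bucket) > shared_ua:
        flags["shared_signature"] = (agent, round(count / len(bucket), 2))
    return flags

if __name__ == "__main__":
    for name, detail in find_indicators(SAMPLE_LOG).items():
        print(f"{name}: {detail}")
```

Note that no single IP trips the per-IP threshold in the sample: the burst is spread over 20 hosts, which is exactly why the /24 and shared-signature checks matter for distributed attacks.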

It’s crucial to understand that by the time a DDoS attack is identifiable, some damage is already done and we can only minimize it. It is still important, though, to identify and stop a DDoS attack as early as possible to keep that damage small.

This is why it’s crucial to prevent the DDoS attack instead of stopping it after it’s identified, as we’ll discuss in the next section.

How To Prevent and Stop a DDoS Attack

Partner With The Right ISP or Hosting Provider

Assuming you don’t host your own web service or application, it’s very important to choose the right ISP or hosting provider, one with adequate security best practices and a response plan for stopping DDoS attacks.

In fact, having your website or application hosted in a secure hosting center has its benefits compared to hosting it yourself. Hosting centers (data centers) will likely have far higher bandwidth and larger capacity in their hardware infrastructure than your company currently has (unless you are a giant enterprise).

Also, a good ISP should have staff who are more experienced in stopping DDoS attacks. So, in the event that you’ve identified symptoms of a DDoS attack, you can simply call your ISP or hosting provider and ask for their help. Depending on the strength of the DDoS attack, they might have detected and stopped it before you did.

Protect Your Network Perimeter

On your own, you can establish a few technical measures to at least partially mitigate the effect of any DDoS attack, especially if it is detected early. Implementing dedicated DDoS protection solutions can significantly reduce your vulnerability by filtering malicious traffic and absorbing attack volumes before they reach your servers.

You can:

  • More aggressively time out half-open connections whenever possible
  • Drop malformed and spoofed packets as early as possible
  • Rate limit your router to prevent volumetric DDoS attacks
  • Set lower thresholds for SYN, ICMP, and UDP floods
  • Establish a botnet detection system to detect any botnet attack as early as possible

Increase your bandwidth

One of the key aspects of protecting your web services from DDoS attacks, and of stopping attacks in progress, is having more bandwidth.

By having more bandwidth than you are likely to need, you can accommodate unexpected spikes due to DDoS attempts and buy more time while you take the necessary mitigation steps.

Develop a DDoS Response Plan

As discussed, when you’ve identified the DDoS attack, most likely it’s already too late.

This is why the best way to stop a DDoS attack is to create a detailed response plan that comprehensively lists the required, pre-planned response steps when an attack is detected.

This plan should include:

  • Who to call (ISP, DDoS mitigation service, etc.)
  • What steps should be taken by each member of the IT and security teams
  • Whether you need to communicate the attack to your customers, vendors, and third-party stakeholders, and the exact steps for doing so

DDoS attacks can last a long time, so the response plan for stopping a DDoS attack should especially detail how to manage communications internally and externally during this time.

Conclusion

DDoS attacks can be very difficult to detect and stop, and yet the potential damage can be devastating.

It’s crucial for any business with an online presence to understand the different types of DDoS attacks, their potential impacts, and especially how to stop these attacks.

Developing a DDoS response plan is crucial, as is investing in the necessary security infrastructure, such as bot mitigation software, ISPs with large enough bandwidth, and others.
