A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a server or network by overwhelming the target, or the infrastructure around it, with a massive flow of traffic. A DDoS attack can be compared to an unexpected traffic jam that blocks a highway and disrupts the normal flow of traffic, preventing vehicles from reaching their destination.
DDoS attacks use many compromised computer systems as the sources of their traffic, and it is this distribution across many sources that makes them effective. The sources may include other network resources such as exploited servers, personal computers and IoT devices.
DDoS attacks are carried out by networks of machines connected to the internet.
These networks consist of computers and other devices that have been infected with malware, allowing an attacker to control them. These devices are called bots (or zombies), and a group of bots is called a botnet.
Once the bots have been assembled into a botnet, the attacker sends instructions to each bot remotely and directs the attack (just like moving pawns). When a botnet targets a victim's server or network, each bot sends countless meaningless requests to the target's IP address, potentially overloading the server or network and denying service to normal traffic. Moreover, since each bot is a legitimate internet device, it can be difficult to distinguish attack traffic from regular traffic.
The vast majority of DDoS attacks occur at Layer 7, the application layer. At this layer, web pages are generated on the server and returned in response to HTTP requests. The purpose of a Layer 7 DDoS attack is to exhaust the target's resources and so create a denial of service. Layer 7 attacks are hard to defend against precisely because malicious and legitimate requests look much the same at this layer.
One of the most popular Layer 7 DDoS attacks is HTTP flooding. Its effect on a web page is similar to pressing F5 (refresh) constantly on many different computers at the same time: the server is flooded with HTTP requests until it can no longer serve them.
These attacks range from simple to complex. Simpler attacks may target a single URL from IP addresses and user agents in the same range. More complex versions target many different URLs from multiple IP addresses, with random referrers and random user agents.
The most obvious indicator of a DDoS attack is that the site or service suddenly slows down or becomes unavailable. Since a slowdown or outage can also be caused by other, harmless conditions, further investigation is required. Traffic analysis tools such as WAFs help to confirm and understand a DDoS attack in this situation.
A WAF acts as a reverse proxy in front of the application. It notifies, alerts, and protects your apps against suspicious amounts of traffic from a single IP address or IP range, floods of traffic from a single user profile, and strange traffic patterns.
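The indicators described above (request rate from a single IP, and whether a flooded URL is hit from one source range with one user agent or from many sources with varied agents) can be checked directly in access logs. The following is an added example, not code from the original article or from any WAF product; it assumes combined-log-format lines and uses constructed sample traffic with documentation-range IP addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx style); assumption: one request per line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def peak_rate_per_ip(records, window=timedelta(seconds=10)):
    """Highest number of requests any single IP made inside a sliding time window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop requests that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flood_report(lines, window=timedelta(seconds=10), threshold=8):
    """Return (IPs exceeding the per-window threshold, per-URL source/agent summary)."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = {ip: n for ip, n in peak_rate_per_ip(records, window).items() if n >= threshold}
    per_path = defaultdict(lambda: {"requests": 0, "ips": set(), "agents": set()})
    for r in records:  # one IP with one agent hammering one URL = the "simple" flood pattern
        p = per_path[r["path"]]
        p["requests"] += 1
        p["ips"].add(r["ip"])
        p["agents"].add(r["agent"])
    return flagged, per_path

def make_line(ip, second, path, agent):  # builds constructed sample traffic, not real logs
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{agent}"'

SAMPLE = ([make_line("203.0.113.7", s, "/login", "curl/8.0") for s in range(30)]          # 1 req/s for 30 s
          + [make_line(f"198.51.100.{i}", i * 5, "/", "Mozilla/5.0") for i in range(1, 6)])  # ordinary visitors
```

Calling `flood_report(SAMPLE)` flags 203.0.113.7 (10 requests in a 10-second window) and shows /login served entirely to one IP with one agent, while / is spread over five IPs; the threshold and window are starting points to tune against a site's real baseline.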