Have you ever been browsing your favorite website or watching your favorite online video stream only to have your access suddenly slowed to a crawl or cut off? We're not talking about a frustrated parent, spouse, child or pet yanking the cord. Then you realize that every other site is working fine. Well, your initial response might be: "Those guys need to upgrade their network connection and servers," which may actually be the case.
However, another likely scenario is that the site is undergoing a Distributed Denial of Service, or DDoS attack. These nuisances come in many forms: amplification attacks, nukes, teardrops, smurfs, etc., but most operate in pretty much the same manner. By utilizing a large network of remote PCs called a botnet, the attackers overwhelm another system's connection or processing capacity, thus causing it to deny service to the legitimate traffic it's receiving.
The computer security community is more accustomed to DDoS attacks against big businesses rather than startups. There have been incidents where the entire infrastructures of multinational corporations went down because of targeted, well-orchestrated server bombarding with automatically generated requests. And yet, the trend of black hat cyber actors hitting ambitious players on the startup arena is on the rise.
The offenders' motivation is twofold. In most cases, it's all about unhealthy competition in a particular niche. Some ill-disposed individuals may hire an army of zombie machines on the black market in order to flood their rivals with the amount of traffic that their servers can't handle. When pulling off these attacks, the adversary obviously wants to call forth customer churn due to reputational issues and the competitors' inability to operate properly.
There is also an extortion facet of the matter. Scammers and ransomware authors may DDoS the web services of startups in a bid to make them pay for the cessation of the onslaught. In other words, the affected parties have to submit a certain amount of money to get their business up and running again.
The first type of attack could be considered the standard Blitzkrieg type because it attempts to directly overwhelm a system, often by plugging all of its ports with garbage streams like incessant pings, or endlessly fragmented packets without rebuilding instructions. It's pretty much the equivalent of a kid in the backseat asking, "Are we there yet? Are we there yet? Are we there yet?" - leaving absolutely no dead air to actually respond and say, "For the last time no, we're not there yet."
Next up are attacks that cause further bandwidth and processing congestion by forcing the server to actually respond to their nonsense. Cybercrooks can do it in a number of ways: by forcing a website to handshake endlessly with new systems or attempt to validate spam port connection requests before eventually giving out an ICMP destination error. Another instance is GET request attacks triggering this sort of large-scale file transfers that only happen naturally when Taylor Swift releases a new single on iTunes.
The third type of attack, the most deadly move in the DDoS arsenal, is the DNS server amplification attack. This technique uses an individual PC's ability to act as its own domain name server to request the same sort of junk from the other DNS servers, then forward it to a target, amplifying the severity of the attack as much as seventy fold. This technique has apparently allowed ne'er-do-wells to attack on the scale of four hundred gigabits per second recently. That's fifty times more than in the largest previously recorded attack ten years ago at eight gigabits per second.
But why would anyone set their mind on doing this? Good question. And there's a wide range of motivations, from hacktivist groups trying to block access to terrorist recruitment websites, to gamers targeting opponents to increase their ping times for a competitive edge, to folks who apparently just want to watch the world burn. That's beside the aforementioned mercantile motivations of cyber-extortionists and unethical competitors.
But the good news is protection against these sorts of attacks is getting easier and more affordable than ever with techniques like running data through a high-capacity server or using scrubbing filters that prevent huge amounts of fake traffic from causing more than just a momentary slowdown.
Another applicable countermeasure is what's called the out-of-band connection. Essentially, this is a backup connection that you can use in case the main network goes down. Just request one from your hosting provider and rest assured that your service remains accessible even in the worst-case scenario. An early warning system is a complementary component that notifies the administrator if an unnatural spike of incoming traffic is encountered. It's also a good idea to use a content delivery network (CDN) for the most frequently visited pages. This will decrease the page load time and reduce the adverse effect of a possible DDoS attack.