DDoS Attack: Definition
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, network or service by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve their effect by using many compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
Types of DDoS attacks
DDoS attacks are classified based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target. Let’s take a look at some of the common varieties of DDoS attacks:
- DNS Flood
In these attacks, DNS is used as a variant of a UDP flood. Attackers send valid but spoofed DNS request packets at an extremely high packet rate and from a huge group of source IP addresses. Since these look like valid requests, the victim's DNS servers go ahead and respond to all of them, and the increased number of requests can overwhelm the DNS server. This DNS attack consumes huge amounts of network resources and can exhaust the DNS infrastructure until it goes offline, taking the victim's Internet access down with it.
- HTTP Fragmentation
In this attack, a non-spoofed attacker opens a valid HTTP connection with a web server. The attacker then fragments genuine HTTP packets into the smallest fragments possible and sends each fragment as slowly as the server time-out will permit, which holds the HTTP connection open for a prolonged span of time without raising any alarms. By opening several such extended sessions per attacking machine, the attacker is able to silently force a web application offline with just a handful of machines.
- Excessive Verb (HTTP GET Flood)
Attackers send huge volumes of valid HTTP requests to a victim's web server. The HTTP request is usually a GET request and is directed at the most CPU-intensive process on the victim’s web server. Each attacking machine can generate large numbers of valid GET requests, which allows the attacker to take a system offline with a comparatively small number of machines. HTTP GET floods are non-spoofed: the source IP address is the genuine public IP of the attacking machine (or its NAT firewall). The most popular variant of this attack uses GET requests, but an attacker can also use POST, PUT, OPTIONS, HEAD, or any other HTTP method to cause an outage. This attack is viewed as a low-and-slow application-layer attack; it usually takes up little bandwidth but ultimately renders the victim's servers unresponsive.
- Fake Session Attack
In this DDoS attack, an attacker sends forged SYN packets, multiple ACK packets and then one or more FIN/RST packets. When all these packets appear together, they look like a valid TCP session seen from just one direction. The attack is harder to detect because many modern networks use asymmetric routing, in which outgoing packets and incoming packets traverse different Internet links to improve performance and cost. The attack fakes a complete TCP conversation and is designed to confuse newer attack-defense tools that monitor only incoming traffic to the network rather than monitoring server responses bidirectionally. One variant sends several SYNs, then multiple ACKs, followed by one or more FIN/RST packets. A second variant skips the initial SYN and begins by sending multiple ACKs, followed by one or more FIN/RST packets. Because of the slow TCP SYN rate, the attack is harder to detect than a typical SYN flood.
- NTP Flood
In NTP flood attacks, NTP is used as a variant of a UDP flood. Valid but spoofed NTP request packets are sent by the attacker at a very high packet rate and from a very large group of source IP addresses. Since these appear to be valid requests, the victim's NTP servers proceed to respond to all of them, and the huge number of requests can overwhelm the NTP server. This attack takes up huge amounts of network resources and exhausts the NTP infrastructure until it goes offline.
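As an added example (not code from this page or from Comodo), a Python sketch of the bidirectional check the fake-session description calls for: it tracks TCP handshake state across both directions over a constructed packet list and flags flows that send ACKs and FIN/RST without the server ever answering SYN-ACK. The addresses and flag strings are constructed, and the see_replies switch is an assumption added to show why a sensor that sees only inbound traffic cannot tell a fake session from a genuine one.

```python
from collections import defaultdict

# Constructed packet summaries, not real captures: (direction, src_ip, dst_ip, tcp_flags).
# direction "in" = toward the protected server 203.0.113.10, "out" = the server's reply.
PACKETS = [
    # A genuine client: SYN, server SYN-ACK, ACK, then FIN.
    ("in",  "198.51.100.7", "203.0.113.10", "SYN"),
    ("out", "203.0.113.10", "198.51.100.7", "SYN,ACK"),
    ("in",  "198.51.100.7", "203.0.113.10", "ACK"),
    ("in",  "198.51.100.7", "203.0.113.10", "FIN,ACK"),
    # Fake session, variant 1: SYN, several ACKs, then RST; the server never replied.
    ("in",  "192.0.2.44", "203.0.113.10", "SYN"),
    ("in",  "192.0.2.44", "203.0.113.10", "ACK"),
    ("in",  "192.0.2.44", "203.0.113.10", "ACK"),
    ("in",  "192.0.2.44", "203.0.113.10", "RST"),
    # Fake session, variant 2: no SYN at all, straight to ACKs and a FIN.
    ("in",  "192.0.2.45", "203.0.113.10", "ACK"),
    ("in",  "192.0.2.45", "203.0.113.10", "ACK"),
    ("in",  "192.0.2.45", "203.0.113.10", "FIN,ACK"),
]


def find_fake_sessions(packets, see_replies=True):
    """Return (client, server) flows that sent ACK and FIN/RST without the server ever
    completing the handshake. With see_replies=False the monitor ignores the "out"
    direction, as a one-way sensor on an asymmetrically routed link would."""
    handshake_ok = set()  # flows where we saw the server's SYN-ACK
    flows = defaultdict(lambda: {"syn": 0, "ack": 0, "fin_rst": 0})
    for direction, src, dst, flags in packets:
        fl = set(flags.split(","))
        if direction == "out":
            if see_replies and {"SYN", "ACK"} <= fl:
                handshake_ok.add((dst, src))  # dst of the reply is the client
            continue
        counters = flows[(src, dst)]
        if "SYN" in fl:
            counters["syn"] += 1
        elif fl & {"FIN", "RST"}:
            counters["fin_rst"] += 1
        elif "ACK" in fl:
            counters["ack"] += 1
    # A session closed with FIN/RST after ACKs but with no handshake seen is the signature.
    return {flow: c for flow, c in flows.items()
            if flow not in handshake_ok and c["ack"] and c["fin_rst"]}


if __name__ == "__main__":
    for flow, c in find_fake_sessions(PACKETS).items():
        print(f"{flow[0]} -> {flow[1]}: syn={c['syn']} ack={c['ack']} fin_rst={c['fin_rst']}")
    print("one-way sensor flags:", sorted(find_fake_sessions(PACKETS, see_replies=False)))
```

With replies visible only the two fake flows are reported; with see_replies=False the genuine client is flagged too, because without the server's side of the conversation every flow looks the same.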
How to Prevent DDoS Attacks Using Comodo cWatch
It is possible to prevent DDoS attacks through manual security planning, but it is a hundred times easier with a dedicated DDoS prevention tool, because a DDoS attack can occur at any time. Hence, to protect yourself from DDoS attacks, install Comodo cWatch – a complete solution providing all the essential measures to protect your website from DDoS attacks, malware infections, and several other website-related threats.
cWatch is a web security tool that has a powerful firewall and is capable of eliminating application vulnerabilities and protecting websites and web applications against advanced attacks like DDoS, SQL Injection, Cross-Site Scripting, and many more. Available with features like malware scanning, vulnerability scanning, and automatic virtual patching and hardening engines, the Comodo WAF provides strong security that is wholly managed for customers as part of the Comodo cWatch Web solution.
The Comodo cWatch web security tool also provides the following key features:
- Malware Monitoring and Remediation: Detects malware, provides the methods and tools to remove it, and prevents future attacks
- Secure Content Delivery Network (CDN): A global system of distributed servers to enhance the performance of websites and web applications
- PCI Scanning: Enables service providers and merchants to stay in compliance with PCI DSS
- Cyber Security Operations Center (CSOC): A team of always-on certified cybersecurity professionals providing round-the-clock surveillance and remediation services
- Web Application Firewall (WAF): Powerful, real-time edge protection for web applications and websites providing enhanced security, filtering, and intrusion protection
- Security Information and Event Management (SIEM): Advanced intelligence that can leverage current events and data from 85M+ endpoints and 100M+ domains