The technique, which can be utilised by everyone from script kiddies to professional hackers, it involves bombarding a target website or server with artificial traffic to the point that it is overloaded.
Every time a computer visits a website, it requests access to that site's content. A DDoS attack exploits this by sending more requests than a server can cope with at any given time. This can result in either long delays for other users requesting content, or a server completely failing.
Given the relatively crude nature of the attack and the fact that it's incredibly difficult to prevent or stop once discovered, DDoS continues to be an effective tool for taking down websites and will continue to do so.
A criminal doesn't need to be especially technical, as there are a number of DDoS-for-hire groups operating on the dark web. These services have spent time spreading malware to devices across the world, which can then be mobilised as a visitor to a particular website or used to issue a server request.
While these types of attacks were normally done in isolation, and often in an attempt to tarnish the reputation of or cause financial damage to a particular company, they are often used today as a smokescreen to divert attention away from a far more serious hack.
The largest-ever DDoS attack on record was launched against GitHub in February 2018, although it only managed to knock the code repository offline for 10 minutes. Far greater disruption was caused during a smaller attack on the Dyn DNS server in 2016, which took down some of the world's most popular sites, including Amazon, Netflix and Spotify.
Both of these examples are also demonstrative of the way criminals are using new technologies and exploits to carry out DDoS attacks – the Dyn attack is thought to have used an IoT-powered botnet, while the GitHub attack made use of poor authentication on memcached servers.
What's more, it's not just the big-name players on the internet who are at risk from DDoS attacks – we all are. According to March 2018 research from Kaspersky Lab, 27% of businesses caught up in such an incident think they were collateral damage, rather than being the intended target. This highlights the need for all organisations to know how to protect themselves from a DDoS attack.
Back to basics
Rather than over-provisioning, simple things such as bandwidth buffering can allow for traffic spikes including those associated with DDoS attack and give you time to both recognise the attack and react to it.
It's also probably worth putting into place other basic safeguards that can gain you a few precious minutes: rate-limiting your router, adding filters to drop obvious spoofed or malformed packets and setting lower drop thresholds for ICMP, SYN and UDP floods. All these will buy you time to try and find help.
The first thing every organisation should do when suspecting a DDoS attack is confirm it actually happened. Once you've discounted DNS errors or upstream routing problems, then your DDoS response plan can kick in.
What should be in that response plan? Contact relevant members of your incident response team, including leads from applications and operations teams, as both are likely to be impacted.
Then contact your ISP, but don't be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.
Be warned, this is likely to be a more expensive emergency option than had you contracted such a content distribution network (CDN) to monitor traffic patterns and scrub attack traffic on a subscription basis.
Prioritise and sacrifice to survive
Ensure the limited network resources available to you are prioritised - make this is a financially driven exercise as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is the kind of thing that should be in it, then these decisions aren't being taken on the fly and under time pressure. There's no point allowing equal access to high-value applications, whitelist your most trusted partners and remote employees using VPN to ensure they get priority.
Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It's all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.
The motivation behind a DDoS is irrelevant, they should all be dealt with using layered DDoS defences. These should include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
It's worth considering investing in DDoS mitigation services if you're particularly likely to be a target of a DDoS attack (for example, if you're a large organisation) or at least knowing about what's out there, just in case.
One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks.
Cloudflare isn't the only game in town, though and many network and application delivery optimisation firms offer DDoS mitigation services.
Other well-known brands include Akamai, F5 Networks, Imperva and Verisign.
Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.
If you're already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it's worth seeing if it offers DDoS protection and how much it would cost. As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it's worth seeing quite how comprehensive this would be beforehand, as well as the processes involved and of course the cost.