What is a DDoS (Distributed Denial of Service) attack?
A DDoS or Distributed Denial of Service attack is a cyberattack in which multiple compromised systems, often orchestrated as a botnet, flood a targeted network, server, or online service with an overwhelming volume of traffic. This surge in traffic can slow down the target’s systems or even cause them to crash, denying legitimate users access. DDoS attacks are one of the most disruptive forms of cyberthreats, capable of inflicting significant downtime, financial losses, and reputational harm. As cloud-based services and online operations continue to grow, the risk and impact of DDoS attacks have escalated across industries.
- DoS vs DDoS attacks
- What are the types of DDoS attacks?
- How to mitigate a DDoS attack
- HPE Aruba Networking and DDoS protection
DoS vs DDoS attacks
A Denial of Service (DoS) attack and a DDoS attack both aim to disrupt the availability of a service, but they differ significantly in approach and scale. A DoS attack is typically launched from a single source, sending a flood of requests to overwhelm a server or network resource until it is unable to function properly. While impactful, DoS attacks are usually easier to detect and mitigate because they originate from one location.
In contrast, DDoS attacks rely on multiple sources—often spread across various geographical regions—to execute an attack. These sources, typically infected devices controlled by an attacker, form a botnet. The attacker directs the botnet to overwhelm a target, such as a website or application, with a flood of requests that exhaust its resources and make it unresponsive. This distributed nature makes DDoS attacks much harder to block, as they appear to come from many different IP addresses and geographic locations. Consequently, DDoS attacks can be far more challenging to counter, requiring advanced, multi-layered defenses to handle the sheer volume of traffic and to distinguish legitimate users from malicious ones.
What are the types of DDoS attacks?
DDoS attacks exploit vulnerabilities at different layers of the OSI model. By targeting specific layers, attackers can impact various aspects of network performance and disrupt service availability. The main types of DDoS attacks fall into three categories: volume-based, protocol-based, and application layer attacks.
Volume-based attacks
Volume-based attacks focus on overwhelming a target’s bandwidth, often targeting the network layer (Layer 3) to flood the network with data. The goal is to consume all available bandwidth, blocking legitimate traffic from reaching the server.
- UDP floods: In a UDP flood, large numbers of User Datagram Protocol (UDP) packets target random ports on the server, overwhelming the network and exhausting bandwidth. Because the targeted ports are usually closed, the server answers each packet with an ICMP destination unreachable message, which adds to the traffic and intensifies the attack.
- ICMP flood (ping flood): An ICMP flood, also known as a ping flood, sends a large number of ICMP echo requests (pings) to the target server. The server tries to reply to each ping, consuming network resources and causing latency, or in extreme cases, server downtime.
- Amplification attacks: This type of attack exploits vulnerable protocols like DNS to amplify traffic directed at the target server. For example, DNS amplification uses open DNS resolvers to send large volumes of response data to the target, causing significant congestion in the network.
Protocol-based attacks
Protocol-based DDoS attacks exploit weaknesses in protocols at the network (layer 3) and transport (layer 4) layers. These attacks exhaust server resources such as memory or connection tables, making it difficult for legitimate users to connect.
- SYN flood (layer 4): SYN floods target the TCP handshake process by sending numerous SYN requests to the target but never completing the handshake. This depletes the server's memory resources as it holds many incomplete (half-open) connections, eventually blocking new connections.
Normally, to establish a TCP connection, a client sends a SYN to a server, the server acknowledges it with a SYN-ACK, and the client completes the connection by responding with an ACK. In a SYN flood, the attacker overwhelms the server with SYN requests while spoofing the source IP address, so the server's SYN-ACK responses never reach a real client and the handshake is never completed; each half-open connection occupies a slot in the server's connection table until it times out.
- Ping of death (layer 3): A ping of death sends oversized ICMP packets that exceed the maximum packet size defined by the IP protocol. When the target tries to reassemble the fragments, it may crash or freeze because of the unusually large payload, disrupting service.
- Smurf attack (layer 3): In a Smurf attack, attackers send a spoofed ICMP request to a broadcast address, which causes multiple devices on the network to respond to the spoofed address. This overwhelms the target with a flood of ICMP responses and saturates the network.
- IP spoofing (layers 3 and 4): IP spoofing disguises the source IP address of packets, making it appear as though the attack traffic is coming from legitimate or trusted sources. IP spoofing often enhances the effectiveness of other protocol-based attacks, making it challenging to identify and block the true source of the attack.
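One way a defender can spot the half-open connection build-up described under SYN flood is to inspect a snapshot of TCP socket states. The following is an added example, not code from the page or from HPE Aruba Networking; it assumes the column layout of `ss -tan` output (State, Recv-Q, Send-Q, Local:Port, Peer:Port) and uses a constructed sample snapshot with deliberately small thresholds.

```python
"""Flag a possible SYN flood from a snapshot of TCP socket states.

A healthy server holds few half-open (SYN-RECV) connections; a flood leaves
many of them, usually spread over spoofed peer addresses that never send the
final ACK. Thresholds below are sized for the constructed sample only.
"""

# Constructed sample in the column layout of `ss -tan` (assumption):
# State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SNAPSHOT = """\
ESTAB     0 0   10.0.0.5:443 203.0.113.10:40212
ESTAB     0 0   10.0.0.5:443 203.0.113.11:40213
SYN-RECV  0 0   10.0.0.5:443 198.51.100.1:1024
SYN-RECV  0 0   10.0.0.5:443 198.51.100.2:1025
SYN-RECV  0 0   10.0.0.5:443 198.51.100.3:1026
SYN-RECV  0 0   10.0.0.5:443 198.51.100.4:1027
SYN-RECV  0 0   10.0.0.5:443 198.51.100.5:1028
LISTEN    0 128 0.0.0.0:443  0.0.0.0:*
"""


def parse_snapshot(text):
    """Yield (state, local, peer) for each socket line, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        yield parts[0], parts[3], parts[4]


def half_open_stats(text):
    """Return (half_open_count, established_count, distinct_half_open_peer_ips)."""
    half_open = established = 0
    peers = set()
    for state, _local, peer in parse_snapshot(text):
        if state == "SYN-RECV":
            half_open += 1
            peers.add(peer.rsplit(":", 1)[0])  # strip the port, keep the IP
        elif state == "ESTAB":
            established += 1
    return half_open, established, len(peers)


def syn_flood_suspected(text, max_half_open=4, min_ratio=1.0):
    """Heuristic: half-open connections exceed a cap and outnumber established ones.

    Tune max_half_open to the server's normal baseline; the default fits the sample.
    """
    half_open, established, _ = half_open_stats(text)
    return half_open > max_half_open and half_open >= min_ratio * max(established, 1)
```

A high ratio of distinct peer IPs to half-open connections (here 5 of 5) is consistent with spoofed sources rather than one misbehaving client.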
Application-layer attacks
Application-layer (layer 7) attacks focus on disrupting specific application services by overloading the target with requests. These attacks are highly effective because they mimic legitimate traffic patterns, making them challenging to detect and mitigate.
- HTTP flood: An HTTP flood sends numerous HTTP GET or POST requests to a web server, consuming its resources. By targeting specific, resource-intensive URLs, HTTP floods can exhaust server processing capacity and bandwidth.
- Slowloris: Slowloris keeps multiple connections to the target server open by sending partial HTTP requests without completing them. This consumes the server’s resources as it tries to maintain each open connection, eventually causing a denial of service for legitimate users.
- DNS query floods: Attackers flood the DNS server with excessive DNS queries, consuming its resources and making it unresponsive to legitimate requests. By attacking the DNS infrastructure, attackers can disrupt the availability of services associated with a specific domain.
- Bot-based attacks: Botnets, or networks of infected devices, can send high volumes of legitimate-seeming requests to a server. These requests resemble typical user behavior, making it difficult to differentiate between normal and malicious traffic.
How to mitigate a DDoS attack
Mitigating a DDoS attack effectively requires a combination of defensive strategies that can filter, detect, and respond to malicious traffic. Here are some widely used methods:
- Rate limiting: By setting limits on the number of requests allowed from a single IP address, organizations can prevent DDoS attacks from overwhelming their servers. Rate limiting can leverage machine learning to automatically adjust thresholds for the number of requests, enabling dynamic and precise control during a DDoS attack. Rate limiting also helps distinguish legitimate requests from malicious ones by filtering suspicious traffic. Advanced secure SD-WAN solutions may integrate this functionality to protect organizations against DDoS attacks.
- Zero Trust Network Access (ZTNA): ZTNA limits access to network resources based on user identity, enforcing the principle of least privilege. This reduces the chances of malicious actors gaining unauthorized access to critical systems, making it harder for DDoS attacks to reach sensitive parts of the network.
- Firewalls: Web Application Firewalls (WAFs) act as a reverse proxy between a network and its users, inspecting incoming requests to detect and block malicious traffic. WAFs are particularly useful against application layer attacks. In addition, Next Generation Firewalls (NGFWs) with IDS/IPS capabilities add an extra layer of protection by detecting and responding to known attack signatures and abnormal traffic behaviors, proactively stopping suspicious requests that may signal a DDoS attempt.
- Black hole routing: This technique is used to direct traffic to a null route, where it is effectively discarded. When a DDoS attack targets a specific IP address, the network administrator can configure the routing to drop all traffic to that IP. Additionally, an SD-WAN solution can dynamically route traffic over unaffected network links, helping maintain connectivity to other parts of the network.
- Content Delivery Networks (CDNs): CDNs distribute network traffic across multiple servers located in various geographical regions, minimizing the risk of overload. By balancing the load across the CDN infrastructure, they help absorb and disperse DDoS traffic.
Effective DDoS mitigation typically involves layering several of these techniques to provide comprehensive protection. Proactive monitoring and regular testing also help ensure defenses remain effective against evolving DDoS tactics.
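The per-source rate limiting described above, as an added example that is not part of the page or of any HPE Aruba Networking product: a sliding-window limiter replayed over constructed access-log lines (assumed format: unix time, client IP, method, path), reporting how many requests from each source were allowed or rejected.

```python
"""Per-source rate limiting over a stream of web requests (sliding window).

Each client IP may make at most `limit` requests in any `window` seconds;
requests beyond that are rejected, which caps what one source can consume.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent allowed requests

    def allow(self, ip, now):
        """Return True if the request at time `now` is within the limit for `ip`."""
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # rejected requests do not occupy the window
        q.append(now)
        return True


# Constructed access-log lines (assumed format): "<unix_time> <client_ip> <method> <path>"
SAMPLE_LOG = """\
1700000000 203.0.113.10 GET /index.html
1700000001 198.51.100.7 GET /search?q=a
1700000001 198.51.100.7 GET /search?q=b
1700000001 198.51.100.7 GET /search?q=c
1700000002 198.51.100.7 GET /search?q=d
1700000002 203.0.113.10 GET /about.html
1700000012 198.51.100.7 GET /search?q=e
"""


def apply_limits(log_text, limit=3, window=10):
    """Replay the log in order; return {ip: (allowed, rejected)} counts."""
    limiter = SlidingWindowLimiter(limit, window)
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        ts, ip, _method, _path = line.split(maxsplit=3)
        idx = 0 if limiter.allow(ip, int(ts)) else 1
        counts[ip][idx] += 1
    return {ip: tuple(c) for ip, c in counts.items()}
```

With the sample, the burst from 198.51.100.7 is cut off at the fourth request within the window while the quiet client is never affected; an adaptive scheme such as the one the page describes would move `limit` and `window` from observed baselines instead of fixing them.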
HPE Aruba Networking and DDoS protection
HPE Aruba Networking DDoS protection, integrated within its Secure Access Service Edge (SASE) platform, offers advanced tools to defend against DDoS attacks by combining secure SD-WAN capabilities with ML-based adaptive DDoS protection and Zero Trust Network Access (ZTNA).
HPE Aruba Networking SASE, through its secure EdgeConnect SD-WAN, uses machine learning to adjust DoS thresholds dynamically in real time based on current network behavior. This adaptive DDoS capability includes two core features—Auto Rate-Limiting and Smart Burst—for improved defense management. Auto Rate-Limiting sets minimum thresholds for traffic based on analyzing network patterns with machine learning, while Smart Burst handles legitimate traffic bursts to limit malicious traffic from consuming the network’s bandwidth, by distributing unused flow capacity across firewall zones. Together, these features help prevent disruption from malicious traffic while allowing business-critical applications to continue operating smoothly.
Additionally, the solution provides an array of real-time analytics and reporting tools that allow administrators to monitor threshold violations, view top traffic sources, and analyze DDoS events. This visibility helps network teams make informed adjustments, keeping network security in step with emerging threats. The EdgeConnect SD-WAN built-in next-generation firewall further protects the network with features like IDS/IPS and role-based segmentation: IDS/IPS detects attack patterns, and segmentation limits lateral movement within the network.
HPE Aruba Networking ZTNA follows a 'never trust, always verify' approach, keeping internal services hidden from the internet and removing entry points for DDoS attacks. Only authenticated and authorized devices can access specific resources, preventing attackers from directly targeting services. Unlike VPNs, ZTNA doesn’t grant broad access, thus reducing the attack surface and containing threats by enforcing strict, unique connections to authorized resources through application segmentation. By continually verifying identities, HPE Aruba Networking ZTNA allows only legitimate traffic to reach authorized applications, minimizing the risk of network resource overload and making large-scale attacks less feasible.
In addition to SD-WAN and ZTNA, HPE Aruba Networking SASE incorporates SWG (Secure Web Gateway) to protect users and devices against web-based threats and CASB (Cloud Access Security Broker) to secure access to SaaS applications, monitoring usage and protecting against data loss.
By integrating these technologies, HPE Aruba Networking SASE offers a multi-layered approach to DDoS defense, helping organizations reduce the impact of DDoS attacks while protecting network integrity and maintaining secure business operations.