Pesky DDoS assaults are on the rise. DDoS kits for hackers are readily available and inexpensive, making such attacks commonplace. Hackers are hitting hard, recently exploiting a vulnerability to install DDoS malware on Amazon’s cloud server. Everyone understands that DDoS attacks are undesirable, but many misunderstand the key details of how these attacks operate and how damaging they can be. Below is a list of common misconceptions that need to be addressed.
Misconception 1: All DDoS attacks originate from botnets of hijacked PCs
“All DDoS attacks are launched from botnets.” This is considered common knowledge in the Internet security field. However, not all attacks are carried out by botnets composed of personal computers that have been hijacked by hackers. As technology has advanced, the processing performance and bandwidth of high-performance servers used by service providers have rapidly increased. Correspondingly, the development and use of traditional botnets composed of PCs have slowed. Besides the processing capability factor, PCs normally have very limited bandwidth resources, and their in-use periods fluctuate. Therefore, some hackers have begun to look to high-performance servers; these were used during Operation Ababil’s attacks on U.S. banks. In addition, attacks are not always carried out by commandeering sources; the hacking group Anonymous prefers to launch attacks using large numbers of real participants. We call this a “voluntary botnet.”
Misconception 2: The purpose of a DDoS attack is to consume network bandwidth resources
When DDoS attacks are reported in the news, the severity of the attack is usually measured by the volume of attack traffic (e.g., gigabits per second). By using only this measure, the media lead many people to believe that every DDoS attack targets bandwidth. In fact, DDoS attacks can also be designed to consume system and application resources. Thus, the volume of attack traffic is only one of several factors that determine the severity of an attack.
All else being equal, the greater the volume of attack traffic, the greater the attack’s severity. However, the same volume of attack traffic can produce a greater or lesser impact depending on the method employed. People sometimes assume that SYN flood attacks are a type of DDoS attack that targets network bandwidth. In fact, the primary threat posed by a SYN flood is its consumption of connection table resources: each spoofed SYN leaves a half-open entry in the target’s connection table until that entry times out. Even with exactly the same volume of attack traffic, a SYN flood attack is more dangerous than a UDP flood attack.
Misconception 3: All DDoS attacks are rapid flood attacks
When DDoS attacks are mentioned, most people think of UDP flood attacks, SYN flood-type attacks, RST flood-type attacks and the like. Therefore, they assume that all DDoS attacks are flood-type attacks. In fact, although flood-type attacks account for a large proportion of DDoS attacks, not all DDoS attacks are flood-type attacks. In addition to flood-type attacks, there are also low-and-slow attack methods. We define the essential nature of a DDoS attack as an attack that consumes a large number of resources or occupies them for a long period of time in order to deny services to other users. Flood-type attacks are used to quickly consume a large number of resources by rapidly sending a large amount of data and requests to the target.
Low-and-slow attacks are different. They slowly but persistently send requests to the target and thus occupy resources for a long time. This activity eats away at the target’s resources bit by bit. If we view a DDoS attack as an assassination, a flood-type attack is like an assassin that uses a machine gun to take out his target at close range. A low-and-slow attack offers its target a death by a thousand cuts.
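The three resource footprints described in Misconceptions 2 and 3 (bandwidth, connection table state, and time-held connections) can be told apart from ordinary connection records. The following script is an added example written for this article, not code from the original authors: the connection records are constructed, the source addresses are documentation ranges, and the thresholds are assumptions that in practice would come from a baseline of the site's normal traffic.

```python
"""Telling bandwidth-, state- and time-consuming DDoS patterns apart.

Added example for this article, not code from the original authors.
The connection records below are constructed, the source addresses are
documentation ranges, and the thresholds are assumptions: in practice
they are derived from a baseline of the site's normal traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

WINDOW_S = 10.0  # length of the observation window the records cover


@dataclass
class Conn:
    src: str        # source address
    proto: str      # "tcp" or "udp"
    state: str      # "SYN_RECV" (half-open), "ESTABLISHED", or "" for UDP
    rx_bytes: int   # bytes received from src on this flow during the window
    hold_s: float   # seconds the flow has been occupying a table entry


# Constructed sample, one source per behaviour.
SAMPLE: List[Conn] = (
    # SYN flood: hundreds of half-open entries, each carrying one ~60-byte SYN
    [Conn("198.51.100.7", "tcp", "SYN_RECV", 60, 0.5) for _ in range(400)]
    # UDP flood: no state at all, but full-size datagrams at a high rate
    + [Conn("203.0.113.9", "udp", "", 1400, 0.01) for _ in range(3000)]
    # low-and-slow: a few established connections held for minutes, trickling bytes
    + [Conn("192.0.2.33", "tcp", "ESTABLISHED", 200, 600.0) for _ in range(20)]
    # ordinary client: a few short, complete requests
    + [Conn("192.0.2.100", "tcp", "ESTABLISHED", 5000, 2.0) for _ in range(3)]
)


def profile(conns: Iterable[Conn], window_s: float = WINDOW_S) -> Dict[str, dict]:
    """Per-source footprint on each of the three resource classes:
    half-open table entries, link bandwidth, and time-held connections."""
    acc = defaultdict(lambda: {"half_open": 0, "bytes": 0, "hold": 0.0, "n": 0})
    for c in conns:
        a = acc[c.src]
        a["n"] += 1
        a["bytes"] += c.rx_bytes
        a["hold"] += c.hold_s
        if c.proto == "tcp" and c.state == "SYN_RECV":
            a["half_open"] += 1
    return {
        src: {
            "half_open": a["half_open"],
            "mbps": a["bytes"] * 8 / window_s / 1e6,
            "avg_hold_s": a["hold"] / a["n"],
        }
        for src, a in acc.items()
    }


def classify(p: dict, half_open_max: int = 100, mbps_max: float = 1.0,
             hold_max_s: float = 120.0) -> str:
    """Map a source profile to the resource it is exhausting.
    Order matters: a SYN flood moves few bytes, so state is tested before bandwidth."""
    if p["half_open"] > half_open_max:
        return "state exhaustion (SYN flood)"
    if p["mbps"] > mbps_max:
        return "bandwidth consumption (UDP flood)"
    if p["avg_hold_s"] > hold_max_s:
        return "low-and-slow"
    return "normal"


def report(conns: Iterable[Conn]) -> Dict[str, str]:
    """Label every source seen in the records."""
    return {src: classify(p) for src, p in profile(conns).items()}


if __name__ == "__main__":
    for src, p in profile(SAMPLE).items():
        print(f"{src:14} half_open={p['half_open']:4d} "
              f"{p['mbps']:6.3f} Mbps hold={p['avg_hold_s']:6.1f}s -> {classify(p)}")
```

Run as a script, the SYN-flood source shows roughly 0.02 Mbps against 3.36 Mbps for the UDP-flood source, yet it is the SYN source that is labelled as exhausting the connection table; the low-and-slow source is invisible on both the byte and the half-open axes and only stands out by how long it holds its connections. That is exactly why a single traffic-volume number understates the severity of state-exhaustion and low-and-slow attacks.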
Misconception 4: Small websites and businesses are not hit by DDoS attacks
Many people assume that if you do not have your own website or online service, you have nothing to worry about. But if you do operate a website, even one that earns little income or serves a non-profit, the following reasoning is still wrong: “There are so many websites, and most are more famous than mine – a hacker wouldn’t waste their time on me” or “Our operation is just now gaining momentum, we still don’t make much money and we are not offending anyone – there’s no reason a hacker would choose to attack us.”
This is dangerous denial. The Internet does not have an “If you don’t hurt me, I won’t hurt you” policy. Any site can be considered fair game for profit. When cybercriminals choose extortion targets, they know that attacks on major websites may be more profitable, but the costs and risks are usually also greater. Smaller sites, by contrast, usually have weaker defenses, so an attack is more likely to succeed. Furthermore, competition is one of the major reasons that spurs DDoS attacks. Newcomer businesses may attack established businesses in order to steal away customers, and established businesses may attack newcomers to remove any potential threat they may pose. Malicious retaliatory attacks might not be concerned with size and scale; they may just want to prove a point.
In summary, the fame and profitability of websites do not determine their level of attack risk. As long as a website is vulnerable, it may suffer a DDoS attack. Small businesses and their websites are not spared.
Misconception 5: Hackers are the only ones who can launch DDoS attacks
Asking “Are hackers the only ones who can launch DDoS attacks?” is like asking, “Are soldiers the only ones who can shoot guns?” The manufacture and use of weapons have long been separated, and any difficulty of use has greatly decreased. If accuracy is not mandatory, shooting a gun is no longer a specialized skill. Civilians can use a gun with just a bit of practice.
The same phenomenon has occurred with network attacks. Currently, most hackers are specialists in a certain field. Some specialize in discovering vulnerabilities, some develop tools, some are responsible for system intrusion and some are adept at processing account information. For DDoS attacks, some hackers create and maintain so-called “attack networks.” Some of them exploit botnets and some take over high-performance servers. After assembling their attack capability, they rent out their resources to a customer. It is not necessary for this hacking customer to have any specialized knowledge of the technology. Hacking services have become very convenient: engage a hacker, enter the address of the attack target and launch a full attack. DDoS attacks can be carried out by cybergangs, the business competitor across the street or a disgruntled employee. With hackers for hire, there are potential attackers everywhere.
Misconception 6: DDoS attacks are created purely for vandalism and mischief
In popular opinion, a hacker is half genius, half idiot. On one hand, they seem like omnipotent gods online. On the other hand, they are like Godzilla, wreaking havoc for no reason or benefit to themselves. DDoS attacks take some technical skill and directly result in the destruction of network service availability. This doesn’t seem to benefit hackers, suggesting that popular opinion holds true.
Hiding behind this simplistic stereotype are hackers who know the value of a bitcoin. The current generation of hackers are much more sensitive to benefit calculations than average people. They use destructive power in exchange for profit, they use destructive deterrents to avoid losses to themselves and they use destruction as leverage to shift the playing field to their advantage. Destruction is only one part of DDoS attack motivation; the true goal is almost always profit of some sort.
Misconception 7: Firewalls and IDS/IPS can mitigate DDoS attacks
Firewalls are the most common security products, but their design does not take DDoS mitigation into account. A traditional firewall defends by inspecting traffic closely, and the deeper the inspection, the higher the computing cost per packet. Massive DDoS traffic therefore degrades a firewall’s performance until it can no longer forward packets effectively. At the same time, traditional firewalls are generally deployed at the network ingress. Although in a sense they protect internal network resources, they commonly become DDoS attack targets themselves.
Intrusion detection and prevention systems (IDS/IPS) are the tools with the broadest range of applications, but when faced with a DDoS attack they generally cannot satisfy user needs. These systems perform rule-based detection of application-layer attacks and were designed to recognize attacks by their characteristic signatures. The majority of current DDoS attacks, however, consist of legitimate, well-formed packets that match no signature, so intrusion detection and prevention systems cannot effectively identify DDoS traffic by its characteristics. They also experience the same performance issues as firewalls under attack load.
Misconception 8: System optimization and increases in bandwidth can effectively mitigate DDoS attacks
System optimization primarily refers to the adjustment of the core parameters of the system under attack; for example, increasing the size of the Transmission Control Protocol (TCP) connection table and reducing the timeout for establishing TCP connections is one such adjustment. System optimization can mitigate small-scale DDoS attacks to a certain extent. However, when hackers increase DDoS attack scale and traffic volume exponentially, the effect of system optimization is negligible.
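The limited benefit of the tuning described above can be quantified with a simple queueing model. The script below is an added example for this article, not the authors' code: it applies Little's law (steady-state table occupancy equals SYN arrival rate times the lifetime of a half-open entry) to compare a "default" and a "tuned" TCP stack. The parameter values are assumptions modelled on a typical Linux stack (first SYN-ACK retransmission after 1 s with exponential backoff, a 1024-entry backlog) rather than measurements of any particular system.

```python
"""How far TCP-stack tuning moves the SYN-flood saturation point.

Added example for this article, not code from the original authors. The
"default" and "tuned" values are assumptions modelled on a typical Linux
TCP stack, not measurements of any particular system.
"""
import math


def half_open_lifetime(first_timeout_s: float, synack_retries: int) -> float:
    """Seconds a half-open entry survives when the peer never completes the
    handshake. Each SYN-ACK retransmission doubles the wait (t, 2t, 4t, ...),
    and the entry is dropped after the last retransmission times out."""
    return sum(first_timeout_s * 2 ** i for i in range(synack_retries + 1))


def max_syn_rate(backlog_entries: int, lifetime_s: float) -> float:
    """Little's law: steady-state occupancy = arrival rate * lifetime.
    The connection table is full once occupancy reaches backlog_entries,
    so this is the largest sustained SYN rate the table can absorb."""
    return backlog_entries / lifetime_s


def sources_to_saturate(syn_per_s: float, per_source_syn_per_s: float) -> int:
    """How many sources at a fixed per-source rate fill the table: the
    defender's margin expressed in attacker-side units."""
    return math.ceil(syn_per_s / per_source_syn_per_s)


def compare(default: dict, tuned: dict, per_source_syn_per_s: float = 1000.0) -> dict:
    """Saturation rate before and after tuning, and the margin each gives
    against an attack that simply adds more sources."""
    d_rate = max_syn_rate(default["backlog"],
                          half_open_lifetime(default["first_timeout_s"],
                                             default["synack_retries"]))
    t_rate = max_syn_rate(tuned["backlog"],
                          half_open_lifetime(tuned["first_timeout_s"],
                                             tuned["synack_retries"]))
    return {
        "default_syn_per_s": d_rate,
        "tuned_syn_per_s": t_rate,
        "defender_gain": t_rate / d_rate,
        "default_sources": sources_to_saturate(d_rate, per_source_syn_per_s),
        "tuned_sources": sources_to_saturate(t_rate, per_source_syn_per_s),
    }


# Assumed parameter sets (not measured): a 1024-entry backlog with five
# SYN-ACK retries versus a 64K-entry backlog with two retries.
DEFAULT = {"backlog": 1024, "first_timeout_s": 1.0, "synack_retries": 5}
TUNED = {"backlog": 65536, "first_timeout_s": 1.0, "synack_retries": 2}

if __name__ == "__main__":
    r = compare(DEFAULT, TUNED)
    print(f"default: table saturates at {r['default_syn_per_s']:.1f} SYN/s "
          f"({r['default_sources']} source(s) at 1000 SYN/s)")
    print(f"tuned:   table saturates at {r['tuned_syn_per_s']:.1f} SYN/s "
          f"({r['tuned_sources']} source(s) at 1000 SYN/s)")
    print(f"tuning raised the bar by a factor of {r['defender_gain']:.0f}")
```

Under these assumptions the default stack saturates at about 16 SYN/s and the tuned one at about 9,400 SYN/s, a one-off gain of 576x for the defender. The margin is a constant: ten sources at 1,000 SYN/s each fill the tuned table just as one source filled the default one, which is the article's point that tuning handles small-scale attacks but is overtaken as soon as the attack scales.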
Increasing bandwidth is actually a rear-guard defense. This type of retreat strategy also includes purchasing redundant hardware and adding servers with better performance. So long as the resources consumed by a DDoS attack do not exceed the load-bearing capabilities of the current bandwidth, computing and other resources, the attack will be ineffective. However, once the resources consumed by the attack exceed the system’s capabilities, further retreat is needed to make the attack ineffective. In theory, increasing bandwidth and other such retreat strategies should be able to completely resolve the problems posed by DDoS attacks. However, in reality, these measures do not make economic sense. In fact, the costs hackers incur by increasing the scale of DDoS attacks are minimal. However, the investment required to continually increase bandwidth, server quantity and other infrastructure enhancements to mitigate DDoS attacks cannot increase without limit. Therefore, retreat strategies are not effective DDoS attack mitigation methods.
Misconception 9: Cloud-based DDoS cleaning services and local mitigation devices are interchangeable
DDoS is a name that covers a wide range of attacks, and different attacks may require different mitigation methods. Cloud-based cleaning services mainly rely on traffic dilution and diversion and are designed for volumetric (bandwidth-consuming) DDoS attacks. Local mitigation devices can handle only a relatively small volume of traffic, but it is easier for them to apply multiple cleaning techniques in combination, so they are suited to defending against DDoS attacks that consume system and application resources. Users should select suitable mitigation solutions based on their own business characteristics and the particular threats they face.
Prepared for Battle
When it comes to DDoS attacks, one size does not fit all. They come in many shapes and sizes, and some are more dangerous than others. Hackers launch DDoS attacks for a variety of reasons, some of them financially motivated. “Non-offensive” and small websites are just as susceptible to assault as big-name companies. It is important to understand how to protect against DDoS attacks and mitigate them quickly if they do occur. Because these attacks differ in nature and scope, organizations should consider what threats they are likely to face and plan accordingly.
Xuhua Bao, Senior Researcher, Strategy Research Department of NSFOCUS, is focused on analysis of information security events, security intelligence, and security trends.
Hai Hong, Researcher, Security Research Department of NSFOCUS, is a member of the NSFOCUS Threat Response and Research (TRR) Team, focusing on research of network security technology such as vulnerability analysis, vulnerability discovery, vulnerability exploitation, network attacks, DDoS attacks and DDoS prevention and mitigation.
Zhihua Cao, Researcher, Security Research Department of NSFOCUS, focuses on DDoS attack analysis and defense, botnets, and data (packet) analysis. Cao is fond of reverse engineering and a big fan of OD, IDA and Wireshark.