Security Awareness Training Videos
Learn best practices for cybersecurity in CompTIA's security awareness videos. Get tips on how to create passwords, how to identify fake websites and phishing emails, and more.
The IT industry has seen a major increase of Distributed Denial of Service (DDoS) attacks over the past several years. The December 2019 New Orleans cyberattack is such an example: This attack combined a classic ransomware deployment with a DDoS attack. The DDoS upward trend promises to continue.
DDoS attacks date back to the dawn of the public internet, but the force is strong with this one. According to a 2018 report from International Data Group (IDG), the median downtime caused by a DDoS attack is 7 to 12 hours. Using an estimate from Gartner of $5,600 per minute of downtime, that means the average cost of a DDoS attack is in the $2.3 million to $4 million range. These losses are incurred due to a loss of business operations and does not account for staff time or other associated costs.
As technology evolves, so do DDoS attacks. And attackers are continually using these types of attacks to achieve their objectives. This guide will help IT pros understand everything from the basics of detection to tools for combatting attacks, along with the skills one needs to develop to prepare for cybersecurity incidents of this kind.
This DDoS handbook is intended to act as a guide for IT pros from entry level to expert and can be applied across industries. Keep scrolling to read it from cover to cover, click through the table of contents in the sidebar or download the PDF to reference again and again.
Many people wonder about the meaning of DDoS, asking what exactly is a DDoS attack and what does DDoS stand for? DDoS stands for distributed denial-of-service attack. DDoS attacks occur when servers and networks are flooded with an excessive amount of traffic. The goal is to overwhelm the website or server with so many requests that the system becomes inoperable and ceases to function.
Botnets, which are vast networks of computers, are often used to wage DDoS attacks. They are usually composed of compromised computers (e.g., internet of things (IoT) devices, servers, workstations, routers, etc.) that are controlled by a central server.
DDoS attacks can also originate from tens of thousands of networked computers that are not compromised. Instead, they are either misconfigured or simply tricked into participating in a botnet, in spite of operating normally.
DDoS attacks have become increasingly problematic and IT pros need to be ready.
Even though automation, orchestration and AI are now commonplace, humans are still the ones that make final decisions on how to defend companies.
One of the realities of cybersecurity is that most attackers are moderately talented individuals who have somehow figured out how to manipulate a certain network condition or situation. Even though there is often discussion about advanced persistent threats (APT) and increasingly sophisticated hackers, the reality is often far more mundane.
For example, most DDoS attackers simply find a particular protocol. They’ll discover that they can manipulate the transmission control protocol (TCP) handshake to create a SYN flood or a particular type of server, such as the memory cache daemon (memcached). Or they’ll discover that they can compromise IoT devices, such as webcams or baby monitors. But today, attackers have more help.
Recent advancements have given rise to AI and connective capabilities that have unprecedented potential. Like legitimate systems administrators, attackers now have voice recognition, machine learning and a digital roadmap that can allow them to manipulate integrated devices in your home or office, such as smart thermostats, appliances and home security systems.
There are two primary ways a DDoS attack can take form.
Bombardment (volumetric): This strategy involves a coordinated attack on the targeted system from a collective of devices. Another term for this type of attack is volumetric, coined as such because of the sheer volume of network
traffic used to bombard systems. This type of traffic focuses on Layer 3 of the open systems interconnection/reference model (OSI/RM), for the most part and is usually measured in packets per second (PPS) or megabits per second (Mbps).
Volumetric attacks can be long term or burst:
Despite being very quick, burst attacks can still be extremely damaging. With the advent of IoT-based devices and increasingly powerful computing devices, it is possible to generate more volumetric traffic than ever before. As a result, attackers can create higher volumes of traffic in a very short period of time. This attack is often advantageous for the attacker because it is more difficult to trace.
Technological Infection: In this strategy, attackers manipulate applications. They are often called Layer 7 attacks, because attackers and botnets co-opt applications to do their bidding. These applications then become unwitting DDoS attack vectors.
This could involve using IoT-connected devices – such as baby monitors, phones or hubs – to send traffic at the target. This strategy can be more easily understood when you think of the Borg, assimilating others against their will to be part of a larger system of attackers.
Layer 7 attacks can also disable critical web and cloud applications on a massive scale. Today, more companies are using microservices and container-based applications. Layer 7 DDoS attacks are also increasingly popular against cloud-based resources; simply migrating to a cloud provider won’t solve the problem.
As the world moves to containers, Kubernetes and more cloud-based services, it’s expected that DDoS attack methods will naturally move to and exploit these elements.
DDoS and other attacks arise as a result of three vulnerabilities: monocultures, technical debt and system complexity.
Monocultures: The first vulnerability is created because of our interest in automating and replicating systems. In this age of the cloud and hyper-virtualization, it is a common practice for IT departments to create once and deploy often. This means that once you have created a particular service, such as an Amazon Web Services (AWS) workspace, or a web server, you will replicate it and use it multiple times. This creates a monoculture, or a situation where dozens, or even hundreds, of the same instance exists.
Attackers focus on these types of situations because they can exploit a small vulnerability to achieve maximum damage. This is ideal for attackers because one piece of malware can be used to target many systems.
Technical Debt: Companies often skip development steps as they implement a new business solution – a piece of software, a cloud implementation or a new web server. The IT industry long ago identified critical steps that organizations should take to create secure software and services. But these steps take time. Too often, organizations neglect security best practices in the interests of saving time and money.
Whenever a company skips essential steps, they are said to incur a technical debt. The resulting software represents an obligation that the organization eventually needs to re-pay. If an organization doesn’t pay this debt back by fixing the software or properly configuring and securing a critical service, that organization will suffer consequences that range from lost business to becoming the target of a successful cyberattack. One example of technical debt can be found in IoT devices that have powerful networking ability, but no default password. As a result, attackers have been able to easily enlist these devices into their botnets or other DDoS schemes. What makes this situation particularly disturbing is that consumers end up paying the price for a technical debt.
Complexity: Complex systems are difficult to manage and monitor, especially if these systems are hastily created. Sophistication is often good and necessary, but, as we create more interconnected systems, this complexity can cause us to lose control of our information. In many cases, issues occur because essential steps of the software development lifecycle or the platform development lifecycle are skipped. It’s one thing to create buggy software, but when that software connects to multiple cloud instances, it creates a larger, more scalable problem.
DDoS traffic comes in quite a few different varieties. Understanding the types of traffic will help you select proactive measures for identification and mitigation. Click on the red plus signs to learn more about each type of DDoS traffic.
The most effective DDoS attacks are highly coordinated. The best analogy for a coordinated attack involves comparing a DDoS botnet to a colony of fire ants. When a fire ant colony decides to strike, they first take a position and ready themselves for the attack. Acting under a single directive and without obvious warning, they wait for the signal and then act simultaneously.
Whenever a compromised system calls home to a C&C server, it is said to be beaconing. This traffic passing between a botnet member and its controller often has specific, unique patterns and behaviors. As a result, it is possible for security analysts to identify this traffic and treat it as a signature. If this is the case, analysts can then identify compromised systems, as well as manage or block this type of traffic and even trace this traffic to isolate and eradicate botnet infections.
Memcached is an often-used service that distributes memory caching on multiple systems. It is used to help speed up websites by caching information in Random Access Memory. Botnets have often exploited Memcached implementations that are not properly secured.
Atypical traffic involves using strategies such as reflection and amplification.
A collection of similarly configured systems that all contain the same flaw. Here are some examples of compromised monocultures:
Modern attacks combine different attack strategies, including Layer 7, volumetric and even ransomware. In fact, these three attack types have become something of a trifecta in the DDoS attack world.
Botnets are often used as malicious tools to help conduct the work of a DDoS attack. It’s essential that IT pros equip themselves with the knowledge of how that occurs to help them stay ahead of the onslaught.
There are two models that can help provide insight:
As an IT pro, knowing how to approach a DDoS attack is of vital importance. Security analysts and threat hunters often use the ATT&CK model and the Mitre ATT&CK Navigator to help identify botnets. It is very likely that your organization may have to deal with an attack of one variety or another.
One way to raise awareness about DDoS attacks is to understand who is committing these hacks, why they are targeting organizations and how they are accomplishing their goals.
Let’s begin with a short list of major DDoS attacks, the motivations behind them and the lasting impact they have on our digital world. Click on the red plus signs to learn more about each of these major DDoS attacks.
In 2008, the Republic of Georgia experienced a massive DDoS attack, mere weeks before it was invaded by Russia. The attack appeared to be aimed at the Georgian president, taking down several government websites. It was later believed that these attacks were an attempt to diminish the efforts to communicate with Georgia sympathizers. Not long thereafter, Georgia fell victim to Russian invasion.
This attack is considered to be the textbook example of a coordinated cyberattack with physical warfare. It is studied around the world by cybersecurity professionals and military groups to understand how digital attacks can work in tandem with physical efforts.
Infamously known as the “Attack that Almost Broke the Internet,” the Spamhaus incident was, at the time, the largest DDoS attack in internet history.
The attack was prompted when a group named Cyberbunk was added to a blacklist by Spamhaus. In retaliation, the group targeted the anti-spam organization that was curtailing their current spamming efforts with a DDoS attack that eventually grew to a data stream of 300 Gbps.
The attack was so compromising that it even took down Cloudflare, an internet security company designed to combat these attacks, for a brief time.
The DDoS attacks that occurred during Occupy Central were an effort to cripple the pro-democracy protests that were occurring in Hong Kong in 2014. Two independent news sites, Apple Daily and PopVote, were known for releasing content in support of the pro-democracy groups.
Much larger than the Spamhaus attack, Occupy Central pushed data streams of 500 Gbps. This attack was able to circumvent detection by disguising junk packets as legitimate traffic. Many speculate the attack was launched by the Chinese government in an effort to squash pro-democracy sentiments.
A massive DDoS attack was launched against the DNS provider Dyn. The attack targeted the company’s servers using the Mirai botnet, taking down thousands of websites. This attack affected stock prices and was a wake-up call to the vulnerabilities in IoT devices.
The Mirai botnet comprised a collection of IoT-connected devices. The botnet was assembled by exploiting the default login credential on the IoT consumer devices which were never changed by end users. The attack impacted the services of 69 companies, including powerhouses such and Amazon, CNN and Visa.
One of the largest DDoS attacks in history was launched against GitHub, viewed by many as the most prominent developer platform. At the time, this was the largest DDoS attack in history. However, due to precautionary measures, the platform was only taken offline for a matter of minutes.
Attackers spoofed GitHub’s IP address, gaining access to memcaching instances to boost the traffic volumes aimed at the platform. The organization quickly alerted support, and traffic was routed through scrubbing centers to limit the damage. GitHub was back up and running within 10 minutes.
You often see images of nefarious, dark-hooded individuals to symbolize the malicious threat actor. In reality, these groups of attackers are often well known to authorities and use DDoS tactics to gain influence, disrupt government and military operations or cause people to lose confidence in a market sector, company brand or long-established institution.
Regardless of the motivations that power these attacks, hackers can easily be hired to help launch a DDoS attack. Individuals or entire commercial groups are available for hire on the dark web, often under a service model, similar to that of infrastructure as a service (IaaS) or software as a service (SaaS). Understanding motivation can help uncover causes, but perpetrators are often simply guns for hire.
In fact, in December 2019, two Russian hackers were indicted for unleashing a DDoS attack on a U.S.-based bank that were allegedly operating on a DDoS-for-hire model. The attack is being touted as “one of the biggest bank robbery schemes of the past decade.”
Attackers have long used IP spoofing to avoid attacks. Most IT professionals know that the IPv4 protocol has no inherent safeguards against spoofing. Most implementations of Ipv6 don’t fully use the protocol, which invites spoofing attacks.
Attackers are now using another method to hide their activity: Fast Flux DNS. By manipulating DNS traffic, DDoS botnets use multiple IP addresses assigned to a resource. The botnets then swap IP addresses at random, which occurs very quickly. As a result, it is more difficult for incident responders to trace attack traffic.
A variation of Fast Flux DNS is Double Flux DNS, which involves the use of multiple DNS names and manipulating the HTTP GET commands. This strategy is extremely effective for avoiding detection.
In order to thwart DDoS attacks, it’s important to understand what motivates an attack. These motivations often spur a cyber threat.
As of late, DDoS attackers have the following motives:
Attackers use several devices to target organizations. These are some common tools for DDoS attacks:
Attackers use various methods to glean useful information. Understanding these approaches will help you calculate how susceptible your organization is to an attack. Information gathering involves direct and indirect forms of reconnaissance.
Attackers can use tools such as Nmap to assess a network. Nmap is used to identify any connected devices and reveals a detailed assessment of any local and remote networks. Using Nmap is also effective for identifying applications which are listening for open ports. Mapping the network provides attackers with a comprehensive picture of connected devices.
Physical recon can also be very beneficial for attackers. Surprisingly, much of the initial information gathering takes place offline. Details obtained in real-world settings can be very valuable. Items such as addresses, phone numbers, pet names, family members, birthdays and passwords are all useful when planning an attack.
Indirect recon is undertaken as an effort to understand the target. Similar to how a salesperson would study consumer behavior to develop effective sales tactics, attackers take inventory of targets to ascertain a method of attack.
They identify things, such as the following:
Once a DDoS attacker discovers a good attack surface and finds a monoculture, they can then wage an attack. DDoS attacks are usually much more successful when attackers conduct their research.
A common name given to indirect recon is open-source intelligence (OSINT). Indirect reconnaissance tools do not leave the same traces as active tools.
Attackers can use network profiling techniques, such as ping and port scan, to uncover network vulnerabilities. Hackers utilize AI-driven scans to detect weaknesses they can exploit. This can vary by existing network conditions and is constant evolving.
There are multiple resources for IT pros to gain information about cyber threats. Some of these resources include:
|Thread Feeds||CVE Feeds||Multi-Engine Virus Scanning Sites|
|The FBI’s InfraGard Portal||CVE List||VirusTotal|
|The Department of Homeland Security’s Automated Indicator Sharing||National Vulnerability Database||VirSCAN|
|SANS: Internet Storm Center||Malwarebytes|
Increasingly, attackers are using the same systems that defenders use. Sites such as VirusTotal are completely legitimate. It is used to amalgamate all antivirus vendor tools. Legitimate IT and security workers can use this site to see if certain files contain threat vectors (e.g., botnet code, etc.).
But attackers will often use legitimate tools such as VirusTotal to actually create vectors that evade antivirus vendors. They upload the evil code that they’ve created to VirusTotal. If VirusTotal flags the malware, then they continue to make changes to the malware code they’ve created until VirusTotal no longer detects the attack.
Attackers will launch this code and attack victims. Because VirusTotal uploads are also usually available to the public, it is possible for anyone (including attackers and other companies) to view the files that have been uploaded. Such uploads can reveal information about networks and companies that have been attacked. Some companies may not want to provide even indirect information about attacks on their network.
Attackers also use the benefits of innovation to their advantage. It stands to reason that with more sophisticated technology come more advanced attacks.
Certain systems are particularly vulnerable to DDoS attacks. Attackers will target the following devices in an attempt to gain control of your network.
While organizations in any industry are vulnerable, these sectors are attacked the most often:
Preparation and quick response are of vital importance when facing a DDoS attack. Knowing what to look for and where to find information can help you mitigate damage.
Look for these DDoS attack warning signs:
To find help with tracking and locating DDoS attacks in real time, use resources like Digital Attack Map, Botnet Connection Dashboard , Threatbutt Internet Hacking Attack Attribution Map and Is It Down Right Now?
Many traffic monitoring applications exist. Here are a few examples.
|ntop||Provides detailed network traffic and usage statistics.|
|Wireshark||The de facto standard packet capturing app.|
|Capinfos||Prints statistics from pcap files.|
|Snort||Open-source intrusion detection system (IDS).|
|Cisco IOS Netflow||Like Ntop – detailed network usage statistics.|
|Endpoint Protection||Software can include products from Tanium, Symantec, Sophos and many others.|
|Spreadsheets||Don’t laugh. Security analysts spend hours poring over spreadsheets created by IDS and security information and event management (SIEM) tools.|
|Security Information and Event Management (SIEM) software||Many SIEM products exist, including AlienVault, Splunk Enterprise Security and RSA NetWitness.|
|Third-Party Security Providers||Managed service providers and vendors that track and help manage the conditions that lead to successful DDoS attacks.|
Tactically, IT professionals spend considerable time tracing spoofed traffic to its actual source. Here are some commonly used applications:
When it comes to DDoS threats, a little prep work can go a long way. Try these tactics to practice preventative measures.
|Network Reconfiguration||Tabletop Exercises and Simulations|
|Examining how your network is configured can help reveal weaknesses before attackers can exploit the holes. Perform consistent audits internally and externally to help cover all your bases. Additionally, Border Gateway Protocol (BGP) can help reroute network traffic before it reaches its intended target.Reconfiguration can be manual, where an IT pro manually changes network assets and configurations or automatically using AI or pre-determined orchestration tools.||These are two options you can utilize for staff training on cybersecurity incidents:
|Staff Training||Executive Buy-In|
|All staff need to be trained to learn to recognize the warning signs of a possible attack. This should not only fall to IT departments or third-party providers. It is vital that all personnel understand who to report to and what information needs to be provided to help limit the damage of an incident.+||As with any coordinated organization-wide effort, you’ll need executive buy-in. It’s essential that leadership recognize the value of cybersecurity awareness and preparation and that they allocate the necessary resources and stress the importance to staff.|
DDoS attacks can be damaging if not identified and handled in a timely manner. Use these steps to strategically defend your organization.
As with any cyber threat, there are multiple services and tools available to IT pros to help mitigate possible damage.
Examples of Layer 7 methods for managing DDoS attacks include:
There are also several DDoS mitigation service vendors available to help manage an attack.
Use the steps in the following table to prepare for a DDoS attack.
DDoS Mitigation Vendor
Offers protection against layer 3 and layer 4 attacks. Available to all customers at no extra charge. Additional protection for Layer 7 attacks are available for a fee.
Solutions include cloud-based, on-premise and hybrid DDoS protection.
Layer 3, 4, and 7 services for free, as well as more sophisticated services for a fee.
|Akamai||Highly respected service for help against volumetric attacks. Owns many sites around the world to help identify and filter traffic.|
|AppTrana||Focuses on Layer 7, as well as volumetric (Layer 3 and 4) traffic.|
|Alibaba DDoS||Specializes in mitigating volumetric attacks.|
Click the red plus signs for more details on the eight ways you can prepare for a DDoS attack.
Identify key endpoint and server assets, including the following:
Have full copies of mission-critical information to allow your organization to reduce mean time to recovery and mean time to respond.
Larger organizations will want to have multiple ISPs ready in case one becomes flooded with traffic or can’t provide an essential filtering service in time. Another option is obtaining a third-party scrubbing service that filters out DDoS traffic.
It is important to back up server resources, as well as workstations and other devices.
A DDoS preparation scheme will always identify the risk involved when specific resources become compromised.
The last thing an organization wants to do is assign responsibility for DDoS response during or after an actual attack. Assign responsibility before an attack happens.
Never assume that an untested set of procedures is adequate. In the same way an untested backup is no backup at all, an untested DDoS response plan is no plan at all.
When dealing with a DDoS attack, there are certain best practices that can help keep a situation under control. Observe these DDoS attack do’s and don’ts.
As an IT pro, you can take steps to help ready yourself for a DDoS attack. Check out the following skills and tools that can help you successfully manage an incident.
Employers will want to know that you are armed with the skills necessary for combatting a DDoS attack. Adding these skills to your toolset will help illustrate your ability to thwart attacks.
Standards such as the U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 provide a helpful foundation for knowing how to respond to attacks of various types. The IT industry also uses the ISO/IEC 27035-1:2016 standard as a guideline for incident response procedures. As a general rule, organizations with a reputation for responding well to incidents tend to use such standards as helpful guidelines, rather than absolute rules to follow.
IT pros can also benefit from seeing demonstrations of attacks to learn how data behaves in particular situations. Take the time to view demonstrations of the following attacks:
Ongoing education is essential for any IT pro. Technology advances every day, and IT pros that stagnate will eventually be deemed unnecessary as legacy systems die off and new platforms take their place. To remain relevant, it’s important to continue educating yourself.
The standards and practices taught in the industry will also help you and your organization respond to DDoS attacks. One way to obtain the appropriate level of knowledge is to learn the standards and best practices covered by the IT certifications found in the CompTIA Cybersecurity Pathway.
|Endpoints||Cloud||Servers||Red Team||Blue Team||Network Security|
Download the exam objectives for the above CompTIA exams to see what’s covered and decide which one is right for you.
Want to know more about DDoS attacks and stay up to date on the latest in cybersecurity? Subscribe to CompTIA’s IT Career News for weekly digests and a monthly newsletter dedicated to cybersecurity, cloud computing, computer networking, tech support and more.
Read more about Cybersecurity.