DDoS attacks: What they are and how to protect yourself
by Mirko Zorz - Monday, 24 June 2013.
Ameen Pishdadi is the CTO at GigeNET. In this interview he discusses the various types of DDoS attacks, tells us who is at risk, tackles information gathering during attacks, lays out the lessons that he's learned when he mitigated large DDoS attacks, and more.

While most have heard of DDoS attacks, not everyone knows that there are several types of such attacks. Can you provide an overview of the different kinds and illustrate their severity? What kind of damage can a DDoS attack do?

Well, the easiest way to define DDoS is to discuss what it stands for. It really originated from DoS, which was short for Denial of Service. The 2nd D stands for “Distributed.” In the late 90's to early 00's, the first true Distributed DoS attack occurred. If I remember correctly, one of the first publicized tools for executing a DDoS was called “trinoo.” It was the first of its kind, where infected machines were able to receive commands from a central location, which is called a botnet C&C (command-and-control). Botnet makers got smarter and, instead of hosting the C&C from a single host, they started to use IRC (Internet Relay Chat). The compromised machine would connect to a hostname and port that were hardcoded in the botnet code and join a channel where a single chat entry need only be entered once, but would then be seen by tens of thousands of compromised machines, which would then execute their attack.

The first widely publicized attack was in the early 2000s, when internet giants such as Yahoo! were taken down. The amount of bandwidth that was required for this would have to have been enormous in those days. This is when the botnet / DDoS scene began to take off.

The goal of a DDoS is to cause a 'denial of service' to the user or end users of whatever is being attacked. This can be done in a few different ways. The three most common are as follows:

1. Saturate the connections that the target has to the internet, thus preventing real users from being able to connect. This is usually done with a UDP flood, and lately a UDP reflection flood.

2. Saturate the CPU of the router or host machine by sending more packets per second than it can handle. When this occurs, pretty much anything trying to connect does not get processed by the CPU of the device nor forwarded to the destination. This is usually done with a synflood.

3. Overload the application with requests that look like real users. An example would be having a thousand servers making a request to your website’s page all at the same time. These days, since websites are primarily database driven, this effect is even greater. The webserver and database servers become overloaded quickly.
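The three mechanisms above each exhaust a different resource (link capacity, packets per second, application requests per second), so a defender can tell them apart from the same packet records. The following is an added example written for this page, not code from the interview or from GigeNET: it classifies one second of constructed packet records against assumed capacity figures for a hypothetical small edge link and reports which resource is saturated and how many sources the traffic came from.

```python
"""Classify one second of packet records into the three DDoS mechanisms from the interview."""

# Capacity figures are assumptions for a hypothetical small edge; tune them to your own link.
LINK_BPS = 100_000_000   # 100 Mbit/s uplink
ROUTER_PPS = 50_000      # packets/s the edge router forwards before it starts dropping
APP_RPS = 500            # HTTP requests/s the web and database tier can serve
FILL = 0.8               # flag a resource once it is 80% consumed


def classify_window(packets, seconds=1.0):
    """packets: list of dicts {src, proto, flags, dport, bytes} seen in one window.
    Returns (findings, metrics): findings names the saturated resource(s),
    metrics holds the rates the decision was based on."""
    n = len(packets)
    bps = sum(p["bytes"] for p in packets) * 8 / seconds
    pps = n / seconds
    syn = sum(1 for p in packets if p["proto"] == "tcp" and p["flags"] == "S")
    reqs = sum(1 for p in packets
               if p["proto"] == "tcp" and p["flags"] == "PA" and p["dport"] in (80, 443))
    sources = len({p["src"] for p in packets})
    findings = []
    if bps > FILL * LINK_BPS:
        findings.append("bandwidth_saturation")     # 1. link fill (UDP / reflection flood)
    if pps > FILL * ROUTER_PPS and syn / max(n, 1) > 0.5:
        findings.append("packet_rate_saturation")   # 2. router/host CPU (SYN flood)
    if reqs / seconds > FILL * APP_RPS:
        findings.append("application_overload")     # 3. web/db tier (request flood)
    metrics = {"bps": bps, "pps": pps, "syn_ratio": syn / max(n, 1),
               "rps": reqs / seconds, "sources": sources}
    return findings, metrics


def synth(n, proto, flags, dport, size, sources):
    """Constructed traffic: n packets spread round-robin over `sources` documentation-range addresses."""
    return [{"src": f"198.51.100.{i % sources}", "proto": proto, "flags": flags,
             "dport": dport, "bytes": size} for i in range(n)]


# Constructed one-second windows, one per mechanism, plus normal traffic for comparison.
SAMPLES = {
    "normal":     synth(300, "tcp", "PA", 443, 600, 40),       # 1.4 Mbit/s, 300 req/s
    "udp_flood":  synth(60_000, "udp", "", 53, 1_400, 200),     # 672 Mbit/s: link full
    "syn_flood":  synth(45_000, "tcp", "S", 80, 60, 200),       # 45k tiny SYNs: router CPU
    "http_flood": synth(1_000, "tcp", "PA", 80, 400, 200),      # 1000 req/s hits the app
}

if __name__ == "__main__":
    for name, window in SAMPLES.items():
        findings, m = classify_window(window)
        print(f"{name:10s} {m['pps']:>8.0f} pps {m['bps'] / 1e6:>7.1f} Mbit/s "
              f"{m['rps']:>5.0f} rps from {m['sources']} sources -> {findings or ['none']}")
```

The `sources` count is what separates a distributed flood from a single noisy client; a per-source rate limit helps against the latter but not against 200 hosts each sending a modest share.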

We've seen a significant rise in DDoS attacks in the past year. What are the reasons behind this trend? What type of organization is most at risk?

The significant increase is a direct result of the misuse of information for marketing purposes. While the method that was used to take down Spamhaus was fairly well known and had been around for a while, media attention was purposefully exploited by CloudFlare for its own gain. This exposed this type of attack to a much wider audience. It basically laid out the blueprints and also broadcast how massive the DDoS could be if done right and with the proper resources.
