What is a DDoS attack? And how can I protect my devices against botnets?

Mark Amory, QA Cyber Security Training Delivery Manager, explains exactly what a DDoS attack is, how botnets can use compromised devices in DDoS attacks, and how you can keep your devices safe.

You may increasingly hear about DDoS attacks, or read about them in our Cyber Pulse newsletters. What are they, and how can they affect your devices – or your business?

Simply put, a DDoS is a Distributed Denial of Service; it is an attack that tries to consume a service's resources in such a way that legitimate attempts to use the service cannot be satisfied.

Let’s break it down a bit…

Take a website as an example: the web service is a piece of software that runs on a web server and, like all software, it requires resources from said server – disk space, memory, processing time, and so on.

Every time a web request comes in from the internet for a webpage, a tiny amount of that server’s resources are used to handle the request.

These requests are normally satisfied very quickly, and as such hardly register as a blip in the server’s performance.

Now let’s multiply those requests by a factor of, say, 100,000 – something quite normal for many websites to be dealing with on a regular basis. In this case, you may start to see a very small lag in server performance, but nothing to be worried about.

Now multiply by another factor of 100,000 – we might now start to see a distinct drop in performance.

Multiply that again, and we may see the server start to hang – the term for a process that can no longer be executed. This is where we now have a denial of service.

Now, modern websites can quite easily defend against such attacks – hosting providers have various mechanisms in place to detect these sorts of increases in traffic and determine whether they are legitimate requests for services or not.

Load balancers, proxy servers, web application firewalls and cloud-hosted services are just some examples of the techniques deployed to ensure that customer services are not disrupted that easily.

However, if you have enough machines sending lots of requests per second, it could be enough to swamp even the best defences. This is the Distributed Denial of Service (DDoS).
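The detection the hosting providers above rely on, and the reason a distributed attack is harder to stop than a single noisy source, can be shown with a small added example that is not part of the original article. It parses constructed web-server access-log lines (the IP addresses and timestamps are made up), counts requests per source and per second, and applies two thresholds: a per-source limit that catches one machine hammering the server, and an aggregate limit that is the only thing that catches many machines each sending a modest number of requests. The threshold values are assumptions chosen for the sample, not figures from the article.

```python
"""Per-source versus aggregate request-rate detection over constructed
access-log lines. Added example; not code from the original article."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (ip, datetime) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts


def bucket_requests(lines):
    """Map each one-second bucket to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # unparsable lines are skipped, not fatal
            continue
        ip, ts = parsed
        buckets[ts.strftime('%Y-%m-%dT%H:%M:%S')][ip] += 1
    return buckets


def detect_floods(lines, per_source_limit=5, aggregate_limit=20):
    """Flag seconds where one IP exceeds per_source_limit, and seconds where
    the total exceeds aggregate_limit even if no single IP stands out."""
    buckets = bucket_requests(lines)
    per_source, aggregate = {}, []
    for second in sorted(buckets):
        counts = buckets[second]
        noisy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
        if noisy:
            per_source[second] = noisy
        if sum(counts.values()) > aggregate_limit:
            aggregate.append(second)
    return {'per_source': per_source, 'aggregate': aggregate}


def _line(ip, second):
    """Build one constructed log line (same date/minute, varying second)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET / HTTP/1.1" 200 612')


def build_sample_log():
    """Constructed traffic: normal visitors, one single-source flood, then a
    distributed flood where every source stays under the per-source limit."""
    lines = [_line(f'198.51.100.{i + 1}', 36) for i in range(3)]   # normal
    lines += [_line('203.0.113.9', 37)] * 8                          # one loud source
    lines += [_line(f'192.0.2.{i + 1}', 38) for i in range(25)]      # 25 quiet sources
    lines.append('this line is not an access-log record')            # parser robustness
    return lines


if __name__ == '__main__':
    for kind, hits in detect_floods(build_sample_log()).items():
        print(kind, hits)
```

Running it shows the single loud source flagged at 13:55:37 by the per-source rule, while the 25 quiet sources at 13:55:38 trip only the aggregate rule; a defence that looks solely at per-client rates would wave the distributed second through.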

So how are DDoS attacks launched?

In many cases, DDoS attacks are launched by devices that are in a botnet.

A what?

A botnet is a distributed network of compromised devices under the control of an attacker.

Botnets can be made up of almost any type of device that can connect to the internet. Recent botnets have been discovered that have computers, TVs, routers, webcams, mobile phones and even fridges in them, all being used to send malicious data to target machines to cause a DDoS.

One such botnet, created by a malware strain called Mirai, has been responsible for the world's biggest DDoS attacks.

In 2016, the French web host OVH was taken offline by a Mirai-instigated DDoS that saw a record-breaking 1TB of data per second hit their servers from approximately 145,000 infected devices – predominantly infected routers and webcams.

Another Mirai-instigated attack in 2016 saw the DNS provider DYN-DNS taken offline, which left a large number of US internet users unable to reach websites such as Reddit, GitHub, Airbnb, Twitter and Netflix as they couldn’t resolve the IP addresses for those domains.

In 2017, the creators of the Mirai malware – Paras Jha, Josiah White, and Dalton Norman – were arrested. Paras Jha was a student at Rutgers University in New Jersey but was also the owner of a DDoS mitigation company called ProTraf Solutions. A case of good turning to evil?

How do I protect against a DDoS attack?

As I mentioned before, many web-hosting sites offer various security mechanisms to help withstand the influx of large amounts of spurious data requests, so most sites should be well protected. However, it must be noted that these security controls come with an associated cost, so it becomes a matter of budget.

Would I know if my device was pulled into a botnet attack?

Botnets can be "programmed" to do all sorts of things – if your device was in a botnet and being "told" to be part of a DDoS, then you probably wouldn't notice anything as the data your device sends would be quite small.

However, if you were in a botnet and told to crack some passwords, or do some crypto-mining, then that would possibly slow your PC down a bit and maybe make the fans spin a bit faster (so they would be noisier than usual), but that's probably all. Would that make you think you'd been hacked?

Probably not, you'd most likely think, "There goes Windows again" and just get on with your day as always.
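Because the traffic a bot sends during a DDoS is small, as the article notes, volume alone rarely gives it away. What a bot cannot easily hide is that it checks in with its controller on a schedule. The following added example, which is not part of the original article, runs over constructed outbound-connection records for one device (timestamps, addresses, ports and sizes are all made up) and flags destinations that are contacted repeatedly at near-identical intervals; the thresholds for minimum connections and allowed jitter are assumptions for the sample.

```python
"""Periodic check-in ("beaconing") detection over constructed outbound
connection records. Added example; not code from the original article."""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_connections():
    """Constructed records: (seconds since log start, dst_ip, dst_port, bytes_out)."""
    records = [
        # ordinary browsing: irregular timing, mixed destinations, larger payloads
        (3, '198.51.100.20', 443, 1500),
        (41, '198.51.100.21', 443, 8200),
        (95, '198.51.100.22', 443, 400),
        (260, '198.51.100.20', 443, 2100),
    ]
    # bot check-in: roughly every 60 s with small jitter, tiny payload, one destination
    for k in range(10):
        records.append((7 + 60 * k + (k % 3), '203.0.113.77', 8080, 96))
    return sorted(records)


def find_beacons(records, min_connections=6, max_jitter=0.1):
    """Group connections by (dst_ip, dst_port) and report groups whose
    inter-connection gaps are regular: coefficient of variation <= max_jitter."""
    by_dest = defaultdict(list)
    for ts, ip, port, _size in records:
        by_dest[(ip, port)].append(ts)

    beacons = []
    for dest, times in by_dest.items():
        if len(times) < min_connections:      # too few contacts to judge a rhythm
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float('inf')
        if jitter <= max_jitter:
            beacons.append({
                'dest': dest,
                'connections': len(times),
                'mean_interval': round(avg, 1),
                'jitter': round(jitter, 3),
            })
    return beacons


if __name__ == '__main__':
    for hit in find_beacons(build_sample_connections()):
        print(hit)
```

On the sample the browsing destinations are never reached often enough to be scored, while the check-in destination is reported with ten connections at a mean interval of 60 seconds and a jitter of about 2 percent; the same rhythm is what a home router or IDS would need to look for, since the bytes involved would never stand out.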

How do I avoid being part of the problem?

Stopping your devices from being compromised with malware and being suborned into a botnet is all about good cyber hygiene.

  • Keep the device up to date with security patches and updates
  • Ensure you use antimalware solutions
  • Ensure you have changed all default passwords
  • Try not to run the device with administrative privileges unless carrying out administrative tasks
  • Protect your network with a firewall
  • If possible, protect the device with a firewall

By keeping on top of your security, you will mitigate the risk of being infected by malware and used as a pawn in a devastating attack on another victim.
