How to Stop a DDoS Attack: Mitigation Steps for Each OSI Layer
Distributed denial of service (or DDoS) attacks occur when cybercriminals employ multiple machines to simultaneously carry out a denial of service (DoS) attack, which increases its effectiveness. DDoS attacks can target both the network and application OSI layers to overwhelm different resources. Due to the distributed nature of the requests coming into the targeted website, mobile application, or API, DDoS attacks are difficult to detect and block—and are much more likely to bypass traditional DoS protections through brute force.
DDoS attacks are becoming increasingly commonplace and more threatening than ever. Just in the first half of 2023, almost 8 million DDoS attacks were launched around the web—a 31% YOY increase. Wireless telecommunication networks are also seeing major increases in DDoS attacks on their infrastructure, with a 294% increase in attacks in just the APAC region.
The global COVID-19 pandemic has forced more people to work remotely over the internet, effectively increasing the potential attack surface for DDoS attacks, among other factors. But the bottom line is, we can no longer underestimate DDoS attacks. And they are no longer an issue exclusive to huge enterprises and websites.
Recognizing the Signs of a DDoS Attack
There are many different types of DDoS attacks with various symptoms and impacts. So, identifying and stopping the different types of DDoS attacks may vary depending on the technique used and other factors.
The most obvious symptom of a DDoS attack is when a website or application (or other internet services) suddenly slows down or totally crashes. However, similar issues can be caused by reasons other than DDoS attacks, like spikes in legitimate traffic, issues in hardware infrastructure, and countless other factors.
It’s best to use a traffic analytics tool (e.g. Google Analytics) to check for the following signs:
- A sudden spike in traffic from clients who share common signatures, like similar web browser versions, country of origin (geolocation), device type, and behavioral profile.
- A sudden, unprecedented, and unexplained spike in requests to an endpoint (e.g. a single page on the website).
- A massive amount of traffic from a single IP address (or IP range).
- Peculiar patterns in traffic, for example, regular spikes every 10 minutes, spikes at only specific hours of the day, and so on.
It’s crucial to understand that by the time a DDoS attack is identifiable, the damage is already done and can only be minimized. However, it is still important to identify and stop a DDoS attack as early as possible to minimize the damage.
The best approach is to prevent the DDoS attack instead of stopping it during an ongoing attack.
Analyze your website for DDoS threats.
DDoS Attack Prevention Strategies
1. Look Out for the Warning Signs
As mentioned above, a DDoS attack’s first warning sign is when a website or application suddenly slows down or crashes. You can monitor sophisticated threats and suspicious traffic to your website with something as simple as a free trial of advanced threat protection. Another option is to use a traffic analytics tool like Google Analytics to look for the following:
- A sudden spike of traffic from clients with similar signatures.
- A sudden spike of traffic to a specific endpoint.
- A huge amount of traffic from one IP address or IP range.
- Strange patterns in traffic spikes, such as every 10 minutes or only at specific times of day.
2. Invest in a Sophisticated Bot Management Solution
Most DDoS attacks, particularly on layer 7 (the application layer), will be performed automatically by bots. Attackers may even utilize botnets to leverage thousands of unique IP addresses, making IP blocking useless in stopping the attack. The only way to prevent layer 7 DDoS attacks is to implement a solution that analyzes all traffic and blocks bots at the edge before they can even connect.
DataDome’s bot management solution takes less than 2 milliseconds to decide whether every single request made to a protected mobile app, website, or API is made by a bot or a human. DDoS attack attempts are blocked before they even begin, and the DataDome dashboard will alert you to attempted attacks immediately.
3. Partner With the Right ISP or Hosting Provider
If you don’t host your own web service or application, it’s very important to choose the right internet service provider (ISP) or hosting provider with adequate security best practices and a response plan for stopping DDoS attacks.
In fact, having your website or application hosted in a secure hosting center has benefits over hosting it yourself. Hosting centers (data centers) tend to have far higher bandwidth and larger capacity in their hardware infrastructures than what most companies have.
Also, a good ISP should employ staff that is experienced in stopping DDoS attacks. So, in the event that you identify symptoms of a DDoS attack, you can simply call your ISP or hosting provider to ask for help. Depending on the strength of the DDoS attack, your ISP might have detected and stopped it before you.
4. Protect Your Network Perimeter
On your own, you can establish a few technical measures to at least partially mitigate the effect of any DDoS attack, especially upon early detection.
You can:
- More aggressively time out half-open connections whenever possible.
- Drop malformed and spoofed packages as early as possible.
- Rate limit your router to prevent volumetric DDoS attacks.
- Set lower thresholds for SYN, ICMP, and UDP floods.
- Establish a botnet detection system to detect botnet activity as early as possible.
5. Increase Your Bandwidth
One of the keys to protecting your web services from DDoS attacks is having more bandwidth.
By having more bandwidth than you are likely to need, you can accommodate unexpected spikes and buy yourself more time to mitigate any DDoS attempts. However, increasing your bandwidth for possible spikes is not always the most cost-effective solution.
6. Develop a DDoS Response Plan
By the time you identify a DDoS attack, in most cases, it’s already too late.
Thus, the best way to stop a DDoS attack is to create a detailed response plan that comprehensively lists the required, pre-planned response steps when an attack is detected.
Your plan should include:
- Who to call (ISP provider, DDoS mitigation service, etc.).
- What steps each member of IT and security teams should take.
- Whether or not you will need to communicate to your customers, vendors, and third-party stakeholders, and the exact steps to do so.
DDoS attacks can last a long time, so the response plan for stopping a DDoS attack should especially detail how to manage communications internally and externally during this time.
The 7 OSI Layers
The open system interconnection (OSI) model is a conceptual model developed by the ISO (International Standards Organization) that standardizes the communication functions of a computing/network system. The OSI model consists of seven different “layers” with distinct functions:
Layer 1: Physical Layer
Layer 1 refers to the hardware aspect, responsible for transmitting and receiving raw data between physical hardware and a physical transmission medium. In short, this layer is responsible for controlling the physical connection between devices.
Layer 2: Data-Link Layer
This layer is responsible for controlling the node-to-node delivery of data, making sure data transfer is error-free over the physical layer.
Layer 3: Network Layer
Layer 3 is responsible for controlling the transmission of data from two hosts located in different networks, which includes:
- Routing: Determines which route is the most ideal from source to destination.
- Logical Addressing: Defines an addressing scheme to accurately identify all devices on different networks.
Layer 4: Transport Layer
Moves data between layer 3 and layer 5. Data in the transport layer is referred to as segments because it is segmented before being reassembled to ensure end-to-end delivery. The transport layer also verifies whether data transmission is successful and retransmits the data if an error is found.
Layer 5: Session Layer
The main function of layer 5 is maintaining sessions and reliable connections. Also responsible for synchronization authentication to ensure security.
Layer 6: Presentation Layer
Also referred to as the translation layer, the main function of this layer is translating or converting data (i.e. from EBCDIC to ASCII), as well as performing encryption/decryption and compression to ensure the reliable presentation of complete data.
Layer 7: Application Layer
At the very top of the OSI model, this layer facilitates interface interactions between end-users and the application using network functionalities. This layer is also responsible for:
- Managing how the application works while using the network’s resources.
- Providing error messages to end-users when required.
We can illustrate the OSI layers by sending a letter inside a closed envelope as follows:
- The content of the letter is the raw data (layers 5, 6, and 7).
- The letter is put inside a standardized envelope according to the transmission standard (layer 4).
- To make sure the letter is sent properly, we must define the address of the recipient and the recipient’s identity (layer 3).
- We send the letter through a postman (layer 2), and the postman will deliver the letter to a physical recipient (layer 1).
DDoS Attack Mitigation Techniques for Each OSI Layer
Cybercriminals can launch different types of DDoS attacks to target different OSI layers that will affect the layers in different ways. Below, we explore examples of DDoS techniques at each layer, their potential impacts, and available mitigation options:
Layer 1: Physical
Layer 1 is not a target for DDoS attacks, but can be a target of physical manipulation, obstruction, or even destruction. This will cause failure on physical assets, which may, in turn, produce an effect similar to DDoS attacks: preventing the application from servicing users.
Mitigation: Audit, track, and protect physical assets.
Layer 2: Data-Link
Media access control (MAC) flooding is a type of DDoS attack designed to overwhelm the network switch with data packets. MAC flooding will disrupt layer 2’s usual flow of sender-recipient data transmission, causing the data flow to blast across all ports, confusing the whole network.
Mitigation: Use advanced network switches that can be configured to limit the number of MAC addresses that can be learned on the network ports. Another option is to authenticate discovered MAC addresses against an authentication, authorization, and accounting (AAA) server to filter out possible MAC flooding attempts.
Layer 3: Network
A very common type of DDoS attack targeting the OSI layer 3 is Internet Control Message Protocol (ICMP) flooding, which utilizes ICMP to overload the network’s bandwidth. An ICMP flooding attack may also cause extra load on the firewall, opening vulnerabilities to other types of attacks (including non-DDoS attacks).
Mitigation: Rate limiting ICMP traffic is the most common and effective mitigation method.
Layer 4: Transport
There are two popular DDoS attacks targeting the transport layer: The smurf attack and the SYN flood.
A smurf attack uses the DDoS.Smurf malware and is quite similar to the ICMP flooding attack but much more amplified. SYN flood (or TCP SYN flood) attacks, on the other hand, send rapid connection requests to a server without finalizing the connection, causing confusion and potentially leading to a need to fix server overload.
Mitigation: ISPs might perform blackholing, which is blocking all incoming traffic to a website affected by layer 4 attacks. Blackholing is performed to protect other customers of the ISPs from being affected by the attack.
Layer 5: Session
Attackers may launch tailored DDoS attacks targeting software running on the network switch. This may prevent system administrators from performing switch management functions, which can render the whole software unavailable.
Mitigation: Varies depending on the network switch and the software solution controlling the switch. Make sure the software and firmware of the switch are up-to-date with the latest security patches at all times.
Layer 6: Presentation
Attackers can use malformed SSL requests to attack OSI layer 6. Inspecting individual SSL encryption packets is resource-intensive, and attackers exploit this issue by using SSL attacks to tunnel HTTP attacks targeting the network server. Malformed SSL requests can cause the affected system to stop accepting SSL connections or automatically crash/restart.
Mitigation: A viable option is to offload the SSL traffic and then inspect it for signs of attacks at an application delivery platform (ADP). The ADP should also ensure that your traffic is re-encrypted and forwarded back to the source. This way, unencrypted data will only be available in protected memory and secure hosts.
Layer 7: Application
On the top layer of the OSI model, attackers can use layer 7 DDoS attacks like abusing PDF GET requests, HTTP GET, and HTTP POST floods to overwhelm the application so it can’t access any more resources and, at the same time, won’t be able to provide services to its end-users.
Mitigation: Advanced bot management and layer 7 DDoS protection software are necessary for preventing layer 7 attacks by monitoring software applications to detect attack attempts as soon as possible. Once detected, attack attempts can be stopped and traced back to a specific source. While detection of layer 7 DDoS attacks is challenging, once detected, it’s easier to trace the traffic back to a specific source compared to other types of DDoS attacks.
While there are seven different OSI layers, DDoS attacks are more commonly targeted to layer 3, layer 4, and layer 7 due to the relative ease of implementation and yet potentially massive impacts:
Layer 3 & Layer 4 DDoS Attacks
Also called volumetric DDoS attacks, attacks on layers three and four typically rely on extremely high volumes of requests (also called floods). These attacks typically involve SYN, ICMP, and UDP floods.
The basic idea is that by overwhelming the network layer and transport layer, the attack will slow down the server’s performance, consume bandwidth, and ultimately prevent legitimate users from accessing the website or application.
Layer 7 DDoS Attacks
Layer 7 attacks are designed to attack specific elements of an application’s infrastructure.
Layer 7 attacks resemble legitimate user traffic, so they are very difficult to detect and mitigate. Advanced attackers can also use sophisticated bots that can randomize or repeatedly change their signatures, making it even more difficult to detect layer 7 attack attempts.
As discussed, advanced monitoring and detection solutions are required to monitor the application for potential layer 7 attacks.
Common DDoS Traffic Types
Many types of DDoS attacks utilize HTTP headers.
“Headers” in HTTP are fields that describe which resources are requested by the client: website URL, JPEG image, forms, and so on. HTTP headers also provide information about what kind of web browser and operating system (OS) are used by the client (via USER AGENT header).
Besides USER AGENT, other common HTTP headers are GET, POST, LANGUAGE, and ACCEPT. In DDoS attacks, the attacker can use and modify headers to:
- Overwhelm the web server.
- Ask the identity of the attacker.
- Trick a caching proxy not to cache the information, so it’s harder to trace the attacker.
Here’s a list of common DDoS traffic types based on HTTP headers:
- HTTP POST Request: This header submits data to be processed by the server to confuse and overwhelm the server. For example, the POST request may extract data in a form database, encode it, then post the content to the server, overwhelming the server.
- HTTP POST Flood: Attackers use a high volume of POST requests, so the server cannot respond to all of them. HTTP POST flood attack will overwhelm the server, causing high usage of system resources that slows down or even crash the server.
- HTTPS POST Request: Similar to above, this is an encrypted version of an HTTP POST request. The data transferred back and forth with this type of traffic is encrypted, so inspection and detection are also more difficult.
- HTTPS POST Flood: Another version of HTTP POST flood sent over an SSL (HTTPS) encryption. Using SSL means that before we can inspect the attack, we must first decrypt the request, so inspection is more resource heavy.
- HTTP GET Request: A header that makes a request for information to the server. With a GET request, a client asks the server for resources such as an image that will be rendered by your browser.
- HTTP GET Flood: HTTP GET Flood is a type of layer 7 (application layer) DDoS attack technique that sends a massive volume of GET requests to the server to overwhelm it so it cannot respond to legitimate user requests.
- HTTPS GET Request: An HTTP GET request that is sent over an SSL session. The traffic must be decrypted first before it can be inspected.
- HTTPS GET Flood: A HTTP GET Flood set over an SSL encryption. Similar to other HTTPS-based attacks, we have to first decrypt the request before we can mitigate the attack.
- ICMP Flood: A protocol used mainly in error messages, rarely to exchange data between systems. In an ICMP flood, the attacker targets the layer 3 OSI by using a massive amount of ICMP messages to overload the server’s bandwidth, denying its service to legitimate users.
- UDP Flood: A common technique used to attack servers with a larger bandwidth. We don’t need to make any connection, and it’s fairly easy to generate UDP (protocol 17) messages using various different programming languages. So, launching a UDP flood is fairly easy and affordable.
- MAC Flood: A relatively rare type of layer 2 DDoS attack in which the attacker sends multiple fake Ethernet frames with different MAC addresses. Network switches are designed to treat MAC addresses separately, so they reserve some resources for each request. In MAC flooding, all the memory in a network switch is used up, overwhelming it and causing it to become unresponsive. In certain cases, a MAC flood attack may completely disable the router, disrupting the whole network.
Fight DDoS Attacks With DataDome
DDoS attacks can be very difficult to detect and stop, and the potential damage can be devastating.
Any business with an online presence needs to understand the different types of DDoS attacks, their potential impacts, and especially how to stop them.
Developing a DDoS response plan is crucial. Attack effects can be partially mitigated by choosing an ISP provider with enough bandwidth. Still, the best defense is to invest in bot mitigation software that can constantly monitor and analyze traffic to stop DDoS attacks before they begin. DataDome’s solution includes layer 7 DDoS protection software, meaning your websites and applications are shielded from bot attacks.
Frequently Asked Questions
Can DDoS attacks be stopped?
The best way to stop DDoS attacks is by preventing them in the first place. If a DDoS attack is already in progress, its effects can only be mitigated, as the damage may be already done.
How can DDoS attacks be stopped?
The method you use to stop a DDoS attack depends on what layer the attack is targeting. Layer 7 attacks are the most difficult to catch because the bot traffic can resemble human traffic. Defending against layer 7 DDoS attacks requires an advanced solution that can constantly monitor all of your traffic.
Stopping DDoS attacks on other OSI layers varies by the targeted layer:
- Layer 2 requires limiting or authenticating MAC addresses.
- Layer 3 requires rate limiting.
- Layer 4 is usually protected with blackholing.
- Layer 6 requires using an ADP to offload SSL traffic and inspect it before allowing the connection.
How long do DDoS attacks last for?
If left unchecked, DDoS attacks can last as long as the cybercriminal has the desire and resources to keep it going. There are some extremely short DDoS attacks that send enough traffic in a handful of minutes to shut down a web server entirely, at which point the attack cannot continue.
Responding quickly to an ongoing DDoS attack can cut the duration into less than a day—or less if you have a very solid DDoS response plan and a reactive hosting provider.
What is the best solution for DDoS attacks?
The best strategy is to implement DDoS prevention strategies. Alongside partnering with the right hosting provider, protecting your network perimeter, and developing a response plan, using an advanced bot management solution can help mitigate bot-powered DDoS attacks, especially on layer 7. Your advanced bot mitigation software should analyze and inspect all traffic at the edge, stopping bots before they can connect to your web resources.
Analyze your website for DDoS threats.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/how-to-stop-ddos-attacks/