What is a distributed DoS attack?

One DDoSer can do a lot of damage. These denial of service attacks are called distributed because they come from many computers at once. A DDoSer controls a large number of computers that have been infected by a Trojan virus. The virus is a small application that allows remote command-and-control capabilities of the computer without the user’s knowledge.

What is a zombie and a botnet?

The virus-infected computers are called zombies – because they do whatever work the DDoSer commands them to do. A large group of zombie computers is called a robot network, or botnet. Your computer could be part of a botnet without your knowledge. You might not notice any difference, or you might notice your computer is not as fast as it used to be. That’s because it may be busy participating in a DDoS attack at the same time you are using it. Or, you might find out that your computer is infected when your Internet service provider (ISP) drops your service because your computer is sending an unusually high number of network requests.

How does a DDoS botnet work?

Zombie computers in a botnet receive instructions from a command and control server, which is an infected web server. DDoSers who have access to a command and control (C&C or CC or C2) server can recruit the botnet to launch DDoS attacks. Akamai has identified thousands command-and-control servers and more than 10 million zombies worldwide. We track them and notify law enforcement to disable them when possible.

Many types of DDoS attacks

There are many types of DDoS attacks. They target different network components – routers, appliances, firewalls, applications, ISPs, even data centers – in different ways. There is no easy way to prevent DDoS attacks, but Akamai has a proven DDoS protection approach that works to minimize the damage and let your enterprise keep working and service customers during an attack.

DDoS attackers use a variety of DDoS attack methods. The malicious hacker group Anonymous, for example, started with a tool that could launch Layer 7 DDoS attacks and Layer 3 DDoS attacks from any computer. These attacks had a common attack signature – that is, they sent common code. As a result, the attacks could be detected and mitigated (stopped) fairly easily.

It’s a game of cat and mouse. The cat learns about what the mouse is doing, so the mouse works to changes tactics to avoid getting caught. DDoSers got smarter and started randomizing their attack signatures and encrypting their code. Some even started using automated browsers to visit a web page and feed harmful code to a web application on the site.

Although application-layer DDoS attacks are more difficult to recognize, DDoS mitigation experts know what to look for – and we are always looking. Akamai’s anti-DDoS experts monitor and analyze these attacks all the time – day and night.

What are application layer 7 DDoS attacks?

Application layer 7 (L7) attacks may not create such high volumes of network traffic, but they can harm your website in a more devastating way. How an application-layer DDoS works is by activating some aspect of a web application, such as posting different user names and passwords, or targeting a shopping cart or search engine.

Many of the high profile e-commerce outages are the result of Layer 7 application attacks. The biggest issue is that Layer 7 attacks can change and randomize very fast. Anything a visitor can access an attacker can too – and it looks the same to an IT administrator. Application layer attacks can be especially tricky to mitigate, because you do not want to block legitimate users. But there are still ways to do it with DDoS mitigation software and hardware, such as rate limiting rules, CAPTCHAs, black listing IP addresses, and more. DDoS mitigation service technicians can monitor and analyze an attack while it’s happening to minimize damage.