In February 2020, Amazon Web Services' (AWS) Shield service mitigated the largest distributed denial of service (DDoS) attack in history. At its peak, the attack threw 2.3 terabytes of traffic at an undisclosed AWS customer's network every second, ZDNet reported. Just how much is that? According to Amazon's threat landscape report from the first quarter of 2020, the February attack was approximately 44% larger than any network volumetric event previously detected by AWS.
The who, what, how and why of a DDoS attack
A DDoS attack is an amplified version of a denial of service (DoS) attack. In a DoS attack, a single source, usually one computer, maliciously floods a targeted resource (a web server, a network server or a computer) with more traffic than it can handle. Verizon's 2020 DBIR showed that DoS attacks were the number one attack vector in the tens of thousands of security incidents analyzed; more than half of all incidents had a DoS component at the center.
In a DDoS attack, the attack is distributed: the attackers multiply the malicious traffic by using many compromised systems as attack sources, including computers, servers, smartphones and other networked resources such as Internet of Things devices. Because the flood arrives from many sources at once, a DDoS attack can generate tremendous amounts of traffic, snarling the targeted server, service or network until it chokes.
Most DDoS attacks come from cybercriminals, but they can also come from nation-states, business competitors or would-be hackers testing their skills. Usually, attackers are after one of three goals: shutting down enterprise networks, services or applications; extorting money; or winning bragging rights.
Most attacks are small: Amazon reported that in the first quarter of 2020, 99 percent of attacks were smaller than 43 gigabytes per second. But high-profile attacks are getting bigger and bolder. In 2016, the Mirai botnet nearly toppled the internet, crashing major websites and crippling services such as PayPal and Netflix. And in March 2020, the Paris hospital authority was able to fend off an attack that sought to disable hospital services.
Identifying a DDoS attack in network security
The problem is that DDoS attacks' most common symptoms—traffic spikes and interrupted service—don't immediately register as suspicious. But analyzing those traffic spikes uncovers telltale attack markers, such as unusual or unnatural traffic patterns and suspicious traffic from a single IP address or device type.
It's easier to identify a DoS attack than it is a DDoS attack. A DoS attack can be identified by most intrusion detection systems and can be stymied with a firewall. Detection systems and firewall rules can sniff out a DDoS attack, but detection must be part of a broader strategy that includes prevention and defense.
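The two markers named above, a traffic spike against the normal rate and suspicious concentration of that traffic in one address or one device type, can be checked directly from an access log. The following is an added example, not code from the article or from any vendor's product: it parses constructed combined-format log lines, establishes a baseline request rate from the first few seconds, and flags later seconds whose volume jumps well above that baseline, labelling each spike as single-source (DoS-like) or distributed (DDoS-like) depending on how much of it comes from the top address. The baseline window, spike factor and share threshold are assumed tuning values, and the IP addresses and user agents are constructed sample data.

```python
"""Flag volume spikes and source concentration in an access log.

Added example, not from the article.  The log lines are constructed below and the
thresholds (baseline window, spike factor, top-source share) are assumptions that a
real deployment would tune to its own traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import mean

# Combined-log-format line: ip ident user [timestamp] "request" status size "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return {'ip', 'second', 'ua'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "second": int(ts.timestamp()), "ua": m["ua"]}


def analyze(lines, baseline_seconds=5, spike_factor=5.0, top_share=0.5):
    """Compare each second after the baseline window with the baseline request rate.

    A second whose total is at least spike_factor times the baseline is reported.  If
    the busiest address sent at least top_share of that second's requests the spike is
    labelled single-source, otherwise distributed.  The dominant user agent is also
    reported as a hint of a shared device type.
    """
    per_second = defaultdict(Counter)      # second -> Counter of source IPs
    per_second_ua = defaultdict(Counter)   # second -> Counter of user agents
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # skip malformed lines rather than fail
        per_second[ev["second"]][ev["ip"]] += 1
        per_second_ua[ev["second"]][ev["ua"]] += 1

    seconds = sorted(per_second)
    baseline = mean(sum(per_second[s].values()) for s in seconds[:baseline_seconds])
    findings = []
    for s in seconds[baseline_seconds:]:
        ips = per_second[s]
        total = sum(ips.values())
        if total < spike_factor * baseline:
            continue
        top_ip, top_n = ips.most_common(1)[0]
        top_ua, ua_n = per_second_ua[s].most_common(1)[0]
        findings.append({
            "offset": s - seconds[0],
            "total": total,
            "baseline": baseline,
            "sources": len(ips),
            "top_ip": top_ip,
            "top_ip_share": top_n / total,
            "top_ua": top_ua,
            "top_ua_share": ua_n / total,
            "kind": "single-source flood" if top_n / total >= top_share else "distributed flood",
        })
    return findings


def _line(sec, ip, ua="Mozilla/5.0"):
    """Build one constructed log line at 12:00:<sec> UTC on 1 Feb 2020."""
    ts = datetime(2020, 2, 1, 12, 0, sec, tzinfo=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "{ua}"'


def constructed_log():
    """Constructed sample: 5 quiet seconds, then a DoS-style and a DDoS-style second."""
    lines = []
    for sec in range(5):                                   # baseline: 4 requests/s
        lines += [_line(sec, f"10.0.0.{10 + i}") for i in range(4)]
    lines += [_line(5, "198.51.100.7")] * 36                # second 5: one source dominates
    lines += [_line(5, f"10.0.0.{10 + i}") for i in range(4)]
    for i in range(30):                                    # second 6: 30 sources, same agent
        lines += [_line(6, f"203.0.113.{i + 1}", ua="Dalvik/2.1.0")] * 2
    return lines


if __name__ == "__main__":
    for f in analyze(constructed_log()):
        print(f"t+{f['offset']}s {f['kind']}: {f['total']} req/s vs baseline {f['baseline']:.0f}, "
              f"{f['sources']} sources, top {f['top_ip']} ({f['top_ip_share']:.0%}), "
              f"agent {f['top_ua']} ({f['top_ua_share']:.0%})")
```

Run as a script it prints two findings: the single-source second (where a firewall rule against one address would suffice) and the distributed one, where no single address stands out but the shared user agent and the sudden number of new sources do. In practice the baseline would be learned over a much longer window than five seconds, and the per-IP view should be joined with network-level counters, since an application log only sees the requests that survived long enough to be written.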