Frequently Asked Questions About DDS

What is a distributed denial-of-service (DDoS) attack?

What are the motives behind DDoS attacks?

What kinds of organizations are likely to be targets?

What kind of risk does DDoS pose? What is the potential impact on my company?

What are application layer DDoS attacks?

Do firewalls and IPS protect against DDoS attacks?

What types of DDoS defense methods are there?

What steps should my company take to protect against DDoS?

How does Corero DDoS Defense System (DDS) protect against DDoS attacks?

What is a distributed denial-of-service (DDoS) attack?

Distributed denial-of-service (DDoS) attacks are designed to disrupt critical services by crippling the operation of key assets, such as web servers and DNS servers. Typically, DDoS attacks involve sending a flood of packets over the network at a high enough volume to disrupt or overload the infrastructure, essentially making service transactions impossible. DDoS attacks can impact ISP links, routers, switches, firewalls and servers, causing one or more of them to become a bottleneck, restricting or eliminating the ability of the server to deliver its service. More recently, attackers have increasingly launched more insidious, difficult to detect application layer attacks.

Most network layer DDoS attacks use vast armies of infected computers under the control of the attackers. These are known as bots (or zombies) and are employed by the thousands in concert as botnets.

Common "traditional" network-layer attacks include:

SYN Flood

A SYN flood attack takes advantage of the TCP (Transmission Control Protocol) three-way handshake process by flooding multiple TCP ports on the target system with SYN (synchronize) messages to initiate connection between the source and target system, which responds with a SYN-ACK (acknowledgement) message for each SYN message it receives and temporarily opens a communications port for each attempted connection while it waits for a final ACK message from the source in response to the SYN-ACK messages. However, the attacking source never sends the final ACK message and therefore the connection is never completed. The temporary connection eventually times out and is closed, but not before the target system is overwhelmed with uncompleted connections.

UDP Flood

A UDP (User Datagram Protocol) flood involves the attacker sending UDP packets to each of the 65,535 ports on the target system, which is overloaded while processing the packets and attempting to send reply messages to the source system.

ICMP Flood

ICMP (Internet Control Message Protocol) packets are legitimately used for network troubleshooting, but when used for DDoS attack, these tiny packets can overwhelm a target system, leaving it unable to service valid network requests in a timely fashion.

What are the motives behind DDoS attacks?

DDoS can be about bragging rights or showing off the disruption the attacker can cause. This was apparently the case in February 2000, when a wave of DDoS attacks against high-profile commercial websites, including eBay, Amazon,, Yahoo,, ZDNet and online trading sites E*Trade and Datek raised a furor. This type of wanton attack is still a concern, but the alarms soon receded and DDoS was not regarded as a serious security issue for a time.

Extortion under threat of DDoS attack changed all that. Typically, online companies will receive an email or, sometimes, a call, threatening a crippling DDoS attack unless a sum of money is transferred to an account designated by the attackers before their deadline. Often, the criminals will launch a limited DDoS attack to prove they mean business. This scenario is a cyber variation on the protection racket, in which thugs demand payment from merchants in exchange for not harming them and/or vandalizing their business. Extortion persists as a serious threat for online companies.

Unfair competitive practices are a form of cyber crime, as unscrupulous competitors use DDoS against online businesses in their market to discourage customers and drive business to their own sites.

Unfriendly governments may launch DDoS attacks against other governments, motivated by political disputes or in times of outright hostility. There is also the risk that organized terrorist groups could attack government sites.

Hacktivism is perhaps the single most important factor in the increase in DDoS attacks. These often loosely knit groups of attackers are motivated by some political or ideological dispute, and are disturbing because of their unpredictability and apparent cavalier disregard for the consequences of their actions.

What kinds of organizations are likely to be targets?

The short answer is that no organization is safe from the threat of DDoS attack. As we have seen, any prominent website can be crippled simply because someone with the means wants to show they can do it.

Any sort of eCommerce company, such as an online retailer can be victimized by extortion under threat of disrupting their business. Financial institutions, especially those engaged in high-volume real-time online transactions could suffer disastrous consequences if they ignore a threat. Online gaming sites, both gambling and video-gaming companies, are known to be particularly susceptible to both extortion and unscrupulous competitors because of their operations are so time sensitive.

Hacktivist groups, such as Anonymous and LulzSec have demonstrated repeatedly they will attack any organization whose political positions, business practices and policies, etc. offend their sense of right and wrong.

Government departments and agencies - federal, state and local - can be targeted for by hacktivists, unfriendly nation-states or cyber vandals.

What kind of risk does DDoS pose? What is the potential impact on my company?

DDoS is clearly on the rise. Gartner reported a 30% increase in 2010, with every indication of continued upward trend. A 2011 VeriSign survey of 225 US-based IT decision-makers conducted by Merrill research revealed:

  • 78% are very or extremely concerned about DDoS attacks
  • 67% expect the frequency and strength of DDoS attacks to increase or stay the same in the next two years
  • 63% sustained more than one attack in the previous year
  • 11% were hit six or more times

The risks for all types of online companies can be enormous. JP Morgan projected that 2011 eCommerce revenue would reach $680 billion, up 18.9 percent over 2010. MasterCard reported that U.S. online holiday sales totaled $36.4 billion in 2010. Successful DDoS attacks costs can be measured in:

  • Direct loss of business while a website is seriously impaired or completely unavailable
  • Permanent loss of frustrated customers, who simply turn to competitors for similar online purchase of products and services
  • Brand damage
  • Loss of trading value on the stock market
  • Employee downtime and loss of productivity
  • For government and health care organizations, disruption of essential services for citizens and patients
  • Cost of mitigation and remediation

What are application layer DDoS attacks?

Application layer attacks are a significant factor in the increase of DDoS, because they fly under the radar. They do not consume huge bandwidth, and appear for all intents and purposes to be legitimate connections to the target server. They do not require large botnets to be effective.

Although technically still taking place over the network, application layer DDoS attacks not only send network packets, but they actually complete TCP connections from the attacker to the victim server. Once the TCP connection is made, the attacking computers make repeated requests to the application in an attempt to exhaust its resources, rendering it unable to respond to all its other requests.

These intelligent attacks are harder to defend against because they create denial-of-service conditions without causing the consumption of available network bandwidth, or overloading routers, firewalls and switches. The attack traffic often looks like legitimate, routine traffic coming into a network or website. It could be something as simple as a request to display a web page or to fill out a "contact us" form. A repetitive HTTP GET request, crippling a Web application server with an overwhelming number of requests for a resource, is a common example of an application layer DDoS attacks.

Compared to a network layer attack, a successful application layer attack typically requires a much smaller botnet to overwhelm a victim server. The hijacked bots in an application layer DDoS attack go beyond simply initiating an open communications session with a victim server. Because the attacking bots are actually communicating with the victim server, more server resources must be allocated and potentially the resources of other network assets (such as a database server) that are integrated with the victim server.

Do firewalls and IPS protect against DDoS attacks?

Traditional firewalls filter traffic based on various packet attributes (or a combination of attributes) such as source IP address, source port, destination IP address and destination port. Traditional firewalls are generally easy to operate and maintain, but are also relatively unsophisticated and therefore ineffective against DDoS.

Because traditional firewalls aren't designed to inspect application content (they generally only inspect the first few bytes of a packet to minimize latency), an attack from an allowed IP address or port can often simply pass through. Application layer attacks establish legitimate connections with the victim server and therefore must be permitted by the firewall. Firewalls cannot simply block a bona fide protocol or application connection.

In fact, traditional firewalls are sometimes themselves overwhelmed. They often become the first point of failure during an attack, rendering the site offline until both the attack ceases and the firewall is reset. Worse yet, some firewalls become overwhelmed and can let more sophisticated attacks through.

Most intrusion prevention systems (IPS) maintain a very large database of known attack signatures that must be regularly updated as new threats emerge. Due to the large size of IDS/IPS databases, it is generally not practical to enable all of the available rules or signatures, as doing so would create a network bottleneck and result in unacceptable performance degradation.

Although some IDS/IPS solutions purport to address DDoS attacks, they are not designed for this purpose. IPS typically has neither the means to identify nor the ability to limit streams of DDoS attack traffic. Traditional network-based DDoS attacks utilize allowed network protocols, such as TCP and UDP. Typical IPS cannot detect and block application layer attacks because they consist of allowed connections to the target server. Sometimes, hybrid attacks use DDoS to mask a malware attack "hiding" in all that traffic, tricking and/or heavily tasking the security device.

What types of DDoS defense methods are there?

There are several familiar approaches to mitigating the risks associated with DDoS, each with its own limitations:

Over-provisioning bandwidth and CPU cycles. Additional bandwidth is a logical business solution for increased traffic loads, spikes during heavy business periods, such as eCommerce sales, or a holiday season. Businesses also need to ensure that their servers have the computing power to handle large volumes of Internet-based transactions during peak times and as their business grows.

Many businesses believe these approaches, particularly over-provisioning bandwidth, will also absorb any DDoS attacks aimed their way. This is a costly, inefficient and limited solution, because it starts an endless escalation cycle requiring businesses to not only maintain high levels of bandwidth and costly CPU cycles on target servers, but to constantly purchase more bandwidth and more computing power.

Over-provisioning is not cost effective. Instead of spending money to build the business, you are pouring it into bandwidth to try to absorb attacker traffic designed to impede or even destroy your business. it is better to find solutions with finite and predictable costs, both from a capital expense and operating expense perspective. Network over-provisioning is useless against application-layer attacks, which do not typically consume large amounts of bandwidth. Additional CPU provisioning is also ineffective, as the attack will persist until the target is overwhelmed.

Clean Pipe services, purchased from your ISP. The general idea is that the service provider monitors and inspects Internet traffic, and routes suspect traffic to a proxy that "scrubs" the pipe clean of malicious packets. Clean pipe services can be an effective weapon for combating DDoS. However, you must work closely with the service provider to help identify the traffic types and patterns that are unique to your company's policies, applications and business practices. Service providers are dealing with many customers and may tend to take a "one-size-fits-all" approach for efficiency and cost containment.

Also, if you are relying on your service provider, you are continuously paying a premium for the privilege of getting only good traffic. In fact, good traffic may be lost through "black hole" routing designed to eliminate malicious traffic. The clean pipes service may throw out the good with the bad, especially traffic patterns and types that may be peculiar to your environment. Because the solution provider is servicing many clients, they may be less discriminating they should be. Clean pipe services are not effective against application layer attacks.

Cloud-based DDoS mitigation services. Similar to the ISP clean pipe approach, the service provider scrubs traffic during a network layer attack and allows good traffic, hopefully, to flow to the client organization. Lack of context about an organization's traffic limits effectiveness against application layer attacks and does not provide visibility into outbound traffic or server responses.

A purpose-built, on-premises DDoS defense solution provides the best protection against both network and application layer DDoS attacks . This approach provides automated detection and mitigation at the point of attack, allowing business to remain up and running.

What steps should my company take to protect against DDoS?

    1. Create a DDoS Response Plan
      As with all incident response plans, advance preparation is key to rapid and effective action, avoiding an "all-hands-on-deck" scramble in the face of a DDoS attack. A DDoS response plan lists and describes the steps organizations should take if its IT infrastructure is subjected to a DDoS attack. Increasingly, DDoS attacks against high-profile targets are intelligent, determined and persistent. 
    2. Protect Your DNS Servers
      The Internet Domain Name System (DNS) is a distributed naming system that enables us to access the Internet by using recognizable and easy to remember names such as rather than numeric IP addresses (e.g. on which network infrastructure relies to route messages from one computer to another. Since DNS is distributed, many organizations use and maintain their own DNS servers to make their systems visible on the Internet. These servers are often targeted by DDoS attacks: If the attacker can disrupt DNS operations, all of the victims' services may disappear from the Internet, causing the desired denial-of-service effect. 
    3. Maintain Continuous Vigilance
      DDoS attacks are becoming increasingly smart and stealth in their methods. Waiting for an application to become unresponsive before taking action is already too late. For optimal defense, a DDoS early warning system should be part of a company's solution. Continuous and automated monitoring is required in order to recognize an attack, sound the alarm and initiate the response plan.
    4. Know Your Real Customers
      A brute-force or flooding type of DDoS attack is relatively easy to identify, though it requires high performance and sophisticated real-time analysis to recognize and block attack traffic while simultaneously allowing legitimate traffic to pass. 
      Detection of the more insidious application layer attacks requires a thorough understanding of the typical behaviors and actions of bona fide customers or employees accessing the applications being protected. In much the same way that credit card fraud detection may be automated, on-premises DDoS defense systems establish legitimate usage profiles in order to identify suspicious traffic and respond accordingly.
    5. Deploy On-Premises DDoS Defenses
      On-premises DDoS defense solutions installed immediately in front of application and database servers are required to provide a granular response to flooding type attacks, as well as to detect and deflect the increasingly frequent application layer DDoS attacks. For optimal defense, on-premises DDoS protection solutions should be deployed in concert with automated monitoring services to rapidly identify and react to evasive, sustained attacks.

    How does Corero's DDoS Defense System (DDS) protect against DDoS attacks?

    Corero's DDS combats DDoS attacks ranging from traditional network floods to newer low-and-slow application layer attacks that don't show up on bandwidth radar screens. The three dimensions of 3DP encompass patented DDoS Defense algorithms and extensive rate-based protection mechanisms, stateful firewall filtering and malicious content protection.

    Based on intelligent behavioral analysis, Corero's DDS uses an adaptive, patented DDoS defense algorithm to ensure business continues as usual — blocking malicious incoming requests while passing legitimate traffic to the company's protected servers. This system debits a DDS-maintained credit balance associated with each source IP address and blocks further requests from an IP address when the credits are depleted.

    Every client connection is assigned a positive credit balance when a session is initiated. Each connected client earns additional credits each minute for good behavior. As long as there are credits available, the client can initiate new transactions through the DDS.

    For each good request from the client, credits are debited. Good clients can make a lot of good requests, but are still constrained by policy-based rate limits.

    But bad behavior from a connected client will quickly result in that client being blocked by DDS. For example, if a client makes repeated HTTP GET requests to the same web page or server object, or multiple DNS requests that result in error responses, many credits are debited — even if requests are low and slow. Repeating such requests will result in the client credit balance going to zero, and all new transactions from that client will be blocked until new credits are earned.

    This adds extra protection for eCommerce and other business-critical web services. By tracking the behavior and evaluating the threat level associated with each client, Corero DDS automatically applies the appropriate treatment to each new transaction, allowing a business's real customers to access the desired services even during an active DDoS attack.

    DDoS Defense System benefits:

    • Automatically detects and mitigates both traditional network layer DDoS attacks and more advanced application layer attacks.
    • Protects your network, allowing legitimate communications to pass without delay even while under attack.
    • Enables business continuity, allowing your customers to keep receiving quality service.
    • Leverages Three Dimensional Protection (3DP) to provide network and application layer DDoS defense, protection against undesired access, and protection against malicious content.
    • Provides lowest latency and high throughput, even while under attack, meaning no network interruption and no service degradation.
    • Offers absolute reliability with purpose-built hardware featuring redundant power supply, a rating of 20 to 30 years mean time between failures, no rotating media, and no chip fans.
    • Advanced clustering capability and dramatically increased performance through Corero's ProtectionCluster™, which allows scalable transparent deployment in all redundant networks, even those with asymmetric routes.
    • Presents an intuitive user interface that facilitates real-time incident response.
    • Monitors outbound traffic with its bidirectional inspection and granular security policy controls.
    • Thwarts reflective DDoS attacks with its inherent stateful firewall capabilities effectively blocking mid-flow attacks.
    • Detects and mitigates specially crafted packet denial of service attacks with its inherent Stateful Protocol Analysis capabilities.
    • Detects and blocks server-targeted malware and other remote exploit attempts with its built-in protection against malicious content.