A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS) attack in which the traffic comes from multiple hosts as opposed to one, which makes it very difficult to block. As with any DoS attack, the objective is to make a target unavailable by overloading it in some way.
Generally, a DDoS attack entails a number of computers, or bots. During the attack each computer maliciously sends requests to overload the target. Typical targets are web servers and websites, including WordPress websites. As a result, users are unable to access the website or service. This happens because the server is forced to use its resources to handle these requests exclusively.
It is important for WordPress admins to understand and be prepared for DDoS attacks. They can occur at any time. In this article we’ll explore DDoS in depth and provide you with some tips to help keep your WordPress site protected.
DDoS is an attack aimed at disruption and not a hack
It’s important to understand that a DDoS attack isn’t a malicious WordPress hack in the traditional sense. Hacking implies an unauthorized user gaining access to a server or website that they shouldn’t have.
An example of a traditional hack is when an attacker exploits a vulnerability in the code, or when they use a packet sniffer to steal WordPress passwords. Once the hacker has the credentials, they can steal data or control the website.
DDoS serves a different purpose and doesn’t require privileged access. DDoS simply aims to disrupt normal operations of the target. With traditional hacks, the attacker may want to go unnoticed for a while. With DDoS, if the attacker is successful, you’ll know almost immediately.
Different types of Distributed Denial of Service attacks
DDoS isn’t just one single type of attack. There are several different variants and they all work a little differently under the hood. Under the DDoS category, there are several subcategories that attacks can be classified into. Listed below are the most common ones.
Volumetric DDoS attacks
Volumetric DDoS attacks are technically straightforward: attackers flood a target with requests to overload bandwidth capacity. These attacks don’t target WordPress directly. Instead they target the underlying operating system and web server. Nonetheless, these attacks are very relevant to WordPress websites. If the attackers are successful, your WordPress site won’t serve pages to legitimate visitors for the duration of the attack.
Specific DDoS attacks that fall into this category include:
- NTP amplification
- UDP floods
Application layer DDoS attacks
Application layer DDoS attacks focus on layer 7, the application layer. This means they focus on your Apache or NGINX web server, and your WordPress website. Layer 7 attacks get more bang for their buck when it comes to the damage done relative to bandwidth spent.
To understand why that is the case, let’s walk through an example of a DDoS attack on the WordPress REST API. The attack starts with an HTTP request, like an HTTP GET or HTTP POST from one of the host machines. This HTTP request uses a relatively trivial amount of resources on the host. However, on the target server it may trigger several operations. For example, the server has to check credentials, read from the database, and return a webpage.
In this case, we have a big discrepancy between the bandwidth the attacker used and resources the server consumed. This disparity is typically exploited during an attack. Specific DDoS attacks that fall into this category include:
- HTTP floods
- Slow Post attacks
Protocol-based DDoS attacks
Protocol-based DDoS attacks follow the same resource-exhaustion model as the other DDoS attacks. However, they generally focus on the network and transport layers, as opposed to the service or application.
These attacks attempt to deny service by targeting appliances like firewalls or the underlying TCP/IP stack running on your server. They exploit vulnerabilities in how the server’s network stack handles network packets, or how TCP communication works. Examples of protocol-based DDoS attacks include:
- SYN floods
- Ping of death
Multi-Vector DDoS attacks
As you might expect, attackers don’t limit themselves to just one type of attack. It is becoming increasingly common for DDoS attacks to take a multi-vector approach. Multi-vector DDoS attacks are just what you’d expect: DDoS attacks that use multiple techniques to knock a target offline.
Understanding reflection and amplification in DDoS
Two terms that come up frequently with DDoS attacks are reflection and amplification. Both of these are techniques attackers use to make DDoS attacks more effective.
Reflection is a technique where the attacker sends a request with a spoofed IP address to a third-party server. The spoofed IP address is the address of the target. During this type of attack, attackers typically use a variety of UDP protocols. Here is how it works:
- The attacker sends a UDP request with the spoofed IP address, say the IP of your WordPress site, to a large number of servers called reflectors.
- The reflectors receive the request and reply to your WordPress site’s IP all at the same time.
- The reflectors’ responses flood your WordPress site, potentially overloading it and making it unavailable.
Amplification works similarly to reflection, but it requires less bandwidth and fewer resources from the attacker, because the requests sent to the reflectors are much smaller than the responses the reflectors send to the target. This is the same kind of asymmetry we saw with application layer Distributed Denial of Service attacks.
The role of botnets in DDoS attacks
Ever wondered where attackers get the resources to coordinate the attacks?
The answer is botnets. A botnet is a network of devices that have been compromised by malware. This could be a PC, server, network or smart device. The malware enables attackers to remotely control each individual compromised host.
When used for DDoS, botnets carry out a coordinated Denial of Service attack against a given target host, or group of hosts. In short: botnets enable attackers to leverage resources on infected computers to carry out attacks. For example, this was the case when over 20,000 WordPress sites were used to carry out DDoS attacks against other WordPress sites in 2018.
The motivation behind Distributed Denial of Service attacks
“Why do people carry out DDoS attacks?” is a good question to ask at this point. We’ve reviewed why a malicious hacker would target your WordPress site in the past, but only one of those points really applies to DDoS: hacktivism. If someone doesn’t agree with your point of view, they may want to silence your voice. DDoS provides a means to do so.
Looking past hacktivism, state-level cyber warfare or industrial attacks with commercial motivations are possible drivers of DDoS as well. Mischievous attackers are also quite common: teenagers having fun and using DDoS to create some chaos.
Of course, one of the biggest motivators is money. Attackers may request a ransom to stop attacking your WordPress website. It could be that they benefit commercially if your site is down. Taking this a step further, there have been DDoS-for-hire services!
Real-world examples of Distributed Denial of Service
How severe can Distributed Denial of Service attacks be? Let’s take a look at some famous DDoS attacks of the last few years.
GitHub (twice!): GitHub suffered a massive Denial of Service attack in 2015. It seemed that the attacks were aimed at two anti-censorship projects on the platform. The attacks impacted GitHub’s performance and availability for a number of days.
Then in 2018, GitHub was again the target of a DDoS attack. This time the attackers used an attack based on memcached. They leveraged the amplification and reflection methods. Despite the size of the attack, attackers only brought GitHub down for about 10 minutes.
The nation of Estonia: April 2007 marked the first known cyber-attack against an entire nation. Shortly after the Estonian government decided to move the Bronze Soldier statue from the center of Tallinn to a military cemetery, riots and looting occurred. At the same time attackers launched a number of Distributed Denial of Service attacks that lasted weeks. They impacted online banking, media, and government services in the country.
Dyn DNS: On October 21st in 2016 Dyn suffered a large scale DDoS attack. Because of the attack, the Dyn DNS services could not resolve user queries. As a result, thousands of high traffic websites, including Airbnb, Amazon.com, CNN, Twitter, HBO and VISA were unavailable. The attack was coordinated through a large number of IoT devices, including web cams and baby monitors.
WordPress tips for protecting against DDoS attacks
As an individual WordPress administrator you do not have the resources and infrastructure to fend off a DDoS attack. However, many WordPress web hosts offer some sort of DDoS attack mitigation, so ask about it when choosing a hosting provider for your WordPress website. You can also use a WordPress / web application firewall (WAF) & Content Delivery Network (CDN). We’ve coupled WAFs & CDNs into one entry as there are providers, like Sucuri, which provide them both in a single solution.
When you use a WAF or CDN, traffic is first routed and filtered by the service before hitting your website. This setup can head many attacks off at the pass while limiting the damage of others. Some CDNs offer benefits that enable detection and response to DDoS attacks. Since they can benefit from economies of scale in the cloud, CDNs and online WAFs can offload attacks. They redirect them to networks that have plenty of bandwidth and the right tools to handle them.
Deterring hackers & DDoS attacks
However, as we have seen with the WordPress BruteForce Botnet, there are several security best practices you can implement on your WordPress website so it does not attract attackers’ attention and possibly DDoS attacks:
- Keep your WordPress site updated: keeping your WordPress core, plugins, themes and all other software that you use up to date mitigates the risk of a known vulnerability being used against you. Keeping your site updated also reduces chances of it becoming part of a botnet.
- Use a scanner to check for vulnerabilities: some DoS attacks exploit issues like Slowloris. This and other security flaws can be detected by vulnerability scanners. So when you scan your website and web server often, you identify vulnerabilities DDoS attacks may exploit. There are a variety of scanners you can use. We use the non-intrusive WPScan Security Scanner to WordPress administrators.
- Review logs to improve security & identify problems: WordPress audit logs and other logs can help identify malicious behavior early on. Through logs you can identify problems that may be caused by DDoS attacks, like specific HTTP error codes. Logs also allow you to drill down and analyze the source of an attack. There are several log files WordPress administrators can use to better manage and secure their website.
- Harden user authentication: this might be the last best practice, but it is as important as all the others. Implement strong WordPress password policies to ensure your website users use strong passwords. On top of that, install a two-factor authentication plugin and implement policies to make two-factor authentication mandatory.
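One way to apply the log-review advice above to an application layer flood, as an added example that is not part of the original article: it parses Apache/NGINX combined-format access log lines and flags time windows in which a single path is requested by many source addresses while the share of 5xx responses climbs. The function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format, the usual access-log layout for Apache and NGINX.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (epoch_seconds, ip, path_without_query, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m["ip"], m["path"].split("?")[0], int(m["status"])

def find_flood_windows(lines, window=10, min_requests=30, min_sources=10, min_5xx_ratio=0.3):
    """Flag fixed windows (seconds) where one path is hit by many sources and the server starts failing."""
    # Thresholds are illustrative assumptions; tune them against your own traffic baseline.
    buckets = defaultdict(lambda: {"n": 0, "ips": set(), "errors": 0})
    for rec in filter(None, map(parse, lines)):
        ts, ip, path, status = rec
        b = buckets[(ts - ts % window, path)]
        b["n"] += 1
        b["ips"].add(ip)
        b["errors"] += status >= 500
    alerts = []
    for (start, path), b in sorted(buckets.items()):
        ratio = b["errors"] / b["n"]
        if b["n"] >= min_requests and len(b["ips"]) >= min_sources and ratio >= min_5xx_ratio:
            alerts.append({"start": start, "path": path, "requests": b["n"],
                           "sources": len(b["ips"]), "ratio_5xx": round(ratio, 2)})
    return alerts

def sample_log():
    """Constructed sample: ordinary browsing, then 40 REST API requests from 20 addresses in one window."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="198.51.100.7", s=s, p="/", st=200) for s in range(10)]
    for i in range(40):
        # Documentation-range addresses (RFC 5737); later requests return 503 as the server saturates.
        lines.append(fmt.format(ip=f"203.0.113.{i % 20 + 1}", s=20 + i % 10,
                                p="/wp-json/wp/v2/posts?page=2", st=200 if i < 16 else 503))
    lines.append("not a log entry")  # unparseable lines are skipped, not fatal
    return lines
```

Grouping by path and window rather than by source address matters here: each of the 20 sample addresses sends only two requests, so a per-IP threshold alone would not flag this window.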