A Denial of Service (DoS) or Distributed Denial of Service is a very ancient type of cyber threat which is still prevalent and is increasing day by day. Within DoS, numerous requests are generated and sent to the sophisticated server beyond its handling capacity which results into denial or suspension of services and sometimes into crashing of the server.
While in the Distributed Denial of Service, more than one server raises the DDoS attacks targeting server by sending unlimited bandwidths of request so that no new requests are accepted further. Main targets of such attacks usually are: large organizations, banks, payment gateways and root nameservers. Malware named “MyDoom” is considered to be responsible for launching the DDoS attacks.
Types of DDOS Attacks
Volume Based Attack:
Volume Based attack refers to congestion of a website’s bandwidth with overwhelming traffic. Attackers use different computer systems and internet connections to direct massive traffic to the targeted website. The attack includes UDP flood, ICMP floods, and a network or server receives huge traffic that seems legitimate produced by a botnet. The attempt to congest traffic is either performed within the network or between the target networks.
Protocol attack aims to find weakness or vulnerability in the server’s resource instead of bandwidth targeting network infrastructure or infrastructure management tool—protocol attack targets firewall and load balancers. Attackers surge bogus protocol requests to consume resources by targeting a server and the website. The strength of the protocol attack is measured in packets per second.
Application Layer Attack:
Application Layer attack aims to seek out vulnerabilities in applications. Attackers imitate users’ traffic behavior and attacks servers with too many requests to bring it down. The nature of the attack sometimes goes unobserved, and the intensity of this attack is measured in requests per second. Attackers can combine other DDoS attack types with Application Layer attack to target network and bandwidth besides applications.
Common DDoS Attacks Types
UDP (User Datagram Protocol) flood targets random ports by overwhelming the host using IP packets, and each IP packet contains a UDP diagram. UDP is a session-less network protocol where the firewall even becomes unresponsive due to UDP flooding, which results in obstructing legitimate traffic. Attackers spoof the original IP address of the UDP packets, which blocking the actual location of attackers.
ICMP (Internet Control Message Protocol) flood, also known as Ping flood attack, brings down victim’s server by overwhelming request packets from multiple devices. The network responds with reply packets equally that it receives from the IP address of a device. A network admin can disable the ability to send and receive ICMP packets and render the device insensitive to ping requests.
SYN flood makes a server unresponsive to authenticate traffic by using available server resources. The process finds a flaw in the TCP connection and sends a huge volume of SYN packets to the server with a spoofed IP address. The entry of each new packet forces to open a new port connection; when all ports are opened and used, the server cannot function normally.
Slowloris, an application layer attack, lets an attacker to bombard the server by opening similar partial HTTP connections between the target server and the attacker’s computer. The attacker intends to keep HTTP connections open for a long time and slowly utilize server resources to send requests. Such attacks are also called low and slow attacks.
NTP (Network Time Protocol) amplification is a DDoS type attack in which NTP servers are exploited and overwhelmed with UDP (User Datagram Protocol) traffic; thus, the target server becomes inaccessible for regular traffic. NTP is made to synchronize internal clocks and servers of internet-connected devices. Admin should scan the NTP server timely and upgrade it if any vulnerability is found. If the server upgradation is not possible, then stop the monlist command.
The target server is flooded with HTTP requests; thus, regular traffic cannot access the server. It is sometimes called a ‘layer-7’ attack, and such type of attack is not easy to identify either traffic is normal or malicious. Attackers utilize botnet to maximize the impact of an attack. HTTP flood attack comprises two types of attack: HTTP GET attack and HTTP POST attack.
A zero-day is a vulnerability in hardware or software causing severe problems before anyone recognizes it. Attacker releases malware before a developer fixes it with a patch. The zero-day vulnerability can be any form like SQL injection, lack of encryption and authorizations, broken algorithms, URL redirection, or bugs. This makes Zero-day hard to find vice-a-versa for both developers and hackers.
Ping of Death:
Ping of Death is a DoS type (Denial of Service) where an attacker targets the server with malicious packets with a ping. The attack finds a weakness in the targeted system. The attacker sends ICMP packets sent using ping. If the computer system is not updated, the system could not handle the larger size of ICMP packets, resulting in a crash.
Types of DDoS Amplification
The attacker here sends a small request to the victim’s DNS server using a spoofed IP address and asks him to reply with amplified requests. As a result, an attacker magnifies each request and engulfs the target server. The DNS server responds to spoofed IPs and unintentionally launch an attack on the targeted server by responding to an attacker’s requests. When an attacker spoofs an IP address, it is difficult for a victim to identify an attacker because it looks like a legitimate DNS server has attacked the victim. In contrast, the IP address of an attacker remains hidden.
A spoofed IP address also makes it impossible to trace for a security expert. However, IP spoofing is the main reason to make this attack successful. If there is no IP spoofing, a DNS reflection attack cannot be made. Attackers use DNS amplification with extensions like EDNSO, DNSSEC. These tools allow responding in a larger capacity along with response authentication to avert cache poisoning. Attacker here, study the DNS server to find valid queries that can take large replies and use DNSSEC to increase their byte size.
For example, if an attacker uses a 4096-byte response against 44bytes requests, the victim will have 10G of attack traffic; thus, the regular service will be interrupted.
Chargen (Character Generator Protocol) Reflection:
Many computers and printers are still using traditional services naming Chargen for debugging, testing, and measuring applications and networks. Chargen can be accessed by TCP and UDP protocol. If the service is accessed by these protocols, Chargen provides random data. An attacker uses a botnet that sends thousands of Chargen requests to the targeted publicly available system that offers Chargen services. The requests use UDP protocol, and bots use targeted IP addresses as sender IP addresses. Chargen service sends UDP replies to the targeted IP address instead of an attacker.
With amplification, a single byte would result in 512 bytes in size that overwhelmed the target. A 10 MBPS bandwidth would convert into a 5 Gbps attack. Thus, the entire botnets can create attacks in hundreds of GBPS. The outcome of this target would result in a complete breakdown of the internet connection.
How to Protect Yourself from Distributed Denial of Service attacks
The DDoS attack brings your business down and makes the website unresponsive for hours. As a result, several customers and revenue will be suffered. To combat DDoS attacks, companies need a proof plan along with DDoS mitigation and prevention strategy.
Create a Response Plan:
Small or large organizations should develop a DDoS prevention plan including intricate infrastructure and a vast team base. The DDoS attack requires a pre-plan to minimize the impact by enabling quick reactions. To make a successful plan, the team and data center should be prepared. A company can consider a system checklist, make a response team, define an escalation process, and make a list of internal and external contacts.
A company should think about a multi-level protection strategy that should include intrusion prevention systems and threat management. DDoS defense techniques include VPN, firewall, anti-spam, content filtration, load balancing. The strategy consists of finding traffic discrepancies and block them with higher accuracy. To avail of DDoS mitigation service, you can use a pay-per-use base model available with cloud-based solution providers. It is necessary to update infrastructure and install updated software to avert potential attacks.
DDoS protection service can be outsourced to a cloud-based service provider that could bring fewer advantages. The cloud can offer a significant amount of bandwidth besides resources. Rising DDoS attacks compel organizations to think about virtual cloud leverage. The cloud covers a wide area of resources. Even cloud-based apps can absorb lousy traffic before it gets to the targeted destination.
An organization should look at network delay in function, inconsistent internet, frequent website stoppage. If a network lacks performance and takes much time, there may be an instance of a DDoS attack, and the company should act against such activities.
An attacker tries to spike in traffic by using more bandwidth resulting in shutdown or sluggishness in a system. As a network admin, you should focus on more bandwidth to save the network in such a situation. So, if an attacker tries to consume bandwidth, you must have ample bandwidth to secure the network. However, a DDoS amplification attack could spoil your thought of having more bandwidth. For that, you need to boost the level of protection, which seems a challenging task for attackers.
Apply Anti-DDoS Hardware:
The server should equip with network and web application firewalls. Many vendors now offer software protection against DDoS attacks. For example, Apache 2.2.15v. comes with mod_reqtimeout to protect against Slowloris attack.
DNS Server Protection:
DNS server protection is quite necessary to protect it against soaring DDoS attacks. DNS servers should be located at different places, and a load balancer should be there. Cloud-based DNS provider is a good deal for organizations that could provide more bandwidth and many points-of-presence firewalls in data centers. Such cloud-based DNS offers in-built DDoS protection.
Related Posts :