This topic is a little scary! It is the nightmare of big companies across the world. DDoS is an abbreviation for Distributed Denial of Service, which means it works like a DoS attack but on a much larger scale. A DoS (Denial of Service) attack is one in which a user is unable to use a particular resource because the attacker has made it unavailable by means of certain attack types. This can cause the server to shut down as well.
So, you might be thinking: if both terms mean the same thing, how are they different?
The answer to this very question is the breadth of the attack! In a DoS attack, the attacker might be a single user who wants to flood a single targeted machine or piece of software with packets to interrupt the availability of the resource. But in a DDoS attack, we are looking at the bigger picture, in which multiple attackers target a big network so as to consume bandwidth, speed and CPU processing on a large scale, causing the network to shut down. Seems scary, doesn't it?
Social websites are pretty big, so there's a saying: “If you can’t hack into something or it’s kinda problematic then just shut it down!”. Many DDoS attacks have been launched on social networks such as Facebook, Twitter, YouTube, LiveJournal, Google's Blogger, etc. But why would anyone do that? There can be many reasons, but one is to silence the people or researchers who have been part of wars and politics. Social networks are a huge source of information. Twitter has always been under such attacks because a vast majority of activists can be found on Twitter. There can be many other reasons, but this one is always highlighted!
DDoS attacks are easy to carry out, and it is hard to determine where they are actually coming from. But why? Because the attacker has control over multiple machines with which he/she can perform such an attack. The machines working this way are called botnets! There is another way through which an attacker can create a DDoS attack, which is known as a puppetnet. A puppetnet differs from a botnet in many ways but serves the same purpose. A puppetnet uses users to perform such attacks, whereas a botnet uses machines. I will be covering these two topics in a separate article, but for now, DDoS attacks are mainly performed with these two techniques. There are also many tools with which DDoS attacks can be performed. These tools mainly help in creating certain types of packets which, once received by the target, can cause the victim to crash or reboot. Let's have a look at some known ways in which certain tools work.
- Ping of Death (POD): This is the most common attack form. The attacker manipulates packets and sends packets above the maximum size, which is 65,535 bytes. The victim receives this oversized packet and attempts to reassemble it, which causes the system to crash or reboot. This technique mostly doesn't work because ISPs block such packets.
- Teardrop: This attack is quite similar to Ping of Death, but here the attacker manipulates the offset values of the packet so that it cannot be reassembled by the target machine, which causes a crash. The oversized payload can crash many operating systems because of a bug. More: IPv4 Fragment and Assembly.
- TCP SYN flood attack/half-open connection: A typical TCP connection consists of a three-way handshake:
  - Client sends SYN
  - Server sends SYN-ACK
  - Client sends ACK
  In a half-open connection the client never sends the last ACK packet and the connection stays half open. In this way, the victim is not able to complete the request and all its resources are tied up trying to process it. The attacker floods the victim with such packets, which can cause the system to crash. More: TCP SYN Flood attack.
- Peer-to-peer attacks: This attack works like a puppetnet. A botnet is not required; instead, the attacker maliciously redirects legitimate users' requests to the victim system, which causes a DDoS attack on the victim.
- Land attack: This attack is done by creating forged packets with the same IP address as the victim's, which causes confusion in the host and can cause a reboot or crash.
- UDP flood attack: The attacker floods random ports on the victim's system with IP packets carrying UDP datagrams. Since UDP is a connectionless protocol, once the system gets a request it checks for the associated application and, if it cannot find one, sends “Destination unreachable”. Since the attacker floods the system with these bogus requests and the system replies to each of them, it causes the system to crash.
- DNS amplification attack: Here the attacker exploits a vulnerability in DNS. Sending larger queries to the DNS server brings down the server. It is a type of reflection attack, because the DNS server responds to the spoofed IP address.
There is something I felt I should share on my website; the copyright holder is incapsula.com.
“Reflection attacks are even more dangerous when amplified. “Amplification” refers to eliciting a server response that is disproportionate to the original packet request sent.
To amplify a DNS attack, each DNS request can be sent using the EDNS0 DNS protocol extension, which allows for large DNS messages, or using the cryptographic feature of the DNS security extension (DNSSEC) to increase message size. Spoofed queries of the type “ANY,” which returns all known information about a DNS zone in a single request, can also be used.
Through these and other methods, a DNS request message of some 60 bytes can be configured to elicit a response message of over 4000 bytes to the target server – resulting in a 70:1 amplification factor. This markedly increases the volume of traffic the targeted server receives, and accelerates the rate at which the server’s resources will be depleted.
Moreover, DNS amplification attacks generally relay DNS requests through one or more botnets – drastically increasing the volume of traffic directed at the targeted server or servers, and making it much harder to trace the attacker’s identity.” –Source(incapsula.com)
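Seen from the targeted host, the reflection described in the quote has one clear signature: DNS answers arrive for questions the host never asked. The sketch below is an added example, not code from this article or from Incapsula; the record layout, the addresses and the function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed records observed at the edge of one host:
# (direction, remote_resolver, dns_transaction_id, qtype, udp_payload_bytes)
RECORDS = [
    ("query",    "198.51.100.53", 0x1A2B, "A",    60),
    ("response", "198.51.100.53", 0x1A2B, "A",    92),
    ("response", "203.0.113.8",   0x0001, "ANY",  4012),
    ("response", "203.0.113.8",   0x0002, "ANY",  4012),
    ("response", "203.0.113.9",   0x0003, "ANY",  3980),
    ("query",    "198.51.100.53", 0x1A2C, "AAAA", 60),
    ("response", "198.51.100.53", 0x1A2C, "AAAA", 104),
    ("response", "198.51.100.53", 0x1A2C, "AAAA", 104),  # duplicate answer
]

def unsolicited_responses(records):
    """Map resolver -> (count, bytes) for answers that match no outstanding query."""
    outstanding = set()
    stats = defaultdict(lambda: [0, 0])
    for direction, resolver, txid, _qtype, size in records:
        key = (resolver, txid)
        if direction == "query":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.remove(key)  # a legitimate answer consumes its query
        else:
            stats[resolver][0] += 1
            stats[resolver][1] += size
    return {resolver: tuple(v) for resolver, v in stats.items()}

def reflectors(records, min_bytes=1000):
    """Resolvers whose unsolicited answers total at least min_bytes, largest first."""
    stats = unsolicited_responses(records)
    hits = [(r, n, b) for r, (n, b) in stats.items() if b >= min_bytes]
    return sorted(hits, key=lambda hit: -hit[2])

if __name__ == "__main__":
    for resolver, count, size in reflectors(RECORDS):
        print(f"{resolver}: {count} unsolicited answers, {size} bytes")
```

The byte threshold keeps a stray duplicate answer from a resolver the host really uses from being reported alongside the reflectors.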
Defense against DDoS:
Though the Wikipedia article on DDoS provides really great information about mitigating DDoS, let's still talk about some simple defense mechanisms:
In such a situation, we need to determine what is actually going on in our network, and sniffing is the best way to know. tcpdump provides a view of the ongoing traffic in our network, but the problem with tcpdump in such a troublesome situation is that displaying such an enormous amount of traffic will crash our system. That we don't want. So we are simply going to use the -w switch on the tcpdump command line to write the data to a file so that we can read it later. The files can fill up fast, so we also have to make sure there is enough disk space. Now let's get back to the topic. Now that we know we are under attack, there are some things we can do for immediate relief, but these don't actually stop the attack, because such an attack uses multiple resources and different attack vectors and hence cannot be stopped at a single interface.
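Once a capture written with -w is read back as text (for example with `tcpdump -nn -tt -r`), the half-open handshakes described in the SYN flood item can be counted directly. This is an added example, not code from the original article; the sample lines are constructed, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the text format printed by `tcpdump -nn -tt -r <file>`.
SAMPLE = """\
1700000000.000100 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 100, win 64240, length 0
1700000000.000200 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.], seq 900, ack 101, win 65160, length 0
1700000000.000300 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.], ack 901, win 502, length 0
1700000000.010000 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
1700000000.010100 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
1700000000.010200 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
1700000000.010300 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 7, ack 2, win 65160, length 0
"""

# timestamp, "IP", src.port > dst.port:, Flags [...]
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def half_open(text):
    """Return the (client, cport, server, sport) tuples whose SYN was never
    followed by a later packet from the client (final ACK, data or RST)."""
    pending = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP line in the expected format
        src, sport, dst, dport, flags = m.groups()
        key = (src, sport, dst, dport)
        if flags == "S":                      # step 1: client sends SYN
            pending.add(key)
        elif "S" not in flags and ("." in flags or "R" in flags):
            pending.discard(key)              # step 3 (or a reset) from the client
    return pending

def summarize(text, threshold=3):
    """Half-open count per (server, port) and clients at or above threshold."""
    pending = half_open(text)
    per_server = Counter((dst, dport) for _, _, dst, dport in pending)
    per_client = Counter(src for src, _, _, _ in pending)
    suspects = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return per_server, suspects

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When the source addresses vary from packet to packet, the per-client list stays empty and the per-server total is the number to watch.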
Rate limiting: We can limit the amount of a specific type of traffic with a predefined threshold. Switches are used to do rate limiting. Switches also stop many attack vectors using techniques such as traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering.
Black hole filtering: We can send the incoming traffic to a non-existent interface, known as a null interface. The traffic will be dropped, which reduces resource consumption.
In order to mitigate DDoS entirely, we need to use a DDoS mitigation tool such as Cisco Guard, Intruguard or Netscreen. Such tools are expensive and are used for larger networks (ISPs), but they are really effective because they divert only the malicious traffic. Most ISPs offer such a service to their clients, so consulting with them while under such an attack would help big time.
This is a wide topic and can never be completed entirely in just an article, and so I have provided some links below for further information on the same:
The more you read, the more you learn! The next article will be related to practical scenarios or application of this attack. So stay tuned!
Stay Anonymous 🙂