Internet-facing systems are constantly in danger from a variety of threats. Of these threats is a DoS attack, which involves a single system, or a DDoS attack that involves many distributed systems, as both can disrupt the ability for a server to respond to legitimate requests.
If a server cannot respond to legitimate requests, then the target will experience an outage and be unavailable for its intended purpose. The system is rendered unusable or significantly slowed down.
Types of DoS Attacks
There are mainly two types;
- DoS – sent by a single system to a single target
- DDoS – sent by multiple systems to a single target
The purpose of DoS attacks is to prevent legitimate use of a system.
An attack may:
- Flood the network with traffic
- Disrupt connections between two machines
- Prevent a specific individual from access services
- Disrupt a service to a specific system or person
Different types of traffic can be used to flood a system. The service or system is kept busy responding to a massive amount of requests to be usable. Typically, you can also say that; DoS attacks are a last resort.
An advanced version of DoS attack, which originates from multiple systems. A coordinated attack from multiple systems, which have been compromised.
The compromised systems are considered secondary victims. They are sometimes called zombies or BOTs. Tracking the source of the attack is difficult since several IP addresses are in use and the systems under attack are considered the primary system.
DDoS attacks have even targeted nation-states, as the DDoS attacks on Estonian websites in 2007, the mammoth DDoS attack on Georgia in 2008, and the widespread attacks against South Korea’s military, banking and government websites in 2009. Although no one is yet aware of the specific origins of these attacks, these attacks show that even governments must protect their systems from a DDoS attack.
|1||DNS||DNS Reflection/Amplification||Spoofing DNS queries from the target of the attack towards DNS providers, to generate large responses that overwhelm the bandwidth of the attack target.|
|2||TCP||Connect||This flood involves a client repeatedly creating a full TCP session.|
|SYN||This flood involves a client sending synchronize packets and does not create a full TCP session; therefore, SYN floods are candidates for source IP spoofing.|
|3||UDP||UDP Flood||This flood involves a client sending UDP packets of data. UDP is connectionless and does not require a session, which makes this type of flood a perfect candidate for spoofing.|
|4||ICMP||ICMP Flood||This flood involves ICMP packets that contain data; because ICMP does not require a session, this flood type is a good candidate for spoofing.|
|5||HTTP||HTTP Flood||These floods inundate a target with HTTP requests (typically GET and POST requests).|
|Slowloris||By slowly sending HTTP requests, this attack type attempts to exploit a weakness in Web servers that waits for the completion of an HTTP request.|
|6||SSL||SSL Renegotiation||This attack type involves a client repeatedly performing an SSL handshake on an established SSL connection to consume a server’s resources.|
DdoS attacks have three parts:
- Master/handler – The attacker launcher is the master.
- Slave/secondary victim/zombie/agent/BOT/BOTNET – The slave is a compromised host controlled by the master.
- Victim/primary victim – The target system is the victim.
DDoS is done in two phases:
- The intrusion phase compromises weak systems to act as slaves.
- The DDoS attack phase initiates the slave systems to attack the primary victim.
BOT is short for web robot. It is an automated software program, which behaves intelligently.
BOTs are used to:
- Post spam messages on newsgroups
- Send spam messages through e-mail
- As remote attack tools
- Web agents that interface with web pages (spiders)
- Install themselves on computers for malicious purposes
BOTs can use different types of communication, such as:
- Instant messaging
- Internet Relay Chat (IRC)
- Web interfacing
BOTS can handle:
- Reporting weather
- Providing zip codes
- Listing sports scores
- Converting units of measure
And a group of BOT systems so called BOTNETS are used to:
- Conduct DDoS attacks
- Creation of SMTP mail relays for spam
- Internet Marketing fraud
- Application serial number theft
- Theft of login IDs
- Theft of financial information
Smurf Attacks are those in which large amounts of ICMP echo traffic sent to a broadcast IP address with a spoofed source address. A secondary victim on an IP network will perform an echo reply to an ICMP echo request.
Syn Flooding is one of the most popular flooding technique in which an attacker sends TCP connection requests faster than can be processed. In this flooding, a random source address is created for each packet. The SYN flag is set to request a new connection from the spoofed IP address.
The victim responds to the spoofed IP address and waits for a TCP confirmation that never arrives. In the meantime, the victim’s connection table continues to fill up until all new connections are ignored and the server can no longer be accessed.
Some methods to prevent SYN floods include;
- SYN cookies
- RST cookies
- Micro Blocks
- Stack Tweaking
Some common security features used to detect, halt, or prevent DoS attacks include:
- Net-ingress filtering – stops downstream networks from injecting packets with faked or spoofed addresses
- Rate-limiting network traffic – allows traffic shaping or limitation of the bandwidth some types of traffic can consume
- Intrusion detection systems – can detect attackers who are communicating with slave, master, or agent machines
- Host-auditing tools – file-scanning tools used to identify known DDoS tool client and server binaries
- Network-auditing tools – network scanning tools used to detect DDoS agents running on hosts in the network
- Automated network-tracing tools – Traces streams of packets with spoofed addresses through the network.