Distributed denial-of-service (DDoS) is the most serious type of denial-of-service (DoS) attack, which is an attempt by attackers to prevent legitimate end users from using a service or accessing a system. But before we dive in, let’s talk about the differences between DoS and DDoS attacks. A DoS attack generally involves a single computer using a single internet connection to target and flood a server with TCP/UDP packets, thus overloading the victim server’s bandwidth and other infrastructure resources. On the other hand, a DDoS attack involves many – sometimes countless – computers and connections from all over the world. This collection of machines is often referred to as a “botnet.” In this case, the single victim server is attacked by hundreds or even thousands of requests from all directions, rather than simply a larger-than-normal amount coming from a single source.
In a DDoS attack, incoming traffic from a multitude of sources floods and/or incapacitates an organization’s network or systems. In some cases the sources of the traffic can number in the hundreds of thousands.
Such an incident effectively renders it impossible to stop the flood of traffic by blocking a single IP address. The victims of a DDoS attack include not only the organization with the targeted end systems, but all the systems that are maliciously used and controlled by the attackers as part of the assault.
With DDoS or DoS, it’s difficult to tell the difference between legitimate network traffic and attack-related traffic, because the attack is spread across many points of origin. To carry out the attack, cyber criminals or hackers forge IP sender addresses via IP address spoofing so as to mask the identity and location of the attacking machines. This is what makes the attack difficult to defend against.
There are several different types of DDoS attacks, including traffic attacks in which traffic flooding sends a large volume of packets to the target; bandwidth attacks in which the target is overwhelmed with massive volumes of data that cause the loss of network bandwidth and equipment; and application attacks, in which application-layer data messages deplete resources in the application layer, making systems unavailable.
As more and more devices go online and add to the Internet of Things (IoT), DDoS attacks are becoming stronger and more difficult to prevent. DDoS attacks are also getting more sophisticated, targeting a wider variety of systems and taking a wider variety of forms. First up are DDoS attacks that operate by “flooding.” User Datagram Protocol (UDP) is a sessionless networking protocol. A UDP flood involves targeting random ports on the target server and sending as many packets as possible to those ports; for each one, the server checks for a listening application and reports back with an ICMP packet. Then, attackers can flood via synchronization (or “SYN”) messages, which are part of the three-way handshake of TCP connections. In a normal handshake, a SYN message is sent to the host machine to start a “conversation.” The target server responds to the request with an “acknowledgement,” which also sends a flag back to the initiating machine. Finally, the handshake is completed when the initiating machine acknowledges that response. When spoofed in bulk, these never-completed handshake requests exhaust the server’s resources.
Then there are zero-day DDoS attacks, which involve a newly discovered vulnerability in a program, web site, or application for which no patch exists yet. These zero-day vulnerabilities are exploited as much and as quickly as possible until the organization discovers the gap and releases a patch to all involved parties.
Another common DDoS attack is a reflected attack. In this scenario, an attacker forges packets and sends them to as many computers as possible. Once they receive the packets, the computers respond to the spoofed packet address, which is the actual DDoS target. When the target server receives the flood of “responses,” it becomes overloaded and exhausts its resources until it’s completely overwhelmed.
Ping of death (POD), also known as “boink,” “bonk,” and “teardrop,” is a denial-of-service attack that exploits the IP protocol by dividing up large packets (i.e., larger than 65,535 bytes, the established maximum under IPv4) across multiple IP fragments. Once the server reassembles the fragments into a packet that is larger than 65,535 bytes, the server is forced to crash or reboot entirely. While this attack isn’t so common anymore, it was a prolific attack in the mid-90s era of the Internet.
Slowloris is a type of DDoS attack that requires a very small amount of the attacker’s resources to tie up a target server’s. In this scenario, the attacker opens connections using only partial requests. These requests are kept open for the maximum amount of time allowed by the server. However, the attacker also sends further HTTP headers at precise intervals, thus keeping each connection open without ever completing the request. The target website is unable to handle the constant, open connections while taking on new requests and eventually crashes.
The scope of DDoS attacks continues to increase. Consulting firm Deloitte, in a 2017 report, predicts that DDoS attacks will become larger in scale, harder to mitigate and more frequent. Over the past few years, the firm said, it has been “a game of cat and mouse in which neither side has become too powerful, but this might change in 2017 due to the abundance of insecure IoT [Internet of Things] devices and the fact that large-scale attacks which exploit IoT devices’ vulnerabilities have become simpler to execute.”
The Open Web Application Security Project (OWASP) recently published its Automated Threat Handbook for Web Applications. In it, the group outlines a few helpful symptoms to help alert you to the fact that an attack might be underway. For example, a DDoS victim may notice spikes in CPU, memory, and network utilization. Other signs include the unavailability of part or all of the application or web site, a rise in user account lockouts, a rise in complaints about poor performance, and a reduction in web site or application performance and/or service degradation.
Deloitte Global’s “Technology, Media and Telecommunications Predictions 2017” forecasted that there will be 10 million DDoS attacks in 2017, with an average size of 1.25 Gbps to 1.5 Gbps. It predicts there will be one 1 Tbps-level DDoS attack per month during the year. Any organization that relies increasingly on the Internet to do business should be aware of the potential impact of such attacks, the report said.
To overcome the issue, you may consider fingerprinting the user agent and any associated unique characteristics of your traffic and users. You may also consider identifying and restricting automated usage by reputation methods, and also by rate monitoring and limiting. Additionally, you may consider blocking or delaying application access by individual users or groups of users based on behaviour and/or session, and/or IP address/range and/or geolocation once rate monitoring has identified a real attack, or other anomalous behaviour that has identified the user(s) as attacker(s). Furthermore, you can consider progressively disabling resource-intensive functions to maintain availability of other aspects.
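As an added example (not from the original article or OWASP), the rate-monitoring and IP-blocking step above implemented as a per-client sliding-window counter replayed over a constructed access-log sample; the log line format, the window, the request limit and the penalty period are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed access-log sample (not real traffic): "<client_ip> <epoch_secs> <method> <path>"
SAMPLE_LOG = """\
203.0.113.10 1000 GET /login
203.0.113.10 1000 GET /login
203.0.113.10 1001 GET /login
203.0.113.10 1001 GET /login
203.0.113.10 1002 GET /login
203.0.113.10 1002 GET /login
198.51.100.7 1000 GET /index.html
198.51.100.7 1030 GET /about.html
203.0.113.10 1040 GET /login
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\d+) \S+ \S+$")


class RateMonitor:
    """Sliding-window request counter per client IP with a temporary block."""

    def __init__(self, window, limit, block_seconds):
        self.window, self.limit, self.block_seconds = window, limit, block_seconds
        self.hits = defaultdict(deque)  # ip -> timestamps of requests in the window
        self.blocked_until = {}         # ip -> time at which its block expires

    def check(self, ip, ts):
        """Return 'allow' or 'block' for one request at time ts, updating state."""
        if ts < self.blocked_until.get(ip, 0):
            return "block"              # still inside the penalty period
        q = self.hits[ip]
        while q and q[0] <= ts - self.window:
            q.popleft()                 # drop requests older than the window
        q.append(ts)
        if len(q) > self.limit:         # rate exceeded: block the source for a while
            self.blocked_until[ip] = ts + self.block_seconds
            q.clear()
            return "block"
        return "allow"


def replay(log_text, window=10, limit=5, block_seconds=60):
    """Run every parsed log line through the monitor; return decisions and blocks."""
    mon = RateMonitor(window, limit, block_seconds)
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed lines rather than crash
        ip, ts = m["ip"], int(m["ts"])
        decisions.append((ip, ts, mon.check(ip, ts)))
    return decisions, dict(mon.blocked_until)
```

With the sample above, the sixth request from 203.0.113.10 inside the 10-second window trips the limit and the source stays blocked for 60 seconds, while 198.51.100.7 is never touched; in practice the same logic sits in front of the application (a WAF, reverse proxy or middleware) and feeds the IP into a block list rather than a dictionary.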
But what of App DoS (or Application Denial of Service)? In contrast to DDoS, an application denial of service occurs when bots programmatically abuse the business logic of your website. This happens at layer 7 (the application layer), so your firewall and load balancer continue to function just fine. Rather, it’s the web application and backend that keel over.