What is DDoS?
A DDoS, or Distributed Denial-of-Service, attack is an unauthorized attempt to overwhelm a targeted server or network, or its surrounding infrastructure, with a huge amount of internet traffic. A DDoS attack achieves its effect by using many computer systems as the sources of that traffic. In short, a DDoS attack is when attackers try to make a website or computer unavailable by flooding it with more traffic than it can handle, or by crashing it.
How does a DDoS attack work?
A DDoS attack happens when an attacker takes control of a network of online machines in order to carry out the attack. This network is called a botnet, and it is made up of bots: machines the attacker previously infected with malware. When the target's IP address is sent to the bots over a remote connection, each bot responds by sending requests to the targeted server or network, which results in a denial of service for normal traffic. Each bot is an otherwise legitimate internet device, which makes it difficult to separate the attack traffic from the normal traffic.
Network connections on the internet are built from the different layers of the OSI model, and different DDoS attacks focus on particular layers. For example:
- Layer 3, the Network layer. Attacks include ICMP floods, Smurf attacks and IP/ICMP fragmentation.
- Layer 4, the Transport layer. Attacks include SYN floods, UDP floods and TCP connection exhaustion.
- Layer 7, the Application layer. Mainly HTTP-based attacks such as HTTP floods.
Application Layer attack
Layer 7 DDoS attacks mainly focus on exhausting the resources of the target. The attack takes place where web pages are generated on the server and delivered in response to HTTP requests. This is difficult to defend against because the traffic is hard to distinguish from legitimate requests. To serve a single request the server often loads multiple files and runs database queries in order to build the page, so when a very large number of requests arrive at once its resources are exhausted.
HTTP Flood: This is similar to pressing refresh in a web browser over and over from many different computers at once. The resulting large number of HTTP requests floods the server and causes a denial of service.
Protocol attacks
Protocol attacks use weaknesses in layer 3 and layer 4 of the OSI model to make the target inaccessible. These attacks consume all the available state table capacity of web application servers or of intermediate resources such as firewalls, which causes a service disruption.
SYN Flood: This attack exploits the TCP handshake by sending the target a high number of "initial connection request" SYN packets with spoofed source IP addresses. The target machine responds to every connection request and waits for the final step of the handshake, which never arrives, and this exhausts the target's resources.
Volumetric attacks
Attacks that consume all available bandwidth by creating congestion between the target and the internet fall under this category. Large amounts of data are sent to the target using a form of amplification, or other methods that create massive traffic such as requests from a botnet.
DNS amplification: A request is made to an open DNS server with a spoofed source IP address, so the target IP address receives the server's response. The attacker structures the request so that the response from the DNS server to the target contains a large amount of data. As a result the target receives an amount of data far greater than the initial request sent by the attacker.
How to mitigate a DDoS attack?
The main concern in mitigating a DDoS attack is to differentiate the attacking traffic from normal traffic. To do this, the defensive response uses a combination of attack detection, response and traffic classification tools that block the illegitimate traffic and let the normal traffic through. In this article we discuss the main mitigation tools.
Application front-end hardware
These are intelligent hardware devices placed on the network before any traffic reaches the servers. They analyze data packets as they enter the system and classify them as priority, regular or dangerous. They are used on networks integrated with the routers and switches.
Blackholing and Sinkholing
Blackholing is when all the traffic sent to a specific attacked IP address is redirected to a non-existent server, also known as a black hole. To be more efficient, and to avoid affecting network connectivity, it can be managed by the ISP.
Sinkholing routes the traffic to a valid IP address which analyzes it and rejects the bad packets. Sinkholing is not efficient for the most severe attacks.
Cleaning centers
Before it reaches the server, all traffic is passed through a "cleaning center" or "scrubbing center" using methods such as proxies, tunnels or digital cross connects. The center filters out bad traffic (DDoS and other common internet attacks) and passes through only the good traffic. In this method the provider needs central connectivity to the internet in order to manage this kind of service.
DDS based defense
A DoS defense system (DDS) can block connection-based DoS attacks as well as traffic that has legitimate content but malicious intent. A DDS can protect against both protocol attacks (ping of death and teardrop) and rate-based attacks (ICMP floods and SYN floods).
In the case of a simple attack it is possible to deny all incoming traffic from the attackers based on protocol, port or originating IP address. More complex attacks, however, are hard to block with such simple rules.
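The per-source rules described above, and their limit, as an added example that is not part of the original article: a small classifier over constructed connection records counts half-open handshakes (the SYN flood pattern) and HTTP requests (the HTTP flood pattern) per source and blocks any source over a threshold, then shows that a flood spread across many bots, each staying under the threshold, passes every per-source check. All IP addresses, thresholds and records are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (not taken from the original article):
# (seconds, source_ip, event) where event is "SYN" (handshake opened),
# "ACK" (handshake completed) or "GET" (an HTTP request).
NORMAL_CLIENT = [(n * 0.5 + i * 0.1, "198.51.100.10", ev)
                 for n in range(4) for i, ev in enumerate(("SYN", "ACK", "GET"))]
SYN_FLOODER = [(n * 0.01, "203.0.113.7", "SYN") for n in range(300)]   # never ACKs
HTTP_FLOODER = [(n * 0.02, "203.0.113.8", "GET") for n in range(500)]
# A distributed flood: 50 bots that each stay under the per-source limit.
LOW_AND_SLOW = [(n * 0.1, f"192.0.2.{b}", "GET") for b in range(1, 51) for n in range(10)]


def classify_sources(records, window=10.0, syn_limit=100, get_limit=200):
    """Per-source rules of the kind the article describes: count half-open
    handshakes (SYNs not followed by an ACK) and HTTP requests from each
    source inside one time window, and block a source over either limit."""
    if not records:
        return {}
    half_open = defaultdict(int)
    requests = defaultdict(int)
    start = min(t for t, _, _ in records)
    for t, src, event in sorted(records):
        if t - start > window:
            break
        if event == "SYN":
            half_open[src] += 1
        elif event == "ACK":
            half_open[src] = max(0, half_open[src] - 1)
        elif event == "GET":
            requests[src] += 1
    verdicts = {}
    for src in set(half_open) | set(requests):
        if half_open[src] > syn_limit:
            verdicts[src] = "block: half-open SYNs"
        elif requests[src] > get_limit:
            verdicts[src] = "block: request rate"
        else:
            verdicts[src] = "allow"
    return verdicts


def total_requests(records):
    """Aggregate view: the distributed flood is only visible at this level."""
    return sum(1 for _, _, ev in records if ev == "GET")


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(NORMAL_CLIENT + SYN_FLOODER + HTTP_FLOODER).items()):
        print(src, verdict)
    print("distributed flood verdicts:", set(classify_sources(LOW_AND_SLOW).values()))
    print("distributed flood total GETs:", total_requests(LOW_AND_SLOW))
```

Aggregate counters such as total_requests are what an in-line defense or scrubbing center adds on top of per-source rules, which is why the article notes that simple rules alone do not stop the more complex, distributed attacks.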