Distributed denial of service (DDoS) attack
Distributed denial-of-service (DDoS)
attack is an attempt to make a machine or network resource unavailable
to its intended users.
Although the means to carry out, the
motives for, and targets of a DoS attack vary, it generally consists of
efforts to temporarily or indefinitely interrupt or suspend services of a
host connected to the Internet.
In a denial-of-service (DoS) attack, an
attacker attempts to prevent legitimate users from accessing information
or services. By targeting your computer and its network connection, or
the computers and network of the sites you are trying to use, an
attacker may be able to prevent you from accessing email, websites,
online accounts (banking, etc.), or other services that rely on the
affected computer.
DDoS, short for distributed
denial-of-service, is a type of cyber-attack that overwhelms and
eventually shuts down access to a network, effectively keeping others
from reaching it. The most common way to do this is the attacker
gathering “zombie” computers that they can direct in botnets to flood
the target network. Sometimes this is done through pure brute force,
sometimes by targeting a weaker layer of a website and exploiting
features. Sometimes it is both of those things to make it harder to
stop. The end result is usually the same: the business is offline, and
there’s no way to know for sure when the DDoS attack will end. Between
the frantic IT staff trying to block the wave of bad traffic, the
apologies and frustrations of affected companies, and the online
complaints of clients, the affect of an attack can be substantial and
often a devastating loss for a company, adding up to hundreds of
thousands of dollars in profit loss and collateral damage from the
attack.
The reasons that a DDoS attack can occur
are as multiple as the people it affects. There really is no particular
type of business that isn’t a target for a DDoS attack. They can happen
to government services just as easily as to a video game voice chat.
The DDoS attacker might be doing it for fun or as a statement against
their target. They could do it for a ransom against the company they’re
keeping from doing business, or be a competitor trying to take the
credibility out of their opposition. They could also be doing it as a
distraction to cover up another type of cyberattack.
What we do know is ways to stop the damaging flood and to be prepared for the next time. Staminus is here to help you.
The most common and obvious type of DoS
attack occurs when an attacker “floods” a network with information. When
you type a URL for a particular website into your browser, you are
sending a request to that site’s computer server to view the page. The
server can only process a certain number of requests at once, so if an
attacker overloads the server with requests, it can’t process your
request. This is a “denial of service” because you can’t access that
site.
An attacker can use spam email messages
to launch a similar attack on your email account. Whether you have an
email account supplied by your employer or one available through a free
service such as Yahoo or Hotmail, you are assigned a specific quota,
which limits the amount of data you can have in your account at any
given time. By sending many, or large, email messages to the account, an
attacker can consume your quota, preventing you from receiving
legitimate messages.
On the Internet, a distributed
denial-of-service (DDoS) attack is one in which a multitude of
compromised systems attack a single target, thereby causing denial of
service for users of the targeted system.
Perpetrators of DoS attacks typically
target sites or services hosted on high-profile web servers such as
banks, credit card payment gateways, and even root nameservers.
Denial-of-service threats are also common in business,and are sometimes responsible for website attacks.
This technique has now seen extensive
use in certain games, used by server owners, or disgruntled competitors
on games, such as popular Minecraft servers.
Increasingly,
DoS attacks have also been used as a form of resistance. Richard
Stallman has stated that DoS is a form of ‘Internet Street Protests’.The
term is generally used relating to computer networks, but is not
limited to this field; for example, it is also used in reference to CPU
resource management.
One common method of attack involves
saturating the target machine with external communications requests, so
much so that it cannot respond to legitimate traffic, or responds so
slowly as to be rendered essentially unavailable. Such attacks usually
lead to a server overload. In general terms, DoS attacks are implemented
by either forcing the targeted computer(s) to reset, or consuming its
resources so that it can no longer provide its intended service or
obstructing the communication media between the intended users and the
victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered
violations of the Internet Architecture Board’s Internet proper use
policy, and also violate the acceptable use policies of virtually all
Internet service providers. They also commonly constitute violations of
the laws of individual nations.[citation needed]
Specific DDoS Attacks Types
Some specific and particularly popular and dangerous types of DDoS attacks include:
UDP Flood
This DDoS attack leverages the User
Datagram Protocol (UDP), a sessionless networking protocol. This type of
attack floods random ports on a remote host with numerous UDP packets,
causing the host to repeatedly check for the application listening at
that port, and (when no application is found) reply with an ICMP
Destination Unreachable packet. This process saps host resources, and
can ultimately lead to inaccessibility.
ICMP (Ping) Flood
ICMP (Ping) Flood
Similar in principle to the UDP flood
attack, an ICMP flood overwhelms the target resource with ICMP Echo
Request (ping) packets, generally sending packets as fast as possible
without waiting for replies. This type of attack can consume both
outgoing and incoming bandwidth, since the victim’s servers will often
attempt to respond with ICMP Echo Reply packets, resulting a significant
overall system slowdown.
SYN Flood
SYN Flood
A SYN flood DDoS attack exploits a known
weakness in the TCP connection sequence (the “three-way handshake”),
wherein a SYN request to initiate a TCP connection with a host must be
answered by a SYN-ACK response from that host, and then confirmed by an
ACK response from the requester. In a SYN flood scenario, the requester
sends multiple SYN requests, but either does not respond to the host’s
SYN-ACK response, or sends the SYN requests from a spoofed IP address.
Either way, the host system continues to wait for acknowledgement for
each of the requests, binding resources until no new connections can be
made, and ultimately resulting in denial of service.
Ping of Death
Ping of Death
A ping of death (“POD”) attack involves
the attacker sending multiple malformed or malicious pings to a
computer. The maximum packet length of an IP packet (including header)
is 65,535 bytes. However, the Data Link Layer usually poses limits to
the maximum frame size – for example 1500 bytes over an Ethernet
network. In this case, a large IP packet is split across multiple IP
packets (known as fragments), and the recipient host reassembles the IP
fragments into the complete packet. In a Ping of Death scenario,
following malicious manipulation of fragment content, the recipient ends
up with an IP packet which is larger than 65,535 bytes when
reassembled. This can overflow memory buffers allocated for the packet,
causing denial of service for legitimate packets.
Slowloris
Slowloris
Slowloris is a highly-targeted attack,
enabling one web server to take down another server, without affecting
other services or ports on the target network. Slowloris does this by
holding as many connections to the target web server open for as long as
possible. It accomplishes this by creating connections to the target
server, but sending only a partial request. Slowloris constantly sends
more HTTP headers, but never completes a request. The targeted server
keeps each of these false connections open. This eventually overflows
the maximum concurrent connection pool, and leads to denial of
additional connections from legitimate clients.
Zero-day DDoS
Zero-day DDoS
“Zero-day” are simply unknown or new
attacks, exploiting vulnerabilities for which no patch has yet been
released. The term is well-known amongst the members of the hacker
community, where the practice of trading Zero-day vulnerabilities has
become a popular activity.
DDOS is a type of DOS attack where multiple compromised systems — which are usually infected with a Trojan — are used to target a single system causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.
According to this report on
eSecurityPlanet, in a DDoS attack, the incoming traffic flooding the
victim originates from many different sources – potentially hundreds of
thousands or more. This effectively makes it impossible to stop the
attack simply by blocking a single IP address; plus, it is very
difficult to distinguish legitimate user traffic from attack traffic
when spread across so many points of origin.
