DDoS attacks

A common form of DoS is known as “distributed denial of service” (DDoS). Instead of just using one single computer, cyber criminals overload systems with requests from many computers, which are combined together to form gigantic botnets. By using such computer networks, more traffic is generated than with simple DoS attacks, which are only carried out from a single system. DDoS attacks have drastic effects on those involved and hope of locating the source of the attack is generally quite bleak. Attackers that plant botnets of this kind place special software agents on insufficiently protected computers. These computers are then used to control them without the owner’s knowledge. An “infection” sometimes happens months before the actual DDoS attacks are carried out.

Unlike other cybercriminal invasions, DoS and DDoS attacks don’t try to infiltrate a system; instead, they are often part of a larger attack. For example, when a system has been paralyzed, the attacks can be used to distract server operators of the fact that an attack is happening elsewhere on another system. If a system’s responsiveness is delayed due to a DoS or a DDoS attack, hackers have the opportunity to change requests to the overloaded system through manipulated responses. The strategies underlying such attacks can be divided into three categories:

• bandwidth overload
• system resource overload
• exploitation of software errors and security gaps

The aim of overloading the bandwidth is to make a computer inaccessible. DoS and DDoS attacks directly target networks and their respective connecting device. A router can only process a certain amount of data at once. If this capacity is exceeded due to an attack, the corresponding services will no longer be available to other users. A typical DDoS attack designed for overloading bandwidth is the Smurf attack.

Smurf attack: this DDoS attack takes advantage of the Internet Control Message Protocol (ICMP), which helps the exchange of information and error reports in computer networks. The attacker sends manipulated ICMP Echo Request packets (Ping) to the broadcast address of a network and uses the target’s IP address as the sender address. The broadcast request is then forwarded from the network router to all connected devices, which causes them all to send a response to the sender address (Pong). A large network with many devices connected to it can therefore massively impair the target’s bandwidth.

A DDoS attack targets the resources of a system; this way, attackers exploit the fact that the web server can only establish a limited number of connections. If these are used for invalid requests, the server will be effectively blocked for regular users. This is known as flooding. Classic DDoS attack patterns on system resources are ping flood, SYN flood, and UDP flood.

• HTTP flood: this is the simplest DDoS resource overload attack variant. The attacker floods the target’s web server with a large number of HTTP requests. To do this, they simply have to access any pages of the target project until the server collapses from the amount of requests.

• Ping flood: when it comes to this type of attack, cyber criminals overload the server with ICMP Echo Request packets. These requests are usually sent by botnets on a massive scale. Since these requests (ping) have to be answered with a data packet from the target system (pong), slow systems end up being thwarted by a ping flood.

• SYN flood: this attack abuses the TCP three-way handshake connection. TCP (Transmission Control Protocol) is a network protocol that, together with an IP, ensures smooth data traffic flow over the internet. A TCP connection is always made in a three-step authentication process, which starts with the client sending the server a synchronization packet (SYN). This is then received by the server, which acknowledges the request with its own synchronization packet (SYN) as well as a confirmation (ACK). The connection process is then ended with a client-side confirmation (ACK). If this last step fails to happen, the system will be paralyzed since the server doesn’t have a final confirmed connection to store in the working memory. If a large number of these half-opened connections meet due to SYN flooding, the available server resources will be completely used up.
   
• UDP flood: with these attacks, cyber criminals rely on the connectionless User Datagram Protocol (UDP). Unlike transmission over the TCP protocol, data can be transferred via UDP without needing an established connection. In regards to DoS and DDoS attacks, UDP packets are sent to random ports on the target system. The system tries unsuccessfully to determine which applications are waiting for the transferred data, and then, as a result, sends an ICMP packet back to the sender along with the message “destination unreachable”. If a system is feeling the strain of numerous requests of this kind, the resource overload can cause limited availability for regular users.

If a hacker finds certain security gaps in an operating system or program, they can plan DoS or DDoS attacks so that the requests trigger a system crash. Examples of this type of attack include the ping of death and LAND (Local Area Network Denial) attacks.

• Ping of death: the aim of this attack is to cause a system crash. Hackers take advantage of implementation errors in the internet protocol (IP). IP packets are generally sent as fragments. If incorrect information is sent for the packet assembly, many operating systems can be tricked into thinking that the IP packet is bigger than the maximum allowance of 64 KB. This can lead to a buffer overflow, which is where a program tries to store more data in a buffer than it can handle. The extra information has to go somewhere and flows into adjacent buffers, leading to any information stored there to be overwritten or corrupted.
   
• LAND attack: during this type of attack an attacker sends a SYN packet in line with the TCP three-way handshake (see above). The SYN packet has the same target and sender address as the corresponding server that is to be attacked. The server then responds to the request by sending itself a response in the form of a SYN/ACK packet. This can be interpreted as a new connection request that again needs to be answered with a SYN/ACK packet. This leads to a capacity overload since the system keeps repeatedly responding to requests, which can then crash the system.

Various security measures have been developed to stop IT systems being overloaded by DoS and DDoS attacks. One approach is that they identify critical IP addresses as well as close any known security gaps. In addition, making hardware and software resources available can compensate for smaller attacks.

• IP blacklist: blacklists make it possible to identify critical IP addresses and to reject data packets. These security measures can be implemented manually or automatized through dynamic blacklists via a Firewall.  

• Filtration: in order to filter out irregular data packets, you can define limits for data volumes in a specified period. You should pay attention to proxies, which can mean that many clients are registered with the same IP address on the server and can potentially be blocked.    

• SYN cookies: SYN cookies focus on security gaps in the TCP connection. If these safety measures are implemented, information about the SYN packet won’t be saved on the server anymore, but rather sent as a crypto cookie to the client. SYN flood attacks take up some computer capacity, but don’t overload the memory of the target system.  

• Load balancing: an effective counter measure against overloading is to distribute the load onto different systems, which is made possible through load balancing. Here the hardware capacity of the available service is spread across several physical machines. This is how DoS and DDoS attacks can be intercepted to a certain degree.