DoS: attack patterns and countermeasures

When an online service isn’t available, it’s known in the IT world as ‘denial of service’ (DoS). A denial of service normally comes about when individual IT infrastructure components are overloaded. If this is caused deliberately by external parties, it’s referred to as a DoS attack. This occurs when an attacker floods a target URL with so many requests that the server can no longer process them all. Network devices, operating systems, and individual server services are then only able to respond to requests with a delay, if at all. An especially effective approach is to inundate a system with requests from many different computers. This is known as a DDoS attack; it differs from a simple DoS attack in that thousands of bot computers, combined into a botnet, are used rather than a single machine.

DDoS attacks on a large scale

A common form of DoS is known as “distributed denial of service” (DDoS). Instead of using a single computer, cyber criminals overload systems with requests from many computers, which are combined to form gigantic botnets. Using such computer networks generates far more traffic than a simple DoS attack carried out from a single system. DDoS attacks have drastic effects on those affected, and the chances of locating the source of the attack are generally slim. Attackers who build botnets of this kind place special software agents on insufficiently protected computers, which they can then control without the owner’s knowledge. Such an “infection” sometimes happens months before the actual DDoS attack is carried out.

Definition: DDoS (Distributed Denial of Service)

DDoS (Distributed Denial of Service) in information technology describes the unavailability of a service due to a very high number of requests. A service failure like this is usually due to a concentrated attack, also known as a DDoS attack. DDoS can also result from a temporary, unintentional resource overload.

What does a DDoS attack look like?

The basis of every DDoS attack is a large network of computers. In theory, the attacker could own all of these machines. In practice, however, they are usually the aforementioned botnets, consisting of hundreds of thousands of computers infected with malware that gives cybercriminals remote access without the owner noticing. More recently, IoT (Internet of Things) devices such as routers, surveillance cameras, and digital video recorders, which can also be misused as bots, have been used increasingly often.

With the right computer network, the attacker often has an easy time carrying out the planned DDoS attack. To achieve their goal, i.e. to bring the targeted service to a standstill, they now need a suitable point of attack in the victim’s system or network. Once they have found this weak point, they can send the required commands to their bot army to start the DDoS attack wave at the desired time. In the following section, you will learn which actions and attack patterns are used by the remote-controlled bots.

What types of DDoS attacks are there?

Unlike other cybercriminal intrusions, DoS and DDoS attacks don’t try to infiltrate a system; instead, they are often part of a larger attack. For example, while a system is paralyzed, the attack can be used to distract server operators from the fact that another system is being attacked elsewhere. If a system responds slowly because of a DoS or DDoS attack, attackers also have the opportunity to answer requests meant for the overloaded system with manipulated responses of their own. The strategies underlying such attacks can be divided into three categories:

  • bandwidth overload
  • system resource overload
  • exploitation of software errors and security gaps

Bandwidth overload

The aim of overloading the bandwidth is to make a computer unreachable. Here, DoS and DDoS attacks directly target networks and their connecting devices. A router can only process a certain amount of data at once. If this capacity is exceeded by an attack, the corresponding services will no longer be available to other users. A typical DDoS attack designed to overload bandwidth is the Smurf attack.

Smurf attack: this DDoS attack takes advantage of the Internet Control Message Protocol (ICMP), which is used to exchange status information and error reports in computer networks. The attacker sends manipulated ICMP Echo Request packets (ping) to the broadcast address of a network, using the target’s IP address as the sender address. The network router forwards the broadcast request to all connected devices, each of which sends a response (pong) to the spoofed sender address, i.e. to the target. A large network with many connected devices can therefore massively impair the target’s bandwidth.

System resource overload

This type of DDoS attack targets the resources of a system. Attackers exploit the fact that a web server can only maintain a limited number of connections at once: if these are all taken up by invalid requests, the server is effectively blocked for regular users. This is known as flooding. Classic DDoS attack patterns on system resources are HTTP flood, ping flood, SYN flood, and UDP flood.

  • HTTP flood: this is the simplest DDoS resource overload attack variant. The attacker floods the target’s web server with a large number of HTTP requests. To do this, the bots simply have to request any pages of the target site until the server collapses under the number of requests.
  • Ping flood: in this type of attack, cyber criminals overload the server with ICMP Echo Request packets, usually sent by botnets on a massive scale. Since each of these requests (ping) has to be answered with a data packet from the target system (pong), slower systems end up being crippled by a ping flood.
  • SYN flood: this attack abuses the TCP three-way handshake. TCP (Transmission Control Protocol) is a network protocol that, together with IP, ensures smooth data traffic over the internet. A TCP connection is always established in a three-step handshake, which starts with the client sending the server a synchronization packet (SYN). The server acknowledges the request with its own synchronization packet (SYN) together with a confirmation (ACK). The handshake is then completed by a client-side confirmation (ACK). If this last step never happens, the server has to keep the half-open connection in its working memory while it waits for the final confirmation. If a large number of such half-open connections accumulate because of SYN flooding, the available server resources are completely used up.
  • UDP flood: in these attacks, cyber criminals rely on the connectionless User Datagram Protocol (UDP). Unlike transmission over TCP, data can be sent via UDP without an established connection. In a DoS or DDoS attack, UDP packets are sent to random ports on the target system. The system tries, unsuccessfully, to determine which application is waiting for the transferred data and then sends an ICMP packet with the message “destination unreachable” back to the sender. If a system is hit by a large number of requests of this kind, the resulting resource overload can limit availability for regular users.

Exploiting software errors and security gaps

If attackers find certain security gaps in an operating system or program, they can design DoS or DDoS attacks so that their requests trigger a system crash. Examples of this type of attack are the ping of death and the LAND (Local Area Network Denial) attack.

  • Ping of death: the aim of this attack is to cause a system crash. Attackers take advantage of implementation errors in the Internet Protocol (IP). IP packets are generally sent as fragments. If incorrect information is sent for reassembling the packet, many operating systems can be tricked into thinking that the IP packet is bigger than the maximum allowance of 64 KB. This can lead to a buffer overflow, where a program tries to store more data in a buffer than it can hold. The extra data has to go somewhere and flows into adjacent buffers, so that any information stored there is overwritten or corrupted.
  • LAND attack: in this type of attack an attacker sends a SYN packet in line with the TCP three-way handshake (see above), in which the target and sender address are both set to the address of the server under attack. The server then responds to the request by sending itself a SYN/ACK packet, which it interprets as a new connection request that again needs to be answered with a SYN/ACK packet. Because the system keeps responding to its own requests, the resulting capacity overload can crash it.

How can DDoS attacks be prevented and reduced?

Various security measures have been developed to stop IT systems from being overloaded by DoS and DDoS attacks. One approach is to identify critical IP addresses and to close any known security gaps. In addition, providing spare hardware and software resources can absorb smaller attacks.

  • IP blacklist: blacklists make it possible to identify critical IP addresses and to reject their data packets. This measure can be implemented manually or automated through dynamic blacklists in a firewall.
  • Filtering: in order to filter out irregular data packets, you can define limits on data volumes within a specified period. Note that proxies can cause many clients to be registered on the server with the same IP address, so that they could all potentially be blocked together.
  • SYN cookies: SYN cookies address the security gap in TCP connection establishment. When this measure is in place, information about the SYN packet is no longer stored on the server but is instead sent to the client encoded in a cryptographic cookie. SYN flood attacks then still consume some computing capacity, but no longer exhaust the memory of the target system.
  • Load balancing: an effective countermeasure against overloading is to distribute the load across different systems, which is made possible by load balancing. The hardware capacity of the service is spread across several physical machines, which lets DoS and DDoS attacks be absorbed to a certain degree.
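The SYN flood described above and the SYN cookie countermeasure in this list, as an added example that is not part of the original article: a simplified Python implementation of the classic SYN cookie layout (a time slot, an MSS index and a keyed hash packed into the server's 32-bit initial sequence number), so that no half-open connection has to be stored until the client's final ACK proves it really received the SYN/ACK. The addresses, ports and secret are constructed for the demo.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; a real server generates a random secret at start-up.
SECRET = b"demo-secret-not-for-production"
# MSS values a cookie can carry: only a 3-bit index fits, so the client's MSS is rounded down.
MSS_TABLE = (536, 1220, 1460, 4312)

def _slot(now: Optional[float]) -> int:
    """5-bit counter of 64-second time slots (wraps roughly every 34 minutes)."""
    return (int(time.time() if now is None else now) >> 6) & 0x1F

def _hash24(saddr: str, sport: int, daddr: str, dport: int, t: int) -> int:
    """Keyed hash of the connection 4-tuple and time slot, truncated to 24 bits."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(saddr, sport, daddr, dport, mss, now=None) -> int:
    """Initial sequence number for the SYN/ACK; nothing about the SYN is kept in memory."""
    t = _slot(now)
    m = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (m << 24) | _hash24(saddr, sport, daddr, dport, t)

def check_syn_cookie(saddr, sport, daddr, dport, ack, now=None) -> Optional[int]:
    """Validate the client's final ACK; returns the recovered MSS, or None if forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF             # the client acknowledges our ISN + 1
    t = cookie >> 27
    if (_slot(now) - t) & 0x1F > 1:             # accept only the current and the previous slot
        return None
    if cookie & 0xFFFFFF != _hash24(saddr, sport, daddr, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]      # index is trusted only after the hash matched

if __name__ == "__main__":
    # Constructed addresses: the server answers a SYN with a cookie ISN, and only a client that
    # actually received that SYN/ACK can send the matching ACK, so spoofed SYNs cost no memory.
    a = ("198.51.100.7", 40000, "203.0.113.10", 443)
    isn = make_syn_cookie(*a, 1460)
    print("genuine ACK ->", check_syn_cookie(*a, isn + 1))   # 1460
    print("forged ACK  ->", check_syn_cookie(*a, isn + 7))   # None
```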
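The IP blacklist and filtering measures in this list, as an added example that is not from the original article: a sliding-window rate limiter in Python run over constructed, simplified access-log records, which also handles the proxy caveat by counting per forwarded client address only when the request really came from a trusted proxy. The blocklist, proxy address and all client addresses are constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed addresses for this demo.
BLOCKLIST = {"192.0.2.66"}            # "critical" addresses whose packets are rejected outright
TRUSTED_PROXIES = {"203.0.113.5"}     # our own reverse proxy; all its clients share one source IP

class RateLimiter:
    """Sliding-window filter: at most `limit` requests per client within any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)     # per-client timestamps still inside the window

    @staticmethod
    def client_key(src_ip, forwarded_for):
        # Behind a proxy every client arrives from the proxy's IP, so count per forwarded client;
        # trust X-Forwarded-For only from our own proxy, because anyone can set that header.
        if src_ip in TRUSTED_PROXIES and forwarded_for:
            return forwarded_for.split(",")[0].strip()
        return src_ip

    def allow(self, ts, src_ip, forwarded_for=None):
        key = self.client_key(src_ip, forwarded_for)
        if key in BLOCKLIST:
            return False
        q = self.hits[key]
        while q and ts - q[0] >= self.window:   # forget hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def filter_log(records, limit=5, window=10):
    """Run the limiter over (epoch_seconds, source_ip, x_forwarded_for) records, ordered in
    time per client, and return {client: (allowed, dropped)}."""
    rl = RateLimiter(limit, window)
    stats = defaultdict(lambda: [0, 0])
    for ts, src, xff in records:
        stats[rl.client_key(src, xff)][0 if rl.allow(ts, src, xff) else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}

# Constructed access-log records, reduced to the three fields the filter needs.
SAMPLE_LOG = (
    [(100 + i, "198.51.100.7", None) for i in range(8)]          # one client hammering the server
    + [(103, "192.0.2.66", None), (104, "192.0.2.66", None)]     # a blocklisted address
    + [(105 + i, "203.0.113.5", "10.0.0.1") for i in range(3)]   # two clients behind our proxy
    + [(105 + i, "203.0.113.5", "10.0.0.2") for i in range(3)]
    + [(109, "198.51.100.9", "10.0.0.1")]                        # spoofed header, not from our proxy
)
```

Calling `filter_log(SAMPLE_LOG)` yields (5, 3) for the flooding client, (0, 2) for the blocklisted address and (3, 0) for each of the two clients behind the proxy, which would have shared one counter without the forwarded-address handling.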