When an online service isn’t available, it’s known in the IT world as ‘denial of service’ (DoS). A denial of service normally comes about when individual IT infrastructure components are overloaded. If this is caused deliberately by external parties, it’s referred to as a DoS attack. This occurs when an attacker floods a target URL with so many requests that the server can no longer process them all. Network devices, operating systems, and individual server services are then only able to respond to requests in a delayed manner, if at all. An especially effective approach is one where a system is inundated with requests from many different computers. This is known as a DDoS attack, which differs from a DoS attack in that thousands of compromised computers (a “botnet”) are used rather than one.

DDoS attacks on a large scale

A common form of DoS is known as “distributed denial of service” (DDoS). Instead of just using one single computer, cyber criminals overload systems with requests from many computers, which are combined together to form gigantic botnets. By using such computer networks, far more traffic is generated than with simple DoS attacks, which are only carried out from a single system. DDoS attacks have drastic effects on those involved, and hope of locating the source of the attack is generally quite bleak. Attackers that build botnets of this kind place special software agents on insufficiently protected computers. These agents are then used to control the computers without the owner’s knowledge. An “infection” sometimes happens months before the actual DDoS attacks are carried out.

Definition: DDoS (Distributed Denial of Service)

DDoS (Distributed Denial of Service) in information technology describes the unavailability of a service due to a very high number of requests. A service failure like this is usually due to a concentrated attack, also known as a DDoS attack. DDoS can also result from a temporary, unintentional resource overload.

What does a DDoS attack look like?

The basis of every DDoS attack is a larger network of computers. In theory, this group can actually be owned by the attacker. In practice, however, it is usually the aforementioned bot networks, consisting of hundreds of thousands of computers. The corresponding computers are infected with malware that allows cybercriminals remote access without the computer owner noticing. In the recent past, IoT (Internet of Things) devices such as routers, surveillance cameras, or digital video recorders, which can also be misused as bots, have been used more and more often.

With the right computer network, the attacker often has an easy time carrying out the planned DDoS attack. In order to fulfil their goal, i.e. to bring the targeted service to a standstill, they now need an appropriate point of attack in the victim’s system or network. Once they have found it, they can send the required commands to their bot army to start the DDoS attack wave at the desired time. In the following section, you will learn which different actions and attack patterns are used by the remote-controlled bots.

What types of DDoS attacks are there?

Unlike other cybercriminal invasions, DoS and DDoS attacks don’t try to infiltrate a system; instead, they are often part of a larger attack. For example, paralyzing one system can be used to distract server operators from the fact that an attack is happening elsewhere on another system. If a system’s responsiveness is delayed due to a DoS or a DDoS attack, hackers also have the opportunity to tamper with requests to the overloaded system by means of manipulated responses. The strategies underlying such attacks can be divided into three categories:

  • bandwidth overload
  • system resource overload
  • exploitation of software errors and security gaps

Bandwidth overload

The aim of overloading the bandwidth is to make a computer inaccessible. DoS and DDoS attacks directly target networks and their respective connecting devices. A router can only process a certain amount of data at once. If this capacity is exceeded due to an attack, the corresponding services will no longer be available to other users. A typical DDoS attack designed for overloading bandwidth is the Smurf attack.

Smurf attack: this DDoS attack takes advantage of the Internet Control Message Protocol (ICMP), which is used to exchange information and error reports in computer networks. The attacker sends manipulated ICMP Echo Request packets (ping) to the broadcast address of a network, with the target’s IP address forged as the sender address. The broadcast request is then forwarded by the network router to all connected devices, which all send a response (pong) to the forged sender address. A large network with many connected devices can therefore massively impair the target’s bandwidth.

System resource overload

This kind of DDoS attack targets the resources of a system: attackers exploit the fact that a web server can only establish a limited number of connections. If these are used up by invalid requests, the server will be effectively blocked for regular users. This is known as flooding. Classic DDoS attack patterns on system resources are HTTP flood, ping flood, SYN flood, and UDP flood.

  • HTTP flood: this is the simplest DDoS resource overload attack variant. The attacker floods the target’s web server with a large number of HTTP requests. To do this, they simply have to access any pages of the target project until the server collapses under the number of requests.
  • Ping flood: when it comes to this type of attack, cyber criminals overload the server with ICMP Echo Request packets. These requests are usually sent by botnets on a massive scale. Since each of these requests (ping) has to be answered with a data packet from the target system (pong), slow systems end up being overwhelmed by a ping flood.
  • SYN flood: this attack abuses the TCP three-way handshake used to set up a connection. TCP (Transmission Control Protocol) is a network protocol that, together with IP, ensures smooth data traffic flow over the internet. A TCP connection is always set up in a three-step handshake, which starts with the client sending the server a synchronization packet (SYN). The server acknowledges this with its own synchronization packet (SYN) together with a confirmation (ACK). The connection setup is then completed by a client-side confirmation (ACK). If this last step never happens, the server keeps the half-open connection in its working memory while it waits for the final ACK. If a large number of these half-open connections accumulate due to SYN flooding, the available server resources will be completely used up.
  • UDP flood: with these attacks, cyber criminals rely on the connectionless User Datagram Protocol (UDP). Unlike transmission over TCP, data can be transferred via UDP without needing an established connection. In DoS and DDoS attacks, UDP packets are sent to random ports on the target system. The system tries unsuccessfully to determine which application is waiting for the transferred data and, as a result, sends an ICMP packet back to the sender with the message “destination unreachable”. If a system has to handle a large number of requests of this kind, the resource overload can limit availability for regular users.
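On the victim, a SYN flood shows up as a pile of half-open connections. The following is an added Python example (not code from the original article): it parses a constructed sample in the column layout of `ss -tan` output and reports, per local port, how many connections are half-open (SYN-RECV) versus established and which source /24s the half-open ones come from; the threshold of 100 is an assumption for the demo.

```python
from collections import Counter, defaultdict
from ipaddress import ip_interface

# Constructed sample in the column order of `ss -tan` (State Recv-Q Send-Q Local Peer):
# five real sessions on 443, one on 22, then 300 half-open connections from hosts
# spread over one /24, which is how a spoofed-source SYN flood looks from the victim.
SAMPLE = [f"ESTAB 0 0 192.0.2.10:443 198.51.100.{i}:5{i:04d}" for i in range(1, 6)]
SAMPLE += ["ESTAB 0 0 192.0.2.10:22 198.51.100.9:60001"]
SAMPLE += [f"SYN-RECV 0 0 192.0.2.10:443 203.0.113.{i % 250 + 1}:4{i:04d}" for i in range(300)]


def parse_ss_line(line):
    """Return (state, local_port, peer_ip) for one row, or None for headers/garbage.
    IPv4 only in this demo; IPv6 rows carry brackets that would need stripping."""
    parts = line.split()
    if len(parts) < 5 or ":" not in parts[3] or ":" not in parts[4]:
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    return state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]


def half_open_report(lines, threshold=100):
    """Per local port: half-open vs established counts, the /24s behind the half-open
    connections, and a flag when the half-open count reaches the threshold."""
    half_open, established = Counter(), Counter()
    sources = defaultdict(Counter)
    for line in lines:
        rec = parse_ss_line(line)
        if rec is None:
            continue
        state, port, peer = rec
        if state == "SYN-RECV":
            half_open[port] += 1
            sources[port][str(ip_interface(f"{peer}/24").network)] += 1
        elif state == "ESTAB":
            established[port] += 1
    report = {}
    for port in set(half_open) | set(established):
        report[port] = {
            "half_open": half_open[port],
            "established": established[port],
            "top_sources": sources[port].most_common(3),
            "flagged": half_open[port] >= threshold,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(half_open_report(SAMPLE).items()):
        print(port, info)
```

On a live host the same function can be fed the lines of `ss -tan` directly; the header row is skipped by the parser.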

Exploiting software errors and security gaps

If a hacker finds certain security gaps in an operating system or program, they can plan DoS or DDoS attacks so that the requests trigger a system crash. Examples of this type of attack include the ping of death and LAND (Local Area Network Denial) attacks.

  • Ping of death: the aim of this attack is to cause a system crash. Hackers take advantage of implementation errors in the Internet Protocol (IP). IP packets are generally sent as fragments. If incorrect information is sent for the packet reassembly, many operating systems can be tricked into assembling an IP packet that is bigger than the maximum allowance of 64 KB. This can lead to a buffer overflow, which is where a program tries to store more data in a buffer than it can hold. The extra information has to go somewhere and flows into adjacent buffers, causing any information stored there to be overwritten or corrupted.
  • LAND attack: during this type of attack an attacker sends a SYN packet in line with the TCP three-way handshake (see above). The SYN packet has the same destination and sender address, namely that of the server to be attacked. The server then responds to the request by sending itself a response in the form of a SYN/ACK packet. This can be interpreted as a new connection request that again needs to be answered with a SYN/ACK packet. This leads to a capacity overload since the system keeps repeatedly responding to its own requests, which can then crash the system.

How can DDoS attacks be prevented and reduced?

Various security measures have been developed to stop IT systems being overloaded by DoS and DDoS attacks. One approach is to identify critical IP addresses and to close any known security gaps. In addition, providing extra hardware and software resources can compensate for smaller attacks.

  • IP blacklist: blacklists make it possible to identify critical IP addresses and to reject their data packets. This measure can be implemented manually or automated through dynamic blacklists on a firewall.
  • Filtering: in order to filter out irregular data packets, you can define limits for data volumes in a specified period. Pay attention to proxies, which can mean that many clients are registered with the same IP address on the server and could be blocked together.
  • SYN cookies: SYN cookies address the weak point in the TCP connection setup. If this measure is implemented, information about the SYN packet is no longer stored on the server but is instead sent to the client as a cryptographic cookie. SYN flood attacks then still consume some computing capacity, but no longer exhaust the memory of the target system.
  • Load balancing: an effective countermeasure against overloading is to distribute the load across different systems, which is made possible through load balancing. Here the hardware capacity of the available service is spread across several physical machines. This is how DoS and DDoS attacks can be intercepted to a certain degree.
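To show why SYN cookies remove the memory pressure of half-open connections, here is an added Python example (not from the original article): it simulates the backlog of a classic server beside a cookie-based server that encodes the connection’s 4-tuple and a coarse timestamp into the sequence number of its SYN/ACK and verifies the client’s final ACK without any stored state. The secret, the addresses and the 64-second slot are constructed values for the demo.

```python
import hashlib
import hmac
import struct

# Constructed values for this demo: a real server draws a random secret at boot.
SECRET = b"demo-secret-not-for-production"
SLOT_SECONDS = 64            # a cookie is valid for the current and the previous slot
SERVER = ("192.0.2.10", 443)


def make_syn_cookie(src, dst, now):
    """Initial sequence number the server puts in its SYN/ACK: a MAC over the
    4-tuple and a coarse timestamp, so no half-open state has to be kept."""
    slot = int(now) // SLOT_SECONDS
    msg = struct.pack("!HHQ", src[1], dst[1], slot) + src[0].encode() + dst[0].encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def check_ack(src, dst, ack_num, now):
    """The final ACK is genuine iff ack_num - 1 equals a cookie from a recent slot."""
    echoed = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    for t in (now, now - SLOT_SECONDS):
        if hmac.compare_digest(echoed, make_syn_cookie(src, dst, t).to_bytes(4, "big")):
            return True
    return False


def simulate(backlog, spoofed_syns):
    """Can a real client still connect after a burst of SYNs from spoofed sources that
    never send the final ACK? Returns (classic_server_ok, cookie_server_ok)."""
    now = 1_700_000_000.0
    # Classic server: every half-open connection holds a backlog slot until it times out.
    pending = {}
    for i in range(spoofed_syns):
        if len(pending) < backlog:
            pending[(f"203.0.113.{i % 250}", 40000 + i)] = 1000 + i   # ISN kept in memory
    classic_ok = len(pending) < backlog           # is there a slot left for the real client?
    # Cookie server: each spoofed SYN costs one MAC computation and no memory at all.
    client = ("198.51.100.7", 51234)
    cookie = make_syn_cookie(client, SERVER, now)
    cookie_ok = check_ack(client, SERVER, cookie + 1, now + 1)
    return classic_ok, cookie_ok


if __name__ == "__main__":
    print("backlog 256, 10 spoofed SYNs:", simulate(256, 10))
    print("backlog 256, 10000 spoofed SYNs:", simulate(256, 10_000))
```

The trade-off the text mentions is visible in `check_ack`: every spoofed SYN still costs the server a MAC computation, but an ACK that arrives more than two slots late, or with the wrong sequence number, is rejected without any lookup.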
