What is a DDoS attack and Anti-DDoS methods
As new technologies emerge, so do new methods of computer warfare that threaten the security of our platforms. One of the oldest cyber-attacks is the DDoS attack. The technique dates back to the early 2000s, but according to Akamai reports, DDoS attacks have been on the rise since 2014. On October 21, 2016, one of the most severe massive DDoS attacks in the world took place, disrupting the services of large companies such as PayPal, Spotify, Twitter and Netflix. According to The Guardian, this attack was the largest of its kind in history.
What is a DDoS attack and what does it consist of?
Let's start by defining a simple denial of service, or DoS, attack. The final objective of a DoS attack is to consume the resources of the target machine or network so that its services become unavailable. This is not a hacking attack in the usual sense: a denial of service attack is not designed to steal confidential information or break into a system by force, but to interrupt the services offered by that system, whether an application, a website or any IT platform connected to the Internet. Some attackers, however, take advantage of this temporary weakness to perpetrate other types of attacks.
Difference between DoS and DDoS
Let's look at a simple analogy: suppose a large store with enough staff and products launches a new offer, free PS4 consoles! The number of customers trying to get the product will overwhelm the store's resources, so it is very likely that the store will have to close temporarily, preventing customers from accessing its services.
Now suppose a more cunning attacker wants to hit the store with even more customers and implants a chip that turns thousands of people into zombies (yes, this is the IT term for an intruder-controlled computer) to drain more and more resources from the store. This is what a DDoS, or distributed denial of service, attack is all about. A stresser/booter is used for this type of attack.
A DoS attack is carried out from a single Internet connection, exploiting software vulnerabilities or flooding the attacked machine with fake requests in order to overload its network resources, RAM or CPU. In contrast, and as the analogy shows, a DDoS attack is perpetrated from several devices across the Internet. In general, these attacks are executed using many computers, on the order of hundreds or thousands. How do so many people manage to agree on such an attack? The reality is that the vast majority of owners of the devices taking part in a DDoS attack have no idea they are part of it: a Trojan, malware or bot has infected the device and carries out the attack on the attacker's behalf.
The large number of devices sending requests saturates the target computer or network, making it unavailable. This also makes determining the source of the attack extremely difficult. There are different types of DDoS attacks, which are described in the section Types of DDoS attacks and how they are carried out.
What is a botnet?
The group of devices infected with a bot that can be managed remotely is called a botnet. Also called "zombie armies" (a zombie is the equivalent of a computer bot), botnets are the source of a DDoS attack. Because the computers that make up a botnet are geographically dispersed, it is almost impossible to find a pattern among the attacking devices.
What is the impact of a DDoS attack?
The impact of a DDoS attack that achieves its objective is very extensive. Suppose you run a large retail consortium (like Amazon) and your service is affected for 24 hours or more. The first impact is usually economic. And it is not just the impact of major sales losses: it also affects your reputation, service level agreements are violated, your availability figures drop, and statistically important values such as quality of service and quality of experience (QoS and QoE) are impacted.
This is why it is so important that you are protected against these attacks, or at least prepared for when they occur. At OpenCloud we are pioneers in offering Anti-DDoS solutions in Chile and Latin America, with which you can avoid these types of attacks or mitigate the problem using the mitigation methods employed by large companies. For more information, see the Anti-DDoS Methods section.
Types of DDoS attacks and how they are carried out
We can divide DDoS attacks into two main categories within the OSI model: network layer attacks and application layer attacks.
DDoS attacks in the application layer
These attacks are usually smaller in scale and are aimed directly at the web server, without affecting other ports and services. They consume little bandwidth and include HTTP floods, slow attacks with tools such as Slowloris or RUDY, zero-day attacks (exploiting vulnerabilities before they are discovered or fixed by the vendor) and DNS request floods.
Slowloris sends partial requests to the target server to keep connections open for as long as possible. At regular intervals it sends additional HTTP headers on each connection so that the request is never completed, while opening more and more of these connections. In this way the victim's resources are tied up, making it impossible for it to continue providing its services. This attack only affects the web server.
For its part, RUDY focuses on web applications, consuming all available sessions on the web server. It simulates a user with a very slow Internet connection and sends HTTP POST requests (like those of a web form) very slowly, forcing the server to wait a long time for the request to complete. It is a slow attack, but it is usually effective because it takes advantage of this weakness in HTTP request handling.
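The slow-request pattern described above (connections held open by requests that never complete) leaves a recognizable trace in web server logs. The following is an added example, not code from the original article or from OpenCloud: it parses constructed nginx-style access log lines (assumed to use the combined format with `$request_time` appended) and flags clients that repeatedly trigger 408 request-timeout responses or hold a request open for a long time while receiving almost no data. The log lines, addresses and thresholds are constructed samples.

```python
import re
from collections import defaultdict

# Constructed nginx-style access log lines (combined format with $request_time appended).
# Sample data only; the addresses are from documentation ranges, not a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 408 0 "-" "Mozilla/5.0" 300.004
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET / HTTP/1.1" 408 0 "-" "Mozilla/5.0" 300.012
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /form HTTP/1.1" 408 0 "-" "Mozilla/5.0" 299.870
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /form HTTP/1.1" 408 0 "-" "Mozilla/5.0" 300.101
198.51.100.20 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.012
198.51.100.20 - - [10/Mar/2024:12:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.009
192.0.2.44 - - [10/Mar/2024:12:00:07 +0000] "POST /upload HTTP/1.1" 200 120 "-" "curl/8.0" 45.300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "[^"]*" (?P<rtime>[\d.]+)$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["rtime"] = float(rec["rtime"])
    return rec


def is_slow_request(rec, slow_seconds, small_bytes=1024):
    """A request counts as 'slow' if the server timed out waiting for the client (408),
    or if it stayed open for a long time while producing almost no response data."""
    return rec["status"] == 408 or (rec["rtime"] >= slow_seconds and rec["bytes"] < small_bytes)


def find_slow_clients(log_text, slow_seconds=30.0, min_hits=3):
    """Return {client_ip: slow_request_count} for clients at or above min_hits.

    One slow request is normal (a large upload on a poor link); the same client
    holding many requests open at once is the Slowloris/RUDY pattern.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_slow_request(rec, slow_seconds):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in find_slow_clients(SAMPLE_LOG).items():
        print(f"suspect slow client {ip}: {n} slow or timed-out requests")
```

On nginx, the 408 entries this script counts are produced when `client_header_timeout` or `client_body_timeout` expires, so lowering those timeouts both shortens how long a slow client can occupy a connection and surfaces the pattern in the log sooner. To run it against a real log, pass the file contents to `find_slow_clients` instead of `SAMPLE_LOG`.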
DDoS attacks in the network layer
These attacks exploit weaknesses in the network and transport layers (layers 3 and 4 of the OSI model), sending more packets or more bandwidth than the target server can handle. The major attacks we usually read about in the media are network layer DDoS attacks.
Attacks in this category usually cause a total interruption of service or serious operational damage. They consume so many network resources that they are usually measured in Gbps (gigabits per second), with the largest exceeding 300 Gbps.
Attacks of this type include:
- SYN floods: this attack exploits a weakness in the TCP connection handshake. Attackers send connection requests as SYN (synchronization) packets to the victim server but spoof the source IP address (the attacker's, or those of the zombies in a botnet). Although the connection request looks genuine, when the victim responds with a SYN-ACK message it never hears back from the spoofed address, so the handshake stalls and the connection is left half-open. Multiplied by hundreds of thousands of requests, the server consumes all of its available network resources and stops working.
- DNS floods: the attacker targets one or more DNS servers and sends apparently valid traffic that in reality consists of malformed packets, exhausting the resources of the recursive DNS server and preventing it from processing genuine requests.
- UDP floods: in this case the attacker floods random ports of the victim with IP packets containing UDP datagrams. The victim looks for the service associated with each port and, finding none, returns an ICMP "Destination Unreachable" packet. As it receives and answers more and more packets it becomes saturated and stops responding to legitimate clients.
- UDP-based amplification attacks: this type of attack abuses other services such as DNS (translation of names to IPs on the Internet), NTP (synchronization of the computer clock over the Internet) or SSDP (discovery of UPnP devices on the network) by sending them large numbers of UDP packets. They are called amplification attacks because the responses these services return are much larger than the requests that trigger them, so the attacker's traffic is multiplied before it reaches the victim, making the attack very powerful.
- Ping of death: in this case the attacker sends malformed ICMP packets (slightly above the standardized limit of 65,535 bytes) using a simple ping command. When the victim server tries to reassemble these packets it consumes a lot of resources; multiply the number of packets sent considerably and the server hangs.
- There are other attacks, such as Nuke and Smurf, that also take advantage of weaknesses in the IP protocol and ICMP messages to cause saturation and, ultimately, network overflow.
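The half-open connections a SYN flood leaves behind are visible on a Linux host as sockets in the SYN-RECV state. The following is an added example, not code from the original article or from OpenCloud: it parses constructed output in the format printed by `ss -tan`, counts half-open sockets per local port, flags ports above a threshold and measures how many distinct peer addresses are involved (a high ratio of distinct peers is consistent with spoofed or distributed sources). The socket table, addresses and threshold are constructed samples; in practice the threshold must be tuned to the host's normal load.

```python
from collections import Counter

# Constructed sample in the layout of `ss -tan` (one socket per line after the header).
# Sample data only; nothing here comes from a real host.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
ESTAB      0      0      10.0.0.5:443        198.51.100.20:51422
SYN-RECV   0      0      10.0.0.5:443        203.0.113.11:40001
SYN-RECV   0      0      10.0.0.5:443        203.0.113.12:40002
SYN-RECV   0      0      10.0.0.5:443        203.0.113.13:40003
SYN-RECV   0      0      10.0.0.5:443        203.0.113.14:40004
SYN-RECV   0      0      10.0.0.5:443        203.0.113.15:40005
ESTAB      0      0      10.0.0.5:22         192.0.2.9:55010
SYN-RECV   0      0      10.0.0.5:22         203.0.113.16:40006
"""


def parse_ss(output):
    """Yield (state, local_port, peer_ip) for each socket line, skipping the header."""
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]   # works for IPv4 and bracketed IPv6
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_by_port(output):
    """Count SYN-RECV (half-open) connections per local port."""
    counts = Counter()
    for state, port, _peer in parse_ss(output):
        if state == "SYN-RECV":
            counts[port] += 1
    return counts


def syn_flood_suspects(output, threshold):
    """Ports whose half-open count is at or above the threshold.

    A busy server legitimately has some SYN-RECV sockets at any moment, so the
    threshold is a site-specific assumption, not a universal constant.
    """
    return {port: n for port, n in half_open_by_port(output).items() if n >= threshold}


def distinct_peer_ratio(output, port):
    """Share of SYN-RECV peers on a port that are distinct addresses (0.0 if none).

    Many half-open sockets all from different addresses that never complete the
    handshake is the signature of spoofed sources described in the text.
    """
    peers = [ip for state, p, ip in parse_ss(output) if state == "SYN-RECV" and p == port]
    return len(set(peers)) / len(peers) if peers else 0.0


if __name__ == "__main__":
    for port, n in syn_flood_suspects(SAMPLE_SS, threshold=5).items():
        ratio = distinct_peer_ratio(SAMPLE_SS, port)
        print(f"port {port}: {n} half-open connections, distinct-peer ratio {ratio:.2f}")
```

To run this against live data, replace `SAMPLE_SS` with the output of `ss -tan` (for example via `subprocess.run`) and poll it on a schedule. On the mitigation side, Linux SYN cookies (`net.ipv4.tcp_syncookies`) let the kernel complete handshakes without keeping per-connection state once the backlog is full, which is the usual first line of defence against the half-open pattern this script detects.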
Why are DDoS attacks carried out?
There are many different reasons for performing a DDoS attack; the most common include:
- Hacktivism: the word comes from hacker and activism, and this is one of the most common reasons for these attacks. It is a way for hackers or hacker organizations (like Anonymous) to express their critical opinion on issues involving large corporations or politics.
- Extortion: this is another increasingly popular motive. Here, attackers demand money from medium and large companies in exchange for not carrying out a DDoS attack.
- Cyber-vandalism: these are generally less experienced attackers who use existing tools and scripts to carry out an attack simply for fun or out of revenge.
- Competition in the market: these attacks are usually triggered by rivalry between companies or are simply a form of dirty competition; for example, attacks on the servers of online gaming companies, or attacks on companies selling services and products on crucial days such as Black Friday.
DoS-based attacks cannot be prevented outright. You must accept that attackers are likely to act and will probably succeed in reaching their target. What we can do is make our platform harder to bring down and be prepared to take action in the event of an attack. Let's look at some recommendations for preparing for DDoS cyber-attacks:
- Invest in building a robust platform: if you own a large platform that offers services or products that generate revenue or commercial value, you should invest in the security of your applications. Companies are often reluctant to pay for services they do not use; however, this expense can be very small compared to the losses a DDoS attack can generate.
- Implement a monitoring tool for your systems: there are many tools available on the market. OpenCloud offers a monitoring solution for the most important metrics of your CloudServer; however, it is advisable to also run a monitoring solution in a different network segment so that you notice unusual changes in bandwidth, CPU and memory usage.
- Conduct stress tests: another good idea is to use third-party DDoS testing tools and run tests before your platform goes into production, so you know how your system behaves in different DDoS scenarios.
- Watch social networks and news blogs for DDoS threats. You can use Info Risk Today's RSS feeds to keep up to date with the latest cyber threats.
- During a DDoS attack, log files grow exponentially and can themselves become the cause of your service interruption. As soon as you become aware that you are the victim of a DDoS attack, start deleting the dump files that are created because of the volume of errors. One of the less obvious aspects of DDoS attacks is that they put heavy load on parts of the system other than the one originally attacked. A good idea is to disable log generation completely for the duration of the attack.
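The monitoring recommendation above is about noticing unusual changes, not watching raw numbers. The following is an added example, not code from the original article or from OpenCloud's monitoring product: a rolling-baseline detector over constructed inbound bandwidth samples (Mbit/s, one per minute) that alerts when a sample jumps far above the recent mean, and keeps alerting samples out of the baseline so the attack traffic cannot quietly become the new normal. The series, window size and thresholds are constructed assumptions; the same function works on CPU or memory readings.

```python
import statistics

# Constructed inbound-bandwidth samples in Mbit/s, one per minute: steady traffic
# followed by the kind of sudden jump a volumetric attack produces. Sample data only.
SAMPLE_MBPS = [40, 42, 39, 41, 44, 40, 43, 41, 42, 40, 39, 41, 400, 950, 1200]


def detect_spikes(samples, window=10, k=4.0, min_ratio=3.0):
    """Return the indices of samples that deviate sharply from the preceding baseline.

    The baseline is the mean and population standard deviation of the last `window`
    samples that were judged normal. A sample alerts when it exceeds mean + k*stdev
    AND is at least `min_ratio` times the mean; the ratio guard stops a flat series
    (stdev close to zero) from alerting on harmless jitter. Alerting samples are not
    added to the baseline, so a sustained attack keeps alerting instead of being
    absorbed into the average. Nothing is reported until the window is full.
    """
    alerts = []
    baseline = []
    for i, x in enumerate(samples):
        if len(baseline) >= window:
            mean = statistics.fmean(baseline)
            stdev = statistics.pstdev(baseline)
            if x > mean + k * stdev and x >= min_ratio * mean:
                alerts.append(i)
                continue  # do not let attack traffic poison the baseline
        baseline.append(x)
        if len(baseline) > window:
            baseline.pop(0)
    return alerts


if __name__ == "__main__":
    for i in detect_spikes(SAMPLE_MBPS):
        print(f"minute {i}: {SAMPLE_MBPS[i]} Mbit/s is far above the recent baseline")
```

Feed it the metric series from whichever collector you run in the separate network segment; the point of the separate segment is that this check keeps working when the attacked host itself is too saturated to report.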
Mitigating DDoS attacks with OpenCloud
OpenCloud offers a solution that redirects the traffic of a DDoS attack on your website, diverting it to another point in the network. Traffic entering your network, both national and international, is carefully inspected, filtered and discarded. In addition, we use IP masking on your CloudServer, preventing direct attacks on your IP address. This is an ideal solution for gamers or users with broad platforms that require more advanced levels of security.