Ethical Hacking - DDOS Attacks
Distributed Denial of Service (DDoS)
By Distributed Denial of Service (DDoS) attack, the website or any online service is overloaded with traffic from multiple sources and thus make the website unavailable.
While Denial of Service (DoS) attack uses one computer and one Internet connection, DDoS attack uses many computers and many Internet connections, to flood a target resource with packets and distributed globally, which is termed as botnet.
A large scale volumetric DDoS attack can generate a traffic measured in tens of Gigabits (and even hundreds of Gigabits) per second, which the normal network will not be able to handle.
What are Botnets
Botnets are the network of hacked machines built by the attackers, by spreading vulnerabilities through emails, websites and social media. These computers can be remotely controlled once infected, without the knowledge of the owner and used as an army to launch the attack.
A DDoS flood can be generated in multiple ways. For example −
Botnets can be used for sending more number of connection requests than a server can handle at a time. Attackers can have computers send a victim resource huge amounts of random data to use up the target's bandwidth. These machines are used to generate high traffic which is out of reach to handle resulting in complete blockage of the service.
Types of DDoS Attacks
DDoS attacks can be broadly classified into three categories −
Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other spoofedpacket floods. These are also called Layer 3 & 4 Attacks. The bandwidth of the target size is being saturated by the attacker. The magnitude of the attack is measured in terms of Bits per Second (bps).
- UDP Flood − A UDP flood is used to flood random ports on a remote host with numerous UDP packets, more specifically port number 53. To filter out or block malicious UDP packets, specialized firewalls are used.
- ICMP Flood − This is similar to UDP flood and used to flood a remote host with numerous ICMP Echo Requests. Outgoing and incoming bandwidth is consumed and end up with overall slowdown of the system due to the high volume of the ping requests.
- HTTP Flood – A large volume of HTTP GET and POST requests are sent by the attacker which are not handled by the server and leads to denial of the additional connections from legitimate clients.
- Amplification Attack – A request is made by the attacker which generates a large response including DNS requests for large TXT records and HTTP GET requests for large files like images, PDFs, or any other data files.
Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS, etc. This type of attack consumes actual server resources and other resources like firewalls and load balancers. The magnitude of the attack is measured in terms of Packets per Second.
- DNS Flood – infrastructure and DNS application are attacked by DNS floods to get access to a target system and consume the available network bandwidth.
- SYN Flood − TCP connection requests are sent by the attacker faster than the targeted machine can process them, causing network saturation. Administrators can tweak TCP stacks to mitigate the effect of SYN floods. The effect of the SYN floods can be reduced by reducing the timeout or dropping the desired incoming connections using iptables.
- Ping of Death − The attacker sends malformed or oversized packets using a simple ping command. IP allows sending 65,535 bytes packets but sending a ping packet larger than 65,535 bytes violates the Internet Protocol and could cause memory overflow on the target system and finally crash the system. To avoid Ping of Death attacks and its variants, many sites block ICMP ping messages altogether at their firewalls.
Application Layer Attacks
Application Layer Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Here the goal is to crash the web server. The magnitude of the attack is measured in terms of Requests per Second.
- Application Attack − This is also called Layer 7 Attack, where the attacker makes excessive log-in, database-lookup, or search requests to overload the application. It is really difficult to detect Layer 7 attacks because they resemble legitimate website traffic.
- Slowloris – Huge number of HTTP headers are sent by the attacker to the targeted web server, never completing the request. These false connections are kept open by the targeted web server and gradually overflow the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.
- NTP Amplification – The Network Time Protocol (NTP), which is accessible publicly is being exploited by the attacker to overcome the server target with User Datagram Protocol (UDP) traffic.
- Zero-day DDoS Attacks − A zero-day vulnerability is a system or application flaw previously unknown to the vendor, and has not been fixed or patched. For instance, exploiting vulnerabilities for which no patch has yet been released.
How to Fix a DDoS Attack
- Many DDos protection options are available and depending on the type of DDos attack, the protection option is selected.
- To start with the DDos protection, the possible OS and the vulnerabilities at the application level are closed by closing the ports, deleting unnecessary access from the system and hiding the server behind CDN system.
- Many solutions help in filtering the DDos based traffic, if the magnitude of the DDos is low. But if the magnitude is high, say in gigabits, then DDos protection service provider need to help out, which offers a proactive and genuine approach.
- There are a number of DDos protection service providers. Be careful in approaching and selecting the service provider, as they offer enormous services at huge costs.
- Simple and working solution is search for a DNS service provider and configure A and CNAME records for the website. Then, search for a CDN provider to handle big DDos traffic and at the same time provide DDos protection service as a part of CDN package.
Assume your server IP address is AAA.BBB.CCC.DDD. Then the DNS configuration to be done is as follows:
- Create a A Record in DNS zone file as shown below with a DNS identifier, for instance, ARECORDID and keep it secret from the outside world.
- Now ask the CDN provider to link the created DNS identifier with a URL, like cdn.someotherid.domain.com.
- Use the CDN URL cdn.someotherid.domain.com to create two CNAME records, the first one to point to www and the second record to point to @ as shown below.
- The system administrator helps in understanding and configuring the DNS and CDN correctly. Follow the DNS configuration.
All DDos attacks are handled by CDN keeping the system safe. But under any circumstance, the IP address of the system or A record should not be disclosed.
DDoS attacks became quite common and there is no specific quick fix for it. However, if the system gets DDos attack, look into the matter and resolve it.