DoS and DDoS attacks, their types, and defense methods
Probably every hosting, dedicated server, and VPS user at least once heard about DDoS attacks, or even fell victim to them. This attack overloads servers and drains their resources, causing them to stop responding.
What are these attacks, how do they work, and how to defend yourself from them? We will answer those questions in this article.
A DoS (Denial of Service) attack is supposed to cause server failure. It can use one of the methods described below and unlike DDoS, it needs only one machine to be performed.
DDoS (Distributed Denial of Service) is an extended DoS attack, with many machines participating. Usually, users of those machines are not aware that their computers are being used for attacks.
Volumetric attacks are a kind of DDoS attacks that rely on a large number of requests sent to the server. Overwhelming the server drains its resources until it becomes unable to serve the new ones.
A Botnet is a network of computers infected with malware undetected by the user. Those computers appear to operate normally, however they perform actions requested by the hacker in the background. Such computers are mostly used for the harmful activity, IP spoofing, and DDoS attacks.
DoS and DDoS attacks can be symmetric - the amount of packets sent is equal to the number of packets received by the victim - or asymmetric (i.e. amplificated) - the victim receives more data than the attacker sent. The second type of attack is usually performed with third-party servers, like DNS servers. Servers used in the attacks are usually misconfigured or compromised (i.e. an unauthorized person got access to them).
IP spoofing, i.e. possibility to impersonate another IP address, is often used for DDoS attacks. The attacker sends packets with their victim's IP to which overloading packets will be sent. Alternatively, IP spoofing can be used so one can avoid being detected. Amplification attacks for example are possible due to IP spoofing.
Types of DoS and DDoS attacks
Protocol attacks / Protocol layer attacks
Protocol attacks abuse the third and fourth layers of OSI model protocols. The third is the network layer, responsible for communications between computers from separate networks by using the IP protocol, which is responsible for data addressing, and packaging. The fourth layer is the transport layer in which the TCP and UDP protocols, responsible for packet transport.
Ping Flood / ICMP Flood
A third layer volumetric attack, during which the attacker using either own machine or a botnet sends a large amount of ECHO requests from the ICMP protocol. The attacked machine is busy responding to neverending pings (small packets, commonly used for bandwidth speed and server efficiency testing), and at some moment will drain all of its resources, and in effect won't be able to serve authentic users.
SYN flood and ACK flood
SYN flood and ACK flood are attacks of the fourth layer - the transport layer. They are performed by sending packets to the attacked server.
SYN packet (Synchronise) starts communication within TCP/IP model. The receiver responds with SYN-ACK (Acknowledgement), to which the sender responds with ACK. The attacker usually uses packets with a random, spoofed source address and does not receive feedback data, while the victim uses its resources to respond to SYN.
The attacker usually uses packets with a random, spoofed source address and does not receive feedback data, while the victim uses its resources to respond to SYN.
An attack also can be performed with the use of an ACK packet; forged packets are practically indistinguishable from authentic ones, and they are using computing power as well.
In the case of SYN floods, those attacks have been a well-known problem for a year and there are many methods of mitigating it, for example, a SYN cookie: after the server's SYN backlog has been filled up, the server will start responding with SYN-ACK packets containing a cookie and then delete the SYN request from memory, freeing its resources. If a client continues communications, the server will use the cookie to rebuild the SYN packet.
ACK attacks can be prevented by filtering out ACK packets that are not tied to any ongoing TCP/IP communication.
Amplification attacks
Amplification attacks use the UDP protocol of the transport layer.
Unlike TCP/IP, it does not require confirmation of communication from both parties (data can be sent without the receiver's consent). During the attack, the attacker contacts a server and asks for a lot of data, while using spoofed IP to impersonate the victim. In response, the server sends a lot of data to a specified address without ensuring the receiver's willingness to accept them.
For example, a request "send me addresses of all people living in Poland" itself is rather short, however, a response will be much longer.
DNS (Domain Name System) servers - Internet's "info boots" - are an example of servers used in amplification attacks. They inform which domain name responds to which IP address. Another way to perform an amplification attack is using NTP (Network Time Protocol), a protocol used for time synchronization between two computers. This attack uses the monlist command, which can be disabled by servers admins, making it impossible to use them in an attack of this type.
A very effective attack is the memcached attack (memcache - memory caching, a solution that allows faster page loading). Using memcached attack, 1 Mbps of Internet traffic can be amplified from 10 to even 51 Gbps of DDoS attack.
Application attacks / Application layer attacks
An application layer attack uses weaknesses of software in the highest (sixth and seventh) layers of the OSI model. It may, for example, cause software errors or infect the victim with malware.
Low and slow / R.U.D.Y.
R.U.D.Y. (an acronym of R U Dead Yet), also called low and slow, is a type of application layer attack. To perform it, the attacker finds forms on the webpage and sends answers to it - fragmented into many small packets, sent at large intervals (but not large enough for the connection to time out). The awaiting server's resourced are drained and kept busy by this process.
Due to the way this attack is performed, it is rather hard to detect, as it does not generate large traffic. One way of defending from it is decreasing maximum waiting time, this however may make the server unusable for users with slower connections, or cause rejection of incomplete HTTP requests.
Slowloris
"Slowloris" comes from "slow loris" - the name of a slow, asian mammal. It is similar to the R.U.D.Y. attack, however, instead of sending HTTP POST packets, it just sends HTTP headers. Like the slow and low attack, it drains server resources, making serving other users harder or impossible
Fork bomb
Fork bomb attack implements a script that starts new scripts which starts yet other scripts, etc. - in other words, an unending loop. New scripts use up machine's resources, so it cannot process normal users' requests.
A machine can be secured from a fork bomb by i.e. limiting the number of processes a user can have or the number of resources that one process can use.
SSL abuse
This attack uses the SSL protocol of the sixth layer - the session layer. The attacker uses the "SSL handshake" (initiation of SSL communication) to flood the server with false requests or abuse of the protocol itself. Another way to perform an SSL abuse attack is to keep renegotiating the connection or, if it is not possible, ending it once confirmed and starting again.
SSL uses computing power and entropy, a set of random data used, among others, for SSL connections. Exhaustion of the entropy delays new SSL connections, as they have to wait for new entropy to be generated.
HTTP flood
This volumetric attack takes place in the seventh layer and is performed with a botnet. During it, the server is flooded with HTTP commands - GET and POST, effectively being drained out of its resources. Attacks of these types don't use malformed packets or amplification methods, they generate lower Internet traffic, and thus they need to be understood better to be stopped.
Historical: Ping of death
It's an obsolete and nowadays unused method of DoS attack. The attacker would send the server ping packet bigger than 65 535 (2 to the power of 16 minus 1). This is the biggest packet size IPv4 protocol can handle. A ping like that could be sent with older Windows systems (3.1, 95, NT) and Novel Netware, where a software vulnerability would allow sending a packet with a size of 65 538 bytes. This could cause a crash of receiving machine or an application running on it. Modern software is immune to attacks of this type.
Those are just some DDoS attacks. Every day about 30 000 DDoS attacks are performed, with dozen of millions infected machines being used. Those numbers increase as the Internet develops, as does the amount of possible DDoS attacks.
DDoS mitigation methods
Filtering incoming packets
One of the widely used Anti-DDoS methods is filtering incoming packets, e.g. allowing only ones that are sent within ongoing TCP/IP communication. Some floods (e.g. HTTP) can be stopped by client authentication, for example with Captcha software.
Reverse proxy
Reverse proxy involves the installation of proxy servers that will receive incoming traffic and filter it, so only legitimate requests are sent to the servers.
Infrastructure oversizing
One way to protect against DDoS is to oversize your infrastructure. After being equipped with redundant resources it will be able to serve more requests. Infrastructure can also be improved by the installation of protection hardware and software modules. Proper software configuration, such as the implementation of firewall and Captcha solutions, also increases the system's resistance to DDoS attacks.
Blackholing
Blackholinge is mostly used as a "last-resort" defense mechanism from volumetric attacks. It ignores incoming requests, sending them to "nowhere" (to a "black hole", like the name implies), leaving them without an answer. It usually completely cuts the server away from the network**, however, with proper configuration it can limit denied requests to certain continents or countries.
History of DoS and DDoS attacks
The first DDoS attack took place in late June/early July 1999. The best described is the one performed against the University of Minnesota's computer, in which 114 machines were used, infected with tainoo software.
The first "media" attack took place in February 2000, during which 15 years old Canadian using the nickname mafiaboy attacked servers of many popular services, like Amazon, eBay, or Yahoo! (the most popular search engine back then), also using tainoo.
An interesting thing about this malware is that the attacker could leave messages to the infected machine's users in cry_baby folder.
Trivia: Biggest DDoS attack
Currently, the biggest known attack is the one report by Amazon Web Services. It took place in February 2020 and reached 2,3 Tbps (or 2 300 Gbps) of traffic.
Blackholing out of control, or how Pakistan blocked YouTube
An interesting example of the security vulnerability is the worldwide blocking of YouTube by Pakistan in February 2008.
Pakistan's Ministry of Communication ordered local Internet Providers to block access to YouTube and thus Pakistani ISPs started blackholing all requests sent to this platform. One of them, Pakistan Telecom, also sent a "warning" about YouTube to its Internet provider from Hong Kong, which in turn did not block it. In effect Internet providers worldwide received the warning from the Pakistani ISP and started blackholing requests sent there, making it unavailable worldwide for two hours.
Anti DDoS in Skynode
Skynode offers protection from volumetric attacks. We protect using Juniper equipment and Wanguard software. After the server's protection packet has been exceeded, blackholing is automatically enabled, cutting the server from the Internet while the attack takes place.
Dedicated servers have free protection from up to 2 Gbps of Internet traffic; with an additional fee, we offer the biggest protection packets.