Distributed Denial of Service Attack (DDoS) Part 1
DDoS stands for “Distributed Denial of Service.” A DDoS attack is a
malicious attempt to make a server or a network resource unavailable to
users, usually by temporarily interrupting or suspending the services of
a host connected to the Internet.
Unlike a Denial of Service (DoS) attack, in which one computer and one
Internet connection are used to flood the targeted resource with
packets, a DDoS attack uses many computers and many Internet
connections.
DDoS attacks can be broadly divided into three types:
Volume Based Attacks – include UDP floods, ICMP floods, and other
spoofed-packet floods. The attack’s goal is to saturate the bandwidth of
the attacked site, and its magnitude is measured in bits per second (bps).
Protocol Attacks – include SYN floods, fragmented packet attacks, Ping
of Death, Smurf DDoS and more. This type of attack consumes actual
server resources, or those of intermediate communication equipment such
as firewalls and load balancers, and its magnitude is measured in packets
per second (pps).
Application Layer Attacks – include Slowloris, zero-day DDoS attacks,
DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities, and
more. These attacks are made up of seemingly legitimate and innocent
requests; their goal is to crash the web server, and their magnitude is
measured in requests per second (rps).
Specific DDoS Attack Types
Some specific and particularly popular and dangerous types of DDoS attacks include:
UDP Flood – this DDoS attack leverages the User Datagram Protocol
(UDP), a sessionless networking protocol. This type of attack floods
random ports on a remote host with numerous UDP packets, causing the
host to repeatedly check for the application listening at that port, and
(when no application is found) reply with an ICMP Destination
Unreachable packet. This process saps host resources, and can ultimately
lead to inaccessibility.
ICMP (Ping) Flood – similar in principle to the UDP flood attack, an
ICMP flood overwhelms the target resource with ICMP Echo Request (ping)
packets, generally sending packets as fast as possible without waiting
for replies. This type of attack can consume both outgoing and incoming
bandwidth, since the victim’s servers will often attempt to respond with
ICMP Echo Reply packets, resulting in a significant overall system
slowdown.
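The three classes above are told apart by what they exhaust (bps, pps, or rps), and the UDP and ICMP floods just described are the two most common pps-type signals. The following added example (not code from the original article) shows how a defender would apply that taxonomy to a packet capture: it aggregates per-source counters over a one-second window and labels a source as a UDP port flood, an ICMP echo flood, or a volumetric (bps) source. The thresholds, the `Packet` record and the sample capture are all constructed for illustration; real thresholds come from a traffic baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # arrival time in seconds
    src: str            # source IP address
    proto: str          # "udp", "icmp" or "tcp"
    dst_port: int       # destination port (0 for ICMP)
    length: int         # bytes on the wire
    icmp_type: int = 0  # 8 = ICMP Echo Request


# Assumed thresholds for the example; derive real ones from a baseline of normal traffic.
UDP_PPS = 1000             # UDP packets per second from one source
UDP_DISTINCT_PORTS = 200   # distinct destination ports hit by that source in the window
ICMP_ECHO_PPS = 500        # Echo Requests per second from one source
VOLUME_MBPS = 5.0          # bits-per-second threshold for the volume-based class


def summarize(packets, window=1.0):
    """Per (source, window slot) counters: packets, bytes, UDP count, UDP ports, echo requests."""
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "udp": 0, "ports": set(), "echo": 0})
    for p in packets:
        s = stats[(p.src, int(p.ts // window))]
        s["pkts"] += 1
        s["bytes"] += p.length
        if p.proto == "udp":
            s["udp"] += 1
            s["ports"].add(p.dst_port)
        elif p.proto == "icmp" and p.icmp_type == 8:
            s["echo"] += 1
    return stats


def detect(packets, window=1.0):
    """Return sorted (src, slot, label) alerts; one source may carry several labels."""
    alerts = []
    for (src, slot), s in summarize(packets, window).items():
        mbps = s["bytes"] * 8 / window / 1e6
        if s["udp"] / window >= UDP_PPS and len(s["ports"]) >= UDP_DISTINCT_PORTS:
            alerts.append((src, slot, "udp_flood"))    # protocol class, measured in pps
        if s["echo"] / window >= ICMP_ECHO_PPS:
            alerts.append((src, slot, "icmp_flood"))   # protocol class, measured in pps
        if mbps >= VOLUME_MBPS:
            alerts.append((src, slot, "volumetric"))   # volume class, measured in bps
    return sorted(alerts)


def sample_traffic():
    """Constructed one-second capture: a UDP port flood, an ICMP echo flood and a benign DNS client."""
    pkts = []
    for i in range(1500):   # 1500 small UDP packets sprayed over 1500 distinct ports
        pkts.append(Packet(i / 1500, "198.51.100.7", "udp", 1024 + (i * 7919) % 40000, 64))
    for i in range(800):    # 800 large Echo Requests; at 1400 bytes each this also crosses the bps line
        pkts.append(Packet(i / 800, "203.0.113.9", "icmp", 0, 1400, icmp_type=8))
    for i in range(20):     # a normal resolver client: low rate, one port
        pkts.append(Packet(i / 20, "192.0.2.5", "udp", 53, 80))
    return pkts


if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

Running it flags the UDP source once and the ICMP source twice: the echo flood is a pps signal, and because its packets are large it is also a bps signal, which is exactly why the article measures the classes in different units.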
SYN Flood – A SYN flood DDoS
attack exploits a known weakness in the TCP connection sequence (the
“three-way handshake”), wherein a SYN request to initiate a TCP
connection with a host must be answered by a SYN-ACK response from that
host, and then confirmed by an ACK response from the requester. In a SYN
flood scenario, the requester sends multiple SYN requests, but either
does not respond to the host’s SYN-ACK response, or sends the SYN
requests from a spoofed IP address. Either way, the host system
continues to wait for acknowledgement for each of the requests, binding
resources until no new connections can be made, and ultimately resulting
in denial of service.
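The resource being bound in a SYN flood is the per-connection state the host keeps between SYN-ACK and ACK. The standard mitigation, SYN cookies, removes that state: the host encodes a keyed hash of the connection 4-tuple and a coarse timestamp into the SYN-ACK sequence number, stores nothing, and recognises a genuine ACK because it carries that value plus one. The added example below (not code from the original article) models both listeners and runs a spoofed SYN flood followed by one legitimate handshake against each. The backlog size, timeout, secret and addresses are constructed; real SYN cookies also encode the MSS and use a specific bit layout, which this simplified version omits.

```python
import hashlib
import hmac

BACKLOG = 256                                   # assumed half-open queue size for the stateful model
SYN_TIMEOUT = 60.0                              # assumed seconds a half-open entry is retained
COOKIE_SECRET = b"example-only-rotating-secret"  # constructed; real stacks rotate this secret


class StatefulListener:
    """Textbook handshake: every unanswered SYN holds a backlog slot until it times out."""

    def __init__(self):
        self.half_open = {}  # (src, sport) -> time the SYN arrived

    def on_syn(self, src, sport, now):
        for key in [k for k, t in self.half_open.items() if now - t > SYN_TIMEOUT]:
            del self.half_open[key]
        if len(self.half_open) >= BACKLOG:
            return False  # queue full: SYN dropped, the client never receives a SYN-ACK
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        return self.half_open.pop((src, sport), None) is not None


def cookie(src, sport, dst, dport, slot):
    """Stateless ISN: keyed hash of the 4-tuple and a coarse time slot (simplified SYN cookie)."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class CookieListener:
    """Sends the cookie as the SYN-ACK sequence number and stores nothing per pending connection."""

    def on_syn(self, src, sport, dst, dport, now):
        return cookie(src, sport, dst, dport, int(now // 64))

    def on_ack(self, src, sport, dst, dport, ack_num, now):
        slot = int(now // 64)
        for s in (slot, slot - 1):  # accept cookies minted in the current or previous slot
            if ack_num == (cookie(src, sport, dst, dport, s) + 1) & 0xFFFFFFFF:
                return True
        return False


def simulate(flood_size=5000):
    """Spoofed SYN flood, then one legitimate handshake against each listener.

    Returns (stateful_accepted_legit, cookie_accepted_legit)."""
    now = 1000.0
    stateful, stateless = StatefulListener(), CookieListener()
    for i in range(flood_size):
        spoofed = f"198.51.100.{i % 250}"  # constructed spoofed sources that never send an ACK
        stateful.on_syn(spoofed, 1024 + i, now)
        stateless.on_syn(spoofed, 1024 + i, "192.0.2.80", 443, now)  # nothing is retained
    legit = ("192.0.2.10", 51515)
    ok_stateful = stateful.on_syn(*legit, now + 1) and stateful.on_ack(*legit)
    isn = stateless.on_syn(*legit, "192.0.2.80", 443, now + 1)
    ok_stateless = stateless.on_ack(*legit, "192.0.2.80", 443, (isn + 1) & 0xFFFFFFFF, now + 2)
    return ok_stateful, ok_stateless


if __name__ == "__main__":
    print("stateful accepted legitimate client:", simulate()[0])
    print("SYN-cookie listener accepted legitimate client:", simulate()[1])
```

With the backlog exhausted the stateful listener silently drops the legitimate SYN, while the cookie listener completes the handshake because it never had a queue to fill; an ACK with a forged acknowledgement number is rejected because it does not match the keyed hash.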
Ping of Death – a ping of death ("POD")
attack involves the attacker sending multiple malformed or malicious
pings to a computer. The maximum length of an IP packet (including the
header) is 65,535 bytes. However, the Data Link Layer usually imposes a
limit on the maximum frame size - for example 1500 bytes over an
Ethernet network. In this case, a large IP packet is split across
multiple IP packets (known as fragments), and the recipient host
reassembles the IP fragments into the complete packet. In a Ping of
Death scenario, following malicious manipulation of fragment content,
the recipient ends up with an IP packet which is larger than 65,535
bytes when reassembled. This can overflow memory buffers allocated for
the packet, causing denial of service for legitimate packets.
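The defence against Ping of Death is a bounds check on the reassembled size before any buffer is allocated: a fragment whose offset plus length, plus the IP header, would exceed 65,535 bytes is discarded, which is what modern IP stacks do. The added example below (not code from the original article) is a small reassembler that enforces that rule, along with the other consistency checks a reassembler needs (8-byte alignment of non-final fragments, conflicting final lengths, holes and overlaps). The `Fragment` record, the 20-byte header assumption and both sample fragment sets are constructed for illustration.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # maximum IP packet length including the header (RFC 791)
IP_HEADER_LEN = 20       # assumed: no IP options


@dataclass(frozen=True)
class Fragment:
    offset: int     # fragment offset as carried in the header, in 8-byte units
    more: bool      # MF ("more fragments") flag
    payload: bytes  # fragment data following the IP header


class ReassemblyError(ValueError):
    """Raised when a set of fragments cannot form a valid datagram."""


def reassemble(fragments):
    """Rebuild the datagram payload, rejecting anything the host should never buffer."""
    total = None
    pieces = {}
    for f in fragments:
        start = f.offset * 8
        end = start + len(f.payload)
        # The Ping-of-Death check: bound the reassembled size before touching any buffer.
        if end + IP_HEADER_LEN > MAX_IP_DATAGRAM:
            raise ReassemblyError(f"fragment ends at byte {end}: datagram would exceed {MAX_IP_DATAGRAM}")
        if f.more and len(f.payload) % 8:
            raise ReassemblyError("non-final fragment length must be a multiple of 8")
        if not f.more:
            if total is not None and total != end:
                raise ReassemblyError("conflicting final-fragment lengths")
            total = end
        if start in pieces and pieces[start] != f.payload:
            raise ReassemblyError(f"conflicting data at offset {start}")
        pieces[start] = f.payload
    if total is None:
        raise ReassemblyError("final fragment missing")
    buf = bytearray(total)  # allocated only after every fragment passed the size check
    covered = 0
    for start in sorted(pieces):
        data = pieces[start]
        if start > covered:
            raise ReassemblyError(f"hole before offset {start}")
        if start + len(data) > total:
            raise ReassemblyError("fragment extends past the declared end of the datagram")
        buf[start:start + len(data)] = data
        covered = max(covered, start + len(data))
    if covered != total:
        raise ReassemblyError("datagram incomplete")
    return bytes(buf)


def try_reassemble(fragments):
    """(True, payload) on success, (False, reason) when the fragments are rejected."""
    try:
        return True, reassemble(fragments)
    except ReassemblyError as e:
        return False, str(e)


# Constructed sample input: a benign 12-byte datagram split into two fragments.
BENIGN = [Fragment(0, True, b"ABCDEFGH"), Fragment(1, False, b"WXYZ")]

# Constructed sample input in the Ping-of-Death shape: a final fragment at offset 8189
# (65,512 bytes) whose 40-byte payload pushes the reassembled length past 65,535 bytes.
OVERSIZED = [Fragment(0, True, b"\x00" * 8), Fragment(8189, False, b"\x00" * 40)]

if __name__ == "__main__":
    print(try_reassemble(BENIGN))
    print(try_reassemble(OVERSIZED))
```

The order of operations is the point: the size is validated from header fields alone, so the oversized datagram is rejected before a single byte of it is copied into a buffer.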
Slowloris – especially dangerous to hosts running Apache, dhttpd, Tomcat
and GoAhead WebServer, Slowloris is a highly targeted attack, enabling
one web server to take down another server without affecting other
services or ports on the target network. Slowloris does this by holding
as many connections to the target web server open for as long as
possible. It accomplishes this by creating connections to the target
server, but sending only a partial request. Slowloris constantly sends
more HTTP headers, but never completes a request. The targeted server
keeps each of these false connections open. This eventually overflows
the maximum concurrent connection pool, and leads to denial of
additional connections from legitimate clients.
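Because Slowloris never sends an invalid request, the server-side defence is a policy on how long and how slowly a client may take to finish its headers, plus a cap on concurrent connections per client address. The added example below (not code from the original article) implements that policy as a reaper over a constructed connection table: 200 trickling connections from one address plus two normal clients. The timeout, minimum-rate, grace and per-IP values are assumptions for the example; Apache's mod_reqtimeout (`RequestReadTimeout`) and nginx's `client_header_timeout` expose equivalent settings.

```python
from dataclasses import dataclass

# Assumed policy values for the example.
HEADER_TIMEOUT = 20.0  # seconds allowed to deliver the complete request headers
MIN_RATE_BPS = 50.0    # minimum average inbound bytes/second once a connection is older than GRACE
GRACE = 5.0            # seconds before the minimum-rate rule applies
MAX_CONN_PER_IP = 50   # concurrent connections allowed from one client address


@dataclass(frozen=True)
class Conn:
    cid: int
    client_ip: str
    accepted_at: float      # time the TCP connection was accepted
    bytes_received: int     # request bytes read so far
    headers_complete: bool  # True once the blank line that ends the headers has arrived


def reap(conns, now):
    """Return {cid: reason} for every pending connection the server should close."""
    per_ip = {}
    for c in conns:
        per_ip[c.client_ip] = per_ip.get(c.client_ip, 0) + 1
    decisions = {}
    for c in conns:
        if c.headers_complete:
            continue  # a complete request is being served; not a Slowloris connection
        age = now - c.accepted_at
        if age > HEADER_TIMEOUT:
            decisions[c.cid] = "header_timeout"
        elif age > GRACE and c.bytes_received / age < MIN_RATE_BPS:
            decisions[c.cid] = "min_rate"
        elif per_ip[c.client_ip] > MAX_CONN_PER_IP:
            decisions[c.cid] = "per_ip_limit"
    return decisions


def summarize(decisions):
    """Count closures by reason."""
    counts = {}
    for reason in decisions.values():
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def sample_connections(now=10_000.0):
    """Constructed table: 200 trickling connections from one client plus two normal ones."""
    conns = []
    for i in range(200):
        opened = now - (i % 40)                    # ages spread evenly from 0 to 39 seconds
        trickled = 40 * int((now - opened) // 10)  # one ~40-byte header line every 10 seconds
        conns.append(Conn(i, "203.0.113.42", opened, trickled, False))
    conns.append(Conn(1000, "192.0.2.10", now - 0.2, 600, True))   # headers done, being served
    conns.append(Conn(1001, "192.0.2.11", now - 1.0, 300, False))  # young and still arriving
    return conns


if __name__ == "__main__":
    print(summarize(reap(sample_connections(), 10_000.0)))
```

All 200 trickling connections are closed, each by the first rule that applies to its age, while the legitimate request and the young in-flight one are left alone. The three rules are complementary: the timeout catches connections that have already been held too long, the minimum rate catches the trickle early, and the per-IP cap limits how much of the pool one client can occupy before either timer fires.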
Zero-day DDoS – “zero-day” attacks are simply unknown or new attacks,
exploiting vulnerabilities for which no patch has yet been released. The
term is well known in the hacker community, and trading zero-day
vulnerabilities that can be used in attacks has become a popular
activity.