This is a guest article written by David Balaban. The author’s views are entirely his own and may not reflect the views of IT Governance USA.
DDoS (distributed denial-of-service) attacks have been wreaking havoc on organizations since the mid-1990s. Their objective seems simple: to deluge a computer network with a slew of traffic packets it cannot cope with.
However, the DDoS ecosystem is heterogeneous and spans dozens of different techniques. Furthermore, malicious actors’ motivations range from political protest to financial schemes. The latter approach is exemplified by ransom DDoS, where criminals knock an enterprise network offline and demand payment to stop the attack.
Based on the targeted network components and the mechanisms used, DDoS attacks can be split into three top-level categories:
- Volumetric attacks aim to overwhelm a network’s bandwidth with more traffic packets than it can process
- Protocol attacks try to deplete all the resources of a web server or a firewall
- Application-layer attacks focus on disrupting the normal functioning of web applications rather than an entire IT network
However, this is a generic hierarchy that only reflects the big picture. There are numerous sub-types that run the gamut of attack methods. Let’s delve into the most common.
- SYN flood
To execute a SYN flood attack, cyber crooks tamper with the TCP three-way handshake, the mechanism used to establish a connection between a client and a server over TCP. Criminal hackers submit numerous SYN (synchronize) messages from spoofed IP addresses to a target server. These bogus connection requests tie up the receiving server’s connection capacity, so real users experience a DoS.
- LAND attack
To set a LAND (local area network denial) attack in motion, an adversary sends a falsified SYN request in which the source and destination IP addresses are an exact match. This confuses the receiving server, which gets stuck in a loop of responding to itself, resulting in a critical error.
- SYN-ACK flood
This attack disrupts the TCP interaction phase where a web server sends a SYN-ACK packet to acknowledge a request from a client. The phony packets arrive in quantities large enough to exhaust the server’s memory and CPU.
- ACK and PUSH ACK flood
As soon as the connection between a client and a host has been established, iterative rogue ACK and PUSH ACK messages come into play. When trying to work out where these packets come from and how to deal with them, the server runs out of resources.
- Fragmented ACK flood
The attacker shells a server with fragmented ACK packets whose maximum allowed size is typically 1,500 bytes. Attempting to reassemble these messages drains the processing capabilities of network gear such as routers, and it doesn’t necessarily take a big number of such fractured packets to knock the equipment offline. Furthermore, intrusion prevention systems may fail to identify them as anomalous.
- Spoofed session flood
This attack relies on a combination of a fake SYN packet, several ACK packets, and at least one FIN (connection ending) or RST (reset) packet, and can dupe protection systems that monitor incoming traffic and mostly ignore return traffic.
- UDP flood
In contrast to TCP, UDP (User Datagram Protocol) involves no handshake, which means there is little ability to verify the source IP address. Numerous fabricated UDP packets are fired at a server until it becomes unresponsive.
- VoIP flood
A spin-off of UDP flood, this method zeroes in on VoIP (Voice over Internet Protocol) servers. It follows the classic principle of cramming the server’s capacity with numerous counterfeit VoIP packets that appear to come from different IP addresses.
- Media data flood
This attack has a lot in common with the VoIP flood, except that it uses media items such as videos and audio files to swamp a target server. To make these entities appear legitimate, the crook submits them from a myriad of different IP addresses.
- DNS flood
Criminals spawn a plethora of dummy request packets bombarding a DNS server. To feign legitimacy, these entities pretend to emanate from a large number of different IP addresses. DNS flood is one of the toughest attacks to tackle.
- NTP flood/amplification
This attack involves the NTP (Network Time Protocol), a long-standing networking protocol used for clock syncing. Malefactors piggyback on easy-to-access NTP servers to flood a victim network with a slew of UDP packets.
- CHARGEN flood
Launched in the 1980s, CHARGEN (Character Generator Protocol) may be considered obsolete, but it is still in use on some modern printers and photocopiers. Criminals submit small packets carrying a target server’s IP address to connected equipment that supports CHARGEN. The devices react by sending multiple UDP packets back to the server, thereby exhausting its capacity.
- SSDP flood/amplification
SSDP (Simple Service Discovery Protocol) is a component of the UPnP (Universal Plug and Play) protocol framework. This DDoS vector parasitizes devices that use UPnP services, submitting tiny UDP packets containing the prey server’s IP to a large number of such connected entities. Ultimately, the server cannot handle the multitude of requests generated by these devices and goes offline.
- SNMP flood/amplification
SNMP (Simple Network Management Protocol), which collects and organizes information about connected devices, can be abused to disrupt a network’s operation. Attackers inundate a switch or a router with a large number of small packets that appear to come from a spoofed web server IP address. The devices that are configured to answer such requests reply to that IP, and the reflected traffic knocks the server offline.
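The SYN flood, LAND and UDP amplification entries above all leave recognizable traces in flow data. The following is an added example, not code from the original article: a small detector run over constructed flow records; the record layout, the victim address and the thresholds are assumptions.

```python
"""Flag SYN flood, LAND and UDP amplification patterns in constructed flow records.
Added example (not from the article). Record layout, addresses and thresholds are assumed."""
from collections import defaultdict

# Source ports of the reflector services discussed in the article.
AMP_PORTS = {123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "CHARGEN"}
SYN_FLOOD_THRESHOLD = 5   # distinct sources with unanswered SYNs before alerting (assumed)
AMP_RATIO = 10            # reflected bytes received vs request bytes sent (assumed)

# Constructed records: (src_ip, dst_ip, proto, src_port, dst_port, tcp_flags, bytes).
# UDP records carry "" for flags. 203.0.113.10 is the (assumed) protected server.
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.10", "TCP", 40000, 80, "S", 60),    # legitimate handshake start
    ("10.0.0.1", "203.0.113.10", "TCP", 40000, 80, "A", 52),    # ...completed with an ACK
    ("203.0.113.10", "203.0.113.10", "TCP", 80, 80, "S", 60),   # LAND: source == destination
]
SAMPLE_FLOWS += [(f"198.51.100.{i}", "203.0.113.10", "TCP", 1000 + i, 80, "S", 60)
                 for i in range(1, 9)]                          # eight spoofed bare SYNs
SAMPLE_FLOWS += [("192.0.2.5", "203.0.113.10", "UDP", 123, 9000, "", 468)
                 for _ in range(6)]                             # NTP replies never requested

def detect(flows, target):
    """Return alert name -> evidence string for traffic involving `target`."""
    alerts = {}
    syn_only, acked = set(), set()
    reflect = defaultdict(lambda: [0, 0])   # service -> [bytes target sent, bytes it received]
    for src, dst, proto, sport, dport, flags, size in flows:
        if proto == "TCP" and dst == target:
            if src == target and flags == "S":
                alerts["land"] = f"SYN with src == dst == {target}"
            if flags == "S":
                syn_only.add(src)           # handshake opened...
            elif "A" in flags:
                acked.add(src)              # ...and later completed by this source
        elif proto == "UDP":
            if dst == target and sport in AMP_PORTS:
                reflect[AMP_PORTS[sport]][1] += size
            elif src == target and dport in AMP_PORTS:
                reflect[AMP_PORTS[dport]][0] += size
    half_open = syn_only - acked
    if len(half_open) >= SYN_FLOOD_THRESHOLD:
        alerts["syn_flood"] = f"{len(half_open)} sources with unanswered SYNs"
    for svc, (sent, received) in reflect.items():
        if received >= AMP_RATIO * max(sent, 1):
            alerts["amplification"] = f"{svc}: {received} bytes in vs {sent} out"
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS, "203.0.113.10"))
```

Real NetFlow or firewall logs would be parsed into the same tuple shape; the thresholds should be tuned to the server's normal handshake and UDP baselines.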
- HTTP flood
A perpetrator mimics regular GET or POST requests that bombard a server or a web application and degrade its functioning. This DDoS attack often relies on botnets of malware-infected computers to emulate legitimate traffic.
- Single session HTTP flood
The distinguishing characteristic of this HTTP flood spinoff is that it focuses on slipping below the radar of conventional network protection instruments that effectively fend off suspicious requests. This incursion vector triggers a scenario where a single HTTP session spawns a number of requests by obfuscating them within one HTTP packet, which allows the attacker to amplify the disruptive potential of the raid.
- Recursive HTTP GET flood
The criminal requests a series of web pages from a server and analyzes the responses. They then request each website element recurrently to siphon off the server’s processing capacity.
- Random recursive GET flood
This method can be used to hit websites that contain recursive pages, such as blogs or forums. Page numbers are randomly picked from a valid range to fake a legitimate user and send numerous GET requests that diminish the website’s performance.
- ICMP flood
This technique, also dubbed ‘ping flood’, overwhelms a server with a huge quantity of falsified ICMP (Internet Control Message Protocol) pings. The target network generates a packet in response to every single echo request received. Once it reaches its reply limit, it can no longer handle legitimate requests.
- Misused application attack
Malicious actors infect and harness client machines that run resource-heavy software such as P2P applications, overburdening the target server by redirecting hefty amounts of Internet traffic from these computers to it. This attack is difficult to thwart because the requests stem from real clients.
- IP null attack
This incursion involves numerous packets with IPv4 headers whose value is set to null. Since some web servers are incapable of processing these invalid packets, they allocate too many resources to trying to cope with this task and eventually deny service to legitimate clients.
- Smurf attack
This onslaught stands out from the rest because it relies on a malicious program dubbed ‘Smurf’ to deluge a vast multitude of devices with ICMP pings that contain the victim’s fabricated source IP address. The server may crash attempting to sort out all the incoming requests.
- Fraggle attack
The Fraggle raid resembles the Smurf attack, but instead of leveraging ICMP pings, the crooks use fraudulent UDP packets to deteriorate a server’s normal operation.
- Ping of death attack
Malefactors pollute a network with anomalous echo request packets that are larger than 64 bytes (the maximum allowed size). The task of reassembling these non-standard items can be too cumbersome for some systems to complete, which entails a DoS down the line.
- Slowloris
Slowloris is one of a kind because it takes very low bandwidth to execute – even a single computer can be enough to pull it off. The attacker opens numerous simultaneous connections to a target server and keeps them active for a long time. To maintain the continuous impact, the attacker submits fragmented queries and adds HTTP headers every now and then. This way, the uncompleted requests exhaust the server’s ability to keep concurrent connections running and cause it to become unresponsive.
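Slowloris works because a server that only applies an idle timeout will keep a connection alive as long as a header line trickles in. The following is an added example, not code from the original article: an in-memory model of a server's connection table that enforces a per-IP connection cap and a header-completion deadline measured from when the request began, so trickled headers do not extend it. Names, timings and limits are assumptions.

```python
"""Model of connection slots with Slowloris mitigations. Added example (not from the article).
HEADER_DEADLINE, PER_IP_LIMIT and MAX_SLOTS are assumed values."""
from dataclasses import dataclass

HEADER_DEADLINE = 10.0   # seconds from connection open to the blank line ending the headers
PER_IP_LIMIT = 20        # concurrent connections permitted from one address
MAX_SLOTS = 100          # total worker slots the server has

@dataclass
class Conn:
    ip: str
    opened_at: float          # the deadline is measured from here, never from last activity
    headers_done: bool = False

class ConnectionTable:
    def __init__(self):
        self.conns, self.next_id, self.rejected = {}, 0, 0

    def open(self, ip, now):
        """Accept a connection unless the per-IP cap or the slot pool is exhausted."""
        per_ip = sum(1 for c in self.conns.values() if c.ip == ip)
        if per_ip >= PER_IP_LIMIT or len(self.conns) >= MAX_SLOTS:
            self.rejected += 1
            return None
        self.next_id += 1
        self.conns[self.next_id] = Conn(ip, now)
        return self.next_id

    def feed(self, conn_id, line):
        """Feed one header line; only the empty line completes the request headers."""
        if line == "":
            self.conns[conn_id].headers_done = True

    def reap(self, now):
        """Close connections whose headers are still incomplete past the deadline."""
        stale = [i for i, c in self.conns.items()
                 if not c.headers_done and now - c.opened_at > HEADER_DEADLINE]
        for i in stale:
            del self.conns[i]
        return len(stale)

def simulate_slow_headers(attacker_ip="198.51.100.7", attempts=150):
    """Constructed scenario: one address opens many connections and never sends the blank line."""
    table = ConnectionTable()
    held = [i for i in (table.open(attacker_ip, 0.0) for _ in range(attempts)) if i is not None]
    for i in held:
        table.feed(i, "X-a: 1")   # a partial header keeps the request open but not the deadline
    reaped = table.reap(now=HEADER_DEADLINE + 1)
    return {"held": len(held), "rejected": table.rejected,
            "reaped": reaped, "free": MAX_SLOTS - len(table.conns)}
```

Production servers expose the same two controls as configuration (request header timeouts and per-client connection limits); the model shows why both are needed.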
- LOIC (Low Orbit Ion Cannon)
This open-source tool was originally intended to help security professionals perform network stress testing, but cyber criminals ended up adding it to their arsenal. An attacker mishandles it to throw a huge number of HTTP, TCP, or UDP packets to a victim server, which disrupts its operation.
- HOIC (High Orbit Ion Cannon)
Similar to the older LOIC tool, this one was designed for benign purposes but eventually fell into the wrong hands. To top it off, HOIC is much more powerful than its predecessor. It generates a slew of HTTP POST and GET requests that wear out the server. It can impact a whopping 256 domains concurrently.
- Advanced persistent DoS
Abbreviated as APDoS, this type of onslaught is typically in high-profile cyber criminals’ portfolios. It flexibly engages a fusion of different ‘flooding’ methods to cause as much damage as possible. Another hallmark of this attack is that it can persevere for weeks.
- ReDoS
ReDoS (regular expression denial of service) targets a specific program by loading it with overly complex string search patterns. The algorithmic sophistication of these specially crafted tasks exhausts the system’s regular expression processing capacity, which may cause it to crash.
- Zero-day DDoS
As the name suggests, this attack cashes in on previously unknown flaws in a computer network or a web server. Bugs like this allow crooks to stay one step ahead of whitehats, who simply cannot tackle the issue proactively.
Although DDoS is an old-school attack vector, it continues to make itself felt and is dynamically evolving. Some incursions involve malware strains and botnets to inflate the attack surface. A growing number of threat actors are motivated by extortion. Open-source network stress-testing tools such as LOIC and HOIC are increasingly misused in real-world onslaughts.
DDoS is a multi-pronged phenomenon, and organizations should take the threat seriously. Although a reliable intrusion prevention system combined with a firewall should do the trick in most cases, it’s definitely a good idea to have a plan B that will kick in if things get out of hand.