DDoS Attacks | All you want to know!
A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the functioning of your system, network or server by making it impossible for a service to be delivered.
In its simplest form, a DDoS attack floods the target system with a high-speed, high-volume stream of bogus traffic, with the final aim of overwhelming it.
The target system gets overloaded processing bogus traffic and the “service” is “denied” to the genuine traffic, hence the name.
DDoS can be carried out against virtually anything: servers, devices, networks, cloud drives, applications or even specific transactions or services within those transactions!
An attack against a network usually escalates over time: it begins with probing traffic that maps the network infrastructure, progresses to overwhelming the monitoring and security infrastructure, and finally sweeps across the entire network like a tidal wave.
Why bother?
We must all be concerned about DDoS attacks because they have been increasing in both intensity and frequency - and steadily!
Well, exponentially steadily! Just look at the growth rate of DDoS attacks:
- In 2011, the increase was 11%.
- By 2016, the increase had risen to 35%.
- In 2020 (last year), the number of attacks tripled in volume, a recorded increase of a massive 200%!
The availability of cheap virtual servers, advanced botnets and high returns in the form of ransom and stolen data make DDoS a lucrative attack for cybercriminals.
Difference between DoS and DDoS attack
A DoS (Denial of Service) attack is carried out by a single system that sends the malicious data or requests, while a DDoS attack involves multiple systems sending those malicious queries.
These multiple systems may either all be owned by the hackers (like a seedbox for torrents) or they might be slaves (or bots) controlled by one master system (belonging to the hacker), through malware.
This network of slaves (or bots) is known as a botnet (network of bots).
How is a DDoS attack performed? What are DDoS Attack Tools?
In reality, an effective DDoS almost always requires high-end hardware or a robust botnet, both of which require considerable investment in terms of time and resources.
However, if you want to check your existing device/network security systems for vulnerabilities, or maybe DoS somebody for fun (don’t do that!), here is how to do it.
A fairly simple and fairly effective tool (in the case of DoS attacks) is the open-source LOIC (Low Orbit Ion Cannon). As you can see, it is easy to set up and use: a good tool for testing individual device safety and, with proper modifications, a deadly weapon.
Then for a DDoS attack, it is recommended you set up a small botnet of at least 5 machines and clean them later on. Get the tools RUDY and HULK up and running on all machines with process permissions explicitly granted.
Start with RUDY (RU Dead Yet) to probe a network for vulnerability with slow rate HTTP flooding. RUDY can then generate and export the vulnerability report.
Once you know the way in (mostly recommended settings based on the report) HULK (HTTP Unbearable Load King) can be used to generate unique HTTP requests to attempt flooding.
Types of DDoS attacks
Depending upon how they are carried out, DDoS attacks can be classified into 5 main types.
Volumetric DoS
The most common type of DDoS, in which attackers overwhelm your systems by flooding them with massive amounts of bogus traffic. This type, too, can be broken down into direct attacks that bombard the target with queries and the more sinister reflection attacks that flood it with DNS replies. More on that in another dedicated article.
Fragmentation DoS
Any data that you send or receive over the network is transmitted in fragments (or pieces). The receiver then has to reassemble those fragments to recreate the original data.
In this attack, the attacker overwhelms the reassembling ability of your receiver system by bombarding it with faultily fragmented packets.
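How a receiver can keep reassembly from being overwhelmed, as an added example that is not from the original article: a reassembly buffer that caps in-progress datagrams, expires stale ones and discards overlapping or oversized fragments (the Ping of Death case). The class name, the limits and the use of byte offsets instead of IP's 8-byte units are assumptions made for illustration.

```python
MAX_PENDING = 3        # assumed cap on datagrams under reassembly at once
MAX_DATAGRAM = 65535   # largest valid IPv4 datagram, in bytes
TIMEOUT = 30.0         # assumed lifetime (seconds) of an incomplete datagram

class Reassembler:
    def __init__(self):
        # (source, datagram id) -> {"start": time, "frags": {offset: bytes}, "total": end or None}
        self.pending = {}

    def add(self, key, offset, data, more_fragments, now):
        """Return (status, payload); payload is set only when status is 'complete'."""
        # Expire stale entries so abandoned fragments cannot pin memory forever.
        for k in [k for k, d in self.pending.items() if now - d["start"] > TIMEOUT]:
            del self.pending[k]
        d = self.pending.get(key)
        if d is None:
            if len(self.pending) >= MAX_PENDING:
                return ("drop:table-full", None)   # refuse new state under pressure
            d = self.pending[key] = {"start": now, "frags": {}, "total": None}
        end = offset + len(data)
        overlap = any(offset < o + len(b) and o < end for o, b in d["frags"].items())
        if not data or end > MAX_DATAGRAM or overlap:
            del self.pending[key]                  # malformed: discard whole datagram
            return ("drop:malformed", None)
        d["frags"][offset] = data
        if not more_fragments:
            d["total"] = end
        offsets = sorted(d["frags"])
        ends = [o + len(d["frags"][o]) for o in offsets]
        # Complete only if the fragments tile [0, total) with no gap.
        if offsets == [0] + ends[:-1] and ends[-1] == d["total"]:
            del self.pending[key]
            return ("complete", b"".join(d["frags"][o] for o in offsets))
        return ("pending", None)

def demo():
    """Constructed traffic: one good datagram, one overlapping, one oversized."""
    r = Reassembler()
    good, bad = ("192.0.2.10", 1), ("203.0.113.9", 7)
    return [
        r.add(good, 0, b"hello ", True, 0.0),
        r.add(good, 6, b"world", False, 0.1),
        r.add(bad, 0, b"AAAAAAAA", True, 0.2),
        r.add(bad, 4, b"BBBBBBBB", True, 0.3),       # overlaps bytes 4..7
        r.add(bad, 65528, b"C" * 16, False, 0.4),    # would end past 65535
    ]
```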
Network-Layer DoS
In this case, the hacker pushes large numbers of malicious packets (SYN floods, Ping of Death or Smurf DDoS) into your network, capable of COMPLETELY OVERLOADING AND DISABLING your server (if unprotected) or intermediate communication equipment (Firewall/DMZ/Load Balancer).
State Exhaustion DoS
Here, the hacker tears down the state tables present in your network servers or communication equipment (Firewall/Load Balancer).
The TCP connections will get distorted and within moments your registry is overwhelmed, tables lose consistency, and a DDoS attack is here!
Application-layer DoS
A malicious-request attack carried out by exploiting glitches (bugs) in the application. Hence, you guessed it right, this is also known as a “0-day-DDoS”.
This one is harmful and nasty as it can target even specific services within infected applications - say denying your website’s billing page or exploiting your consumers who land there.
DDoS Attacks Examples (Famous DDoS Attacks In History)
Dyn DNS DDoS Attack
This attack targeted Dyn, an internet infrastructure services provider. Dyn DNS (now Oracle DYN) was struck by a wave of DNS queries from tens of millions of IP addresses. The attack was executed through the Mirai botnet, which had an arsenal of over 400,000 slave systems (bots).
Github DDoS Attack
1.35 Tbps of traffic struck the developer platform GitHub in Jan 2018. GitHub struggled with its monitoring and security systems and sought help from Akamai Prolexic, which took over as an intermediary, routing (casting) all the traffic coming into and out of GitHub through its threat management centres to weed out and block malicious packets.
Amazon DDoS Attack
In Feb of 2018, Amazon Web Services had to defend against a DDoS attack with a peak traffic volume of 2.3 Tbps, the largest ever recorded. Amazon said that the attack was mitigated by an advanced anycast-based threat mitigation system - AWS Shield.
How to prevent a DDoS Attack?
Comprehensive protection, like that offered by firewalls and unified threat mitigators, is required to fend off DDoS attacks. In case one happens, we have to rely on casting techniques to divert the attack before engaging backup systems.
The following tips help you mitigate the risk of a DDoS attack against your network. They involve:
- Proper monitoring of all traffic entering and leaving your network, and of its trends.
- Beefing up the server farm infrastructure by including better casting techniques like multicast and anycast to handle a large number of requests and get a bigger bandwidth.
- Performing regular network analysis/vulnerability testing to find out the possibility of a DoS attack and set up thresholds.
- Rate limiting the traffic allowed from one source to about 5 requests/sec. A rate of more than 15 requests/sec from a single source can be a DDoS.
- Adding load-balancing lines with throttle logic to absorb and control traffic.
- Shutting down (pruning) unnecessary services on your network.
- Performing proper ingress/egress filtering with in-depth packet analysis to filter out unwanted traffic.
- Regular activity profiling. What type of traffic does your business have to usually deal with? Profile it, and use that to compare anomalies.
- Reducing system vulnerability by rectifying program errors. Use the tools we discussed above to test.
- Following a whitelisting approach, rather than blacklisting malicious sources.
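The rate-limiting tip above, as an added example that is not from the original article: a per-source token bucket that holds each source to about 5 requests/sec, plus a one-second sliding window that flags any source exceeding 15 requests/sec. The class and function names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

LIMIT_RPS = 5    # sustained requests/sec allowed per source (figure from the list)
ALERT_RPS = 15   # requests/sec above which a source is flagged (figure from the list)

class SourceLimiter:
    def __init__(self):
        self.tokens = defaultdict(lambda: float(LIMIT_RPS))  # each bucket starts full
        self.last_seen = {}
        self.window = defaultdict(deque)   # arrival times within the last second
        self.flagged = set()

    def allow(self, src, now):
        # Refill the token bucket for the time elapsed since the last request.
        elapsed = now - self.last_seen.get(src, now)
        self.last_seen[src] = now
        self.tokens[src] = min(float(LIMIT_RPS), self.tokens[src] + elapsed * LIMIT_RPS)
        # Count every arrival, allowed or not, in a one-second sliding window.
        win = self.window[src]
        win.append(now)
        while now - win[0] >= 1.0:
            win.popleft()
        if len(win) > ALERT_RPS:
            self.flagged.add(src)
        # Spend one token per allowed request; an empty bucket means drop.
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False

def replay(events):
    """Feed (timestamp, source) pairs through the limiter; return (allowed counts, flagged)."""
    limiter = SourceLimiter()
    allowed = defaultdict(int)
    for ts, src in sorted(events):
        if limiter.allow(src, ts):
            allowed[src] += 1
    return dict(allowed), limiter.flagged

# Constructed sample traffic: one ordinary client at 2 requests/sec and
# one source sending 24 requests at a rate of 32 requests/sec.
SAMPLE = [(i * 0.5, "198.51.100.7") for i in range(4)] + \
         [(i / 32, "203.0.113.9") for i in range(24)]
```

The limiter keeps state per source, so in production that table itself needs a size cap and expiry, otherwise a flood from many spoofed sources exhausts it.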
OR if you want to save all that time and hassle and still want to make sure your network is prepared to deal with DDoS attacks, you can do so by SIGNING UP for BhaiFi. It is going to automatically take care of everything, so that you sit back, relax and enjoy!
Cheers and Happy Reading!