A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve their effectiveness by using many compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging a highway, preventing regular traffic from arriving at its destination.
How does a DDoS attack work?
To carry out an attack, the attacker first needs to gain control of a network of online machines. Computers and other devices (such as IoT devices) are infected with malware, turning each one into a bot (or zombie). The attacker then has remote control over the group of bots, which is called a botnet.
Once a botnet has been established, the attacker can direct the machines by sending updated instructions to each bot over a command-and-control channel. When the botnet targets a victim's IP address, each bot responds by sending requests to the target, potentially causing the targeted server or network to exceed its capacity, resulting in a denial of service to normal traffic. Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
What are common types of DDoS attacks?
Different DDoS attack vectors target different components of a network connection. To understand how the various DDoS attacks work, it is necessary to know how a network connection is made. A network connection on the Internet is composed of many different components or "layers". Like building a house from the ground up, each step in the model has a different purpose. The OSI model is a conceptual framework that describes network connectivity in 7 distinct layers.
While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories. An attacker may use one or multiple attack vectors, or cycle between attack vectors in response to the target's countermeasures.
Application Layer Attacks
The Goal of the Attack:
Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the target's resources. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap for the client to execute but can be expensive for the target server to respond to, as the server often has to load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend against, since the traffic can be hard to distinguish from legitimate requests.
In an HTTP flood, the effect is similar to pressing refresh in a web browser over and over on many different computers at once: large numbers of HTTP requests flood the server, resulting in denial of service.
This type of attack ranges from simple to complex. Simpler implementations may access one URL with the same range of attacking IP addresses, referrers and user agents. Complex versions may use a large number of attacking IP addresses and target random URLs using random referrers and user agents. The second form defeats signature-based filtering, so defenders fall back on per-source rate limits and behavioural signals.
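As an added example (not code from the original page), the two signals above turned into detection logic over a constructed access log in combined format: a per-source sliding-window rate limit that catches the single client hammering refresh, and a shared-fingerprint check that catches the "simple" flood in which many bot IPs send the identical (URL, referrer, user-agent) triple. The IP ranges, user-agent strings, thresholds and log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


class FloodDetector:
    """Two sliding-window signals over parsed requests (records must arrive in time order).

    1. Per-source rate: one IP sending more than `per_ip_limit` requests per window.
    2. Shared fingerprint: at least `min_sources` distinct IPs sending the same
       (path, referrer, user-agent) triple per window, the mark of a botnet flood
       that does not randomise its requests. Thresholds are assumed values.
    """

    def __init__(self, window=timedelta(seconds=10), per_ip_limit=50, min_sources=20):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.min_sources = min_sources
        self.ip_hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.fp_hits = defaultdict(deque)   # fingerprint -> (timestamp, ip) inside the window
        self.flagged_ips = set()
        self.flagged_fingerprints = set()

    def _expire(self, dq, now, ts_of):
        while dq and now - ts_of(dq[0]) > self.window:
            dq.popleft()

    def observe(self, rec):
        now = rec["ts"]
        hits = self.ip_hits[rec["ip"]]
        hits.append(now)
        self._expire(hits, now, lambda t: t)
        if len(hits) > self.per_ip_limit:
            self.flagged_ips.add(rec["ip"])

        fp = (rec["path"], rec["referrer"], rec["ua"])
        fp_hits = self.fp_hits[fp]
        fp_hits.append((now, rec["ip"]))
        self._expire(fp_hits, now, lambda e: e[0])
        if len({ip for _, ip in fp_hits}) >= self.min_sources:
            self.flagged_fingerprints.add(fp)


def analyze(lines, **kwargs):
    """Run the detector over raw log lines; return (flagged IPs, flagged fingerprints)."""
    det = FloodDetector(**kwargs)
    for rec in filter(None, map(parse_line, lines)):
        det.observe(rec)
    return det.flagged_ips, det.flagged_fingerprints


def _line(ip, ts, path, ua, referrer="-"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "{referrer}" "{ua}"'


def sample_log():
    """Constructed access log: normal browsing, one single-source flood, one distributed flood."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    browsers = ["Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
                "Mozilla/5.0 (Windows NT 10.0) Chrome/119.0"]
    events = []
    for i in range(10):                                   # ten real users, three pages each
        for j in range(3):
            events.append((t0 + timedelta(seconds=i + j), f"192.0.2.{i + 1}",
                           f"/page/{j}", browsers[i % 2], "https://example.test/"))
    for k in range(80):                                   # one client refreshing 10 times a second
        events.append((t0 + timedelta(milliseconds=100 * k), "203.0.113.7",
                       "/search?q=x", browsers[0], "-"))
    for k in range(30):                                   # 30 bots, two requests each, same fingerprint
        for j in range(2):
            events.append((t0 + timedelta(seconds=j), f"198.51.100.{k + 1}",
                           "/search?q=a", "python-requests/2.25.1", "-"))
    events.sort(key=lambda e: e[0])
    return [_line(ip, ts, path, ua, ref) for ts, ip, path, ua, ref in events]


if __name__ == "__main__":
    ips, fps = analyze(sample_log())
    print("rate-limited sources:", ips)
    print("shared fingerprints:", fps)
```

The fingerprint check is what separates the simple and complex variants in practice: the 30 bots above each send only two requests, far under any per-IP limit, and are caught only because they share a fingerprint. A flood that randomises URL, referrer and user-agent per request passes this check, which is why the text calls the complex variant harder to defend against.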
Protocol Attacks
The Goal of the Attack:
Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available state table capacity of web application servers or intermediate resources such as firewalls and load balancers. Protocol attacks exploit weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.
A SYN flood is analogous to a worker in a supply room receiving requests from the front of the store. The worker receives a request, goes and gets the package, and waits for confirmation before bringing the package out front. The worker then receives many more package requests without confirmation until they can't carry any more packages, become overwhelmed, and requests start going unanswered.
This attack exploits the TCP handshake by sending a target a large number of TCP "Initial Connection Request" SYN packets with spoofed source IP addresses. The target machine responds to each connection request with a SYN-ACK and then waits for the final step in the handshake, which never occurs because the spoofed source never sees the SYN-ACK. Each half-open connection occupies an entry in the target's connection table until it times out, so the table fills and the target drops new SYNs, including those from legitimate clients.
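As an added example (a constructed model, not code from the original page and not a real socket implementation), the state exhaustion above modelled as a bounded half-open table, with a SYN-cookie variant beside it to show why a stateless handshake is the standard defence: the server's initial sequence number is an HMAC over the connection 4-tuple, so nothing is stored until the client returns that value plus one in its ACK. Real SYN cookies also fold a timestamp and MSS into the sequence number; the backlog size, secret key and address ranges here are assumed values.

```python
import hashlib
import hmac
import random

MASK32 = 0xFFFFFFFF


class Listener:
    """Toy TCP listener: a bounded half-open table, optionally replaced by SYN cookies.

    Stateful mode: each SYN reserves a table entry until the final ACK arrives.
    SYN-cookie mode: the ISN is an HMAC over (src, sport, dport), so the server
    keeps no state and verifies the ACK by recomputing the cookie. Simplified:
    real cookies also encode a time slot and MSS.
    """

    def __init__(self, backlog=128, syn_cookies=False, secret=b"constructed-demo-secret"):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}        # (src_ip, src_port) -> ISN we sent, awaiting the final ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, sport, dport):
        msg = f"{src}:{sport}:{dport}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, sport, dport=80):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return self._cookie(src, sport, dport)          # stateless: nothing to exhaust
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                          # table full: honest SYNs are lost too
            return None
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack, dport=80):
        """Handle the final ACK; return True if the connection is established."""
        if self.syn_cookies:
            ok = (ack - 1) & MASK32 == self._cookie(src, sport, dport)
        else:
            isn = self.half_open.pop((src, sport), None)
            ok = isn is not None and (ack - 1) & MASK32 == isn
        if ok:
            self.established.add((src, sport))
        return ok


def syn_flood(listener, count, dport=80):
    """Spoofed SYNs from many forged sources; the final ACK never arrives."""
    for i in range(count):
        listener.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, dport)


def honest_client(listener, src="192.0.2.10", sport=40000):
    """A real client completing all three handshake steps, if the listener lets it."""
    isn = listener.on_syn(src, sport)
    if isn is None:
        return False
    return listener.on_ack(src, sport, (isn + 1) & MASK32)


def run(syn_cookies, flood=10_000, backlog=128):
    """Flood the listener, then let an honest client try; return (connected, half_open, dropped)."""
    lst = Listener(backlog=backlog, syn_cookies=syn_cookies)
    syn_flood(lst, flood)
    connected = honest_client(lst)
    return connected, len(lst.half_open), lst.dropped_syns


if __name__ == "__main__":
    print("stateful   :", run(syn_cookies=False))
    print("syn cookies:", run(syn_cookies=True))
```

In stateful mode the 128-entry table is full after the first 128 spoofed SYNs and the honest client's SYN is dropped like the rest; in SYN-cookie mode the table stays empty under the same flood and the honest client connects. The trade-off is that a cookie-based server cannot keep per-connection options it has not encoded, which is why production stacks only switch to cookies once the backlog overflows.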
Volumetric Attacks
The Goal of the Attack:
This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.
DNS amplification is like calling a restaurant and saying "I'll have one of everything, please call me back and repeat my whole order", where the callback number given actually belongs to the victim. With very little effort, a long response is generated and sent to the victim.
By making a request to an open DNS resolver with a spoofed source IP address (the target's real IP address), the attacker causes the DNS server to send its response to the target instead of back to the attacker. The attacker structures the request so that the DNS server replies with a large amount of data, for example by asking for every record type and advertising a large EDNS0 UDP buffer. As a result, the target receives a response many times larger than the query the attacker sent; the ratio of response size to request size is the amplification factor. Because the target never sent the query, inbound DNS responses with no matching outbound request are the simplest sign of this attack at the target's edge.
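As an added example (constructed for this page, not code from the original), the amplification described above built in DNS wire format: a small ANY query carrying an EDNS0 OPT record, a constructed resolver response that answers it with eight TXT records, the resulting amplification factor, and a check over constructed flow records that counts inbound UDP/53 responses for which the target never sent a matching query. The hostname, resolver addresses, record contents and flow records are all assumptions made for the illustration.

```python
import struct

RR_TXT, RR_OPT, Q_ANY, CLASS_IN = 16, 41, 255, 1


def encode_name(name):
    """Encode a hostname as DNS labels, e.g. 'example.test' -> b'\\x07example\\x04test\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=Q_ANY, txid=0x1234, udp_payload=4096):
    """Small query that invites a large answer: ANY for the name plus an EDNS0 OPT
    record advertising a 4096-byte UDP buffer so the resolver need not truncate."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, udp_payload, 0, 0)  # root, OPT, payload size, TTL, rdlen
    return header + question + opt


def question_len(query):
    """Length of the question section of a query with one uncompressed question."""
    off = 12
    while query[off]:
        off += 1 + query[off]
    return off + 1 + 4 - 12


def build_response(query, txt_records):
    """Constructed resolver response: echoes the question and OPT record, answers with
    TXT records whose owner name is a compression pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    qlen = question_len(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 1)
    answers = b""
    for text in txt_records:
        rdata = bytes([len(text)]) + text           # one <character-string> per TXT RR
        answers += b"\xc0\x0c" + struct.pack("!HHIH", RR_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + query[12:12 + qlen] + answers + query[12 + qlen:]


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def unsolicited_dns_bytes(flows, target):
    """Edge check for reflected traffic: inbound UDP/53 responses with no matching
    outbound query (same resolver, same target port) were never asked for.
    `flows` are constructed per-packet records in time order."""
    outstanding = set()
    unsolicited = 0
    for f in flows:
        if f["src"] == target and f["dport"] == 53:
            outstanding.add((f["dst"], f["sport"]))
        elif f["dst"] == target and f["sport"] == 53:
            key = (f["src"], f["dport"])
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited += f["bytes"]
    return unsolicited


def sample_flows(target="192.0.2.10"):
    """Constructed flows: one genuine lookup, then five open resolvers reflecting spoofed queries."""
    query = build_query("example.test")
    big = build_response(query, [b"x" * 200] * 8)
    flows = [
        {"src": target, "sport": 5353, "dst": "192.0.2.53", "dport": 53, "bytes": len(query)},
        {"src": "192.0.2.53", "sport": 53, "dst": target, "dport": 5353, "bytes": len(big)},
    ]
    for i in range(5):
        flows.append({"src": f"203.0.113.{i + 1}", "sport": 53, "dst": target,
                      "dport": 3000 + i, "bytes": len(big)})
    return flows


if __name__ == "__main__":
    q = build_query("example.test")
    r = build_response(q, [b"x" * 200] * 8)
    print(f"query {len(q)} bytes, response {len(r)} bytes, factor {amplification_factor(q, r):.1f}x")
    print("unsolicited response bytes:", unsolicited_dns_bytes(sample_flows(), "192.0.2.10"))
```

The 41-byte query is all the attacker transmits per reflection; the resolver does the work of producing the 1745-byte answer and the victim's link absorbs it. Matching responses to outstanding queries by (resolver, port) is a coarse check, since a real resolver pairs them on the transaction ID as well, but at the network edge it is enough to separate reflected traffic from the target's own lookups.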