What is a Distributed Denial-of-Service (DDoS) Attack

Far too many organizations are ill-prepared to deal with the effects of DDoS attacks and other Internet security threats. They rely on firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and other security technologies that are inadequate to defend their networks and systems against DDoS attacks, thereby creating plenty of opportunity for cybercriminals today.

The Internet has changed the way business works. Today, organizations worldwide move immense volumes of information in real time, and e-commerce is quickly becoming the lifeblood of trade. Financial trading houses conduct business at speeds and scales that were unimaginable only a few years ago. E-retail has grown on a tremendous scale, serving remote customers across the globe. Entire industries have sprung up around online gambling and gaming sites. Online businesses depend on round-the-clock availability and fast, consistent responsiveness to ensure that customers keep coming back to their sites.

Yet this new world of fast, high-volume online business has also created new opportunities for criminals and others who would do harm to thriving online organizations. Malicious competitors, extortionists, and hacktivists are orchestrating devastating distributed denial-of-service (DDoS) attacks, turning dependence on the speed and availability of business websites against the people who run them.

Today’s computing environments are being bombarded by distributed denial-of-service (DDoS) attacks that overload critical systems and networks, causing them to become unresponsive and unproductive.

A DDoS attack is a cyberattack in which many, usually compromised, computers send a stream of packets, data, or transactions over the network to the intended victim in an attempt to make one or more computer-based services (such as a web application) unavailable to their intended users.

A distributed denial-of-service (DDoS) attack is a DoS attack in which the perpetrator uses more than one unique IP address, often thousands of them. Because the traffic flooding the victim originates from many different sources, it is impossible to stop the attack simply by using ingress filtering. It is also very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin. As an alternative to, or an augmentation of, a DDoS, attacks may involve forging the IP sender addresses (IP address spoofing), further complicating the task of identifying and defeating the attack.

The means for committing DDoS attacks are readily available to practically anyone. Easy-to-use, automated tools can be freely downloaded from various blackhat (hacker) websites on the Internet. The resurgence in DDoS attacks can be largely attributed to two factors: the rise of global botnets and new attack techniques for evading detection.

The scale of DDoS attacks has continued to rise over recent years, exceeding a terabit per second by 2016.

A botnet is a network of compromised PCs or other devices. These compromised PCs are called bots (or zombies). Bots are PCs that are infected with various types of malware, such as viruses, worms, Trojans, and spyware, that enable the PCs to be compromised by an attacker. A bot can be remotely controlled by an attacker (sometimes called a bot-herder) to carry out DDoS attacks, steal data from victim networks and servers, or send out e-mail spam. Bots can be particularly difficult to detect and clean from an infected PC because they’re very adaptive and resilient. The bot-herder can quickly and easily change the behavior and characteristics of a bot, making it extremely difficult to detect.

    Warning
It has been estimated that up to 80 percent of all Internet connected computers are infected with some form of spyware or adware.


Network-layer DDoS attacks are brute-force attacks: the attacker sends an exceptionally large payload to a targeted organization’s network in order to overwhelm the available bandwidth on that network. Network-layer DDoS attacks can disrupt communications with your critical e-commerce servers or overwhelm your network. In a typical case, botnet systems simultaneously send packets to a target server, each attempting to open a communication session. When the victim server replies, the attacking systems never acknowledge the server’s response. This overloads the server by causing it to use all its available resources keeping track of the many incomplete incoming connections. Service is degraded, and the server may crash.

The Open Systems Interconnection (OSI) model defines seven conceptual layers in a communications network. DDoS attacks mainly exploit three of these layers: network (layer 3), transport (layer 4), and application (layer 7).

Network (Layer 3/4) DDoS Attacks: The majority of DDoS attacks target the network and transport layers. Such attacks occur when the volume of data packets and other traffic overloads a network or server and consumes all of its available resources.

Application (Layer 7) DDoS Attacks: These attacks exploit a flaw or vulnerability in a web application. By exploiting it, the perpetrators overwhelm the server or database powering the web application, bringing it to its knees. Such attacks mimic legitimate user traffic, making them harder to detect.

Volumetric attacks flood a target network with data packets that completely saturate the available network bandwidth. Volumetric attacks are getting larger, more sophisticated, and are lasting for a longer duration. They can bring any business server down within a few minutes. These network-level (layers 3 and 4) attacks are designed to overwhelm a server’s internet link, network resources, and appliances that are not able to absorb the increased volumes.

Combo SYN flood attacks are the most common. In a SYN flood attack, the requester sends multiple SYN messages to the targeted server but never transmits the confirming ACK messages. The requester can also dispatch spoofed SYN messages, causing the server to send SYN-ACK responses to a falsified IP address. Of course, that address never responds, because it never originated the SYN messages. The SYN flood ties up server resources until no new connections can be made, ultimately resulting in denial of service. Large SYN packets (above 250 bytes) cause network saturation, while regular-sized SYN packets exhaust server resources (e.g., CPU).
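The half-open-connection behaviour described in the two paragraphs above (the server answers SYN-ACK, the spoofed client never ACKs) is what a defender can measure. The following is an added example, not code from the original article: it walks a list of TCP packet summaries, tracks handshakes the server answered but no client completed, and reports whether the stale count and the number of distinct sources look like a (distributed) SYN flood. The `Packet` record, the sample capture in `sample_capture()`, the server address and the thresholds are all constructed for illustration.

```python
"""Half-open handshake tracking as a SYN flood indicator (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since start of capture
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def half_open_by_source(packets, server_ip, timeout=3.0):
    """Count, per client IP, the handshakes `server_ip` answered with a SYN-ACK
    that the client never completed (no ACK or RST) within `timeout` seconds.
    A spoofed SYN can never complete, so each one leaves a stale entry behind."""
    pending = {}          # (client_ip, client_port) -> time the SYN-ACK went out
    stale = Counter()
    for p in sorted(packets, key=lambda p: p.ts):
        # Expire entries older than the timeout as the clock advances.
        for key, t0 in list(pending.items()):
            if p.ts - t0 > timeout:
                stale[key[0]] += 1
                del pending[key]
        if p.src == server_ip and p.flags == "SA":
            pending[(p.dst, p.dport)] = p.ts
        elif p.dst == server_ip and p.flags in ("A", "R"):
            pending.pop((p.src, p.sport), None)
    return stale


def syn_flood_verdict(packets, server_ip, max_half_open=100, min_sources=10, timeout=3.0):
    """Summarise stale handshakes; thresholds are assumed values for the example."""
    per_src = half_open_by_source(packets, server_ip, timeout)
    total = sum(per_src.values())
    return {
        "half_open": total,
        "sources": len(per_src),
        "flood": total >= max_half_open,
        # Many sources contributing a few stale handshakes each is the distributed
        # or spoofed pattern that per-source blocking and ingress filtering cannot stop.
        "distributed": total >= max_half_open and len(per_src) >= min_sources,
    }


def sample_capture(server="203.0.113.10"):
    """Constructed traffic: one real client plus 150 spoofed SYNs that are answered
    but never acknowledged. Addresses come from documentation ranges."""
    pkts = [Packet(0.00, "198.51.100.7", 40000, server, 80, "S"),
            Packet(0.01, server, 80, "198.51.100.7", 40000, "SA"),
            Packet(0.02, "198.51.100.7", 40000, server, 80, "A")]
    for i in range(150):
        spoofed = f"192.0.2.{i + 1}"
        t = 0.1 + i * 0.005
        pkts.append(Packet(t, spoofed, 50000 + i, server, 80, "S"))
        pkts.append(Packet(t + 0.001, server, 80, spoofed, 50000 + i, "SA"))
    # A later packet from the real client lets every pending entry pass the timeout.
    pkts.append(Packet(12.0, "198.51.100.7", 40000, server, 80, "A"))
    return pkts


if __name__ == "__main__":
    print(syn_flood_verdict(sample_capture(), "203.0.113.10"))
```

On a real sensor the same logic would be fed from a packet capture rather than a hand-built list; the point of the `distributed` flag is that a flood made of one source per handshake gives a per-source blocklist nothing to work with, which is why SYN cookies or upstream scrubbing are the usual mitigations rather than address filtering.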

There are more than 400,000 NTP servers around the world that can potentially be used in an NTP amplification attack. Computers use the Network Time Protocol (NTP) to synchronize their clocks over the internet. NTP amplification attacks exploit a feature of NTP servers called MONLIST, which returns a list of the last 600 IP addresses that communicated with the server. Attackers send MONLIST requests to NTP servers using a target server’s spoofed IP address, so the NTP server’s much larger response is delivered to the target rather than to the attacker. By using numerous vulnerable NTP servers, attackers can quickly overwhelm the target server with a flood of response packets.
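From the victim's side of the amplification attack described above, the spoofed MONLIST requests are never visible; what arrives is a stream of NTP replies (UDP source port 123) that no host on the network asked for. The following added example, which is not code from the original article, shows that defender-side check: it records genuine outbound NTP requests, treats inbound port-123 traffic with no matching recent request as reflected, and flags hosts receiving such traffic from many distinct reflectors. The `Flow` record, the network prefix, the packet sizes in `sample_flows()` and the thresholds are constructed assumptions.

```python
"""Detecting reflected NTP traffic at a network edge (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "udp" or "tcp"
    size: int     # bytes on the wire


def unsolicited_ntp_replies(flows, our_prefix, window=5.0):
    """Return {our_host: {"packets", "bytes", "reflectors"}} for inbound UDP/123
    traffic that no host under `our_prefix` requested within `window` seconds."""
    recent = defaultdict(deque)   # (our_host, ntp_server) -> timestamps of real requests
    report = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.src.startswith(our_prefix) and f.dport == NTP_PORT:
            recent[(f.src, f.dst)].append(f.ts)          # a request we really sent
        elif f.dst.startswith(our_prefix) and f.sport == NTP_PORT:
            q = recent[(f.dst, f.src)]
            while q and f.ts - q[0] > window:            # drop requests outside the window
                q.popleft()
            if q:
                continue                                  # legitimate answer to our own query
            entry = report.setdefault(f.dst, {"packets": 0, "bytes": 0, "reflectors": set()})
            entry["packets"] += 1
            entry["bytes"] += f.size
            entry["reflectors"].add(f.src)
    return report


def reflection_targets(flows, our_prefix, min_reflectors=5, min_bytes=50_000):
    """Hosts receiving unsolicited NTP replies from enough servers, and enough
    bytes, to look like a reflection attack (thresholds are assumed values)."""
    rep = unsolicited_ntp_replies(flows, our_prefix)
    return sorted(host for host, e in rep.items()
                  if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes)


def sample_flows():
    """Constructed traffic: one real NTP exchange by 203.0.113.5, then 20 servers
    each firing 10 large replies at 203.0.113.10, which never asked for them."""
    flows = [Flow(0.00, "203.0.113.5", 52000, "198.51.100.1", NTP_PORT, "udp", 48),
             Flow(0.05, "198.51.100.1", NTP_PORT, "203.0.113.5", 52000, "udp", 48)]
    t = 1.0
    for i in range(20):
        reflector = f"192.0.2.{i + 1}"
        for _ in range(10):
            t += 0.001
            flows.append(Flow(t, reflector, NTP_PORT, "203.0.113.10", 40000, "udp", 440))
    return flows


if __name__ == "__main__":
    print(reflection_targets(sample_flows(), "203.0.113."))
```

The same request/response pairing generalises to other UDP reflectors (DNS, SSDP, memcached) by changing `NTP_PORT`; the operator-side fix for NTP itself is to disable the MONLIST query on servers you run, so they cannot be used against someone else.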

Hit-and-run DDoS is a type of DDoS attack that uses short bursts of high-volume attack traffic at random intervals, spanning a time frame of days or weeks. The purpose of a hit-and-run DDoS is to prevent users of a service from using it by bringing down the host server. Hit-and-run attacks wreak havoc with “on-demand” DDoS mitigation solutions that need to be manually engaged and disengaged with every burst. Such attacks are changing the face of the anti-DDoS industry, pushing it toward “always on” integrated solutions. Any mitigation that takes more than a few seconds is simply unacceptable.

Browser-based bots consist of malicious software code segments running inside a web browser. The bots run during a legitimate web browsing session; once the browser is closed, the bot session automatically terminates. Browser-based bots are surreptitiously installed on unsuspecting users’ computers upon visiting a malicious website. Multiple bots can then simultaneously launch an attack against a targeted server from compromised machines. Some DDoS bot types imitate browser behavior, such as support for cookies, in order to evade anti-DDoS defenses. It only takes 50 – 100 targeted requests per second to bring down a mid-size server. Browser-based bot attacks are hard to detect.

HTTP flood is one of the attackers’ favorites when it comes to causing business disruption, because such floods are much harder to block than a typical Layer 3 or Layer 4 network attack and are prevalent: dozens of HTTP flood tools are available and are constantly being improved. The majority of those tools leverage botnets for rent (DDoSaaS or “stresser” services) that include HTTP flood attacks as part of their offering. An HTTP flood is an attack method used against web servers and applications. It consists of seemingly legitimate, session-based sets of HTTP GET or POST requests sent to a targeted web server. HTTP flood attacks do not use spoofing, reflective techniques, or malformed packets. The requests are specifically designed to consume a significant amount of the server’s resources and can therefore result in a denial of service. Such requests are often sent en masse by means of a botnet, increasing the attack’s overall power. HTTP and HTTPS flood attacks are among the most advanced threats facing web servers today, because it is very hard for network security devices to distinguish legitimate HTTP traffic from malicious HTTP traffic. This difficulty is a particular challenge for rate-based detection solutions.

Spoofing user agents is a frequently-used attack technique. Here the DDoS bots masquerade as “good” bots from reputable sources such as Google or Yahoo, in order to evade detection. Using this method, the bots are able to pass through low-level filters and proceed to wreak havoc on target servers.
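The two paragraphs above describe the HTTP flood (legitimate-looking requests at high rate) and the user-agent spoofing that goes with it (bots claiming to be a search engine crawler). The added example below, which is not code from the original article, applies two defender-side checks to web server access-log lines: a sliding-window request-rate check per client, and forward-confirmed reverse DNS for any client claiming to be Googlebot, which is Google's documented way to tell a real crawler from a bot borrowing its user-agent string (the PTR name must end in googlebot.com or google.com and must resolve back to the same IP). The log lines, the DNS data and the thresholds are constructed for illustration, and the resolver functions are passed in so the example runs offline.

```python
"""HTTP flood rate check plus crawler user-agent verification (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format, as written by Apache and nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return d


def flooding_clients(entries, window=10.0, max_requests=50):
    """Clients that exceed `max_requests` within any `window`-second span
    (assumed thresholds; tune against the site's real traffic baseline)."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(entries, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(e["ip"])
    return flagged


def verify_claimed_bot(ip, ua, reverse_dns, forward_dns):
    """Forward-confirmed reverse DNS for a client claiming to be Googlebot.
    Returns None if no claim is made, True if verified, False if spoofed."""
    if "Googlebot" not in ua:
        return None
    host = reverse_dns(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return ip in forward_dns(host)


def analyze(lines, reverse_dns, forward_dns):
    entries = [e for e in map(parse, lines) if e]
    claimed = {e["ip"]: e["ua"] for e in entries}
    return {
        "flooding": flooding_clients(entries),
        "fake_bots": {ip for ip, ua in claimed.items()
                      if verify_claimed_bot(ip, ua, reverse_dns, forward_dns) is False},
    }


# Constructed DNS data standing in for real lookups (documentation-range addresses).
PTR = {"198.51.100.20": "crawl-example.googlebot.com", "198.51.100.30": "evil.example.net"}
A_RECORDS = {"crawl-example.googlebot.com": {"198.51.100.20"}}
reverse_lookup = PTR.get
forward_lookup = lambda host: A_RECORDS.get(host, set())


def sample_log():
    """Constructed log: a verified crawler (3 hits), a flooding fake crawler (60 hits
    in 6 seconds) and a single fake crawler whose PTR is not a Google domain."""
    base = "10/Oct/2023:13:55:%02d +0000"
    fmt = '%s - - [%s] "GET /index.html HTTP/1.1" 200 512 "-" "%s"'
    gbot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines = [fmt % ("198.51.100.20", base % s, gbot) for s in (0, 20, 40)]
    lines += [fmt % ("192.0.2.77", base % (i // 10), gbot) for i in range(60)]
    lines.append(fmt % ("198.51.100.30", base % 5, gbot))
    return lines


if __name__ == "__main__":
    print(analyze(sample_log(), reverse_lookup, forward_lookup))
```

In production the resolver arguments would be real `socket.gethostbyaddr` and `socket.gethostbyname_ex` calls with caching, since doing a DNS round-trip per request under a flood is itself a resource drain; the verification result is normally cached per IP for hours.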

A UDP (User Datagram Protocol) flood attack involves the attacker sending UDP packets to each of the 65,535 UDP ports on the target system. The target system is overloaded while processing the UDP packets and attempting to send reply messages (ICMP port-unreachable errors for closed ports) to the source system.
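The port sweep just described leaves two measurable traces on the target side: one source touching an abnormal number of distinct UDP ports, and a matching storm of ICMP port-unreachable replies for every closed port. The following added example, not code from the original article, computes both from a list of packet records; the records, addresses, the set of open ports and the threshold in `udp_port_sweep_sources()` are constructed assumptions.

```python
"""UDP flood indicators: distinct-port fan-out and ICMP unreachable ratio (added example)."""
from collections import defaultdict


def udp_port_sweep_sources(packets, min_distinct_ports=1000):
    """Sources whose UDP datagrams hit at least `min_distinct_ports` distinct
    destination ports on a single host (assumed threshold)."""
    ports = defaultdict(set)  # (src, dst) -> destination ports seen
    for p in packets:
        if p["proto"] == "udp":
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {src for (src, _dst), seen in ports.items() if len(seen) >= min_distinct_ports}


def icmp_unreachable_ratio(packets, target):
    """Fraction of inbound UDP datagrams to `target` that the target answered with
    ICMP type 3 / code 3 (port unreachable). Near 1.0 means closed ports are being
    hammered; rate-limiting outbound ICMP errors on the host is a standard mitigation."""
    udp_in = sum(1 for p in packets if p["proto"] == "udp" and p["dst"] == target)
    unreach = sum(1 for p in packets if p["proto"] == "icmp" and p["src"] == target
                  and p.get("type") == 3 and p.get("code") == 3)
    return unreach / udp_in if udp_in else 0.0


def sample_udp_flood(attacker="192.0.2.9", target="203.0.113.10", open_ports=(53, 123)):
    """Constructed capture: one source sweeps every UDP port; the target answers
    each closed port with ICMP port unreachable; one normal DNS query follows."""
    pkts = []
    for port in range(1, 65536):
        pkts.append({"proto": "udp", "src": attacker, "dst": target,
                     "sport": 40000, "dport": port, "size": 64})
        if port not in open_ports:
            pkts.append({"proto": "icmp", "src": target, "dst": attacker,
                         "type": 3, "code": 3, "size": 92})
    pkts.append({"proto": "udp", "src": "198.51.100.4", "dst": target,
                 "sport": 51000, "dport": 53, "size": 70})
    return pkts


if __name__ == "__main__":
    capture = sample_udp_flood()
    print(udp_port_sweep_sources(capture))
    print(round(icmp_unreachable_ratio(capture, "203.0.113.10"), 4))
```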

Traditionally, DDoS attack campaigns used a single attack type, or vector. However, there is a rise in DDoS attacks that use multiple vectors to disable a network or server(s). Called multi-vector attacks, they consist of some combination of the following: (1) volumetric attacks; (2) state-exhaustion attacks; and (3) application-layer attacks. The multi-vector approach is very appealing to an attacker, since the tactic can create the most collateral damage to a business or organization. These attacks increase the chance of success by targeting several different network resources, or by using one attack vector as a decoy while another, more powerful vector is used as the main weapon. They can be extremely difficult to mitigate because they require a multi-layered approach across the entire data center/enterprise and a highly skilled IT team to combat them.

Next-generation cyber attacks target specific individuals and organizations to steal data. They use multiple vectors, including web, email, and malicious files and dynamically adapt to exploit zero-day and other network vulnerabilities.

Advanced cyber attacks succeed because they are carefully planned, methodical and patient. Malware used in such attacks:

  • Settles into a system
  • Tries to hide
  • Searches out network vulnerabilities
  • Disables network security measures
  • Infects more endpoints and other devices
  • Calls back to command-and-control (CnC) servers
  • Waits for instructions to start extracting data from the network


By the time most organizations realize they've suffered a data breach, they have actually been under attack for weeks, months, or even years. Most traditional defense-in-depth cyber security measures, such as antivirus (AV) or next-generation firewalls, fail to use signature- and pattern-based techniques to detect threats, and don't monitor malware callbacks to CnC servers.

Advanced cyber attacks take many forms, including viruses, Trojans, spyware, rootkits, spear phishing, malicious email attachments and drive-by downloads. To properly protect against these attacks, defenses must monitor the entire life cycle of the attack, from delivery, to callbacks and reconnaissance, to data exfiltration.



In Which Geolocations Do DDoS Attacks Originate?

DDoS attacks are frequently routed through hijacked hosting environments or internet connected devices in regions having an insecure infrastructure. The attacks may originate in another country, but are then amplified through other environments. IT infrastructures in these countries tend to have weaker security measures in place, which is why computing resources located therein are used more frequently to commit attacks.

DDoS Protection Considerations for Organizations Under Threat

  • Hybrid DDoS Protection – on-premise and cloud-based anti-DDoS protection solutions for real-time protection that also address high-volume attacks and protect against pipe saturation.
  • Behavioral-Based Detection – to quickly and accurately identify and block anomalies while allowing legitimate traffic through.
  • Real-Time Signature Creation – to promptly protect against unknown threats and zero-day attacks.
  • Cyber-Security Emergency Response Plan – one that includes a dedicated emergency team of experts.

