DoS/DDoS Attacks Types, Countermeasures

Aravind S V
6 min readJun 23, 2023

--

A denial-of-service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. During a DoS attack, malicious individuals inundate the victim’s system with illegitimate service requests or excessive traffic, overwhelming its resources and causing the system to crash. As a result, the victim’s website becomes unavailable or experiences a significant decrease in system or network performance. Unlike attempts to gain unauthorized system access or manipulate data, the primary objective of a DoS attack is to prevent legitimate users from utilizing the targeted system. Here are various examples of DoS attack types:

  • Overloading the victim’s system by inundating it with more traffic than it can handle.
  • Overwhelming a specific service, such as Internet Relay Chat (IRC), by generating an excessive number of events.
  • Disrupting the functioning of a TCP/IP stack by sending corrupted packets, ultimately causing it to crash.
  • Crashing a service by engaging with it in an unexpected manner.
  • Causing a system to enter an infinite loop, resulting in it becoming unresponsive.

Distributed Denial-of-Service (DDoS)

A Distributed Denial-of-Service (DDoS) attack is a type of cyber attack where multiple compromised computers, often referred to as a botnet, are used to overwhelm a target system or network with a massive volume of illegitimate traffic or requests. The goal of a DDoS attack is to disrupt the targeted system’s normal functioning and make it inaccessible to legitimate users.

How does DDOS attack work?

A Distributed Denial-of-Service (DDoS) attack occurs when an attacker compromises a network of internet-connected computers using malware programs. These compromised computers, known as zombie agents, are controlled by the attacker through a command and control (C&C) server. The attacker instructs the zombie agents to send connection requests to a large number of reflector systems, but with the victim’s IP address spoofed, making it appear as if the requests are originating from the victim’s machine.

The reflector systems, being deceived by the spoofed IP address, assume that the connection requests are legitimate and send the requested information (response) to the victim’s machine. Consequently, the victim’s machine becomes overwhelmed with unsolicited responses from multiple reflector computers simultaneously. This flood of responses can significantly reduce the performance of the victim’s machine or even cause it to completely shut down.

DDoS attacks are particularly challenging to mitigate because they originate from multiple sources, making it difficult to distinguish between legitimate and malicious traffic. Organizations often employ various strategies and technologies, such as traffic filtering, rate limiting, or deploying specialized DDoS mitigation services, to defend against and mitigate the impact of DDoS attacks.

DoS/DDoS Attack Techniques

Some of the most common types of DoS/DDoS attack vectors classified by layer:

Volumetric attacks: These attacks are designed to overwhelm the target’s resources by sending a large amount of traffic. They can be carried out using a variety of methods, including:

  • UDP flood: This attack sends a large number of UDP packets to the target. UDP is a connectionless protocol, which means that the attacker does not need to establish a connection with the target before sending the packets.
  • ICMP flood: This attack sends a large number of ICMP echo request packets to the target. ICMP is a network layer protocol that is used to ping devices.
  • Ping of death: This attack sends a specially crafted ICMP packet that is larger than the maximum allowed size. This can cause the target’s system to crash.
  • Smurf attack: This attack sends a large number of ICMP echo request packets to the target’s broadcast address. The target’s system will respond to each packet, which can overwhelm its resources.

Protocol attacks: These attacks exploit vulnerabilities in network protocols. They can be more difficult to defend against than volumetric attacks, as they require the attacker to know more about the target’s infrastructure.

  • SYN flood: This attack sends a large number of SYN packets to the target. SYN is a TCP packet that is used to initiate a connection.
  • Fragmentation attack: In a fragmentation attack, the attacker sends a series of IP fragments that are designed to overlap each other. This can cause the target’s system to crash when it tries to reassemble the fragments.
  • Spoofed Session Flood Attack: A spoofed session flood attack is a type of denial-of-service (DoS) attack that uses spoofed IP addresses to send a large number of TCP session initiation (SYN) packets to a target server. The SYN packets are used to initiate a TCP connection, but the attacker never completes the connection. This causes the target server to allocate resources for the connections, which can eventually overwhelm the server and make it unavailable to legitimate users.

Application layer attacks: These attacks target specific applications or services. They can be more difficult to defend against than volumetric attacks, as they require the attacker to know more about the target’s infrastructure.

  • HTTP flood: This attack sends a large number of HTTP requests to the target. HTTP is the protocol that is used to access websites.
  • DNS flood: This attack sends a large number of DNS queries to the target. DNS is the protocol that is used to resolve domain names to IP addresses.
  • Slowloris: This attack sends a small number of HTTP requests to the target, but each request is very slow. This can overwhelm the target’s resources and prevent it from responding to legitimate requests.

DoS/DDoS Attack Countermeasures

To mitigate the impact of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, organizations can implement various countermeasures. Here are some common countermeasures to help defend against DoS/DDoS attacks:

  • Network Monitoring: Implement robust network monitoring tools and systems to detect unusual or excessive traffic patterns, such as sudden spikes in traffic or a high volume of requests from a single source. Monitoring allows for early detection and timely response to potential attacks.
  • Traffic Filtering: Utilize firewalls, routers, or intrusion prevention systems (IPS) to filter and block traffic from suspicious or malicious sources. This can involve implementing access control lists (ACLs) to allow only legitimate traffic to reach the target network or system.
  • Rate Limiting: Set limits on the number of requests or connections from individual IP addresses or specific network ranges. Rate limiting helps prevent overwhelming the target with excessive traffic from a single source.
  • Load Balancing: Distribute incoming traffic across multiple servers or resources using load balancing techniques. This helps distribute the load and prevents a single server from becoming overwhelmed.
  • Content Delivery Networks (CDNs): Implement CDNs to cache and serve static content closer to the end-users. CDNs can absorb a significant portion of the traffic during an attack, reducing the impact on the origin servers.
  • Intrusion Detection and Prevention Systems (IDPS): Deploy IDPS solutions to detect and block malicious traffic patterns associated with DoS/DDoS attacks. These systems can analyze network traffic in real-time and automatically respond to suspicious activity.
  • Scalable Infrastructure: Design the network and infrastructure to scale and handle increased traffic during attacks. This may involve having additional bandwidth, server capacity, or cloud-based resources that can be dynamically scaled up during an attack.
  • Redundancy and Failover Mechanisms: Implement redundancy and failover mechanisms to ensure service availability in the event of an attack. This can involve having backup servers, data centers, or cloud-based infrastructure to handle traffic if the primary system is compromised.

It is important to note that implementing a combination of these countermeasures and continuously monitoring and updating security measures is crucial to effectively mitigate the impact of DoS/DDoS attacks. Additionally, staying informed about the latest attack techniques and working closely with security professionals can help organizations respond to evolving threats effectively.

--

--

No responses yet