Intro to DDoS — DDoS Explained (Part 1)

What is a DoS Attack?

Golden Girl Geeks
3 min read · Nov 20, 2023

Denial of service (DoS) attacks pose a serious financial and security risk to companies of all sizes. During a DoS attack, an attacker attempts to disrupt the availability of a service by overwhelming it with malicious traffic or by exhausting a resource it depends on. During a Distributed Denial of Service (DDoS) attack, an attacker uses many different devices to launch the attack with the same goal in mind. A DDoS attack is even trickier to mitigate than a DoS attack: the volume of traffic is larger, and because it arrives from many sources there is no single IP address to block.

DDoS Attack Techniques

DDoS attacks make use of what is called a botnet: a group of devices that have been compromised by a malicious actor and are remotely directed to launch attacks. A technique called IP spoofing, forging the source address of outgoing packets, is often used to conceal the true IPs of the devices, making it harder for the target to find the source of the attack and blocklist the malicious IPs. Spoofing only works for traffic that does not need a completed handshake (for example UDP packets or bare TCP SYNs), because any reply goes to the forged address rather than back to the bot. That same property is what reflection attacks rely on: the forged source address is the victim's own, so third-party servers deliver their replies to the victim.

Types of DDoS Attacks

There are a few different categories of DDoS attacks, the main ones being application, volumetric and protocol based. Let's go over what these attack types are and some examples of each.

Volumetric Attack

During a volumetric attack, an attacker sends a large amount of traffic to a target in an effort to consume its bandwidth, so that legitimate packets cannot get through the saturated link. These attacks are measured in bits per second. An example is a DNS amplification attack.

A DNS amplification attack abuses the DNS protocol by sending a large number of small DNS queries to open resolvers with the source IP spoofed to be the target's address. The resolvers deliver their responses to the target instead of the attacker, and the goal is to make those responses as large as possible: a few dozen bytes of query can produce a response of several kilobytes. For this reason, an attacker will send an ANY query, which asks for all records available for a domain, usually with an EDNS0 option advertising a large UDP buffer so the answer is not truncated. Queries of this type are small in size, making it easy for an attacker to send a large number of requests using minimal bandwidth, while the target receives many times that volume. Many resolvers now answer ANY with a minimal response (RFC 8482), which blunts this particular lever but not the reflection technique itself.
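The two halves of the attack described above, as an added example that is not part of the original post: the attacker's side is a hand-built ANY query with an EDNS0 OPT record, which shows how few bytes the attacker must send per reflected response, and the defender's side is a check over flow records that flags a host receiving large UDP/53 responses from many resolvers it never queried. The flow records are constructed for the example, and the byte counts, the 512-byte threshold and the three-reflector threshold are assumptions chosen to make the point, not measured values.

```python
import struct
from collections import defaultdict


def build_dns_query(name: str, qtype: int = 255, edns_udp_size: int = 4096,
                    txid: int = 0x1234) -> bytes:
    """Build a DNS query in wire format (RFC 1035) carrying an EDNS0 OPT record
    (RFC 6891) that advertises a large UDP buffer, so the resolver answers with
    one big UDP datagram instead of truncating.  qtype 255 is ANY."""
    # header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def amplification_factor(query_len: int, response_len: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_len / query_len


# Constructed flow records (not real traffic): (src_ip, dst_ip, proto, sport, dport, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.5", "198.51.100.53", "udp", 51000, 53, 40),    # a host's own DNS query
    ("198.51.100.53", "192.0.2.5", "udp", 53, 51000, 120),   # the matching answer
    ("198.51.100.11", "203.0.113.10", "udp", 53, 80, 3000),  # large answers the victim never asked for
    ("198.51.100.12", "203.0.113.10", "udp", 53, 80, 3100),
    ("198.51.100.13", "203.0.113.10", "udp", 53, 80, 2950),
    ("198.51.100.14", "203.0.113.10", "udp", 53, 80, 3000),
]


def unsolicited_dns_responses(flows, min_bytes=512, min_reflectors=3):
    """Map victim_ip -> number of distinct resolvers sending it large UDP/53
    responses for which no outbound query from that victim was seen."""
    queried = {(src, dst) for src, dst, proto, _sport, dport, _ in flows
               if proto == "udp" and dport == 53}
    reflectors = defaultdict(set)
    for src, dst, proto, sport, _dport, nbytes in flows:
        if (proto == "udp" and sport == 53 and nbytes >= min_bytes
                and (dst, src) not in queried):
            reflectors[dst].add(src)
    return {victim: len(srcs) for victim, srcs in reflectors.items()
            if len(srcs) >= min_reflectors}


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(f"ANY query for example.com with EDNS0 is {len(q)} bytes on the wire")
    print(f"a 3000-byte answer gives {amplification_factor(len(q), 3000):.0f}x amplification")
    print("victims of unsolicited DNS responses:", unsolicited_dns_responses(SAMPLE_FLOWS))
```

The query comes out at 40 bytes, which is why the attacker's own link barely matters. The detection side keys on the property the prose explains: a legitimate resolver answer is always preceded by an outbound query from the same host, so large answers with no matching query, from many different resolvers, are reflected traffic rather than a busy DNS client.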

Protocol Based Attack

A protocol based attack exploits weaknesses in Layer 3 and 4 protocols by sending malformed, incomplete or state-creating packets to consume the connection-tracking resources of the target server, or of the firewalls and load balancers in front of it. These attacks are measured in packets per second rather than in bandwidth. An example of this is a SYN flood.

During the initiation of a TCP connection, a three-way handshake occurs. A client sends a SYN packet signaling that it wants to initiate a connection. The target server allocates a TCB (transmission control block) in kernel memory and adds the half-open connection to the SYN backlog. It then sends back a SYN/ACK signaling to the client that it is ready to accept the connection. The client responds with an ACK and completes the handshake, at which point the connection leaves the backlog and is queued for the application to accept.

During a SYN flood, this protocol is abused. An attacker sends a SYN, usually from a spoofed source address, and the target server adds the connection info to the backlog before sending back a SYN/ACK. The ACK never comes: the SYN/ACK went to a forged address, or the attacker simply ignores it. The server retransmits the SYN/ACK several times and keeps the half-open entry until it gives up (on Linux the default of five retransmissions holds the entry for roughly a minute). While the server waits, the attacker continues to send SYN packets. Eventually the SYN backlog runs out of space and no new connections can be initiated, causing the server to reply to actual traffic slowly or not at all. Because each entry is held for so long, a modest SYN rate is enough to keep the backlog full.
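A discrete simulation of the backlog behaviour described above, added here as an example and not taken from the original post. It models a listener without SYN cookies: every SYN reserves a slot until the ACK arrives or the hold time expires. The capacity of 256 slots, the 63-second hold time (an assumption based on Linux's default SYN/ACK retry schedule), the 10 SYN/s flood rate and the legitimate client's schedule are all assumed values chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    """Toy model of a listener's SYN backlog without SYN cookies: every SYN
    reserves a slot (the TCB) until the final ACK arrives or the SYN/ACK
    retransmissions give up after hold_ms milliseconds."""
    capacity: int
    hold_ms: int
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry (ms)
    dropped: int = 0
    established: int = 0

    def _expire(self, now_ms):
        for key in [k for k, exp in self.half_open.items() if exp <= now_ms]:
            del self.half_open[key]          # server gave up waiting for the ACK

    def on_syn(self, src, now_ms):
        self._expire(now_ms)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1                # backlog full: SYN silently discarded
            return False
        self.half_open[src] = now_ms + self.hold_ms   # SYN/ACK sent, slot reserved
        return True

    def on_ack(self, src, now_ms):
        self._expire(now_ms)
        if src not in self.half_open:
            return False                     # no half-open entry: expired or never existed
        del self.half_open[src]              # handshake complete, slot freed
        self.established += 1
        return True


def syns_per_second_to_fill(capacity, hold_seconds):
    """Steady SYN rate at which the backlog never drains: one fresh half-open
    entry per slot per hold time.  256 slots held 64 s need only 4 SYN/s."""
    return capacity / hold_seconds


def run_flood(capacity=256, hold_ms=63_000, flood_interval_ms=100,
              duration_ms=120_000, legit_every_ms=10_000):
    """Spoofed SYNs (never ACKed, unique fake source each) arrive every
    flood_interval_ms; a legitimate client that ACKs at once tries every
    legit_every_ms.  Returns how the legitimate client fared."""
    backlog = SynBacklog(capacity, hold_ms)
    events = [(t, "spoofed", i)
              for i, t in enumerate(range(0, duration_ms, flood_interval_ms))]
    events += [(t, "legit", j)
               for j, t in enumerate(range(5_050, duration_ms, legit_every_ms))]
    legit_ok = legit_fail = 0
    for t, kind, n in sorted(events):
        if kind == "spoofed":
            backlog.on_syn((f"198.51.100.{n % 254 + 1}", 1024 + n), t)
        else:
            src = ("192.0.2.7", 50_000 + n)
            if backlog.on_syn(src, t) and backlog.on_ack(src, t + 50):
                legit_ok += 1
            else:
                legit_fail += 1
    return {"legit_ok": legit_ok, "legit_fail": legit_fail,
            "syns_dropped": backlog.dropped, "established": backlog.established}


if __name__ == "__main__":
    print(f"rate to keep 256 slots full for 63 s: {syns_per_second_to_fill(256, 63):.1f} SYN/s")
    print(run_flood())
```

At 10 SYN/s the backlog is full after 25.6 s and stays full, because each spoofed entry survives for the whole hold time; the legitimate client succeeds only on the attempts it makes before the backlog fills. The arithmetic in `syns_per_second_to_fill` is the reason a SYN flood is cheap: the attacker's required packet rate is the backlog size divided by how long the server is willing to wait.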

Application Based Attack

An application based attack targets specific applications or services running on the target, usually at Layer 7. Typically the goal is to trigger computations or transactions that exhaust the application's own resources (worker threads, database connections, CPU) rather than the network. An example of this is the Slowloris attack, which keeps a web server occupied by opening a large number of long-running connections.

In a Slowloris attack, an attacker opens many connections and on each one sends only part of an HTTP request's headers. A server that dedicates a thread or process to each connection (Apache's prefork and worker MPMs are the classic case) assigns a worker to every one of them and waits for the rest of the request. Typically, if a connection is idle for too long, the server will time it out. To prevent this, the attacker periodically sends another partial header line, which resets the idle timer and keeps the connection alive without ever completing the request. At this point the server has all of its workers in use and cannot respond to additional requests. Related "slow HTTP" variants send the request body slowly or read the response slowly to hold the connection in the same way. The benefit of this attack pattern for the attacker is that it requires very little bandwidth and can be hard to detect, since each connection looks like a slow client. Event-driven servers such as nginx, which do not tie a worker to every open connection, are far less affected.
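A simulation of the worker-exhaustion mechanism above, added as an example and not part of the original post. It models a thread-per-connection server with two header-timeout policies: an idle timeout that every partial header line resets (the behaviour Slowloris exploits), and a hard deadline for completing the headers measured from accept(), which is what a request-timeout module such as Apache's mod_reqtimeout adds. The pool size of 150 workers, the 20 s idle timeout, the 40 s deadline, the attacker's 15 s trickle interval and the legitimate client's schedule are assumed values for the example.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    client: str
    opened_ms: int
    last_byte_ms: int


class WorkerPool:
    """Toy thread-per-connection HTTP server.  A worker is tied up from accept()
    until the request headers are complete.
      policy "idle":     drop a connection only if no byte arrives for idle_ms
                         (the timer restarts on every partial header line)
      policy "deadline": additionally drop it if the headers are still not
                         complete deadline_ms after accept(), however slowly
                         bytes keep trickling in
    """

    def __init__(self, max_workers, policy="idle", idle_ms=20_000, deadline_ms=40_000):
        self.max_workers, self.policy = max_workers, policy
        self.idle_ms, self.deadline_ms = idle_ms, deadline_ms
        self.conns = {}          # connection id -> Conn (one worker each)
        self.next_id = 0
        self.refused = 0

    def reap(self, now_ms):
        for cid, c in list(self.conns.items()):
            idle = now_ms - c.last_byte_ms >= self.idle_ms
            overdue = self.policy == "deadline" and now_ms - c.opened_ms >= self.deadline_ms
            if idle or overdue:
                del self.conns[cid]  # timed out: worker returns to the pool

    def accept(self, client, now_ms):
        self.reap(now_ms)
        if len(self.conns) >= self.max_workers:
            self.refused += 1    # no free worker: client queues or is refused
            return None
        cid, self.next_id = self.next_id, self.next_id + 1
        self.conns[cid] = Conn(client, now_ms, now_ms)
        return cid

    def recv(self, cid, now_ms, headers_complete):
        c = self.conns.get(cid)
        if c is None:
            return False         # connection was already timed out
        c.last_byte_ms = now_ms  # any byte at all resets the idle timer
        if headers_complete:
            del self.conns[cid]  # request served; worker freed
        return True


def simulate(policy, workers=150, attacker_conns=150, trickle_ms=15_000, duration_ms=120_000):
    """Attacker opens attacker_conns connections at t=0 and sends one more bogus
    header line every trickle_ms (just under the idle timeout), never the blank
    line that ends the headers.  A legitimate client tries every 10 s."""
    pool = WorkerPool(workers, policy)
    attacker = [cid for cid in (pool.accept("203.0.113.66", 0) for _ in range(attacker_conns))
                if cid is not None]
    served = refused = 0
    for t in range(1_000, duration_ms, 1_000):
        if t % trickle_ms == 0:
            for cid in attacker:
                pool.recv(cid, t, headers_complete=False)   # e.g. "X-a: b\r\n"
        if t % 10_000 == 0:
            cid = pool.accept("192.0.2.7", t)
            if cid is not None and pool.recv(cid, t, headers_complete=True):
                served += 1
            else:
                refused += 1
    return {"served": served, "refused": refused}


if __name__ == "__main__":
    print("idle timeout only :", simulate("idle"))
    print("idle + deadline   :", simulate("deadline"))
```

With only an idle timeout, the attacker's 150 connections hold all 150 workers for the entire two minutes and every legitimate request is refused, at a cost of one short header line per connection every 15 seconds. With the deadline policy the same connections are dropped at 40 seconds regardless of the trickle, which caps how long each one can occupy a worker; a real attacker will reconnect, so in practice the deadline is paired with per-client connection limits.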

Now that we are familiar with some DDoS attack patterns, in part 2 we will talk about how to protect against them.


Golden Girl Geeks

A space to share the cool things I learn as a Software Engineer :). Currently Identity + Network Access @Microsoft. Formerly Kubernetes at @Twitter