Understanding DDOS Attack

Distributed Denial of service attack (Dos attack) is a cyber-attack where the attacker make server machine so busy/hung that it stop responding to other user. Most of the users will start seeing some error message(like not available or not responding).

Types of DOS Attack

UDP Flood

User Datagram Protocol is a sessionless networking protocol. Random ports on the target machine are flooded with packets that cause it to listen for applications on that those ports and report back with a ICMP packet.

SYN Flood

A “three-way handshake”, which is a reference to how TCP connections work, are the basis for this form of attack. The SYN-ACK communication process works like this:

  • First, a “synchronize”, or SYN message, is sent to the host machine to start the conversation.
  • Next, the request is “acknowledged” by the server. It sends an ACK flag to the machine that started the “handshake” process and awaits for the connection to be closed.
  • The connection is completed when the requesting machine closes the connection.

A SYN flood attack will send repeated spoofed requests from a variety of sources at a target server. The server will respond with an ACK packet to complete the TCP connection, but instead of closing the connection the connection is allowed to timeout. Eventually, and with a strong enough attack, the host resources will be exhausted and the server will go offline.

Ping of Death

Ping of death (”POD”) is a denial of service attack that manipulates IP protocol by sending packets larger than the maximum byte allowance, which under IPv4 is 65,535 bytes. Large packets are divided across multiple IP packets — called fragments — and once reassembled create a packet larger than 65,535 bytes. The resulting behemoth packet causes servers to reboot or crash.

Note: This was a real problem in early years (think 1996), but doesn’t have the same effect these days. Most ISPs block ICMP or “ping” messages at the firewall. However, there are many others forms of this attack that target unique hardware or applications. Some other names are “Teardrop”, “Bonk”, and “Boink”.

Reflected Attack

A reflected attack is where an attacker creates forged packets that will be sent out to as many computers as possible. When these computers receive the packets they will reply, but the reply will be a spoofed address that actually routes to the target. All of the computers will attempt to communicate at once and this will cause the site to be bogged down with requests until the server resources are exhausted.

Application Level Attacks

Application level attacks target areas that have more vulnerabilities. Rather than attempt to overwhelm the entire server, an attacker will focus their attack on one — or a few — applications. Web-based email apps, WordPress, Joomla, and forum software are good examples of application specific targets.

Degradation of Service Attacks

The purpose of this attack is to slow server response times. A DDoS attack seeks to take a website or server offline. That is not the case in a degradation of service attack. The goal here is to slow response time to a level that essentially makes the website unusable for most people. Zombie computers are leveraged to flood a target machine with malicious traffic that will cause performance and page-loading issues. These types of attacks can be difficult to detect because the goal is not to take the website offline, but to degrade performance. They are often confused with simply an increase in website traffic.

Few other type of attacks are:

- Peer-to-Peer Attacks
- Nuke
- Slowloris
- Unintentional DDoS

Which security measures to take

1. Install anti-DDoS services. Advanced DDoS protection services, such as CloudFlare, Incapsula, Akamai, or DoS Arrest, help to effectively mitigate volume-based attacks.

2. Use secure hosting like Heroku platform with multiple out-of-the box security features.

3. Install web application firewall. WAFs like the one by Wallarm generate security rules and verify the impact of malicious payloads in real time. Although make sure it doesn’t impose excessive rules.

4. Look after your code.

5. Keep an eye on your website. Track any changes on your web pages, their size and content changes.