Denial-of-service Attack (2)
In the three elements of information security — “Confidentiality”, “Integrity” and“Availability”, the object of denial of service attack is“Availability”. The attack mode makes use of the network service function defect of the target system or consumes its system resources directly so that the target system can not provide normal service.
The problem of denial-of-service attacks has not been properly addressed and is still a worldwide problem because it is caused by a security flaw in the network protocol itself, so denial-of-service attacks have become the ultimate means of attackers. An attacker’s denial of service attack actually makes the server achieve two effects: one is to force the server’s buffer to be full and not accept new requests, and the other is to use IP spoofing, forcing the server to reset the connection of legitimate users, affecting the connection of legitimate users.
Form of denial-of-service attack
Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent legitimate use of a service. There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed.
Distributed DoSD
A distributed denial-of-service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. A DDoS attack uses more than one unique IP address or machine, often from thousands of hosts infected with malware. A distributed denial of service attack typically involves more than around 3–5 nodes on different networks; fewer nodes may qualify as a DoS attack but is not a DDoS attack.
Application layer attacks
An application-layer DDoS attack is a form of DDoS attack where attackers target application-layer processes. The attack over-exercises specific functions or features of a website with the intention to disable those functions or features. This application-layer attack is different from an entire network attack and is often used against financial institutions to distract IT and security personnel from security breaches. Ali further noted that although network-level attacks were becoming less frequent, data from Cloudflare demonstrated that application-layer attacks were still showing no sign of slowing down.
Advanced persistent DoS
An advanced persistent DoS is associated with an advanced persistent threat and requires specialized DDoS mitigation. These attacks can persist for weeks; the longest continuous period noted so far lasted 38 days. This attack involved approximately 50+ petabits of malicious traffic.
Attackers in this scenario may tactically switch between several targets to create a diversion to evade defensive DDoS countermeasures but all the while eventually concentrating the main thrust of the attack onto a single victim. In this scenario, attackers with continuous access to several very powerful network resources are capable of sustaining a prolonged campaign generating enormous levels of un-amplified DDoS traffic.
Attack techniques
Peer-to-peer attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. With peer-to-peer, there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a puppet master, instructing clients of large peer-to-peer file-sharing hubs to disconnect from their peer-to-peer network and connect to the victim’s website instead.
Challenge Collapsar (CC) attack
A Challenge Collapsar attack is an attack where standard HTTP requests are sent to a targeted web server frequently. The URIs in the requests require complicated time-consuming algorithms or database operations which may exhaust the resources of the targeted web server. In 2004, a Chinese hacker nicknamed KiKi invented a hacking tool to send these kinds of requests to attack a NSFOCUS firewall named Collapsar, and thus the hacking tool was known as Challenge Collapsar, or CC for short. Consequently, this type of attack got the name CC attack.
(S)SYN flood
A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet and waiting for a packet in response from the sender address. However, because the sender’s address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends.
Sophisticated low-bandwidth Distributed Denial-of-Service Attack
A sophisticated low-bandwidth DDoS attack is a form of DoS that uses less traffic and increases its effectiveness by aiming at a weak point in the victim’s system design, i.e., the attacker sends traffic consisting of complicated requests to the system. Essentially, a sophisticated DDoS attack is lower in cost due to its use of less traffic, is smaller in size making it more difficult to identify, and it has the ability to hurt systems that are protected by flow control mechanisms.
Defense techniques
Firewalls
In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports, or the originating IP addresses. More complex attacks will however be hard to block with simple rules. Additionally, firewalls may be too deep in the network hierarchy, with routers being adversely affected before the traffic gets to the firewall. Also, many security tools still do not support IPv6 or may not be configured properly, so the firewalls often might get bypassed during the attacks.
Application front-end hardware
Application front-end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front-end hardware analyzes data packets as they enter the system, and then identifies them as a priority, regular, or dangerous. There are more than 25 bandwidth management vendors.
Blackholing and sinkholing
With blackhole routing, all the traffic to the attacked DNS or IP address is sent to a “black hole” (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP.
A DNS sinkhole routes traffic to a valid IP address which analyzes traffic and rejects bad packets. Sinkholing is not efficient for most severe attacks.
DDS based defense
More focused on the problem than IPS, a DoS defense system can block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks and rate-based attacks. DDS has a purpose-built system that can easily identify and obstruct denial of service attacks at a greater speed than a software that is based system.
