Understanding the DOS and DDOS attacks

Insights about the working of DOS and DDOS attacks.

Arkit
Simform Engineering
6 min read · Mar 30, 2023


In today’s age of digitalization, you rely on web applications or mobile applications for even the smallest tasks. For that purpose, you need to continuously send requests and receive responses over the internet. That’s where the security threats come into the picture.

An attacker can target this communication and flood the server with a stream of HTTP requests, making it unavailable for genuine users. So, as a developer, you need to know about these security threats and attacks.

Taking that into perspective, this blog will provide you with insights on DOS and DDOS attacks that have become very common in today’s time. So, let’s get things started.

Introduction to DOS attack

A Denial of service (DOS) attack is an intentional and planned process by an attacker to make a website or a web app unavailable for genuine users or the target audience.

The attacker does this either by flooding the target with HTTP requests over some exposed endpoints or by consuming most of the available network bandwidth of the target servers in other ways.

With the simplest infrastructure possible, an attacker may use a single source/machine to carry out a DOS attack against a target, as depicted in the following image.

Say hi to Big Brother -> DDOS attack

A DDOS (Distributed Denial of Service) attack is an elevated/amplified form of a DOS attack in which an attacker uses a cluster of servers/resources to attack a target and overwhelm its resources so that they are not available to legitimate users.

This cluster may include groups of infected servers, resources, computers, other endpoints, etc. The following diagram depicts a network of compromised servers/resources arranged to launch a DDOS attack on a target.

Types of DDOS attacks and their understanding

We all might be aware of the OSI model (Open Systems Interconnection). DDOS attacks are most common at layers 3, 4, 6, and 7.

The table below lists the OSI model layers and the types of DDOS attacks to which each is vulnerable.

Layer 7, Application Layer => HTTP floods, DNS query floods

Layer 6, Presentation Layer => TLS abuse

Layer 5, Session Layer => N/A

Layer 4, Transport Layer => SYN floods

Layer 3, Network Layer => UDP reflection attacks

Layer 2, Data Link Layer => N/A

Layer 1, Physical Layer => N/A

Infrastructure Layer Attacks

The most common infrastructure layer DDoS attacks are:

1) User Datagram Protocol (UDP) reflection attacks
2) Synchronize (SYN) floods

An attacker can use either of the above strategies to generate high traffic loads on the target server that can be sufficient to overwhelm the capacity of the network, servers, or load balancers.

While we can design our infrastructure to identify these attacks and mitigate them effectively, we must also design our system to scale in these situations, so that it can scale more rapidly than the inbound traffic flood.

This capacity in any infrastructure helps to absorb the attack, freeing up the system resources to respond to the legitimate requests of genuine users.

1. UDP Reflection Attacks

A User Datagram Protocol (UDP) reflection attack exploits the stateless nature of UDP. In this kind of attack, the attacker crafts a valid UDP request but lists the target’s IP as the packet’s source IP address, i.e. the source IP of the request packet is spoofed.

The UDP packet containing the spoofed source IP (the target IP) is then sent to an intermediate server, the reflection server. Because UDP has no handshake to verify the sender, the reflection server sends its UDP response packets to the spoofed source, the target IP, instead of back to the attacker’s real IP.

The reflection server also amplifies the traffic: its response is several times larger than the request packet, which multiplies the traffic load delivered to the target IP address.

UDP Reflection attack
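As an added example that is not part of the original post, the following Python snippet shows how a defender could spot the receiving end of a reflection attack from flow records: a host that receives far more bytes from well-known reflector service ports than it ever sent to them is being "answered" for requests it never made. The set of reflector ports and the flow records are assumptions constructed for this illustration.

```python
# Added example: detecting UDP reflection/amplification traffic from flow
# records on the defender's side. Flow records are constructed, not real.
from collections import defaultdict

# UDP services commonly abused as reflectors (they appear as the *source*
# port of the reflected responses). This set is an assumption for the example.
REFLECTOR_PORTS = {53, 123, 1900, 11211}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # a legitimate DNS lookup by 10.0.0.5 and its answer
    ("10.0.0.5", 51000, "192.0.2.53", 53, 60),
    ("192.0.2.53", 53, "10.0.0.5", 51000, 120),
    # unsolicited NTP "responses" from several reflectors to 10.0.0.9
    ("198.51.100.1", 123, "10.0.0.9", 40000, 4820),
    ("198.51.100.2", 123, "10.0.0.9", 40000, 4820),
    ("198.51.100.3", 123, "10.0.0.9", 40000, 4820),
]


def find_reflection_targets(flows, min_ratio=10.0):
    """Return {host: (inbound_bytes, outbound_bytes, ratio)} for hosts that
    receive traffic from reflector ports far in excess of what they sent."""
    sent = defaultdict(int)      # bytes a host sent *to* reflector ports
    received = defaultdict(int)  # bytes a host received *from* reflector ports
    for src, sport, dst, dport, nbytes in flows:
        if dport in REFLECTOR_PORTS:
            sent[src] += nbytes
        if sport in REFLECTOR_PORTS:
            received[dst] += nbytes

    suspects = {}
    for host, inbound in received.items():
        outbound = sent.get(host, 0)
        # a host that never asked but is being answered has an infinite ratio
        ratio = inbound / outbound if outbound else float("inf")
        if ratio >= min_ratio:
            suspects[host] = (inbound, outbound, ratio)
    return suspects


if __name__ == "__main__":
    for host, (inb, outb, ratio) in find_reflection_targets(FLOWS).items():
        print(f"{host}: received {inb} B, sent {outb} B, ratio {ratio}")
```

In the constructed data, 10.0.0.5 sent a 60-byte DNS query and got a 120-byte answer (ratio 2, normal), while 10.0.0.9 receives 14,460 bytes of NTP "responses" without having sent a single request, which is the signature of spoofed requests reflected onto it.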

2. SYN Flood Attacks

Connecting to a web server over TCP (Transmission Control Protocol) is a three-way handshake process that includes the following steps:

1) The client sends a SYN (synchronize) packet

2) The server returns a SYN-ACK packet in acknowledgment

3) The client responds with an ACK (acknowledgment) packet

3 WAY HANDSHAKE PROCESS

In a SYN flood, the attacker acts as a client of the web server, sends a large number of SYN packets, but never sends the final ACK packets to complete the three-way handshake.

In this way, the target server is left waiting on many half-open TCP connections and runs out of capacity to accept new incoming TCP connections.

This prevents new legitimate users from connecting to our services. The attack basically aims to overwhelm the server’s connection capacity so that legitimate users cannot connect to the target server/services.
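To make the half-open connection problem concrete, here is an added Python example (not code from the original post) with a toy model of a server’s half-open connection table and a simple detection rule over a packet trace: a source that sends many SYNs but almost never completes the handshake. The trace, the table capacity and the thresholds are assumptions constructed for this illustration.

```python
# Added example: toy model of SYN backlog exhaustion plus a per-source
# handshake-completion detector. The trace below is constructed, not captured.
from collections import defaultdict

# Constructed packet trace: (client_ip, flag). Only the client-side SYN and
# ACK matter for the model; the server's SYN-ACK is implied.
TRACE = (
    [("10.0.0.5", "SYN"), ("10.0.0.5", "ACK")]   # one completed handshake
    + [("203.0.113.7", "SYN")] * 300             # many SYNs, never an ACK
    + [("10.0.0.6", "SYN"), ("10.0.0.6", "ACK")] # a later legitimate client
)


class ListenBacklog:
    """Toy model of a server's half-open (SYN_RECV) connection table."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = set()   # (client_ip, id) entries awaiting the final ACK
        self.dropped = 0         # SYNs refused because the table was full
        self.established = 0     # handshakes completed
        self._next_id = 0

    def on_syn(self, client):
        if len(self.half_open) >= self.capacity:
            self.dropped += 1    # no room left: the SYN is silently dropped
            return False
        self._next_id += 1
        self.half_open.add((client, self._next_id))
        return True

    def on_ack(self, client):
        # complete one pending half-open entry from this client, if any
        for entry in sorted(self.half_open):
            if entry[0] == client:
                self.half_open.remove(entry)
                self.established += 1
                return True
        return False


def replay(trace, capacity=128):
    """Feed the trace through the model and return the final table state."""
    backlog = ListenBacklog(capacity)
    for client, flag in trace:
        if flag == "SYN":
            backlog.on_syn(client)
        elif flag == "ACK":
            backlog.on_ack(client)
    return backlog


def suspicious_sources(trace, min_syns=50, max_completion=0.1):
    """Sources that sent at least min_syns SYNs but completed at most
    max_completion of them with an ACK."""
    syns, acks = defaultdict(int), defaultdict(int)
    for client, flag in trace:
        if flag == "SYN":
            syns[client] += 1
        elif flag == "ACK":
            acks[client] += 1
    return {c for c, n in syns.items()
            if n >= min_syns and acks[c] / n <= max_completion}


if __name__ == "__main__":
    b = replay(TRACE)
    print(f"half-open={len(b.half_open)} dropped={b.dropped} "
          f"established={b.established}")
    print("suspicious:", suspicious_sources(TRACE))
```

With a capacity of 128, the 300 attacker SYNs fill the table, 172 of them are dropped, and the later legitimate client 10.0.0.6 is also dropped even though it would have completed the handshake. Real TCP stacks additionally expire half-open entries after a timeout and may use SYN cookies, which is why this is only a model of the pressure the attack creates, not of any particular kernel.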

Application Layer Attacks

Another way of targeting a web server is to launch a layer 7 or application layer attack. In this kind of attack, similar to SYN flood attacks, the attacker aims to overwhelm specific functions of an application to make it unresponsive to genuine users.

This can also be achieved with low request volumes that generate only a small volume of network traffic. Due to this, sometimes it becomes difficult to detect this kind of attack.

There are basically three types of application layer attacks:

1) HTTP flood attacks

2) Cache busting attacks

3) WordPress XML-RPC flood attack

1. HTTP flood attack

HTTP flood is a type of DDOS attack in which an attacker exploits the HTTP GET and POST endpoints to flood a web server with loads of HTTP request traffic.

These are volumetric attacks, often using a group of interconnected servers/computers to exploit the exposed API endpoints of a web application.

Some HTTP flood attacks target a specific resource and may look like legitimate user requests, which also makes it difficult to use common mitigation techniques like request rate limiting.

2. Cache Busting Attacks

Nowadays, many web applications use content delivery networks (CDNs) for page caching to provide low-latency data transfer and high performance.

A cache busting attack, as the name suggests, is a type of HTTP flood that uses variations in the query string to get around the CDN cache.

Instead of being able to return already cached results, the CDN must fetch the data from the origin web server for every request, and these origin fetches place load on the application web server.

Besides the above attacks, there are other forms of malicious traffic that can impact an application’s availability. Scraper scripts (bots) automate attempts to access a web application to steal content or capture competitive information.

Also, attacks like brute force and credential stuffing are pre-programmed attempts to enter a secure region of an application without authorization.

3. WordPress XML-RPC flood attack

This kind of attack is also known as a WordPress pingback flood attack. In this type of attack, the attacker targets a website hosted on the WordPress content management system and misuses the XML-RPC API function to generate large volumes of HTTP requests.

The attack basically involves two WordPress sites that communicate with each other. The process is as follows:

1) The pingback feature allows website A to notify a different website B through a link that site A has created to site B.

2) Site B then attempts to fetch site A to verify the existence of the link.

In a pingback flood, the attacker misuses this capability to cause site B to attack site A. This attack has a detection signature, since "WordPress" is present in the User-Agent header of the HTTP request.
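The three application layer attacks above (HTTP floods, cache busting and pingback floods) all leave traces in the web server’s access log, so as an added example (not code from the original post) here is one small Python log analyser that checks for each: per-client request counts, the number of distinct query-string variants a client requests for the same path, and the WordPress User-Agent signature on requests to the XML-RPC endpoint. It also shows the CDN-side countermeasure for cache busting, a cache key that keeps only an allow-listed set of query parameters. The simplified log format, the sample lines and the thresholds are assumptions constructed for this illustration.

```python
# Added example: access-log checks for HTTP floods, cache busting and
# WordPress pingback traffic, plus a cache-key normaliser. Sample log lines
# are constructed for the example; the log format is a simplified one.
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Simplified line format (assumed): client_ip "METHOD target" "user_agent"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)"$')


def build_sample_log():
    """Constructed sample traffic for this example, not real logs."""
    lines = [
        '10.0.0.5 "GET /index.html" "Mozilla/5.0"',
        '10.0.0.5 "GET /about.html?page=2" "Mozilla/5.0"',
        # a pingback verification request, as sent by another WordPress site
        '198.51.100.4 "POST /xmlrpc.php" "WordPress/6.1; https://blog.example"',
    ]
    # one client requesting the same page with 60 different query strings
    lines += [f'203.0.113.9 "GET /index.html?cb={i}" "curl/7.0"' for i in range(60)]
    return lines


def parse(line):
    """Parse one log line into a record dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, ua = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "method": method, "path": parts.path,
            "query": parts.query, "ua": ua}


def flood_sources(records, max_requests=50):
    """Clients exceeding max_requests within the log window (rate limiting)."""
    counts = Counter(r["ip"] for r in records)
    return {ip for ip, n in counts.items() if n > max_requests}


def cache_busting_sources(records, max_variants=20):
    """(client, path) pairs with more than max_variants distinct query strings."""
    variants = defaultdict(set)
    for r in records:
        variants[(r["ip"], r["path"])].add(r["query"])
    return {key: len(v) for key, v in variants.items() if len(v) > max_variants}


def cache_key(path, query, allowed=("page",)):
    """Cache key a CDN could use: keep only allow-listed query parameters,
    sorted, so unknown junk parameters collapse onto one cached object."""
    kept = sorted((k, v) for k, v in parse_qsl(query) if k in allowed)
    return path + ("?" + urlencode(kept) if kept else "")


def pingback_requests(records):
    """Requests to the XML-RPC endpoint carrying the WordPress User-Agent."""
    return [r for r in records
            if r["path"] == "/xmlrpc.php" and "WordPress" in r["ua"]]


if __name__ == "__main__":
    recs = [r for r in map(parse, build_sample_log()) if r]
    print("flood sources:", flood_sources(recs))
    print("cache busting:", cache_busting_sources(recs))
    print("pingbacks:", len(pingback_requests(recs)))
    print("cache key:", cache_key("/index.html", "cb=17&page=3"))
```

The cache key is the interesting defensive piece: with only `page` allow-listed, all 60 requests for `/index.html?cb=N` map to the single key `/index.html`, so the CDN serves them from cache and the origin is not hit. The pingback check is deliberately narrow; a single such request is normal pingback verification, and it is the volume of them from many sources that indicates a flood.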

Conclusion

These attacks can harm the reputation of our business and website and deal a heavy blow to the growth of an organization.

So, as developers and system architects, we must be aware of the various types of DOS and DDOS attacks and their mitigation techniques.

In this article, we described various kinds of DOS and DDOS attacks. In the next article, we will introduce some of the common mitigation techniques.

Keep following the Simform Engineering publication to know more about such insights and the latest trends in the development ecosystem.
