DDoS means Distributed Denial of Service and it occurs when an attacker overwhelms a target, that is generally a server, with a load of traffic that the target cannot manage. DDoS is a special kind of DoS, Denial of Service attack, and it is important to notice the difference between them. A Dos, in fact, involves a single machine trying to flood a target with fake requests, while a DDos involves a botnet, thus a network of infected computers where a malware is installed, allowing the attacker to control all of them against his target. It’s evident that a DDoS is very more complicated to fight and it can last for days, even weeks, costing to the targeted company a lot of money and credibility. The effectiveness of this attack is clear if you think that a little botnet, sufficient to take down a small company, can be bought for $150 on some darknet markets. To have an idea of how many DDoS attacks are perpetrated in the various regions of the world, take a look at the digital-attack map.
A great variety of DDoS attacks exist and some of them are explained in the following lines.
Different Kinds of DDoS Attacks
– Application layer DDoS
An “application layer” or “layer 7” attack, consists in flooding the application layer of a server with a huge amount of requests that require a great load of traffic and computational power. In this class of attacks are included HTTP flood attacks and DNS query flood attacks.
– HTTP flood
HTTP flood must be specifically crafted against the particular target and it is therefore more difficult to be prevented, not requiring malicious packets but using a botnet of zombies to take down the target. HTTP flood is a volumetric attack.
– DNS query flood
In this kind of attack, the DNS server is the target. The DNS server is the responsible for the packets’ roadmap of a certain zone of a network. Without a DNS server working properly, you cannot find the server you’re searching when you surf the internet. A DNS query flood is a symmetrical attack launched by many zombies in a botnet and belongs to the class of UDP attacks. Being UDP, a full connection is never established, making the spoofing easier.
– Network layer DDoS
These are large attacks measured in gigabits per seconds (Gbps) or packets per seconds (PPS), going from 20 to 200 Gbps in the worst cases. Network layer DDoS’ aim is to occlude the pipeline to the webapplication flooding it with SYN or UDP. Network layer DDoS kinds of attacks are explained in the following lines.
– SYN flood
Generates a flood of connection requests to the server, making it unable to respond. This is a three-way handshake poisoning, that targets every port of the server with SYN packets. The server waits for SYN-ACK packets that never arrive, leaving open a number of half-established connections that overwhelm it.
– UDP flood
The server is flooded with UDP requests to every port. Being no actual destination for many of them, the server replies with “destination unreachable” packets. The attacker can spoof the IP address of the UDP packets being sure that the server does not reply to him. Going on with the attack, the server becomes overwhelmed and unresponsive to legitimate clients.
What Is Amplification
Amplification is a technique used to amplify the bandwidth of a DDoS attack. We can reassume saying “little request from the attacker, huge reply from the server”. By spoofing the IP address in the request, the attacker can increase his attack effectiveness by 70x. The amplification factor can vary with the kind of server, and it goes from a minimum of 3.8 for NetBios to a maximum of 556.9 for NTP.
For example, a command called monlist, is frequently used for NTP DDoS attacks. This command sends back to the attacker the details of the last 600 people who have requested the time. While the request’s size is small, the response’s one is 556.9 times the size of the first one. Spoofing the IP address of the requests with the IP of a victim, the attacker can easily send many of them resulting in an exaggerated load for the victim. This becomes a massive attack if the attacker uses a botnet.
The first thing you have to do, is to imagine in which zone of your network’s infrastructure you could see as vulnerable. Next you have to think to what an attacker needs to take down that portion of your infrastructure. You will want to have a sort of notification system in the case of an attack to know as soon as possible that you are in danger and you must prepare a plan of self-defense. You have to imagine what are the risks for your business, for your data or your reputation. Finally you can hire a penetration tester (yes, you could hire TheInnocent) to test the security of your network. At this point you could be reasonably secure. For a while.