
DoS/DDoS Attack Techniques

A distributed denial of service (DDoS) attack is a malicious attempt to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server.

Basic Categories of DoS/DDoS Attack Vectors

  • Volumetric Attacks: Consume the bandwidth of the target network or service.
  • Fragmentation Attacks: Overwhelm the target’s ability to reassemble fragmented packets.
  • TCP State-Exhaustion Attacks: Consume the connection state tables present in network infrastructure components such as load balancers, firewalls, and application servers.
  • Application Layer Attacks: Consume the application’s resources or service, thereby making it unavailable to other legitimate users.

DoS/DDoS Attack Techniques

  • Bandwidth Attacks and Service Request Floods
  • SYN Flooding Attack
  • ICMP Flood Attack
  • Peer-to-Peer Attacks
  • Application-Level Flood Attacks
  • Permanent Denial-of-Service Attack
  • Distributed Reflection Denial of Service (DrDoS)

Bandwidth Attacks

  • A single machine cannot make enough requests to overwhelm network equipment; hence DDoS attacks were created where an attacker uses several computers to flood a victim.
  • When a DDoS attack is launched, flooding a network, it can cause network equipment such as switches and routers to be overwhelmed due to the significant statistical change in the network traffic.
  • Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.
  • Basically, all bandwidth is used and no bandwidth remains for legitimate use.

Service Request Floods

  • An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections.
  • Service request flood attacks flood servers with a high rate of connections from a valid source.
  • It initiates a request on every connection.

SYN Attack

  • The attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses.
  • The target machine sends back a SYN/ACK in response to the request and waits for the ACK to complete the session setup.
  • The target machine does not get the response because the source address is fake.

Attack with an incomplete three-way handshake:

  1. Attacker sends TCP SYN request to victim
  2. Victim responds with SYN/ACK to attacker
  3. But the attacker does not send back an ACK response, causing the victim to wait for the connection to complete.
  • Tools for prevention are: SYN cookies and SynAttackProtect

SYN Flooding

  1. SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake.
  2. When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a “listen queue” for at least 75 seconds.
  3. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK.
  4. The victim’s listen queue is quickly filled up.
  5. Holding each incomplete connection open for 75 seconds can be used cumulatively as a Denial-of-Service attack.
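SYN cookies, listed above as a prevention tool, remove the listen-queue dependency that the flood exploits: instead of storing a half-open connection for 75 seconds, the server encodes the connection state into the initial sequence number of its SYN/ACK and only allocates state when a valid ACK returns. The following is an added illustration of that scheme in Python, not code from the original post or from any real TCP stack; the bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the classic design in simplified form, and the secret, MSS table and 64-second counter granularity are constructed values.

```python
import hmac
import hashlib
import struct

# Constructed secret for the demo; a real stack uses a random per-boot secret.
SECRET = b"constructed-demo-secret-not-for-production"

# MSS values the 3-bit cookie field can encode (index 0..7); constructed table.
MSS_TABLE = [536, 1300, 1440, 1460, 4312, 8960, 9000, 65495]


def _hash24(src_ip, src_port, dst_ip, dst_port, counter, secret=SECRET):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now_seconds):
    """Return the 32-bit ISN to place in the SYN/ACK; no per-connection state is kept.

    Layout (simplified from the classic scheme):
      bits 31..27 : time counter, (now // 64) mod 32
      bits 26..24 : index into MSS_TABLE (largest entry <= client's advertised MSS)
      bits 23..0  : keyed hash of the 4-tuple and the counter
    The client's ISN is added so the returned ACK number can be checked later.
    """
    counter = (now_seconds // 64) % 32
    mss_idx = max(i for i, v in enumerate(MSS_TABLE) if v <= mss)
    h = _hash24(src_ip, src_port, dst_ip, dst_port, counter)
    cookie = (counter << 27) | (mss_idx << 24) | h
    return (client_isn + cookie) & 0xFFFFFFFF


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number, now_seconds):
    """Validate the final ACK of a cookie-based handshake.

    Returns the MSS recovered from the cookie, or None if the cookie is forged,
    belongs to a different 4-tuple (e.g. a spoofed source) or has expired.
    A spoofed SYN never produces this ACK, so it costs the server nothing.
    """
    cookie = (ack_number - 1 - client_isn) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    current = (now_seconds // 64) % 32
    # Accept the current counter value and the previous one (lifetime of 64-128 s).
    if counter not in (current, (current - 1) % 32):
        return None
    if h != _hash24(src_ip, src_port, dst_ip, dst_port, counter):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_syn_cookie("203.0.113.10", 40000, "198.51.100.5", 80, 1000, 1460, 100000)
    ack = (isn + 1) & 0xFFFFFFFF
    print("valid ACK ->", check_syn_cookie("203.0.113.10", 40000, "198.51.100.5", 80, 1000, ack, 100000))
    print("wrong source ->", check_syn_cookie("203.0.113.11", 40000, "198.51.100.5", 80, 1000, ack, 100000))
```

The trade-off is visible in the code: only eight MSS values survive the round trip and any TCP options sent in the SYN are lost, which is why real stacks enable cookies only once the listen queue is under pressure.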

ICMP Flood Attack

  • An ICMP flood attack is a type of DoS attack in which perpetrators send a large number of ICMP packets, directly or through reflection networks, to the victim, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests.
  • To protect against ICMP flood attacks, set a threshold that, when exceeded, invokes the ICMP flood attack protection feature.
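The threshold just described is a per-source rate count over a short window: normal pings stay well under it, a flood crosses it within a second. The following is an added Python example, not part of the original post and not the protection feature of any particular product, showing such a detector run over a constructed packet log; it generalizes the ICMP case to any per-source packet type (the same window logic applies to the SYN rate in a service request flood), and the thresholds, window size and IP addresses are constructed values.

```python
from collections import defaultdict, deque

# Constructed packet log: (timestamp_seconds, source_ip, packet_type).
PACKETS = (
    [(10.0 + i * 0.005, "203.0.113.7", "icmp-echo") for i in range(250)]   # 200 echo/s: flood
    + [(10.0 + i * 0.5, "198.51.100.3", "icmp-echo") for i in range(10)]   # 2 echo/s: a normal ping
    + [(10.0 + i * 0.02, "203.0.113.9", "tcp-syn") for i in range(120)]    # 50 SYN/s from one source
)

# Packets per window that trigger protection; constructed values, tune to the link.
THRESHOLDS = {"icmp-echo": 100, "tcp-syn": 40}
WINDOW = 1.0  # seconds


class FloodDetector:
    """Sliding-window counter per (source, packet type)."""

    def __init__(self, thresholds=THRESHOLDS, window=WINDOW):
        self.thresholds = thresholds
        self.window = window
        self.history = defaultdict(deque)   # (src, ptype) -> timestamps inside the window
        self.alerted = set()                # keys already reported, to avoid repeat alerts

    def observe(self, ts, src, ptype):
        """Record one packet; return (src, ptype, count, ts) the first time the threshold is crossed."""
        limit = self.thresholds.get(ptype)
        if limit is None:
            return None
        q = self.history[(src, ptype)]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > limit and (src, ptype) not in self.alerted:
            self.alerted.add((src, ptype))
            return (src, ptype, len(q), ts)
        return None


def scan(packets):
    """Feed packets in time order; return the list of alerts raised."""
    det = FloodDetector()
    alerts = []
    for ts, src, ptype in sorted(packets):
        hit = det.observe(ts, src, ptype)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for src, ptype, count, ts in scan(PACKETS):
        print(f"t={ts:.2f}s flood from {src}: {count} {ptype} packets in {WINDOW}s window")
```

In practice the action on an alert is rate-limiting or dropping that source's packets of that type rather than blocking the host outright, since a reflection flood can carry the address of an innocent third party.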

Peer-to-Peer Attacks

  • Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s fake website.
  • Attackers exploit flaws found in networks using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients.
  • Using this method, attackers launch massive denial-of-service attacks and compromise websites.
  • Using the vulnerability of the DC++ (Direct Connect) protocol to change the connection between clients without botnet intervention, the attacker acts as a “puppet master,” instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s website instead.
  • Port 80 can be configured to not allow peer-to-peer transmission, reducing the risk of website attacks.

Permanent Denial-of-Service (PDoS) Attack

  • Phlashing:
    • Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware.
  • Sabotage:
    • Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware.
  • Bricking a system:
    • This attack is carried out using a method known as “bricking a system.”
    • Using this method, attackers send fraudulent hardware updates to the victims.
  • Process

Application-Level Flood Attacks

  • Application-level flood attacks result in the loss of services of a particular network, such as emails, network resources, the temporary ceasing of applications and services, and more.
  • Using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests.
  • Using application-level flood attacks, attackers attempt to:
    • Flood web applications, thereby preventing legitimate user traffic.
    • Disrupt service to a specific system or person, for example, blocking a user’s access by repeating invalid login attempts.
    • Jam the application-database connection by crafting malicious SQL queries.

Distributed Reflection Denial of Service (DRDoS)

  • A distributed reflection denial of service (DRDoS) attack, also known as a spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application.
  • The attacker launches this attack by sending requests to the intermediary hosts; these requests are then redirected to the secondary machines, which in turn reflect the attack traffic to the target.
  • Advantage:
    • The primary target appears to be attacked directly by the secondary victim, not by the actual attacker.
    • Multiple intermediary victim servers are used, which increases the attack bandwidth.
  • To prevent Chargen service amplification attacks: Disable Character Generator Protocol (CHARGEN) TCP/UDP 19 port.
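Two things make a network a DRDoS participant: hosting a reflector such as CHARGEN that answers spoofed requests, and letting packets with forged source addresses leave the network in the first place. The following added Python example, not from the original post, checks a constructed flow log for both symptoms: inbound UDP responses from reflector ports that no local host ever requested (the victim's view), and outbound packets whose source address is not in the local prefix (the spoofing-source view, i.e. what egress filtering would drop). The local prefix, reflector port table and flow records are all constructed.

```python
import ipaddress

# Constructed: the address space this network legitimately originates traffic from.
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# UDP services commonly abused as reflectors; CHARGEN on port 19 is the one named above.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp"}

# Constructed flow records: (direction, proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("out", "udp", "198.51.100.20", 51000, "203.0.113.53", 53, 60),     # our resolver's query
    ("in",  "udp", "203.0.113.53", 53, "198.51.100.20", 51000, 512),    # its answer: solicited
    ("in",  "udp", "192.0.2.19", 19, "198.51.100.30", 40000, 1024),     # chargen reply nobody asked for
    ("in",  "udp", "192.0.2.19", 19, "198.51.100.30", 40001, 1024),
    ("out", "udp", "203.0.113.99", 40000, "192.0.2.19", 19, 40),       # leaves with a foreign source
]


def is_local(ip):
    """True if the address belongs to one of our prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyze(flows):
    """Return (unsolicited reflector responses, spoofed-source egress flows)."""
    # Outbound UDP requests keyed so a reply (dst/src swapped) can be matched.
    requested = set()
    for d, proto, sip, sp, dip, dp, _ in flows:
        if d == "out" and proto == "udp":
            requested.add((sip, sp, dip, dp))

    unsolicited = []
    spoofed = []
    for d, proto, sip, sp, dip, dp, nbytes in flows:
        if d == "in" and proto == "udp" and sp in REFLECTOR_PORTS:
            if (dip, dp, sip, sp) not in requested:
                unsolicited.append((REFLECTOR_PORTS[sp], sip, dip, dp, nbytes))
        if d == "out" and not is_local(sip):
            spoofed.append((sip, dip, dp))
    return unsolicited, spoofed


def reflected_bytes_per_victim(flows):
    """Aggregate unsolicited reflector traffic per local destination host."""
    unsolicited, _ = analyze(flows)
    per_victim = {}
    for _svc, _sip, dip, _dp, nbytes in unsolicited:
        per_victim[dip] = per_victim.get(dip, 0) + nbytes
    return per_victim


if __name__ == "__main__":
    unsolicited, spoofed = analyze(FLOWS)
    for svc, sip, dip, dp, nbytes in unsolicited:
        print(f"unsolicited {svc} response {sip} -> {dip}:{dp} ({nbytes} bytes)")
    for sip, dip, dp in spoofed:
        print(f"egress with non-local source {sip} -> {dip}:{dp}: egress filtering would drop this")
    print(reflected_bytes_per_victim(FLOWS))
```

The first list is what a DDoS firewall or ISP scrubbing service keys on when it drops reflector-port traffic toward a victim; the second is the check an egress filter (BCP 38 style source validation) performs so that a compromised internal host cannot reflect off someone else's CHARGEN or DNS server.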

  • DoS -> Service/System Destruction
  • DDoS/DRDoS -> Resource Consumption
    • Bandwidth
    • CPU
    • Memory
    • Connection
  • Prevention:
    • Cloud/CDN
    • ISP/DDoS Prevention Service
    • DDoS Firewall
