Distributed Denial of Service (DDoS): Attacks and Defence Mechanisms
Paper Type: Free Essay | Subject: Information Technology | Wordcount: 3308 words | Published: 8th Feb 2020
Distributed Denial of Service (DDoS)
Abstract — Denial of Service (DoS) attacks are one of the major threats and among the hardest security problems in today’s Internet. A Distributed Denial of Service (DDoS) attack is a type of DoS attack and is of particular concern because it is a rapidly growing problem and its impact can be correspondingly severe. For example, imagine someone prank calling your telephone. A DDoS attack is like a thousand people prank calling your telephone and tying up the telephone lines: when a person who needs to talk to you tries to call, they might get a busy signal or not get through to you at all. The telephone company may also have trouble distinguishing between the “real” telephone calls and the “prank” telephone calls. The goal of the prank calls is to tie up the telephone lines so nobody else can get through to you. From an organisational perspective, the telephone company is the organisation’s web server, the prank calls are the DDoS attack traffic and the legitimate caller is the real visitor to your website. The web server is flooded with these “prank” calls and cannot process the legitimate “calls”. This paper presents a detailed description of the DDoS threat, some recent high-profile exploits and the defence mechanisms that can be put in place to protect an organisation from this attack.
Keywords — DDoS attack.
I. Introduction
A Distributed Denial of Service (DDoS) attack is a type of DoS attack. It is a somewhat simple, yet dynamic, technique used by attackers to exhaust internet resources. When an attack is set up by directing many machines to target one machine, the attack is typically called a DDoS attack. A botnet, a number of hijacked internet-connected devices each running one or more bots, is often used by DDoS attackers to perform large-scale attacks. Attackers exploit weaknesses in these devices to take control of them using command-and-control software; once in control, they can command their botnet to perform a DDoS attack on the victim [3].
II. DDoS ATTACKS
A. Defining DDoS Attacks
According to WWW Security FAQ [4] on Distributed Denial of Service (DDoS) attacks: “A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the DoS significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms.” Initially, the attacker finds loopholes or vulnerabilities in one or more networks to install malicious programs and control them remotely. Later, the attacker exploits these vulnerable hosts to send attack packets to the target machine(s), usually outside the network of the tainted hosts, without the knowledge of these compromised hosts. Depending on the intensity of attack packets and the number of hosts used to attack, commensurate damage occurs in the victim network. If the attacker can exploit many compromised hosts, a network or a Web server may be disrupted within a short time [5].
B. Types of DDoS Attacks
There are various types of DDoS attacks, but according to Imperva Incapsula [6], a DDoS protection centre, some of the most frequently used attack types include:
- UDP Flood: A UDP flood is a type of DDoS attack in which an attacker uses the User Datagram Protocol (UDP) to flood random ports on a remote host with packets. UDP is a connectionless protocol, so for each packet the host checks for an application listening on that port and, when none is found, replies with an ICMP ‘Destination Unreachable’ packet; this continuous checking and replying consumes the host’s resources [6].
- ICMP Flood: Also known as a ping flood, this is a type of DDoS attack in which an attacker overwhelms a victim’s computer with Internet Control Message Protocol (ICMP) echo request (ping) packets sent as fast as possible, without waiting for replies. The attack consumes both outgoing and incoming bandwidth and degrades system performance, since the victim’s server tries to respond to every ping packet [6].
- SYN Flood: This is a type of DDoS attack in which an attacker attempts to consume enough server resources, by sending SYN requests, to slow the system down or make it unresponsive to legitimate traffic. SYN requests are sent to start the TCP connection sequence (the three-way handshake), in which a host and server exchange a series of messages: the SYN is answered with a SYN-ACK, and the connection is confirmed by a final ACK. In a SYN attack, that final ACK is never sent to the server. The attacker either spoofs the source IP address in the SYN or simply withholds the expected ACK; in the spoofed case the server sends the SYN-ACK to a false IP address, which does not respond with an ACK because it never sent a SYN [6].
- Ping of Death: A ping of death (“POD”) attack is one in which an attacker sends multiple malformed or malicious pings to a computer. The maximum length of an IP packet is 65,535 bytes. A ping of death works by sending fragments that, when reassembled by the victim, form an IP packet larger than 65,535 bytes, if the malicious manipulation of the fragments is followed. This overflows the memory buffers allocated for the packet, resulting in denial of service for legitimate packets [6].
- Slowloris: This DDoS attack tool was created by Robert Hansen. It enables a single machine to take down another machine with minimal side effects on other services or ports on the target network. Slowloris works by holding as many connections to the target server open for as long as possible. This is accomplished by opening connections to the target machine and sending a partial request; it then keeps sending further HTTP headers and never completes the request, filling the maximum concurrent connection pool and denying connection attempts from legitimate clients [6].
- NTP Amplification: This is a type of DDoS attack in which the attacker exploits public Network Time Protocol (NTP) servers to overwhelm a targeted server with UDP traffic. NTP amplification is mainly a type of reflection attack, which involves eliciting a response from a server to a spoofed IP address: the attacker sends a packet with a forged source IP address, usually the victim’s, and the server sends its (larger) response to that address [6].
- HTTP Flood: This is a type of DDoS attack designed to attack a web application or server using seemingly legitimate HTTP GET or POST requests. Compared with other attacks that use malformed packets, spoofing or reflection techniques, it requires less bandwidth to bring down the targeted server or application, because it forces the web application or server to assign the maximum possible resources to each single request [6].
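The ping-of-death item above comes down to one missing bounds check in the victim's fragment reassembly code. The following is an added example, not code from the essay or from the sources it cites: a small IPv4 fragment reassembler that validates each fragment's end offset against the 65,535-byte maximum before buffering it, so an oversized datagram is rejected instead of overflowing the buffer. The `Fragment` and `Reassembler` names, the 20-byte header assumption, and the sample fragments are all constructed for this example.

```python
"""Bounds-checked IPv4 fragment reassembly.

Added example, not code from the essay or its sources. It models the check that a
reassembly buffer needs so that a "ping of death" (fragments that add up to more
than 65,535 bytes) is rejected before it can overflow the buffer.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

IP_MAX_DATAGRAM = 65535   # largest value of the 16-bit IPv4 Total Length field
IP_HEADER_LEN = 20        # assumed header size (no IP options) for this example


@dataclass
class Fragment:
    ident: int         # IPv4 Identification field, shared by all fragments of one datagram
    offset_units: int  # 13-bit Fragment Offset, in units of 8 bytes
    more: bool         # More Fragments (MF) flag
    payload: bytes


class ReassemblyError(ValueError):
    """Raised when a fragment would push the datagram past the IPv4 maximum."""


@dataclass
class _Buffer:
    pieces: Dict[int, bytes] = field(default_factory=dict)  # byte offset -> payload
    total_len: Optional[int] = None                          # known once MF=0 arrives


class Reassembler:
    def __init__(self) -> None:
        self._buffers: Dict[int, _Buffer] = {}

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Feed one fragment. Returns the reassembled payload when the datagram is
        complete, None while pieces are still missing, and raises ReassemblyError
        for a fragment that would exceed 65,535 bytes (the ping-of-death case)."""
        start = frag.offset_units * 8
        end = start + len(frag.payload)
        # The bounds check: validate the fragment's end offset *before* copying it
        # into a buffer sized for the maximum legal datagram.
        if IP_HEADER_LEN + end > IP_MAX_DATAGRAM:
            self._buffers.pop(frag.ident, None)   # discard anything collected so far
            raise ReassemblyError(
                f"fragment ends at byte {end}; datagram would exceed {IP_MAX_DATAGRAM} bytes")
        buf = self._buffers.setdefault(frag.ident, _Buffer())
        buf.pieces[start] = frag.payload
        if not frag.more:
            buf.total_len = end
        if buf.total_len is None:
            return None                          # last fragment not seen yet
        # The datagram is complete only if the pieces cover [0, total_len) without holes.
        covered = 0
        for off in sorted(buf.pieces):
            if off > covered:
                return None                      # a hole remains
            covered = max(covered, off + len(buf.pieces[off]))
        if covered < buf.total_len:
            return None
        del self._buffers[frag.ident]
        return b"".join(buf.pieces[off] for off in sorted(buf.pieces))


def reassemble(fragments):
    """Convenience wrapper: feed a list of fragments, return the payload or None."""
    r = Reassembler()
    result = None
    for frag in fragments:
        result = r.add(frag)
    return result


if __name__ == "__main__":
    # Constructed fragments: a benign two-piece datagram ...
    benign = [Fragment(1, 0, True, b"A" * 16), Fragment(1, 2, False, b"B" * 8)]
    print(reassemble(benign))
    # ... and an oversized one: offset 8189 * 8 = 65512 plus 100 bytes of payload.
    try:
        reassemble([Fragment(2, 8189, False, b"X" * 100)])
    except ReassemblyError as exc:
        print("rejected:", exc)
```

The point of the design is where the check sits: the end offset is computed from the header fields alone and compared with the maximum before any payload is copied, so the rejection costs nothing and no buffer is ever sized by attacker-controlled arithmetic. A fragment that lands exactly on the limit is still accepted, which the test below uses as the boundary case.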
Fig. 1. DDoS attack statistics up to the year 2014 (DDoS attack percentage is shown on the y-axis) [5].
Fig 1 above shows DDoS attack statistics up to the year 2014 and the most commonly used DDoS attacks are the TCP SYN, HTTP GET, UDP, and ICMP flooding [5].
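The four flood types that Fig. 1 singles out (TCP SYN, HTTP GET, UDP and ICMP) each leave a recognisable footprint in flow records. As an added example that is not part of the essay or its sources, the script below runs simple threshold rules over constructed flow records: SYNs that are never followed by ACKs at a destination, UDP packets sprayed across many ports, and bursts of ICMP echo requests. The record format, thresholds, addresses and counts are all assumptions made for this example.

```python
"""Threshold-based flood detection over flow records.

Added example, not code from the essay or its sources. The records are constructed
for the example and use a simple CSV shape: ts_seconds,src,dst,proto,dport,flags
(flags is the TCP flag string, "echo" for an ICMP echo request, or empty).
"""
from collections import defaultdict


def parse(line):
    ts, src, dst, proto, dport, flags = line.strip().split(",")
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport) if dport else None, "flags": flags}


def detect_floods(lines, window=1.0, syn_threshold=100,
                  udp_port_threshold=50, icmp_threshold=100):
    """Return a sorted list of (kind, destination, count) alerts.

    Counters are keyed by (time bucket, destination) rather than by source,
    because flood sources are usually spoofed or spread across a botnet.
    """
    syn = defaultdict(int)        # SYN-only segments (half-open attempts)
    ack = defaultdict(int)        # segments carrying ACK (handshakes completing)
    udp_ports = defaultdict(set)  # distinct UDP destination ports seen
    icmp = defaultdict(int)       # ICMP echo requests
    for line in lines:
        r = parse(line)
        key = (int(r["ts"] // window), r["dst"])
        if r["proto"] == "tcp":
            if r["flags"] == "S":
                syn[key] += 1
            elif "A" in r["flags"]:
                ack[key] += 1
        elif r["proto"] == "udp":
            udp_ports[key].add(r["dport"])
        elif r["proto"] == "icmp" and r["flags"] == "echo":
            icmp[key] += 1

    alerts = []
    for key, n in syn.items():
        # Many SYNs with almost no ACKs in the same window: handshakes never complete.
        if n >= syn_threshold and ack.get(key, 0) < 0.1 * n:
            alerts.append(("syn_flood", key[1], n))
    for key, ports in udp_ports.items():
        if len(ports) >= udp_port_threshold:
            alerts.append(("udp_flood", key[1], len(ports)))
    for key, n in icmp.items():
        if n >= icmp_threshold:
            alerts.append(("icmp_flood", key[1], n))
    return sorted(alerts)


def legitimate_sample():
    """Constructed: one client completing a handshake and sending data."""
    return ["10.200,10.0.0.5,192.0.2.10,tcp,80,S",
            "10.210,10.0.0.5,192.0.2.10,tcp,80,A",
            "10.220,10.0.0.5,192.0.2.10,tcp,80,PA"]


def flood_sample():
    """Constructed: the legitimate client plus three floods in the same second."""
    lines = legitimate_sample()
    # SYN flood from spoofed sources against the web server; no ACK ever follows.
    lines += [f"{10 + i * 0.005:.3f},198.51.100.{i % 50 + 1},192.0.2.10,tcp,80,S"
              for i in range(150)]
    # UDP flood sprayed across many ports of a second host.
    lines += [f"{10 + i * 0.01:.3f},203.0.113.9,192.0.2.11,udp,{1024 + i},"
              for i in range(80)]
    # ICMP echo-request (ping) flood against a third host.
    lines += [f"{10 + i * 0.005:.3f},203.0.113.10,192.0.2.12,icmp,,echo"
              for i in range(120)]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(flood_sample()):
        print(alert)
```

The SYN rule deliberately combines a volume threshold with the SYN-to-ACK ratio: a busy but healthy server also sees many SYNs, and it is the absence of completing handshakes that distinguishes a flood. In production the thresholds would be tuned against a baseline of normal traffic for each destination.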
C. Recent Exploits from DDoS Attack
Usually, a DDoS attacker’s main objective is to attack a victim’s routers, links, firewalls and defence systems, infrastructure, OS, current communications and/or applications. One of the main reasons an attacker would form a network of compromised hosts to launch DDoS attacks is to take advantage of these compromised hosts and steal sensitive information. Other factors that make such attacks possible include: high interdependencies in internet security; limited internet resources; many unwittingly compromised hosts; intelligence and resources that could be used to thwart impending attacks not usually being collected; the simple and straightforward routing principles used on the internet; commonplace mismatches in design and speed between core and edge networks; and frequently slack network management [5].
DDoS attacks are launched every day. Famous websites like Facebook, Twitter and Google have not escaped DDoS attacks, which affected millions of their users. Some of the DDoS incidents observed in recent years are outlined in Table I in chronological order.
TABLE I. Recent DDoS incidents
S/No. | Date | DDoS Target/Incident | Description
1 | February 2018 | Memcached attack on GitHub | Attack size was about 1.3 terabits per second (Tbps), sending packets at a rate of 126.9 million per second. Attackers leveraged the amplification effect of memcached, a popular database caching system, by flooding memcached servers with spoofed requests, amplifying the attack by a factor of about 50,000x [7]. The attack lasted about 20 minutes before it was resolved.
2 | October 2016 | Mirai attack on Dyn | Estimated attack size was about 1.2 terabits per second (Tbps). The attack targeted systems operated by the Domain Name System (DNS) provider Dyn and disrupted major sites such as Airbnb, Netflix, PayPal, Visa and Amazon, rendering these platforms and services unavailable [7]. It was carried out using Mirai, malware that creates a botnet out of compromised IoT devices such as IP cameras, smart home systems and home routers. The attack was resolved within one day.
3 | September 2016 | Mirai attack on Brian Krebs’ website, krebsonsecurity.com | Attack size was approximately 665 gigabits per second. It was carried out using Mirai, malware that creates a botnet out of enslaved IoT devices such as IP cameras, smart home systems and home routers. The attack lasted about 77 hours and was powered by about 24,000 IoT devices. It cost the owners of devices unknowingly involved in the attack about $300,000.
4 | September 2016 | OVH | Attack size was about 1 terabit per second (Tbps). Attackers used an IoT botnet composed of compromised CCTV cameras to attack OVH; such cameras are favoured because they often lack proper configuration and are easy to locate on the internet with weak or default login credentials.
5 | March 2015 | GitHub | Attack traffic was generated by injecting malicious JavaScript code into the browsers of everyone who visited Baidu, China’s most popular search engine, resulting in infected browsers sending HTTP requests to the targeted GitHub pages [7].
6 | March 2013 | Spamhaus attack | Attack traffic was at a rate of 300 gigabits per second (Gbps). Spamhaus fought back using Cloudflare’s DDoS protection, but the attacker responded by going after certain internet exchanges and bandwidth providers in an attempt to bring down Cloudflare as well. The attack was ultimately unsuccessful but caused issues for the London Internet Exchange (LINX) [7].
7 | November 2010 | Whistle-blower site WikiLeaks | Attack size was about 10 gigabits per second (Gbps). It was launched to prevent a leak of secret cables, rendering the site unavailable to its users [8].
The cost of these DDoS incidents is tremendous. These incidents often cost millions of dollars to the affected companies and represent a significant threat to any computer system.
III. Defence Mechanisms against DDoS Attacks
- Perform a DDoS risk assessment. A risk assessment is necessary to identify when you are under attack. Having a response plan that states what to do and who should do it is equally important. Going beyond the IT team, for example by involving your vendors and the executive team, helps all parties in the face of a DDoS attack. Carry out the risk assessment frequently and update your response plan each time.
- Create a DDoS playbook. Documenting all details of planned responses is the best way to protect an organisation against future attacks.
- Over-provision bandwidth. Having more bandwidth for web servers is generally good. During an attack, it gives breathing time to act before resources and sensitive information are tampered with.
- Reduce the network attack surface. Technical measures such as adding filters that let the router drop packets from the attacker, or rate limiting at the router, prevent the web server from being overwhelmed. These measures tend to partially reduce the effect of an attack, especially in the first few minutes.
- Continue to add layers of defence. This should be a habit at every organisation that wants to prevent DDoS attacks: continue to add layers of security as they become available.
- Consult your Internet Service Provider (ISP). When a DDoS attack is suspected, it is important to contact the ISP or hosting provider and inform them of the attack.
- Consult a DDoS specialist. A DDoS specialist has the large-scale infrastructure needed to keep a website running, especially during very large attacks.
- Use a Web Application Firewall (WAF). A web application firewall is another strong defence against a DDoS attack. Like an anti-virus for a website, it blocks malicious requests; it can also improve application performance and enhance user experience. It sits in front of the application at the network level to provide protection before the attack reaches the server.
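The filtering and rate-limiting measures in the list above are usually implemented as a per-source token bucket backed by a block list. The following is an added example, not code from the essay or its sources, showing that mechanism in working form: each source earns tokens at a fixed rate up to a burst size, a request that finds the bucket empty is dropped, and a source that keeps exceeding its limit is block-listed for a penalty period. The limiter class, the traffic rates and the addresses are constructed for this example; tokens are counted in integer thousandths so the arithmetic is exact.

```python
"""Per-source token-bucket rate limiter with a block list.

Added example, not code from the essay or its sources. Timestamps are integer
milliseconds and tokens are tracked in thousandths: a request costs 1000, and each
millisecond adds `rate` thousandths of a token, so no floating point is involved.
"""
from collections import defaultdict


class TokenBucketLimiter:
    def __init__(self, rate, burst, block_after=None, block_ms=60_000):
        self.rate = rate                    # sustained requests per second per source
        self.capacity = burst * 1000        # bucket capacity in millitokens
        self.block_after = block_after      # drops before a source is block-listed
        self.block_ms = block_ms            # how long a block-listed source stays blocked
        self._bucket = {}                   # src -> (millitokens, last_ms)
        self._drops = defaultdict(int)      # src -> drops since last reset
        self._blocked_until = {}            # src -> ms at which the block expires

    def allow(self, src, now_ms):
        """Return True if the request from `src` at `now_ms` may pass."""
        until = self._blocked_until.get(src)
        if until is not None:
            if now_ms < until:
                return False                # block-listed: drop without touching the bucket
            del self._blocked_until[src]
            self._drops[src] = 0
        tokens, last = self._bucket.get(src, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)  # refill
        if tokens >= 1000:
            self._bucket[src] = (tokens - 1000, now_ms)
            return True
        self._bucket[src] = (tokens, now_ms)
        self._drops[src] += 1
        if self.block_after is not None and self._drops[src] >= self.block_after:
            self._blocked_until[src] = now_ms + self.block_ms
        return False


def simulate(limiter, events):
    """Replay (ts_ms, src) events in time order; return {src: (allowed, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(events):
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def constructed_traffic():
    """Constructed traffic: a well-behaved client and a single flooding source."""
    legit = [(i * 200, "10.0.0.5") for i in range(50)]          # 5 requests/s for 10 s
    flood = [(i, "198.51.100.7") for i in range(1000)]          # 1000 requests in 1 s
    return legit + flood


if __name__ == "__main__":
    # 10 requests/s sustained, burst of 20, block after 100 drops.
    limiter = TokenBucketLimiter(rate=10, burst=20, block_after=100)
    for src, (allowed, dropped) in simulate(limiter, constructed_traffic()).items():
        print(f"{src}: allowed={allowed} dropped={dropped}")
```

Without the block list the flooding source still gets its burst plus the refill for the second (29 requests through, 971 dropped) while the legitimate client is untouched; with the block list it is cut off after its hundredth drop, so the router stops spending effort on it at all. The caveat the essay's SYN-flood description already implies applies here: a per-source limiter is only as good as the source address, so it helps against a botnet whose members use their real addresses but not against spoofed-source SYN or reflection floods, which need destination-side measures or upstream filtering.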
IV. Conclusion
Distributed Denial of Service attacks are without doubt a serious threat on the internet today; they are growing day by day, and various approaches have been proposed to counter them. However, the sheer number of attacks and defence mechanisms these days obscures a global view of the DDoS challenge.
This paper has presented a clear view of DDoS, its types, some of the recent exploits from this attack and some of the defence mechanisms that have been proposed to counter them. Having a clear view of the DDoS attack allows us to find more effective solutions to it, and one advantage of studying this attack together with its defence mechanisms is that effective communication and cooperation between researchers can be achieved, so that more DDoS weaknesses can be discovered.
References
[1] OWASP, “owasp.org,” 3 February 2015. [Online]. Available: https://www.owasp.org/index.php/Denial_of_Service.
[2] A. Mitrokotsa and C. Douligeris, “DDoS attacks and defense mechanisms: classification and state-of-the-art,” Computer Networks, 2004.
[3] United States Computer Emergency Readiness Team (US-CERT), “Understanding Denial-of-Service Attacks,” 4 November 2009. [Online]. Available: https://www.us-cert.gov/ncas/tips/ST04-015.
[4] J. N. Stewart and L. D. Stein, “The World Wide Web Security FAQ, version 3.1.2,” 4 February 2002. [Online]. Available: http://www.w3.org/Security/Faq.
[5] J. K. Kalita and D. K. Bhattacharyya, DDoS Attacks: Evolution, Detection, Prevention, Reaction and Tolerance, CRC Press.
[6] Imperva Incapsula, “DDoS Protection Center.” [Online]. Available: https://www.incapsula.com/ddos/.
[7] Cloudflare. [Online]. Available: https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/.
[8] K. Kumar and K. Arora, “Impact Analysis of Recent DDoS Attacks,” vol. 3, no. 2, 2011.