Security

Explain the DDoS problem

Distributed denial-of-service (DDoS) attacks are the most prevalent and challenging attacks of this era. The first-ever DDoS attack was witnessed in 1999, when a computer at the University of Minnesota started receiving superfluous data packets from other computers [1]. Soon after this attack, attackers targeted many big firms such as Amazon, CNN and GitHub.

What is a DDoS Attack?

A DDoS attack is a distributed version of a denial-of-service (DoS) attack. In a DoS attack, the attacker sends an illegitimate flood of requests to a server, making its services unavailable to legitimate users. The flood consumes the server's resources and thereby brings the server down.

The main difference between a DoS attack and a DDoS attack is that a DoS attack is launched from a single computer, whereas a DDoS attack is launched from a group of distributed computers.

In a DDoS attack, the attacker usually uses botnets (networks of bots) to automate the attack. Before launching the attack, the attacker builds an army of zombie computers by infecting victims' computers with malicious software or adware. Once the bots are in place, the botmaster sets up a command-and-control channel to control the bots remotely, then issues commands to launch a distributed, synchronized attack from these compromised computers against the target. The result is that the targeted websites, servers and networks are flooded with more traffic than they can handle.

Botnets can range from hundreds to millions of computers controlled by botmasters. A botmaster uses botnets for different purposes, such as infecting servers and sending spam. A computer can be part of a botnet without its owner knowing. With the growth of IoT applications, Internet of Things (IoT) devices are the latest target of attackers: they are hacked and made part of botnets that deliver DDoS attacks, because the security of an IoT device is generally weaker than that of a complete computer system.

Many firms have developed digital attack maps that give a live overview of the DDoS attacks ongoing around the world. Kaspersky, for example, provides a 3D view of live attacks; others include FireEye and Digital Attack Map.

DDoS Attack Business Model

Hackers have developed a business model to earn from these attacks. Attacks are sold on illegal websites on the Dark Web, which is generally accessed with the Tor browser because it provides an anonymous way to surf the Internet. The price of an attack depends on its level, its duration and other factors. Highly skilled hackers create botnets and sell or rent them to less skilled hackers or other businesses on the Dark Web. DDoS attacks are being sold on the Internet for as little as £8 [2], and these attacks are powerful enough to bring down a website.

After DDoSing the target, hackers demand a lump-sum payment to stop the attack. Many organizations agree to pay in order to save their business and customer traffic. Some hackers even offer measures to protect against future attacks.

Types of DDoS Attack

There are mainly three types of DDoS attacks:

  1. Application Layer Attacks: Also referred to as layer 7 DDoS attacks, these are used to exhaust system resources. The attacker issues a large number of HTTP requests, drains the available resources, and makes the server unavailable for legitimate requests. This is also called an HTTP flood attack.
  2. Protocol Attacks: Also known as state-exhaustion attacks, these target the state-table capacity of the application server or of intermediate resources such as load balancers and firewalls. For example, a SYN flood exploits the TCP handshake: the attacker sends many TCP SYN ("initial connection request") packets with forged source IP addresses to the victim. The victim responds to every connection request and waits for the next step of the handshake, which never comes, exhausting its resources in the process.
  3. Volumetric Attacks: The attacker saturates the server's available bandwidth by generating huge volumes of traffic. For example, in a DNS amplification attack, requests are sent to a DNS server with a spoofed source IP address (the victim's), so the server's responses, which are larger than the requests, are delivered to the victim.
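As an added, defender-side illustration of the protocol and volumetric attacks just described (not code from the original article), the script below scans constructed packet summaries for the half-open connections a SYN flood leaves behind and for large DNS replies that arrive without a matching outbound query, which is the footprint of DNS amplification at the victim. The record layout, the sample addresses and the alert thresholds are all assumptions.

```python
"""Flag SYN-flood and DNS-amplification footprints in packet summaries (added example)."""
from collections import defaultdict

# Constructed records: (src, dst, proto, sport, dport, tcp_flags, length_bytes)
VICTIM = "198.51.100.5"
SAMPLE = [
    ("203.0.113.10", VICTIM, "tcp", 40001, 443, "S", 60),   # normal handshake
    (VICTIM, "203.0.113.10", "tcp", 443, 40001, "SA", 60),
    ("203.0.113.10", VICTIM, "tcp", 40001, 443, "A", 52),
    (VICTIM, "192.0.2.53", "udp", 50000, 53, "", 70),       # normal DNS query
    ("192.0.2.53", VICTIM, "udp", 53, 50000, "", 120),      # and its reply
]
# 20 SYNs from distinct sources that are answered with SYN-ACK but never ACKed
SAMPLE += [(f"203.0.113.{i}", VICTIM, "tcp", 3000 + i, 443, "S", 60) for i in range(20, 40)]
SAMPLE += [(VICTIM, f"203.0.113.{i}", "tcp", 443, 3000 + i, "SA", 60) for i in range(20, 40)]
# 10 large DNS replies (3000 bytes each) for queries the victim never sent
SAMPLE += [(f"192.0.2.{i}", VICTIM, "udp", 53, 4000 + i, "", 3000) for i in range(10, 20)]

def half_open_connections(records):
    """Return {server: n} of TCP connections that got a SYN-ACK but no final ACK."""
    syn, synack, ack = set(), set(), set()
    for src, dst, _proto, sport, dport, flags, _ in records:   # UDP rows have flags ""
        if flags == "S":
            syn.add((src, sport, dst, dport))
        elif flags == "SA":            # key from the client's point of view
            synack.add((dst, dport, src, sport))
        elif flags == "A":
            ack.add((src, sport, dst, dport))
    counts = defaultdict(int)
    for _client, _cport, server, _sport in (syn & synack) - ack:
        counts[server] += 1
    return dict(counts)

def unsolicited_dns_responses(records, min_bytes=512):
    """Return {dst: (count, bytes)} of large UDP/53 replies with no matching query."""
    queries = {(src, sport, dst) for src, dst, proto, sport, dport, _, _ in records
               if proto == "udp" and dport == 53}
    hits = defaultdict(lambda: (0, 0))
    for src, dst, proto, sport, dport, _, length in records:
        if proto == "udp" and sport == 53 and length >= min_bytes \
                and (dst, dport, src) not in queries:
            hits[dst] = (hits[dst][0] + 1, hits[dst][1] + length)
    return dict(hits)

def alerts(records, half_open_limit=10, dns_limit=5):
    out = [f"possible SYN flood against {d}: {n} half-open connections"
           for d, n in half_open_connections(records).items() if n >= half_open_limit]
    out += [f"possible DNS amplification against {d}: {n} unsolicited replies, {b} bytes"
            for d, (n, b) in unsolicited_dns_responses(records).items() if n >= dns_limit]
    return out
```

On real traffic the same two counters would be computed per time window, since a single half-open connection or one stray large reply is normal; only the rate is suspicious.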

Conclusion

Enterprises and businesses are very concerned with the alarming rate of attacks. Once a server comes under a DDoS attack, the organization incurs significant financial and reputational losses, and customer trust is essential for businesses. The severity and volume of attacks are increasing every day, with hackers finding smarter ways to launch DDoS attacks. In such situations, organizations need a solid shield to preserve their IT assets; deploying a firewall at the enterprise network level is one such solution.

References

  1. Eric Osterweil, Angelos Stavrou, and Lixia Zhang. "20 Years of DDoS: a Call to Action". arXiv preprint arXiv:1904.02739 (2019).
  2. BBC News. 2020. DDoS-for-hire: Teenagers sold cyber attacks via the website. [online] Available at: https://www.bbc.co.uk/news/uk-england-surrey-52575801

About the author

Ali Imran Nagori

Ali Imran is a technical writer and Linux enthusiast who loves to write about Linux system administration and related technologies. You can connect with him on LinkedIn.