What is a DDoS attack? Types and how to react to them
A distributed denial of service (DDoS) attack aims to make a computer or an online service unavailable by congesting it with traffic from many sources at once. The goal is usually to make the targeted computer(s) stop serving their users, by drawing on the resources of many hosts to disrupt the target's normal flow of traffic. To understand the idea, picture vehicles being diverted from a busy route onto a road that is normally free. That road, originally designed for a certain number of vehicles, now has to carry more than its capacity. The result is a slowdown in the movement of vehicles and people, or a complete standstill on the affected route. This is exactly what happens in a DDoS attack: when a system is congested with traffic from many sources at the same time, it stops working.
Distributed denial of service attacks come in several types.
They are explained below:
Application Layer Attacks
These attacks are very common; in fact, they are the most common kind of DDoS attack. They target specific applications, particularly web applications. The attacker first looks for the places where the application is weak, then launches requests that exploit those weak points to keep the application from performing the service it was designed for. Over time, various methods of protecting systems against application-layer attacks have been developed; however, the longer the old tactics are kept in check, the more inventive attackers become. There are several kinds of application-layer attack:
Border Gateway Protocol (BGP) hijacking: this kind of attack diverts traffic meant for the target web application to the attacker. The attacker pretends to be another organisation by announcing the target organisation's IP prefix as their own, so that traffic intended for the organisation is routed wherever the attacker wants it to go.
Jumbo payload attacks: this kind of application-layer attack makes an application unusable by sending it content that is excessively large. A structure of data encoded in XML is sent to the server of the target web application; when the application tries to decode it, it consumes a great deal of memory and crashes from exhausting it.
User Datagram Protocol (UDP) attacks: these attacks are often random. The attacker uses UDP to flood random ports on the targeted host. When a host is flooded with UDP packets, it spends its available resources processing the datagrams and becomes unable to respond to normal users. As a result, when a normal user tries to reach one of those ports, they get a message that it cannot be reached.
Mimicked user attacks: this type of attack is as straightforward as the name sounds. The attacker uses botnets posing as normal users to access specific applications. Because so many bots are used, they generate a high volume of traffic that overwhelms the targeted website, and the application stops rendering service to genuine users.
Volumetric attacks
These attacks are as straightforward as the name suggests: they overwhelm a server, an application, or a network with sheer volume. Attackers send an enormous amount of data to the target to stop it from working. Most attackers regard volumetric attacks as the simplest kind of DDoS attack; in extreme cases they even disable the systems put in place to detect DDoS attacks. Essentially, volumetric attackers use large amounts of data to consume the bandwidth between a web application, its server, and the network (or the internet in general). There are several kinds of volumetric DDoS attack:
Internet Protocol security attacks: these attacks are specifically aimed at the IP security of the target network. They are directed at the network's resources with the primary objective of exhausting them.
Internet Protocol fragmentation attacks: in this kind of attack, large IP packets are broken into tiny fragments and sent across the target network. Once these fragments make it into the network, they are reassembled into a whole datagram. The resulting datagrams are frequently larger than the network can handle. The ultimate aim of the attack is to consume all the available memory of the target network.
Reflection attacks
In this kind of attack, the attacker needs to pose as the target IP address; this is done by imitating that address and by faking the characteristics of the target network, which is technically termed spoofing. Once the attacker has done this, messages requesting information are sent to servers using various protocols, in most cases the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP). The servers then try to answer the large number of requests that appear to come from the target address. In simpler terms, a flood of responses is reflected from the attacker's requests towards the target address because the attacker has imitated the target. In most cases reflection attacks are easy to spot; they are usually large enough to draw the attention of the network administrator, simply because of the volume of requests directed at a single port on the network. Reflection DDoS attacks require no special effort to launch, and in extreme cases they can be difficult to prevent.
Domain Name System (DNS) DDoS Attacks
Think of the Domain Name System as a kind of telephone directory for websites. It is a system for naming websites and identifying them by their IP address; in simpler terms, it is a registry that matches the names of websites with specific numbers. This directory of names is distributed and stored on DNS servers all over the world. Apart from identification, the Domain Name System is also a means of website security. The importance of DNS makes it a constant target of DDoS attacks; when an attack against it succeeds, both the identity and the security of the organisation concerned are undermined. There are several kinds of attack directed at the Domain Name System:
TCP SYN attack: this kind of DDoS attack exploits the method of establishing a client-server connection called the “three-way handshake”. The attacker abuses this method so that the server consumes so many resources that the network becomes non-functional. Normally, establishing a connection between a client and a server takes these three steps:
The client sends packets to request a connection with the server; this request is made using the SYN flag.
The server sends an acknowledgement back to the client (SYN-ACK).
The client sends another message to the server, this time an acknowledgement (ACK).
This method of establishing a connection is known as the “three-way handshake”. In a TCP SYN attack, the attacker sends connection requests to the target server over and over again, in many cases using a large number of fake IP addresses. The server tries to respond to the many messages that appear genuine and exhausts its resources in doing so. The effect is that the server sends “lost connection” messages to normal users.
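The defender's view of the handshake above is the count of connections that received a SYN but never the final ACK. The following script is an added example written for this page (it is not code from the original article or from Wallarm): it replays a constructed set of TCP packet records, counts half-open connections per client and against the listen backlog, and flags the pattern described above. The record layout, the addresses (documentation ranges), the thresholds and the backlog size are all assumptions made for the example.

```python
from collections import defaultdict

SERVER_IP = "192.0.2.10"   # the protected server (constructed documentation address)

# Constructed TCP packet records in the shape a flow sensor or capture tool might
# export: (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# Flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK. Not captured from any real network.
SAMPLE_PACKETS = [
    # two legitimate clients that complete the three-way handshake
    (0.00, "198.51.100.5", 51000, SERVER_IP, 443, "S"),
    (0.01, SERVER_IP, 443, "198.51.100.5", 51000, "SA"),
    (0.02, "198.51.100.5", 51000, SERVER_IP, 443, "A"),
    (0.10, "198.51.100.6", 52000, SERVER_IP, 443, "S"),
    (0.11, SERVER_IP, 443, "198.51.100.6", 52000, "SA"),
    (0.12, "198.51.100.6", 52000, SERVER_IP, 443, "A"),
    # a legitimate client whose handshake is simply still in progress
    (0.90, "198.51.100.7", 53000, SERVER_IP, 443, "S"),
]
# one source opening six connections and never sending the final ACK
SAMPLE_PACKETS += [(0.20 + i * 0.01, "203.0.113.9", 40000 + i, SERVER_IP, 443, "S")
                   for i in range(6)]
# four SYNs from four different (spoofed) sources, one each, also never completed
SAMPLE_PACKETS += [(0.50 + i * 0.01, f"203.0.113.{20 + i}", 41000, SERVER_IP, 443, "S")
                   for i in range(4)]


def half_open_connections(packets, server_ip):
    """Replay the packets and return {(client_ip, client_port): syn_timestamp} for
    every connection a client opened with a SYN but never completed with its ACK."""
    pending = {}
    for ts, src, sport, dst, dport, flags in packets:
        if dst != server_ip:
            continue                    # only the client-to-server direction matters here
        if flags == "S":
            pending[(src, sport)] = ts
        elif flags == "A":
            pending.pop((src, sport), None)   # handshake completed, no longer half-open
    return pending


def suspicious_sources(packets, server_ip, per_source_threshold=5):
    """Sources holding at least `per_source_threshold` half-open connections."""
    counts = defaultdict(int)
    for client_ip, _port in half_open_connections(packets, server_ip):
        counts[client_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= per_source_threshold}


def backlog_pressure(packets, server_ip, backlog_size=16):
    """Fraction of the listen backlog held by half-open connections. A spoofed flood
    spreads its SYNs over many fake sources, so this aggregate can alarm even when
    no single source crosses the per-source threshold."""
    return len(half_open_connections(packets, server_ip)) / backlog_size


if __name__ == "__main__":
    print("per-source offenders:", suspicious_sources(SAMPLE_PACKETS, SERVER_IP))
    print(f"backlog pressure: {backlog_pressure(SAMPLE_PACKETS, SERVER_IP):.0%}")
```

On the sample data only 203.0.113.9 crosses the per-source threshold, yet eleven of sixteen backlog slots are occupied, which is why the aggregate check matters. On Linux the usual mitigation is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer SYNs without reserving backlog state until the final ACK arrives.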
DNS amplification attacks: this kind of attack is exactly what the name suggests. Attackers make numerous DNS lookup requests (amplification) to render a network non-functional, and the amplification exhausts the network's bandwidth. The attackers craft their requests to be many times bigger than a normal DNS request, so the server is made to send responses bigger than it normally would. The basic principle of this kind of attack is to exploit the size of the responses: normally, DNS requests receive responses that are somewhat bigger than the requests themselves, so sending large lookup requests makes the server produce correspondingly large responses. It does not end there; attackers combine this with a reflection DDoS attack. They spoof the target's IP address and reflect the dangerously large responses towards it. Think of it as using a concave mirror to amplify and reflect a small ray of light onto pieces of paper, except that in a DNS amplification attack both the network's bandwidth and the target IP address may be affected.
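Both the reflection attacks described earlier and the DNS amplification attack above leave the same trace at the victim's edge: DNS responses arriving for a host that never sent a query, and answers far larger than the queries that could explain them. The script below is an added example for this page (not code from the article or from Wallarm) that evaluates both signals over a constructed set of UDP flow records. The flow-record layout, the addresses (documentation ranges) and the byte counts are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto bytes")

# Constructed UDP flow records as seen at the edge of the monitored network (not real
# traffic). 198.51.100.53 is a resolver the network legitimately uses; 203.0.113.*
# stand in for open resolvers being abused as reflectors against 192.0.2.77.
SAMPLE_FLOWS = [
    # a normal lookup: 60-byte query, 120-byte answer
    Flow("192.0.2.10", 40000, "198.51.100.53", 53, "UDP", 60),
    Flow("198.51.100.53", 53, "192.0.2.10", 40000, "UDP", 120),
    # DNS responses arriving at 192.0.2.77 although it sent no query to these resolvers
    Flow("203.0.113.1", 53, "192.0.2.77", 33000, "UDP", 3000),
    Flow("203.0.113.2", 53, "192.0.2.77", 33000, "UDP", 3000),
    Flow("203.0.113.3", 53, "192.0.2.77", 33000, "UDP", 3000),
    Flow("203.0.113.4", 53, "192.0.2.77", 33000, "UDP", 3000),
]


def _is_query(f):
    return f.proto == "UDP" and f.dport == 53


def _is_response(f):
    return f.proto == "UDP" and f.sport == 53


def unsolicited_dns_responses(flows):
    """Per destination host: (count, total_bytes) of DNS responses for which no
    outbound query from that host to that resolver was observed. Because the attacker
    spoofs the target's address, the target itself never sends the query, so
    unexplained responses are the signature of being a reflection target."""
    asked = {(f.src, f.dst) for f in flows if _is_query(f)}
    out = defaultdict(lambda: [0, 0])
    for f in flows:
        if _is_response(f) and (f.dst, f.src) not in asked:
            out[f.dst][0] += 1
            out[f.dst][1] += f.bytes
    return {host: tuple(v) for host, v in out.items()}


def amplification_factors(flows):
    """For each (client, resolver) pair with both query and response observed,
    response bytes divided by query bytes. Values far above the small ratio of an
    ordinary lookup point to queries chosen for their oversized answers."""
    query_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for f in flows:
        if _is_query(f):
            query_bytes[(f.src, f.dst)] += f.bytes
        elif _is_response(f):
            response_bytes[(f.dst, f.src)] += f.bytes
    return {pair: response_bytes[pair] / query_bytes[pair]
            for pair in query_bytes if pair in response_bytes}


if __name__ == "__main__":
    print("unsolicited responses:", unsolicited_dns_responses(SAMPLE_FLOWS))
    print("amplification factors:", amplification_factors(SAMPLE_FLOWS))
```

On the sample flows the legitimate lookup has a factor of 2.0, while 192.0.2.77 receives four responses totalling 12,000 bytes that no query explains. The corresponding mitigations sit with the networks that originate spoofed packets (BCP 38 ingress filtering) and with resolver operators (not running open recursive resolvers, and response rate limiting on authoritative servers); the victim can at best drop unsolicited port-53 traffic upstream.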
Slow-rate DDoS: these are slow attacks focused on the Hypertext Transfer Protocol (HTTP). Packets are introduced from outside at a slow and steady rate, and because of the low speed the attack is often indistinguishable from normal traffic. These attacks do not need elaborate or wide-ranging resources; in other words, they can be launched from a single computer. Tools attackers use include R.U.D.Y. and sockstress.
HTTP flood attacks: as with slow-rate attacks, these are almost impossible to tell apart from normal traffic; in fact, HTTP floods are often harder to detect than slow-rate DDoS. The attacker makes what look like legitimate requests from a group of computers linked together by malware, with the goal of making the application carry out many resource-intensive operations at the same time. These attacks are very difficult to detect and defend against because they appear legitimate on the surface.
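Since every request in an HTTP flood looks legitimate on its own, detection has to come from rates rather than from any single line. The script below is an added example written for this page (not code from the article or from Wallarm): it parses constructed Common Log Format access-log lines, finds each client's peak request count inside a sliding window, and also totals requests per path so that a distributed flood that keeps every bot under the per-client threshold still shows up as a pile-up on a few endpoints. The log lines, the addresses, the window length and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed web-server access log lines in Common Log Format (not a real log).
# Two ordinary visitors, then one client firing 30 requests in five seconds.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.5 - - [10/Oct/2023:13:55:41 +0000] "GET /about HTTP/1.1" 200 734',
    '198.51.100.6 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{40 + i // 6:02d} +0000] '
    f'"GET /search?q={i} HTTP/1.1" 200 2048'
    for i in range(30)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (ip, epoch_seconds, method, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("method"), m.group("path")


def max_requests_in_window(times, window_seconds):
    """Largest number of requests that fall inside any window of `window_seconds`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def flood_sources(lines, window_seconds=10, threshold=20):
    """Clients whose peak request count in any window reaches `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _method, _path = parsed
            per_ip[ip].append(ts)
    peaks = {ip: max_requests_in_window(ts, window_seconds) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def hot_paths(lines):
    """Request count per path with the query string stripped. A distributed flood keeps
    each source below the per-client threshold but still piles onto a few expensive
    endpoints, so this aggregate view complements the per-client one."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[3].split("?", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("flooding clients:", flood_sources(SAMPLE_LOG))
    print("requests per path:", hot_paths(SAMPLE_LOG))
```

The thresholds have to be tuned against a baseline of the site's own traffic; a search endpoint that normally sees a few requests per second from a client is very different from a static asset served to everyone.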
Ping flood attack: normally, Internet Control Message Protocol (ICMP) messages, also known as pings, are diagnostic. They are used to check the health of devices and how well they can be reached. DDoS attackers flood networks with pings, and the networks send responses to match the number of ping requests. As with all other volumetric attacks, the influx of pings makes the service inaccessible to normal users.
Size of DDoS Attacks
DDoS attacks vary in size. Most DDoS attacks on the internet are relatively small, but even a small attack is enough to disrupt the flow of traffic on any network today. How effective these attacks are depends on the defences of the networks, servers, or applications involved. The internet has seen some extremely large DDoS attacks; the biggest on record have ranged between 2.5 terabytes per second and 500 terabytes per second. Still, there has never been a fixed figure for how large DDoS attacks can be.
How to Prevent and React to DDoS Attacks
Let's stick with the road and traffic analogy, shall we? To successfully control an overcrowded route, you must be able to distinguish the genuine users from the ones pouring in from other routes. Preventing and reacting to DDoS attacks works the same way, though it is far more complex. The first and most difficult obstacle is to identify which traffic is illegitimate and which comes from real users. This is especially difficult in spoofing attacks, where attackers blend into the crowd as much as possible and appear as natural as normal traffic can get. So the first thing to be careful about is not to get rid of the normal users along with the suspected attackers.
Here is how to prevent these attacks, how to limit their effects, and how to bounce back in time to keep functioning.
Never be caught off guard: as with any other attack, anticipating DDoS and setting up a defence plan is very important. Now that you can identify the various forms of DDoS attack, you should prepare an immediate response plan for each type that is most relevant to your network, service, or application. For instance, there are various network defence systems available that you can make use of.
Continually test your defences using DDoS tools: another way to be ready for DDoS attackers is to regularly subject your own network to simulated DDoS attacks. These drills gauge the effectiveness of your security system and also rehearse the response, preparing your security team for a real emergency. There are quite a number of DDoS tools available for such tests; each works differently and each gives the user a different test interface. Here are 10 examples of free DDoS attack tools available today:
PyLoris
DDOSIM (DDoS Simulator)
Low Orbit Ion Cannon (LOIC)
High Orbit Ion Cannon (HOIC)
HTTP Unbearable Load King (HULK)
Open Web Application Security Project (OWASP) HTTP POST
Tor's Hammer
GoldenEye
R.U.D.Y. (R-U-Dead-Yet)
DAVOSET
Use a web application firewall: if your web application is under attack, you can use a web application firewall (WAF) to reduce the effect of malicious traffic to a minimum. In this case the firewall places a barrier between your application and suspected traffic from attackers. A WAF sorts traffic using a predetermined set of rules; once it has determined which traffic is a potential danger, it blocks it. This method is particularly effective against layer 7 (application-layer) DDoS attacks.
Use black hole routes: when there are too many cars on a route, you can direct some of them onto an empty route, or open an emergency (improvised) route to ease the flow on the original one. This is the underlying principle of black hole routing: a black hole is used as a kind of funnel to channel the excess traffic away from a server, network, or application. When you do this, best practice is to design the black hole around criteria that retain legitimate traffic; otherwise both the good flow and the bad are sucked into the funnel.
Limit the rate of requests on your server: this method can both mitigate and prevent DDoS attacks. When active as a network security policy, it limits the number of requests your server will accept, regardless of whether they come from a normal user or from an attacker. It can also be switched on in an emergency when you notice an attack on your server. Although it applies no filter, it is the most effective means of preventing and mitigating attacks.
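One common way to implement the rate limit described above is a token bucket per client address: each client may make a burst of requests, after which it is held to a steady rate, and everything beyond that is refused. The code below is an added example written for this page (not code from the article or from Wallarm). The rate and burst values and the constructed request stream are assumptions made for the example; the current time is passed in explicitly so the policy is deterministic, whereas a real deployment would read a monotonic clock.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens are added per second up to `burst`;
    each request spends one token and is refused when the bucket is empty."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.updated = now

    def allow(self, now):
        # refill for the time elapsed since the last decision, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per client address, created on first sight."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, client_ip, now):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def replay(limiter, requests):
    """Run (timestamp, client_ip) pairs through the limiter in time order and
    return {client_ip: (accepted, refused)}."""
    outcome = {}
    for ts, ip in sorted(requests):
        accepted, refused = outcome.get(ip, (0, 0))
        if limiter.allow(ip, ts):
            accepted += 1
        else:
            refused += 1
        outcome[ip] = (accepted, refused)
    return outcome


# Constructed request stream (documentation addresses, not real clients): a normal
# client making one request per second, and a flooding client sending 50 requests
# at once and another 50 two seconds later.
SAMPLE_REQUESTS = [(float(t), "198.51.100.5") for t in range(10)]
SAMPLE_REQUESTS += [(0.0, "203.0.113.9") for _ in range(50)]
SAMPLE_REQUESTS += [(2.0, "203.0.113.9") for _ in range(50)]


def demo(rate=5, burst=10):
    """Apply a limit of `rate` requests per second with a burst of `burst` to the
    sample stream; returns per-client (accepted, refused) counts."""
    return replay(PerClientLimiter(rate=rate, burst=burst), SAMPLE_REQUESTS)


if __name__ == "__main__":
    print(demo())
```

With a rate of 5 per second and a burst of 10, the normal client is never refused, while the flooding client gets 10 requests through in each burst and 80 refused. Keying the limit on the source address is the usual compromise the text alludes to when it says the method applies no filter: clients behind a shared NAT address are throttled together, and a botnet that spreads its requests over many addresses stays under each bucket's limit, which is why rate limiting complements rather than replaces the other measures listed here.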
Network diffusion: diffusion, as a concept in science, is the random movement of substances from a region of high concentration to a region of lower concentration until they are evenly distributed. In the case of DDoS attacks, extremely high traffic flows are redirected into several smaller channels in order to relieve congestion.
Conclusion
Denial of service attacks are among the most common attacks in today's cyber world. It is essential for a network administrator (or any individual) who wants to navigate the internet safely to know the basic types and how to defend against them. Apart from the defence techniques above, you can also hire cyber-security professionals to be on the safe side. Above all, the bottom line is to safeguard your internet experience from these attacks.
Originally published at https://www.wallarm.com.