What is a DDoS attack?
DDoS stands for Distributed Denial of Service. This attack has the same goal as a traditional Denial of Service (DoS) attack, which is to disrupt the availability of a computer system by overloading it with garbage messages. What distinguishes a Distributed Denial of Service attack is that the attacking power is spread across multiple attacking systems. For example, a threat actor (attacker) may direct thousands of different computers at a company's website or online ordering system in an effort to overload it. If this succeeds, the website stops working, hence "denial of service".
How do DDoS attacks work?
DDoS attacks rely on a network of internet-connected devices called a botnet. As the name suggests, a botnet is a large-scale network of systems which are centrally controlled by a malicious actor (attacker). In the most common scenarios, the systems have been covertly taken over and repurposed for botnet use by hackers, unbeknownst to their original owners. These owners can be anyone: corporate, government or privately owned systems where a user has accidentally allowed malware to execute and install botnet software that runs in the background. Most commonly, these are computers owned by members of the general public who have unknowingly clicked on a malicious advert, opened a malicious attachment or downloaded compromised pirated software, resulting in the system being backdoored by the attacker and taken over.
Although there are numerous DDoS attack methods, all of them fall under three general categories, as follows.
Volumetric attacks: This method involves the target's network bandwidth being maxed out and overwhelmed by a vast quantity of requests directed at a single destination (or a group of destinations). In many cases, techniques called reflection and amplification are used to significantly increase the power of a DDoS attack:
Reflection: This is where the attacking systems send requests to open servers on the internet, but falsely provide the target system's IP address (spoofing) as the reply address. This results in the contacted servers sending their responses to the target system. This technique multiplies the count of packets sent during a DDoS attack, especially if each system in the botnet contacts a large number of servers. For example, a botnet of 1000 systems each reflecting the responses of 40 servers will produce traffic comparable to that of 40,000 systems.
Amplification: This is a type of reflection attack where the response from the servers is disproportionately larger than the request made by the systems within the botnet. The packets sent to the servers are crafted so that, by the function requested, a much larger packet is reflected towards the target. An example of this is asking one of the open servers to provide a list of all its known services. This means that when an attacker sends only 1 byte of traffic in a request to the server, the server sends up to 40-100 bytes in response, directed at the victim of the attack because the reply address is spoofed.
An example of a common volumetric DDoS attack method is DNS amplification. In this attack, botnet systems send spoofed packets to many DNS resolvers with the reply address pointing at the intended target. The spoofed packets also contain parameters which significantly increase the size of the DNS response compared to the original request. The end result is significantly more traffic being sent from the exploited DNS servers than would be possible with the botnet systems alone, with these DNS response packets potentially being over 50 times bigger than each initial request.
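From the defender's side, the reflection and amplification pattern described above has a visible signature in flow data: a host receiving large DNS answers from many resolvers it never queried. The following is an added example (not from the original article) that scores constructed, simplified NetFlow-style records for exactly that; the field layout, addresses and thresholds are assumptions to be tuned against a real network's baseline.

```python
from collections import defaultdict

DNS_PORT = 53
MIN_REFLECTORS = 5    # assumed threshold: distinct resolvers answering one host
MIN_RATIO = 10.0      # assumed threshold: inbound answer bytes / outbound query bytes

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes).
# 198.51.100.5 is an ordinary client. 203.0.113.10 sent one small query but
# receives large answers from twenty resolvers: the spoofed reply address at work.
FLOWS = [
    ("198.51.100.5", 51000, "192.0.2.53", DNS_PORT, 60),
    ("192.0.2.53", DNS_PORT, "198.51.100.5", 51000, 120),
    ("203.0.113.10", 42000, "192.0.2.1", DNS_PORT, 60),
] + [("192.0.2.%d" % i, DNS_PORT, "203.0.113.10", 40000 + i, 3200)
     for i in range(1, 21)]


def dns_reflection_report(flows):
    """Per answered host: distinct resolvers, inbound answer bytes, outbound
    query bytes, and the ratio of the two (the observed amplification)."""
    stats = defaultdict(lambda: {"reflectors": set(), "in_bytes": 0, "out_bytes": 0})
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if src_port == DNS_PORT:       # a DNS answer arriving at dst_ip
            stats[dst_ip]["reflectors"].add(src_ip)
            stats[dst_ip]["in_bytes"] += nbytes
        if dst_port == DNS_PORT:       # a DNS query leaving src_ip
            stats[src_ip]["out_bytes"] += nbytes
    report = {}
    for host, s in stats.items():
        if not s["reflectors"]:
            continue                   # sent queries, received no answers
        ratio = s["in_bytes"] / s["out_bytes"] if s["out_bytes"] else float("inf")
        report[host] = {"reflectors": len(s["reflectors"]), "in_bytes": s["in_bytes"],
                        "out_bytes": s["out_bytes"], "ratio": ratio}
    return report


def suspected_victims(flows, min_reflectors=MIN_REFLECTORS, min_ratio=MIN_RATIO):
    """Hosts answered by many resolvers with far more bytes than they asked for."""
    return sorted(host for host, s in dns_reflection_report(flows).items()
                  if s["reflectors"] >= min_reflectors and s["ratio"] >= min_ratio)


if __name__ == "__main__":
    for host, s in dns_reflection_report(FLOWS).items():
        print(host, s)
    print("suspected reflection victims:", suspected_victims(FLOWS))
```

Legitimate busy clients also talk to several resolvers and receive answers larger than their queries, so the reflector count and byte ratio thresholds need a baseline from your own DNS traffic before this is used for alerting.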
Protocol attacks: This method involves exhausting network and infrastructure devices within the target's environment by flooding them with intentionally flawed or invalid network protocol packets. In this context, a network protocol packet contains the information needed to set up an exchange of data between computers (rather than containing the data itself); imagine it as a cult's secret handshake that confirms an interaction is about to happen, rather than the information exchanged within that interaction. An example of this would be flooding a router with protocol packets which, by design, require a response. The router replies to each of these packets and then waits for the next step of the exchange. The attacker-controlled system never sends that next step, only more initial protocol packets. This dramatically increases resource consumption on the router until it starts dropping legitimate traffic or crashes.
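The router scenario above, as an added example that is not part of the original article: a small Python model of a device's table of unanswered handshakes. It shows that the state an attacker can pin down grows with packet rate multiplied by how long an unanswered entry is kept, which is why shortening that hold time (or capping the table) is a first-line mitigation. All rates, the table capacity and the timeouts are constructed values.

```python
from collections import deque


def simulate_state_table(flood_pps, legit_pps, seconds, timeout, capacity):
    """Tick-by-tick model of a device's pending-reply table under a flood.

    Each second the attacker sends flood_pps handshake packets that never get
    their follow-up, so each entry sits in the table for `timeout` seconds.
    Legitimate handshakes (legit_pps per second) complete within the tick.
    The flood arrives first; once the table is full, legitimate entries are
    dropped. Returns (peak_occupancy, legitimate_dropped).
    """
    if timeout < 1:
        raise ValueError("timeout must be at least one tick")
    pending = deque()      # attacker entries admitted per tick, oldest first
    attack_alive = 0
    peak = dropped = 0
    for _ in range(seconds):
        if len(pending) == timeout:          # oldest tick's entries time out
            attack_alive -= pending.popleft()
        free = capacity - attack_alive
        admitted_attack = min(flood_pps, free)
        pending.append(admitted_attack)
        attack_alive += admitted_attack
        free -= admitted_attack
        admitted_legit = min(legit_pps, free)
        dropped += legit_pps - admitted_legit
        peak = max(peak, attack_alive + admitted_legit)
    return peak, dropped


if __name__ == "__main__":
    # Constructed scenario: 1000 bogus handshakes/s against a 20,000-entry
    # table while 50 legitimate clients/s try to get through, for two minutes.
    for timeout in (60, 5):
        peak, dropped = simulate_state_table(1000, 50, 120, timeout, 20000)
        print("timeout=%2ds  peak=%5d  legit dropped=%d" % (timeout, peak, dropped))
```

With a 60-second hold time the table saturates at its 20,000-entry capacity and legitimate clients are dropped for most of the run; with a 5-second hold time the same flood pins only about 5,000 entries and nothing legitimate is lost.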
Application attacks: Similar to volumetric attacks, application attacks overload targets with requests. However, these requests are directed at the applications running on the target systems (such as web server programs or databases) rather than at the network layer with packet data. One thing to note is that application attacks can also be carried out in a non-distributed manner, focusing on overloading the application with complicated or impossible requests rather than on sheer quantity of requests.
Who is behind DDoS attacks?
DDoS attacks are generally carried out by advanced criminal groups or state-sponsored attackers, as acquiring and maintaining a botnet can be difficult. Both exploit kits and the means of controlling the botnet need to be developed or purchased in order to have the capability to perform DDoS attacks.
These groups will DDoS targets for reasons including:
· To generate revenue, with recent examples being attacks on targets unless a ransom is paid
· To cause reputational damage
· Political motivations
· To act as a false flag for other malicious activity directed at the same target
A recent trend, however, has been botnets being offered as a service for hire, allowing individuals or groups to "rent" botnets and perform DDoS attacks. Attacks by these threat actors are carried out for any number of reasons, such as personal grievances, political protest, or simply to cause general disruption and inconvenience.
Can DDoS attacks be mitigated or stopped?
DDoS attacks can be difficult to mitigate, especially when executed by advanced criminal groups or state-sponsored attackers with strong motivations. The most effective control is to contract specialist companies that offer DDoS mitigation services. It is also strongly recommended to review your network infrastructure and harden systems to reduce the attack surface that could be exploited by DDoS attacks.
Written by Marcus Havell, IT Security Analyst at InPhySec