Distributed Denial of Service
by Felix Kinaro About 2 min reading time
Distributed denial of service results from multiple devices overwhelming servers and load balancers with voluminous traffic. This is achieved using botnets, abusing authentication protocols or misconfigured services. There are many types of DDos attacks.
Random ports on a target machine are flooded with UDP packets on multiple ports. This causes it to listen for applications on those ports and report with ICMP packets. UDP is a sessionless protocol with no flow control.
Multiple sources send repeaed spoofed SYN requests to a target server, which responds with an ACK packet to complete the TCP connection. Instead of closing the connection, it is allowed to time out. The hosts resources may be stretched when attempting to fulfil all requests, and the server will go offline.
An attacker creates forged packets which are sent out to as many connected devices as possible. The devices respond to a spoofed address which directs traffic to the target. The devices attempt to communicate with the target concurrently, which overwhelms the server with bogus traffic exhausting resources.
Degradation of Service Attacks
These are often confused with an increase in traffic. Tje attacker's aim is to slow down the page load speed to a crawl, making a site unusable by most people. Botnets are used to generate malicious traffic which slows the response to valid user requests.
Slowloris is a tool that attacks machines by opening connections to a target machine and sending partial requests. The connections are kept open for the maximum time possible, using up resources on the server while fewer resources are used on the attacker's device. HTTP headers are also sent at intervals, further contributing to the load.
In P2P attacks, a P2P server is hijacked to route traffic to a target. Clients using the server are redirected to the target site where their collective requests overwhelm the target. It is particularly ideal for attackers who do not wish to write target-specific malware aimed at specific OS or device.
The attacker sends small requests to a DNS server and asks the server to send a larger reply to the target. If for instance a botnet is used to send out the requests, the target can receive traffic that is up to &0 times of the original request
Application specific attacks.
These target specific applications and content management systems such as WordPress or Joomla. The attack can be successful even with a few attacking machines as they are hard to detect.
This is a complex attack where multiple methods and tools are used to cause denial of service. This can be a combination of malware, botnets and misconfigured services exposed on the internet.
This is usually caused by a spike in traffic. For instance if running a WordPress site, it may go oofline if the number of requests causes it to exhaust memory.