Question

Explain Denial-of-Service attacks thoroughly: DoS attacks, Flooding attacks, DDoS, Defense against DoS attacks, case studies, etc.

Answer #1

Answer:

DoS attack:

A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses. The network or server will not be able to find the return address of the attacker when sending the authentication approval, causing the server to wait before closing the connection. When the server closes the connection, the attacker sends more authentication messages with invalid return addresses. Hence, the process of authentication and server wait will begin again, keeping the network or server busy.

A DoS attack can be done in several ways. The basic types of DoS attack include:

  1. Flooding the network to prevent legitimate network traffic

  2. Disrupting the connections between two machines, thus preventing access to a service

  3. Preventing a particular individual from accessing a service.

  4. Disrupting a service to a specific system or individual

  5. Disrupting the state of information, such as resetting of TCP sessions

Another variant of the DoS is the smurf attack. This involves emails with automatic responses. If someone emails hundreds of email messages with a fake return email address to hundreds of people in an organization with an autoresponder on in their email, the initial sent messages can become thousands sent to the fake email address. If that fake email address actually belongs to someone, this can overwhelm that person's account.

DoS attacks can cause the following problems:

  1. Ineffective services

  2. Inaccessible services

  3. Interruption of network traffic

  4. Connection interference

Flooding attacks:

Flooding is a Denial of Service (DoS) attack that is designed to bring a network or service down by flooding it with large amounts of traffic. Flood attacks occur when a network or service becomes so weighed down with packets initiating incomplete connection requests that it can no longer process genuine connection requests. By flooding a server or host with connections that cannot be completed, the flood attack eventually fills the host's memory buffer. Once this buffer is full no further connections can be made, and the result is a Denial of Service.

DDoS:

A distributed denial-of-service (DDoS) is a type of computer attack that uses a number of hosts to overwhelm a server, causing a website to experience a complete system crash. This type of denial-of-service attack is perpetrated by hackers to target large-scale, far-reaching and popular websites in an effort to disable them, either temporarily or permanently. This is often done by bombarding the targeted server with information requests, which disables the main system and prevents it from operating. This leaves the site's users unable to access the targeted website.

DDoS differs from a denial-of-service (DoS) attack in that it uses several hosts to bombard a server, whereas in a DoS attack, a single host is used.

In a standard DDoS attack, an attacker starts the process by taking advantage of a vulnerability in a computer system. The hacker makes this compromised computer the DDoS master. Using this master system, the hacker detects, communicates and infects other systems and makes them a part of the compromised systems. A compromised computer system within the control of a hacker is called a zombie or bot, while a set of compromised computers is called a zombie army or a botnet. The hacker loads several cracking tools on the compromised systems (sometimes thousands of systems). Using a single command, the attacker instructs these zombie machines to trigger several flood attacks toward a particular target. This packet flooding process causes a denial of service.

In a DDoS attack, the victim is not only the final target; all the compromised systems are victims of this kind of attack.

WordPress.com, an open-source electronic publisher accessed by millions of electronic publishers and even more electronic authors for content publishing standards, experienced a major DDoS in March 2011. The attack is believed to have been a politically motivated attack against one of the blogs that appears on WordPress. The site was reportedly down for up to three hours, although users report that it had been extremely slow in the days leading up to the crash. The size of the crash pointed to the use of botnets to perpetrate it.

Defense against DoS attacks:

Defending against a concentrated and sustained DDoS attack can be akin to defending against a 4 on 1 “fast break” in a full court game of basketball – there are too many attackers and not enough of you. Your defenses are completely overwhelmed, and the attackers are headed to the basket for an easy score.

Though it’s not always possible to defend against a large, organized DDoS attack without some impact to the targeted network, there are strategies that can help mitigate the effects of even the most vicious DDoS attacks:

  1. Recognize the signs of a DDoS attack: the first and best defense against a DDoS attack is the ability to recognize it early. Unfortunately, not all DDoS attacks are easy to distinguish from normal spikes in network or web traffic, or a sudden slowdown in network performance. Invest in the right technology, expertise and training to help you tell the difference, or use an anti-DDoS service as discussed below.

  2. Incident response planning: Be ready with a great incident response program and include in it a DDoS mitigation plan.

  3. Contact your ISP provider: If your company is feeling the effects of a DDoS attack, it is likely affecting your ISP provider, as well. Call your ISP provider to see if they can detect DDoS attacks and re-route your traffic in the event of an attack rather than have you call for support. When choosing an ISP, inquire whether any DDoS protective services are available, and consider whether you might want to engage a backup ISP in the event of an attack to keep your business running.

  4. Have your threat intel handy: Half the battle in today’s environment is knowing what to look for. What are the potential indicators of compromise that an attack is underway? What threat vectors are most popular? And how are your peers responding to those attacks? Join your local ISAC, use the threat intel service provider or network with your peers to understand the source of threats and attacks.

  5. Other Mitigation Defenses and Tools: There are two tools that companies should consider in addition to standard signature-based firewalls and routers (to reject known bad traffic) when thinking about mitigation strategies: (1) Load balancers to balance traffic across multiple servers within a defined network with the goal of creating additional network availability, and (2) a cloud-based anti-DDoS solution to filter or divert malicious DDoS traffic.


answered by: ANURANJAN SARSAM
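
The flooding description and defense item 1 in the answer above (telling a flood from a normal traffic spike), as an added example that is not part of the original answer: a small detector that buckets connection events into time windows and compares connection requests against completed connections. The event format `(timestamp, source, kind)`, the thresholds, and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict

def summarize(events, window=10):
    """Count connection requests (SYN) and completions (ACK) per time window."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0})
    for ts, _src, kind in events:
        bucket = buckets[ts // window * window]
        if kind == "SYN":
            bucket["syn"] += 1
        elif kind == "ACK":
            bucket["ack"] += 1
    return dict(buckets)

def classify(bucket, baseline_syn, spike_factor=5, min_completion=0.5):
    """Label one window as 'normal', 'legitimate-spike' or 'suspected-flood'."""
    # Below the spike threshold there is nothing unusual to explain.
    if bucket["syn"] < baseline_syn * spike_factor:
        return "normal"
    # A busy period completes most connections; a flood of incomplete
    # requests leaves them half-open, so the completion ratio collapses.
    completion = bucket["ack"] / bucket["syn"]
    return "legitimate-spike" if completion >= min_completion else "suspected-flood"

def detect(events, baseline_syn, window=10):
    """Return {window_start: label} for every window seen in the events."""
    return {start: classify(b, baseline_syn)
            for start, b in sorted(summarize(events, window).items())}

def sample_events():
    """Constructed traffic: a quiet window, a busy window, a flood window."""
    ev = []
    for i in range(4):    # t=0..3: four clients, all complete
        ev += [(i, f"198.51.100.{i}", "SYN"), (i, f"198.51.100.{i}", "ACK")]
    for i in range(30):   # t=10..19: thirty clients, all complete
        t = 10 + i % 10
        ev += [(t, f"203.0.113.{i}", "SYN"), (t, f"203.0.113.{i}", "ACK")]
    for i in range(40):   # t=20..29: forty requests, almost none complete
        ev.append((20 + i % 10, f"192.0.2.{i}", "SYN"))
    ev += [(21, "192.0.2.0", "ACK"), (22, "192.0.2.1", "ACK")]
    return ev

if __name__ == "__main__":
    for start, label in detect(sample_events(), baseline_syn=5).items():
        print(f"window starting t={start}: {label}")
```

The baseline and thresholds would be taken from the service's own traffic history; the values used here are placeholders.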