Imagine a scenario where you are visiting some websites and one of them seems to be a little slow. You might blame their servers and think they need to improve their scalability, as they might be experiencing a lot of user traffic on their site. Most sites already take this issue into account beforehand. Chances are, the site is the victim of what is known as a DDoS attack, a Distributed Denial of Service attack. Refer – Denial of Service and Prevention
In a DDoS attack, the attacker tries to make a particular service unavailable by directing continuous and huge traffic at it from multiple end systems. Because of this enormous traffic, the network resources are used up serving the requests of those false end systems, so that a legitimate user is unable to access the resources for himself/herself.
Types of DDoS attacks –
DDoS attacks can be divided into three major categories:
- Application layer attacks –
These attacks target layer 7 of the OSI model, where web pages are generated in response to requests initiated by the end user. For a client, generating a request carries no heavy load, and it can easily generate multiple requests to the server. Responding to a request, on the other hand, places considerable load on the server, which has to build all the pages, compute any queries and load the results from the database according to the request.
Examples: HTTP Flood attack and attack on DNS Services.
- Protocol attacks –
They are also known as state-exhaustion attacks. These attacks focus on vulnerabilities in layer 3 and layer 4 of the protocol stack and consume the resources of devices like servers, firewalls and load balancers.
Examples: SYN Flood attack and Ping of Death.
- Volumetric attacks –
Volumetric attacks focus on consuming the network bandwidth and saturating it by amplification or botnet to hinder its availability to the users. They are easy to generate by directing massive amount of traffic to the target server.
Examples: NTP Amplification, DNS Amplification, UDP Flood attack and TCP Flood attack.
Common DDoS attacks –
- SYN Flood attack –
A SYN Flood attack works in a similar way to a mischievous child who keeps ringing the door bell (request) and running away. The old person inside comes out, opens the door and sees no one (no response). Ultimately, after many such occurrences, the old person is exhausted and does not answer even genuine visitors. A SYN flood exploits the TCP handshake by sending SYN messages with a spoofed IP address. The victim server keeps responding but never receives the final acknowledgement.
- HTTP flood attack –
In an HTTP Flood attack, many HTTP requests are generated simultaneously against a target server. This exhausts the network resources of that server, so it fails to serve actual users' requests. The variations of HTTP Flood attacks are HTTP GET attacks and HTTP POST attacks.
- DNS amplification –
Assume a scenario where you call Pizza Hut and ask them to call you back on a number and list all the combinations of pizzas they have, along with the toppings and desserts. You generated a large output with a very small input. The catch is that the number you gave them is not yours. Similarly, DNS Amplification works by sending queries to a DNS server from a spoofed IP address and structuring the request so that the DNS server responds with a large amount of data to the target victim.
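The three attacks above each leave a distinct footprint in traffic that a defender can count: SYNs that never complete a handshake, a few clients issuing far more HTTP requests than the rest, and DNS responses many times larger than the queries that triggered them. The following is an added example, not code from the article, that runs simple detectors for all three over a small constructed window of flow records; the thresholds, the Flow record layout and all addresses are assumptions chosen for the sample data.

```python
"""Heuristic detectors for SYN flood, HTTP flood and DNS amplification,
run over a constructed window of flow records (example code, not from the
article). Thresholds and addresses are assumptions chosen for the sample."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed packet or request, reduced to the fields the checks need."""
    proto: str        # "tcp", "http" or "dns"
    src: str          # source address as seen on the wire (may be spoofed)
    dst: str          # destination address
    flags: str = ""   # TCP only: "S" = SYN, "SA" = SYN+ACK, "A" = ACK
    kind: str = ""    # DNS only: "query" or "response"
    size: int = 0     # DNS only: payload bytes


def detect_syn_flood(flows, threshold):
    """Half-open connections per server: sources that sent a SYN and never
    sent the final ACK. Spoofed sources never answer the SYN+ACK, so they
    accumulate; a real client completes the handshake and is removed."""
    pending = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.flags == "S":
            pending[f.dst].add(f.src)
        elif f.flags == "A":
            pending[f.dst].discard(f.src)
    return {dst: len(s) for dst, s in pending.items() if len(s) >= threshold}


def detect_http_flood(flows, threshold):
    """Request count per client over the window; a flood shows up as a few
    sources far above everyone else."""
    per_src = Counter(f.src for f in flows if f.proto == "http")
    return {src: n for src, n in per_src.items() if n >= threshold}


def detect_dns_amplification(flows, threshold):
    """Response bytes sent to a client divided by query bytes received from
    it, as seen at the resolver. A spoofed victim address receives far more
    than it 'asked' for."""
    q_bytes, r_bytes = Counter(), Counter()
    for f in flows:
        if f.proto != "dns":
            continue
        if f.kind == "query":
            q_bytes[f.src] += f.size
        elif f.kind == "response":
            r_bytes[f.dst] += f.size
    return {c: round(r_bytes[c] / q_bytes[c], 1)
            for c in q_bytes if q_bytes[c] and r_bytes[c] / q_bytes[c] >= threshold}


def build_sample_flows():
    """Constructed sample window (not real traffic)."""
    flows = []
    # SYN flood: 120 spoofed sources each send one SYN to 10.0.0.5 and vanish.
    for i in range(120):
        flows.append(Flow("tcp", f"198.51.100.{i}", "10.0.0.5", flags="S"))
    # One legitimate client completes its handshake with the same server.
    flows.append(Flow("tcp", "192.0.2.10", "10.0.0.5", flags="S"))
    flows.append(Flow("tcp", "10.0.0.5", "192.0.2.10", flags="SA"))
    flows.append(Flow("tcp", "192.0.2.10", "10.0.0.5", flags="A"))
    # HTTP flood: one client sends 300 requests, a normal client sends 3.
    flows += [Flow("http", "203.0.113.7", "10.0.0.5")] * 300
    flows += [Flow("http", "192.0.2.10", "10.0.0.5")] * 3
    # DNS amplification at resolver 10.0.0.53: 20 small queries carrying the
    # spoofed victim address 192.0.2.10 produce 20 large responses to it.
    for _ in range(20):
        flows.append(Flow("dns", "192.0.2.10", "10.0.0.53", kind="query", size=60))
        flows.append(Flow("dns", "10.0.0.53", "192.0.2.10", kind="response", size=3000))
    # A normal lookup: one query, one modest response.
    flows.append(Flow("dns", "192.0.2.11", "10.0.0.53", kind="query", size=60))
    flows.append(Flow("dns", "10.0.0.53", "192.0.2.11", kind="response", size=120))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("half-open per server:", detect_syn_flood(SAMPLE_FLOWS, 100))
    print("HTTP requests per source:", detect_http_flood(SAMPLE_FLOWS, 200))
    print("DNS amplification ratio:", detect_dns_amplification(SAMPLE_FLOWS, 10))
```

On the sample window the server 10.0.0.5 shows 120 half-open connections (the legitimate client's handshake is not counted), 203.0.113.7 stands out with 300 HTTP requests, and the resolver is answering 192.0.2.10 with fifty times the bytes it received from that address. Real deployments would compute these counters over a sliding time window and tune the thresholds to the baseline of the service, but the shape of each signal is the same.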
DDoS mitigation –
Preventing a DDoS attack is harder than preventing a DoS attack because the traffic comes from multiple sources, and it becomes difficult to separate malicious hosts from non-malicious ones. Some of the mitigation techniques that can be used are:
- Blackhole routing –
In blackhole routing, the network traffic is directed to a 'black hole', where both malicious and non-malicious traffic is dropped. This countermeasure is useful when the server is under a DDoS attack and all of its traffic is diverted to keep the rest of the network up.
- Rate limiting –
Rate limiting involves controlling the rate of traffic sent or received by a network interface. It is effective in slowing down web scrapers as well as brute-force login attempts. But rate limiting alone is unlikely to prevent compound DDoS attacks.
- Blacklisting / whitelisting –
Blacklisting is the mechanism of blocking the IP addresses, URLs, domain names, etc. mentioned in the list and allowing traffic from all other sources. Whitelisting, on the other hand, allows only the IP addresses, URLs, domain names, etc. mentioned in the list and denies all other sources access to the resources of the network.
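Rate limiting and blacklisting/whitelisting are usually applied together at the edge, in a fixed order: trusted sources pass, listed sources are dropped, and everyone else is held to a per-source budget. The following is an added example, not code from the article, that implements that pipeline with a token-bucket limiter and runs it over a constructed request stream; the address ranges, the bucket size of 10 requests and the refill rate of 5 per second are assumptions chosen for the sample.

```python
"""Allow-list / deny-list filtering in front of a per-source token-bucket
rate limiter, run over a constructed request stream (example code, not
from the article). Address ranges, bucket size and refill rate are
assumptions chosen for the sample."""
import ipaddress
from collections import Counter, defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `rate`
    tokens per second; one token is spent per request. Timestamps are
    integer milliseconds so the refill arithmetic stays exact."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last_ms = 0

    def take(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class EdgeFilter:
    """Decision order: allow-list (trusted, never rate limited), then
    deny-list, then per-source rate limiting for everyone else."""

    def __init__(self, allow_nets, deny_nets, capacity, rate):
        self.allow = [ipaddress.ip_network(n) for n in allow_nets]
        self.deny = [ipaddress.ip_network(n) for n in deny_nets]
        self.capacity, self.rate = capacity, rate
        self.buckets = {}

    def decide(self, src, now_ms):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.allow):
            return "allow"
        if any(ip in net for net in self.deny):
            return "deny"
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.capacity, self.rate)
        return "allow" if self.buckets[src].take(now_ms) else "limit"


def apply_filter(filt, requests):
    """Run (timestamp_ms, source) records through the filter in time order
    and tally the decision taken for each source."""
    tally = defaultdict(Counter)
    for ts_ms, src in sorted(requests):
        tally[src][filt.decide(src, ts_ms)] += 1
    return {src: dict(counts) for src, counts in tally.items()}


def build_sample_requests():
    """Constructed request stream (not real traffic)."""
    reqs = []
    # Aggressive client: 20 requests in one second (one every 50 ms).
    reqs += [(i * 50, "198.51.100.9") for i in range(20)]
    # Well-behaved client: two requests in the same second.
    reqs += [(100, "198.51.100.20"), (600, "198.51.100.20")]
    # A monitoring host on the allow-list and a host on the deny-list.
    reqs += [(i * 300, "192.0.2.5") for i in range(3)]
    reqs += [(i * 300, "203.0.113.4") for i in range(3)]
    return reqs


def run_sample():
    filt = EdgeFilter(allow_nets=["192.0.2.0/24"], deny_nets=["203.0.113.0/24"],
                      capacity=10, rate=5)
    return apply_filter(filt, build_sample_requests())


if __name__ == "__main__":
    for src, counts in run_sample().items():
        print(src, counts)
```

With a burst of 10 and a refill of 5 per second, the aggressive client gets 14 of its 20 requests through and 6 are limited, the normal client is never touched, the allow-listed host bypasses the limiter entirely and the deny-listed host is dropped. The example also shows why the article's caveat about rate limiting holds: every new source address gets a fresh bucket, so an attack spread over many (or spoofed) sources stays under each per-source budget while still adding up to a flood.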