If not redirected, please click here https://www.thesecuritybuddy.com/dos-ddos-prevention/how-to-protect-servers-from-dos-and-ddos-attacks/
DoS attacks are one of the most serious threats of today. We often hear about DoS attacks that temporarily or indefinitely suspend a service or an entire network. How are these DoS attacks perpetrated and how can we prevent them? In this article we would discuss about that.
DoS attacks are one of the most serious threats of today. We often hear about DoS attacks that temporarily or indefinitely suspend a service or an entire network. How are these DoS attacks perpetrated and how can we prevent them? In this article we would discuss about that.
What are a DoS and a DDoS Attack ?
A
DoS or
Denial of Service Attack is
an attack which
is perpetrated for
the purpose of making a target machine or network resource
unavailable for its intended users. This attack is
usually made
to
temporarily or
indefinitely suspend a service of a host connected to internet.
DDoS
Attack or
Distributed Denial of Service Attack
is
an
attack in which the attack comes from multiple sources having
different IP addresses. Basically,
a DDoS attack is a DoS attack in which the attack is perpetrated
using several source IP addresses. Using
IP address spoofing, the attackers normally hide their own IP
addresses, making it extremely hard to catch the attackers.
Effects of DoS Attacks
As
a result of
a DoS attack,
you may see:
-
Unusually slow network performance.
-
Unavailability of a particular website.
-
Dramatic increase of number of spam emails received.
-
Disconnection of internet connection.
The
effects can be sometimes long term or even for indefinite time.
Different Types of DoS Attacks
There
are different
types of DoS Attacks.
Let's understand what each type of DoS Attack does:
UDP Flood Attack
UDP Flood Attack is an attack which floods random ports of a remote host with a large number of UDP packets. This makes the host to repeatedly check the application which is listening to the port and to reply with ICMP Destination Unreachable packets when no application found. As a result, the host ends up exhausting considerable amount of its resources and leads to a DoS Attack.
Internet Control Message Protocol Flood or ICMP Flood
Smurf Attack is this type of attack. In these attacks, the attacker sends lots of ICMP broadcast packets forging the source address of the victim. As a result, all the computers in the network send overwhelming number of replies to the victim computer. As a result, the victim computer ends up consuming all its network banwidth in sending replies and its resources become unavailable for legitimate purposes
Ping Flood
In this attack, the attacker sends a large number of ICMP Echo Request or ping packets to the targeted victim's IP address, mostly by using the flood option of ping. As a result, the victim's machine starts responding to each ICMP packet by sending a ICMP Echo Reply packet and ends up exhausting all its network bandwidth, resulting in a DoS attack.
Ping of Death
A correctly formed ping packet is typically 56 bytes in size. But any IPv4 packet may be as large as 65,535 bytes. If the attacker sends a malformed very large ping packet to the victim's IP address, the IP packet will reach the targeted victim splitting into multiple fragments. When the victim's machine will reassemble the IP fragments, it will end up with IP packet larger than 65,535 bytes. As a result, the victim's computer cannot handle that properly and a buffer overflow will happen. It can result in a system crash and potentially allowing the injection of malicious code. This type of attacks are called Ping of Death.
SYN Flood
In a SYN Flood, the attacker sends an enormous number of connection request to the victim server, often forging his IP address. As a result, the victim server ends up spawning lots of half open connections, sending back a TCP/SYN-ACK packets and waiting for the response. But as the attacker has forged his IP address, the sent packets end up going to wrong IP addresses and the server never gets a reply. But, these half-open connections saturate the maximum number of open connections the server can have and the server can no more respond to legitimate requests, resulting in a DoS attack.
Other Application Level Flood
In this sort of attacks, the attacker floods the victim machine with legitimate looking requests like database lookup, search requests etc. It exploits few conditions like buffer overflow, and fills up the diskspace of the victim machine or consume all its memory and CPU cycles. As a result, the victim machine ends up exhausting all its computational resources and results in a DoS Attack.
Banana Attack
In this attack, the attacker redirects outgoing messages from the victim machine back to the machine itself. As a result, the machine ends up exhausting its own network bandwidth and becomes inaccessible to outside network access, resulting in a DoS attack.
Slowloris
In this attack, the attacker's computer opens many connections to the victim machine's webserver and try to keep them open as long as possible. It mainly opens connections to the victim web server and sends partial request. Periodically, it sends subsequent HTTP headers, but never completes those requests. As a result, the victim webserver keeps maximum possible connections open and becomes inaccessible for legitimate connection requests.
NTP Amplificaion Attack
NTP or Network Time Protocol is a protocol used by machines connected to the internet to set their clocks accurately. These NTP Servers are publicly accessible and can easily be found with tools like MetaSploit and NMAP. NTP Amplification Attack is an attack in which the attacker exploits these publicly available NTP Servers and sends lots of UDP packets to the victim machine. As a result, the victim machine ends up sending long replies which exhausts its resources.
HTTP Flood
HTTP Flood Attack is an attack in which the attacker sends lots of legitimate looking malicious HTTP GET or HTTP POST requests to a webserver. These requests consume significant amount of server's respurces. As a result, the webserver ends up exhausting its resources and results in a DoS attack.
Zero-day DoS Attack
In this type of attacks, the attacker exploits vulnerabilities of a software for which no patch is yet released and performs the DoS attacks. This is quite a popular attack for attackers.
DNS Amplification Attack
In this attack, the attacker sends lots of DNS query to a DNS server, but forges the IP address of the victim machine as source IP address of all the query packets. As a result, the DNS server ends up sending all the responses to the victim machine. As DNS responses are much larger in size, the responses end up flooding the victim machine with responses and consuming its bandwidth.
CHARGEN Attack
CHARGEN is a character generation protocol that listens to port 19 of TCP or UDP and continues to stream random characters until the connection is closed. For UDP, it responds to a request with up to 512 byte response. In CHARGEN Attack, the attacker sends lots of request with spoofed IP addresses and floods the victim machine with UDP traffic at port 19, resulting in a DoS attack.
DrDoS Attack or Reflection DoS Attack
In this attack, an attacker spoofs his IP address, and sends lots of request messages to other hosts of the network. As the attacker uses the victim machine's IP address as the source IP address of the outgoing request messages, all the other hosts sends a response to the victim machine. At this point, if the attacker has much higher bandwidth than the victim machine, the victim machine gets lots of reponses which uses up all its network bandwidth. As a result, victim machine becomes no longer available for legitimate requests, resulting in a DoS attack.
SSDP Reflection Attack
SSDP or Simple Service Discovery Protocol is a protocol which enables network devices to smoothly connect with each other. It is part of the Universal Plug and Play or UPnP protocol standard and is used to connect devices such as computers, printers, internet gateways, Wi-Fi access points, mobile devices, cable modems, gaming consoles etc. In SSDP Reflection Attack, the attacker sends lots of falsified request messages and redirects the amplified responses to the victim machine. As a result, the victim machine gets flooded with the responses, resulting in a DoS attack. The concept of this attack is pretty new and it first appeared in July, 2014.
SNMP Attack
SNMP or Simple Network Management Protocol is a protocol which is used to manage devices with IP addresses, such as routers, servers, printers, IP video cameras, alarms etc. These devices transmits sensor readings and other variables over the network using this protocol. In SNMP Attack, the attacker sends falsified SNMP requests and redirects the responses to the victim machine, flooding it with responses and thus it results in a DoS attack.
SSL Flood
When a server provides a secure connection to a client, normally it involves a large amount of processing cycles from the server's side. This type of attacks exploits that scenario. The attacker requests lots of secure connection to the server, and the server loses its processing cycles to respond to the illegitimate connections, not being able to respond to the legitimate ones.
SSL Garbage Flood
In SSL Garbage Flood, the attacker sends lots of malformed SSL requests to the victim machine. As these SSL requests takes lots of computational resources of the SSL server, the victim machine ends up exhausing all its resources, resulting in a DoS attack.
TCP Null Attack
In this attack the attacker sends lots of IP packets to the victim machine with the IPv4 headers filled with NULL. The firewalls configured for TCP, UDP and ICMP packets may allow these packets. As a result, the enormous amout of these packets flood the victim machine, consuming its bandwidth.
LAND Attack
It is a Local Area Network Denial attack. In this attack, the attacker sends a TCP SYN packet to initiate a TCP connection with the victim machine. But the attacker uses the victim machine's IP address as both source and destination address. As a result, the victim machine ends up replying to itself continuously, consuming all its processing power and resulting in a DoS attack.
Teardrop Attacks
In this attack, the attacker sends a mangled IP packet, with oversized and overlapping payloads, to the victim. If the Operating System of the victim's machine cannot handle it properly, the machine will end up crashing, resulting in a DoS attack.
Peer-to-Peer Attacks
In this attack, the attacker gets control over the clients of a peer-to-peer file sharing hub. He instructs the clients to disconnect from their peer-to-peer network and connect to the victim's machine instead. This results in hundreds of thousands of connection request to the victim machine. As a result, the victim machine ends up exhausting all its computational resources, resulting in a DoS attack.
Slow Read Attack
A Slow Read Attack sends a legitimate application layer request to the victim machine, but it reads the responses from the machine very slowly. The attacker advertises a very small number for the TCP Receive Window size and empties the victim machine's receive buffer slowly.
Smurf Attack
In Smurf Attack, the attacker creates lots of ICMP packets with the intended victim's IP address as source IP address of those packets and broadcasts those packets in a computer network using an IP Broadcast address. As a result, computers in the network sends the responses to the victim machine. And, the victim machine gets flooded with the responses, resulting in a DoS attack.
Fraggle Attack
This type of attack is similar to Smurf Attack, but instead of ICMP traffic, the attacker sends large number of forged UDP traffic to the victim machine.
Prevention of DoS Attacks
There
are a number of ways to prevent DoS attacks. It can be defended in
Application Layer, Transport Layer, Network Layer or by profiling
allowed traffic and filtering the traffic as per that.
Profiling Application Layer Traffic
DoS Attacks can be defended in Application Layer by profiling incoming traffic to distinguish between humans, human bots or hijacked web browsers and filtering traffic based on that. Several techniques can be used to profile the incoming traffic. Various attributes like IP and ASN informartion, HTTP headers, cookie support variation, JavaScript footprint etc can be used to classify client requests and filter out bots. Often fingerprinting is used to separate good bots from the bad bots. Some DoS defense solutions also maintain visitor state across sessions within an application to isolate real users from repeat offenders.
Using Progressive Challenges
A set of progressive challenges can be used to isolate a legitimate human user from a malicious bot. Transparent challenges like cookie support or JavaScript execution can be used for this purpose. CAPTCHA also can be used, so that a human can complete a CAPTCHA test and move ahead.
Behavioral Anomaly Detection
Anomaly detection rules can be used to analyze behavioral patterns of incoming traffic and detect non-human traffic or traffic from hijacked or malware infected computers, which are often used to carry out a DDoS attack.
Web Application Firewall
Application Layer firewalls can examine the payload of a packet and filter traffic based on that. They can allow or deny certain Application Layer requests coming from a user. Firewalls rules can also be created to block malicious traffic on allowed ports.
Deep Packet Inspection
Deep Packet Inspection or DPI can look into the data part of a network packet and filter traffic accordingly. DPI can monitor the payload of each packet and detect protocols, applications, inappropriate URLs and intrusion attempts. It also can produce much more detailed logs, which can help in dealing with security incidents. DPI can eliminate unwanted traffic before it can attack the entire network.
You can find more on how Deep Packet Inspection works here : Deep Packet Inspection
Using IDS/IPS
IDS/IPS can match the packet signature with existing attack signatures present in a database and filter traffic accordingly. If a database is adequately populated, they can detect and prevent network attacks with much less false positives.
High Capacity Network Bandwidth
High capacity network bandwidth helps in preventing Layer 3 and Layer 4 DDoS attacks up to a great extent. Layer 3 or Layer 4 DDoS attacks are usually possible if the network bandwidth of the attackers is more than that of the attacked network. Hence, increasing the capacity of the network bandwidth does help.
This
article was intended to give a brief overview of DoS attacks and its
prevention. Hope it helped.
Read More
What is Deep Packet Inspection ?
What is Next Generation Firewall ?
What is a Honeypot ?
What is an Intrusion Detection System and how does it work ?
What are Ping Flood and Ping of Death ?
What is Smurf Attack ?
What are Fast Flux Networks ?
What is IoT Botnet and how is it used to make DDoS attacks ?
How does Web Application Firewall work ?
Read More
What is Deep Packet Inspection ?
What is Next Generation Firewall ?
What is a Honeypot ?
What is an Intrusion Detection System and how does it work ?
What are Ping Flood and Ping of Death ?
What is Smurf Attack ?
What are Fast Flux Networks ?
What is IoT Botnet and how is it used to make DDoS attacks ?
How does Web Application Firewall work ?
No comments:
Post a Comment