DDoS, RISE OF AN OLD THREAT
Numerous vendors are currently developing systems and solutions that address the challenges posed by Distributed Denial of Service (DDoS) attacks. DDoS is an old threat and one of the most persistent.
Attackers have continuously improved their techniques and capabilities. As technology evolves, new vulnerabilities emerge for them to exploit.
Protective measures may yield positive results or prove entirely futile. Their effectiveness depends on many factors, so it is crucial to assess the performance of the solution you have chosen.
For the best insight, it is essential to simulate attacks in order to test and assess the effectiveness of your countermeasures. LoDDoS is an automated attack simulation and testing platform designed to assist you in this endeavor.
The sophistication of such attacks is clearly on the rise, which prompts the development of more comprehensive protective measures. At this point, we should ask what exactly a DDoS attack is.
The information presented here provides an overview of the most prevalent definitions, categories, methods, and approaches associated with these attacks. Increased awareness through knowledge allows us to navigate the complexities involved more effectively.
The risk is tangible, and it is now more discernible to us.
So, let’s delve into the details.
WHAT IS A DDoS ATTACK
Distributed Denial of Service (DDoS) is an old cyber attack that dates back to the early days of the Internet.
Initially, it was carried out for amusement and was relatively easy to mitigate. It has since evolved into a highly sophisticated business activity; a ransomware attack and an Advanced Persistent DoS are two good examples of this sophistication. The consequences can be multiple and devastating, and it poses a serious threat.
This type of attack involves applying pressure on a service, server, or network resource from numerous remote sources. It aims to disrupt the service or overwhelm the targeted device, which can be a router, firewall, server, or load balancer. The attack renders the target unavailable to its intended legitimate users for some time or indefinitely.
With more than 40,000 attacks occurring worldwide every day, DDoS has become quite common. The best approach to this threat is to be ready and stay prepared. To prevent the harmful impacts of these attacks and mitigate them effectively, it is essential to periodically test the organization’s level of resiliency and readiness.
HOW DOES IT WORK
A threat actor exploits the normal behavior of a network protocol. It may also manipulate the normal workings of network devices or services to launch an attack.
Attackers make heavy use of numerous compromised computer systems, such as IoT devices, as the source of the traffic directed at the target. This network of compromised systems is called a botnet. A remote Command and Control center controls and manages each botnet.
The requests or packets sent from the botnet to the targeted IP address may appear legitimate, but they are not. Attackers craft them to be malicious while imitating legitimate traffic. They cannot be distinguished from normal traffic, and their aim is to take the target down.
THE MAIN CONSEQUENCES OF A DDoS ATTACK
There are some significant impacts of these attacks on organizations. The most prominent ones are as follows:
- Financial losses
- No production or trade
- Lack of productivity among employees
- Substantial costs for remediation and recovery
- Penalties or lawsuit expenses
- Reputational harm
- Damage to brand name due to unavailability
- Negative impact on market share due to business disruptions
- Diminished competitive advantages
- Failure to meet regulatory compliance requirements
- Inability to protect the network or assets from unauthorized access
- Service disruptions
- Data loss
- Painful consequences
- Theft or leakage of private information or sensitive data
- Attacks as part of a plan to disguise data leakage or theft of sensitive data
- Exploitation of vulnerabilities to gain unauthorized access to network resources
- Customer discontent
ATTACK TYPES
The techniques used for DDoS attacks can be grouped into four categories:
- Volumetric Attacks
This type of attack is designed to overwhelm a targeted site’s total bandwidth with a large volume of malicious traffic, effectively blocking legitimate inbound and outbound traffic. The severity of these attacks is measured in terms of bandwidth (BPS – bits per second).
The largest volumetric DDoS attack ever recorded was 4.4Tbps in 2021 (Nokia Deepfield Network Intelligence Report – DDoS In 2021). As of the end of 2023, the most commonly observed attack volume reaches up to 10Gbps.
Undoubtedly, the IoT (Internet of Things) botnets are weaponized to launch these types of DDoS attacks.
An IoT botnet is a group of internet-connected devices, typically home routers infected by malware, that are maliciously controlled and managed by an attacker or a group of attackers. Mirai, Mozi (now inactive), Moobot, Reaper, Miori, Kaiten, Agoent, Qbot, and Gafgyt are good examples of IoT botnets.
Moreover, the number of IoT devices worldwide is estimated at around 15 billion as of 2024. A single botnet can use tens of thousands of IoT devices together to launch a DDoS attack on a target.
- Protocol Attacks
This type of DDoS attack is designed to overwhelm the processing power of networked resources. These can be servers, routers, firewalls, load balancers, or any other network hosts. The goal is to leave no resources available to process legitimate packets.
Attackers exploit vulnerabilities in network protocols at the Network Layer (Layer 3) or Transport Layer (Layer 4) of the OSI model. Their ultimate goal is to disrupt the normal establishment or termination of TCP connections.
The severity of these attacks is measured in terms of speed (PPS – packets per second).
As of the end of 2023, the most commonly observed attack speeds range between 10,000 packets per second (10 kpps) and 1 million packets per second (1 Mpps).
To gain a better understanding of protocol attacks, let’s first briefly review the details of TCP connections.
The TCP header contains 6 distinct 1-bit flags; each is set to either 0 or 1 to control the establishment, maintenance, and termination of a TCP connection. When a flag is set to 1:
- The SYN flag initiates a connection,
- The FIN flag terminates a connection,
- The RST flag resets a connection,
- The ACK flag acknowledges that the data is received,
- The PSH flag forces the receiving party (usually an application running on a server) to push the data to the initiating party (usually a client),
- The URG flag prioritizes the packet.
The TCP protocol uses a three-way handshake to establish a connection. First, the client sends a packet with the SYN flag set to 1 (turned on) as a request to the server. Next, the server responds with a packet that has the SYN and ACK flags on. Finally, the client sends a packet with the ACK flag set to the server to finalize the establishment of the TCP connection.
Similarly, a four-way handshake is used to terminate an established connection in the TCP protocol. This process can be initiated by either the client or the server. First, the initiating party (let’s say the client) sends a packet with the FIN flag set to 1 to the receiving party (say, the server). Then, the server responds with two packets: the first has the ACK flag set, and the second has the FIN flag set. Finally, the client sends a packet back to the server with the FIN flag to gracefully complete the termination of the established TCP connection.
- Application-Layer Attacks
These types of attacks are more sophisticated, as they aim to drain all the available disk space and system memory by opening connections to the application and issuing requests. They specifically target the Application Layer (Layer 7) of the OSI model.
Their magnitude is measured in requests per second (RPS). For instance, as of the end of 2023, the most frequently seen attack rate is between 10 and 20 rps.
Application layer (Layer 7) attacks focus on exploiting vulnerabilities specific to applications to carry out DDoS attacks.
These attacks can disrupt businesses that rely on online revenue generation. They typically involve low-volume, slow-speed traffic and often leverage bots to launch the attacks.
L7 attacks are increasingly associated with API-related interactions, with non-human API calls mimicking legitimate user behavior to evade detection.
The impacts of L7 DDoS attacks are severe, with an average duration of more than 50 hours.
- Multiple Vector Attacks
In addition, there is a fourth type of attack that we could call “Multiple Vector Attacks”.
DDoS attacks usually fall into one of the types mentioned above. When a combination of these three main attack types is orchestrated together, it is called a multi-vector attack. This type of attack is becoming more common every year and is the hardest to deal with. It is capable of bringing down even the best-shielded servers and the best-protected networks.
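The three categories above are distinguished by the metric in which they are sized (bps, pps, rps), and a multi-vector attack is simply several of those metrics spiking at once. The following is an added example, not code from the original page or from LoDDoS: a sliding-window meter that computes all three rates over a stream of packet records and names the vector(s) above caller-supplied thresholds. The `VectorMeter` class, the `run_scenario` helper and the sample traffic generators are constructed for this illustration; the toy thresholds in `run_scenario` are deliberately small so the constructed bursts trip them, and are not the Gbps/Mpps figures quoted in the text.

```python
from collections import deque

# Added example: sliding-window meter for the three metrics the text uses to
# size an attack (bits/s, packets/s, requests/s). Thresholds are supplied by
# the caller; nothing here is taken from a vendor product.
class VectorMeter:
    def __init__(self, window_s, bps_limit, pps_limit, rps_limit):
        self.window_s = window_s
        self.limits = {"volumetric": bps_limit,    # bits per second
                       "protocol": pps_limit,      # packets per second
                       "application": rps_limit}   # requests per second
        self.events = deque()  # (timestamp, byte_count, is_request)

    def observe(self, ts, nbytes, is_request=False):
        """Record one packet and drop everything older than the window."""
        self.events.append((ts, nbytes, is_request))
        while self.events and self.events[0][0] <= ts - self.window_s:
            self.events.popleft()

    def rates(self):
        w = self.window_s
        bits = 8 * sum(b for _, b, _ in self.events)
        reqs = sum(1 for _, _, r in self.events if r)
        return {"volumetric": bits / w,
                "protocol": len(self.events) / w,
                "application": reqs / w}

    def classify(self):
        """Name the vector(s) above threshold; more than one at once is multi-vector."""
        r = self.rates()
        active = sorted(v for v, lim in self.limits.items() if r[v] > lim)
        if not active:
            return "normal"
        if len(active) == 1:
            return active[0]
        return "multi-vector: " + "+".join(active)


def run_scenario(packets, window_s=1.0, bps_limit=10_000_000,
                 pps_limit=1_000, rps_limit=100):
    """packets: iterable of (ts, nbytes, is_request). Returns the final classification."""
    meter = VectorMeter(window_s, bps_limit, pps_limit, rps_limit)
    for ts, nbytes, is_request in packets:
        meter.observe(ts, nbytes, is_request)
    return meter.classify()


# Constructed sample traffic (timestamps in seconds).
def syn_burst():
    # 1,500 minimal 40-byte segments in half a second: high pps, low bps.
    return [(i / 3000, 40, False) for i in range(1500)]

def mixed_burst():
    # 1,200 full-size packets, one in six an HTTP request: all three metrics spike.
    return [(i / 2400, 1400, i % 6 == 0) for i in range(1200)]

def quiet_traffic():
    # 50 small requests spread over a second: nothing above threshold.
    return [(i / 50, 64, True) for i in range(50)]
```

Run `run_scenario(syn_burst())`, `run_scenario(mixed_burst())` and `run_scenario(quiet_traffic())` to see the three outcomes ("protocol", a multi-vector verdict, and "normal"). In a real deployment the thresholds would come from a baseline of the link's normal traffic rather than fixed constants.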
SOME OF THE COMMON DDoS ATTACKS
- SYN Flood
In this type of attack, the attacker initiates a large number of connection requests by sending SYN packets to the targeted server but deliberately never sends the final ACK packets after receiving the SYN/ACK replies. The connections therefore stay half-open, which consumes a large amount of server resources. Legitimate connection requests are refused because the server no longer has enough resources to respond.
- SYN/ACK Flood
The attacker sends many spoofed SYN/ACK packets to the targeted server. Since they are all out of order, the server spends its processing power searching for corresponding connections that do not belong to any session it initiated. Eventually, the server becomes overwhelmed and unresponsive to legitimate connection requests because it has no resources left to respond.
- ACK-FIN Flood
The attacker sends a very high number of ACK-FIN packets to the targeted server.
The server looks for the corresponding connections in order to carry out the termination requests gracefully. Unfortunately, none of the received packets is associated with any previously established session; they arrive out of order.
Because this lookup requires a significant amount of processing power, the server starts to get overwhelmed, and sooner or later it becomes unresponsive to legitimate connection requests.
- RST Flood
The attacker sends a very large number of packets with the RST flag set to the targeted server. The server cannot find the corresponding connections in its session list. This drains the server's processing power, and it eventually becomes unresponsive to legitimate connection requests.
- PSH-ACK Flood
When a client sends a packet to a server with the PSH (push) flag set to 1, the server immediately pushes out all the data in the buffer of its TCP stack to the client instead of leaving it buffered in the stack.
When an attacker sends a high volume of spoofed ACK or PSH-ACK packets with the PSH flag set to 1, the services running on the targeted server try to find the corresponding session in order to push the buffered data out to the client immediately. Those packets are out of state, so they do not belong to any session in the server's connection list.
None of those packets can be answered as required, yet they keep arriving, which consumes the available resources of the victim server. It eventually becomes unresponsive to legitimate requests.
- Christmas Tree (All Flag) Flood
According to RFC 793, any packet that does not have the SYN, ACK, or RST flag set to 1 is either discarded if the port is open or answered with an RST packet if the port is closed. This means that a packet carrying none of these three flags but the others, PSH, URG, and FIN, can be exploited. This combination of flags lights up the header like a Christmas tree, which is the origin of the attack's name.
Many operating systems send RST packets regardless of the port's status. When an attacker sends a very high volume of specially crafted TCP packets with the PSH, URG, and FIN flags set to 1 to a server, the targeted server starts to close all its ports and send RST packets back to the client. This is a resource-consuming task, so the server eventually becomes unresponsive to legitimate requests.
- Null Flag Flood
Normally, if the port is open, a TCP packet with no flags set (a null-flag packet) is discarded. If the port is closed, an RST packet is sent back, as in the All Flag Flood attack.
In this attack, the attacker sends many packets with no flags set to a targeted server. Operating systems behave differently here; most send RST packets back to the client without considering the port's status. This is a resource-consuming task, so the server eventually becomes unresponsive to legitimate requests.
- UDP Flood
These attacks aim at both bandwidth saturation and resource consumption. UDP is a connectionless protocol, meaning there is no handshake between client and server, so it is more difficult for security systems to identify a UDP flood.
When an attacker directs a high volume of spoofed UDP packets from a large number of IPs to a specific port on a targeted server's IP address, the application listening on that port (if any) starts to become overwhelmed and eventually unresponsive. If no application or service is listening on that port, the server sends ICMP packets back to the clients, which generates more unwanted traffic and extra load on the network.
- UDP Fragmentation Flood
This variant is difficult to detect since it is very well masked. It uses the maximum allowed packet size with the minimum number of packets to saturate the bandwidth of the channel. The packet fragments are fake and carry no real data.
When an attacker sends a high volume of such fragmented UDP packets to a targeted server, the server tries to reserve resources to reassemble them and eventually becomes unresponsive.
- ICMP Flood
The ICMP protocol works at the Internet Layer (Layer 3). Network devices use it to communicate, to identify connectivity issues, and for diagnostic purposes.
In this attack, an attacker sends a large number of ICMP Echo Request packets from a large set of source IP addresses (clients) to a targeted server. The server tries to send ICMP Echo Reply packets back to the clients, which eventually saturates the bandwidth.
- SSL Renegotiation Flood
Providing a secure connection to a client request requires a significant amount of processing power on the server side.
When an attacker sends many SSL connection requests from different sources to the targeted server and then keeps renegotiating those sessions, the server's resources are drained. This eventually makes the server unresponsive to legitimate requests.
- HTTP(S) GET Flood
In this attack, the attacker coordinates many HTTP(S) GET requests for large assets such as files, images, and videos from numerous simulated real users against a targeted web server or web application. This consumes server resources dramatically, so the server or the application becomes overwhelmed and eventually unresponsive to legitimate requests.
- HTTP(S) POST Flood
When a form is submitted to a web server, the data is handled and pushed to a database server to be committed to the database. Running the series of commands needed to complete this task is a resource-consuming process for the servers.
When an attacker simulates a considerable number of real users submitting data with large payloads by sending a large number of HTTP(S) POST requests to the targeted web server or web application, the server becomes overwhelmed and eventually unresponsive to legitimate requests.
- Slowloris
This is an Application Layer attack that occurs at a slow rate from one client to one server. It uses minimal bandwidth while tying up maximum resources on the server side. The attack is named after a primate that moves slowly.
An attacker opens many connections with partial HTTP requests to the targeted server and keeps each connection open as long as possible by sending further partial requests at certain intervals. This gradually diminishes the resources available on the server, which becomes unavailable for legitimate requests once the maximum number of concurrent connections is exceeded.
- DNS Flood
An attacker sends a massive number of DNS queries to the targeted DNS server. This overwhelms it and eventually makes it unresponsive to legitimate DNS requests.
- DNS Random Subdomain Flood
An attacker sends a massive number of malicious DNS queries for non-existent subdomains of a legitimate domain. Since the queried names are randomized and never repeated, the resolving server has no cached records for them, so every query is forwarded to the authoritative nameserver. This overloads it and eventually makes it unresponsive to legitimate DNS requests.
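The signature of a random-subdomain flood is visible in resolver logs: one client asks for many names under the same zone, almost none of them repeat, and nearly all return NXDOMAIN. The following is an added example, not code from the original page or from LoDDoS, that scores clients on exactly those three properties plus the character entropy of the leftmost label. The log format (`<epoch> <client> <qname> <rcode>`) and the sample lines are constructed for this illustration and do not correspond to any particular resolver's output; `parse_log`, `label_entropy` and `analyze_clients` are assumed names.

```python
import math
from collections import defaultdict

# Constructed sample in a simplified resolver-log format: "<epoch> <client> <qname> <rcode>".
# 10.0.0.8 is an ordinary client; 10.0.0.9 queries random labels under example.com.
SAMPLE_LOG = """\
1700000001 10.0.0.8 www.example.com. NOERROR
1700000002 10.0.0.8 mail.example.com. NOERROR
1700000002 10.0.0.8 www.example.com. NOERROR
1700000003 10.0.0.8 missing.example.com. NXDOMAIN
1700000003 10.0.0.9 hx8q2m0d.example.com. NXDOMAIN
1700000003 10.0.0.9 p0zk3v7r.example.com. NXDOMAIN
1700000004 10.0.0.9 a9sd2kql.example.com. NXDOMAIN
1700000004 10.0.0.9 qwe7r1tz.example.com. NXDOMAIN
1700000004 10.0.0.9 m3n8b5vc.example.com. NXDOMAIN
1700000005 10.0.0.9 zx1c4v6b.example.com. NXDOMAIN
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(), "rcode": rcode})
    return records


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; random labels score near log2(len)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_clients(records, zone, min_queries=5, nx_ratio=0.8, unique_ratio=0.9):
    """Per-client statistics for queries under `zone`. A client is flagged when it has sent
    at least min_queries, most of them answered NXDOMAIN, and almost none of them repeated
    (so nothing is absorbed by the cache and every query reaches the authoritative server)."""
    suffix = "." + zone.lower().rstrip(".") + "."
    per_client = defaultdict(list)
    for r in records:
        if r["qname"].endswith(suffix):
            per_client[r["client"]].append(r)
    stats = {}
    for client, recs in per_client.items():
        n = len(recs)
        nx = sum(1 for r in recs if r["rcode"] == "NXDOMAIN")
        unique = len({r["qname"] for r in recs})
        mean_entropy = sum(label_entropy(r["qname"].split(".")[0]) for r in recs) / n
        flagged = n >= min_queries and nx / n >= nx_ratio and unique / n >= unique_ratio
        stats[client] = {"queries": n, "nxdomain_ratio": nx / n, "unique_ratio": unique / n,
                         "mean_entropy": mean_entropy, "flagged": flagged}
    return stats
```

`analyze_clients(parse_log(SAMPLE_LOG), "example.com")` flags 10.0.0.9 (six queries, all NXDOMAIN, all unique, mean label entropy 3.0 bits) and leaves 10.0.0.8 alone. Entropy is reported rather than used as a hard threshold because legitimate names such as CDN hostnames can also look random; the NXDOMAIN and uniqueness ratios are the stronger signals, and in practice they would be computed over a rolling time window.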
- Ping of Death
ICMP is a connectionless Network Layer (Layer 3) protocol in the IP suite used to test a network connection. The maximum allowable size for an ICMP IPv4 ping packet is 65,535 bytes. Some TCP/IP systems are vulnerable to packets exceeding this size.
An attacker sends packets larger than the maximum size to a server. The packets are fragmented into smaller pieces below the size limit; when the targeted server reassembles the parts, the resulting packet exceeds the size limit, which causes a buffer overflow on the server.
The server starts to slow down or freeze and eventually becomes unresponsive to legitimate packets.
This type of attack works especially on older systems.
- RUDY
The attack is named after the tool that performs it. It is a popular low-and-slow attack, conducted unreasonably slowly, yet it is effective against almost any website that hosts a form to fill in.
When an attacker connects to a website, the tool looks for a form to fill out and sends an HTTP POST request to the targeted server. The header of this request tells the server that a long body will follow, which ensures the server keeps the connection open. RUDY then starts sending extremely small packets, say 1 byte every 10 seconds, and keeps doing so indefinitely while opening a number of other requests to the server in the same way. The attacker uses a botnet so that many computers participate in the attack, and each connection ties up its own resources. Even one of the most powerful and robust servers cannot withstand such overloading; it becomes overwhelmed and eventually unavailable for legitimate requests.
- SSL Connection Flood
SSL is a protocol for encrypting data in transit end-to-end between a client and a web server. The drawback is the CPU-intensive decryption needed to handle the data: the stronger the encryption, the more CPU power is used to decipher it.
An attacker continuously opens and closes many SSL connections to a targeted web server. The server becomes overloaded and unresponsive to legitimate connection requests.
- Cross-site Scripting (XSS)
Cross-site Scripting (XSS) is a dangerous web threat for both users and organizations. It compromises the interaction between a website and its users.
It is an attack that executes malicious scripts on a vulnerable but trusted website. The threats include, but are not limited to, stealing sensitive information, performing malicious actions on a visitor's behalf, misleading visitors by modifying web content and redirecting them to a phishing site, and injecting malicious links or advertisements.
An attacker injects JavaScript code into a website by exploiting vulnerabilities, and the malicious code is executed inside the browser of a user connected to that website.
- Mixed Layer 3/4 Attacks
This technique combines the power of multiple Network Layer (Layer 3) and Transport Layer (Layer 4) attacks to detect vulnerabilities on a targeted server.
- IPsec (IKE) Flood
Internet Protocol Security (IPsec) is a secure network protocol suite used to establish VPNs between devices. It uses the Internet Key Exchange (IKE) protocol to set up a secure connection at the Network Layer (Layer 3) by authenticating and encrypting packets sent over unsecured (public) networks.
IPsec flooding attacks were more common a few years ago, but since the launch of IKEv2 their spread has been narrowing.
An attacker establishes many VPN connections to the targeted VPN server with IKEv1 packets. The vulnerable VPN server reaches its limit for accepting new connections, so legitimate connection requests are declined.