DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK

Disclaimer: Copyright infringement not intended.

Context

• The number of cyber-attacks is on the rise – none more so than Distributed Denials of Service (DDOS) which target individuals, international corporations, and even whole nations.
• Recently, a series of service disruptions experienced by users of Microsoft Azure, OneDrive and Outlook were the result of a major Distributed Denial of Service(DDoS) attack.

What is a Distributed Denial of Service (DDoS)?

• To understand what a distributed denial of service (DDoS) is, we first need to know what a ‘Denial of Service’ (DoS) means.
• A denial of service is a deliberate cyber-attack that floods a computer system with so much data that it is slowed down, and in many cases, is forced offline.
• A typical DoS attack usually stems from one computer causing havoc to another network of computers.
• On the other hand, with a DDoS, the source of the cyber-attack is ‘distributed’ amongst hundreds and sometimes thousands of different computer sources.
• By using multiple computers, the perpetrators make it difficult to combat and find the source of the attack, causing widespread disruption to the system or website.

In a nutshell,

• A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
• DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
• From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.

DoS vs. DDoS

• A distributed denial-of-service attack is a subcategory of the more general denial-of-service (DoS) attack.
• In a DoS attack, the attacker uses a single internet connection to barrage a target with fake requests or to try and exploit a cybersecurity vulnerability.
• DDoS is larger in scale. It utilizes thousands (even millions) of connected devices to fulfill its goal. The sheer volume of the devices used makes DDoS much harder to fight.

 

Difference between DoS and DDoS

Some of the common differences between DoS and DDoS are mentioned below.

DoS	DDoS
DoS Stands for Denial of service attack.	DDoS Stands for Distributed Denial of service attack.
In Dos attack single system targets the victim system.	In DDoS multiple systems attack the victim’s system.
Victim’s PC is loaded from the packet of data sent from a single location.	Victim PC is loaded from the packet of data sent from Multiple locations.
Dos attack is slower as compared to DDoS.	A DDoS attack is faster than Dos Attack.
Can be blocked easily as only one system is used.	It is difficult to block this attack as multiple devices are sending packets and attacking from multiple locations.
In DOS Attack only a single device is used with DOS Attack tools.	In a DDoS attack, The volumeBots are used to attack at the same time.
DOS Attacks are Easy to trace.	DDOS Attacks are Difficult to trace.
Types of DOS Attacks are:  1. Buffer overflow attacks  2. Ping of Death or ICMP flood  3. Teardrop Attack  4. Flooding Attack	Types of DDOS Attacks are:  1. Volumetric Attacks  2. Fragmentation Attacks  3. Application Layer Attacks  4. Protocol Attack.

Botnets

• Botnetsare the primary way distributed denial-of-service attacks are carried out.
• The attacker will hack into computers or other devices and install a malicious piece of code, or malware called a bot.
• Together, the infected computers form a network called a botnet.
• The attacker then instructs the botnet to overwhelm the victim's servers and devices with more connection requests than they can handle.

Who is responsible for DDoS attacks?

• The motives behind a DDoS attack can be spurred on by political reasons, revenge, business interests, criminality or even activism – leading many to point the finger at governments, terrorist groups, disgruntled employees and sometimes, thrill-seeking lone hackers.
• The main targets of DDoS attacks are usually financial institutions like banks and credit card companies but there have been other high-profile victims of these types of attacks including Microsoft, MI5 and the BBC.
• Sometimes by targeting one company, multiple networks or websites can be brought to a standstill as was the case of Dyn– who manage web traffic for the likes of Twitter, Netflix and Reddit – who have billions of users.

How does a DDoS attack work?

• DDoS attacks are carried out with networks of Internet-connected machines.
• These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots(or zombies), and a group of bots is called a botnet.
• Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions to each bot.
• When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-serviceto normal traffic.
• Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.

DDoS Attack Prevention

• Even if it known that is a DDoS attack, it is extremely difficult to avoid attacks because detection is a challenge.
• This is because the symptoms of the attack may not vary much from typical service issues, such as slow-loading web pages, and the level of sophistication and complexity of DDoS techniques continues to grow.
• Further, many companies welcome a spike in internet traffic, especially if the company recently launched new products or services or announced market-moving news.
• As such, prevention is not always possible, so it is best for an organization to plan a response for when these attacks occur.

DDoS Mitigation

• Once a suspected attack is underway, an organization has several options to mitigate its effects.

Risk Assessment

• Organizations should regularly conduct risk assessments and audits on their devices, servers, and network.
• While it is impossible to completely avoid a DDoS, a thorough awareness of both the strengths and vulnerabilities of the organization's hardware and software assets goes a long way.
• Knowing the most vulnerable segments of an organization's network is key to understanding which strategy to implement to lessen the damage and disruption that a DDoS attack can impose.

Traffic Differentiation

• If an organization believes it has just been victimized by a DDoS, one of the first things to do is determine the quality or source of the abnormal traffic.
• Of course, an organization cannot shut off traffic altogether, as this would be throwing out the good with the bad.
• As a mitigation strategy, use an Anycast network to scatter the attack traffic across a network of distributed servers. This is performed so that the traffic is absorbed by the network and becomes more manageable.

Black Hole Routing

• Another form of defense is black hole routing, in which a network administrator—or an organization's internet service provider—creates a black hole route and pushes traffic into that black hole.
• With this strategy, all traffic, both good and bad, is routed to a null route and essentially dropped from the network.
• This can be rather extreme, as legitimate traffic is also stopped and can lead to business loss.

Rate Limiting

• Another way to mitigate DDoS attacks is to limit the number of requests a server can accept within a specific time frame.
• This alone is generally not sufficient to fight a more sophisticated attack but might serve as a component of a multipronged approach.

Firewalls

• To lessen the impact of an application-layer or Layer 7 attack, some organizations opt for a Web Application Firewall (WAF).
• A WAF is an appliance that sits between the internet and a company's servers and acts as a reverse proxy.
• As with all firewalls, an organization can create a set of rules that filter requests.
• They can start with one set of rules and then modify them based on what they observe as patterns of suspicious activity carried out by the DDoS.

DDoS Protection Solution

• A fully robust DDoS protection solution includes elements that help an organization in both defense and monitoring.
• As the sophistication and complexity level of attacks continue to evolve, companies need a solution that can assist them with both known and zero-day attacks.
• A DDoS protection solution should employ a range of tools that can defend against every type of DDoS attack and monitor hundreds of thousands of parameters simultaneously.

PRACTICE QUESTION Q. Consider the following statements with respect to Distributed Denial-of-Service (DDoS) attacks: 1.A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. 2.In a distributed denial-of-service (DDoS) attack the attacker uses a single internet connection to barrage a target with fake requests or to try and exploit a cybersecurity vulnerability. 3.Blackhole routing is a form of DDoS Mitigation measure in which a network administrator—or an organization's internet service provider—creates a black hole route and pushes traffic into that black hole.  4.Botnets are the primary way distributed denial-of-service attacks are carried out. Which of the above statements is/are correct? (a) Only 1 and 3 (b) Only 2 and 4 (c) 1, 3, and 4 only (d) All of the above. Correct Answer: (c) 1, 3 and 4 only

https://www.computerweekly.com/news/366542252/Early-June-Microsoft-outages-were-result-of-large-scale-DDoS-hit