DDoS stands for “Distributed Denial of Service” attack which is aimed at a target, preventing the system from serving and preventing users from accessing the system. Each system has a volume of network traffic than it can handle. When these resources of the system are overloaded by attackers, system services slow down and even the services provided by the system collapse completely as a result of these attacks.
History of DDoS attacks
The first Dos attack was carried out by a high school student in 1974, and the first DDoS attack was carried out in 1999 using a vehicle called Trinoo against the University of Minnesota. Dos and DDoS attacks are not intended to infiltrate the system but disrupt the services provided. The target of the attack will cause material and moral damage during the period of service. They are also frequently used in international cyber wars.
Nowadays it has become very easy to do. These attacks can be carried out with simple tools that are easily accessible. With the help of these tools, not only a hacker but also a script-kiddie may generate DDoS attacks on the victim. There are also several websites that provide DDoS services for penetration testing and development companies. But these services may be used maliciously, which may result in a DDoS attack.
Typical targets of DDoS attacks
DDoS (Distributed Denial of Service) on the other hand, denotes that the attack is initiated from a number of different sources rather than a single source. DDoS attacks are more successful than Dos attacks. Since it is carried out from multiple sources to the target, it is difficult to identify the main source. To perform DDoS attacks, botnets consisting of remote-controlled devices called zombies are used.
These zombie computers are electronic devices possessed by hackers and are used for the purposes of attackers. The sources are infected with a Trojan that is used to target a single system, causing a DoS attack. A network of infected computers, controlled as a group without the owners’ knowledge is known as Botnet. An infected computer in a Botnet is called a Zombie Computer.
DDoS attacks may target several infrastructures. The attacks may target a bank, a governmental institution, a school, or a rival company. The following is the list of most common DDoS attack targets:
- Online banking systems
- Internet shopping sites
- Online casinos
- E-Government services
- Universities
- Rival organizations
- All businesses or organizations based on providing online services
How does a DDoS attack work?
The number of requests that network resources, such as Web servers, can simultaneously serve is limited. In addition to the server’s capacity limit, the channel that connects the server to the Internet has a limited bandwidth/capacity. Each time the number of requests exceeds the capacity limit of any component in the infrastructure, the service level will likely encounter one of the following issues:
- Responses to requests are much slower than usual.
- Some (or all) user requests can be completely ignored.
Generally, the attacker’s main purpose is to completely prevent the normal operation of the web resource, that is, to provide a full “denial of service”. An attacker can also charge money to stop the attack. In some cases, the DDoS attack may also be an attempt to damage a competitor’s reputation or damage its business.
Symptoms of a DoS/DDoS attack
Although it is hard to find the source of a DDoS attack, some of the symptoms let the relevant people and the systems understand there is an attack. New generation security devices are better to understand anomalies in the network traffic. You can also ensure that there is a DDoS attack if the following symptoms exist:
- System speed is slower than normal or becomes unusable
- Unusual system network traffic
- Excessive UDP, SYN and GET / POST requests
Main types of DoS/DDoS attacks
Generally speaking, DoS and DDoS attacks can be divided into three types:
Volume-based DDoS
Request packets are sent above the server’s bandwidth. Volume-based DDoS includes UDP floods, ICMP floods, and other spoofed-packed floods. Measured with Bits per second (Bps).
Protocol-based DDoS
Protocol-based DDoS attack is performed using the vulnerability of Layer 3 and Layer 4 of the OSI protocol. This type of attack consumes server resources. Measured in Packets per second (Pps).
Application Layer DDoS
Application layer DDoS attack is performed using the vulnerabilities of the services in the application layer, which is the 7th layer of the OSI protocol. Measured in Requests per second (Rps).
Common DoS/DDoS attack types
Now you know what is a DoS/DDoS attack and the three types of a DDoS attack. Here you can find the list of the common DoS/DDoS attack types below:
HTTP Flood
The attacker forces the system by continuously sending get or post requests to the target page. HTTP floods do not use malformed packets, spoofing or reflection techniques. This type of attack also requires less bandwidth than other attacks.
UDP Flood
UDP Flood attack is performed using the UDP protocol. An attacker sends a large number of UDP packets to the ports of a computer. The computer, which is the target of the attack, checks the use status of the port and responds with the ICMP packet if not used. A large number of ICMP packets are sent in response to a large number of UDP packets.
ICMP Flood
The ICMP protocol sends ICMP request packets to the target system and waits for a response from the other system. This forces the system to respond to a large number of requests. Similar to the UDP flood attack, an ICMP flood wastes the target resource with ping packets.
Ping of Death
The attacker sends multiple malformed or malicious pings to the target. The aim is to disrupt the target machine by sending a packer, larger than the maximum allowed size. Ping of death slows down the target system by sending the large ICMP request packet. The attack may result in freezing or a crash.
Syn Flood
The TCP protocol performs a triple handshake connection. This triple handshake indicates that the client wants to establish a connection by sending an SYN message to the server. The server accepts this message by sending an SYN-ACK message. The client then makes the connection to the ACK side. The SYN flood attack does not send the ACK message that the server is waiting for. Requests increase continuously and the system can no longer connect.
TearDrop
In the UDP protocol, packets are fragmented and sent to a system, which is divided into offsets and numbered. Reassemble according to offset values. These offset values should not overlap. If a conflict occurs, there are situations where the system cannot be processed. In the Teardrop attack, these offsets are performed by overlapping and sending.
Smurf
Ping request packets to the destination are sent to the network’s directed broadcast address, which sends ping request packets to all devices on the network. The return address of the ping request packets is changed to the IP address of the destination. All devices on the network also send ping packets to the target device. This ensures that both the attack and the identity of the attacker are hidden.
DNS Poisoning
DNS is the server that provides IP matches to access the person’s website. The attacker will harm the victim by damaging the malicious drinks he has prepared here by destroying the matching of the website to be accessed and directing him to another IP address.
DoS and DDoS attack prevention methods
As these attacks are now very simple, they are an important threat to organizations and systems. Although there is no definite method to prevent these attacks, especially DDoS attacks, precautions should be taken to alleviate the attacks and the network infrastructure of the system should be configured properly. It is more important to take pre-attack measures and detect them early before the attack is prevented.
- Use a firewall and antivirus software or hardware
- System updates should be made in a timely manner
- Network traffic must be monitored, and network devices should be configured for exceptional situations.
- For routers, methods such as rate-limiting, blocking false and corrupted packets, determining threshold values of SYN, ICMP and UDP packets can be applied
- Bandwidth should be higher than the institution needs
- For large organizations, the use of Content Distribution Network (CDN) data storage across multiple servers around the world can be applied.