A long time ago, I heard for the first time in my life about what had been one of the first denial of service attacks (DDoS). I was in a class on “networks” when the teacher talked about ping of death, something that caught my attention and stayed with me.

For those who do not know what I am talking about, ping of death is an attack that, at the beginning of the Internet and networks, could leave a network card completely out of service just by sending an ICMP packet larger than the size established in the TCP/IP stack.

When the first network cards were designed, nobody considered what would happen if a packet arrived that was larger than the limit defined by the TCP/IP stack. As would be verified later, the network cards did not know what to do, and went into a “shock” that left them out of the game.

Something so simple is the basis of any denial of service attack and a multitude of attacks against services, applications or infrastructure. Today, everything has changed a lot, but everything still has some similarity to “ping of death”.

In 2020, when communications and networks have spread almost infinitely, facilitating our work and personal activity, we find the counterpart to this technological evolution. More technology, more equipment with design flaws, and more protocols in use that have not been designed from a functional point of view mean that, as this technology grows, attacks, information theft and similar incidents grow with it.

 

DDoS

Distributed Denial of Service is a term that most of us in the IT world are familiar with. In recent years there have been very serious attacks on large infrastructures that have left millions of people without access to services that we use in our daily lives (Visa, YouTube, Amazon, banking entities …).


Basic service denial attack diagram

 

WHAT IS DDoS?

When we talk about DDoS we refer to any type of attack that aims to make a service, application or resource unavailable. In other words, these attacks do not seek to steal information or control devices remotely; their sole purpose is to deny the service (to a legitimate user).

DoS and DDoS are two very similar terms, the main difference being whether one device or several are used to carry out the denial of service. In the early days of the Internet, a single device was enough to create unavailability in critical infrastructures.

Over time, servers and applications have increased their resources both at the bandwidth and machine level, which makes it very difficult to deny a service using only a single device. DDoS attacks use multiple devices attacking a single target at the same time. These attacks have increased in recent years with the use of “botnets” (networks of thousands of devices controlled by cyber criminals) and today, it has become a very profitable activity.

 

TYPES OF DDoS ATTACKS

We will delve into the types of DDoS attacks and some techniques that are used to understand the scope and damage that these attacks have in any sector.

 

Volumetric Attacks

Volumetric attacks involve a large amount of traffic sent to the target or victim. The word volumetric does not necessarily imply saturating the bandwidth of a line, although it is common.

 


The victim considers these packets as valid and processes them, which ends up saturating bandwidth or server resources. These attacks are usually measured in bps. The best known are:

  • Amplification / Reflection. Hackers use a remote system to make requests with the spoofed IP of the victim, that is, they pose as the computer they want to saturate. There are many protocols that by design respond with a much larger amount of data than the initial request. Hackers use these systems to send a small request many times in a short period of time and the “amplifier” system responds with a large amount of information to the victim.
  • ICMP / UDP. Attackers take advantage of the “echo” listener to send large requests to the target. Since they are not connection oriented, ICMP and UDP can be used with false IP addresses: the purpose is not to receive the responses, but to saturate the target, which cannot process all the requests it receives. These attacks saturate the resources of the machines and drain the bandwidth.
  • SMURF. It is a variant first used in 1997 of an ICMP Flood attack. Smurf uses the victim’s address as the source IP and many requests are made to broadcast addresses. The victim begins to receive thousands of responses from all the hosts grouped by the broadcast address.

Reflection DDoS attack diagram
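
A detection sketch for the reflection pattern described above, added here as an example and not part of the original article: it flags a host that receives responses from many reflector-style UDP services without ever having sent them a request. The port list, thresholds and flow records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed watch list: well-known UDP ports of services often abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Constructed flow records (documentation address ranges):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # A client that really queried DNS and got an answer: solicited.
    ("203.0.113.10", 40000, "198.51.100.53", 53, "udp", 70),
    ("198.51.100.53", 53, "203.0.113.10", 40000, "udp", 180),
    # Several NTP servers "answering" a host that never asked: unsolicited.
    ("192.0.2.1", 123, "203.0.113.80", 5555, "udp", 46800),
    ("192.0.2.2", 123, "203.0.113.80", 6666, "udp", 46800),
    ("192.0.2.3", 123, "203.0.113.80", 7777, "udp", 46800),
    # Ordinary web traffic, ignored.
    ("203.0.113.80", 443, "192.0.2.200", 51000, "tcp", 9000),
]


def detect_reflection(flows, min_sources=3, min_bytes=100_000):
    """Return [(victim, service, n_sources, total_bytes)] for hosts flooded
    with unsolicited responses from reflector ports."""
    # Pass 1: remember who actually sent a query to which server and port.
    asked = set()
    for src, _, dst, dport, proto, _ in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            asked.add((src, dst, dport))

    # Pass 2: aggregate responses that match no recorded query.
    sources = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, _, proto, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, src, sport) in asked:
            continue  # answer to a real query from this host
        key = (dst, REFLECTOR_PORTS[sport])
        sources[key].add(src)
        volume[key] += nbytes

    return sorted(
        (victim, svc, len(srcs), volume[(victim, svc)])
        for (victim, svc), srcs in sources.items()
        if len(srcs) >= min_sources and volume[(victim, svc)] >= min_bytes
    )
```

On real flow exports the two passes would be limited to a sliding time window so that an old query does not excuse a later flood.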

 

Application/Protocol Attacks

Attacks on applications and protocols are very common and seek to exploit weaknesses in the design of applications in layers 4 to 7 of the OSI model. These attacks end up exhausting the physical resources of the target, filling connection / session tables or exhausting the attacked machines’ resources (CPU, memory …), and therefore cause a denial of the service or application.

There are many attacks against applications. On the Internet, the most common is to attack web servers, databases or applications that are providing a service to users. By sending malformed or incomplete packets at the application layer, attackers exhaust the server’s resources.

 

They are large-scale attacks in terms of traffic, but their main objective is not to degrade or saturate communication lines, but rather the servers that are running applications.

 

Let’s see some of the most common:

  • HTTP POST / GET. This type of attack exploits a weakness in HTTP design. A delayed HTTP header is used. The web server has to wait for the first part of the web header to arrive and leave the “delayed” header on hold. When it receives many packets of this type, the buffer and the web server’s memory end up saturated. With the POST method, something similar is done, but using packets with an incomplete “body”.
  • SLOWLORIS. In this attack the attacker tries to fill the web server’s connection table by opening partial connections and sending parts of those connections every so often. Web servers must keep these connections active and on standby, which ends up filling the connection table and occupying machine resources.
  • TCP FLOOD. The attacker sends a large number of TCP packets with the SYN flag. The server opens the connection and waits to receive the following packets to complete the “3-way handshake”, and thus begin the information exchange. The attacker never sends the ACK to continue the process, so the server has to keep this connection in its connection table for 75 seconds, which is the time that TCP has assigned as “timeout”. Attackers flood the server with such requests and fill its TCP connection table until it cannot process any more connections, since it has so many waiting.
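
A small capacity model of the connection-table exhaustion described under TCP FLOOD, added here as an example and not part of the original article. The table size of 256 entries and the rate of 10 uncompleted SYNs per second are assumed values; 75 seconds is the timeout quoted in the text.

```python
from collections import deque


def simulate_half_open(syn_rate, backlog, timeout, seconds):
    """Model a fixed-size half-open connection table in one-second steps.

    Each second, `syn_rate` SYNs arrive that are never completed, then one
    legitimate client tries to connect. Returns
    (peak_entries, legit_accepted, legit_refused).
    """
    expiry = deque()  # expiry time of each half-open entry, oldest first
    peak = accepted = refused = 0
    for now in range(seconds):
        # Entries whose timeout has elapsed free their slot.
        while expiry and expiry[0] <= now:
            expiry.popleft()
        # Uncompleted SYNs take one slot each until the table is full.
        for _ in range(syn_rate):
            if len(expiry) < backlog:
                expiry.append(now + timeout)
        peak = max(peak, len(expiry))
        # The legitimate handshake completes at once, so it only needs a
        # free slot momentarily and leaves no entry behind.
        if len(expiry) < backlog:
            accepted += 1
        else:
            refused += 1
    return peak, accepted, refused


# Same assumed load and table size, two timeouts: the 75 s from the text
# and a hypothetical 5 s setting for comparison.
LONG_TIMEOUT = simulate_half_open(syn_rate=10, backlog=256, timeout=75, seconds=120)
SHORT_TIMEOUT = simulate_half_open(syn_rate=10, backlog=256, timeout=5, seconds=120)
```

Steady-state occupancy is roughly the arrival rate multiplied by the timeout (750 entries against 50 here), so the same load fills the table at 75 seconds and stays well below its size at 5 seconds.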

 

Multi-Vector Attacks

Currently, the systems for performing DDoS attacks are very sophisticated. Attackers control large “botnets”. A “botnet” is an infected network of devices that usually have a “trojan” or “backdoor”. These computers are controlled from a Control Center (CC), and hackers can issue a command from the CC to thousands of computers that will execute the command at once.

Most DDoS attacks use a combination of several attacks. In our experience in this field working with operators, we have observed that targeted attacks are very sophisticated and difficult to mitigate. They generally start with basic attacks, and as flaws are mitigated and patched, attack patterns begin to change, using a combination of multiple attacks from multiple IP addresses simultaneously. This makes it very difficult to distinguish this illegitimate traffic from legitimate traffic.

They also use many IoT devices that are designed for very specific operation and often have no security measures.

The increase in IoT, IPv6 and symmetrical domestic lines has made it very easy to perform DDoS attacks and very cheap for those who hire them. Without good protection and security measures, any company can suffer economic losses due to unfair competition or contrary interests, or be the victim of hacktivism.

 

In the next article in this series, we will discuss the most effective solutions against DDoS attacks and success stories. Meanwhile, you can take a look at our Cybersecurity Solutions. See you soon!