DDoS Overview – All things in moderation

DDoS Overview


Hi guys! Today, in this post I will give an overview of DDoS attacks and the enormous harm they can cause.
DDoS is the abbreviation of Distributed Denial of Service. A DDoS is a type of cyber-attack in which many compromised systems are used to target a single system (a network, server or application), denying the service that the targeted system provides to its legitimate users.
The following is a summary of the Kaspersky DDoS Intelligence Report for Q2 2016:
– Resources in 70 countries were targeted by DDoS attacks in Q2 2016.
– 4% of targeted resources were located in China.
– China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.
– The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).
– SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method rose 1.4-fold compared to the previous quarter.
– In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.

Some typical DDoS attacks

UDP Flood
This attack leverages the User Datagram Protocol (UDP), a sessionless (connectionless) protocol: there is no handshake, so the attacker can send packets at the target without waiting for any reply. The attacker floods random ports on the remote host with large numbers of UDP packets. For each packet, the host:
– checks for an application listening on that port,
– finds that nothing listens there, and
– replies with an ICMP Destination Unreachable (port unreachable) packet.
Every packet therefore costs the victim a lookup and an ICMP reply on top of the inbound bandwidth it consumes, and under enough load the host becomes unreachable. Most stacks rate-limit the ICMP errors they generate, which bounds the reply traffic but not the inbound flood; the missing handshake is also what makes the source addresses trivial to spoof.
ICMP (Ping) Flood
Similar in principle to the UDP flood, this attack is most effective when using the flood option of ping, which sends ICMP Echo Request packets as fast as possible without waiting for replies. Most implementations of ping require the user to be privileged (root) to specify the flood option. The attack is most successful when the attacker has more bandwidth than the victim: the attacker hopes that the victim answers every request with an ICMP Echo Reply, consuming the victim's outgoing bandwidth as well as its incoming bandwidth.
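The two floods above leave a simple signature in packet records: one source hitting many different UDP ports within a second and collecting a stream of ICMP unreachable replies, or one source sending hundreds of echo requests per second. The following detector is an added example written for this post, not code from the original page; the packet records, thresholds and addresses are constructed for illustration, and a real deployment would feed it flow records or a capture and tune the thresholds to its own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Per-second thresholds for one (source, destination) pair. Assumed values for the
# example; tune them to the traffic of the network you monitor.
UDP_PPS = 100            # UDP packets per second
UDP_DISTINCT_PORTS = 50  # distinct destination ports hit within that second
ICMP_ECHO_PPS = 100      # ICMP echo requests per second


@dataclass(frozen=True)
class Packet:
    """One packet summary, as a flow exporter or a capture parser would hand it over."""
    ts: float                        # capture time in seconds
    src: str
    dst: str
    proto: str                       # "udp" or "icmp"
    dport: Optional[int] = None      # UDP destination port
    icmp_type: Optional[int] = None  # 8 = echo request, 3 = destination unreachable


def sample_capture():
    """Constructed sample traffic: a normal DNS client, a UDP flood, an ICMP flood, a normal ping."""
    pkts = []
    for i in range(5):  # legitimate DNS client: one query every two seconds
        pkts.append(Packet(i * 2.0, "10.0.0.5", "10.0.0.1", "udp", dport=53))
    for i in range(300):  # UDP flood: 300 packets within one second to 300 different ports
        port = 1024 + (i * 7919) % 60000  # 7919 is coprime to 60000, so the ports are distinct
        pkts.append(Packet(5.0 + i / 300, "203.0.113.9", "10.0.0.1", "udp", dport=port))
        # nothing listens on those ports, so the victim answers with ICMP type 3 (port unreachable)
        pkts.append(Packet(5.0 + i / 300 + 0.001, "10.0.0.1", "203.0.113.9", "icmp", icmp_type=3))
    for i in range(500):  # ICMP flood: 500 echo requests within one second
        pkts.append(Packet(7.0 + i / 500, "198.51.100.7", "10.0.0.1", "icmp", icmp_type=8))
    for i in range(4):  # legitimate ping: one echo request per second
        pkts.append(Packet(8.0 + i, "10.0.0.6", "10.0.0.1", "icmp", icmp_type=8))
    return pkts


def detect_floods(packets):
    """Bucket packets per (src, dst, second) and raise alerts where the thresholds are crossed."""
    udp = defaultdict(lambda: [0, set()])  # (src, dst, sec) -> [packet count, destination ports]
    unreachable = defaultdict(int)         # (flood src, victim, sec) -> ICMP unreachable replies seen
    echo = defaultdict(int)                # (src, dst, sec) -> echo requests

    for p in packets:
        sec = int(p.ts)
        if p.proto == "udp":
            entry = udp[(p.src, p.dst, sec)]
            entry[0] += 1
            entry[1].add(p.dport)
        elif p.proto == "icmp" and p.icmp_type == 3:
            # the reply travels victim -> attacker, so key it by the original direction
            unreachable[(p.dst, p.src, sec)] += 1
        elif p.proto == "icmp" and p.icmp_type == 8:
            echo[(p.src, p.dst, sec)] += 1

    alerts = []
    for (src, dst, sec), (count, ports) in udp.items():
        if count >= UDP_PPS and len(ports) >= UDP_DISTINCT_PORTS:
            alerts.append({"type": "udp_flood", "src": src, "dst": dst, "second": sec,
                           "pps": count, "distinct_ports": len(ports),
                           "unreachable_replies": unreachable.get((src, dst, sec), 0)})
    for (src, dst, sec), count in echo.items():
        if count >= ICMP_ECHO_PPS:
            alerts.append({"type": "icmp_flood", "src": src, "dst": dst, "second": sec, "pps": count})
    return sorted(alerts, key=lambda a: (a["second"], a["type"]))


if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(alert)
```

The distinct-port condition is what separates a UDP flood from a busy but legitimate client such as a DNS resolver, and the count of ICMP unreachable replies in the alert is the victim's own confirmation that the ports were closed. Keying on the source address only works as long as the attacker does not spoof it; for spoofed floods the destination-side counters (packets per second towards one host, unreachable replies per second leaving it) are the ones to alert on.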
SYN Flood

Normally, when a client starts a TCP connection to a server, the client and server exchange a series of messages known as the three-way handshake:
1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

A SYN flood exploits a known weakness in this sequence: a SYN must be answered by a SYN-ACK from the host, which then waits for the requester's ACK, and until that ACK arrives the host keeps the half-open connection in the listening socket's SYN queue (the backlog). In a SYN flood the attacker sends a large number of SYN requests and either never answers the SYN-ACKs or sends the SYNs from spoofed source addresses, so that the SYN-ACKs go to hosts that never reply. Either way, the server keeps waiting for an acknowledgement for each request, the queue fills with half-open connections, and new legitimate connections are dropped until the stale entries time out, resulting in a denial of service. SYN cookies are the standard countermeasure: the server encodes the state it needs into the sequence number of its SYN-ACK instead of storing it, so a flood of unanswered SYNs costs it no memory.
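To make the resource exhaustion concrete, the following model of a listening socket is an added example written for this post, not code from the original page or from any real TCP stack. It keeps a SYN queue of a fixed size, replays a flood of SYNs from spoofed addresses that never complete the handshake, and then lets one genuine client try to connect. The same model can run in a simplified SYN-cookie mode (an assumed cookie layout: 8 bits of time slot plus a 24-bit keyed MAC, without the MSS encoding real kernels use) to show why the stateless variant survives the same flood.

```python
import hashlib
import hmac
import os


class Listener:
    """Minimal model of a TCP listening socket: a SYN queue of half-open connections,
    with an optional stateless SYN-cookie mode (simplified; see the lead-in)."""

    def __init__(self, backlog=8, use_syn_cookies=False):
        self.backlog = backlog
        self.use_syn_cookies = use_syn_cookies
        self.secret = os.urandom(16)   # per-host secret for the cookie MAC
        self.half_open = {}            # (src_ip, src_port) -> our ISN, waiting for the client's ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip, src_port, client_isn, slot):
        # Simplified cookie: 8 bits of time slot, 24 bits of keyed MAC over the peer and time.
        # (The Linux implementation also encodes the MSS; omitted here.)
        msg = f"{src_ip}:{src_port}:{client_isn}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port, client_isn, now):
        """Steps 1 -> 2: answer a SYN with our ISN, or return None if the SYN had to be dropped."""
        if self.use_syn_cookies:
            # no state stored: the ISN itself proves later that we sent this SYN-ACK
            return self._cookie(src_ip, src_port, client_isn, int(now) // 60)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1      # queue full: this is the denial of service
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_isn, ack_num, now):
        """Step 3: the ACK must acknowledge our ISN + 1; returns True once the connection is established."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            slot = int(now) // 60
            for s in (slot, slot - 1):  # accept cookies from the current and the previous minute
                if (ack_num - 1) & 0xFFFFFFFF == self._cookie(src_ip, src_port, client_isn, s):
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.get(key)
        if isn is None or ack_num != isn + 1:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def run_syn_flood(use_syn_cookies, spoofed_syns=1000):
    """Flood the listener with SYNs from spoofed addresses, then let one real client connect."""
    srv = Listener(use_syn_cookies=use_syn_cookies)
    now = 1_700_000_000.0
    for i in range(spoofed_syns):
        # the SYN-ACKs go to addresses that never answer, so these entries never leave the queue
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, client_isn=1, now=now)
    isn = srv.on_syn("10.0.0.5", 40000, client_isn=1000, now=now)
    connected = isn is not None and srv.on_ack("10.0.0.5", 40000, 1000, isn + 1, now + 0.05)
    return {"client_connected": connected,
            "half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("plain backlog :", run_syn_flood(use_syn_cookies=False))
    print("SYN cookies   :", run_syn_flood(use_syn_cookies=True))
```

With the plain backlog the first eight spoofed SYNs fill the queue, every later SYN including the legitimate one is dropped, and nothing frees the queue because the ACKs never come. With cookies the listener stores nothing per SYN, so the flood has no queue to fill, and the legitimate client's ACK is validated purely from the number it echoes back; a forged ACK with a wrong number is rejected. On Linux the real mechanism is enabled with the sysctl net.ipv4.tcp_syncookies, and the kernel only switches to cookies once the SYN queue has overflowed.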

Ping of Death
A ping of death (“POD”) attack involves the attacker sending malformed pings to a computer. The maximum length of an IP packet (including header) is 65,535 bytes. However, the data link layer usually limits the maximum frame size, for example to 1,500 bytes on Ethernet. A larger IP packet is therefore split into multiple fragments, each sent in its own IP packet, and the recipient host reassembles the fragments into the complete packet using the offset carried in each fragment's header. In a Ping of Death scenario the attacker manipulates the fragment offsets and lengths so that the recipient ends up with a packet that is larger than 65,535 bytes when reassembled. A reassembly routine that trusts the offsets without checking the resulting total length overflows the memory buffer allocated for the packet, crashing the host or at least causing denial of service for legitimate packets.
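The check that a ping of death relies on being missing is a single comparison in the reassembler. The following fragmenter and reassembler are an added example written for this post, not code from the original page or from any operating system: the fragment records carry only the fields that matter here (identification, 8-byte offset, MF flag, payload), the 1,500-byte MTU and the 65,515-byte payload figure follow from the text, and the crafted fragment list is constructed to illustrate the attack.

```python
from dataclasses import dataclass

MAX_IP_PACKET = 65535   # largest value the 16-bit IP total-length field can express
IP_HEADER_LEN = 20      # minimal IPv4 header, part of the 65,535-byte limit


class ReassemblyError(ValueError):
    pass


@dataclass
class Fragment:
    ident: int      # IP identification field: all fragments of one datagram share it
    offset: int     # fragment offset field, in units of 8 bytes
    more: bool      # MF (more fragments) flag; cleared on the last fragment
    payload: bytes


def fragment(ident, data, mtu=1500):
    """Split a datagram payload into fragments that fit the link MTU (offsets are 8-byte aligned)."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8      # 1480 bytes of payload per Ethernet-sized fragment
    frags = []
    for start in range(0, len(data), chunk):
        part = data[start:start + chunk]
        frags.append(Fragment(ident, start // 8, start + len(part) < len(data), part))
    return frags


def reassemble(fragments, max_size=MAX_IP_PACKET):
    """Reassemble one datagram, refusing anything that would grow past max_size or leave holes."""
    buf = bytearray()
    covered = []        # (start, end) byte ranges received so far
    total = None        # payload length, known once the last fragment (MF = 0) is seen
    ident = fragments[0].ident
    for f in fragments:
        if f.ident != ident:
            raise ReassemblyError("fragment from a different datagram")
        start = f.offset * 8
        end = start + len(f.payload)
        # This is the check a ping of death relies on being absent: the reassembled
        # datagram, header included, must never exceed 65,535 bytes, whatever the fragments claim.
        if end + IP_HEADER_LEN > max_size:
            raise ReassemblyError(f"fragment at offset {start} would make the datagram "
                                  f"{end + IP_HEADER_LEN} bytes long (limit {max_size})")
        if not f.more:
            if total is not None:
                raise ReassemblyError("more than one final fragment")
            total = end
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = f.payload
        covered.append((start, end))
    if total is None:
        raise ReassemblyError("final fragment missing")
    # no gaps are allowed between offset 0 and the end marked by the last fragment
    pos = 0
    for start, end in sorted(covered):
        if start > pos:
            raise ReassemblyError(f"hole at bytes {pos}-{start}")
        pos = max(pos, end)
    if pos < total:
        raise ReassemblyError("datagram truncated")
    return bytes(buf[:total])


def ping_of_death_fragments(ident=0xBEEF):
    """Constructed fragments of the kind the attack sends: a last fragment placed at the
    maximum offset so that offset*8 + payload + header exceeds 65,535 bytes."""
    frags = fragment(ident, bytes(65515))        # 65,515 payload bytes is the legal maximum
    frags[-1].more = True                        # claim that more is coming...
    frags.append(Fragment(ident, 8191, False, b"A" * 100))  # ...and place it at byte 65,528
    return frags


if __name__ == "__main__":
    echo = bytes(range(256)) * 12            # 3,072 bytes of constructed ICMP echo payload
    frags = fragment(1, echo)
    print(len(frags), "fragments reassemble to", len(reassemble(frags)), "bytes")
    try:
        reassemble(ping_of_death_fragments())
    except ReassemblyError as e:
        print("rejected:", e)
```

A bytearray grows on demand, so in Python the unchecked write would merely allocate more memory; in a C stack with a fixed 65,535-byte reassembly buffer the same `buf[start:end] = payload` is the out-of-bounds write. The hole check is the other half of a robust reassembler: without it an attacker can hold a buffer per identification value open indefinitely, which is a different denial of service against the same code path.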

HTTP Flood
An HTTP flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker uses seemingly legitimate HTTP GET or POST requests to exhaust a web server or application.
HTTP floods are usually launched from a botnet (a “zombie army”): a group of Internet-connected computers, each of which has been maliciously taken over, usually with the assistance of malware such as Trojan horses, so that the requests arrive from many different source addresses.
As a Layer 7 attack, an HTTP flood uses no malformed packets, spoofing or reflection; the requests are valid and complete the TCP handshake, so the source addresses are real. It needs far less bandwidth than a volumetric attack to bring down the targeted site or server, because each request can cost the server much more work (database queries, page rendering) than it costs the attacker to send.
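Because the requests are well-formed, the usual first defence is to count them per client rather than to inspect them. The following replay of an access log through a per-IP token bucket is an added example written for this post, not code from the original page or from any web server or proxy; the log lines, addresses, bucket size (a burst of 20, then 5 requests per second) and the 200-request flood are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined-log-format line: <ip> - - [<time>] "<method> <path> <proto>" <status> <size>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"], "status": int(m["status"])}


class TokenBucket:
    """Classic token bucket: a burst of `capacity` requests, then `rate` requests per second."""

    def __init__(self, capacity, rate, now):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_rate_limit(lines, capacity=20, rate=5.0):
    """Replay log lines through one bucket per client IP; return (served, throttled) counts per IP."""
    buckets = {}
    served, throttled = Counter(), Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        bucket = buckets.setdefault(req["ip"], TokenBucket(capacity, rate, req["ts"]))
        if bucket.allow(req["ts"]):
            served[req["ip"]] += 1
        else:
            throttled[req["ip"]] += 1      # would be answered with 429 or dropped at the proxy
    return served, throttled


def sample_log_lines():
    """Constructed access log: one browsing user and one flooding bot hitting the login form."""
    t0 = datetime(2016, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

    def line(ip, t, method, path):
        return f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(6):      # legitimate client: six page views, five seconds apart
        lines.append(line("10.0.0.5", t0 + timedelta(seconds=5 * i), "GET", f"/page/{i}"))
    for i in range(200):    # HTTP flood: 100 well-formed POSTs per second for two seconds
        lines.append(line("203.0.113.9", t0 + timedelta(seconds=i // 100), "POST", "/login"))
    return lines


if __name__ == "__main__":
    served, throttled = apply_rate_limit(sample_log_lines())
    for ip in sorted(set(served) | set(throttled)):
        print(f"{ip:15} served={served[ip]:3} throttled={throttled[ip]:3}")
```

The browsing user never drains the bucket, while the bot gets its initial burst of 20 plus 5 refilled tokens in the second second and is refused the other 175 requests. The limit of this defence is exactly the reason HTTP floods come from botnets: with the load spread over thousands of addresses, every single bot can stay under a per-IP threshold, so production mitigations combine rate limits with per-URL budgets for expensive endpoints and with client challenges that a bot cannot answer.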

Sources of DDoS Attacks
During Q4 2011, one survey found 45% more DDoS attacks than in the same period of 2010, and over double the number observed during Q3 2011. The average attack bandwidth observed in this period was 5.2 Gbps, 148% higher than the previous quarter. (www.incapsula.com)

Another survey of DDoS attacks found that more than 40% of respondents experienced attacks exceeding 1 Gbps in 2013, and 13% were targeted by at least one attack exceeding 10 Gbps. (www.incapsula.com)

In this post I have only given a general overview of DDoS attacks; I will cover each type of attack in detail in the next post.
