Websites and applications live outside the data center, in the cloud. It is not easy to protect such a perimeter today, but there are intelligent ways to get around these problems. One is to understand the anatomy of these attacks. DDoS attacks target either the network layer or the application layer.
With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume the target’s available bandwidth and clog its internet pipes. With application-layer attacks, however, the goal is to consume the computing resources, CPU and RAM, that a web server has at its disposal to process requests. There are state-exhaustion attacks as well, which target the connection state tables in firewalls, web application servers, and other infrastructure components.
Network layer attacks are the ones we read about most often in the media, and the ones blamed for service disruption on many major sites. SYN floods, ACK floods and UDP-based amplification attacks can all be classified as network layer attacks. Network layer attacks are typically measured in Gbps (gigabits per second), the amount of bandwidth they are able to consume per second. Because they “gang-rush” the website, they are also called volumetric attacks. Arbor reported on such attacks in 2015 and described 17% of all attacks they handled as bigger than 1 Gbps, with the average attack size at 804 Mbps / 272K pps. The biggest ones peaked at 335 Gbps.
Application layer attacks, by contrast, can be small and quiet compared to network layer attacks, but they are just as disruptive and actually more complex to handle. Application layer attacks generally require far fewer packets and much less bandwidth to achieve the same goal: taking down a site. Application layer assaults are measured in RPS (requests per second), the number of processing tasks initiated per second. They are executed by bots: non-human visitors that are able to complete a TCP handshake and interact with the targeted application.
Let us focus on the network layer attacks first. The basic attacks at this layer are simple floods and amplification attacks. Floods take advantage of specific protocols such as TCP, ICMP, or UDP to send a large number of requests to a target and overload its network capacity.
SYN Flood – A SYN flood is a popular example of a network layer DDoS attack. In its anatomy, the attacking system sends a TCP SYN request with a spoofed source IP address to a host. While the request looks legitimate, the spoofed address refers to a client that doesn’t exist, so the final ACK message is never sent to the victim host.
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), which usually runs like this: 1) the client requests a connection by sending a synchronise (SYN) message to the server, 2) the server acknowledges the request by sending an acknowledging (SYN-ACK) message back to the client, 3) the client responds with an ACK message and the connection is established. In a SYN flood attack, the client does not respond to the server with the expected ACK, or the server sends the SYN-ACK message to a falsified IP address which never sends the ACK back. The result of the attack is half-open connections at the victim site.
These bind the server’s resources so that no new legitimate connections can be made, resulting in a denial of service. At that point, the server will not be able to connect to any clients, whether legitimate or otherwise. The connections remain half open and keep consuming server resources. That’s why SYN flood attacks are sometimes also referred to as “half-open” attacks.
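To make the half-open backlog concrete, here is an added simulation (not from the original post) of a simplified TCP listener with a tiny backlog, first holding state for every SYN and then using stateless SYN cookies, the standard mitigation. The backlog size, the secret and the addresses from the documentation ranges are constructed for the demo.

```python
import hashlib

BACKLOG = 4          # half-open entries the listener can hold (constructed, deliberately tiny)
SECRET = b"listener-secret-rotated-periodically"   # constructed placeholder key

class Listener:
    """Simplified TCP listener: tracks half-open connections in a backlog,
    or, with SYN cookies enabled, keeps no state until the final ACK arrives."""

    def __init__(self, use_syn_cookies=False):
        self.use_syn_cookies = use_syn_cookies
        self.half_open = {}          # (src_ip, src_port) -> server ISN
        self.established = set()

    def _cookie(self, src_ip, src_port, ts_bucket):
        # Stateless ISN: keyed hash of the client tuple and a coarse time counter.
        msg = f"{src_ip}:{src_port}:{ts_bucket}".encode()
        return int.from_bytes(hashlib.blake2b(msg, key=SECRET, digest_size=4).digest(), "big")

    def on_syn(self, src_ip, src_port, ts_bucket=0):
        """Return the server ISN placed in the SYN-ACK, or None if the SYN was dropped."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            return self._cookie(src_ip, src_port, ts_bucket)   # nothing stored
        if len(self.half_open) >= BACKLOG:
            return None                      # backlog full: even a legitimate SYN is dropped
        isn = 1000 + len(self.half_open)     # constructed ISN for the demo
        self.half_open[key] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_num, ts_bucket=0):
        """Final ACK of the handshake; ack_num must equal the server ISN + 1."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            # Recompute the cookie; accept the current or the previous time bucket.
            for b in (ts_bucket, ts_bucket - 1):
                if ack_num - 1 == self._cookie(src_ip, src_port, b):
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.pop(key, None)
        if isn is not None and ack_num == isn + 1:
            self.established.add(key)
            return True
        return False

def run_flood(use_syn_cookies, spoofed_syns=10):
    """Spoofed SYNs that never complete, then one legitimate client tries to connect.
    Returns (legitimate client connected?, half-open entries left behind)."""
    listener = Listener(use_syn_cookies)
    for i in range(spoofed_syns):
        listener.on_syn(f"203.0.113.{i}", 40000 + i)    # spoofed sources: no ACK ever comes
    isn = listener.on_syn("198.51.100.7", 51000)          # legitimate client
    ok = isn is not None and listener.on_ack("198.51.100.7", 51000, isn + 1)
    return ok, len(listener.half_open)
```

Without cookies the legitimate client is refused once the backlog is full; with cookies the listener stores nothing per SYN, so the flood leaves no half-open state behind.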
DNS Flood Attack – DNS servers are the roadmap of the internet: they run special-purpose networking software, have a public IP address and contain a database of network names and addresses for Internet hosts. They communicate with each other using private network protocols and are organised in a hierarchy. In a DNS flood type of DDoS attack, an attacker targets one or more DNS servers and tries to overwhelm them with apparently valid traffic, exhausting server resources and impeding the server’s ability to direct legitimate requests to zone resources (a DNS zone is a distinct portion of the domain name space in the Domain Name System).
DNS floods are symmetrical DDoS attacks that attempt to exhaust server-side assets (e.g., memory or CPU) with a flood of UDP requests, generated by scripts running on several compromised botnet machines. That’s why a DNS flood attack is sometimes referred to as a variant of a UDP flood attack. DNS servers rely on the UDP protocol for name resolution. To attack a DNS server with a DNS flood, the attacker runs a script, generally from multiple servers. These scripts send malformed packets from spoofed IP addresses. Since these attacks require no response to be effective, the attacker can send packets that are neither accurate nor even correctly formatted. The attacker can spoof all packet information, including source IP and make it appear that the attack is coming from multiple sources.
DNS Amplification Attack – Unlike DNS floods, DNS amplification attacks are asymmetrical DDoS attacks in which the attacker sends out a small look-up query with a spoofed target IP, making the spoofed target the recipient of much larger DNS responses. With these attacks, the attacker’s goal is to saturate the network by continuously exhausting bandwidth capacity. Vulnerabilities in DNS servers are exploited to turn initially very small queries into much larger payloads. This, in turn, brings the victim’s servers down.
The reflection is achieved by eliciting a response from DNS resolvers to a spoofed IP address. During the attack, the perpetrator sends a DNS query with a forged source IP address to an open DNS resolver, prompting it to reply to that address with a DNS response. Because numerous forged queries are being sent out, and because the DNS resolvers all reply at the same time, the victim’s network is overwhelmed.
The attack is even more dangerous if the reflection is amplified. This can be accomplished, for example, by using the EDNS0 DNS protocol extension when sending the DNS request, or by using the cryptographic features of the DNS security extensions (DNSSEC) to increase message size. Spoofed queries of type “ANY”, which return all known information about a DNS zone in a single request, can also be used. In this way a DNS request message of some 60 bytes can be pushed to elicit a response message of over 4000 bytes to the target server, resulting in a 70:1 amplification factor. This increases the volume of traffic the targeted server receives and accelerates the rate at which the server’s resources are drained. DNS amplification attacks generally relay DNS requests through one or more botnets, drastically increasing the volume of traffic directed at the targeted servers and making it much harder to track the perpetrator’s activity.
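From the resolver operator’s side, the reflection described above shows up as repeated small queries whose answers are tens of times larger, all “from” the same source. The following added example (not from the original post) parses constructed resolver log lines, computes the per-client amplification ratio and picks out sources that warrant response rate limiting; the log format and addresses are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic). The "client" is the source
# address as the resolver sees it, which in a reflection attack is the spoofed victim.
LOG = """\
2024-05-01T10:00:01 client=198.51.100.7 qname=www.example.com qtype=A edns=0 req=45 resp=61
2024-05-01T10:00:02 client=203.0.113.9 qname=example.org qtype=ANY edns=4096 req=60 resp=4112
2024-05-01T10:00:02 client=203.0.113.9 qname=example.org qtype=ANY edns=4096 req=60 resp=4112
2024-05-01T10:00:03 client=203.0.113.9 qname=example.org qtype=ANY edns=4096 req=60 resp=4112
2024-05-01T10:00:04 client=198.51.100.8 qname=mail.example.com qtype=MX edns=0 req=48 resp=120
"""
LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=\S+ qtype=(?P<qtype>\S+) edns=\d+ "
    r"req=(?P<req>\d+) resp=(?P<resp>\d+)")

def per_client_stats(log):
    """Return {client: {'queries': n, 'any': n, 'req_bytes': b, 'resp_bytes': b}}."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "req_bytes": 0, "resp_bytes": 0})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines that do not match the assumed format
        s = stats[m["client"]]
        s["queries"] += 1
        s["any"] += m["qtype"] == "ANY"   # ANY answers carry the whole zone's records
        s["req_bytes"] += int(m["req"])
        s["resp_bytes"] += int(m["resp"])
    return dict(stats)

def amplification_ratio(s):
    """Bytes sent back per byte received for one client (the 60 -> 4000 byte case is about 70)."""
    return round(s["resp_bytes"] / s["req_bytes"], 1) if s["req_bytes"] else 0.0

def likely_reflection_victims(log, ratio_threshold=10.0, min_queries=3):
    """Clients whose repeated queries draw disproportionately large answers. These are
    candidates for response rate limiting, since the answers are probably being
    reflected onto a spoofed victim rather than requested by that client."""
    out = {}
    for client, s in per_client_stats(log).items():
        ratio = amplification_ratio(s)
        if s["queries"] >= min_queries and ratio >= ratio_threshold:
            out[client] = {"ratio": ratio, "any_queries": s["any"]}
    return out
```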
Ping Flood Attacks – A ping flood is a simple denial-of-service attack in which the attacker overwhelms the victim with ICMP Echo Request packets, also known as pings. This is most effective when using the flood option of ping, which sends ICMP packets as fast as possible without waiting for replies. Most implementations of ping require the user to be privileged in order to specify the flood option. The attack is most successful if the attacker has more bandwidth than the victim. The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing and incoming bandwidth. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown. Additional methods for bringing down a target with ICMP requests include the use of custom tools or code, such as hping and scapy. This strains both the incoming and outgoing channels of the network, consuming significant bandwidth and resulting in a denial of service.
Ping of Death Attacks – In a POD type of attack, an attacker attempts to crash, destabilize or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. The ping command is usually used to test the availability of a network resource. It works by sending small data packets to the network resource. The ping of death takes advantage of this and sends data packets above the maximum limit that TCP/IP allows, that is 65,536 bytes. Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code. When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains.
This information is kept in the Fragment Offset field in the IP header. The field is 13 bits long and contains the offset of the data in the current IP fragment relative to the original IP packet. The offset is given in units of 8 bytes. This allows a maximum offset of 65,528 ((2^13 - 1) * 8). This means that an IP fragment with the maximum offset should carry data no larger than 7 bytes, or else it would exceed the maximum packet length.
A malicious user can send an IP fragment with the maximum offset and with much more data than 8 bytes (as large as the physical layer allows it to be). When the receiver assembles all the IP fragments, it ends up with an IP packet larger than 65,535 bytes. This may overflow the memory buffers the receiver allocated for the packet and can cause various problems, including denial of service. Ping of Death attacks are particularly effective because the attacker’s identity can be easily spoofed. Moreover, a Ping of Death attacker needs no detailed knowledge of the machine being attacked, except for its IP address.
Smurf Attack – A Smurf attack is a form of distributed denial of service (DDoS) attack that renders computer networks inoperable. The Smurf program accomplishes this by exploiting weaknesses of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The attacker sends a large number of IP packets with the source address faked to appear to be the address of the victim. First, the malware creates a network packet attached to a false IP address, a technique known as “spoofing.”
Inside the packet is an ICMP ping message, asking the network nodes that receive the packet to send back a reply. These replies, or “echoes,” are then sent back to the network IP addresses again, setting up an infinite loop. A Smurf attack amplifies a single ping 255 times and relies on misconfigured network devices that allow packets to be sent to all hosts on a particular network via the network’s broadcast address, rather than to a specific machine. When combined with IP broadcasting, which sends the malicious packet to every IP address in a network, the Smurf attack can quickly cause a complete denial of service. It is possible to accidentally download the Smurf Trojan from an unverified website or via an infected email link. Typically, the program remains dormant on a computer until activated by a remote user. If a Smurf DDoS attack succeeds, it can cripple company servers for hours or days, resulting in lost revenue and customer frustration.
Nuke Attack – A Nuke attack sends corrupt and fragmented ICMP packets via a modified ping utility to the target, repeatedly sending the corrupt data to slow the affected computer down until it comes to a full stop. With enough volume, the attack can be successful. Eventually, the target machine goes offline or crashes, with a Blue Screen of Death in the case of Windows. The most famous example of a Nuke attack was the 1997 WinNuke, which exploited a vulnerability in Windows 95. Years later, a newer version of WinNuke surfaced that affected Windows NT, 2000 and XP, but it was quickly patched by Microsoft. Nuke is an old type of DDoS attack and almost no modern operating systems are vulnerable to it.
Teardrop Attack – A teardrop attack is a denial of service attack that targets the TCP/IP fragmentation reassembly code. The attack causes fragmented packets to overlap one another on receipt by the host. The host then attempts to reconstruct them but fails. As a result, the overlapping data packets quickly overwhelm the victim’s servers, causing them to fail. This generally happens on older operating systems such as Windows 3.1x, Windows 95, Windows NT and some versions of Linux.
One of the fields in an IP header is the “fragment offset” field, indicating the starting position, or offset, of the data contained in a fragmented packet relative to the data in the original packet. If the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets – resulting in a denial-of-service condition.
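The Ping of Death and Teardrop sections above both come down to the same missing check in the reassembly code: the Fragment Offset field is trusted. Below is an added example (not from the original post) of a minimal IPv4 fragment parser and a reassembler that refuses both a fragment whose offset plus length would push the datagram past 65,535 bytes and a fragment that overlaps or leaves a hole. The header builder and the sample fragments are constructed for the demo.

```python
import struct

IP_MAX_LEN = 65535           # maximum IPv4 datagram length (16-bit Total Length field)

class FragmentError(ValueError):
    """Raised for any fragment set that must not be reassembled."""

def parse_fragment(raw):
    """Parse a minimal IPv4 header; return (ident, offset_bytes, more_fragments, payload)."""
    if len(raw) < 20:
        raise FragmentError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBHII", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_frags = bool(flags_frag & 0x2000)        # MF flag
    offset = (flags_frag & 0x1FFF) * 8            # 13-bit offset in 8-byte units
    return ident, offset, more_frags, raw[ihl:total_len]

def reassemble(fragments):
    """Reassemble one datagram, rejecting Ping-of-Death and Teardrop fragment sets
    before a single byte is copied into the buffer."""
    parsed = [parse_fragment(f) for f in fragments]
    if len({p[0] for p in parsed}) != 1:
        raise FragmentError("fragments belong to different datagrams")
    parsed.sort(key=lambda p: p[1])               # tolerate out-of-order delivery
    buf, expected = bytearray(), 0
    for _ident, offset, more, payload in parsed:
        end = offset + len(payload)
        # Ping of Death: offset + length would exceed what a 16-bit length can describe.
        if end > IP_MAX_LEN:
            raise FragmentError(f"fragment ends at {end}, beyond the {IP_MAX_LEN}-byte limit")
        # Teardrop: this fragment starts before the previous one ended (overlap), or
        # after it (hole); neither may be stitched together.
        if offset != expected:
            raise FragmentError(f"fragment at offset {offset} does not continue at {expected}")
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        buf += payload
        expected = end
    return bytes(buf)

def rejects(fragments):
    """True if the reassembler refuses this fragment set (helper for checks)."""
    try:
        reassemble(fragments)
        return False
    except FragmentError:
        return True

def make_fragment(ident, offset_bytes, more, payload):
    """Build a constructed minimal IPv4 fragment (checksum left zero, addresses from 192.0.2.0/24)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, 1, 0, 0xC0000201, 0xC0000202)
    return header + payload
```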
Sophisticated Low-bandwidth Attack – Sophisticated low-bandwidth DDoS attacks use less traffic and increase their effectiveness by aiming at a weak point in the victim’s system design; that is, the attacker sends traffic consisting of complicated requests to the system. While it requires more sophistication and understanding of the attacked system, a low-bandwidth DDoS attack has three major advantages over a high-bandwidth attack: a) lower cost, since it uses less traffic; b) smaller footprint, hence it is harder to detect; and c) the ability to hurt systems that are protected by flow control mechanisms.
An example of such an attack is one against HTTP servers that requests pages which are rarely requested (forcing the server to search the disk). Similar attacks can be conducted on search engines or database servers by sending difficult queries that force them to spend a lot of CPU time or disk access time. In fact, an example of such a sophisticated attack can be seen even in the classic SYN attack, which aims at hurting the TCP stack at its weakest point: the three-way handshake process and its corresponding queue.
Slowloris Attack – Slowloris is a DDoS toolkit that sends partial requests to a target server in an effort to keep the connections open as long as possible. At the same time, it sends out further HTTP headers at regular intervals, which keeps the requests alive but never completes them. It doesn’t take long for this type of DDoS attack to take down a website. It requires minimal bandwidth to implement and affects only the target’s web server, with almost no side effects on other services and ports. It works by opening multiple connections to the targeted web server and keeping them open as long as possible. It continuously sends partial HTTP requests, none of which are ever completed. Ultimately, the targeted server’s maximum connection pool is filled and additional connection attempts are denied.
When the attacked sockets time out, Slowloris simply reinitiates the connections, continuing to max out the web server. It moves slowly but steadily, and can last for a long period of time. Designed for stealth as well as efficacy, Slowloris can be modified to send different Host headers in the event that a virtual host is targeted and logs are stored separately for each virtual host. More importantly, in the course of an attack, Slowloris can be set to suppress log file creation. This means the attack can catch unmonitored servers off guard, without any red flags appearing in log file entries.
RUDY Attack – RUDY, also known as “Are you dead yet?” or “R-U-Dead-Yet?”, targets web applications by starving the web server of available sessions. It is a popular low-and-slow attack tool designed to crash a web server by submitting long form fields. The attack is executed via a DoS tool which browses the target website and detects embedded web forms. Once the forms have been identified, RUDY sends a legitimate HTTP POST request with an abnormally long Content-Length header and then starts feeding the form with data, one byte-sized packet at a time. The information is sent in small chunks at a very slow rate, which explains “low and slow”. A RUDY attack generates a slow rate and a low volume of traffic. Ultimately, it is very effective because it exhausts the targeted server’s connection table, causing the server to crash. The RUDY tool exploits a vulnerability in the HTTP protocol.
When a user fills in a web form, the user’s web browser sends the data to a web server using an HTTP POST request. When a legitimate user sends the data, it arrives in one or two packets; the web server then closes the connection and moves on to handle the next request. However, when an attacker uses the RUDY tool, the data from the form is broken into many packets, each containing only one byte of the data. The RUDY tool then sends these packets at random time intervals, preventing the web server from closing the connection and forcing it to wait for the request to be completed. A few thousand requests generated by the RUDY tool over several minutes will cause the server to stop handling new requests, denying the service to legitimate users. Any website that contains web forms, such as login forms, feedback forms etc., is susceptible to a RUDY attack. RUDY manages to evade traditional anti-DDoS mitigation systems, as it generates neither volumetric traffic nor high-rate packets. Each transaction looks legitimate, as it mimics the behaviour of users with slow internet connections. Yet it is a lethal attack on web servers.
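Because Slowloris and RUDY never trip volume-based thresholds, detection has to look at per-connection progress instead: how long the headers have been incomplete, and how fast a declared request body is actually arriving. The following added example (not from the original post) classifies a constructed snapshot of a server’s open connections on exactly those two criteria; the thresholds, record format and addresses are assumptions for the demo.

```python
from dataclasses import dataclass

HEADER_DEADLINE_S = 20     # seconds a client gets to finish sending its request headers
MIN_BODY_RATE_BPS = 500    # slowest body rate still plausible for a real (slow) client
MAX_SLOW_PER_SRC = 3       # slow connections from one source before the source is flagged

@dataclass
class Conn:
    src_ip: str
    age_s: float            # seconds since the connection was accepted
    headers_complete: bool  # has the blank line that ends the headers been seen?
    content_length: int     # declared Content-Length (0 for a GET)
    body_received: int      # body bytes received so far

def classify(c):
    """Return 'slowloris', 'rudy', or None for one open connection."""
    if not c.headers_complete:
        # Slowloris: headers still trickling in long after accept.
        return "slowloris" if c.age_s > HEADER_DEADLINE_S else None
    if c.content_length > c.body_received and c.age_s > HEADER_DEADLINE_S:
        # RUDY: a large declared body arriving far below any real client's rate.
        if c.body_received / c.age_s < MIN_BODY_RATE_BPS:
            return "rudy"
    return None

def flag_sources(conns):
    """Count slow connections per source; return only sources over the threshold,
    as {ip: {'slowloris': n, 'rudy': n}}, so they can be rate-limited or dropped."""
    counts = {}
    for c in conns:
        kind = classify(c)
        if kind:
            counts.setdefault(c.src_ip, {"slowloris": 0, "rudy": 0})[kind] += 1
    return {ip: k for ip, k in counts.items() if sum(k.values()) >= MAX_SLOW_PER_SRC}

# Constructed snapshot of open connections, as a server's connection table might show them.
SAMPLE = [
    Conn("198.51.100.7", 2.0, True, 0, 0),                     # normal GET, just accepted
    Conn("198.51.100.8", 45.0, True, 4096, 4096),              # legitimate upload, body complete
    Conn("198.51.100.9", 90.0, True, 10_000_000, 9_000_000),   # slow but real: 100 KB/s
] + [Conn("203.0.113.5", 120.0 + i, False, 0, 0) for i in range(4)] \
  + [Conn("203.0.113.6", 300.0, True, 1_000_000, 300 + i) for i in range(3)]
```

The slow-but-real uploader is not flagged because its body rate is far above the floor; only the two sources holding many stalled connections are.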
XML Attack – An XML denial-of-service attack, or XDoS attack, is a content-borne denial-of-service attack whose purpose is to shut down a web service or the system running that service. It occurs when an XML message is sent with a multitude of digital signatures; a naive parser looks at each signature and burns all its CPU cycles, eating up all resources. An XDoS attack exhausts the system resources of the server hosting a web service while the server processes SOAP messages. An XDoS attack mainly uses three strategies. Firstly, a network can be flooded with XML messages (instead of packets) in order to deny legitimate users network communication. Secondly, if the attacker floods the web server with XML requests, it affects the availability of those web services. Thirdly, attackers manipulate the message content so that the web server crashes.
Zero Day Attacks – Zero day attacks (or 0days) refer to all new attacks which are undisclosed, or to any previously unseen attack that common methods of DDoS mitigation may not be capable of handling. Because the attack occurs before “Day 1” of the vulnerability being publicly known, it is said that the attack occurred on “Day 0”, hence the name. The attack takes advantage of a bug or a problem (typically in a software company’s product) before a patch has been created.