Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) attacks are becoming an increasingly popular method among hackers and hacktivists, primarily due to their simplicity. Here, we outline the different types of DDoS attacks and provide resources to combat them.
According to surveys, DDoS remains one of the cyber threats organizations are least prepared for, making it a significant battle in the ongoing cyber war.
What is a DDoS attack?
In the simplest definition, a DDoS attack floods an IP address with hundreds or thousands of messages (usually sent from botnets, and sometimes from many attackers acting together, as in hacktivist incidents) until the network elements behind that address can no longer accept service requests from legitimate users: hence denial of service.
As Tim Pat Dufficy points out, the low cost of executing a DDoS attack ensures that it will remain a good fit for many attackers.
DDoS attacks are relatively easy to execute compared with some other cyberattacks, yet they continue to grow in strength and complexity.
DDoS attacks are broadly classified into three kinds:
Volume-Based Attacks
These use high traffic to overwhelm the network bandwidth.
Protocol Attacks
These target server resources by exploiting vulnerabilities in the protocol stack.
Application Attacks
These target web applications and are regarded as the most sophisticated and severe kind of DDoS attack.
Different types of attacks are categorized based on the volume of traffic involved and the specific vulnerabilities they exploit.
Here is a list that Curse Helper compiled of common types of DDoS attacks:
SYN Flood
This attack exploits the TCP connection sequence by interrupting the three-way handshake. The attacker floods the host with SYN messages carrying spoofed source addresses; the host allocates connection state for each one, waits for a final ACK that never arrives, and ultimately can no longer serve legitimate connections, resulting in denial of service.
UDP Flood
A UDP Flood sends UDP packets to random ports on the target, taking advantage of the stateless nature of the User Datagram Protocol (UDP). The purpose of overwhelming a server with UDP packets is to use up all of its resources.
HTTP Flood
This kind of application-layer DDoS attack mimics legitimate GET or POST requests but with malicious intent. By issuing a large number of HTTP requests, it exhausts a server's resources and can cause service degradation or unavailability.
Ping of Death
Ping of Death sends an oversized ping packet to the destination, causing it to crash or misbehave (see the Medium article "Ping of Death (IP Protocol Manipulation from Defensive perspective)"). Although less effective today, this was a well-known DDoS attack in the early days.
Smurf Attack
A Smurf Attack uses the ICMP and IP protocols to flood a target with a large number of packets: the attacker sends ping (ICMP echo request) packets to a broadcast address on an Ethernet network, so that every host on it replies, but forges the source address as the victim's, so that every reply is delivered to the victim instead. This amplification can drown out the victim's IP bandwidth.
Fraggle Attack
A Fraggle Attack is essentially a Smurf attack that uses large amounts of UDP traffic instead of ICMP: packets are sent to a router's broadcast network so that multiple hosts reply to the target all at once.
Slowloris
Slowloris keeps HTTP connections open indefinitely by sending partial HTTP requests, preventing the server from processing legitimate requests and eventually making it unresponsive. It needs very few attacker-side resources to be effective, which makes mitigation challenging.
These attacks vary in their methods and targets but share the goal of overwhelming network resources or server capabilities to disrupt service availability.
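The SYN flood, UDP flood and Slowloris patterns above each leave a recognisable trace in connection or flow records. The following Python is an added example, not code from this article; its Flow record layout, addresses and thresholds are constructed for illustration, and real deployments would set thresholds from a traffic baseline.

```python
"""Flow-record indicators for the SYN flood, UDP flood and Slowloris patterns above.
Added illustration, not from the article; records, addresses and thresholds are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    proto: str       # "tcp" or "udp"
    flags: str       # cumulative TCP flags seen, e.g. "S" or "SPAF" ("" for UDP)
    nbytes: int      # payload bytes sent by the source
    duration: float  # seconds the flow stayed open

def syn_flood_score(flows, dport):
    """Share of TCP flows at dport that never completed the handshake (SYN, no ACK) and
    how many distinct sources sent them: the spoofed-SYN pattern that ties up state."""
    tcp = [f for f in flows if f.proto == "tcp" and f.dport == dport]
    if not tcp:
        return 0.0, 0
    half_open = [f for f in tcp if "S" in f.flags and "A" not in f.flags]
    return len(half_open) / len(tcp), len({f.src for f in half_open})

def udp_flood_ports(flows, dst, min_ports):
    """Distinct UDP destination ports hit on dst; a UDP flood scatters packets across
    random ports, so the count jumps far above what the host's services explain."""
    ports = {f.dport for f in flows if f.proto == "udp" and f.dst == dst}
    return len(ports) >= min_ports, len(ports)

def slowloris_sources(flows, max_bytes=200, min_seconds=30.0, min_conns=20):
    """Sources holding many long-lived HTTP(S) connections that sent almost nothing:
    partial requests parked in worker slots at little cost to the sender."""
    held = Counter(f.src for f in flows
                   if f.proto == "tcp" and f.dport in (80, 443)
                   and f.nbytes <= max_bytes and f.duration >= min_seconds)
    return {src: n for src, n in held.items() if n >= min_conns}

# Constructed sample: 40 spoofed half-open SYNs, 5 normal sessions, a 300-port UDP
# scatter, and one source parking 25 idle connections on port 80.
TARGET = "10.0.0.5"
FLOWS = (
    [Flow(f"203.0.113.{i}", TARGET, 443, "tcp", "S", 60, 0.0) for i in range(1, 41)]
    + [Flow(f"192.0.2.{i}", TARGET, 443, "tcp", "SPAF", 1800, 2.5) for i in range(1, 6)]
    + [Flow("198.18.0.9", TARGET, 1024 + i, "udp", "", 512, 0.0) for i in range(300)]
    + [Flow("198.51.100.7", TARGET, 80, "tcp", "SPA", 120, 90.0) for _ in range(25)]
)
```

Each function returns the raw indicator alongside the verdict so an analyst can tune the threshold rather than trust a boolean.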
Application Level Attacks
Application-Level Exploits:
Over time the paradigm changed as attackers began to target vulnerabilities within applications instead of entire servers. In this approach they target notorious legacy applications with known vulnerabilities.
NTP Amplification:
NTP (Network Time Protocol) servers are essential for synchronizing computer clocks, and they can be weaponized in NTP Amplification attacks. These attacks flood the target with UDP traffic through reflection and amplification. In a reflection attack, the server replies to a spoofed IP address; in the amplified form, that reply is significantly larger than the request, which makes these attacks even more devastating given their massive bandwidth usage.
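From the victim's side, reflection and amplification show up as large replies from UDP/123 that the host never asked for. The following Python is an added example, not from the article: it compares a host's own outbound NTP queries against the inbound traffic from port 123 to expose unsolicited reflectors and the amplification ratio; the packet records, addresses and 482-byte reply size are constructed.

```python
"""Reflection/amplification indicator for inbound NTP traffic, as described above.
Added illustration, not from the article; packet records and addresses are constructed."""
from collections import defaultdict

NTP_PORT = 123


def ntp_reflection_report(packets, host):
    """For one host, compare bytes it sent to NTP servers (its own queries) with bytes it
    received from UDP/123. A victim of reflected amplification sees large replies from
    many servers it never queried, so both the ratio and the reflector count spike.
    Each packet record is (src_ip, src_port, dst_ip, dst_port, length_in_bytes)."""
    queried = set()                 # NTP servers the host really asked
    sent = 0                        # bytes of genuine queries
    recv_from = defaultdict(int)    # server IP -> bytes delivered to host from port 123
    for src, sport, dst, dport, length in packets:
        if src == host and dport == NTP_PORT:
            queried.add(dst)
            sent += length
        elif dst == host and sport == NTP_PORT:
            recv_from[src] += length
    received = sum(recv_from.values())
    return {
        "sent_bytes": sent,
        "received_bytes": received,
        "amplification": received / sent if sent else float("inf"),
        "unsolicited_reflectors": sum(1 for ip in recv_from if ip not in queried),
    }


# Constructed packets: two normal 48-byte query/reply pairs, then 50 reflectors each
# delivering a 482-byte reply the host never requested.
HOST = "10.0.0.5"
NTP_SERVER = "192.0.2.10"
BENIGN = [(HOST, 50000, NTP_SERVER, NTP_PORT, 48), (NTP_SERVER, NTP_PORT, HOST, 50000, 48)] * 2
REFLECTED = BENIGN + [(f"203.0.113.{i}", NTP_PORT, HOST, 40000, 482) for i in range(1, 51)]
```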
Advanced Persistent DoS (APDoS):
Preferred by adversaries looking for maximum damage, APDoS attacks combine tactics such as HTTP flooding and SYN flooding. These diversified attacks hit multiple parts of a website at once, send millions of requests every second and persist for weeks. The attack persists even longer when the attackers are able to adapt their tactics and create diversions.
Zero-day DDoS Attacks:
Cyber attacks continue to evolve: zero-day DDoS attacks exploit unpatched vulnerabilities with new techniques and tactics, striking defenses with sudden, unexpected changes.
Noteworthy DDoS Incidents
Mirai Malware (Fall 2016): turned IoT devices into botnets; used for DDoS attacks against Mr. Krebs, the DNS provider Dyn, and internet access in Liberia.
CloudFlare Attack (March 2013): the hosting service CloudFlare, which was protecting SpamHaus, absorbed what became a notable high-water mark for DDoS size, a huge attack launched against Project Honey Pot. Because of the rapid cleanup, there was no major disruption for SpamHaus.org.
HSBC (January 2016): HSBC (UK) was on the receiving end of a DDoS attack that made its internet banking system unavailable for hours on payday. A quick response prevented any breach of customer data.
Dyre Wolf Campaign (malware plus DDoS attack): targeted bank accounts. The malware, distributed via targeted spear phishing, and the DDoS attack were both distractions, meant to ensure that the wire transfers happening at the same time would not be noticed until it was too late (as evidenced by the fact that stolen money was often quickly removed from the accounts).