What is DDOS? Why do we hear so often nowadays?
Denial-of-service attacks, It's been classified as “cyberattacks,” have been used by perpetrators since the mid-1980s. Aimed primarily at specific sites and networks, denial-of-service attacks block the access of legitimate users, rendering the entire site or network unavailable. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
I will highlight major types of attacks, tools & methods the attackers use and latest controls to avoid attacks. In coming days i am planning to write in detail on each topic.
Nowadays the attacks are more severe and frequent. In Akamai's Q1 2016 State of the Internet - Security Report, the content delivery network company found there's been a 125 percent increase in distributed denial of service (DDoS) attacks year over year.
Looking ahead, Akamai expects "the heavy barrage of DDoS attacks against the gaming industry to continue, as players keep looking for an edge over competitors". As for web service attacks, retailers will continue to suffer the most, given the potential financial gains for attackers. Akamai predicts, "SQLi and LFI will remain favourite vectors, because free and open-source tools are plentiful to find these vulnerabilities".
There are two major types of DOS attacks,
1) Distributed DoS-A distributed denial-of-service (DDoS) is a cyber-attack where the perpetrator uses more than one, often thousands of, unique IP addresses. The scale of DDoS attacks has continued to rise over recent years, even reaching over few TB's nowadays. Nowadays hackers do use many different kinds of IOT's which are connected to internet, it can vary from normal Desktops to a security cameras in streets.
2) An advanced persistent DoS (APDoS) is more likely to be perpetrated by an advanced persistent threat (APT): actors who are well resourced, exceptionally skilled and have access to substantial commercial grade computer resources and capacity. APDoS attacks represent a clear and emerging threat needing specialised monitoring and incident response services and the defensive capabilities of specialised DDoS mitigation service providers.Recent examples are some coutries do attack each other using advance computing capacity with explicit motivation.
Tools used for attacks include, Malware, Stacheldraht, zombie agents, Botnets, handlers by the attacker using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. LOIC Along with HOIC a wide variety of DDoS tools are available today, including paid and free versions, with different features available.
Methods used to attack -
1) DDoS tools like Stacheldraht still use classic DoS attack methods centered on IP spoofing like smurf attacks / fraggle attacks and SYN floods. Newer tools can use DNS servers for DoS purposes.
2) HTTP POST attack sends a complete, legitimate HTTP POST header.
3) Internet Control Message Protocol (ICMP) flood.
4) Peer-to-peer attacks, Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks.
5) Permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or re-installation of hardware.
6) R-U-Dead-Yet - RUDY attack targets web applications by starvation of available sessions on the web server.
7) Slow Read attack sends legitimate application layer requests but reads responses very slowly, thus trying to exhaust the server's connection pool.
8) A SYN flood occurs when a host sends a flood of TCP/SYN packets.
9) A teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine.
10) TDOS, Voice over IP has made abusive origination of large numbers of telephone voice calls inexpensive and readily automated while permitting call origins to be misrepresented through caller ID spoofing.
How is it controlled today?
1) Application front-end hardware is intelligent hardware placed on the network before traffic reaches the servers.
2) Application level Key Completion Indicators
3) With blackhole routing, all the traffic to the attacked DNS or IP address is sent to a "black hole".
4) Intrusion prevention systems (IPS) are effective if the attacks have signatures associated with them.
5) More focused on the problem than IPS, a DoS defense system (DDS) can block connection-based DoS attacks and those with legitimate content but bad intent.
6) Firewalls / Routers / Switches and Network upstream filtering.