By David Balaban
Every electronic system has a finite data processing capacity. This threshold is never exceeded under normal conditions, but things may change when anomalous activity kicks in. A distributed denial-of-service (DDoS) attack fits the mold of a stratagem that can drain a web server’s resources and disrupt the associated online service.
DDoS attacks appeared in the mid-1990s as ideological weaponry favored by Anonymous and like-minded hacktivists. As time went by, the phenomenon took on extra motivations, ranging from script kiddies’ whim to satisfy their ego and get an adrenaline rush to unscrupulous entrepreneurs’ plots aimed at sucker-punching business rivals.
Extortion through what is called “ransom DDoS” is the latest evil quirk of threat actors. To set it in motion, an adversary threatens to knock an organization’s website offline unless the would-be victim pays a specified amount of Bitcoin.
Since mid-August 2020, several high-profile hacker gangs, including the infamous Lazarus Group and Fancy Bear, have been sending such ransom notes to thousands of companies around the world, primarily ones from the finance and retail sectors. The felons demand a minimum of 10 BTC (currently worth about $106,000) for not mounting the attack. On August 28, the FBI alerted U.S. companies to the menace by issuing an ad hoc flash warning.
All in all, DDoS has grown into a multipurpose cybercrime heavyweight over time, and it is getting worse. With that said, it is high time organizations stepped up their preparedness to tackle this challenge. This article provides a roundup of known attack methods and shines the light on effective countermeasures.
Demystifying the DDoS Ecosystem
Whereas the fundamental principle of DDoS boils down to swamping a network with a plethora of rogue data packets, security professionals single out a trio of categories that differ in the logic of precipitating a denial-of-service condition. Any DDoS raid falls under one of the following classes:
- Volumetric Attacks. To execute these onslaughts, adversaries hinge on numerous previously compromised devices and spoofed Internet connections to inundate victim networks with more data packets than they can withstand. Effectively, they exhaust a network’s bandwidth with an enormous volume of dodgy traffic.
- Protocol Attacks. Rather than cause a bandwidth shortage quandary, these incursions sap the processing power of a web server via malicious protocol requests. They typically home in on firewalls or network infrastructure equipment such as switches, load balancers, or routers.
- Application Layer Attacks. This attack vector stands out from the rest by depleting the resources allocated to a specific web application. To set it in motion, felons often parasitize zero-day flaws in web applications, which makes such an offensive incredibly hard to pinpoint and thwart.
This broad classification relates to theory, for the most part, and does not give enough insights into the inner workings of a particular cybercrime campaign. To better understand the network disruption repertoire of the present-day crooks, go over a hands-on summary of 33 different DDoS types.
- DNS Flood. To execute this incursion, malefactors deluge a DNS server with a huge number of malformed requests coming from numerous different IP addresses. This is one of the toughest attacks to detect and recover from.
- UDP Flood. An adversary fires out a slew of rogue User Datagram Protocol (UDP) packets at a victim server to make it run out of processing capacity. A serious pitfall in terms of identifying this attack is that UDP connections provide scarce methods to verify source IP addresses.
- SYN Flood. This foul play abuses the TCP three-way handshake, the fundamental mechanism used to set up a connection between a client and a server in the TCP protocol framework. Criminals flood a target server with multiple SYN (synchronize) packets coming from a rogue IP. For the record, the role of SYN packets in a benign scenario is to request a connection with a server.
- Tsunami SYN Flood. This method harnesses scores of TCP SYN packets that are larger than 1,000 bytes each. This quirk makes it different from a “classic” SYN Flood attack in which the data footprint of malicious requests is much lower.
- SYN-ACK Flood. Unlike the previous type, this one exploits a TCP connection phase at which a web server replies to a client to acknowledge a request it has received. Because these packets are submitted in a disorderly manner that is at odds with the three-way handshake principle, the server reaches its processing threshold trying to sort them out.
- ACK & PUSH ACK Flood. To get this raid going, a crook perplexes a server with a bevy of ACK (acknowledge) and PUSH ACK requests that do not fit the context of the regular TCP mechanism.
- Fragmented ACK Flood. An attacker shells a network with patchy ACK packets. When attempting to organize these requests, routers encounter a denial-of-service condition. This raid is one of the crooks’ favorites because it can disrupt a network with a comparatively small number of partial packets.
- Spoofed Session Flood. The recipe for this attack includes a spoofed SYN packet, several ACK packets, and at least one RST (reset) or FIN (end of the connection) packet. Some network defenses do not examine return traffic, and therefore this offensive might go unnoticed.
- NTP Flood. The purpose of the Network Time Protocol (NTP) is to synchronize the clock parameter between networks. Since many NTP servers are scarcely protected against exploitation, perpetrators can piggyback on them to generate a ton of anomalous UDP traffic and direct it toward a victim computer network.
- SSDP Flood. The Simple Service Discovery Protocol (SSDP) is part of the Universal Plug and Play (UPnP) cluster of networking protocols that provide seamless interoperability between connected devices. To cybercriminals, though, it primarily denotes an instrument for orchestrating one of the common forms of DDoS. A bad actor sends tiny UDP requests carrying the spoofed IP address of a target server to a plethora of networked devices that run UPnP. These devices reply to that IP, only to drain the server’s processing power.
- SNMP Flood. This one capitalizes on the Simple Network Management Protocol (SNMP) that amasses and arranges information relating to Internet-enabled devices. An attacker submits a series of requests containing a victim server’s mimicked IP address to network gear (e.g., a router or a switch) that leverages SNMP. This equipment, in turn, generates reply packets to the specified IP, thereby taking the server down.
- CHARGEN Flood. Having been around for more than three decades, the Character Generator Protocol (CHARGEN) is one of the oldest of its kind. Despite its age, it is still being used by some networked printers and photocopiers. A malefactor can query many such devices with small packets carrying a target server’s IP. This leads to numerous replies rushing to the server.
- Ping Flood. This DDoS attack revolves around fraudulent Internet Control Message Protocol (ICMP) echo requests. The victim server allocates all its resources to spawn packets in response to these numerous pings and denies service to legitimate clients.
- VoIP Flood. To pull off this onslaught, crooks bombard a network with countless Voice over Internet Protocol (VoIP) packets that mimic regular traffic coming from a slew of different IP addresses.
- Media Data Flood. When a server is being targeted this way, it receives multiple spammy audio and video files that drain its capacity. Since these files are sent from different genuine-looking IPs, the attack is likely to fly undetected.
- HTTP Flood. To initiate this incursion, a threat actor shells a web application with malformed GET or POST requests. To imitate natural traffic, this technique may engage a botnet of previously infected devices.
- Recursive HTTP GET Flood. To carry out this attack, a perpetrator requests a series of web pages from a server and examines the replies. Then, each web page element is recurrently queried to overburden the server.
- Random Recursive GET Flood. The usual targets of this DDoS attack are websites that contain recursive pages. Forums and blogs are common examples. An adversary sends numerous GET requests to knock the resource offline. To feign real traffic, the attacker picks page numbers randomly from a valid set.
- Single Session HTTP Flood. A malicious actor establishes a single HTTP session that spawns multiple requests lurking within the same HTTP packet. In addition to magnifying the disruptive effect, this technique can bypass some network protections that do not flag such traffic as abnormal.
- LDAP Amplification. This attack misuses the Lightweight Directory Access Protocol (LDAP) that facilitates username and password verification to access web applications in the enterprise environment. A criminal submits tiny requests conveying a target’s IP address to an unsecured LDAP server, which replies to that IP recurrently. In the aftermath of this flood, the victim network runs out of resources.
- Smurf Attack. By harnessing a strain of malware called Smurf, a criminal torpedoes a large number of Internet-enabled devices with phony ICMP echo requests. Since these packets contain the victim server’s IP address, the devices reply back to that IP and thereby overwhelm the server with traffic it cannot handle.
- Ping of Death Attack. A malefactor deluges a network with ping packets that “weigh” more than 64 bytes, which is the maximum permitted size. The receiving server tries to reassemble these offbeat packets to no avail and eventually crashes.
- IP Null Attack. To launch this incursion, an evildoer targets a server with IPv4 packets in which the header value is set to null. These irregular messages confuse the server to the extent that it can no longer operate properly.
- Fraggle Attack. This foul play involves rogue UDP packets carrying a knockoff IP address of the target’s router. As a result, the network device replies to itself non-stop until it becomes incapable of reacting to legitimate requests.
- LAND Attack. LAND – short for Local Area Network Denial – is a raid relying on dodgy SYN packets in which the source IP and the destination IP are an exact match. The victim server is thereby pulled into a loop of iterative responses to itself, which causes a denial-of-service predicament.
- Slowloris. An attacker initiates a bevy of simultaneous connections to a web server and keeps them active by periodically adding split packets and HTTP headers. These connections stay uncompleted for a long time and waste the server’s processing capacity. On a side note, a single computer can be enough to execute the Slowloris onslaught.
- ReDoS. To mount a ReDoS (Regular Expression Denial-of-Service) attack, a criminal floods a web application with string searches whose algorithmic complexity diminishes the productivity of the associated server.
- Misused Application Attack. At the first stage of this offensive, a hacker gains a foothold in multiple machines running resource-heavy utilities (e.g., peer-to-peer solutions). Next, the villain reflects hefty volumes of web traffic from these devices to an intended victim’s server.
- Low Orbit Ion Cannon (LOIC). Ideally, LOIC is used as a tool that allows security experts to identify the pain points of a network by stress-testing it. However, sometimes criminals turn the original purpose upside down by mishandling it to deplete a server’s resources with fake HTTP, UDP, and TCP packets.
- High Orbit Ion Cannon (HOIC). This is a LOIC spin-off with a much higher stress-testing potential under its hood. DDoS actors often hinge on it to generate myriads of HTTP POST and GET requests and knock a target server offline in a snap. Incidentally, HOIC can concurrently home in on more than 250 domains.
- Zero-Day DoS. This form of cyber-assault relies on previously unknown flaws in a server, a web application, or the implementation of a network protocol. It comes as no surprise that companies are hardly ever prepared to dodge this attack vector.
- APDoS. The acronym stands for “Advanced Persistent Denial-of-Service.” This mechanism kicks in when attackers blend a series of different techniques to deteriorate the performance of a network or a server. Another hallmark of this attack is that it usually lasts for weeks and survives traditional incident response methods.
- IoT Botnet Attack. This is one of the most destructive types of DDoS as it can generate immense data transfer rates that reach several terabits per second. These attacks parasitize a network of compromised Internet of Things (IoT) devices to generate fraudulent traffic and route it toward a computer network.
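As an added, constructed illustration that is not part of the article, the following Python flags two of the signatures from the list above in a batch of packet records: a SYN flood, by the share of SYNs that never complete the handshake, and NTP/SSDP/SNMP/CHARGEN/LDAP reflection, by UDP replies arriving from well-known amplifier ports that the host never requested. The record format, thresholds, and sample addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, matching the NTP, SSDP, SNMP,
# CHARGEN and LDAP floods described above (source port -> service name).
AMPLIFIER_PORTS = {123: "NTP", 1900: "SSDP", 161: "SNMP", 19: "CHARGEN", 389: "LDAP"}

def flow(src, dst, proto, sport, dport, flags="", size=60):
    """Build one constructed packet record (IPs, ports, TCP flags, byte count)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "flags": flags, "size": size}

VICTIM = "203.0.113.10"  # constructed sample address (documentation range)

# Constructed sample traffic: one legitimate handshake, six spoofed SYNs that are
# never completed, and four NTP replies the victim never asked for.
SAMPLE = [
    flow("198.51.100.5", VICTIM, "tcp", 40001, 443, "S"),
    flow(VICTIM, "198.51.100.5", "tcp", 443, 40001, "SA"),
    flow("198.51.100.5", VICTIM, "tcp", 40001, 443, "A"),
]
SAMPLE += [flow(f"198.51.100.{i}", VICTIM, "tcp", 50000 + i, 443, "S") for i in range(20, 26)]
SAMPLE += [flow(f"192.0.2.{i}", VICTIM, "udp", 123, 33000 + i, size=468) for i in range(1, 5)]

def detect_syn_flood(flows, min_syns=5, half_open_ratio=0.8):
    """Per destination: SYNs received vs. handshake-completing ACKs from the same (src, sport)."""
    syns, acks = defaultdict(set), defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["flags"] == "S":
            syns[f["dst"]].add((f["src"], f["sport"]))
        elif f["flags"] == "A":
            acks[f["dst"]].add((f["src"], f["sport"]))
    alerts = {}  # dst -> number of half-open (never completed) connection attempts
    for dst, s in syns.items():
        half_open = len(s - acks[dst])
        if len(s) >= min_syns and half_open / len(s) >= half_open_ratio:
            alerts[dst] = half_open
    return alerts

def detect_reflection(flows, min_sources=3):
    """Per (dst, service): UDP replies from amplifier ports with no matching outbound request."""
    requested = {(f["src"], f["dst"], f["dport"]) for f in flows if f["proto"] == "udp"}
    hits = defaultdict(lambda: defaultdict(lambda: [set(), 0]))  # dst -> svc -> [sources, bytes]
    for f in flows:
        svc = AMPLIFIER_PORTS.get(f["sport"])
        if f["proto"] != "udp" or svc is None:
            continue
        if (f["dst"], f["src"], f["sport"]) in requested:  # the host really queried it
            continue
        hits[f["dst"]][svc][0].add(f["src"])
        hits[f["dst"]][svc][1] += f["size"]
    return {(dst, svc): (len(srcs), nbytes) for dst, per in hits.items()
            for svc, (srcs, nbytes) in per.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))
    print(detect_reflection(SAMPLE))
```

On real data the same two checks apply to NetFlow/sFlow exports or a packet capture summary, with thresholds tuned to the host's normal connection rate.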
DDoS Mitigation Best Practices
DDoS is one of the oldest and fastest-evolving areas of cybercrime, and it is front and center in some of today’s most destructive attacks targeting the enterprise. This type of cybercrime keeps evolving quickly, relying on botnets, open-source network stress testing frameworks, scams, and other means. Therefore, organizations should have effective defenses in place to emerge unscathed if disaster strikes. An increasingly popular and reliable method is to outsource DDoS mitigation to a trusted cloud-based service such as Cloudflare, Sucuri, or Akamai.
It is also a good idea to leverage an intrusion prevention system (IPS) along with a web application firewall (WAF). The former protects a network against malicious code and hacker attacks, while the latter thwarts web application abuse via cross-site scripting (XSS), cross-site request forgery (CSRF), or SQL injection.
Even on a limited budget, timely software updates are a hugely important element of DDoS protection. Vulnerability patches raise the bar for malefactors and prevent the network infrastructure from becoming easy prey.
About the Author – David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. https://www.linkedin.com/in/david-balaban/