Michael's Blog

Denial of Service Dos & Distributed Denial of Service DDos

Denial of Service Dos & Distributed Denial of Service DDos

Michael's photo
Michael
·

6 min read

An attacker can generate sufficient traffic to starve your server of resources, they can make deny service to legitimate users. Denial-of-service attacks are designed to make a site unavailable to regular users.

  • In a DoS attack, a single computer or a small group of computers sends an overwhelming amount of traffic or requests to a target server or network resource.

  • The goal of a DoS attack is to disrupt or deny access to the targeted resource by consuming its available bandwidth, processing capacity, or other system resources.

  • Typically, the attacker controls and directs all the attack traffic from their own system or a few compromised systems.

It is relatively easy to trigger this maximum limit by querying the site in a continuous loop, using a tool like cURL. There are only two lines needed in order to create a valid HTTP 1.1 request.

#!/bin/bash

# Set the target URL
TARGET_URL="http://example.com"

# Loop indefinitely
while true; do
    # Send an HTTP GET request to the target URL using cURL
    curl -sS -X GET "$TARGET_URL" > /dev/null
done

The curl allows you to send custom HTTP requests with various methods such as GET, POST, PUT, DELETE .

In the OSI model, the Transport Layer (Layer 4) is responsible for ensuring reliable, end-to-end communication between devices across a network. TCP, being a connection-oriented protocol, manages the establishment, maintenance, and termination of connections between hosts. It also handles error detection, retransmission of lost packets, and flow control.

A SYN flood is a type of DoS (Denial of Service) attack that targets the TCP (Transmission Control Protocol) handshake process, which is used to establish connections between two devices over a network. In a SYN flood attack, the attacker sends a flood of TCP SYN (synchronize) packets to the target server, overwhelming it with connection requests and ultimately causing it to become unresponsive to legitimate traffic. The server ends up with a significant number of half-open connections, where resources are allocated but the connections are not fully established.

Various methods can be used to send large number of TCP SYN packets to a target server while preventing the completion of the TCP handshake and subsequent ACK packets.

The attacker can use techniques such as IP address spoofing to make it appear as if the SYN packets are coming from legitimate source IP addresses. This makes it harder for the target server to differentiate between legitimate and malicious traffic.

There are specialized software tools available (e.g., hping, Scapy) that allow attackers to craft and send customized packets, including TCP SYN packets, to target servers. These tools provide options to specify various parameters of the packets, such as the source IP address, destination IP address, and TCP flags.

Slow read attack the attacker sends data to a server very slowly, bit by bit, instead of all at once. This tricks the server into keeping connections open longer than necessary.

The attacker sends data to the server very slowly, making it seem like a legitimate request for a webpage or file.

The server waits patiently for more data to arrive before processing the request fully.

While the server is waiting, it keeps the connection open, tying up resources.

With enough slow connections, the server becomes overwhelmed and can’t handle new requests from legitimate users, causing a denial of service.

Reflected attacks also known as reflection attacks, involve an attacker sending requests to a third-party server that will reflect or bounce those requests to the target server.

In a reflected attack:

The attacker sends requests to a third-party server, making it look like the requests are coming from the target server.

The third-party server, thinking the requests are legitimate, responds by sending data back to the target server.

The target server receives the data, believing it originated from the client, and processes it accordingly.

This creates a situation where the attacker can exploit the third-party server’s responses to indirectly attack the target server. Common examples of reflected attacks include DNS amplification attacks, where the attacker sends DNS queries to open DNS resolvers with spoofed source IP addresses, causing the resolvers to send large responses to the victim’s IP address, overwhelming it with traffic.

In essence, reflected attacks leverage the unwitting participation of intermediary servers to amplify and direct malicious traffic towards the target, making them appear as the origin of the attack.

Protection against DoS attack

Blocking Specific IPs: Firewalls have the ability to block traffic based on specific IP addresses. If an IP address is identified as malicious, the firewall can be configured to block all traffic originating from that IP address.

Use of IP Netmasks: IP netmasks are used to define ranges of IP addresses. Instead of blocking individual IP addresses, administrators can specify a range of IP addresses to block. For example, they can block all IP addresses within a certain range or subnet. For example, let’s say you have an IP address of 192.168.1.100 and a netmask of 255.255.255.0. Applying the netmask, you find:

  • Network Address: 192.168.1.0 (the first three numbers remain unchanged)

  • Host Address: 0.0.0.100 (the last number represents the host within the network)

Now, let’s apply this concept to blocking ranges of IP addresses:

  • If you want to block a specific range of IP addresses, you can specify a netmask that covers all the IP addresses in that range. For example, if you want to block all IP addresses from 192.168.1.0 to 192.168.1.255, you would use a netmask of 255.255.255.0.

  • If you want to block a larger range of IP addresses, you can adjust the netmask accordingly. For example, if you want to block all IP addresses from 192.168.0.0 to 192.168.255.255, you would use a netmask of 255.255.0.0.

Isolating Malicious Traffic: When a DoS attack occurs, network administrators can use a firewall to monitor incoming traffic. If they detect malicious behavior from a particular source, they can block all traffic from that source, effectively isolating it from the network.

While using IP netmasks and firewalls to block specific IP addresses or ranges of IP addresses can be effective in mitigating certain types of attacks, such as those originating from a single or a few sources, they are often insufficient in defending against large-scale DDoS (Distributed Denial of Service) attacks.

In a DDoS attack, the malicious traffic originates from a large number of distributed sources, often spanning across multiple networks or even continents. These sources can include compromised devices in botnets, spoofed IP addresses, and other methods to mask the true origin of the attack traffic.

Here’s why traditional IP-based blocking techniques are ineffective against DDoS attacks:

High Volume of Traffic: DDoS attacks generate an overwhelming amount of traffic, far beyond what a single server or network can handle. Blocking individual IP addresses or ranges of IP addresses becomes impractical when dealing with such a massive volume of attack traffic.

Changing Attack Sources: Attackers frequently change the sources of their attack traffic, making it challenging to keep up with blocking strategies based solely on IP addresses. By the time administrators identify and block one set of IP addresses, the attackers may have already shifted to new sources.

IP Address Spoofing: Attackers often use techniques like IP address spoofing to disguise the origin of their attack traffic. This makes it difficult to distinguish between legitimate and malicious traffic based solely on IP addresses.

To effectively mitigate DDoS attacks:

  • Traffic Scrubbing: Filtering incoming traffic to remove malicious packets while allowing legitimate traffic to pass through.

  • Rate Limiting: Implementing rate-limiting policies to mitigate the impact of high-volume traffic spikes.

  • Anomaly Detection: Using anomaly detection systems to identify abnormal patterns in network traffic and trigger mitigation measures.

  • Content Delivery Networks (CDNs): Distributing content across multiple servers and data centers to absorb and mitigate DDoS attacks closer to the source. Allowing frequently accessed resources to a 3rd party service are designed to withstand large amount of traffic.

dos attack#cybersecurityowaspOWASP TOP 10ddos attacks