DDoS

Denial-of-Service & Distributed Denial-of-Service Attacks

A denial-of-service (DoS) attack exhausts a system's resources (bandwidth, connection state, CPU or memory) so that it can no longer respond to legitimate requests. A distributed denial-of-service (DDoS) attack has the same goal but is launched from a large number of compromised hosts, typically infected with malware and remotely controlled by the attacker, which makes the traffic much harder to filter at the source or trace back.

Unlike attacks designed to gain or extend access, denial of service gives the attacker no foothold on the target. The benefit is indirect: the attacked resource may belong to a business competitor, the attacker may demand payment to stop (DDoS extortion), or the outage may be a means to an end, taking a system offline so that a different attack can be launched while defenders are occupied.

There are several types of DoS and DDoS attacks. The most common are ping-of-death attacks, TCP SYN floods, teardrop attacks, smurf attacks, and volumetric floods launched from botnets.

Ping of death attacks

This attack sends an ICMP echo request (ping) whose reassembled size exceeds the IPv4 maximum of 65,535 bytes, header included. No single packet of that size can be transmitted, so the attacker sends it as IP fragments whose offsets add up to more than the limit. When the target reassembles the fragments, the data overruns the reassembly buffer and the host crashes or freezes. The bug affected many operating systems in the mid-1990s and was patched in all mainstream systems shortly afterwards.

Modern operating systems reject fragment sets that would reassemble beyond 65,535 bytes. Where legacy or embedded hosts remain, a firewall that tracks fragment offsets and the resulting total size, rather than inspecting each fragment in isolation, can drop the oversized set before it reaches them.

TCP SYN flood attacks

This attack makes a server unavailable to legitimate clients by exhausting its connection state. The attacker sends a stream of TCP SYN (connection request) packets, usually from spoofed source addresses, and never completes the handshake when the server answers with SYN-ACK. Each unanswered SYN leaves a half-open connection in the listen backlog until it times out; once the backlog is full, new SYNs from real clients are dropped and those clients see connection timeouts.

Do not simply block inbound SYN packets at the firewall: every TCP connection begins with a SYN, so that blocks legitimate clients as effectively as the attack does. Practical countermeasures are SYN cookies (on Linux, net.ipv4.tcp_syncookies=1), which let the server answer SYNs without storing state until the handshake completes; a larger listen backlog combined with a shorter timeout for half-open connections; and a firewall or load balancer that proxies the handshake so that only completed connections reach the server.
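The two behaviours described above, a backlog that fills with half-open connections and a SYN-cookie listener that keeps no state, as an added simulation written for this page (not code from any operating system). The backlog size, timeout, secret and the 64-second cookie counter are assumed values, and the cookie scheme is simplified from Bernstein's original (no MSS encoding); the spoofed sources are constructed.

```python
import hashlib
import hmac

# Assumed listener parameters for the simulation (not taken from any real stack).
BACKLOG = 128            # half-open connections the listen queue holds
SYN_RECV_TIMEOUT = 60    # seconds a half-open entry survives without an ACK


class StatefulListener:
    """Classic behaviour: each SYN reserves a backlog slot until the ACK arrives
    or the entry times out. Attackers never send the ACK, so slots fill up."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_RECV_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}  # (src_ip, src_port) -> arrival time of the SYN

    def on_syn(self, src, now):
        """Return True if the SYN was accepted (SYN-ACK sent), False if dropped."""
        # Reap entries whose timer expired; a shorter timeout frees slots sooner.
        for key, arrived in list(self.half_open.items()):
            if now - arrived > self.timeout:
                del self.half_open[key]
        if len(self.half_open) >= self.backlog:
            return False  # queue full: a real client's SYN is silently dropped
        self.half_open[src] = now
        return True

    def on_ack(self, src):
        """Complete the handshake if we still hold state for this client."""
        return self.half_open.pop(src, None) is not None


class SynCookieListener:
    """Stateless alternative (simplified SYN cookies): the server encodes a MAC
    of the connection 4-tuple and a coarse time counter in its initial sequence
    number and stores nothing. A returning ACK proves the client received the
    SYN-ACK at its claimed address."""

    COUNTER_SECONDS = 64  # assumed granularity of the time counter

    def __init__(self, secret):
        self.secret = secret

    def _cookie(self, four_tuple, counter):
        msg = ("|".join(map(str, four_tuple)) + f"|{counter}").encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top byte: counter (mod 256); low 24 bits: truncated MAC
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def syn_ack_isn(self, four_tuple, now):
        """ISN to put in the SYN-ACK; no per-connection state is kept."""
        return self._cookie(four_tuple, int(now) // self.COUNTER_SECONDS)

    def validate_ack(self, four_tuple, ack_number, now):
        """The client acknowledges ISN+1. Accept the current or the previous
        counter window so slow clients still get through."""
        isn = (ack_number - 1) & 0xFFFFFFFF
        current = int(now) // self.COUNTER_SECONDS
        return any(self._cookie(four_tuple, c) == isn for c in (current, current - 1))


def flood_then_connect(n_attack_syns, retry_after=0):
    """n spoofed SYNs hit a stateful listener at t=0 and are never acknowledged;
    a legitimate client sends its SYN at t=retry_after. Returns whether the
    legitimate SYN was accepted."""
    srv = StatefulListener()
    for i in range(n_attack_syns):
        # constructed spoofed sources; the attacker never answers the SYN-ACK
        srv.on_syn((f"198.51.100.{i % 250 + 1}", 10000 + i), now=0)
    return srv.on_syn(("203.0.113.7", 40000), now=retry_after)


def cookie_handshake(ack_delay):
    """A client gets its SYN-ACK at t=1000 and returns the ACK ack_delay seconds
    later. Returns whether the cookie listener accepts the handshake."""
    srv = SynCookieListener(secret=b"per-host-secret")  # assumed secret
    four_tuple = ("203.0.113.7", 40000, "198.51.100.10", 443)
    isn = srv.syn_ack_isn(four_tuple, now=1000)
    return srv.validate_ack(four_tuple, (isn + 1) & 0xFFFFFFFF, now=1000 + ack_delay)


if __name__ == "__main__":
    print("64 spoofed SYNs, real client connects:", flood_then_connect(64))
    print("200 spoofed SYNs, real client connects:", flood_then_connect(200))
    print("200 spoofed SYNs, real client retries after timeout:", flood_then_connect(200, 61))
    print("cookie ACK after 5 s accepted:", cookie_handshake(5))
    print("cookie ACK after 200 s accepted:", cookie_handshake(200))
```

The stateful listener drops the real client only while the half-open entries are younger than the timeout, which is why shortening the timeout helps; the cookie listener has no queue to fill, and a replayed ACK from outside the accepted time window is rejected because the counter byte in the cookie no longer matches.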

Teardrop attacks

This attack sends IP fragments whose offsets overlap, for example a second fragment that claims to start inside the bytes the first fragment already delivered. Reassembly code that trusted the offsets miscomputed the copy length and crashed the host. Like the ping of death, teardrop targeted operating systems of the late 1990s and is fixed by vendor patches.

Keeping operating systems patched is the real fix, because fragment reassembly happens at the IP layer on every host regardless of which service the fragments are aimed at. For a system that cannot be patched, the commonly cited workaround of disabling SMBv2 and blocking TCP ports 139 and 445 reduces the exposure of one frequently targeted service, but it does not stop malformed fragments sent to other ports; a fragment-aware firewall in front of the legacy host does.
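The checks a fragment-aware firewall or a patched host stack applies before reassembling a datagram, covering both the ping-of-death bound (total size past 65,535 bytes) and the teardrop overlap, as an added example written for this page rather than code from any firewall. The fragment sets are constructed; the header length is assumed to be 20 bytes (no IP options).

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535  # largest IPv4 total length the 16-bit Total Length field allows
IP_HEADER_LEN = 20    # assumed header size without options, for the reassembled total


@dataclass(frozen=True)
class Fragment:
    """One IP fragment reduced to the three fields reassembly checks depend on."""
    offset: int  # Fragment Offset field, in 8-byte units (13 bits, so at most 8191)
    length: int  # payload bytes carried by this fragment
    more: bool   # More Fragments (MF) flag


def check_fragments(frags):
    """Classify the fragments of one datagram before any payload is copied.

    Returns:
      "oversize"   - data would extend past 65,535 bytes (ping of death)
      "overlap"    - a fragment rewrites bytes another already covers (teardrop)
      "malformed"  - a fragment with MF clear is not the last one
      "incomplete" - gaps remain or the final fragment has not arrived
      "ok"         - bounded, non-overlapping, contiguous and terminated
    """
    spans = sorted((f.offset * 8, f.offset * 8 + f.length, f.more) for f in frags)

    # 1. Size bound: one hostile fragment is enough to overrun a fixed 64 KiB
    #    reassembly buffer, so reject it before waiting for the rest.
    for _start, end, _more in spans:
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            return "oversize"

    # 2. Overlap: fragments must tile the datagram without rewriting bytes.
    #    Teardrop-era stacks derived the copy length from these offsets.
    covered_to = 0
    for start, end, _more in spans:
        if start < covered_to:
            return "overlap"
        covered_to = end

    # 3. Termination and contiguity.
    if any(not more for _s, _e, more in spans[:-1]):
        return "malformed"
    expected = 0
    for start, end, _more in spans:
        if start != expected:
            return "incomplete"
        expected = end
    if not spans or spans[-1][2]:
        return "incomplete"
    return "ok"


# Constructed fragment sets (not captured traffic). 1480-byte payloads match a
# 1500-byte MTU minus the 20-byte IP header.
NORMAL_PING = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 1480, False)]
# Final fragment at offset 8189 (65,512 bytes) plus 1,480 bytes of data = 66,992 bytes.
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8189, 1480, False)]
# Second fragment claims to start at byte 24, inside the 36 bytes the first delivered.
TEARDROP = [Fragment(0, 36, True), Fragment(3, 24, False)]
# Middle fragment missing: not hostile, just not ready to reassemble.
INCOMPLETE = [Fragment(0, 1480, True), Fragment(370, 1480, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL_PING), ("ping of death", PING_OF_DEATH),
                        ("teardrop", TEARDROP), ("incomplete", INCOMPLETE)]:
        print(f"{name}: {check_fragments(frags)}")
```

The size bound is checked first and on every fragment individually: a firewall must not wait for a complete set before deciding, because the oversize fragment alone is what overruns the buffer on the host.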

Smurf attacks

By combining IP spoofing with Internet Control Message Protocol (ICMP) echo requests, an attacker can overwhelm a target network with traffic it never asked for. The echo requests carry a spoofed source address, the victim's, and are sent to a network's broadcast address. For instance, if the victim's IP address is 10.0.0.90, the attacker sends an ICMP echo request that appears to come from 10.0.0.90 to the broadcast address 10.255.255.255. The request is delivered to every host in the range, and every host that answers sends its reply to 10.0.0.90, so each attacker packet is multiplied by the number of responding hosts. The process is easily automated to generate a sustained flood of reflected traffic.

To protect your network from being used as a smurf amplifier, disable IP-directed broadcasts on the routers (on Cisco IOS, no ip directed-broadcast, the default since IOS 12.0), so that an echo request addressed to a subnet's broadcast address is dropped at the router rather than expanded to every host. As a second layer, configure end systems not to respond to echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, which current kernels set by default).
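The amplification described above and the effect of the two settings, as an added simulation written for this page (not code from any router or host). It models one spoofed request against a /24 rather than the /8 in the text, and adds a small detector that flags destinations receiving echo replies from many distinct hosts; the network, victim address and threshold are constructed values.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values


def deliver_at_router(pkt, local_nets, directed_broadcast):
    """Return the hosts the router delivers this packet to. With directed
    broadcasts disabled (Cisco 'no ip directed-broadcast'), a packet for a
    subnet's broadcast address is dropped at the router instead of being
    handed to every host on the segment."""
    dst = ipaddress.ip_address(pkt["dst"])
    for net in local_nets:
        if dst == net.broadcast_address:
            return [str(h) for h in net.hosts()] if directed_broadcast else []
        if dst in net:
            return [str(dst)]
    return []


def host_reply(host, pkt, net, ignore_broadcasts):
    """Return the echo reply a host sends, or None. With ignore_broadcasts set
    (Linux net.ipv4.icmp_echo_ignore_broadcasts=1) a request addressed to the
    subnet broadcast gets no answer."""
    if pkt["type"] != ECHO_REQUEST:
        return None
    if ignore_broadcasts and ipaddress.ip_address(pkt["dst"]) == net.broadcast_address:
        return None
    return {"src": host, "dst": pkt["src"], "type": ECHO_REPLY}


def simulate_smurf(network="192.0.2.0/24", victim="10.0.0.90", *,
                   directed_broadcast=True, ignore_broadcasts=False):
    """One attacker packet: an echo request with the victim's address spoofed
    as source, sent to the broadcast address of `network`. Returns the replies
    that reach the victim."""
    net = ipaddress.ip_network(network)
    spoofed = {"src": victim, "dst": str(net.broadcast_address), "type": ECHO_REQUEST}
    replies = []
    for host in deliver_at_router(spoofed, [net], directed_broadcast):
        reply = host_reply(host, spoofed, net, ignore_broadcasts)
        if reply is not None:
            replies.append(reply)
    return replies


def reflection_victims(packets, min_sources=50):
    """Detection side: destinations receiving echo replies from at least
    min_sources distinct hosts. Many replies converging on one address is the
    signature of reflected traffic, whether the target is inside or outside."""
    sources = defaultdict(set)
    for p in packets:
        if p["type"] == ECHO_REPLY:
            sources[p["dst"]].add(p["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print("replies per spoofed request, defaults off:", len(simulate_smurf()))
    print("router drops directed broadcast:", len(simulate_smurf(directed_broadcast=False)))
    print("hosts ignore broadcast pings:", len(simulate_smurf(ignore_broadcasts=True)))
    print("flagged destinations:", reflection_victims(simulate_smurf()))
```

Either setting alone is enough to bring the amplification factor to zero for this network; the router setting is the one to rely on, because it does not depend on every host on the segment being configured correctly.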

Botnets

A botnet is a network of malware-infected computers under an attacker's control. The bots are directed to send traffic at a victim simultaneously, overwhelming its bandwidth or processing capacity. These DDoS attacks are hard to trace and block because the traffic comes from thousands of otherwise legitimate hosts spread across many networks and countries, not from a single source that can simply be filtered.

Spoofed traffic from botnets can be reduced by RFC 3704 (BCP 84) ingress filtering, usually implemented as unicast reverse path forwarding (uRPF): a router drops packets whose source address is not reachable back through the interface they arrived on, so forged sources never leave the network that would originate them. This limits spoofing but does nothing against bots that send from their real addresses.

Another tool is black hole filtering, in its operational form remotely triggered black hole (RTBH) routing: the operator injects a route that sends traffic for the attacked address, or from known attack sources, to a null interface at the network edge, so it is discarded before it crosses the network. Destination-based black-holing sacrifices reachability of the victim address in order to keep the rest of the network up.
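Both filters, RFC 3704 reverse-path checks in strict and loose mode and null-route black-holing by destination and by source, as an added model written for this page (not code from any router vendor). The routing table uses documentation prefixes and is constructed; interface names and the null0 convention are assumed.

```python
import ipaddress


class EdgeRouter:
    """Minimal model of two edge filters: RFC 3704 reverse-path checks on the
    source address and remotely triggered black hole (RTBH) null routes."""

    NULL_INTERFACE = "null0"  # discard interface used for black-hole routes

    def __init__(self, routes):
        # routes: iterable of (prefix, interface); a route to null0 is a black hole
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr):
        """Longest-prefix match. Returns the egress interface, or None if unrouted."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best[1] if best else None

    def urpf_passes(self, src, ingress, mode):
        """Unicast reverse-path forwarding on the source address.
        strict: the best route back to src must leave via the ingress interface
                (suitable for single-homed customer links).
        loose:  src merely needs a real route; unrouted or black-holed sources
                fail (suitable for multihomed or asymmetric links)."""
        egress = self.lookup(src)
        if egress is None or egress == self.NULL_INTERFACE:
            return False
        return egress == ingress if mode == "strict" else True

    def decide(self, pkt, ingress, mode="strict"):
        """Return 'forward' or a drop reason for a packet arriving on `ingress`."""
        if self.lookup(pkt["dst"]) == self.NULL_INTERFACE:
            return "drop:rtbh-destination"  # victim address sacrificed to save the link
        if not self.urpf_passes(pkt["src"], ingress, mode):
            return "drop:urpf-source"       # spoofed, unrouted, or black-holed source
        return "forward"


# Constructed routing table (documentation prefixes, not a real network):
#   a customer prefix behind cust1, a peer prefix behind up0, one attacking host
#   black-holed by source (loose uRPF plus a null route) and one victim address
#   black-holed by destination while it is under attack.
ROUTER = EdgeRouter([
    ("203.0.113.0/24", "cust1"),
    ("198.51.100.0/24", "up0"),
    ("198.51.100.200/32", "null0"),
    ("192.0.2.80/32", "null0"),
])

if __name__ == "__main__":
    cases = [
        ({"src": "203.0.113.5", "dst": "198.51.100.7"}, "cust1", "strict"),  # customer, own address
        ({"src": "203.0.113.5", "dst": "198.51.100.7"}, "up0", "strict"),    # customer address from upstream: spoofed
        ({"src": "10.0.0.90", "dst": "203.0.113.5"}, "up0", "loose"),        # no route to source
        ({"src": "198.51.100.200", "dst": "203.0.113.5"}, "up0", "loose"),   # source black-holed
        ({"src": "198.51.100.7", "dst": "192.0.2.80"}, "up0", "strict"),     # destination black-holed
    ]
    for pkt, ingress, mode in cases:
        print(pkt["src"], "->", pkt["dst"], "on", ingress, mode, ":", ROUTER.decide(pkt, ingress, mode))
```

Strict mode is the one that actually stops a customer from spoofing other networks' addresses; loose mode only rejects sources with no route at all or with a black-hole route, which is what makes source-based RTBH work on links where strict checks would break asymmetric routing.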

Conclusion

NetScout Systems, a network performance software vendor, reported that in the first half of 2021, threat actors launched 5.4 million DDoS attacks. More than 50% of those were DDoS extortion attacks in the financial industry.

According to Kaspersky, in the last quarter of 2021 the total number of DDoS attacks increased by 52% compared to the previous quarter and was 4.5 times higher than in Q4 2020.

As businesses and financial institutions grow more dependent on online services, a cybersecurity strategy is essential that combines professional human response with automated defenses able to detect and block modern DDoS attacks at the speed they arrive.