Welcome to Hawatel's blog!
April 29, 2019 | Cyber security / Infrastructure management
Types and sources of distributed denial of service (DDoS) attacks
Distributed Denial of Service (DDoS) attacks aim to disrupt the normal operation of applications and portals, primarily by overwhelming them until they stop responding. These malicious campaigns are often well organized and, unfortunately, effective. They are commonly carried out from infected computers whose owners are unaware that their machines are participating in criminal activity. Cybercriminals sometimes rent dedicated services that use a botnet for this purpose.
According to a report by Kaspersky Lab, renting a botnet of approximately 1,000 computers to carry out attacks costs an average of $5 for a 300-second DDoS attack, and up to $400 per day. Such services are widely available to anyone. It is reasonable to assume that for $5, significant damage can be inflicted on various services, such as e-commerce platforms, especially during pre-holiday periods.
Types of DDoS attacks
Among distributed attacks, several are the most popular and relatively easy for any internet user to execute:
- UDP Flood: This involves sending a large number of UDP packets to the target, which responds to each one with an ICMP packet indicating that nothing is listening on that port (ICMP Destination Unreachable). Additionally, the attacker can spoof the source IP address, causing the targeted server to send its ICMP replies to a third-party server not involved in the attack.
- ICMP (Ping) Flood: This involves sending a large number of ICMP Echo Request packets, each of which forces the server to respond (ICMP Echo Reply).
- SYN Flood: This simulates an attempt to establish a TCP connection by sending only the first packet (SYN) of the three-way handshake, forcing the targeted server to respond (SYN-ACK) and wait for a final reply (ACK) that never arrives. The attack aims to exhaust the server's resources, making the application unavailable or significantly slower.
- Slowloris: This method involves opening the maximum number of connections to a web server and keeping them open for as long as possible, so that the web server rejects real users' connections because its connection limit has been reached.
- HTTP Flood: This involves sending a large number of HTTP GET and POST requests, aiming to exhaust the web server's resources.
Sources of attacks
According to the Kaspersky Lab report from Q4 2018, the largest source of Botnet networks used for DDoS attacks is the United States, accounting for 43.48% of all disclosed attacks. The United Kingdom ranks second with 7.88% (Diagram 1).
Diagram 1 – Locations of Botnet Networks Used for DDoS Attacks (Q4 2018)
DDoS attacks often simultaneously employ several of the aforementioned attack types, making them extremely dangerous for the operation of applications and IT systems. Diagram 2 shows the distribution of DDoS attack types in 2018.
Diagram 2 – Types of DDoS Attacks in 2018
Protection against DDoS
Protecting against DDoS attacks such as UDP Flood, SYN Flood, and ICMP Flood is relatively easy to implement. For UDP and ICMP floods, the simplest method is to block the packets at the firewall. For SYN Flood, a mechanism called SYN Cookies can be enabled in the operating system's TCP stack, which significantly reduces the server's resource usage during the attack.
In the case of HTTP Flood or Slowloris attacks, the situation is not as straightforward. Application layer attacks are challenging to defend against because the connection source must be allowed through the firewall before its intentions can be assessed. Therefore, organizations should implement mechanisms that analyze user behavior, collect HTTP activity metrics, prioritize selected connections, block non-standard HTTP requests, and block sources with a bad reputation on the Internet.
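As an added illustration of two of the application-layer measures mentioned above (collecting HTTP activity metrics per source and spotting non-standard requests), the following Python example is not part of the original article or of any vendor product. It parses web server access logs in Common Log Format, flags sources whose request rate inside a sliding window exceeds a threshold, and lists request lines that do not look like normal HTTP; the log lines, IP addresses, window size and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A "standard" request line: known method, a target, a real HTTP version.
REQUEST_RE = re.compile(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/(1\.0|1\.1|2)$')

def parse_line(line):
    """Return (source_ip, timestamp, request_line), or None for a malformed log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), request

def flood_sources(lines, window_seconds=10, max_requests=50):
    """Return {source_ip: peak_requests} for every source that sent more than
    max_requests within any sliding window of window_seconds.
    Lines from the same source must be in chronological order."""
    windows = defaultdict(deque)  # ip -> timestamps still inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _request = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_seconds:  # drop expired entries
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def nonstandard_requests(lines):
    """Return (source_ip, request_line) for request lines that are not plain HTTP."""
    parsed = (parse_line(l) for l in lines)
    return [(ip, req) for ip, _ts, req in filter(None, parsed) if not REQUEST_RE.match(req)]

def make_sample():
    """Constructed sample log (not real traffic): one source sending 120 requests in
    5 seconds, one normal visitor with 3 requests, and one malformed request line."""
    fmt = '{ip} - - [29/Apr/2019:10:00:{sec:02d} +0000] "{req}" 200 512'
    lines = [fmt.format(ip="203.0.113.7", sec=i // 24, req="GET / HTTP/1.1") for i in range(120)]
    lines += [fmt.format(ip="198.51.100.9", sec=s, req="GET /index.html HTTP/1.1") for s in (0, 3, 7)]
    lines.append(fmt.format(ip="198.51.100.9", sec=9, req="FOO /../etc HTTP/9.9"))
    return lines

if __name__ == "__main__":
    sample = make_sample()
    print("flood sources:", flood_sources(sample))
    print("non-standard requests:", nonstandard_requests(sample))
```

The threshold and window size here are illustrative; in practice they are tuned against the measured baseline of legitimate traffic for the protected application.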
One comprehensive solution for protecting organizations against DDoS attacks that we implement for clients is Citrix Netscaler ADC / WAF. In the article “Citrix Netscaler as a Central Protection Against DDoS,” I described what I consider the priority functionalities of Citrix solutions, which make it more effective to block distributed attacks on web applications.
Sources:
- Kaspersky Lab Report – DDoS Attacks in Q4 2018
- Kaspersky Lab – Cost of Carrying Out a DDoS Attack
- Cloudflare Blog