Kinaro's blog of things

Distributed Denial of Service

June 14, 2019

Distributed denial of service results from multiple devices overwhelming servers and load balancers with voluminous traffic. This is achieved using botnets, abusing authentication protocols or misconfigured services. There are many types of DDoS attacks.

UDP Flood

Random ports on a target machine are flooded with UDP packets. For each packet the host checks whether an application is listening on that port and, finding none, replies with an ICMP packet, so both the checking and the replies consume its resources. UDP is a sessionless protocol with no flow control.

SYN Flood

Multiple sources send repeated spoofed SYN requests to a target server, which responds with a SYN-ACK packet and waits for the final ACK that would complete the TCP connection. Instead of the connection being closed, it is allowed to time out. The host's resources may be stretched when attempting to fulfil all requests, and the server will go offline.
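A defender's view of the half-open state described above, as an added example that is not part of the original post: it walks a constructed, tcpdump-style packet summary (flags `S` = SYN, `S.` = SYN-ACK, `.` = ACK) and counts handshakes the server answered but the client never completed. The server address and the threshold are assumptions chosen for the example.

```python
"""Half-open TCP handshake counter for SYN-flood monitoring (constructed example)."""

# Hypothetical monitored server (constructed value, not from the original post).
SERVER = "10.0.0.5:80"

# Constructed sample capture: two legitimate clients that complete the handshake
# and four spoofed sources that send a SYN, receive a SYN-ACK and never reply.
SAMPLE_PACKETS = [
    "192.0.2.10:51000 > 10.0.0.5:80 S",
    "10.0.0.5:80 > 192.0.2.10:51000 S.",
    "192.0.2.10:51000 > 10.0.0.5:80 .",
    "198.51.100.7:40001 > 10.0.0.5:80 S",
    "10.0.0.5:80 > 198.51.100.7:40001 S.",
    "198.51.100.8:40002 > 10.0.0.5:80 S",
    "10.0.0.5:80 > 198.51.100.8:40002 S.",
    "198.51.100.9:40003 > 10.0.0.5:80 S",
    "10.0.0.5:80 > 198.51.100.9:40003 S.",
    "203.0.113.4:40004 > 10.0.0.5:80 S",
    "10.0.0.5:80 > 203.0.113.4:40004 S.",
    "192.0.2.11:51001 > 10.0.0.5:80 S",
    "10.0.0.5:80 > 192.0.2.11:51001 S.",
    "192.0.2.11:51001 > 10.0.0.5:80 .",
]

def parse(line):
    """Split 'src > dst flags' into its three fields."""
    src, _, dst, flags = line.split()
    return src, dst, flags

def handshake_state(packets, server=SERVER):
    """Return {client: state}, state being 'syn', 'synack' or 'established'."""
    state = {}
    for line in packets:
        src, dst, flags = parse(line)
        if dst == server and flags == "S":
            state[src] = "syn"             # client opened a handshake
        elif src == server and flags == "S." and state.get(dst) == "syn":
            state[dst] = "synack"          # server replied, now waiting for ACK
        elif dst == server and flags == "." and state.get(src) == "synack":
            state[src] = "established"     # final ACK seen, handshake complete
    return state

def half_open_report(packets, server=SERVER, max_half_open=3):
    """Count half-open handshakes; alert when they exceed the chosen threshold."""
    state = handshake_state(packets, server)
    half_open = sum(1 for s in state.values() if s != "established")
    return {"half_open": half_open,
            "established": len(state) - half_open,
            "alert": half_open > max_half_open}

if __name__ == "__main__":
    print(half_open_report(SAMPLE_PACKETS))
```

Because flood sources are spoofed, per-source rate limits miss them; the half-open count at the server is the signal that matters, which is what this report tracks.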

Reflection Attack

An attacker creates forged packets which are sent out to as many connected devices as possible. The devices respond to a spoofed source address, which directs their replies to the target. The devices attempt to communicate with the target concurrently, which overwhelms the server with bogus traffic and exhausts its resources.

Degradation of Service Attacks

These are often confused with a legitimate increase in traffic. The attacker’s aim is to slow the page load speed to a crawl, making a site unusable for most people. Botnets are used to generate malicious traffic which slows the response to valid user requests.

Slowloris

Slowloris is a tool that attacks web servers by opening many connections to a target machine and sending partial HTTP requests. The connections are kept open for the maximum time possible, using up resources on the server while far fewer resources are used on the attacker’s device. Further HTTP headers are sent at intervals to keep each request incomplete, adding to the load.

Peer-to-Peer Attacks

In P2P attacks, a P2P server is hijacked to route traffic to a target. Clients using the server are redirected to the target site, where their collective requests overwhelm it. This is particularly attractive to attackers who do not wish to write target-specific malware aimed at a specific OS or device.

DNS Reflection

The attacker sends small requests to a DNS server, spoofing the target's address so that the server sends its much larger reply to the target. If, for instance, a botnet is used to send out the requests, the target can receive traffic that is up to &0 times the size of the original requests.

Application-Specific Attacks

These target specific applications and content management systems such as WordPress or Joomla. The attack can succeed even with a few attacking machines, as the requests look legitimate and are hard to distinguish from normal traffic.

Multi-Vector Attacks

This is a complex attack in which multiple methods and tools are combined to cause denial of service, for example malware, botnets and misconfigured services exposed on the internet.

Unintended DDoS

This is usually caused by a legitimate spike in traffic. For instance, a WordPress site may go offline if the number of requests causes it to exhaust memory.


Felix Kinaro