By | Mohammad Zailani bin Shato, Muaz bin Ahmad, Ahmad Amieruddin Afiq bin Rahmat & Mohd Masri bin Abd Kamad
Introduction
Denial-of-Service (DoS) is a class of attacks in which an attacker tries to make an online service unavailable. Most DoS attacks flood a system, server or network with more traffic than it can handle, exhausting resources such as bandwidth, connection state, memory or CPU. As a result, the system can no longer serve legitimate requests.
Flooding attacks
Flooding is the most common form of DoS attack. The attacked system receives more traffic than the server, or the network in front of it, can handle, and eventually it stops responding to legitimate clients.
An ICMP flood, also known as a ping flood, sends the victim a high rate of ICMP Echo Request packets. The victim spends bandwidth and CPU receiving them and answering each with an Echo Reply, so both directions of its link fill up. The source addresses are usually spoofed, which hides the attacker and defeats simple source-based filtering; a related variant aims the spoofed requests at the broadcast address of a network whose misconfigured devices then amplify the replies towards the victim.
A UDP flood works much like an ICMP flood, except that the attacker sends IP packets carrying UDP datagrams, usually of varying sizes and aimed at random ports, at a very high packet rate. For every datagram that reaches a closed port the victim checks for a listener and sends back an ICMP Destination Unreachable message, so its own replies add to the load. Every device in the victim's path (routers, firewalls, IPS/IDS, server load balancers, WAFs and the servers themselves) has to process each packet, so the attack consumes bandwidth and device resources until the network is saturated.
A SYN flood abuses the TCP three-way handshake between client and server (client SYN, server SYN-ACK, client ACK). The attacker sends a stream of SYN packets, often from spoofed source addresses, and never sends the final ACK. For each SYN the server allocates a half-open connection entry in the listening port's backlog and waits for an ACK that never arrives. Once the backlog is full, SYNs from legitimate clients are dropped and the service is unreachable even though the server's bandwidth and CPU may be nearly idle. A SYN flood therefore exhausts connection state rather than bandwidth, which is why SYN cookies (which let the server answer a SYN without storing state until the ACK arrives) are an effective defence against it.
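As an added example (not code from the article), the Python script below tells the three flood types described above apart in a packet trace. The trace is constructed inline from RFC 5737 documentation addresses, and the detection thresholds are illustrative assumptions; the point is the per-source rate measurement for ICMP and UDP and the half-open (SYN without a matching ACK) count for SYN floods, which is exactly what a spoofed-source flood leaves behind.

```python
"""Flag ICMP, UDP and SYN floods in a packet trace, per source.

Added example, not code from the article. The trace is constructed here
(addresses from the RFC 5737 documentation ranges); the detection
thresholds are illustrative assumptions, not values from the article.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of capture
    proto: str       # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: int       # destination port (0 for ICMP)
    flags: str = ""  # TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK


def constructed_trace() -> list[Packet]:
    """Two seconds of traffic: one normal client, then three floods."""
    victim, client = "203.0.113.10", "198.51.100.7"
    pkts: list[Packet] = []
    for i in range(3):                         # three completed handshakes
        t = 0.1 * i
        pkts += [Packet(t, "tcp", client, victim, 443, "S"),
                 Packet(t + 0.01, "tcp", victim, client, 40000 + i, "SA"),
                 Packet(t + 0.02, "tcp", client, victim, 443, "A")]
    pkts.append(Packet(0.5, "icmp", client, victim, 0))       # one ordinary ping
    # ICMP flood: 400 echo requests in one second from a single source
    pkts += [Packet(1 + i / 400, "icmp", "192.0.2.1", victim, 0) for i in range(400)]
    # UDP flood: 600 datagrams sprayed across high ports
    pkts += [Packet(1 + i / 600, "udp", "192.0.2.2", victim, 1024 + (i * 7919) % 60000)
             for i in range(600)]
    # SYN flood: 500 SYNs never followed by the handshake's final ACK; the
    # victim still answers each with a SYN-ACK and keeps a half-open entry
    for i in range(500):
        pkts.append(Packet(1 + i / 500, "tcp", "192.0.2.3", victim, 443, "S"))
        pkts.append(Packet(1 + i / 500 + 0.001, "tcp", victim, "192.0.2.3", 50000 + i, "SA"))
    return sorted(pkts, key=lambda p: p.ts)


def classify(pkts: list[Packet], pps_threshold: float = 100,
             half_open_threshold: int = 50) -> dict[tuple[str, str], int]:
    """Return {(source, flood_kind): packet_count} for sources over threshold.

    Rates are measured over each source's own active span (floored at 1 s).
    A SYN counts as half-open when no later ACK from the same source to the
    same destination port is seen; spoofed-source floods show up the same
    way, since the forged sources never complete the handshake either.
    """
    first: dict[str, float] = {}
    last: dict[str, float] = {}
    icmp, udp, syn, ack = Counter(), Counter(), Counter(), Counter()
    udp_ports: dict[str, set[int]] = defaultdict(set)
    for p in pkts:
        first.setdefault(p.src, p.ts)
        last[p.src] = p.ts           # trace is sorted, so this ends as the max
        if p.proto == "icmp":
            icmp[p.src] += 1
        elif p.proto == "udp":
            udp[p.src] += 1
            udp_ports[p.src].add(p.dport)
        elif p.proto == "tcp" and p.flags == "S":
            syn[(p.src, p.dst, p.dport)] += 1
        elif p.proto == "tcp" and p.flags == "A":
            ack[(p.src, p.dst, p.dport)] += 1

    def pps(counter: Counter, src: str) -> float:
        return counter[src] / max(last[src] - first[src], 1.0)

    verdicts: dict[tuple[str, str], int] = {}
    for src in first:
        if pps(icmp, src) > pps_threshold:
            verdicts[(src, "icmp_flood")] = icmp[src]
        if pps(udp, src) > pps_threshold and len(udp_ports[src]) > 10:
            verdicts[(src, "udp_flood")] = udp[src]
    half_open: Counter = Counter()
    for key, n in syn.items():
        half_open[key[0]] += max(n - ack[key], 0)
    for src, n in half_open.items():
        if n > half_open_threshold:
            verdicts[(src, "syn_flood")] = n
    return verdicts


if __name__ == "__main__":
    for (src, kind), n in sorted(classify(constructed_trace()).items()):
        print(f"{src:<12} {kind:<11} {n} packets")
```

Run on the constructed trace it reports 192.0.2.1 as an ICMP flood (400 packets), 192.0.2.2 as a UDP flood (600) and 192.0.2.3 as a SYN flood (500 half-open), while the legitimate client, whose three handshakes all complete, produces no verdict. On real captures the thresholds need tuning to the link's normal baseline, and a half-open count per destination port (rather than per source) is the figure to watch when the sources are spoofed.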
Crash attacks
Crash attacks are less common. Instead of sheer volume, the attacker sends crafted input that triggers a bug in the victim's software or protocol stack (a malformed packet, an oversized field, an unexpected protocol state), causing the service or the whole system to crash. A single packet can be enough, so rate-based defences do not help; patching the flaw is the fix.
Both crash and flooding attacks prevent legitimate users from accessing online services, such as public websites, online systems or e-mail systems.
Distributed Denial-of-Service (DDoS) attacks
In a DDoS attack the traffic flooding the victim comes from many different sources, potentially hundreds of thousands of compromised hosts. Blocking a single IP address no longer stops the attack, and with the traffic spread across so many points of origin it is hard to tell legitimate users from attack sources.
The Difference between DoS and DDoS Attacks
A DoS attack typically uses one computer and one Internet connection to flood the target, whereas a DDoS attack uses many computers and Internet connections at once. DDoS attacks are often global, launched from botnets of compromised machines under the attacker's control.
Mitigation and Challenges
Mitigation is the set of techniques and tools used to resist or reduce the impact of a DoS attack on an Internet-connected network by protecting the target. The first step in any mitigation strategy is detecting that an attack has started: analysing incoming traffic and deciding which of it is legitimate is what keeps services available and responsive.
Network administrators can deploy various techniques. One is to blacklist attacking IP addresses with access lists: when an attack is detected, add an access control entry that denies traffic from the attacking sources. This only works when the sources are few and real; it does nothing against a flood whose source addresses are spoofed or which comes from a large botnet.
Another is Remotely Triggered Black Hole (RTBH) filtering, a popular and effective technique in which a trigger router announces a route (usually via BGP) that makes every edge router discard traffic to a particular victim (destination-based RTBH) or from a particular attacker (source-based RTBH, which additionally requires unicast RPF on the edge routers).
The disadvantage of blacklisting and destination-based RTBH is that legitimate traffic to the target is dropped along with the attack traffic. As far as the victim is concerned, RTBH completes the attacker's job; its purpose is to protect the rest of the network and the upstream links.
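The following added example (not code from the article) runs the two techniques from the paragraphs above, source blacklisting with an access list and destination-based RTBH, over a constructed traffic sample and scores each by how much attack traffic still gets through and how much legitimate traffic is lost. It also emits the corresponding configuration lines in Cisco IOS style, with the RTBH part in the RFC 3882 form; the addresses, the per-source threshold and the route tag are assumptions for illustration, and the syntax must be adapted to the platform actually in use.

```python
"""Source blacklisting (ACL) versus destination-based RTBH on a constructed
traffic sample. Added example, not from the article. Addresses are from the
RFC 5737 documentation ranges, the per-source threshold is an assumption,
and the generated configuration is Cisco IOS style (RTBH per RFC 3882).
"""
from __future__ import annotations

import random
from collections import Counter
from dataclasses import dataclass

VICTIM = "203.0.113.10"
NEIGHBOUR = "203.0.113.20"      # another host behind the same edge router


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    attack: bool    # ground truth for scoring only; the detector never reads it


def constructed_sample(spoofed: bool, seed: int = 1) -> list[Pkt]:
    """300 legitimate packets from 20 clients plus 2000 attack packets."""
    rng = random.Random(seed)
    pkts = [Pkt(f"198.51.100.{i % 20 + 1}", VICTIM, False) for i in range(200)]
    pkts += [Pkt(f"198.51.100.{i % 20 + 1}", NEIGHBOUR, False) for i in range(100)]
    for i in range(2000):
        if spoofed:     # a fresh forged source address on every packet
            src = (f"{rng.randint(1, 100)}.{rng.randint(0, 255)}."
                   f"{rng.randint(0, 255)}.{rng.randint(1, 254)}")
        else:           # three real attacking hosts
            src = f"192.0.2.{101 + i % 3}"
        pkts.append(Pkt(src, VICTIM, True))
    return pkts


def detect_sources(pkts: list[Pkt], per_source_limit: int = 50) -> set[str]:
    """Sources that sent more than per_source_limit packets in the sample."""
    counts = Counter(p.src for p in pkts)
    return {src for src, n in counts.items() if n > per_source_limit}


def acl_config(deny: set[str]) -> str:
    """IOS-style extended ACL denying the detected sources (apply inbound)."""
    lines = ["ip access-list extended DOS-BLOCK"]
    lines += [f" deny ip host {src} any" for src in sorted(deny)]
    lines.append(" permit ip any any")
    return "\n".join(lines)


def rtbh_config(victim: str, discard_nexthop: str = "192.0.2.254") -> str:
    """Destination-based RTBH: every edge router already routes the discard
    next-hop to Null0; the trigger router injects the victim /32 pointing at
    it, redistributed into iBGP by a route-map that matches the tag."""
    return "\n".join([
        "! pre-provisioned on every edge router",
        f"ip route {discard_nexthop} 255.255.255.255 Null0",
        "! on the trigger router, for the duration of the attack",
        f"ip route {victim} 255.255.255.255 {discard_nexthop} tag 66",
    ])


def apply(pkts: list[Pkt], deny: set[str] | None = None,
          blackhole: str | None = None) -> tuple[int, int, int]:
    """Return (attack delivered, legit-to-victim dropped, legit-to-others dropped)."""
    deny = deny or set()
    attack_through = legit_victim_dropped = legit_other_dropped = 0
    for p in pkts:
        dropped = p.src in deny or p.dst == blackhole
        if p.attack and not dropped:
            attack_through += 1
        elif not p.attack and dropped:
            if p.dst == VICTIM:
                legit_victim_dropped += 1
            else:
                legit_other_dropped += 1
    return attack_through, legit_victim_dropped, legit_other_dropped


if __name__ == "__main__":
    for spoofed in (False, True):
        sample = constructed_sample(spoofed)
        print(f"spoofed={spoofed}: ACL  -> {apply(sample, deny=detect_sources(sample))}")
        print(f"spoofed={spoofed}: RTBH -> {apply(sample, blackhole=VICTIM)}")
    print(acl_config(detect_sources(constructed_sample(False))))
    print(rtbh_config(VICTIM))
```

With three real attacking hosts the ACL stops every attack packet and drops no legitimate traffic; with a forged source on every packet the per-source detector finds nothing and all 2000 attack packets get through. RTBH stops the attack in both cases, but drops all 200 legitimate packets to the victim while leaving the neighbour's traffic untouched, which is the trade-off the paragraph above describes.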
Redirecting Traffic to the Scrubbing Centre
Instead of dropping all the traffic, redirect it to a sinkhole for analysis or to a scrubbing centre for cleaning. When under attack, traffic for the victim is diverted (typically by changing a DNS record or announcing a more specific BGP prefix) to the scrubbing centre, where an attack mitigation system filters out the attack traffic and passes the clean remainder back to the network for delivery to its destination. A scrubbing centre is normally hosted by an Internet Service Provider (ISP) or cloud provider, which has the capacity to absorb traffic volumes the victim's own links cannot.
Conclusions
Be alert to efficient and effective ways to protect online servers. Steps that reduce the impact of DoS attacks include:

- Build redundant infrastructure
  For this to be effective, connect the data centres to different networks and make sure there are no obvious network bottlenecks or single points of failure, so that an attack which saturates one site or link does not take the whole service down.

- Configure network hardware against DoS attacks
  A number of simple firewall or router configuration changes help against certain volumetric attacks. For example, rate-limiting or dropping incoming ICMP packets, and blocking unsolicited DNS responses from outside networks (UDP port 53) on hosts that are not resolvers, blunts ping floods and DNS-based floods. Dropping all ICMP breaks path MTU discovery and blocking UDP port 53 on a stateless device breaks the host's own DNS lookups, so apply such rules on a stateful firewall and test them.

- Deploy anti-DDoS hardware and software modules
  Specific software modules add DDoS protection at the application layer. For example, Apache httpd 2.2.15 and later ship mod_reqtimeout, which closes a connection that does not deliver its request headers within a configured time. It protects against attacks such as Slowloris, which opens many connections to a web server and holds each open as long as possible by sending partial requests, until the server can accept no more new connections.

- Deploy a DDoS protection appliance
  Many security vendors, including NetScout Arbor, Fortinet, Check Point, Cisco and Radware, offer appliances that sit in front of the network firewall and are designed to absorb and block DoS attacks.

- Protect DNS servers
  Attackers can take a service offline without touching its servers by DDoSing the DNS servers that resolve its name. DNS servers therefore need redundancy of their own and should be placed in different data centres, so that a single flooded site does not make every name unresolvable.
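As an added example (not code from the article or from Apache), the discrete-time simulation below shows why a request-header timeout of the kind mod_reqtimeout enforces matters against Slowloris, and where its limit lies. A server has a fixed pool of worker slots; an attacker opens a few connections per second and never finishes sending headers; legitimate clients arrive, are served within a second and leave. Pool size, the arrival rates and the 20 s timeout (the lower bound of mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500` setting) are assumed parameters.

```python
"""Slowloris against a fixed worker pool, with and without a header timeout.

Added example, not code from the article or from Apache. The model is
one-second steps: connections that completed or timed out free their
slot, then new attacker and legitimate connections compete for free slots
(attacker first, the worst case). Pool size and rates are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Conn:
    attacker: bool
    opened: int          # second in which the slot was taken
    done: int | None     # second in which a legitimate request completes

    def finished(self, now: int, header_timeout: int | None) -> bool:
        if self.attacker:
            # Partial headers forever: only a header timeout ends the connection.
            return header_timeout is not None and now - self.opened >= header_timeout
        return now >= self.done


def simulate(seconds: int = 120, max_clients: int = 100,
             header_timeout: int | None = None, attacker_rate: int = 3,
             legit_rate: int = 20, legit_service: int = 1) -> tuple[int, int, int]:
    """Return (legit served, legit refused, attacker-held slots at the end)."""
    slots: list[Conn] = []
    served = refused = 0
    for t in range(seconds):
        slots = [c for c in slots if not c.finished(t, header_timeout)]
        for _ in range(attacker_rate):
            if len(slots) < max_clients:
                slots.append(Conn(attacker=True, opened=t, done=None))
        for _ in range(legit_rate):
            if len(slots) < max_clients:
                slots.append(Conn(attacker=False, opened=t, done=t + legit_service))
                served += 1
            else:
                refused += 1
    return served, refused, sum(1 for c in slots if c.attacker)


if __name__ == "__main__":
    print("no timeout:              ", simulate())
    print("header timeout 20 s:     ", simulate(header_timeout=20))
    print("timeout 20 s, faster attacker:", simulate(header_timeout=20, attacker_rate=6))
```

Without a timeout the attacker's three connections per second accumulate until all 100 slots are held by second 33, after which every legitimate request is refused (590 served, 1810 refused). With a 20 s header timeout each attacker connection is reclaimed after 20 s, so the attacker never holds more than 60 slots and all 2400 legitimate requests are served. The third run shows the limit: once attacker_rate multiplied by header_timeout reaches the pool size the attacker can refill every freed slot at once and legitimate clients starve again, so the timeout should be paired with a per-source connection limit and a pool sized with headroom.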