Basic knowledge of DDoS

This time, we cover the basics of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.

Definition

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a target server, service, or network by flooding the target or its surrounding infrastructure with a large volume of internet traffic.

DDoS attacks achieve their effect by using many compromised computer systems as sources of attack traffic. The exploited machines can include computers and other networked resources such as IoT devices.

Put simply, a DDoS attack is like a traffic jam on a highway that prevents regular vehicles from reaching their destination.

Basic principles

DDoS attacks are carried out through networks of internet-connected machines.

These networks consist of computers and other devices (such as IoT devices) that have been infected with malware and can be remotely controlled by an attacker. Each such device is called a bot (or zombie), and a group of bots is called a botnet.

Once a botnet is established, the attacker can launch an attack by sending remote commands to each bot.

When a botnet targets a victim's server or network, each bot sends requests to the target's IP address, which can overwhelm the server or network and result in a denial of service to normal traffic.

Since each bot is a legitimate internet device, it can be difficult to distinguish attack traffic from normal traffic.

How to Identify DDoS Attacks

The most obvious symptom of a DDoS attack is a website or service that suddenly slows down or becomes unavailable. However, similar performance problems have many possible causes (such as a legitimate traffic surge), so further investigation is usually required. Traffic analysis tools can help you spot some of the clearer signs of a DDoS attack:

  • Suspicious traffic from a single IP address or IP range
  • Large volumes of traffic from users who share a single behavioral characteristic, such as device type, geographic location, or web browser version
  • An unexplained spike in the number of requests to a single page or endpoint
  • Strange traffic patterns, such as surges at unusual times of day or seemingly unnatural patterns (e.g. a surge every 10 minutes)

There are other, more specific signs of a DDoS attack, depending on the type of attack.
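The following Python script is an added example, not part of the original article: it scans web server access-log lines for three of the coarse signs listed above (one dominant source address, many addresses sharing one user agent, and one endpoint absorbing most requests). The log lines are constructed sample data in the common "combined" format, and the thresholds are assumptions chosen for that sample rather than recommended values.

```python
# Added example (not part of the original article): scanning access-log lines
# for the indicators listed above. Log lines are constructed sample data.
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: five ordinary visitors, then 40 requests from ten
# different addresses that all share one user agent and one endpoint.
LEGIT_LINES = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '203.0.113.44 - - [10/Oct/2023:13:55:38 +0000] "GET /blog/post-1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux) Chrome/117.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0 (iPhone) Safari/604.1"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=ddos HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (Android 13) Chrome/117.0"',
]
FLOOD_LINES = [
    f'192.0.2.{i % 10 + 1} - - [10/Oct/2023:13:55:{40 + i % 20:02d} +0000] '
    f'"GET /search HTTP/1.1" 200 91000 "-" "python-requests/2.31.0"'
    for i in range(40)
]
SAMPLE_LOG = LEGIT_LINES + FLOOD_LINES


def parse(lines):
    """Parse combined-format lines; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_indicators(entries, ip_share=0.5, ua_share=0.8, endpoint_share=0.8, min_requests=20):
    """Return (indicator, detail) pairs for the coarse signs listed above.

    Thresholds are constructed for this sample; tune them against a baseline
    of your own normal traffic before using them for alerting.
    """
    findings = []
    total = len(entries)
    if total < min_requests:
        return findings  # too little traffic to say anything

    # Sign 1: one address dominating the request volume.
    ip, n = Counter(e["ip"] for e in entries).most_common(1)[0]
    if n / total >= ip_share:
        findings.append(("single_ip", f"{ip} sent {n}/{total} requests"))

    # Sign 2: many distinct addresses sharing one behavioural trait (here the
    # user agent), the signature of a botnet running the same attack tool.
    ua, n = Counter(e["ua"] for e in entries).most_common(1)[0]
    ua_ips = {e["ip"] for e in entries if e["ua"] == ua}
    if n / total >= ua_share and len(ua_ips) > 1:
        findings.append(("shared_user_agent",
                         f"{ua!r} used by {len(ua_ips)} IPs for {n}/{total} requests"))

    # Sign 3: an unexplained concentration of requests on a single endpoint.
    path, n = Counter(e["path"] for e in entries).most_common(1)[0]
    if n / total >= endpoint_share:
        findings.append(("single_endpoint", f"{path} received {n}/{total} requests"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(parse(SAMPLE_LOG)):
        print(f"{kind}: {detail}")
```

On this sample no single address stands out (each bot sends only four requests), yet the shared user agent and the single endpoint are both flagged; that is the difference between the first sign in the list and the second.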

DDoS classification

Application layer attacks

This type of attack is sometimes called a Layer 7 DDoS attack (referring to layer 7 of the OSI model), and its goal is to exhaust the target's resources.

The target is the layer of the server that generates web pages and delivers them in response to HTTP requests. Issuing an HTTP request is computationally cheap for the client, but answering it can be expensive for the target server, which often has to load several files and run database queries to build the page. This asymmetry is what makes the attack effective.

Layer 7 attacks are difficult to defend against because malicious traffic is hard to distinguish from legitimate traffic.

HTTP flood

An HTTP flood is similar to pressing refresh over and over in the web browsers of many different computers at the same time: a large number of HTTP requests flood the server, resulting in a denial of service.

This type of attack ranges from simple to complex.

Simpler implementations hit a single URL from the same range of attacking IP addresses, with identical referrers and user agents. More complex variants use a large number of attacking IP addresses, randomize referrers and user agents, and target random URLs.

Slowloris

HTTP

Transport layer attacks

SYN flood

A SYN flood is like a worker in a supply room taking requests from the store counter.

The worker receives a request, goes to fetch the package, and waits for confirmation before bringing the package to the counter. Then the worker gets more and more package requests that are never confirmed, until they cannot carry any more packages and are so overwhelmed that no one's request gets answered.

This type of attack exploits the TCP handshake (the sequence of messages by which two computers establish a network connection). The attacker sends the target a large number of TCP SYN packets ("initial connection request" packets) with forged source IP addresses.

The target responds to each connection request with a SYN-ACK and then waits for the final step of the handshake, which never arrives because the SYN-ACK was sent to the forged address. The accumulating half-open connections exhaust the target's resources.
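The following Python simulation is an added example, not code from the original article: it models a TCP listener's table of half-open connections under a flood of spoofed SYNs, first with the classic stateful backlog described above and then with SYN cookies, where the server encodes the connection state in its initial sequence number instead of storing it. The backlog size, the cookie secret, and all addresses are constructed, and the cookie omits the timestamp and MSS fields a real stack includes.

```python
# Added example (not part of the original article): a toy model of a TCP
# listener's half-open connection table under a SYN flood, with and without
# SYN cookies. It is a simulation in Python, not a real TCP stack; the
# backlog size, secret and addresses are constructed.
import hashlib
import hmac
import random
import struct

BACKLOG = 128  # constructed: how many half-open connections the listener will hold


class Listener:
    def __init__(self, syn_cookies=False, backlog=BACKLOG):
        self.syn_cookies = syn_cookies
        self.backlog = backlog
        self.half_open = {}        # (client_ip, client_port) -> server ISN awaiting the final ACK
        self.established = set()
        self.dropped_syns = 0
        self.secret = b"constructed-secret"

    def _cookie(self, client):
        # SYN cookie: the server ISN is derived from the connection 4-tuple
        # with a keyed hash, so nothing has to be stored until the ACK arrives.
        # Real stacks also fold in a coarse timestamp and the MSS; omitted here.
        mac = hmac.new(self.secret, repr(client).encode(), hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]

    def on_syn(self, client):
        """Handshake step 1 arrives. Returns the ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(client)          # stateless: no table entry
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1               # table full: the SYN is discarded
            return None
        isn = random.getrandbits(32)
        self.half_open[client] = isn             # state held until the ACK (or a timeout)
        return isn

    def on_ack(self, client, ack_num):
        """Handshake step 3 arrives; ack_num must equal the server ISN + 1."""
        if self.syn_cookies:
            ok = ack_num == (self._cookie(client) + 1) & 0xFFFFFFFF
        else:
            isn = self.half_open.pop(client, None)
            ok = isn is not None and ack_num == (isn + 1) & 0xFFFFFFFF
        if ok:
            self.established.add(client)
        return ok


def syn_flood(listener, count):
    """Spoofed SYNs: the SYN-ACK goes to the forged source, so no ACK ever comes back."""
    for _ in range(count):
        spoofed = (f"198.51.100.{random.randrange(1, 255)}", random.randrange(1024, 65536))
        listener.on_syn(spoofed)


def legit_connect(listener, client=("203.0.113.5", 40000)):
    """A real client completes all three steps; returns True if it got a connection."""
    isn = listener.on_syn(client)
    if isn is None:
        return False
    return listener.on_ack(client, (isn + 1) & 0xFFFFFFFF)


def demo(syn_cookies, flood_size=10_000):
    """Returns (legit client connected?, half-open entries held, SYNs dropped)."""
    random.seed(1)  # reproducible spoofed sources
    listener = Listener(syn_cookies=syn_cookies)
    syn_flood(listener, flood_size)
    connected = legit_connect(listener)
    return connected, len(listener.half_open), listener.dropped_syns


if __name__ == "__main__":
    print("without SYN cookies:", demo(False))  # legit client refused, table full
    print("with SYN cookies:   ", demo(True))   # legit client connects, no state held
```

Without cookies the 128-entry table fills with spoofed half-open connections and the real client's SYN is dropped; with cookies the listener holds no state, so the flood costs it nothing but the SYN-ACKs it emits, and a forged ACK fails the keyed check. On Linux this mitigation is controlled by the net.ipv4.tcp_syncookies sysctl.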

ACK attack

Network layer attacks

DNS amplification

DNS amplification is like someone calling a restaurant and saying, "Order one of each course, then call me back and repeat the entire order," when the callback number provided actually belongs to the victim. It takes very little effort to produce a long response, and the response is delivered to the victim.

The attacker sends small DNS queries to open resolvers with the source IP address forged as the victim's address; the resolvers then send their much larger responses to the victim's IP address.

ICMP

UDP attack

Memcached attack

A Memcached distributed denial of service (DDoS) attack is a type of network attack in which the attacker attempts to overload the target victim with network traffic. The attacker sends spoofed requests to a vulnerable Memcached server exposed over UDP, which then sends large volumes of traffic to the victim, potentially overwhelming the victim's resources. Once the target's internet infrastructure is overloaded, new requests cannot be processed and regular traffic cannot reach the service, resulting in a denial of service.

Memcached is a database caching system used to speed up websites and networks.

Memcached attacks work like other DDoS amplification attacks, such as NTP amplification and DNS amplification: the attacker sends spoofed requests to a vulnerable server, which replies with far more data than the request contained, amplifying the traffic.

A Memcached amplification attack is like a malicious teenager calling a restaurant and saying, "I want one of everything on the menu, please call me back and read the whole order back to me." When the restaurant asks for a callback number, he gives the target victim's phone number. The target then gets a call from the restaurant with a lot of information they never requested.

This amplification is possible because Memcached servers can be configured to listen on UDP. UDP is a transport protocol that sends data without a prior handshake, the exchange in which both parties agree to communicate. UDP suits the attacker because large amounts of data can be sent to a target host without first asking whether it is willing to receive them, and because the source address of a UDP datagram can be forged freely.

A Memcached attack proceeds in four steps:

  • The attacker stores a large data payload on an exposed Memcached server.
  • The attacker then sends a small get request for that payload to the server, with the source IP address forged as the target victim's.
  • The vulnerable Memcached server receives the request, tries to be helpful by responding, and so sends a large response to the target.
  • The target server or its surrounding infrastructure cannot handle the volume of data arriving from the Memcached server, resulting in overload and denial of service for normal requests.
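The following Python program is an added example, not code from the original article: it runs the four steps above against a toy Memcached reflector inside one process. The 8-byte UDP frame header (request id, sequence number, datagram count, reserved) and the set/get text commands follow Memcached's UDP protocol, but no packets are sent, and all addresses and sizes are constructed. The same request/response shape applies to the DNS amplification described earlier, with a resolver and a large record set standing in for the cache.

```python
# Added example (not part of the original article): an in-process simulation
# of the four steps above against a toy Memcached reflector. The 8-byte UDP
# frame header and the text commands follow the memcached UDP protocol, but
# no network traffic is sent; all addresses and sizes are constructed.
import struct
from dataclasses import dataclass


@dataclass
class Datagram:
    src: str        # source address; an attacker can forge this freely over UDP
    dst: str
    payload: bytes


UDP_FRAME = struct.Struct(">HHHH")  # request id, sequence number, datagram count, reserved
MAX_DATAGRAM = 1400                 # memcached splits large UDP responses into ~1400-byte pieces


class MemcachedReflector:
    """Minimal stand-in for a memcached server with its UDP listener exposed."""

    def __init__(self, ip, udp_enabled=True):
        self.ip, self.udp_enabled, self.store = ip, udp_enabled, {}

    def handle(self, dgram):
        """Process one request datagram; returns the response datagrams, addressed to dgram.src."""
        if not self.udp_enabled or dgram.dst != self.ip:
            return []                            # mitigation: no UDP listener, nothing to reflect
        req_id, _, _, _ = UDP_FRAME.unpack(dgram.payload[:8])
        text = dgram.payload[8:]
        cmd = text.split(b"\r\n", 1)[0].split()
        if cmd and cmd[0] == b"set":             # set <key> <flags> <exptime> <bytes>\r\n<data>\r\n
            self.store[cmd[1]] = text.split(b"\r\n", 2)[1]
            body = b"STORED\r\n"
        elif cmd and cmd[0] == b"get":           # get <key> [<key> ...]\r\n
            body = b""
            for key in cmd[1:]:
                if key in self.store:
                    value = self.store[key]
                    body += b"VALUE %s 0 %d\r\n%s\r\n" % (key, len(value), value)
            body += b"END\r\n"
        else:
            body = b"ERROR\r\n"
        pieces = [body[i:i + MAX_DATAGRAM] for i in range(0, len(body), MAX_DATAGRAM)]
        return [Datagram(self.ip, dgram.src, UDP_FRAME.pack(req_id, seq, len(pieces), 0) + piece)
                for seq, piece in enumerate(pieces)]


def amplification_attack(reflector, attacker_ip, victim_ip, payload_size=100_000):
    """Run the four steps; returns (bytes attacker sent, bytes victim received, datagrams to victim)."""
    frame = UDP_FRAME.pack(1, 0, 1, 0)
    # Step 1: attacker plants a large value under a short key (this reply goes back to the attacker).
    value = b"A" * payload_size
    reflector.handle(Datagram(attacker_ip, reflector.ip,
                              frame + b"set k 0 0 %d\r\n%s\r\n" % (len(value), value)))
    # Step 2: a tiny get request whose source address is forged as the victim's.
    request = Datagram(victim_ip, reflector.ip, frame + b"get k\r\n")
    # Step 3: the reflector answers the forged source, i.e. the victim.
    to_victim = [r for r in reflector.handle(request) if r.dst == victim_ip]
    # Step 4: the victim absorbs the amplified response.
    return len(request.payload), sum(len(r.payload) for r in to_victim), len(to_victim)


def amplification_factor(sent, received):
    return received / sent if sent else 0.0


if __name__ == "__main__":
    sent, received, n = amplification_attack(MemcachedReflector("192.0.2.53"), "198.51.100.9", "203.0.113.7")
    print(f"{sent} bytes in, {received} bytes out in {n} datagrams, "
          f"factor {amplification_factor(sent, received):.0f}x")
    closed = MemcachedReflector("192.0.2.53", udp_enabled=False)
    print("UDP disabled:", amplification_attack(closed, "198.51.100.9", "203.0.113.7"))
```

A 15-byte get request draws roughly 100 KB back at the victim, an amplification factor in the thousands; asking for several keys in one request multiplies it further. The reflector with UDP disabled returns nothing, which is why the first mitigation below is simply turning the UDP listener off.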

How to protect against Memcached attacks?

  • Disable UDP - For Memcached servers, disable UDP support whenever it is not needed. Memcached versions before 1.5.6 enabled UDP by default, which left exposed servers vulnerable; newer versions disable it by default, but verify the setting (the -U 0 command-line option turns the UDP listener off).
  • Firewall Memcached servers - By placing a firewall between Memcached servers and the internet, at minimum blocking UDP port 11211 from untrusted networks, system administrators can keep using UDP where needed without exposing the servers.
  • Prevent IP spoofing - As long as IP source addresses can be forged, DDoS attacks can use them to direct traffic at the victim's network. Preventing IP spoofing is a larger-scale fix that individual system administrators cannot implement on their own: it requires transit providers to refuse to forward packets whose source addresses do not belong to the network they are leaving (network ingress filtering, BCP 38). In other words, Internet Service Providers (ISPs) must filter traffic so that packets leaving their network cannot claim to come from somewhere else. If all major transit providers implemented this filtering, spoofing-based attacks would disappear overnight.
  • Design UDP services with small responses - Another way to eliminate amplification attacks is to remove the amplification factor from incoming requests: if the response sent in reply to a UDP request is no larger than the request itself, amplification is no longer possible.

How to Defend Against DDoS

Black hole routing

One option available to almost all network administrators is to create a black hole route and funnel traffic into it. In its simplest form, when black hole filtering is implemented without specific criteria, both legitimate and malicious traffic is routed to a null route (the black hole) and dropped from the network.

If an internet-facing system is under DDoS attack, its Internet Service Provider (ISP) may black-hole all traffic destined to the site as a defense. This is not an ideal solution, since it hands the attacker their intended goal: making the network inaccessible.

Rate limiting

Limiting the number of requests a server accepts within a given time window is another way to mitigate denial-of-service attacks.

While rate limiting helps slow down web scrapers stealing content and protects against brute-force attacks, rate limiting alone is unlikely to be enough to handle a complex DDoS attack effectively.

Nonetheless, rate limiting is a useful component of an effective DDoS protection strategy.
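The following Python program is an added example, not code from the original article and not Cloudflare's implementation: a per-client-IP token-bucket rate limiter run against two constructed traffic shapes of identical total volume, one address sending 300 requests per second and 500 bots each sending well under the limit. The rate, burst size and addresses are assumptions.

```python
# Added example (not part of the original article, and not Cloudflare's
# implementation): a per-client token-bucket rate limiter run against two
# constructed traffic shapes with the same total volume. Rates, burst size
# and addresses are constructed.
from collections import defaultdict


class TokenBucket:
    """One bucket per client key: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, client, now):
        """Admit the request at time `now` (seconds) if the client's bucket has a token."""
        elapsed = now - self.last_seen.get(client, now)
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        self.last_seen[client] = now
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


def run(limiter, requests):
    """requests: (timestamp, client_ip) pairs in time order. Returns (admitted, rejected)."""
    admitted = rejected = 0
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            admitted += 1
        else:
            rejected += 1
    return admitted, rejected


def single_source_flood(total=3000, duration=10.0):
    """One address sending 300 requests/second for 10 seconds."""
    return [(i * duration / total, "192.0.2.1") for i in range(total)]


def distributed_flood(bots=500, per_bot=6, duration=10.0):
    """500 bots at 0.6 requests/second each: the same 3000 requests, no address stands out."""
    reqs = [(j * duration / per_bot + i * 0.001, f"198.51.{i // 256}.{i % 256}")
            for i in range(bots) for j in range(per_bot)]
    return sorted(reqs)


if __name__ == "__main__":
    for name, traffic in (("single source", single_source_flood()), ("500 bots", distributed_flood())):
        limiter = TokenBucket(rate=5, burst=10)  # 5 req/s sustained, bursts of 10, per client IP
        print(name, run(limiter, traffic))
```

The single-source flood is cut down to roughly the sustained rate plus the burst (about 60 of 3000 requests admitted), while the distributed flood passes untouched even though the server receives exactly the same load: every bot stays under the per-IP limit. That is the gap the preceding paragraph warns about, and why per-IP limits are paired with behavioural signals and a WAF.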

Web Application Firewall

A Web Application Firewall (WAF) is an effective tool for mitigating Layer 7 DDoS attacks. Deployed between the internet and the origin server, a WAF acts as a reverse proxy and shields the origin from specific types of malicious traffic.