Denial of Service

A Denial of Service attack aims to exhaust the resources at a server's disposal: network bandwidth, disk, RAM, or processor time. It can also be one step in a structured intrusion, for example keeping a router from answering a peer.

Currently there are three main variations:

  • DoS attacks are carried out by a single host; a firewall or intrusion detection system can defeat them.
  • DDoS attacks start with the adversary placing Zombie scripts on a series of compromised computers connected to the Internet by relatively high-bandwidth links. DSL and cable modem connections are primary targets because they often lack the security features needed to defend against the intrusion. Some Zombies download and install additional applications that can map the local network, capture passwords or keystrokes, and report their findings. Network-layer attacks can last for 48 to 49 hours; application-layer attacks can last up to 70 days.
  • DrDoS, the “new” kid on the block, involves one or more hosts sending a series of simple requests to unsuspecting hosts, even hardened ones, using the “spoofed” source address of the target. When these hosts respond to what appears to be a legitimate, non-threatening request, their replies collectively create an unsupportable flood of packets aimed at the target.

Applicative (application-layer) DDoS and network DDoS use different methods and require different defences, but the term DDoS usually refers to a network DDoS. Traffic volumes keep growing: network attacks now reach several hundred Gigabits per second. These attacks can hit any service: email, SSH, Web, you name it, but the web is the most common target.

Typically, the three key parameters of a Denial of Service attack are:

  • Some sort of spoofing
  • An amplification factor
    • A DoS (Denial of Service) attack can, for example, send 10 Gb/s from a single IP address to saturate a targeted server's network connection of only 1 Gb/s.
    • A DDoS (Distributed Denial of Service) attack can, for example, send 1 Gb/s from each of 10 different servers and block a targeted server that has a 1 Gb/s connection.
    • A DrDoS can have amplification factors of 10 to 50, depending on the vector used.
  • A type of attack vector

Network

  • Historically the attacked IP address is marked as a “Blackhole”: Internet routers are informed through BGP (Border Gateway Protocol) that it is useless to send traffic to that IP. This works for the host, which gets its connectivity back, but the affected website stays inaccessible as long as its IP is in the black hole.
  • For network DoS, routers filter on the protocols that are actually in use and/or identify the patterns and typical samples of the packets being sent, so as to block only the illegitimate packets.
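The DrDoS mechanism above, the amplification factor, and the router-level pattern identification can be made concrete from the target's side. The following is an added example, not code from the original page: it walks constructed flow records (as a flow collector at the network edge would export them) and separates UDP replies that answer a request the protected host actually sent from replies that arrived unsolicited, which is the signature of reflected traffic. The protected address, the reflected service ports (53 and 123) and all flow records are assumptions chosen for the illustration; the page itself names no specific vector.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One flow record from a flow collector at the edge of the protected network."""
    direction: str   # "in" (towards the protected host) or "out"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    packets: int
    bytes: int

# Assumption: the host we protect (a TEST-NET-3 documentation address).
PROTECTED = {"203.0.113.10"}
# Assumption: UDP service ports whose replies are being reflected; the page names no vector.
SERVICE_PORTS = (53, 123)

def unsolicited_udp_responses(flows, protected=PROTECTED, service_ports=SERVICE_PORTS):
    """Per service port, summarise inbound UDP replies that no request from the protected host explains."""
    # 4-tuples of every UDP request the protected host itself sent out
    sent = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port)
            for f in flows if f.direction == "out" and f.proto == "udp" and f.src_ip in protected}
    summary = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.dst_ip not in protected:
            continue
        if f.src_port not in service_ports:
            continue
        # A genuine reply mirrors the request's 4-tuple; anything else arrived unsolicited.
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in sent:
            continue
        s = summary[f.src_port]
        s["reflectors"].add(f.src_ip)
        s["packets"] += f.packets
        s["bytes"] += f.bytes
    return {port: {"reflectors": len(s["reflectors"]), "packets": s["packets"], "bytes": s["bytes"]}
            for port, s in summary.items()}

def inbound_rate_bps(summary, window_seconds):
    """Bit rate of the unsolicited traffic over the collection window."""
    return sum(s["bytes"] for s in summary.values()) * 8 / window_seconds

def link_saturated(summary, window_seconds, link_bps):
    """True when the unsolicited traffic alone fills the target's link."""
    return inbound_rate_bps(summary, window_seconds) >= link_bps

# Constructed one-second sample: one legitimate DNS exchange, one ordinary TCP session,
# and unsolicited replies from five DNS and four NTP reflectors.
SAMPLE_FLOWS = [
    Flow("out", "203.0.113.10", 51000, "198.51.100.1", 53, "udp", 1, 64),
    Flow("in", "198.51.100.1", 53, "203.0.113.10", 51000, "udp", 1, 512),
    Flow("in", "198.51.100.5", 40000, "203.0.113.10", 443, "tcp", 20, 5000),
]
SAMPLE_FLOWS += [Flow("in", f"198.51.100.{n}", 53, "203.0.113.10", 80, "udp", 1000, 3_000_000)
                 for n in range(20, 25)]
SAMPLE_FLOWS += [Flow("in", f"192.0.2.{n}", 123, "203.0.113.10", 80, "udp", 500, 240_000)
                 for n in range(30, 34)]

if __name__ == "__main__":
    summary = unsolicited_udp_responses(SAMPLE_FLOWS)
    for port, s in sorted(summary.items()):
        print(f"udp/{port}: {s['reflectors']} reflectors, {s['packets']} packets, {s['bytes']} bytes")
    print("link saturated (100 Mb/s):", link_saturated(summary, 1, 100_000_000))
```

The 4-tuple check is what lets a router or flow-based filter block only the illegitimate packets: the one real DNS answer passes because the host asked for it, while the replies on the same port from hosts it never spoke to are counted and can be dropped. In the constructed sample those replies alone amount to roughly 128 Mb/s, enough to fill a 100 Mb/s link while leaving a 1 Gb/s link standing.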

Applicative

  • For applicative DoS, identify the common features of the attack requests and block them at the reverse proxy level, so the flood never reaches the web servers.
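As an added example of this reverse-proxy approach (not code from the original page), the following Python script reads access-log lines in the combined log format, finds clients whose request rate in a sliding window exceeds a threshold, extracts the (path, User-Agent) pairs those clients share, and turns the result into an allow/block decision that also catches a new source carrying the same signature. The log lines, the client addresses, the 10-second window and the threshold of 20 requests are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by a typical reverse proxy (assumption: no extra fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry

def flood_sources(entries, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak requests in any window} for the clients that exceed the threshold."""
    times_by_ip = defaultdict(list)
    for e in entries:
        times_by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def shared_features(entries, flagged):
    """(path, user-agent) pairs requested by every flagged client: the attack's common features."""
    per_ip = defaultdict(set)
    for e in entries:
        if e["ip"] in flagged:
            per_ip[e["ip"]].add((e["path"], e["ua"]))
    if not per_ip:
        return []
    return sorted(set.intersection(*per_ip.values()))

def proxy_decision(entry, flagged, features):
    """Block flagged clients and any request carrying the shared attack signature."""
    if entry["ip"] in flagged or (entry["path"], entry["ua"]) in features:
        return "block"
    return "allow"

def constructed_log():
    """Constructed sample: one ordinary visitor plus three flood sources hammering one URL."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i, path in enumerate(["/", "/about", "/blog", "/blog/1", "/contact", "/"]):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, path=path, ua="Mozilla/5.0"))
    for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):
        for i in range(30):                     # 30 requests in under five seconds
            ts = (base + timedelta(milliseconds=150 * i)).strftime(TS_FMT)
            lines.append(fmt.format(ip=ip, ts=ts, path="/search?q=test", ua="ExampleBot/1.0"))
    return lines

ENTRIES = [e for e in map(parse_line, constructed_log()) if e]

if __name__ == "__main__":
    flagged = flood_sources(ENTRIES)
    features = shared_features(ENTRIES, flagged)
    print("flood sources:", flagged)
    print("shared features:", features)
    for e in ENTRIES[:1] + ENTRIES[-1:]:
        print(e["ip"], e["path"], "->", proxy_decision(e, flagged, features))
```

The per-IP rate alone would only stop the sources already seen; the shared (path, User-Agent) signature is what lets the proxy reject the same flood when it arrives from an address that has not yet crossed the threshold, which is the point of blocking on common features rather than on individual clients.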