
Denial of Service Attack Prevention

Denial of Service: Definition
Denial of Service (commonly referred to as DoS, not to be confused with MS-DOS) describes a situation where an application or service is no longer reachable for its intended audience, i.e. it denies service.

So the definition of Denial of Service is simply that a service or application that is usually reachable is not reachable, likely because of an attack rather than a simple bug. We'll go into more detail about this later on.

What Is Denial of Service?
We already discussed the definition of Denial of Service above. Let's continue with why and how an online service would experience a DoS.

The cause of a Denial of Service can simply be a random malfunction of the service or application, or a malfunction triggered by an exploit. For example, a person with malicious intent could send a specifically crafted command to the application, designed to make it crash, effectively resulting in a Denial of Service.

However, most bugs that would result in a DoS get fixed sooner rather than later. That's why attackers instead take advantage of weaknesses in TCP, UDP and other network protocols to make an intended target unreachable to its audience.

So, while Denial of Service simply means the unavailability of a service that is normally available, the term mostly refers to attacks carried out over networks such as the internet that are designed to take the target offline. Let's look at this in more detail.

What Is a Denial of Service Attack?
The best way to define a Denial of Service attack is that it is a type of cyber attack that aims at making a particular target service unreachable to its audience. Because DoS vulnerabilities in applications are not too common and for the most part get patched rather quickly, most Denial of Service attacks are carried out by taking advantage of weaknesses in network protocols.

A simple Denial of Service attack usually originates from a single source or very few sources, the source normally being a server or PC connected to the internet. A DoS attack normally aims at vulnerabilities in an application that would result in a DoS, or tries to overload the CPU or RAM resources of the target machine.

In some cases a single attack source can also have larger resources, such as a 10 Gbit/s internet connection, which allows the attacker, instead of aiming at the application itself, to simply hammer the victim with more network traffic than it can handle. If the target machine has only, say, a 100 Mbit/s connection and the attacking machine has 10 Gbit/s, it is easy to clog the network, rendering the victim unreachable over the internet.

If the Denial of Service attack targets CPU and RAM resources, the attacking machine usually floods the victim with requests, such as HTTP requests if the target is a website, in order to exhaust the resources of the server the website is running on.

Generally there are two types of Denial of Service attacks:

Network Layer Attacks (Layer 3 and Layer 4)
Application Layer Attacks (Layer 7)

Network layer attacks target layers 3 and 4 of the OSI model and, as the name suggests, they try to exhaust the network capacity of a victim, which can be the uplink capacity, the capacity of the server's network interface controller, or the number of packets that the TCP/IP stack of the server's operating system can handle.

Application layer attacks usually target the application itself that the attacker wants to make unreachable. This happens by sending seemingly legitimate requests to the application, which it processes as if they came from legitimate users. The attacker usually sends so many such requests that it is as if your application had many thousands of users at the same time instead of a few, effectively exhausting all CPU and RAM resources of the server.

There are many different subtypes of network and application layer attacks. Most of them are Distributed Denial of Service attack types, which is why we'll look at them in the next chapter.

What Is a Distributed Denial of Service Attack?
While a simple Denial of Service attack originates from just one or very few sources, a Distributed Denial of Service attack (a.k.a. DDoS attack) originates from a network of many sources, often many thousands.

This network of attack sources is often a so-called botnet, which describes a network of infected computers and/or servers that are under the control of an attacker. The attacker can control all of the infected machines from a so-called Command & Control server (CnC or C&C) and make them, for example, simultaneously send HTTP GET requests to a target, which would be a form of layer 7 DDoS attack.

Distributed Denial of Service attacks can do much more harm than a simple Denial of Service attack. That's because they often involve far too many attack sources, and thus source IP addresses, to simply block the source IP(s) with a firewall or ACL. Their size is often tremendous and can take down whole networks or data centers, which makes them difficult to combat.

Let's look more closely at what types of network and application layer attacks can be used as part of a (Distributed) Denial of Service attack.

Network and Transport Layer DDoS Attacks (Layer 3-4)
There are basically two subsections that network layer attacks can be split into:

1. High Volume Attacks
2. High Packet Count Attacks

High volume network layer attacks mostly aim at exhausting the network capacity of a server or of the network segment it sits in (read: the access or distribution switch). These attacks mostly use the UDP protocol, because it allows a variety of amplification DDoS attacks and also makes it possible to send large single packets to a target IP.

Volumetric attacks are usually measured in bits, such as Megabits per second and Gigabits per second. There are volumetric DDoS attacks ranging from 50 Mbit/s to 400 Gbit/s, the latter mostly being reflection attacks (a.k.a. DrDoS, Distributed Reflected Denial of Service).

Common UDP based High Volume DDoS Attack Types:

DNS Amplification
NTP Amplification
SNMPv2 Amplification
NetBIOS Amplification
SSDP Amplification
CHARGEN Amplification
QOTD Amplification
RIPv1 Amplification (NEW)
Multicast DNS (mDNS) Amplification DDoS (NEW)
Portmap Amplification DDoS (NEW)
Direct UDP Flood

We can't cover how each attack works exactly; however, Distributed Reflected Denial of Service attacks usually take advantage of UDP based online services that send back a large response to a small query.

The attacker typically spoofs (fakes) the source IP address to make it look as if the network packets the attacker sends originate from the victim's IP address. Now, if the attacker sends many small packets requesting a large response from one of the above listed vulnerable services, the service sends its response to the victim's IP address, because it thinks the victim requested the data, when in fact the attacker did by spoofing the victim's IP address. UDP makes this possible because, unlike TCP, it has no handshake that would verify the requester actually owns the source address it claims.

This results in an amplification of attack power, because very small requests result in rather large responses, meaning the attacker needs few resources to send the fake requests, while the responses to those requests quickly exhaust the victim's resources because they are many times larger (tens of times for most of the protocols listed, and several hundred times for NTP's monlist command). Two things follow for defenders: reflection traffic shows up at the victim as responses from well-known service ports (53, 123, 1900, ...) that nobody on the victim's side ever asked for, which is a usable detection signal, and anyone running an open DNS resolver or an NTP server with monlist enabled is an unwitting participant in attacks on others, which is why network operators are asked to disable such services and to drop outgoing packets whose source address does not belong to their own ranges (BCP 38).
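The detection signal described above, turned into code: an added example, not code from the original article, that runs over constructed flow records (the IP addresses, ports and byte counts are made up for illustration) and reports hosts receiving responses from amplifier ports without a matching request.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example, not code from the original article. The flow records below are
constructed for illustration; in practice they would come from NetFlow/IPFIX
exports or a packet capture. Heuristic used: responses arriving from well-known
amplifier ports at a host that never sent a matching request are reflected
traffic aimed at that host, i.e. someone is spoofing its address.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (matching the list above).
AMPLIFIER_PORTS = {
    53: "DNS", 123: "NTP", 161: "SNMP", 137: "NetBIOS", 1900: "SSDP",
    19: "CHARGEN", 17: "QOTD", 520: "RIPv1", 5353: "mDNS", 111: "Portmap",
}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
SAMPLE_FLOWS = [
    # A legitimate DNS lookup by 203.0.113.10 and the matching reply.
    ("203.0.113.10", 40012, "198.51.100.5", 53, 1, 64),
    ("198.51.100.5", 53, "203.0.113.10", 40012, 1, 180),
    # NTP responses hitting 203.0.113.7, which sent no NTP query.
    ("192.0.2.21", 123, "203.0.113.7", 80, 1200, 540000),
    ("192.0.2.22", 123, "203.0.113.7", 80, 1100, 495000),
    # Large DNS responses hitting 203.0.113.7, again unsolicited.
    ("192.0.2.50", 53, "203.0.113.7", 80, 800, 2400000),
    # Ordinary web traffic served by 203.0.113.7.
    ("203.0.113.7", 80, "192.0.2.99", 51000, 10, 12000),
]


def find_reflection_victims(flows, min_bytes=100_000):
    """Return {victim_ip: {service: bytes}} for hosts that received at least
    min_bytes of responses from an amplifier port without having asked."""
    # Every request a host actually sent to an amplifier port, keyed the way
    # its reply will look: (server_ip, server_port, client_ip, client_port).
    requested = {
        (dst, dport, src, sport)
        for src, sport, dst, dport, _, _ in flows
        if dport in AMPLIFIER_PORTS
    }
    unsolicited = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if sport not in AMPLIFIER_PORTS:
            continue
        if (src, sport, dst, dport) in requested:
            continue  # genuine reply to a request the host made
        unsolicited[dst][AMPLIFIER_PORTS[sport]] += nbytes
    return {
        ip: {svc: b for svc, b in svcs.items() if b >= min_bytes}
        for ip, svcs in unsolicited.items()
        if any(b >= min_bytes for b in svcs.values())
    }


def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker sends."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    for victim, services in find_reflection_victims(SAMPLE_FLOWS).items():
        for service, total in sorted(services.items()):
            print(f"{victim}: {total} unsolicited bytes from {service} reflectors")
    # A 64-byte query answered by a 3000-byte response (assumed sizes): ~47x.
    print(f"DNS amplification for 64 -> 3000 bytes: {amplification_factor(64, 3000):.1f}x")
```

The request/reply matching is what separates a reflection attack from a host that simply uses DNS a lot: a real reply always has a request from the same client port going the other way. On a busy network the flow export is sampled, so the byte threshold should be scaled by the sampling rate before alerting.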

Common TCP based High Packet Count DDoS Attack Types:

SYN Flood
SSYN Flood (Spoofed SYN Flood)
SYN-ACK Flood
ACK Flood
TCP Fragment Flood
TCP RST Flood (TCP Reset Attack)
TCP Flag Abuse Flood

TCP based Distributed Denial of Service attacks usually involve a high number of packets per second being sent to the victim's IP address. The packets are generally small but plentiful. They usually don't overwhelm the throughput of a network the way UDP based Distributed Denial of Service attacks do, but they can still easily saturate a server's network card and overload the operating system's TCP/IP stack. A SYN flood, for example, works because the server allocates connection state for every SYN it receives and then waits for the final ACK of the handshake, which never arrives; the listen queue fills up with half-open connections and legitimate clients are turned away. Spoofing the source address of each SYN (SSYN) makes the flood harder to filter and sends the server's SYN-ACKs to hosts that will never answer.

The number of packets per second is commonly counted in Kpps (kilo/thousand packets per second) and Mpps (million packets per second). TCP based attacks with as little as 50 Kpps (50,000 packets per second) can already take down servers or applications on the targeted port, and many attacks range up to 8 Mpps (8 million packets per second) and more.

To fully understand how and why TCP based attacks work so well in bringing down targets, you have to dig deep into how the TCP protocol, and especially the TCP handshake, works. This is out of scope for this article, but reading what Wikipedia has to say about it is a good start if you want to dig deeper.
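The half-open-connection symptom described above is also how a SYN flood can be recognised in a capture. The following is an added example, not code from the original article: it runs over a constructed packet list (addresses, ports, timestamps and the 300-SYN burst are all made up) and flags one-second windows in which many SYNs arrive but almost none of the senders complete the handshake.

```python
"""Detect a SYN flood in TCP packet records.

Added example, not code from the original article. The capture below is
constructed; a real implementation would read a pcap or a sampled flow export.
Two signals are combined per one-second window: the number of SYNs aimed at
the target, and how many of those handshakes the client actually completed
with an ACK. Hundreds of SYNs whose senders never come back is what a
(spoofed) SYN flood looks like from the victim's side: a queue of half-open
connections that real users cannot get into.
"""
from collections import defaultdict

TARGET = "203.0.113.7"


def build_sample_capture():
    """Constructed capture: (ts, src_ip, src_port, dst_ip, dst_port, flags).
    Second 0 is quiet; second 1 carries 300 spoofed SYNs plus 3 real clients."""
    pkts = []
    for i in range(5):  # five legitimate clients completing the handshake
        ip, port = f"192.0.2.{10 + i}", 50000 + i
        pkts.append((0.10 + i * 0.01, ip, port, TARGET, 443, "S"))
        pkts.append((0.15 + i * 0.01, ip, port, TARGET, 443, "A"))
    for i in range(300):  # spoofed sources: SYN only, no ACK ever follows
        pkts.append((1.0 + i / 1000, f"198.51.100.{i % 250 + 1}", 1024 + i, TARGET, 443, "S"))
    for i in range(3):  # real clients still trying to get in during the flood
        ip, port = f"192.0.2.{20 + i}", 51000 + i
        pkts.append((1.40 + i * 0.01, ip, port, TARGET, 443, "S"))
        pkts.append((1.45 + i * 0.01, ip, port, TARGET, 443, "A"))
    return pkts


def detect_syn_flood(packets, target_ip, syn_threshold=100, max_completion=0.2):
    """Return [(window_start, syn_count, completed_count)] for every one-second
    window in which at least syn_threshold SYNs arrived and at most
    max_completion of them were followed by the client's ACK.

    The thresholds are illustrative; tune them against your own baseline."""
    windows = defaultdict(lambda: {"syn": 0, "completed": 0})
    pending = {}  # (client_ip, client_port) -> window of its last SYN
    for ts, src_ip, src_port, dst_ip, _dst_port, flags in packets:
        if dst_ip != target_ip:
            continue
        client = (src_ip, src_port)
        window = int(ts)
        if "S" in flags and "A" not in flags:  # first leg of the handshake
            pending[client] = window
            windows[window]["syn"] += 1
        elif "A" in flags and "S" not in flags and client in pending:
            # third leg: credit the completion to the window of the SYN
            windows[pending.pop(client)]["completed"] += 1
    alerts = []
    for start in sorted(windows):
        syns, done = windows[start]["syn"], windows[start]["completed"]
        if syns >= syn_threshold and done / syns <= max_completion:
            alerts.append((start, syns, done))
    return alerts


if __name__ == "__main__":
    for start, syns, done in detect_syn_flood(build_sample_capture(), TARGET):
        print(f"t={start}s: {syns} SYNs, only {done} handshakes completed -> SYN flood")
```

Counting completions rather than raw SYNs is what keeps a popular site's normal connection rate from tripping the alarm. On the mitigation side, Linux can be told to answer SYNs without keeping state until the handshake completes (`net.ipv4.tcp_syncookies = 1`), which is the standard first line of defence against exactly this pattern.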

Application Layer DDoS Attacks (Layer 7)
While a network or transport layer attack mostly aims at the IP address and the server as a whole, an application layer DDoS attack directly targets the application the attacker wants to make unavailable.

This type of attack aims at exhausting the CPU and RAM resources of the server(s) an online application such as a website is hosted on, by basically simulating a tremendous number of users until there are no resources left to handle the requests of the actual users.

Layer 7 DDoS attacks are one of the hardest Distributed Denial of Service attacks to detect, because the malicious requests often imitate those of legitimate users of the application, which can make it very hard to distinguish between real traffic and malicious traffic.

Common Layer 7 DDoS Attack Types:

HTTP GET Flood
HTTP POST Flood
HTTP HEAD Flood
HTTP Connection Flood

As you may notice, all of the listed application layer attacks use the HTTP protocol. That's because HTTP floods are by far the most common type of layer 7 attack. There are, however, more types of layer 7 attacks out there that speak the protocol of the application they target (a query flood against a DNS server, for instance).

The effectiveness of HTTP floods can be dramatically increased by sending the malicious requests to particularly resource-hungry parts of the web application, such as search forms or login pages, where every request costs the server a database query or a password hash computation rather than a cached static file.
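Because the requests look legitimate one at a time, HTTP floods are found in the access log by looking at rates and at what the requests cost the server. The following is an added example, not code from the original article: it parses constructed NGINX/Apache "combined" log lines (the addresses, paths and the per-endpoint cost weights are assumptions) and shows both a per-client budget and the per-endpoint aggregate that still exposes a flood when it is spread across many bots.

```python
"""Spot an HTTP flood in web server access logs.

Added example, not code from the original article. The log lines are
constructed in the NGINX/Apache "combined" format. Two views are computed:
a per-client request budget over a sliding window, weighted so that expensive
endpoints (search, login) cost more than a static file, and a per-endpoint
total that still exposes a flood when the requests come from so many bots
that no single source exceeds its budget.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed relative cost of serving each path prefix; everything else costs 1.
ENDPOINT_COST = {"/search": 10, "/wp-login.php": 8, "/xmlrpc.php": 8}


def parse_line(line):
    """Return (timestamp, client_ip, path_without_query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["path"].split("?", 1)[0]


def endpoint_cost(path):
    return next((c for p, c in ENDPOINT_COST.items() if path.startswith(p)), 1)


def flag_clients(lines, window_seconds=10, budget=50):
    """Return {ip: peak_weighted_cost} for clients whose weighted request cost
    inside any window_seconds-long sliding window exceeded budget.
    Lines are expected in chronological order, as a log file is."""
    recent, spend, flagged = defaultdict(deque), defaultdict(int), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        cost = endpoint_cost(path)
        recent[ip].append((ts, cost))
        spend[ip] += cost
        # Drop this client's requests that have fallen out of the window.
        while (ts - recent[ip][0][0]).total_seconds() >= window_seconds:
            spend[ip] -= recent[ip].popleft()[1]
        if spend[ip] > budget:
            flagged[ip] = max(flagged.get(ip, 0), spend[ip])
    return flagged


def requests_per_endpoint(lines):
    """Aggregate view: request count per path, independent of source."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[2]] += 1
    return dict(counts)


def build_sample_log():
    """Constructed log: a browsing user, one client hammering /search, and 60
    bots each sending a single POST to /wp-login.php (a distributed flood)."""
    base = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    entries = []

    def add(offset, ip, method, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        entries.append((offset, f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'))

    for i, path in enumerate(["/", "/about", "/css/site.css", "/blog/post-1", "/search?q=ddos"]):
        add(i, "192.0.2.10", "GET", path)
    for i in range(8):  # eight search queries in eight seconds from one source
        add(0.5 + i, "198.51.100.23", "GET", f"/search?q=term{i}")
    for i in range(60):  # one login attempt per bot: under budget individually
        add(i * 0.1, f"203.0.113.{i + 1}", "POST", "/wp-login.php", 401)
    return [line for _, line in sorted(entries)]
```

Run against the constructed log, the per-client view flags only the one source hammering the search form, while the 60 bots each stay under budget and only show up in the per-endpoint count for `/wp-login.php`. That gap is the practical difficulty the section describes: against a botnet, per-IP limits have to be backed by per-endpoint limits, and the enforcement belongs in front of the application (NGINX's `limit_req_zone` and `limit_req` directives, for example) rather than in code that is already paying the cost of the request.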

Application layer DDoS attacks often originate from botnets, but during the past couple of years there has been a huge increase in layer 7 attacks that originate from outdated and exploited WordPress and Joomla! installations. A very popular exploit toolkit used to infect such outdated CMSes and abuse them for layer 7 attacks is itsoknoproblembro, which has been broadly used to execute HTTP GET and POST flood attacks.

Another very common method of starting HTTP floods is to abuse the Pingback (XML-RPC) feature of the WordPress CMS. We recently covered the anatomy of WordPress Pingback DDoS attacks and how to mitigate them with NGINX.

Denial of Service Attacks: How Dangerous Are They?
A Denial of Service attack can easily bring down any unprotected online service. The threat of Denial of Service attacks (the distributed ones in particular) is increasing dramatically. The reason for that increased danger is that Distributed Denial of Service attacks get cheaper and easier to launch every day.

You don't have to be a geek anymore or know anything about how a network, a network protocol or the DDoS attack itself works; all it takes is a PayPal account, an internet connection and the ability to read and follow simple instructions. Often the least skilled attackers are the most reckless, and even they can effortlessly bring down your online service nowadays if you don't have an effective DDoS mitigation strategy in place.

Did you know that you can rent DDoS as an online service (a so-called booter) that supports a variety of different attack types, including layer 7 attacks, and can bring down almost every defenseless website for as little as $5 per month?

Common Motives of DDoS Attackers:

Hacktivism: People who take down online presences for the greater good, or at least they think they do.
Vandalism: People who take down online services for the lulz.
Revenge: Got banned on a forum? Why not DDoS the heck out of it to show them.
Extortion: If you don't pay us $$$, your online service won't be online again anytime soon!
Competition: If it just costs 5 bucks, why not take all your direct competitors offline to swiftly increase sales?
Politics: Yes, it's actually common that people and groups of people get attacked for political reasons by another party.

This should answer the question whether Distributed Denial of Service attacks are a threat. They definitely are very dangerous to every type of online service, be it a website, a game server, an email server or anything else that is connected to the internet. Even your home connection can become the target of a (D)DoS attack.

Denial of Service Attack Protection
After reading through all this scary stuff you might ask yourself how you can protect your online service from Denial of Service attacks.

The first rule of Denial of Service attack prevention is: don't be a jerk. Seriously, we see a lot of revenge attacks on forums and other websites because people badmouth other people or groups of people. So not being a jerk might already decrease the chances of someone attacking your online presence.

Of course this strategy won't work if your competitors are criminals, you're the victim of extortion, are into politics or work in the financial sector (which, by the way, is the sector receiving the heaviest DDoS attacks).

So how do you effectively defend against DDoS attacks?

An effective Denial of Service attack prevention strategy starts at the network design and ends at your application's code. This means that the first step is to pick a data center that has the capacity to absorb huge amounts of attack bandwidth without a hiccup.

There are data centers and hosting providers that specialize in designing networks that are resilient to Distributed Denial of Service attacks. Even if a provider has enough bandwidth capacity, all that traffic still has to be scrubbed to filter out the bad attack traffic until only the legitimate traffic remains when it reaches your application.

Due to the sheer volume of most attacks, it's impossible to filter all of them directly on your server. It requires special access control lists (ACLs) set up on the routing equipment (ideally at carrier level) and a bunch of high capacity DDoS mitigation devices, basically firewalls with, say, a capacity of 30 Gbit/s each, particularly designed to detect and filter DDoS traffic. This usually involves a huge investment for the service provider.

A setup like this makes all servers hosted inside the network far more resilient to DDoS attacks, because volumetric floods and packet floods get filtered out before they can reach the servers or the application. Keep the caveat from the layer 7 section in mind, though: application layer floods that look like legitimate requests still have to be handled by rate limiting and hardening in your own application stack, which is why the strategy ends at your code. Renting or housing your hardware at such a facility will keep you safe from the network and transport layer attacks described earlier.

If you don't want to move your data and hardware to a different facility, there is also something called remote DDoS protection, which makes it possible to protect applications remotely by routing the traffic through a DDoS scrubbing center that then sends the clean traffic back to your unprotected location.

In any case it's unfortunately often more costly to stop DDoS attacks than to launch them, making the threat even more real and an obstacle for many online startups. JavaPipe contributes to a safer online world as a DDoS protection provider that offers business grade DDoS prevention solutions at low cost to support the needs of startups and small businesses.
