Denial of Service: Definition
Denial of Service (commonly referred to as DoS, not to be confused with MS-DOS) describes a situation where an application or service is not reachable for its intended audience anymore, i.e. it denies service.
So the definition of Denial of Service is simply that a service or application that's usually reachable is not reachable, likely because of an attack and not a simple bug. We'll go into more detail about this later on.
What Is Denial of Service?
We already discussed the definition of Denial of Service above. Let's continue with why and how an online service would experience a DoS.
The reason for a Denial of Service can simply be a random malfunction of the service or application, or a malfunction triggered by an exploit. For example, a person with malicious intent would send a specifically crafted command to the application designed to make it crash, effectively resulting in a Denial of Service.
However, most bugs that would result in a DoS get fixed sooner rather than later. That's why the bad guys instead take advantage of flaws in the TCP, UDP and other network protocols to make an intended target unreachable to its audience.
So, while Denial of Service simply defines the unavailability of a service that's normally available, it mostly refers to attacks carried out over networks such as the internet that are designed to take the target offline. Let's check this out in more detail.
What Is a Denial of Service Attack?
The best way to define a Denial of Service attack is that it's a type of cyber attack that aims at making a particular target service unreachable to its audience. Because DoS vulnerabilities in applications are not too common and for the most part get patched rather quickly, most Denial of Service attacks are carried out by taking advantage of flaws in network protocols.
A simple Denial of Service attack usually originates from a single or very few sources, the source normally being a server or PC connected to the internet. A DoS attack normally aims at vulnerabilities in an application that would result in a DoS, or tries to overload the CPU or RAM resources of the target machine.
In some cases a single attack source can also have larger resources, such as a 10 Gbit/s internet connection, which would allow the attacker, instead of aiming at the application itself, to just hammer the victim with more network traffic than it can handle. If the target machine has only, say, a 100 Mbit/s connection and the attacking machine has 10 Gbit/s, it will be easy to clog the network, rendering the victim unreachable over the internet.
If the Denial of Service attack targets the CPU and RAM resources, the attacking machine would usually flood the victim with requests, such as HTTP requests if the target is a website, in order to exhaust the resources of the server the website is running on.
Generally there are two types or kinds of Denial of Service attacks, which are:
Network Layer Attacks (Layer 3 and Layer 4)
Application Layer Attacks (Layer 7)
Network layer attacks target layer 3 and 4 of the OSI model and, as the name suggests, they try to exhaust the network capacity of a victim, which can be the uplink capacity, the network interface controller capacity of the server, or also the number of packets that the TCP/IP stack of the operating system of the server can handle.
Application layer attacks usually target the application itself that the attacker wants to make unreachable. This happens by sending seemingly legitimate requests to the application, which it processes as if they came from legitimate users. The attacker usually sends so many of such requests that it's as if your application had many thousands of users at the same time that it has to handle instead of a few, effectively exhausting all CPU and RAM resources of the server.
There are many, many different subtypes of network and application layer attacks. Most of them are Distributed Denial of Service attack types, which is why we'll look at them in the next chapter.
What Is a Distributed Denial of Service Attack?
While a simple Denial of Service attack originates just from one single or very few sources, a Distributed Denial of Service attack (a.k.a. DDoS attack) originates from a network of many sources, often many thousands.
This network of attack sources is often a so-called botnet, which describes a network of infected computers and/or servers that are in the control of a hacker. The hacker can control all of the infected machines from a so-called Command & Control server (CnC or C&C) and make them, for example, simultaneously send HTTP GET requests to a target, which would be a form of layer 7 DDoS attack.
Distributed Denial of Service attacks can do much more harm than a simple Denial of Service attack. That's because they often involve way too many attack sources (effectively source IP addresses) to simply block the source IP(s) with a firewall or ACL. Their size is often tremendous and can take down whole networks or data centers, which makes them difficult to combat.
Let's look more closely at what types of network and application layer attacks can be used as part of a (Distributed) Denial of Service attack.
Network and Transport Layer DDoS Attacks (Layer 3/4)
There are basically two subsections that network layer attacks can be split into.
1. High Volume Attacks
2. High Packet Count Attacks
The high volume network layer attacks mostly aim at exhausting the network capacity of a server or the network segment of one (read: access or distribution switch). These attacks are mostly using the UDP protocol because that allows a variety of amplification DDoS attacks and also makes it possible to send large single packets to a target IP.
Those volumetric attacks are usually measured in bits, such as Megabits per second and Gigabits per second. There are volumetric DDoS attacks ranging from 50 Mbit/s to 400 Gbit/s, the latter mostly being reflection attacks (a.k.a. DrDoS, Distributed Reflected Denial of Service).
Common UDP-based High Volume DDoS Attack Types:
DNS Amplification
NTP Amplification
SNMPv2 Amplification
NetBIOS Amplification
SSDP Amplification
CHARGEN Amplification
QOTD Amplification
RIPv1 Amplification (NEW)
Multicast DNS (mDNS) Amplification DDoS (NEW)
Portmap Amplification DDoS (NEW)
Direct UDP Flood
We can't cover how each attack works exactly; however, Distributed Reflected Denial of Service attacks usually take advantage of UDP-based online applications that send back a large response to a small query.
The attacker would typically spoof (meaning fake) his IP address to make it look as if the network packets that the attacker sends originate from the victim's IP address. Now if the attacker sends many small packets requesting a larger response from one of the above listed vulnerable applications, the application will send back the response to the victim's IP address, because it thinks the victim requested the data, where in fact it didn't, but the attacker did by spoofing the IP address of the victim.
This results in an amplification of attack power, because very small requests result in rather large responses, meaning the attacker needs few resources to send the fake requests, while the responses to those requests exhaust the resources of the victim quickly due to them being multiple (up to 20 or more) times larger.
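As an added example (not part of the original article), here is a small flow-record check a defender could run on the protected network to spot reflected amplification traffic of the kinds listed above: answers arriving from a well-known amplifier port that nobody asked for, or that are far larger than the queries sent. The flow records, the port-to-service table and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# UDP services the article lists as amplification vectors, keyed by their
# well-known server port (constructed mapping, adjust for your environment).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 137: "NetBIOS", 1900: "SSDP",
                   19: "CHARGEN", 17: "QOTD", 520: "RIPv1", 5353: "mDNS", 111: "Portmap"}

# Constructed UDP flow records (not captured traffic):
# (src_ip, src_port, dst_ip, dst_port, bytes). 203.0.113.0/24 is the protected network.
FLOWS = [
    # normal DNS lookup: small query out, modest answer back
    ("203.0.113.10", 40001, "198.51.100.5", 53, 64),
    ("198.51.100.5", 53, "203.0.113.10", 40001, 120),
    # DNS amplification: one tiny (spoofed) query produced many large answers
    ("203.0.113.20", 33333, "198.51.100.5", 53, 60),
    ("198.51.100.5", 53, "203.0.113.20", 33333, 3200),
    ("198.51.100.6", 53, "203.0.113.20", 33333, 3100),
    # NTP reflection: responses arrive although 203.0.113.20 never sent a query
    ("198.51.100.7", 123, "203.0.113.20", 44444, 4400),
    ("198.51.100.8", 123, "203.0.113.20", 44444, 4400),
]

def find_reflection(flows, local_net, min_ratio=10.0, min_bytes=1000):
    """Return {victim_ip: {service: (bytes_out, bytes_in)}} for local hosts whose
    inbound bytes from an amplifier port are unsolicited or far larger than
    their own outbound queries to that service."""
    net = ipaddress.ip_network(local_net)
    sent = defaultdict(int)  # (local_ip, service) -> bytes of queries sent
    recv = defaultdict(int)  # (local_ip, service) -> bytes of answers received
    for src, sport, dst, dport, size in flows:
        if ipaddress.ip_address(dst) in net and sport in AMPLIFIER_PORTS:
            recv[(dst, AMPLIFIER_PORTS[sport])] += size
        elif ipaddress.ip_address(src) in net and dport in AMPLIFIER_PORTS:
            sent[(src, AMPLIFIER_PORTS[dport])] += size
    suspects = defaultdict(dict)
    for (host, service), bytes_in in recv.items():
        bytes_out = sent.get((host, service), 0)
        # No outbound query at all means the answers are unsolicited; otherwise
        # flag when the answer-to-query ratio looks like amplification.
        if bytes_in >= min_bytes and (bytes_out == 0 or bytes_in / bytes_out >= min_ratio):
            suspects[host][service] = (bytes_out, bytes_in)
    return dict(suspects)

if __name__ == "__main__":
    for host, services in find_reflection(FLOWS, "203.0.113.0/24").items():
        for service, (out, inc) in services.items():
            print(f"{host}: {inc} bytes of {service} answers for {out} bytes of queries")
```

The same logic applies to exported NetFlow/IPFIX records once they are reduced to the five fields used here.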
Common TCP-based High Packet Count DDoS Attack Types:
SYN Flood
SSYN Flood (Spoofed SYN Flood)
SYN-ACK Flood
ACK Flood
TCP Fragment Flood
TCP RST Flood (TCP Reset Attack)
TCP Flag Abuse Flood
TCP-based Distributed Denial of Service attacks usually involve a high amount of packets per second being sent to the victim's IP address. The packets are generally small but plenty. They usually don't overwhelm the throughput of a network as UDP-based Distributed Denial of Service attacks do, but they can still easily make a server's network card go down and overload the operating system's TCP/IP stack.
The amount of packets per second commonly gets counted in Kpps (kilo/thousand packets per second) and Mpps (million packets per second). TCP-based attacks with as little as 50 Kpps (50,000 packets per second) can already take down servers or applications on the targeted port, and many attacks range up to 8 Mpps (8 million packets per second) and more.
To fully understand how and why TCP-based attacks work so well in bringing down targets, you have to dig deep into how the TCP protocol and especially the TCP handshake works. This is out of scope of this article, but it's a good start to read what Wikipedia has to say about it if you want to dig deeper.
Application Layer DDoS Attacks (Layer 7)
While a network or transport layer attack mostly aims at the IP address and the server as a whole, an application layer DDoS attack directly targets the application that the attacker wants to make unavailable.
This type of attack aims at exhausting the CPU and RAM resources of the server(s) an online application such as a website is being hosted on, by basically simulating a tremendous amount of users until there are no resources left to handle the requests of the actual users.
Layer 7 DDoS attacks are one of the hardest Distributed Denial of Service attacks to detect, because the malicious requests often imitate the ones of legitimate users of the application, which can make it very hard to distinguish between what's real traffic and what's malicious traffic.
Common Layer 7 DDoS Attack Types:
HTTP GET Flood
HTTP POST Flood
HTTP HEAD Flood
HTTP Connection Flood
As you may notice, all of the listed application layer attacks utilize the HTTP protocol. That's because HTTP floods are by far the most common type of layer 7 attacks. There are however more types of layer 7 attacks out there that speak the protocol of the application they target.
The effectiveness of HTTP floods can be dramatically increased by sending the malicious requests to particularly resource-hungry parts of the web application, such as search forms or login pages.
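Added example, not from the original article: a detector that reads web-server access-log lines and weights each request by how expensive its path is to serve, so a client hammering the search form stands out even when its raw request count looks like ordinary browsing. The log lines, the path costs and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches Common Log Format: client, ident, user, [time], "method path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S"
EPOCH = datetime(1970, 1, 1)

# Relative cost of serving a path (assumed values). The article notes that floods
# aimed at search forms and login pages hurt far more than the same number of
# requests for static files, so those paths are weighted higher.
PATH_COST = {"/search": 20, "/login": 10}

def make_line(ip, sec, path):
    # Builds a constructed log line for the sample below (not real server output).
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200'

# Constructed sample: one normal visitor, one client fetching a static file
# quickly, and one client hitting the search form once per second for 30 seconds.
LOG_LINES = [make_line("203.0.113.5", 1, "/index.html"), make_line("203.0.113.5", 4, "/login"),
             make_line("203.0.113.5", 9, "/about")]
LOG_LINES += [make_line("203.0.113.9", s, "/static/app.js") for s in range(15)]
LOG_LINES += [make_line("198.51.100.77", s, "/search?q=a") for s in range(30)]

def detect_floods(lines, window_s=10, budget=100):
    """Return {client_ip: peak_cost} for clients whose weighted request cost
    within any window_s-second bucket reaches budget."""
    cost = defaultdict(int)  # (client, bucket) -> weighted cost
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing on them
        client, ts, _method, target, _status = m.groups()
        when = datetime.strptime(ts.split()[0], TIME_FMT)
        bucket = int((when - EPOCH).total_seconds()) // window_s
        path = target.split("?", 1)[0]  # ignore the query string when pricing
        cost[(client, bucket)] += PATH_COST.get(path, 1)
    peaks = defaultdict(int)
    for (client, _bucket), total in cost.items():
        peaks[client] = max(peaks[client], total)
    return {c: p for c, p in peaks.items() if p >= budget}

if __name__ == "__main__":
    for client, peak in detect_floods(LOG_LINES).items():
        print(f"{client}: weighted cost {peak} in one window, candidate for rate limiting")
```

With the default budget only the search-form client is reported; the static-file client sends more requests in the same window but its weighted cost stays low.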
Application layer DDoS attacks often originate from botnets, but during the past couple of years there has been a huge increase in layer 7 attacks that originate from outdated and exploited WordPress and Joomla! installations. The name of a very popular exploit toolkit to infect such outdated CMSes and abuse them for layer 7 attacks is itsoknoproblembro, which has been broadly used to execute HTTP GET and POST flood attacks.
Another very common method of starting HTTP floods is to abuse the Pingback (XML-RPC) feature of the WordPress CMS. We recently covered the anatomy of WordPress Pingback DDoS attacks and how to mitigate it with NGINX.
Denial of Service Attacks: How Dangerous Are They?
A Denial of Service attack can easily bring down any unprotected online service. The threat of Denial of Service attacks (the distributed ones in particular) is increasing dramatically. The reason for that increased danger is that Distributed Denial of Service attacks get cheaper and easier to initiate every day.
You don't have to be a geek anymore or know anything about how a network, a network protocol or the DDoS attack works; all it takes is a PayPal account, an internet connection and the ability to read and follow simple instructions. Often the dumbest people are the most dangerous, and even they can effortlessly bring down your online service nowadays if you don't have an effective DDoS mitigation strategy in place.
Did you know that you can rent DDoS as an online service (a so-called booter) that supports a variety of different attack types, including layer 7 attacks, and can bring down almost every defenseless website for as little as $5 per month?
Common Motives of DDoS Attackers:
Hacktivism: People who take down online presences for the greater good, or at least they think they do.
Vandalism: People who take down online services for the lulz.
Revenge: Got banned on a forum? Why not DDoS the heck out of it to show them.
Extortion: If you don't pay us $$$, your online service won't be online again anytime soon!
Competition: If it just costs 5 bucks, why not take all your direct competitors offline to swiftly increase sales?
Politics: Yes, it's actually common that people and groups of people get attacked for political reasons by another party.
This should answer the question whether Distributed Denial of Service attacks are a threat. They definitely are very dangerous to every type of online service, be it a website, a game server or an email server or anything else that's connected to the internet. Even your home connection can become the target of a (D)DoS attack.
Denial of Service Attack Protection
After reading through all this scary stuff you might ask yourself how you can protect your online service from Denial of Service attacks.
The first rule of Denial of Service attack prevention is: Don't be a cunt. Seriously, we see a lot of revenge attacks on forums and other websites because people badmouth other people or groups of people. So not being a cunt might already decrease the chances of someone attacking your online presence.
Of course this strategy won't work if your competitors are criminals, you're the victim of extortion, are into politics or work in the financial sector (which is the one receiving the most heavy DDoS attacks, by the way).
So how do you effectively defend against DDoS attacks?
An effective Denial of Service attack prevention strategy starts at the network design and ends at your application's code. This means that the first step is to pick a data center that has the capacity to swallow huge amounts of attack bandwidth without getting a hiccup.
There are data centers and hosting providers that specialize in designing networks that are resilient to Distributed Denial of Service attacks. Even if a provider has enough bandwidth capacity, all that traffic still has to be scrubbed to filter out the bad attack traffic until only the legitimate traffic remains when it reaches your application.
Due to the sheer volume of most attacks, it's impossible to filter all of them directly on your server. It requires special access control lists (ACLs) set up on the routing equipment (ideally at carrier level) and a bunch of high-capacity DDoS mitigation devices that are basically firewalls with, say, a capacity of 30 Gbit/s each, particularly designed to detect and filter DDoS traffic. This usually involves a huge investment for the service provider.
A setup like this will make all servers hosted inside the network immune to DDoS attacks, because they get filtered out before they can reach the servers or the application. Renting or housing your hardware at such a secure facility will keep you safe and sound from those cyber villains.
If you don't want to move your data and hardware to a different facility, there is also something called remote DDoS prevention, which makes it possible to remotely protect applications from attacks by routing the traffic through a DDoS scrubbing center that then sends back the clean traffic to your insecure location.
In any case it's unfortunately often more costly to stop DDoS attacks than to initiate them, making the threat even more real and an obstacle for many online startups. JavaPipe contributes to a safer online world as a DDoS protection provider that offers business-grade DDoS prevention solutions for small money to support the needs of startups and small businesses.