Understanding Distributed Denial of Service Attacks
A Distributed Denial of Service (DDoS) attack is an attempt to crush a web server or online system by overwhelming it with data. DDoS attacks can be simple mischief, revenge, or hactivism, and can range from a minor annoyance to long-term downtime resulting in loss of business.
Hackers hit GitHub with a DDoS attack of 1.35 terrabytes of data per second in February of 2018. That’s a massive attack, and it’s doubtful that it will be the last of its kind.
HOW DOES A DDOS ATTACK WORK?
Application Layer Attacks
Application layer DDoS attacks aim to exhaust the resources of the target and disrupt access to the target’s website or service. Attackers load the bots with a complicated request that taxes the target server as it tries to respond. The request might require database access or large downloads. If the target gets several million of those requests in a short time, it can very quickly get overwhelmed and either slowed to a crawl or locked up completely.
An HTTP Flood attack, for example, is an application layer attack that targets a webserver on the target and uses many fast HTTP requests to bring the server down. Think of it as pressing the refresh button in rapid fire mode on your game controller. That kind of traffic from many thousands of computers at once will quickly drown the webserver.
Protocol DDoS attacks target the networking layer of the target systems. Their goal is to overwhelm the table spaces of the core networking services, the firewall, or load balancer that forwards requests to the target.
In general, network services work off a first in, first out (FIFO) queue. The first request comes in, the computer processes the request and then it goes and gets the next request in the queue so on. Now there are a limited number of spots on this queue, and in a DDoS attack the queue could become so huge that there aren’t resources for the computer to deal with the first request.
A SYN flood attack is a specific protocol attack. In a standard TCP/IP network transaction, there is a 3-way handshake. They are the SYN, the ACK, and the SYN-ACK. The SYN is the first part, which is a request of some kind, the ACK is the response from the target, and the SYN-ACK is the original requester saying “thanks, I got the information I requested.” In a SYN flood attack, the attackers create SYN packets with fake IP addresses. The target then sends an ACK to the dummy address, which never responds, and it then sits there and waits for all those responses to time out, which in turn exhausts the resources to process all of these fake transactions.
The goal of a volumetric attack is to use the botnet to generate a major amount of traffic and clog up the works on the target. Think of like an HTTP Flood attack, but with an added exponential response component. For example, if you and 20 of your friends all called the same pizza place and ordered 50 pies at the same time, that pizza shop wouldn’t be able to fulfill those requests. Volumetric attacks operate on the same principle. They request something from the target that will vastly increase the size of the response, and the amount of traffic explodes and clogs up the server.
DNS Amplification is a kind of volumetric attack. In this case, they are attacking the DNS server directly and requesting a large amount of data back from the DNS server, which can bring the DNS server down and cripple anyone that is using that DNS server for name resolution services.
DDOS ATTACKS TODAY
Just like everything else in computing, DDoS attacks are evolving and becoming more destructive to business. Attack sizes are increasing, growing from 150 requests per second in the 1990s – which would bring a server of that era down – to the recent DYNDNS attack and GitHub attack at 1.2 TBs and 1.35 TBs respectively. The goal in both of these attacks was to disrupt two major sources of productivity across the globe.
These attacks used new techniques to achieve their huge bandwidth numbers. The Dyn attack used an exploit found in Internet of Things (IoT) devices to create a botnet, called the Mirai Botnet attack. Mirai used open telnet ports and default passwords to take over wifi enabled cameras to execute the attack. This attack was a childish prank but presented a major vulnerability that comes with the proliferation of the IoT devices.
The GitHub attack exploited the many thousands of servers running memchached on the open internet, an open-source memory caching system. Memchached happily responds with huge amounts of data to simple requests, so leaving these servers on the open internet is a definite no-no.
Both of these attacks show a significant risk of future exploits, especially as the IoT universe continues to grow. How fun would it be for your fridge to be part of a botnet? On the bright side, GitHub wasn’t even brought down by the attack.
What’s more, DDoS attacks have never been easier to execute. With multiple DDoS-as-a-Service options available, malicious actors can pay a nominal fee to “rent” a botnet of infected computers to execute a DDoS attack against their target of choice.