DDoS Eng: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Amannik (talk | contribs)
No edit summary
Amannik (talk | contribs)
No edit summary
Line 27: Line 27:
'''Attack amplification'''
'''Attack amplification'''


    DNS Reflection - By forging the victims IP address, the attacker can make small requests to the DNS server and allow the victim to be sent the replies. This allows the attacker to amplify the power of his or her botnet by up to 70 times,which makes it much easier to overflow the victim with requests.
DNS Reflection - By forging the victims IP address, the attacker can make small requests to the DNS server and allow the victim to be sent the replies. This allows the attacker to amplify the power of his or her botnet by up to 70 times,which makes it much easier to overflow the victim with requests.
    Chargen Reflection - A vast majority of computers and printers which are connected to the internet support a service called Chargen. This allows random people to ask for a question from the device and the device replies with a random string containing letters. Chargen can be used to amplify the aforementioned DNS type attack.
Chargen Reflection - A vast majority of computers and printers which are connected to the internet support a service called Chargen. This allows random people to ask for a question from the device and the device replies with a random string containing letters. Chargen can be used to amplify the aforementioned DNS type attack.


'''Symptopms of DDoS'''
'''Symptopms of DDoS'''
Line 34: Line 34:
NOTE: All interruptions in a service can not be attributed to a DoS type attack, there are a plethora of reasons and possibilities why a service might be reacting similarily as it would if it were DDoS'ed, like the administrator doing maintenance and because of that, the services are temporarily slowed down or offline. Nevertheless, there are signs which should be paid attention to,which might indicate that the network or service is suffering a DDoS attack.
NOTE: All interruptions in a service can not be attributed to a DoS type attack, there are a plethora of reasons and possibilities why a service might be reacting similarily as it would if it were DDoS'ed, like the administrator doing maintenance and because of that, the services are temporarily slowed down or offline. Nevertheless, there are signs which should be paid attention to,which might indicate that the network or service is suffering a DDoS attack.


    One sign of an attack is that the computer and internet are performing slower than usual. This would be noticeable when you try to open a file or go to a website and it takes longer than usual.
One sign of an attack is that the computer and internet are performing slower than usual. This would be noticeable when you try to open a file or go to a website and it takes longer than usual.
    In addition to a system responding slowly, you might suffer issues with going to a website at all.
In addition to a system responding slowly, you might suffer issues with going to a website at all.
    The increase in mail in your spambox can also be an indication that your computer has just recently suffered a DDoS attack.
The increase in mail in your spambox can also be an indication that your computer has just recently suffered a DDoS attack.
    Internet traffic may be slowed down in a geographic region, like a country experiencing a DDoS attack, the citizen's of the country will suffer from poor connection speed.
Internet traffic may be slowed down in a geographic region, like a country experiencing a DDoS attack, the citizen's of the country will suffer from poor connection speed.


'''Prevention of DDoS'''
'''Prevention of DDoS'''


    The easiest and also most expensive solution would be to buy more bandwith. For example : If you have 10000 systems all of which are capable of sending traffic 1Mbps then that means accumulatively you can send 10 gbps data. A systems administrator might also want to expand out to more servers in different data centers so that the load would be better distributed between servers. If the traffic is spread out well between the servers,then the load on that 1 server can handle the traffic better. Nowadays though, upping the bandwith isn't a cost effective solution but nevertheless it is a solution.
The easiest and also most expensive solution would be to buy more bandwith. For example : If you have 10000 systems all of which are capable of sending traffic 1Mbps then that means accumulatively you can send 10 gbps data. A systems administrator might also want to expand out to more servers in different data centers so that the load would be better distributed between servers. If the traffic is spread out well between the servers,then the load on that 1 server can handle the traffic better. Nowadays though, upping the bandwith isn't a cost effective solution but nevertheless it is a solution.
    One of the most critical parts of a system is a DNS server. Generally it's a bad idea to leave it open for others to access. Restricting access to the DNS servers might be an option so that it couldn't be attacked so easily. Similarily, what  
One of the most critical parts of a system is a DNS server. Generally it's a bad idea to leave it open for others to access. Restricting access to the DNS servers might be an option so that it couldn't be attacked so easily. Similarily, what  


will happen if those servers are under attack? Even if there's access to the website, there's no connection to the DNS server and the domain name cannot be converted into an ip address which is also bad. A majority of providers use two DNS servers when registering a domain but often enough two DNS servers aren't enough.A systems administrator has to make sure that the DNS is as well protected as the web services and other affiliated resources.
will happen if those servers are under attack? Even if there's access to the website, there's no connection to the DNS server and the domain name cannot be converted into an ip address which is also bad. A majority of providers use two DNS servers when registering a domain but often enough two DNS servers aren't enough.A systems administrator has to make sure that the DNS is as well protected as the web services and other affiliated resources.


    When assessing your network there's quite a bit of measures to undertake in order to protect the network layer. You have ascertain that the router doesn't forward bad packets and the ICMP would have to be denied and to use proper firewall software.
When assessing your network there's quite a bit of measures to undertake in order to protect the network layer. You have ascertain that the router doesn't forward bad packets and the ICMP would have to be denied and to use proper firewall software.
Another idea would be to close all unused ports. A lot of ISP's offer a service to not allow access to specified ports which would be better than restricting access to them yourself. Should the company be the recepient of an attack the ISP will help the company manage it.
Another idea would be to close all unused ports. A lot of ISP's offer a service to not allow access to specified ports which would be better than restricting access to them yourself. Should the company be the recepient of an attack the ISP will help the company manage it.
    Something to keep in mind would be how to mitigate an attack. It would be very wise to have a plan to quickly swap dynamic resources for static resources. If doing this, it would be highly advisable to have systems which would pick up attacks. There's not a worse situation for a company than have their systems offline, which is why it's necessary to be ready to go on the counter offensive as soon as tehe attack begins. Stopping a DDoS attack is very complicated because it's incredibly difficult to find the attacks point of origin. Which is why you have to set up an infrastructure from the get go which is hard to break into and would be up to the security standards of today.
 
Something to keep in mind would be how to mitigate an attack. It would be very wise to have a plan to quickly swap dynamic resources for static resources. If doing this, it would be highly advisable to have systems which would pick up attacks. There's not a worse situation for a company than have their systems offline, which is why it's necessary to be ready to go on the counter offensive as soon as tehe attack begins. Stopping a DDoS attack is very complicated because it's incredibly difficult to find the attacks point of origin. Which is why you have to set up an infrastructure from the get go which is hard to break into and would be up to the security standards of today.


'''Mitigating damage'''
'''Mitigating damage'''

Revision as of 15:30, 17 April 2017

Overview


Written by Andris Männik


DDoS (Distributed Denial-of-Service) is an attack in which the goal is to flood a system with requests from a network of computers so that the system buckles under the weight of the bandwith, so that the system cannot process legitimate requests and if the attack is coming from a wide area it is incredibly difficult to filter legitimate and illegitimate traffic. DDoS'ing is most commonly done in botnets, zombie computers infected with malicious software to accept commands from the attacker's own computer, to start and stop flooding a service with requests whenever the attacker chooses.

As technology advances discovering and remedying DDoS attacks will be much more difficult.

DDoS is a more sophisticated version of DoS.

The difference comes from that in DDoS'ing, the requests are coming from a plethora of computers from many different networks, where as DoS'ing is when the requests are coming from a single computer from a single network.

Methods

Attack vectors

Generally, DDoS attacks can be divided into these categories:

Volumetric attacks, for example SYN flooding. This sort of attack is meant to utilize the 3 way TCP handshake in which computers are sending SYN packets and the receiving computer has to reply with an ACK packet. The most basic attack type. Devices which are capable of keeping up with millions of device requests are even brought low by this type of attack.

Application Layer Attack - This attack relies on the disruption of information between computers. This vector of attack is good for an attacker who doesn't have a big botnet, because the attacked server has to use a lot more resources to respond to the HTTP request, and there's little bandwith cost to the attacker, or at least, significantly lower to the attacker than it is to the attacked server or system.

Fragmentation Attacks - Fragmentation normally is done for data transmission, since each network has a unique limit for the size of datagrams that it can process. This pre-configured limit is known as the MTU (maximum transmission unit). In this example, sending a datagram the size of which is larger than the receiving server's MTU, the datagram has to be fragmented so that it can be transmitted wholly. The IP header in the datagram contains the flag detailing whether fragmentation is turned on or not to see if fragmentation is allowed to take place. In cases where the flag is set to no fragmentation in the IP header, then the packet is dropped. If the flag is turned on, then the offset would explain to the recipient device the exact order the fragments should be placed in for reassembly.

Attack amplification

DNS Reflection - By forging the victims IP address, the attacker can make small requests to the DNS server and allow the victim to be sent the replies. This allows the attacker to amplify the power of his or her botnet by up to 70 times,which makes it much easier to overflow the victim with requests. Chargen Reflection - A vast majority of computers and printers which are connected to the internet support a service called Chargen. This allows random people to ask for a question from the device and the device replies with a random string containing letters. Chargen can be used to amplify the aforementioned DNS type attack.

Symptopms of DDoS

NOTE: All interruptions in a service can not be attributed to a DoS type attack, there are a plethora of reasons and possibilities why a service might be reacting similarily as it would if it were DDoS'ed, like the administrator doing maintenance and because of that, the services are temporarily slowed down or offline. Nevertheless, there are signs which should be paid attention to,which might indicate that the network or service is suffering a DDoS attack.

One sign of an attack is that the computer and internet are performing slower than usual. This would be noticeable when you try to open a file or go to a website and it takes longer than usual. In addition to a system responding slowly, you might suffer issues with going to a website at all. The increase in mail in your spambox can also be an indication that your computer has just recently suffered a DDoS attack. Internet traffic may be slowed down in a geographic region, like a country experiencing a DDoS attack, the citizen's of the country will suffer from poor connection speed.

Prevention of DDoS

The easiest and also most expensive solution would be to buy more bandwith. For example : If you have 10000 systems all of which are capable of sending traffic 1Mbps then that means accumulatively you can send 10 gbps data. A systems administrator might also want to expand out to more servers in different data centers so that the load would be better distributed between servers. If the traffic is spread out well between the servers,then the load on that 1 server can handle the traffic better. Nowadays though, upping the bandwith isn't a cost effective solution but nevertheless it is a solution. One of the most critical parts of a system is a DNS server. Generally it's a bad idea to leave it open for others to access. Restricting access to the DNS servers might be an option so that it couldn't be attacked so easily. Similarily, what

will happen if those servers are under attack? Even if there's access to the website, there's no connection to the DNS server and the domain name cannot be converted into an ip address which is also bad. A majority of providers use two DNS servers when registering a domain but often enough two DNS servers aren't enough.A systems administrator has to make sure that the DNS is as well protected as the web services and other affiliated resources.

When assessing your network there's quite a bit of measures to undertake in order to protect the network layer. You have ascertain that the router doesn't forward bad packets and the ICMP would have to be denied and to use proper firewall software. Another idea would be to close all unused ports. A lot of ISP's offer a service to not allow access to specified ports which would be better than restricting access to them yourself. Should the company be the recepient of an attack the ISP will help the company manage it.

Something to keep in mind would be how to mitigate an attack. It would be very wise to have a plan to quickly swap dynamic resources for static resources. If doing this, it would be highly advisable to have systems which would pick up attacks. There's not a worse situation for a company than have their systems offline, which is why it's necessary to be ready to go on the counter offensive as soon as tehe attack begins. Stopping a DDoS attack is very complicated because it's incredibly difficult to find the attacks point of origin. Which is why you have to set up an infrastructure from the get go which is hard to break into and would be up to the security standards of today.

Mitigating damage

It's nigh on impossible to stop a DDoS attack. Which is why instead of trying to stop it, it might be better to mitigate damage instead what the attackers might do. In order for there to be any damage mitigation there has to be a plan at the earliest stages of the attack commencing and for that to happen you must know the early signs of a DDoS attack and to do that you have to monitor the network traffic so you can discover any unusual activity taking place.

Another good approach is to frequently scan the network and web applications to discover vulnerabilities to the system early. Protecting your infrastructure means protecting the laptops,servers and other devices which can be used in making a botnet. There are some applications like IBM Security which protects devices from application layer attacks and have been shown to deter minor DDoS attacks.

Conclusion

Nowadays, DDoS attacks are one of the most common attacks being done in cyberspace, which take place every day. It's an attack, where the attacker takes advantage of other computers, the owners of which are unaware that their computers are being used to make these attacks. These computers are put into a network and they're used to attack one or several targets by sending the victims miljons of data packets. Even though a DDoS attack is nigh impossible to stop, the systems administrator has to do everything in his or her power to insure the safety of hte network. All system administrators should get acquainted with this type of attack because that's the best way to mitigate damage.