DDoS (Distributed Denial of Service Attack) are cyber-attacks that are carried out to prevent the broadcast of sites and render them dysfunctional by creating a fake density that is much more than what systems such as websites, e-mail systems, online payment systems can meet, or by consuming the resources of the target system at high rates. The main purpose of DDoS attacks is not to leak information or to profit, but to cause the target system to become inoperable. DDoS attacks are carried out with “botnets” created using “zombie” machines in the general framework.
Zombie: These are computer systems that have been seized with viruses or trojans and used for various purposes without the knowledge of the owner. The main reasons for creating zombie computers; It is the desire of attackers to perform transactions and strengthen their attack networks by hiding without putting themselves in danger. For these reasons, zombies are an important source for DDoS attacks.
Botnet: It can be defined as the virtual computer armies created using zombies. Botnets are created for purposes such as sending unsolicited e-mails, spreading viruses and malware, and being used in cyber-attacks and are used as intermediate elements in DDoS attacks.
DDoS and DoS Types
Volume Based DDoS: It is the sending of request packets above the bandwidth of the server. With a rate of 65%, it is the most common and simplest type of DDoS attacks. It is realized with UDP, ICMP and other spoofed-packet floods and the aim is to saturate the bandwidth of the target system.
Protocol Based DDoS: It is realized by using the vulnerability in Layer 3 (Network) and Layer 4 (Transport) of the OSI protocol. The most common example of protocol-based DDoS attacks involving syn flood, ping of death, Smurf DDoS and more types of attacks is TCP Syn flood.
Application Layer DDoS: Attacks are made using the vulnerabilities of the services in the application layer, which is the 7th layer of the OSI protocol. It is a more sophisticated DDoS type that is harder to detect and mitigate than other types of DDoS that include low and slow attacks, GET / POST floods, attacks targeting Apache, Windows or OpenBSD vulnerabilities and more.
Some types of DDoS when we consider subcategories
When we consider it in lower categories, some DDoS types are as follows;
SYN Flood DDoS
SYN flood attacks are the most common type of DDoS attack today. The purpose of SYN flood attacks is to cause the system’s resources to become inoperable by sending an SYN flagged TCP packet to the target system. It is generally carried out for web servers and web pages are prevented from serving.
You can use the “Netstat –an –p tcp” command in Linux and Windows operating systems to see if you have received an SYN flood attack. When you run this command, if you see that there are too many “SYN_RECEIVED” lines, you are likely to be attacked by an SYN flood.
Some SYN FLOOD ATTACK TOOLS are as follows:
- Windows-based tools
- Botnet management systems
Example SYN FLOOD ATTACK
root@omer:~# hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.254.134
HPING 192.168.254.134 (eth0 192.168.254.134): S set, 40 headers + 120 data bytes
hping in flood mode, no replies will be shown
It is to force the system by constantly sending get or post requests to the target page.
The attack is carried out using the UDP protocol. Multiple UDP packets are sent to a computer’s ports by the attacker. The computer that is the target of the attack checks the usage status of the port and responds with an ICMP packet if not used. Multiple ICMP packets are sent in response to a large number of UDP packets. The system thus becomes inaccessible.
ICMP (Internet Control Message Protocol) is primarily used in error messages and does not exchange data between systems. ICMP packets can accompany TCP packets during connection to servers. ICMP flood is a DDoS attack against Layer 3 infrastructures. It aims to overload the target network’s bandwidth by sending ICMP packets.
It is a very rare attack. The attacker sends Ethernet frames from different MAC addresses to the target. Network switching devices handle MAC addresses separately, thus allocating a specific resource for each request. When all memory in the switching device is used up, the device turns off or becomes unresponsive. In some types of routers, MAC Flood may cause cancellation of all routing operations, thus affecting the entire network in the router’s area.
Ping of death
It is the fatigue of the target system by sending a large ICMP request packet to the target system.
DNS domain names are servers that provide access to the website by providing IP matches. The attacker damages the victim with the harmful drinks he has prepared by disrupting the match of the website to be reached and directing it to another IP address.
In UDP protocol, packets are fragmented and sent to a system and these packets are divided into offsets and numbered. It is combined again according to the offset values. These offset values should not overlap. If there is a conflict situation, situations such as the inability to operate on the system occur. In the Teardrop attack, these offsets are overlapped and sent.
Ping request packets to the target are sent to the directed broadcast address of the network. The packet thus sends ping request packets to all devices on the network. The IP address of the target is made by changing the return addresses of Ping request packets. All devices on the network also send ping packets to the target device. Thus, both the attack is carried out and the identity of the attacker is hidden.
Dos and DDoS Attack Prevention
Since these attacks are very simple to perform today, they are a significant threat to institutions and systems. Although there is no certain method to completely prevent these attacks, especially DDoS attacks, precautions should be taken to mitigate the attacks and the network infrastructure of the system should be configured. It is more important to take pre-attack measures and early detection before the attack is prevented.
- Packets sent to target systems first pass through the router and are forwarded to other systems. With this feature, routers are the first systems to encounter an attack and the measures to be taken over the routers are very important in terms of meeting the attack from the first moment. If some adjustments to be made on the routers and the properties of the packets that come during the attack can be determined, the attacks can be prevented or reduced with the access control list to be created.
- They are measures that can be taken at the firewall level. One of these measures is to use the “rate-limiting” feature. If the relevant device supports this feature, the maximum number of packets coming from a specific IP address can be determined by rate limiting, and IPs that exceed the maximum value can be prevented.
- Firewall and antivirus software or hardware must be used.
- System updates should be done on time.
- Network traffic should be monitored, network devices should be configured for unusual situations. For routers, methods such as rate-limiting feature, preventing fake and bad packets, determining the threshold values of SYN, ICMP and UDP packets can be applied.
- Bandwidth should be more than what the institution needs.
- Content Delivery Network (CDN) data can be stored on multiple servers around the world for large-scale organizations.
From the perspective of individual users;
- Timely and complete system updates
- Using antivirus programs
- Active use of the firewall
- Using the necessary filters for secure e-mail traffic and blocking spam traffic