It’s no surprise that along with the success and continuing growth of the Internet system as a whole, there have also been some developments in programs that are designed to try and either disrupt the (mostly) harmonious flow or outright try to make it crumble. This can range from a simple virus to a dire malware attack. Whatever the cause of the ‘destruction’ may be and whoever is the one orchestrating it, the overall effect that any of these issues can have on a computer – or even an entire network – can be devastating.
Now there are a good amount of malicious programs that are used to create a dilemma in a computing system. These include ones like “Trojan Horse” (a program that disguises itself as a legit software that looks enticing enough for people to install), “Worm” (a nasty code that copies itself onto other computers), and “Spyware” (as its name suggests, it spies on the user whose device the hacker implanted the program onto). Another way to look at these specific programs is that they are “cyber attacks.”
That being said, they typically work on a comparatively small scope.
What this article will be going over is another kind of attack, but one that functions more on a wider scale. It is called a ‘DDoS attack’ and the intricacy behind it needs more in-depth explanations beyond a concise definition.
What is it? What does it mean?
DDoS (Distributed Denial-of-Service) attacks – a branch from the standard ‘denial-of-service’ attacks – are widely regarded as being one of the primary concerns relating to Internet security nowadays. It is typically defined as being a malicious attempt to upset the conventional traffic of a targeted server, service, or network. This assault is executed by overpowering either the target or the target’s surrounding framework with an excessive amount of Internet traffic.
Its intent is to shut down whatever the system or network may be, ultimately making it inaccessible for the intended users. By overwhelming either the target or the infrastructure, the DDoS attack effectively denies any legitimate users (employees, members, account holders, etc.) of the provided services or resources that they expect from the network.
Kind of like regular DoS attacks, these assaults accomplish their mission by using a number of compromised computer systems as the source of attack traffic. Machines that attackers can exploit include standard computers as well as other network resources, one example being IoT (Internet of Things) devices.
To illustrate what these kinds of assaults are from a high-level perspective, a DDoS attack is similar to a traffic jam that clogs up a highway, preventing regular traffic from moving forward and arriving at its destination. Victims of these attacks are frequently web servers belonging to high-profile organizations, such as banking, trading, and media companies, and organizations that are centred on either trade or the government. Even though DDoS attacks do not usually lead to the theft or loss of vital information or any other types of assets, they can still cost the targeted victim a great deal of time and money.
How does it work?
In order for these sorts of attacks to work, an attacker needs to gain control over a network of online machines. Machines like computers and the aforementioned IoT devices are infected with malware that turns each of them into a bot (or in other words, a zombie). From there, the attacker has remote control over this group of bots, which is referred to as a ‘botnet.’ Once a botnet has been set up, the attacker is able to direct the machines by sending updated instructions to each of the bots by remote control.
When a victim’s IP address is targeted by the botnet, each one of the bots will react by sending requests to the target, thereby potentially causing the targeted server or network to overflow capacity. This will result in the titular denial-of-service to ordinary traffic. Due to each of the bots being legitimate Internet devices, detaching the attack traffic from regular traffic can be difficult.
The OSI Model
As a whole, different DDoS attack vectors target a variety of components within a network connection, but in order to properly understand how these different DDoS attacks work, it is imperative to know the construction of a network connection. This will not only provide some context but it will also give a better understanding as to what the damage of a DDoS attack could cause.
The conventional network connection on the Internet is made up of numerous types of components, otherwise known as “layers.” Much like how one would build any regular structure from the ground up (ex. A house), each step in the model has its own purpose and significance. The OSI (Open Systems Interconnection) model is a conceptual framework that uses seven distinct layers to describe network connectivity.
To go into more detail, the model was created as a means to enable diverse communication systems to communicate using shared protocols. It is predominantly seen as a universal language for computer networking and is based on the concept of dividing a system into the previously mentioned seven abstract layers, with each one stacked on top of the last.
From the bottom layer (the first) to the top layer (the seventh), the model goes as follows:
- The physical layer: Transmits raw bitstream throughout the physical medium. This layer embodies the electrical and physical representation of the system, and it includes the cable type and the radio frequency link. Moreover, it also covers the layout of pins, voltages, and other physical necessities. Whenever there is a networking problem, this is the layer that a majority of the networking pros will check before anything else.
- The datalink layer: Specifies the format of data that is on the network. In addition, it handles error correction from the physical layer. There are two sublayers that exist here; those being the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer.
- The network layer: Determines which physical path the data will go down. This layer is responsible for data unit forwarding, including transmitting through different routers. A good way to illustrate this is with a computer in Alberta that wants to connect to a server in Nova Scotia; there are millions of possible paths the data could take, and the routers at this layer are what make this happen at an efficient rate.
- The transport layer: Transmits the data by using transmission protocols, with TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) being the most notable examples. This layer basically coordinates how much of the data is sent, the rate at which it is sent, where it goes, etc.
- The session layer: Preserves connections and is held accountable for controlling ports and sessions. The functions at this particular layer all involve the setup, the coordination (like how long the system should wait for a response), and the cut-off between the applications at the conclusion of each session.
- The presentation layer: Ensures that the data is moulded into a usable format and is also where data encryption and decryption is done. This is the layer where the data is essentially presented for the application or the network.
- The application layer: Interaction between human and computer; where applications are able to access the network services. This layer is considered to be the closest one to the ‘end user.’ Examples of layer 7 applications are web browsers (like Google Chrome and Firefox) and other apps (such as Skype and Outlook).
For the purpose of this article, it is a good idea that we understand the layers of the OSI model so that we can also understand the different types of DDoS attacks that will be further explored later. However, you may be wondering why one would need to know about this model otherwise.
The most obvious answer is that those working in the IT field likely need to know about and properly understand the seven layers when they are going for their certifications. Much like how a math student needs to know formulas and an art history student needs to know significant art movements, an IT person needs to know what they are talking about when discussing the system of the OSI model.
Vikram Kumar wrote on a Quora post that, “The purpose of the OSI reference model is to guide vendors and developers so the digital communication products and software programs they create will interoperate, and to facilitate clear comparisons among communications tools.”
There have been some people who argue that the OSI model has become obsolete due to its more theoretical nature and is regarded as being less important than the four layers belonging to the arguably more recognizable TCP/IP model. Tom Nolle of the CIMI Corporation states that, “Despite the longevity of the references to the OSI model, the conception of the OSI model has changed over the years. Some ‘layers’ have been added, and some don’t seem to be getting used very much. Most recently, there is talk about concepts like ‘virtual networks’ and ‘abstract topologies’ that don’t clearly relate to the old OSI concepts. To make matters worse, the Internet’s evolution, based on TCP/IP, never strictly followed the old OSI model at all.”
Kumar, however, provides a perceptive rebuttal to these claims by saying that it is difficult to read about anything technological nowadays without seeing some sort of reference to the OSI model and its layers. This is because the structure of the model assists in framing any discussion pertaining to protocols and in contrasting various technologies.
The different types
Generally speaking, there are two primary methods of DDoS (and DoS) attacks: flooding the services or crashing the services. Flood attacks occur whenever the system receives more traffic than the server can buffer properly, causing it to slow down and eventually come to a stop.
The most popular kinds of flood attacks include:
- Buffer overflow attack – The most common attack, this concept is to send out more traffic to a network address than the programmers have designed the system to be able to handle. It includes other types of attacks that are created to exploit bugs that are specific to certain applications or networks.
- ICMP flood – This exploits misconfigured network devices by sending ‘spoofed’ packets (packets being the smaller units of data that are assembled together to form a message) that ping every single computer on the targeted network, as opposed to just one specific machine. The network is then provoked to amplify the traffic. This particular attack is also known as the ‘ping of death’ or the ‘smurf attack.’
- SYN flood – Sends a request to link to a server, but it never completes the ‘handshake.’ It proceeds until all of the open ports are basically drowning in requests and none are left available for legit users to connect to. This attack will be further discussed later.
An attacker may make use of one or several different attack vectors, or cycle through attack vectors in response to countermeasures taken by the target.
From here, let’s break down a few key DDoS attacks. These range from assaults on layers to system floods to attacks on protocols.
We will start with an Application Layer Attack. The principal goal of this kind of attack, which is sometimes referred to as a layer 7 DDoS attack as a reference to the seventh layer (the application layer) on the OSI model, is to wear out the target’s resources. These attacks will target the layer that generates the web pages on the server and are delivered in response to HTTP inquiries.
A single HTTP request is cheap for the client to issue, but it can be expensive for the target server to answer, largely because the server needs to load numerous files and run database queries in order to build the web page. Layer 7 attacks are difficult to defend against, as the traffic can be hard to label as malicious.
An HTTP flood ranges from simple to complex. The simpler implementations access a single URL from the same range of attacking IP addresses, with the same referrers and user agents. The more intricate versions of the attack often use a large number of attacking IP addresses and target URLs at random, using randomly chosen referrers and user agents.
To put this in more basic terms, this kind of attack is similar to constantly pressing refresh in a web browser on a wide variety of different computers at the same time. A large number of HTTP requests will lead to the server flooding and will predictably result in denial-of-service.
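One way to spot the flood described above in a web server's own access logs, as an added example that is not code from the original article: it parses combined-format log lines, counts requests per client address in a sliding time window, and flags clients that exceed a threshold, reporting how varied their paths and user agents were (a simple flood repeats one URL and one agent; the more elaborate variant randomises both). The log lines, addresses, thresholds and the 10-second window are all constructed for the example.

```python
"""
Detecting an HTTP flood in access logs.  Added example, not code from the
original article; the sample log, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flooders(lines, window=timedelta(seconds=10), max_requests=20):
    """Return {ip: summary} for clients that exceed max_requests inside `window`."""
    recent = defaultdict(deque)      # ip -> request timestamps still inside the window
    paths = defaultdict(set)
    agents = defaultdict(set)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # malformed line: skip it rather than crash
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()              # drop requests that have aged out of the window
        paths[ip].add(rec["path"])
        agents[ip].add(rec["ua"])
        if len(q) > max_requests:
            peak = max(flagged.get(ip, {}).get("peak", 0), len(q))
            flagged[ip] = {"peak": peak,
                           "distinct_paths": len(paths[ip]),
                           "distinct_agents": len(agents[ip])}
    return flagged


def build_sample_log():
    """Constructed sample traffic: a few normal visitors and one flooding client."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'
    lines = []
    for i, path in enumerate(["/", "/about", "/products", "/contact"]):
        lines.append(fmt.format(ip="198.51.100.%d" % (10 + i),
                                ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                path=path, ref="https://example.com/",
                                ua="Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"))
    for i in range(30):              # 30 hits on "/" within 6 seconds, one user agent
        lines.append(fmt.format(ip="203.0.113.7",
                                ts=(base + timedelta(milliseconds=200 * i)).strftime(TS_FMT),
                                path="/", ref="-", ua="Mozilla/5.0 (constructed flood agent)"))
    return lines


if __name__ == "__main__":
    for ip, summary in find_flooders(build_sample_log()).items():
        print(ip, summary)
```

A single address far over the threshold with one path and one agent is the simple case; the distributed variant shows up as many addresses each just under the per-client threshold, which is why a per-IP count alone is not enough and the aggregate request rate per URL should be watched as well.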
The goal of protocol attacks, which are also commonly known as ‘state-exhaustion attacks,’ is to cause a service disruption by consuming all of the available state table capacity of web application servers or of intermediate resources such as firewalls and load balancers. These attacks exploit weaknesses in layer 3 and layer 4 of the protocol stack to render the target difficult to access.
The function of a SYN flood is akin to a worker in a supply room who receives requests from the front of the store. The worker receives a request, goes to fetch the package, and then waits for confirmation before bringing the package out to the front. Suddenly the worker receives many more package requests, none of them confirmed, until they are unable to carry any more packages. The worker becomes overwhelmed, and requests begin to go unanswered.
In other words, this attack takes advantage of the TCP handshake. It does so by sending the targeted machine a large number of TCP “Initial Connection Request” SYN packets with spoofed source IP addresses. The targeted machine responds to each of these connection requests and then waits for the final step in the handshake, which of course never occurs, and this exhausts the target’s resources.
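The classic defence against the half-open connections described above is the SYN cookie: instead of recording each pending handshake, the server encodes what it needs into the initial sequence number of its SYN-ACK, and only a client that genuinely completes the handshake can hand that value back. The following is an added example of a simplified SYN cookie, not code from the original article; the secret key, the 4-tuple and the counter values are constructed, and the bit layout follows the widely used scheme of a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash.

```python
"""
Simplified SYN cookies.  Added example, not code from the original article;
the secret and the sample connection values are constructed.
"""
import hashlib
import hmac
import socket
import struct

# Key for the cookie MAC.  A real stack draws this at random at boot; the
# constant below is a constructed placeholder so the example runs offline.
SECRET = b"constructed-example-secret"

# Client MSS values that fit in the cookie's 3-bit field.  Other TCP options
# are not remembered, which is the price of keeping no state at all.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(src_ip, dst_ip, sport, dport, count):
    """24-bit keyed hash over the connection 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      sport, dport, count & 0x1F)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_mss, count):
    """Initial sequence number for the SYN-ACK; nothing is stored server-side.

    Layout: 5 bits of a slowly ticking counter | 3-bit MSS index | 24-bit MAC.
    In a real implementation `count` advances roughly once a minute.
    """
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i              # largest table entry not above the client's MSS
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(src_ip, dst_ip, sport, dport, count)


def check_syn_cookie(src_ip, dst_ip, sport, dport, ack_num, count):
    """Validate the final ACK of the handshake against the cookie it carries.

    Returns the MSS to use if the cookie is genuine and was minted in the
    current or previous counter period, otherwise None.  A SYN with a spoofed
    source never produces a valid ACK, so the flood costs the server no state.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    cookie_count = cookie >> 27
    if ((count & 0x1F) - cookie_count) & 0x1F > 1:
        return None                               # too old, or from the future
    if (cookie & 0xFFFFFF) != _mac24(src_ip, dst_ip, sport, dport, cookie_count):
        return None                               # forged, or replayed for another tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    isn = make_syn_cookie("203.0.113.5", "198.51.100.10", 40000, 443, 1460, 7)
    print(hex(isn), check_syn_cookie("203.0.113.5", "198.51.100.10", 40000, 443, isn + 1, 7))
```

Because the MAC is bound to the source address and port, a flood of SYNs with spoofed sources produces cookies that nobody will ever return, and the server spends only a hash computation per packet instead of a table entry that must be held open until a timeout.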
The goal of a volumetric attack is to create congestion by consuming all of the available bandwidth between the target and the much larger Internet. Huge quantities of data are sent to the target by using a form of amplification or another method of generating massive traffic, such as requests from a botnet.
A DNS (Domain Name System) amplification is basically like a scenario wherein someone calls a restaurant and orders one of everything then asks that the restaurant call them back to tell them their whole order. In this case, the callback phone number that they gave the restaurant is the target’s number. With very little effort put into it, a long response is eventually produced.
By placing a request on an open DNS server with some sort of spoofed IP address (which is the real IP address of the target), the target IP address will then receive a reply from the server. The attacker constructs the request in such a way that the DNS server reacts to the target with an exceptionally large amount of data, and as a result, the target will obtain an amplification of the attacker’s original inquiry.
When it comes to lessening the severity of a DDoS attack, there are some real difficulties, the primary one being the act of differentiating between an attack and normal traffic.
A good example of this would be if a product release has the company’s website bombarded with excited customers, then completely cutting off traffic would undoubtedly be a huge mistake. If that company were to have a sudden surge in the traffic from known bad actors, the efforts needed to relieve an attack are most likely necessary to maintain tranquillity and balance. Now, the complications lie with telling the real customer and the attack traffic apart from each other.
In the contemporary Internet system, DDoS traffic can come in many different forms, varying in design from un-spoofed single-source attacks to more complex and flexible multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways to overwhelm a target in different ways, potentially diverting the mitigation effort away from any one of them. An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification (targeting layers 3 and 4) combined with an HTTP flood (targeting layer 7), is a prime example of a multi-vector DDoS attack.
Mitigating a multi-vector DDoS attack requires a range of strategies in order to counteract the different vectors. On the whole, the more complex the attack is, the more likely it is that its traffic will be tricky to separate from normal traffic. The chief goal of the attacker is to blend in as much as possible, making mitigation as ineffectual as it can be.
Attempts to mitigate a multi-vector DDoS attack by indiscriminately dropping or restricting traffic risk throwing out good traffic along with the bad, and the attack may also modify and adapt itself to bypass the countermeasures. A layered approach provides a much greater benefit when it comes to overcoming a complex attempt at disruption.
One of the solutions that is available to pretty much all network admins is creating something called a ‘blackhole route’ (or ‘blackholing’) and channelling the traffic into it. When this type of filtering is put into action without any specific restriction criteria, both the malicious and the valid network traffic is directed to a null route – or a black hole – and dropped from the network altogether.
With connectionless protocols such as UDP, no notification of the dropped data is returned to the source. With connection-oriented protocols such as TCP, which require a handshake in order to connect with the target system, a notice is returned if the data is dropped. If an Internet property is going through a DDoS attack, then that property’s Internet Service Provider (ISP) may be able to send all of the site’s traffic into a black hole as a defence mechanism.
With all that being said, there is a specific consequence that can come from using this blackhole routing method. That being when good traffic is simultaneously affected, the attacker will have pretty much accomplished their goal of wanting to disrupt traffic to the network or service that is being targeted. However, in spite of the likelihood that blackholing could probably aid the attacker in their malicious goal, blackhole routing can still be rather useful, especially when the target of the attack is a small site that is part of a much larger network. In this sense, blackholing the traffic that is being directed at the targeted site could actually protect the larger network from the effects of the attack.
Another method of mitigating these attacks is limiting the number of requests that a server will accept from a client over a certain period of time. While rate limiting is useful for slowing web scrapers that steal content and for blunting brute-force login attempts, this method alone will in all probability be inadequate to handle a complex DDoS attack effectively. Be that as it may, rate limiting is still a useful component in building a competent DDoS mitigation system.
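The rate limiting just described is usually implemented as a token bucket per client: each client's bucket refills at a steady rate up to a burst ceiling, and a request is served only if a token is available. The following is an added example, not code from the original article; the rate, burst size, client addresses and request timings are constructed, and time and tokens are kept as integers (milliseconds and millitokens) so the arithmetic is exact.

```python
"""
Per-client token-bucket rate limiter.  Added example, not code from the
original article; all clients and timings in the simulation are constructed.
"""


class FakeClock:
    """Manually advanced clock so the simulation needs no real waiting."""
    def __init__(self):
        self.ms = 0

    def now_ms(self):
        return self.ms


class TokenBucketLimiter:
    def __init__(self, rate_per_sec, burst, clock_ms):
        self.rate = rate_per_sec               # tokens added per second
        self.capacity = burst * 1000           # bucket size in millitokens
        self.clock_ms = clock_ms               # callable returning milliseconds
        self.buckets = {}                      # key -> (millitokens, last_refill_ms)

    def allow(self, key):
        """Spend one token for `key` if one is available; True means serve the request."""
        now = self.clock_ms()
        tokens, last = self.buckets.get(key, (self.capacity, now))
        # elapsed_ms * tokens_per_second == millitokens, so no float rounding occurs
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1000:
            self.buckets[key] = (tokens - 1000, now)
            return True
        self.buckets[key] = (tokens, now)      # keep the partial refill for next time
        return False


def simulate(rate_per_sec=5, burst=10):
    """Run one abusive client and one ordinary client through the limiter.

    Returns (flood_allowed, flood_denied, normal_allowed).
    """
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate_per_sec, burst, clock.now_ms)
    flood_allowed = flood_denied = 0
    for i in range(50):                        # 50 requests within one second
        clock.ms = 20 * i
        if limiter.allow("203.0.113.7"):
            flood_allowed += 1
        else:
            flood_denied += 1
    normal_allowed = 0
    for i in range(5):                         # one request per second
        clock.ms = 1000 * i
        if limiter.allow("198.51.100.10"):
            normal_allowed += 1
    return flood_allowed, flood_denied, normal_allowed


if __name__ == "__main__":
    print("flood allowed/denied, normal allowed:", simulate())
```

With a rate of 5 requests per second and a burst of 10, the abusive client gets its first 10 requests plus roughly 5 per second thereafter and the rest are refused, while the ordinary client is never touched. This is exactly the limitation the paragraph above points to: a botnet of thousands of addresses each staying under the per-client rate passes straight through, so rate limiting has to be combined with the other measures.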
A handy tool that can assist in mitigating a layer 7 DDoS attack is a ‘Web Application Firewall’ (WAF). When you place a WAF between the Internet and an origin server, the WAF functions as a sort of reverse proxy, protecting the targeted server from certain kinds of malicious traffic. By filtering requests against a series of rules used to identify and categorize DDoS tools, layer 7 attacks can be blocked. A core value of a good WAF is the ability to promptly implement custom rules in response to an attack.
The final method that we will discuss is called ‘Anycast Network Diffusion,’ an approach that uses an Anycast network to disperse the attack traffic across a network of distributed servers until the traffic is absorbed by the network. Much like directing a rushing river down separate channels, this approach spreads the effect of the distributed attack traffic to the point where it becomes easier to manage, thus diffusing any disruptive capability.
It should be noted that the general reliability of an Anycast network to mitigate a standard DDoS attack is entirely dependent on the size of the attack, as well as the size and efficiency of the network. All in all, network security frameworks should contain DDoS detection tools that can efficiently identify and inevitably block both exploits and instruments that attackers could use to launch an assault.
There is a considerable amount of complexity when it comes to DDoS attacks. Clearly, it cannot be summed up with a single paragraph as most other malicious programs can. It is important to understand those complexities so that the wide variety of attacks can be recognized and the methods used to mitigate them are emphasized. This way, we can all be aware of their effects and what we can do to prevent them from worsening.