In this article, we will look at DDoS attacks, which are increasingly powerful and regularly target certain companies, alongside many other types of attacks. Before talking about DDoS attacks as such, it seems essential to me to first cover DoS attacks, and then move on to DDoS attacks.
It’s a subject I bring up from time to time in my news articles, with titles such as “Europe: Akamai blocked a record DDoS attack with 659 million packets per second” or “DDoS HTTPS: Cloudflare blocked an attack of 26 million requests per second”.
II. DoS attacks (denial of service)
First of all, you should know that the acronym DoS stands for Denial of Service, or in French “déni de service”. The objective of a denial of service attack is to make the target service unavailable by overloading it until it collapses. In practice, a very large number of requests are sent to a target server in order to exhaust its resources: once it can no longer keep up, it saturates and the service it hosts stops responding. For example, the network card of a machine can saturate because of too many requests received on the interface. In some cases, a security flaw in an application or system is exploited to achieve the same “denial of service” effect.
In a DoS attack, a single source machine with a single connection attacks a target machine, as if saying “I am stronger and more powerful than you, I will overload you until you are exhausted”. We can imagine a machine with a 10 Gbit/s network connection attacking a machine with a 1 Gbit/s network connection: the duel is unbalanced.
Quite quickly, we see that this “1 vs 1” duel has its limits and is far from sufficient when attacking major sites or online services. However, every system has its limits, and this is where the DDoS method, which we will now discover, comes into play.
III. DDoS attacks (distributed denial of service)
A. The principle of a DDoS attack
The acronym DDoS stands for Distributed Denial of Service, in French “déni de service distribué”. Like a DoS attack, the goal of a DDoS attack is to saturate a target machine until it becomes unavailable and causes a service interruption. For example, a DDoS attack against a website will aim to make it unavailable.
To send an extremely large number of requests to the target machine in order to saturate it, cybercriminals use a set of machines in a DDoS attack. It is important to understand that a DDoS attack is emitted from several machines towards the same target.
To benefit from these numerous attack sources and have the power necessary to bring down the target host, cybercriminals rely on a network of infected computers (a botnet) made up of several hundred or even thousands of machines. These infected machines integrated into the botnet can be distributed all over the world and are controlled by the cybercriminals: servers (a VPS in the cloud, for example), personal computers or connected objects. Each of these pieces of equipment gives the attacker a greater strike force and makes it possible to trigger a very powerful DDoS attack: this is why we hear about DDoS attacks where the target receives several tens or hundreds of millions of packets per second.
B. Who are the targets of DDoS attacks?
DDoS attacks particularly target services available on the Internet, as they are easily accessible. Thus, websites and companies that provide online services represent the ideal target for a DDoS attack. It then remains to identify the motivation behind the DDoS attack, because it is generally not for fun. Indeed, the motivation may be religious or political, or linked to competition between several companies.
Keep in mind that your business or website doesn’t have to be the direct target of a DDoS attack to be impacted: if it’s your service provider that’s affected, you can be too. For example, if the cloud service provider you rely on to host your website is attacked.
C. The different DDoS attack techniques
Certain terms are commonly associated with DDoS attacks, including “flood” (saturation), “amplification” and “reflection”. In fact, DDoS attacks can be of different types depending on the target. They can be based on the volume of requests (hence the term flooding), on a specific protocol or on an application weakness.
To saturate a machine with a DDoS attack emitted over the network, one can play on the volume of packets sent to the target machine as well as on the total bandwidth consumed: it all depends on the characteristics of the target. For example, a firewall will have limited bandwidth, but it will be able to handle a very high volume of packets per second. When targeting a website, one can hope to saturate the web servers at the CPU and RAM level, because some pages consume a lot of resources. This is called resource overload.
Here are some examples of DDoS attack techniques.
- UDP Flood
Since the UDP transport protocol, unlike TCP, does not require a connection to the remote host before sending data, data can be sent to a target machine on random ports. The system that receives the packets will try to process them and will return an error to the sender to indicate that the packet cannot be processed. Thus, if a very large number of packets of this type are sent to a machine, its resources can be saturated.
- Ping Flood
In a similar vein, Ping Flood attacks consist of flooding the target machine with modified ICMP “Echo Request” packets. The machine that receives this very high number of pings will have to answer each of them, because that is the very principle of ICMP echo, which will slow down or even block the machine, as it will not be able to manage such a large flow.
- Amplification attacks
Amplification attacks rely on specific protocols, because what matters is how the protocol operates. In some cases, such as NTP, which runs over UDP, the size of the responses generated by the protocol is much greater than the size of the requests (the monlist query in the case of NTP).
You have to imagine that the attacker, from his network of machines, solicits servers by sending small NTP requests. These requests are modified (spoofed), because the source IP address is not that of the attacker’s machine but the IP address of the target, i.e. the host to be hit by the DDoS attack. Thus, when the servers send their NTP responses (of a much larger size), it is the target server that receives them. Thanks to this amplification process, the volume of data destined for the target machine is multiplied, with the aim of leading to saturation.
Here I take the example of NTP, but the same applies to DNS, for example. As the ANSSI specifies in its guide: “An entity can be the victim of a volumetric DDoS attack exploiting a protocol although it does not expose a service based on this same protocol”.
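To make the distinction between the techniques above concrete from the defender’s side, here is an added example (not code from the original article) that runs flow-level indicators over constructed traffic records: it measures packets per second towards a protected host, flags a surge against a quiet baseline, counts distinct sources to separate a single-source DoS from a distributed flood, and recognises the reflection signature of UDP traffic arriving from a well-known service port such as NTP/123. The target address, the flow records, the list of reflection ports and the 5x surge factor are all assumptions made for the example.

```python
"""Added example: flow-level DDoS indicators over constructed sample records.

Field order of a record: (second, src_ip, dst_ip, proto, src_port, dst_port, size_bytes).
The records are constructed for this example, not captured traffic.
"""
from collections import Counter

# UDP source ports typically seen on reflected traffic: the reflector answers
# from its service port. Assumed list for this example.
REFLECTION_SRC_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

TARGET = "203.0.113.10"  # constructed: the web server being protected


def build_sample_flows():
    """Constructed traffic: 10 s of normal HTTPS, then a reflected NTP flood from second 5."""
    flows = []
    for second in range(10):
        # Normal: five clients, two TCP packets each per second to the web server.
        for client in range(1, 6):
            for _ in range(2):
                flows.append((second, f"10.0.0.{client}", TARGET, "tcp", 50000 + client, 443, 600))
        if second >= 5:
            # Flood: 40 reflectors answer from UDP/123 towards ports the target never queried.
            for reflector in range(1, 41):
                for _ in range(3):
                    flows.append((second, f"198.51.100.{reflector}", TARGET, "udp", 123, 40000 + reflector, 440))
    return flows


def packets_per_second(flows, dst=TARGET):
    """Inbound packet count per second towards dst."""
    pps = Counter()
    for second, _src, dst_ip, *_rest in flows:
        if dst_ip == dst:
            pps[second] += 1
    return dict(pps)


def detect_surge(flows, dst=TARGET, baseline_seconds=5, factor=5.0):
    """Return (seconds above factor x baseline, baseline pps).

    The baseline is the mean of the first `baseline_seconds` (assumed quiet);
    a real deployment would use a much longer history.
    """
    pps = packets_per_second(flows, dst)
    baseline = sum(pps.get(s, 0) for s in range(baseline_seconds)) / baseline_seconds
    threshold = baseline * factor
    return sorted(s for s, n in pps.items() if n > threshold), baseline


def characterise(flows, second, dst=TARGET):
    """Describe one second of traffic towards dst: volume, source count, reflection hints."""
    sources = set()
    proto_mix = Counter()
    reflected = Counter()
    total_bytes = 0
    for sec, src, dst_ip, proto, sport, _dport, size in flows:
        if sec != second or dst_ip != dst:
            continue
        sources.add(src)
        proto_mix[proto] += 1
        total_bytes += size
        if proto == "udp" and sport in REFLECTION_SRC_PORTS:
            reflected[REFLECTION_SRC_PORTS[sport]] += 1
    packets = sum(proto_mix.values())
    if len(sources) == 1:
        pattern = "single-source"      # the 1 vs 1 DoS duel
    elif len(sources) < 10:
        pattern = "few-sources"
    else:
        pattern = "distributed"        # many sources at once: the DDoS pattern
    return {
        "packets": packets,
        "bytes": total_bytes,
        "distinct_sources": len(sources),
        "pattern": pattern,
        "reflected_share": (sum(reflected.values()) / packets) if packets else 0.0,
        "reflected_services": dict(reflected),
    }


def amplification_factor(request_bytes, response_sizes):
    """Bytes delivered to the victim per byte the attacker had to send (reflection gain)."""
    return sum(response_sizes) / request_bytes


if __name__ == "__main__":
    flows = build_sample_flows()
    surge, baseline = detect_surge(flows)
    print(f"baseline {baseline:.0f} pps, surge at seconds {surge}")
    print(characterise(flows, surge[0]))
    print(f"reflection gain with constructed sizes: {amplification_factor(50, [440] * 5):.1f}x")
```

The reflection hint is only a hint: a host that genuinely runs an NTP client will see legitimate answers from UDP/123, so in practice the check is combined with the volume surge and with the fact that the destination ports were never the source of an outbound request.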
D. Protect against DDoS attacks
For a company, the unavailability of a service caused by a DDoS attack can have consequences on several levels. First, there will be costs associated with interventions to stop the attack, but there will also be full or partial unavailability on the affected services, which can lead to financial loss and reduced productivity. Therefore, one can ask a legitimate question: how to protect against DDoS attacks?
To fight against DDoS attacks, protection systems should be put in place, in particular to block malicious IP addresses (a system like CrowdSec can help you), but also to block malicious requests. It also involves monitoring to detect an abnormal flow, as well as redundancy and load balancing between multiple servers in order to be more resistant to these attacks. In addition, and in particular on Linux, it is advisable to configure the server to adapt its behavior when it receives too many requests on the network interface.
Also, if your online service relies on Cloudflare or Akamai, for example, be aware that these companies integrate DDoS protections to protect their customers on the one hand, but also to keep their own infrastructure operational. The French provider OVHcloud also integrates an anti-DDoS system into its hosting offers, for the same purpose. In fact, they make it possible to benefit from advanced network filtering, and since these solutions rely on very large infrastructures, they are capable of processing a very large volume of data.
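The two protection ideas above (blocking sources that send too much, and keeping the server from collapsing under aggregate load) can be shown together in one small model. The following is an added example, not from the article or from any of the products it names: a per-client token bucket drops a single source that floods, while a global requests-per-second guard sheds load once the origin’s assumed capacity is reached. The per-client rate (5 req/s, burst 10), the global capacity of 200 req/s and the two constructed request streams are assumptions for the example.

```python
"""Added example: per-source rate limiting (token bucket) plus an aggregate guard.

Requests are constructed (timestamp_seconds, client_ip) pairs; nothing here is from
the article. The figures are illustrative assumptions.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity
        self.updated = 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the bucket capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class EdgeFilter:
    """One bucket per client plus a global accepted-requests-per-second guard.

    per_client_rate / per_client_burst: what a single well-behaved client may send.
    global_capacity: requests per second the origin can actually serve (assumed).
    """

    def __init__(self, per_client_rate=5, per_client_burst=10, global_capacity=200):
        self.buckets = defaultdict(lambda: TokenBucket(per_client_rate, per_client_burst))
        self.global_capacity = global_capacity
        self.accepted_per_second = defaultdict(int)

    def handle(self, now, client):
        """Return 'allow', 'drop' (client over its own limit) or 'shed' (origin saturated)."""
        if not self.buckets[client].allow(now):
            return "drop"
        second = int(now)
        if self.accepted_per_second[second] >= self.global_capacity:
            return "shed"
        self.accepted_per_second[second] += 1
        return "allow"


def run_scenario(requests, **kwargs):
    """Feed (timestamp, client) requests through a fresh filter; return decision counts."""
    edge = EdgeFilter(**kwargs)
    counts = {"allow": 0, "drop": 0, "shed": 0}
    for now, client in sorted(requests):
        counts[edge.handle(now, client)] += 1
    return counts


def single_source_flood():
    """Constructed DoS: one client sends 1000 requests within one second."""
    return [(i / 1000, "10.0.0.99") for i in range(1000)]


def distributed_flood():
    """Constructed DDoS: 400 clients, each sending only two requests within one second."""
    requests = []
    for c in range(400):
        client = f"198.51.100.{c}"
        requests.append((c / 1000, client))
        requests.append((0.5 + c / 1000, client))
    return requests


if __name__ == "__main__":
    print("single source:", run_scenario(single_source_flood()))
    print("distributed:  ", run_scenario(distributed_flood()))
```

The second scenario is the whole point of the “distributed” in DDoS: every one of the 400 sources stays under its own limit, so per-source blocking drops nothing, and only the aggregate guard keeps the origin alive, at the price of also shedding legitimate users. That is why the article’s other measures (load balancing across several servers, and the very large filtering capacity of providers such as Cloudflare, Akamai or OVHcloud) complement per-source blocking rather than replace it.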
IV. Difference: DoS vs DDoS
If you’ve read the entire article, you already know the answer! A DoS attack uses a single connection, while a DDoS attack uses many different sources in order to have a much greater strike force. In both cases, it is a genuine trial of strength.
After reading this article, you know more about DoS and DDoS attacks, two concepts to know when working in IT. If you want to know more, I recommend reading this ANSSI guide: