DoS and DDoS Attack

DoS vs DDoS

DoS and DDoS attack. A denial of service (DoS) attack is basically a one-to-one attack carried out over a single internet connection: one system floods its target's server with packets in order to overload the target's bandwidth and resources. A DDoS (Distributed Denial of Service) attack, on the other hand, floods its target from many sources and many different IP addresses. According to Akamai's Prolexic Security Engineering and Research Team, the number of attacks occurring in today's world has increased four-fold and is still rising (Four-fold increase in DDoS attacks, 2014). According to survey statistics, of the people who accept that these attacks and their threats are real, only 22 percent accept that they themselves could be targeted by criminals through DDoS. Apart from this, any system or device, even one belonging to someone who stores nothing valuable on it, can become part of an attack by being turned into a bot. A bot is basically an internet robot that starts automated jobs over the internet through remote access. Fig 1.1 shows the attack breakdown on the basis of area of activity.

Fig 1.1. Attack breakdown by area of activity (figure not reproduced in this copy).

The growth in the number of computing devices is also increasing the probability of DDoS attacks. DDoS attacks basically generate huge traffic that exhausts system resources and bandwidth. There are various tools on the market for producing DDoS attacks, and one of them is LOIC (Low Orbit Ion Cannon), a famous tool because of its repeated use by the internet hacktivist group called Anonymous. They have used this tool on many targets, one of them under the famous title of Project Chanology, against the Church of Scientology, and another, Operation Payback, against companies that opposed WikiLeaks. Some countries have already taken action against people who used LOIC for attacks (LOIC attack).

Types of DDoS Attacks (Denial of Service Attacks)

1. Volume based attacks: These attacks use UDP and ICMP packet floods. Their main motive is to saturate the bandwidth of the target site, and they are measured in terms of Bps. In a UDP flood the attacker floods arbitrary ports on the victim's system with packets of this session-less networking protocol. This forces the system to check each time for an application listening on that port and, finding none, to reply with an ICMP destination unreachable packet. In the same way, the ICMP protocol can be used to flood the target system as a UDP flood does.

2. Application Layer attacks: These attacks exploit the vulnerabilities of particular software and applications such as web servers, and most of them involve HTTP requests. They are very rare compared to the other types because they depend on their victims' specific vulnerabilities. For example, in 2011 there was a huge disturbance because of a bug present in the Apache web server that could lead to memory overload.

3. Protocol attacks: The most popular type, accounting for 24 percent of all attacks. In this type the attacker uses the TCP handshake: he starts a session with a SYN packet, the receiver naturally replies with SYN/ACK, and the attacker then never completes the handshake, i.e. he does not send the final ACK back to the victim. Even cheap routers offer protection from SYN floods with a time-out option. Nevertheless, a normal router can quickly become overworked by these SYN packets, and enough SYN packets are sufficient to obstruct the victim's bandwidth. As discussed above for the first type, the attack sends so much unwanted traffic that it fills the whole bandwidth with junk, which forces the server offline.

In this attack, cybercriminals build their own botnets by sending malware to other people through emails, websites and software. With the help of these botnets they attack their targets, for example a bank website's login page, or the download of a PDF file such as an annual report: if the attacker directs thousands of systems to open and download the same file from the website, it creates a DDoS attack. The second type, which is most common, is the one related to applications. In this method the source system sends a server-based application command that tries to use all the resources and max out memory and processors. For example, if one types *.* into a search on a system, it will use all of the system's resources, including memory and CPU, to process the request (Crosman, 2013).

To detect an attack, it is very important to have an expert on top looking into it, because an automated system can only work up to some level. When people analyze the attack, they can determine the attack vectors easily. This is one reason for appointing an expert to analyze an attack; sometimes an automated system causes the same level of problem as the attack itself. To monitor the traffic, most firms have installed correlation and analytical technology in their infrastructure. Apart from this, experts always keep an eye on both sides of the network, i.e. inside the network, by viewing their appliances, and outside, through internet monitoring. With the help of this they find out any changes in response time and in the functioning of the site, and any site that may be scheduled for an attack (Mansfield-Devine, 2011).

There are various steps on the way to mitigating these attacks. The first step is to confirm that the system is in perfect order. It is proven that most victim firms have poorly configured IPS devices and firewalls, but these alone are not a sufficient solution to stop a DDoS attack. Sometimes having a huge amount of bandwidth helps a lot, but the amount of bandwidth needed to deal with an attack is really expensive and will only be used when an attack happens. The network operations centre has the authority to work with the ISP to monitor the traffic and then filter it. To make this more effective, they can build connections with other ISPs; all that is needed is coordination between the central routers around the globe. After this, use of a null route will help to stop the attack within two or at most three. In this case most of the traffic is similar but comes from different IP addresses, with the same structure, TCP header and sequence number, which makes it easy to identify this traffic and then block or redirect it.

There are some areas that need to be looked into in terms of prevention of a successful DDoS (McGregory, 2013).

Attack the victim: The best way to check the status and level of security is to attack the secured area; this way it is easy to measure the level of the mitigation measures. These attacks must be similar to a real attack, for example with help from professionals to create the same volume of attack.

Combine application load and attacks: This helps to understand the scenario in which the possibility of attack is high. Administrators can produce a large amount of traffic from real applications with the possibilities of unique protocols. There are many applications that generate DDoS attacks, such as Slowloris and Rudy. Slowloris opens a great many connections to a server and tries to keep them open for a long time. It uses the traditional method of sending HTTP requests to the target system, but all of the requests are incomplete (Slowloris|DDoS).

Test with application layer attacks: As discussed above, this kind of DDoS can target many applications with the sole aim of maxing out the CPU and memory limits of the servers. These attacks are more effective than TCP/UDP attacks and require very few network connections. Apart from this, these attacks are very hard to detect because of the small number of connections involved; they look like normal traffic.

Test with a big range of attacks: Implement a whole system that creates attacks and tests the infrastructure with them. To make the system as good as possible, there is always a need to measure the level of defense against new techniques. Some attacks that must be included in the library are:
- Slowloris attack
- DNS flood
- UDP flood
- IP fragment attack
- HTTP fragmentation attack
- TCP fragmentation flood
- VoIP flood
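The protocol-attack section above describes the half-open handshake, and the mitigation section notes that flood traffic tends to share one TCP header and sequence number across many source addresses. The following added example (not from the essay or any of its cited sources) applies both of those checks to constructed packet records: it measures how many sources never complete the handshake, and it groups SYNs by a (seq, ttl, window) fingerprint to find one header shape spread across many addresses, which is the traffic a network operations centre would block or send into a null route. All addresses and packet fields are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records (not captured traffic): (src_ip, tcp_flag, seq, ttl, window).
# Two ordinary clients complete the handshake; eight spoofed-looking sources each send
# one SYN with identical sequence number, TTL and window and never send the final ACK.
PACKETS = [
    ("10.0.0.5", "SYN", 1001, 64, 65535), ("10.0.0.5", "ACK", 1002, 64, 65535),
    ("10.0.0.9", "SYN", 2222, 128, 8192), ("10.0.0.9", "ACK", 2223, 128, 8192),
] + [(f"203.0.113.{i}", "SYN", 0, 255, 1024) for i in range(1, 9)]


def half_open_ratio(packets):
    """Share of sources that sent a SYN but never an ACK (handshake left half-open)."""
    syn_sources = {p[0] for p in packets if p[1] == "SYN"}
    ack_sources = {p[0] for p in packets if p[1] == "ACK"}
    if not syn_sources:
        return 0.0
    return len(syn_sources - ack_sources) / len(syn_sources)


def flood_fingerprints(packets, min_sources=5):
    """Group SYNs by (seq, ttl, window) and return fingerprints shared by many sources.

    Genuine clients pick their own initial sequence numbers, so one header fingerprint
    spread across many source addresses is the signature the essay describes."""
    sources_by_fp = defaultdict(set)
    for src, flag, seq, ttl, win in packets:
        if flag == "SYN":
            sources_by_fp[(seq, ttl, win)].add(src)
    return {fp: srcs for fp, srcs in sources_by_fp.items() if len(srcs) >= min_sources}


def filter_list(packets, min_sources=5):
    """Source addresses to block or redirect (e.g. into a null route) because their
    SYNs carry a flood fingerprint; sources with a normal handshake are left alone."""
    flagged = set()
    for srcs in flood_fingerprints(packets, min_sources).values():
        flagged |= srcs
    return sorted(flagged)


if __name__ == "__main__":
    print(f"half-open ratio: {half_open_ratio(PACKETS):.2f}")
    for fp, srcs in flood_fingerprints(PACKETS).items():
        print(f"fingerprint seq/ttl/win={fp} seen from {len(srcs)} sources")
    print("filter:", filter_list(PACKETS))
```

On real traffic the per-source counts would come from a packet capture or flow export, and the threshold `min_sources` would be tuned against the site's normal connection rate.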

Mitigation services are very well known for their DDoS mitigation. Nowadays the attack pattern has shifted from multinational companies to small and medium-sized businesses. Verisign is one of the services offered to large multinational corporations that were paying huge sums of money. In DDoS mitigation services, they analyze network behavior, which basically includes monitoring everything that helps to construct a behavioral pattern. The service uses a very large number of metrics to measure any out-of-character traffic. Once it finds something that needs to be stopped, it switches into a different mode that advances into mitigation. As we all know, DDoS mitigation services are very expensive, so it is very important to analyze the risk. This phase of finding out is very tricky, but it can be simple with a little research on past DDoS attacks. Actually, all types of organization see themselves as possible victims of a DDoS attack, but the probability is very high for e-commerce, financial services and online gambling. This is not a security problem but a matter of being reliable for business continuity.
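The behavioral analysis described above, as an added example that is not from the essay or from any vendor's service: a baseline of per-minute request counts is built from a warm-up window, each minute is compared against mean + k·stdev, and the detector switches from a monitoring mode into a mitigation mode, leaving it only after a short hold-down so a momentary dip in the attack does not flap the mode. The counts, the warm-up length, k and the hold value are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed per-minute request counts (not real telemetry): a quiet baseline,
# then a surge typical of volumetric traffic, then a return to normal.
MINUTE_COUNTS = [100, 104, 98, 102, 97, 101, 103, 99, 100, 102,
                 480, 530, 510, 101, 99]


def baseline(counts, warmup=10):
    """Mean and population standard deviation of the warm-up window ('normal' traffic)."""
    window = counts[:warmup]
    return mean(window), pstdev(window)


def classify(counts, warmup=10, k=4.0, hold=2):
    """Return the mode for each minute: 'monitoring' or 'mitigation'.

    A minute is out of character when it exceeds mean + k*stdev of the baseline.
    Mitigation mode is entered on the first such minute and left only after `hold`
    consecutive normal minutes, so the mode does not flap during a brief lull."""
    mu, sigma = baseline(counts, warmup)
    threshold = mu + k * sigma
    modes, mode, normal_run = [], "monitoring", 0
    for count in counts:
        if count > threshold:
            mode, normal_run = "mitigation", 0
        else:
            normal_run += 1
            if mode == "mitigation" and normal_run >= hold:
                mode = "monitoring"
        modes.append(mode)
    return modes


def first_alert(counts, **kwargs):
    """Index of the first minute that triggered mitigation, or None if none did."""
    modes = classify(counts, **kwargs)
    return modes.index("mitigation") if "mitigation" in modes else None


if __name__ == "__main__":
    for minute, (count, mode) in enumerate(zip(MINUTE_COUNTS, classify(MINUTE_COUNTS))):
        print(f"minute {minute:2d}: {count:4d} requests -> {mode}")
```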

References

Crosman, P. (2013). How to Block the DDoS Attack. American Banker.
Denial of Service Attacks. (n.d.). Retrieved from Incapsula: https://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html
Four-fold increase in DDoS attacks. (2014). Network Security, 2.
LOIC attack. (n.d.). Retrieved from Radware: http://security.radware.com/knowledge-center/DDoSPedia/loic-low-orbit-ion-cannon/
Mansfield-Devine, S. (2011). DDoS: threats and mitigation. Network Security, 5-12.
McGregory, S. (2013). Preparing for the next DDoS attack. Network Security, 5-6.
Slowloris|DDoS. (n.d.). Retrieved from Incapsula: https://www.incapsula.com/ddos/attack-glossary/slowloris.html