18
Dec

Types of DDoS Attacks and Their Prevention and Mitigation Strategy

DDoS stands for Distributed Denial of Service. DDoS is a serious threat to businesses and organizations as it can be quite disruptive. According to the Verisign Distributed Denial of Service Trends Report, DDoS activity picked up the pace by 85% in each of the last two years with 32% of those attacks in 2015 targeting software-as-service, IT services, and cloud computing companies.

So what are DDoS attacks capable of? They take websites and servers down by either bombarding them with a request that looks valid but isn’t or floods the site with data. DDoS attacks are concentrated and automated attempts for overloading a target network with a huge amount of requests that make it useless. Hackers do it by launching a series of data packets at a very fast speed to the target computer system until it begins to lag or completely reach its downtime.

Why and How DDoS Attacks are Launched?

There are various reasons as to why DDoS attacks are launched. The online gaming industry has been a victim of DDoS attacks for a long time. There are DDoS for hire-services too that attack the rival’s website in an attempt to bring it down. Sometimes, there is a political agenda behind these attacks an example of which is Georgia and Estonia that were targeted in 2007. A traffic overload brought all the government and media sites down by Russian nationalists to express their displeasure over the relocation of a Soviet war monument. Georgian websites suffered DDoS attacks in 2008 prior to the Russian invasion of South Ossetia.

Cybercriminals have started using DDoS attacks as a disguise to draw the attention of a business away from more important security breaches. DDoS is used as a bluff to target another vulnerability. So in such an attack, multiple seemingly different attacks are launched by the adversary on the target. Hackers have turned it into a sophisticated diversionary attack to disguise other attacks. Mostly, financial services companies that handle a vast amount of data are susceptible to such attacks. Phishing attacks have been directed at IT administrators in lots of European banks lately.  Malware is launched to penetrate the system of the banks and steal their login credentials. As soon as the criminals access the login details, they launch DDoS attacks against the bank and keep them busy dealing with the DDoS attack. This buys them time to clone private data and steal money.

That’s not the only way cybercriminals launch DDoS attacks. Home routers, IP cameras and other IoT devices infected with malware are being used to launch DDoS attacks too. Attackers have started doing the same with Android devices. They use malicious apps hosted on Google Play and other third-party app stores for this purpose.

A security team from RiskIQ, Team Cymru, Cloudflare, Akamai, and Flashpoint carried out a joint investigation and found a large botnet built of more than 100,000 Android devices located in over 100 countries. [1] The investigation took place because of massive DDoS attacks that hit various content delivery networks and providers. The particular Android botnet (WireX) was used to send tens of thousands of HTTP requests. These requests seemed like they came from legitimate browsers.

Usually, the goal behind launching such attacks is to flood servers with bogus traffic and use their available internet Android, RAM or CPU so that they can no longer serve requests from users. There could be some other motive behind it too. As the infected applications request the device administrator permissions during installation, they allow them to launch a background service and participate in the DDoS attacks even if these apps themselves aren’t actively used or when the device is locked.

DDoS are mass-scale attacks and their victims are mostly giant corporate organizations and even the governments of various states. However, there are consumer-level products available, too, that can pretty much replicate what hackers can do but on a smaller or individual scale. Spying apps, including Xnspy, TrackmyFone, etc. are some of the names that resonate with anything remotely resembling mobile hacking or mobile spying. These when secretively installed on a phone can allow a third-person to remotely access to everything stored on the device. It’s not comparable to a DDoS attack but rather the malware that’s been used to launch a DDoS attack.

Types of DDoS Attacks

Listed below are the main forms of DoS and DDoS attacks:

1. Volume-based

A volume-based attack involves a huge number of requests sent to the target system. The system thinks of these requests as valid (spoofed packets) or invalid request (malformed packets). Hackers carry out volume attack with the intention of overwhelming the network capacity.

These requests could be across a variety of ports on your system. One of the methods hackers use is the UDP amplification attacks in which they send a request for data to a third-party server. And as a result, they spoof your server’s IP address as the return address. The third-party server then sends massive amounts of data to the server in response.

This way, a hacker needs only the dispatch requests but your servers suffer an attack with the amplified data from third-party servers. This form of attack could involve tens, hundreds or even thousands of systems in this form of attack.

2. Application-Based

In this form of attack, hackers use vulnerabilities in the web server software or application software that leads the web server to hang or crash. A common type of application-based attack involves sending partial requests to a server in an attempt to make the entire database connection pool of the server busy so that it blocks the legitimate requests.

3. Protocol-Based

These attacks are targeted on servers or load balancers which exploit the methods systems use for communicating with each other. It is possible that packets are designed to make servers wait for a non-existent response during a regular handshake protocol like an SYN flood.

Prevention of DDoS Attacks and Mitigation Strategies:

Here are some of the best practices to avoid DDoS attacks and mitigation strategies

Purchase more Bandwidth

The first step you have to take, for the prevention of a DDoS attack and make your infrastructure DDoS resistant, is to make sure that you have sufficient bandwidth to handle any spikes in traffic that could be caused due to malicious activity.

It was possible to avoid DDoS attacks in the past by making sure that you had more bandwidth at your disposal compared to any attacker. With the advent of amplification attacks though, this is no longer practical. Having more bandwidth actually raises the bar which the attackers have to overcome before launching a successful DDoS attack. It is a safety measure, but not a DDoS attack solution.

Network Hardware Configuration against DDoS attacks

Some really simple hardware configuration changes could help you with preventing a DDoS attack. For instance, if you configure your router or firewall to drop DNS responses from outside your network or drop incoming ICMP packets, this could help you to an extent in preventing certain DNS and ping-based volumetric attacks.

Protect DNS Servers

Attackers can bring down your website and web servers offline by attacking your DNS servers. So, make sure that your DNS servers have redundancy. DNS is like a phone book for the internet. It matches the website name of the user seeking for the correct IP address. There are more than 300 million domain names keeping millions of internet users around the world connected. The internet wouldn’t really work without it. That’s why it is a critical target for attackers. The DDoS attack on your DNS infrastructure could render your application or website to be completely unreachable. So, network operators need to adequately defend their DNS infrastructure to protect it from DDoS attacks.

Other than this, spread your servers across various multiple data centers if you want to give the attackers a really hard time successfully launching a DDoS attack against your servers. You can make these data centers in different countries or at least in different regions of the same country. If you want this strategy to turn out well, it is necessary that all the data centers are connected to different networks, and no network bottlenecks exist or single points of failure on these networks. When you distribute your servers geographically as well as topographically, it makes it hard for an attacker to successfully attack more than a part of your servers. Also, it would leave other servers unaffected and enable them to bear some of the extra traffic the affected servers would handle normally.

Transparent Mitigation

Hackers could be launching the DDos to make your users lose access to your site. When your site is under attack, you must use a mitigation technology to enable people to continue using it without making it unavailable and without making them see splash screens and outdated cached content. Once the hacker sees that you are not being affected by the attack and your users are still able to access the site, he might stop and not return.

Anti-DDoS hardware and software modules

Along with having your server protected by network firewalls and other specialized web application firewalls, you must use load balancers. You can also add software modules to another web server software for DDoS prevention. For instance, the Apache 2.2.15 ships with a mod_reqtimeout that protects you against the application-layer attacks like Slowloris. They keep the connections to a web server open as long as possible by sending out partial requests till the server is rendered unable to accept any request for new connections.

You could also use hardware modules that come with software protection against DDoS protocol attacks such as the SYN flood attack. This could be done by monitoring how many incomplete connections exist and then you can flush them as the number reaches a configurable threshold value.

What to do During a DDoS Attack?

To ensure that your website or application is ready within a short notice of coming under attack, you have to work on an active mitigation strategy. Here is a course of action you can follow:

  • Have a backup static “temporarily unavailable” website on a separate reputable host provider. Make sure they provide their own DDoS mitigation services.
  • Redirect your store DNS to a temporary site and work with your staff, stakeholders, and partners to determine how to deal with the vulnerable servers. This will help you keep a veil from your customers and they won’t be able to figure out your website is under duress.

Educating yourself and understanding the tactics these hackers use can assist you in identifying and assessing how you can optimize your efforts and measures against them.


Sources
1. https://www.forbes.com/sites/lconstantin/2017/08/28/hackers-use-thousands-of-infected-android-devices-in-ddos-attacks/#44c135a55228


About the Author:

Jennifer Steve is a freelance journalist and a cybersecurity expert. Jennifer has a degree in computer science. She has a vast knowledge of hacker culture and computer security.

  • 76
    Shares
  • 76
    Shares
write-for-ec-council
Write for Us