Distributed Denial of Service (DDoS) attack

A DDoS attack is a commonly used approach to paralyze Internet systems and make them unavailable to their intended users by overwhelming servers, network links, and network devices (routers, firewalls, etc.) with bogus traffic until they overload and cease to function.

If an attacker mounts an attack from a single host, it is classified as a Denial of Service (DoS) attack. If an attacker uses many systems to launch attacks simultaneously against a remote host, it is classified as a DDoS attack. Multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one, and the behavior of each attack machine may differ, making them harder to track and shut down. In fact, anyone can rent a group of computers (a botnet) for a huge DDoS attack, and the DDoS client tools that send the attack traffic are also readily available on the Internet.

Some of the common attack types of DDoS include:

Bandwidth Attacks – Network equipment that is already heavily taxed with production traffic is vulnerable to even minimal increases in traffic, which cause availability disruptions. In a bandwidth attack, the amount of traffic to a site is so great that the site cannot respond to legitimate traffic, or responds so slowly that it is rendered essentially unavailable. While this is most often junk traffic, such as a SYN flood or other invalid IP-based attacks, increasingly the traffic appears to be legitimate. SYN floods may arrive with a wide range of source IP addresses, giving the appearance of a well-distributed DDoS. These flood attacks do not require completion of the TCP three-way handshake; they attempt to exhaust the destination's SYN queue or the server's bandwidth. To make detection even more difficult, such attacks may also spoof the source address so that every SYN appears to come from a different address, preventing identification. Because source IP addresses can be trivially spoofed, an attack that looks widely distributed could come from a limited set of sources, or may even originate from a single host.
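The SYN-queue symptom described above, as an added detection example that is not part of the original post: it summarises a constructed TCP connection table (modelled on `ss -tan` output, with documentation-range addresses) and decides whether the half-open backlog looks like a flood. Because sources may be spoofed, the trigger is the aggregate backlog against completed handshakes, not any per-source count; the thresholds are illustrative assumptions.

```python
from collections import Counter

# Constructed sample rows of a TCP connection table (state, source address),
# in the spirit of `ss -tan` output; addresses come from documentation ranges.
NORMAL_TABLE = (
    [("ESTABLISHED", f"203.0.113.{i}") for i in range(1, 21)]
    + [("SYN_RECV", "203.0.113.5"), ("SYN_RECV", "203.0.113.9")]
)
# Flood sample: a large half-open backlog, every entry from a different
# (apparently spoofed) source, next to a handful of real sessions.
FLOOD_TABLE = (
    [("ESTABLISHED", f"203.0.113.{i}") for i in range(1, 6)]
    + [("SYN_RECV", f"198.51.100.{i}") for i in range(1, 201)]
)


def half_open_stats(table):
    """Summarise the SYN queue: how many half-open entries and how spread out."""
    half_open = [src for state, src in table if state == "SYN_RECV"]
    established = sum(1 for state, _ in table if state == "ESTABLISHED")
    by_src = Counter(half_open)
    top_share = by_src.most_common(1)[0][1] / len(half_open) if half_open else 0.0
    return {
        "half_open": len(half_open),
        "established": established,
        "distinct_sources": len(by_src),
        "top_source_share": top_share,
    }


def syn_flood_verdict(table, max_half_open=50, min_ratio=3.0):
    """Return (is_flood, reason). Thresholds are illustrative assumptions.

    Per-source counting is deliberately not the trigger: with spoofed sources
    every SYN looks different, so the check is the aggregate half-open backlog
    against completed handshakes. Source spread is reported only as context.
    """
    s = half_open_stats(table)
    ratio = s["half_open"] / max(s["established"], 1)
    if s["half_open"] < max_half_open or ratio < min_ratio:
        return False, "SYN backlog within normal bounds"
    if s["top_source_share"] > 0.5:
        spread = "concentrated in one source"
    else:
        spread = "widely distributed across sources (possibly spoofed)"
    return True, (f"{s['half_open']} half-open vs {s['established']} "
                  f"established from {s['distinct_sources']} sources; {spread}")
```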

Application Attacks – These DDoS attacks use the expected behavior of protocols such as TCP and HTTP to the attacker's advantage by tying up computational resources and preventing them from processing transactions or requests. For example, on a site that uses standard caching in the database, it is very easy to cause the cache system to write huge numbers of cache entries that are duplicates of cached pages or other cache objects, rapidly filling disk space.

What makes DDoS attacks so difficult to prevent is that illegitimate packets are indistinguishable from legitimate packets, which makes detection difficult: the typical "signature" pattern matching performed by an Intrusion Detection System (IDS) does not work. Many of these attacks also use spoofed source IP addresses, thereby evading anomaly-based monitoring tools that look for unusually high volumes of traffic coming from specific origins. On top of these issues, current anomaly-based detection systems are unable to detect all kinds of new attacks, because they are designed for restricted applications in limited environments. Signature-based DDoS detection systems likewise cannot detect new attacks.

Because of the essential commercial value delivered by corporate web sites and the revenue impact (and equally the loss of customer loyalty and goodwill) of a period offline, it is crucial to have protection against DDoS and other malicious approaches that can take a web platform offline. Mitigation techniques for DDoS attacks typically involve a combination of attack detection, traffic classification and response tools, aiming to block traffic identified as illegitimate and allow traffic identified as legitimate. Network prevention and response tools fall into two primary categories: an IP scrubber, and a web application filter or firewall that addresses fundamental network security challenges such as zoning and traffic inspection. At the provider level, attacks can be mitigated by passing attack traffic through IP scrubbing devices, or by employing more basic ACLs (Access Control Lists) if the attacking source IP addresses are few. At the application level, certain measures can also be implemented. For example, preventing the cache index in the database from growing excessively is not too difficult: set a maximum size for the cache and clear out the "least-used" values when it is full.
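The cache-filling application attack described earlier and the bounded, least-used eviction fix suggested just above, as an added example that is not code from the original post: a cache with a hard entry limit that evicts the least-used entry when full, plus a small simulation in which an attacker keeps requesting unique URLs while real pages stay hot. The eviction policy (use counts, oldest first on ties) and the sizes are assumptions for illustration.

```python
from collections import OrderedDict

class BoundedCache:
    """Hard entry limit; when full, the least-used entry is evicted.
    Assumed design (not from the post): each entry carries a use count;
    eviction removes the fewest-used entry, oldest first on ties."""

    def __init__(self, max_entries):
        if max_entries < 1:
            raise ValueError("max_entries must be >= 1")
        self.max_entries = max_entries
        self._entries = OrderedDict()  # key -> [value, use_count]
        self.evictions = 0

    def get(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return None
        entry[1] += 1  # a read counts as a use
        return entry[0]

    def put(self, key, value):
        if key in self._entries:
            self._entries[key][0] = value
            return
        if len(self._entries) >= self.max_entries:
            # min() over insertion order picks the oldest among equal counts
            victim = min(self._entries, key=lambda k: self._entries[k][1])
            del self._entries[victim]
            self.evictions += 1
        self._entries[key] = [value, 0]

    def __len__(self):
        return len(self._entries)

def simulate_cache_flood(max_entries=100, bogus_requests=10_000):
    """Hot pages are read repeatedly while an attacker keeps requesting
    unique URLs. Returns (final_size, hot_pages_still_cached, evictions)."""
    cache = BoundedCache(max_entries)
    hot = [f"/page/{i}" for i in range(10)]
    for p in hot:
        cache.put(p, "rendered " + p)
    for n in range(bogus_requests):
        cache.put(f"/search?q=junk{n}", "rendered junk")  # never read again
        for p in hot:
            cache.get(p)
    hot_kept = sum(1 for p in hot if cache.get(p) is not None)
    return len(cache), hot_kept, cache.evictions
```

The simulation shows the property that matters: ten thousand bogus entries never push the cache past its limit, and the pages that are actually read survive the churn.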

The next level of mitigation entails equipment that can recognize and reject the problematic HTTP requests or, in the case of a bandwidth attack, dynamically scale out your presence to serve legitimate traffic requests for the duration of the attack.

A new type of solution, proposed by a number of vendors such as Cisco Systems, complements existing security solutions such as firewalls and IDSs by not only detecting the most sophisticated DDoS attacks but also blocking increasingly complex and difficult-to-detect attack traffic without impacting legitimate business transactions. Such an approach demands more granular inspection and analysis of attack traffic than today's solutions can provide.

A company that does not have the resources to tackle DDoS may do well to have its websites hosted by a service provider that offers this protection. A number of news and political websites have now shifted their servers to the US-based CloudFlare, which offers protection against DDoS attacks.

Understanding the basic concept of DDoS is important for every system engineer. We are going to see more and more DDoS attacks in cyberspace. In fact, taking up the challenge of DDoS is getting more and more interesting nowadays!
