What is a DDoS Attack? Definition, Attack Types, and OSI Model
Understanding DDoS for mitigation. What does DDoS mean? This article explains its meaning, how it operates and its various types, and explores the relationship between the OSI model and DDoS. Learn about Layer 7 DDoS attacks in a clear and easily understandable manner.
What is DDoS? How Is It Different from DoS?
DoS Is a One-on-one Attack
A denial of service (DoS) attack is a one-on-one malicious attack whose purpose is to disrupt the operation and service availability of the target system. The attacker uses programs to generate large amounts of packets, traffic or requests that either overload the target system or prevent the target services from being available normally.
DDoS Is a Many-to-one Attack
As information technology and network services have advanced, denial of service (DoS) attacks from a single source can now be blocked by internet service providers (ISPs). This has led to the emergence of distributed denial of service (DDoS) attacks, in which multiple zombie machines (a botnet) attack a target system or server. The attackers aim to cripple or exhaust the functionality and resources of the target network or system using various attack techniques, disrupting the target system (a service, website or game). As a result, normal users are unable to use the system properly, impacting the operations of the target.
Common Reasons behind DDoS Attacks
The common reasons for DDoS attacks include business competition and data theft or ransom demands by hackers, such as Taiwan’s first case of a stock company being held for ransom in 2017, which affected nearly 20 billion TWD of stock trades. They may also be launched by political or religious fanatics, such as the DDoS attack on the website of the Labour Party of the United Kingdom, which lasted two days. Finally, they can be launched by any individual, such as a 16-year-old American high school student who launched 8 DDoS attacks just to get out of classes and was later arrested.
However, even as the attacks become more frequent and the attack traffic keeps growing, now reaching terabit-class volumes, ISPs do not usually go to the trouble of stopping these DDoS attacks. Normally, ISPs only provide internet connectivity, much as the government paves the road in front of your home: everyone can use the road to go past your home, and the government usually places few restrictions on road access. However, if a group of people surrounds your home and prevents you from entering and leaving freely, you seek help from the police, not from the contractor who paved the road. So, to defend against DDoS attacks, one must use DDoS mitigation services.
How does a DDoS attack work?
DDoS attacks can be categorized into three types, all aiming to disrupt the target’s services: volumetric attacks that flood the bandwidth, protocol attacks that exhaust system resources, and application-layer attacks that overload the server.
Imagine you have a small noodle stand. A volumetric attack is like having a sudden influx of customers all at once, crowding the entrance of your shop and blocking it. A protocol attack is when all the customers sit at their tables, trying to place orders simultaneously, overwhelming your limited staff. An application-layer attack is when multiple customers place orders, but each with complex customizations, causing the kitchen or staff to become overwhelmed and unable to handle the load.
【Bandwidth Exhaustion】Volumetric Attacks
Common types include ICMP flood attacks, UDP flood attacks and amplification attacks. Attackers use various methods to create large amounts of traffic that saturate the bandwidth of the victim system, so that packets from normal users cannot arrive or be transmitted. This type of attack is measured in bits per second (bps).
【Resource Exhaustion】Protocol Attacks
Common types include SYN flood attacks. Attackers create large numbers of malicious connection requests (at Layer 3 or Layer 4) to exhaust the CPU and memory resources of the victim’s network equipment (such as firewalls, load balancers and servers). These attacks are measured in packets per second (pps).
【Load Exhaustion】Application-layer Attacks
Common types include HTTP flood attacks, slow attacks and CC attacks. Attackers target the vulnerabilities and flaws of various applications and protocols with the intention of crashing the web servers. These attacks are measured in requests per second (rps).
Common Types of DDoS Attacks
The following is an introduction to some of the common DDoS attack types:
ICMP Flood Attack
In an ICMP flood attack, the attacker generates a large number of ICMP Echo Request packets to saturate the network bandwidth of the target system, so that normal users’ packets cannot reach their destination, degrading the user service experience.
For example, on the eve of a long weekend or on its first day, a sudden influx of vehicles causes a traffic jam, and people take longer than usual to reach their destinations.
UDP Flood Attack
Similar to an ICMP flood attack, the attacker creates large amounts of UDP packets to occupy the network bandwidth of the victim system, preventing packets from normal users from arriving and impacting the user’s service experience. When the victim’s server receives a UDP packet, it first checks whether a service is currently listening on the packet’s destination port. If so, the request is handled according to that service; if no service is listening, the server returns an ICMP Destination Unreachable message to the packet’s source, which is itself extra work for the server.
For example, imagine calling a company to speak with salesperson A. The call is initially answered by the receptionist, who needs to check the company directory for salesperson A’s extension number and whether the person is available. If salesperson A is not in the office, the receptionist has to pick up the call again and inform the caller that the salesperson is currently unavailable. If a large number of calls come in at the same time, the receptionist becomes overwhelmed and cannot handle them all.
Amplification Attack
The most common forms of amplification attack are DNS amplification and NTP amplification attacks, in which the attacker sends large numbers of small request packets, with the source IP forged to be the victim’s IP, to multiple DNS or NTP servers. After handling the requests, the DNS or NTP servers send their much larger response packets to the victim.
For example, when the media announces that fuel prices are about to increase, it leads to a rush of people at gas stations, causing congestion and preventing those who urgently need fuel from getting it.
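The defining signature of a reflected amplification attack, as described above, is that the victim receives large DNS or NTP responses for requests it never sent. The following is an added example, not code from the original article, showing how a defender can spot that from the victim's side: outbound queries are remembered by host, port, resolver and transaction id, and any inbound DNS response with no matching query is counted as reflected traffic. The packet records, the protected prefix 203.0.113.0/24 and the 64-byte query size used to estimate the amplification ratio are all constructed assumptions for this example.

```python
import ipaddress

# Assumed protected (victim) prefix; 203.0.113.0/24 is a documentation range chosen for this example.
PROTECTED_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample packet records, in arrival order:
# (direction, src_ip, src_port, dst_ip, dst_port, dns_txid, size_bytes)
# "out" = leaving the protected network, "in" = arriving at it.
SAMPLE_PACKETS = [
    # Legitimate: a host inside the network queries an external resolver and gets its answer back.
    ("out", "203.0.113.10", 53011, "198.51.100.5", 53, 0x1A2B, 64),
    ("in",  "198.51.100.5", 53, "203.0.113.10", 53011, 0x1A2B, 512),
    # Reflected: large DNS responses arriving for queries nobody inside ever sent.
    # The attacker spoofed 203.0.113.20 as the source when querying the open resolvers.
    ("in",  "198.51.100.7", 53, "203.0.113.20", 4444, 0x9999, 3000),
    ("in",  "198.51.100.8", 53, "203.0.113.20", 4444, 0x9998, 3000),
    ("in",  "198.51.100.9", 53, "203.0.113.20", 4444, 0x9997, 3000),
]


def find_reflected_responses(packets, protected_net=PROTECTED_NET):
    """Return inbound DNS responses that match no query sent from inside the protected network.

    A query is remembered by (our host, our port, resolver, transaction id); a legitimate
    response carries the same four values mirrored, so anything unmatched is unsolicited.
    """
    outstanding = set()
    reflected = []
    for direction, src, sport, dst, dport, txid, size in packets:
        if direction == "out" and ipaddress.ip_address(src) in protected_net and dport == 53:
            outstanding.add((src, sport, dst, txid))
        elif direction == "in" and ipaddress.ip_address(dst) in protected_net and sport == 53:
            key = (dst, dport, src, txid)
            if key in outstanding:
                outstanding.discard(key)  # answer to a real query; one response per query
            else:
                reflected.append({"reflector": src, "victim": dst, "bytes": size})
    return reflected


def reflection_summary(reflected, assumed_query_bytes=64):
    """Aggregate unsolicited responses per victim and estimate the amplification obtained.

    assumed_query_bytes is a labelled assumption: the size of the small spoofed request that
    triggered each large response (the victim never sees those requests, only the replies).
    """
    summary = {}
    for r in reflected:
        entry = summary.setdefault(r["victim"], {"responses": 0, "bytes": 0, "reflectors": set()})
        entry["responses"] += 1
        entry["bytes"] += r["bytes"]
        entry["reflectors"].add(r["reflector"])
    for entry in summary.values():
        sent_by_attacker = entry["responses"] * assumed_query_bytes
        entry["amplification"] = entry["bytes"] / sent_by_attacker
    return summary


if __name__ == "__main__":
    hits = find_reflected_responses(SAMPLE_PACKETS)
    for victim, s in reflection_summary(hits).items():
        print(f"{victim}: {s['responses']} unsolicited responses, {s['bytes']} bytes "
              f"from {len(s['reflectors'])} reflectors, ~{s['amplification']:.1f}x amplification")
```

Run as a script, the example reports three unsolicited responses totalling 9000 bytes for 203.0.113.20 and an estimated amplification of about 47x. In production the same bookkeeping is what a stateful firewall does for UDP: responses that match no outbound state can be rate-limited or dropped at the edge, while real answers still pass.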
SYN Flood Attack
A SYN flood attack is when an attacker exploits the TCP three-way handshake by sending a large number of SYN requests with spoofed source IP addresses. The server responds with SYN/ACK packets and waits for an ACK reply from the client. That ACK never arrives, so the server keeps each half-open SYN request until it times out, occupying server resources. Sometimes the SYN flood is also used as a volumetric attack that saturates the victim’s network bandwidth, since SYN packets are less likely to be blocked by security measures.
For example, when calling a customer service center and hearing that all service representatives are busy, it means that all the lines are occupied, and new incoming calls cannot be processed.
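The handshake picture described above can be reconstructed from packet events, which is how a monitoring system tells a SYN flood apart from a genuine rush of new connections. This is an added example, not code from the original article: it replays constructed TCP events (one completed handshake plus 200 SYNs from spoofed 192.0.2.x addresses against an assumed server 203.0.113.5:443), counts the entries still half-open, and measures what fraction of handshakes ever completed. The backlog limit of 128 and the 50% completion threshold are illustrative assumptions.

```python
def build_sample_events():
    """Constructed packet events: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags).

    Flags are abbreviated: "S" = SYN, "SA" = SYN/ACK, "A" = the client's final ACK.
    203.0.113.5:443 is the assumed victim server; 192.0.2.x are the spoofed sources.
    """
    events = [
        # One legitimate handshake that completes normally.
        (0.00, "198.51.100.10", 40001, "203.0.113.5", 443, "S"),
        (0.01, "203.0.113.5", 443, "198.51.100.10", 40001, "SA"),
        (0.02, "198.51.100.10", 40001, "203.0.113.5", 443, "A"),
    ]
    # 200 SYNs from spoofed addresses: the server answers each with SYN/ACK, but the spoofed
    # hosts never sent the SYN, so no ACK ever comes back and every entry stays half-open.
    for i in range(200):
        src, sport, t = f"192.0.2.{i % 254 + 1}", 1000 + i, 1.0 + i * 0.001
        events.append((t, src, sport, "203.0.113.5", 443, "S"))
        events.append((t + 0.0005, "203.0.113.5", 443, src, sport, "SA"))
    return events


def handshake_state(events):
    """Replay events and return (half_open, completed).

    half_open maps a client-side 4-tuple to the time the server sent SYN/ACK (the moment
    it allocated backlog state); completed maps finished handshakes to their duration.
    """
    syn_seen, half_open, completed = {}, {}, {}
    for t, src, sport, dst, dport, flags in sorted(events):
        key = (src, sport, dst, dport)  # always from the sender's point of view
        if flags == "S":
            syn_seen[key] = t
        elif flags == "SA":
            client_key = (dst, dport, src, sport)  # mirror back to the client's 4-tuple
            if client_key in syn_seen:
                half_open[client_key] = t
        elif flags == "A" and key in half_open:
            half_open.pop(key)
            completed[key] = t - syn_seen.get(key, t)
    return half_open, completed


def syn_flood_indicators(events, now, backlog_limit=128, min_completion=0.5):
    """Summarize the handshake picture at time `now` and decide whether it looks like a SYN flood.

    Two signals are combined: the number of half-open entries against an assumed backlog
    limit, and the fraction of handshakes that completed (floods leave almost none completed).
    """
    half_open, completed = handshake_state(events)
    total = len(half_open) + len(completed)
    completion = len(completed) / total if total else 1.0
    oldest_wait = max((now - t for t in half_open.values()), default=0.0)
    return {
        "half_open": len(half_open),
        "completed": len(completed),
        "completion_ratio": completion,
        "oldest_half_open_age_s": oldest_wait,
        "syn_flood": len(half_open) > backlog_limit and completion < min_completion,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(build_sample_events(), now=5.0))
```

The completion ratio is the more robust of the two signals: a busy but healthy server also has many half-open entries for a few milliseconds each, yet nearly all of them complete, whereas in the constructed flood only 1 of 201 does. The standard server-side mitigation for this condition is SYN cookies, which let the server answer SYN/ACK without keeping per-connection state until the ACK arrives.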
HTTP Flood Attack
The attacker creates large amounts of HTTP requests and sends them to the victim’s server. These are usually HTTP GET or HTTP POST requests: GET is used to request standard static content, such as an image, while POST is used to access dynamically generated resources. The server therefore consumes large quantities of system resources to handle these requests and sends large amounts of traffic back to the clients, sharply increasing bandwidth usage, which also makes this a type of volumetric attack.
For example, a car rental company encounters multiple customers who all want to rent a vehicle and leave at the same time. The staff are busy confirming the rental agreements, checking the vehicles’ condition and processing customer information. Only after everything checks out can the customers drive their vehicles away; however, since the rental company’s driveway only lets one vehicle leave at a time, service congestion occurs.
Slow Attack
A slow attack is when an attacker exploits weaknesses in the communication protocol and sets up multiple slow connections with the victim’s servers, intentionally prolonging the response time so that the server’s connections stay occupied, which eventually exhausts the victim’s system resources.
It’s like going to a convenience store to buy something and asking the cashier to issue a separate receipt for each item or counting out coins one by one before paying. This consumes the cashier’s time, preventing them from serving other customers.
Challenge Collapsar Attack (CC Attack)
A CC attack mainly targets web applications: the attacker generates a large number of disguised access requests that consume the resources of the target system. When a website is flooded with a high volume of connections at once, the result is slow page loading or even the website crashing.
It’s similar to logging into the course selection system during college or trying to grab concert tickets. When the login opens at a specific time, a massive influx of connections occurs, causing the web pages to keep loading or the website to crash.
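The three application-layer patterns above (HTTP flood, slow attack and CC attack) show up in different places on the server: floods and CC attacks as an abnormal per-client request rate in the access log, slow attacks as connections that stay open without ever delivering a complete request. The following is an added example, not code from the original article, that checks for both against constructed data: a sliding-window request counter over a sample access log, and a scan of a sample connection table for sockets that have exceeded a header timeout. The client addresses, the 10-second/50-request window and the 30-second header timeout are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample access log: (time_s, client_ip, method, path). Five ordinary visitors
# make three requests each; one client (192.0.2.99) fires 120 POSTs at a search endpoint
# within five seconds, the request-rate pattern of an HTTP flood / CC attack.
REQUEST_LOG = (
    [(10.0 * i + 0.5 * j, f"198.51.100.{i}", "GET", "/index.html")
     for i in range(1, 6) for j in range(3)]
    + [(50.0 + 5.0 * k / 120, "192.0.2.99", "POST", "/search") for k in range(120)]
)

# Constructed snapshot of open connections at time NOW:
# (client_ip, opened_at_s, request_header_bytes_so_far, headers_complete).
NOW = 300.0
CONNECTIONS = [
    ("198.51.100.1", 298.0, 412, True),   # normal: headers arrived, request being served
    ("198.51.100.2", 299.5, 0, False),    # just connected, nothing suspicious yet
    ("192.0.2.50", 60.0, 23, False),      # open for 240 s, has dribbled 23 header bytes
    ("192.0.2.51", 75.0, 19, False),
    ("192.0.2.52", 90.0, 31, False),
]


def flooding_clients(log, window_s=10.0, max_requests=50):
    """Return client IPs that exceed max_requests within any sliding window of window_s seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _method, _path in sorted(log):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged


def slow_connections(conns, now, header_timeout_s=30.0):
    """Return clients whose connections stayed open past header_timeout_s without completing headers.

    A slow attack keeps connections alive by sending a few header bytes at a time, so the
    server never sees a complete request and never frees the worker holding the socket.
    """
    return [ip for ip, opened, _nbytes, complete in conns
            if not complete and now - opened > header_timeout_s]


if __name__ == "__main__":
    print("flooding:", sorted(flooding_clients(REQUEST_LOG)))
    print("slow:", slow_connections(CONNECTIONS, NOW))
```

On the constructed data the rate check flags only 192.0.2.99 and the timeout check returns the three 192.0.2.5x connections. Both checks map directly onto standard web-server settings: per-client rate limits for the former, and a request-header timeout (such as Apache's mod_reqtimeout or nginx's client_header_timeout) for the latter, which closes a connection that has not delivered complete headers in time.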