ping of death Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/ping-of-death/
Articles about DNS Hosting and Cloud Technologies

DDoS attacks and how to protect ourselves
https://www.cloudns.net/blog/ddos-attack-protection/
Wed, 06 Nov 2024 11:23:59 +0000

DDoS Attacks are widespread threats on the Internet. With the continually increasing numbers of connected devices and new innovative ways of hacking them, we can’t just stay and wait to get affected. We should smartly implement a robust DNS infrastructure and choose a trusted DNS provider, that offers DDoS attack protection, to be safe and to evade the downtime of our services.
But to be protected, we must know the danger!

What is a DDoS attack?

DDoS attack stands for Distributed Denial-of-Service attack and represents a cyber-attack that aims to disrupt normal traffic and make the target (website, server, network) unavailable for regular users. There are a few different types, but in general, a DDoS attack is an attempt to overwhelm the target (a computer, a few connected computers or a whole DNS network) with high traffic from multiple sources.

The cybercriminals can generate this strong wave of traffic by:

  • Using a network of pre-infected devices (computers, mobiles, IoT devices, etc.) called a botnet
  • Amplification attacks, which use other servers to resend the traffic to a target after significantly increasing the size of the packets
  • Occupying the existing connections and not allowing new ones
  • Exploiting vulnerabilities of a protocol, such as UDP or another.

There are many DDoS threats, which is why you also want a DDoS defense. DDoS attack protection can keep your business safe and notify you of problems.

How does it work?

There are different types of DDoS attacks (volume-based attacks, protocol-based attacks, and application-layer attacks), but in general, they all have the same stages:

  1. Preparation of the attack. At this stage, the cybercriminals build a botnet (a network of infected devices) that they will later use for attacks. For example, hackers can bypass the security of IoT devices, or they can send phishing emails to users; when the users open the emails, their devices get infected with malicious code.
  2. Launching the attack. Now it is time to use the botnet: a victim is chosen, and traffic is sent towards the targeted server. The reasons for an attack vary, but the goal is to saturate the target with traffic and take it out of service.
  3. The success of the attack. After a while, if the target has no DDoS attack protection, or the protection is not strong enough, it will eventually be unable to function correctly. There is a limit to how many active connections a server can handle, even a very powerful one. It will start to deny service and stop working. Normal users will not be able to use the server until the traffic drops again and the server can resume responding to normal queries.
  4. Final result. The bad actors may have achieved different goals, and now they get their reward. It could be money or just the satisfaction of a successful attack.

Signs of DDoS attacks 

DDoS attacks are extremely harmful and can lead to large reputational and financial losses. That is why it is crucial to stay alert and watch for early signs of an incoming attack. Each DDoS attack type has its specific characteristics, but in general, what you can expect during an attack is:

  • Strange traffic coming from one IP address, or from various but similar IP addresses (the same address range).
  • Traffic coming from devices with a similar profile (type of device, OS, etc.) and the same patterns.
  • Out-of-the-ordinary traffic spikes, such as a huge spike in the middle of the night with no explanation, or traffic that repeats at a particular interval.
  • Traffic only to a single page, with no further exploration of your website.
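A screening pass that checks a slice of web-server log lines for the four signs above, added here as an example (it is not ClouDNS code and not part of the original post). The log lines are constructed, and the thresholds (an 80% share, ten times a baseline of 2 requests per second) are assumptions to tune against your own traffic.

```python
"""Screen web-server log lines for the DDoS warning signs the article lists.

Added example, not ClouDNS code. It flags (1) traffic concentrated in one IP
or one /24, (2) one device profile (User-Agent), (3) a burst far above a
baseline rate, and (4) requests hitting a single page. The log lines are
constructed; the thresholds are assumptions to tune against your baseline.
"""
import re
from collections import Counter
from ipaddress import ip_network

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    """Return (ip, second, path, user_agent) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    second = m["ts"].split(" ")[0]          # drop the timezone: one key per second
    return m["ip"], second, m["path"], m["ua"]


def screen(lines, baseline_rps=2.0, spike_factor=10, share=0.8):
    """Return a list of the warning signs present in the log slice."""
    rows = [r for r in map(parse_line, lines) if r]
    if not rows:
        return []
    total = len(rows)
    findings = []

    # Sign 1: one IP address, or several similar ones (same /24 range)
    ip, n = Counter(r[0] for r in rows).most_common(1)[0]
    if n / total >= share:
        findings.append(f"single source {ip} sent {n}/{total} requests")
    else:
        nets = Counter(str(ip_network(f"{r[0]}/24", strict=False)) for r in rows)
        net, n = nets.most_common(1)[0]
        if n / total >= share:
            findings.append(f"similar sources in {net} sent {n}/{total} requests")

    # Sign 2: same device profile (here approximated by the User-Agent string)
    ua, n = Counter(r[3] for r in rows).most_common(1)[0]
    if n / total >= share:
        findings.append(f"{n}/{total} requests share one User-Agent: {ua}")

    # Sign 3: an out-of-the-ordinary spike against the usual request rate
    second, n = Counter(r[1] for r in rows).most_common(1)[0]
    if n >= spike_factor * baseline_rps:
        findings.append(f"spike of {n} req/s at {second} (baseline {baseline_rps:g} req/s)")

    # Sign 4: traffic only to a single page, no further browsing
    path, n = Counter(r[2] for r in rows).most_common(1)[0]
    if n / total >= share:
        findings.append(f"{n}/{total} requests hit the single page {path}")
    return findings


def constructed_log(burst=40):
    """Constructed sample: a few normal visits plus a night-time burst from one /24."""
    normal = [
        '203.0.113.7 - - [06/Nov/2024:09:15:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"',
        '203.0.113.7 - - [06/Nov/2024:09:15:09 +0000] "GET /pricing HTTP/1.1" 200 3311 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"',
        '198.51.100.23 - - [06/Nov/2024:09:15:40 +0000] "GET /blog HTTP/1.1" 200 8802 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
    ]
    attack = [
        f'192.0.2.{i % 250 + 1} - - [06/Nov/2024:03:12:00 +0000] "GET /login HTTP/1.1" 503 0 "-" "python-requests/2.31"'
        for i in range(burst)
    ]
    return normal + attack


if __name__ == "__main__":
    for finding in screen(constructed_log()):
        print(finding)
```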

DDoS vs. DoS 

Let’s first briefly define a Denial of Service (DoS) attack. In this type of online attack, a source is maliciously infected in order to send large amounts of traffic to a target. The purpose is to saturate the system and make it crash, either by exhausting its technical resources (CPU, RAM, etc.) or by exploiting a specific vulnerability with crafted, harmful input. Service to users is then denied.


Now, let’s jump to the differences between DDoS vs. DoS attacks:

  • Attack sources. In DoS attacks, the perpetrator needs only one Internet-connected device (source) to flood the victim with lots of forged requests or to exploit a specific vulnerability within its software. DDoS attacks are executed from multiple sources: thousands, even millions of devices connected to the Internet.
  • Way of execution. Generally, DoS weapons are apps like Low Orbit Ion Cannon or homemade scripts. DDoS perpetrators use botnet armies: massive groups of malware-infected devices such as PCs, routers, mobiles, and Internet of Things (IoT) devices. The traffic a DDoS attack can produce is much heavier than what a DoS attack can.
  • Damage scope. Both attacks can be very aggressive. Still, modern technology makes it easier to defend against and even track down the malicious source of a DoS attack, increasing the chances of identifying and defeating it; it is a one-to-one fight. During a DDoS attack, you are fighting against multiple devices, possibly located in different countries or continents, and you would have to track and stop all of them simultaneously. This is more like a war, and it demands far more time and resources from the victim to defend against and try to stop the attack. Thus, the damage scope of a DDoS attack is wider than that of a DoS attack.

DDoS attack protection

There is a solution that can stop most of the DDoS attacks, even a strong attack involving heavy traffic, called DDoS Protection. It is an additional service to a regular managed DNS plan. 

To successfully mitigate a DDoS attack, you need to have the following 3 elements:

  1. Active monitoring. You need a monitoring system that checks for signs of attacks, such as increased traffic, suspicious traffic from particular IP addresses, and strange request patterns.
  2. Reactive service. One thing is to see the danger; another is to take action. A good DDoS protection service must have automatic triggers that take action. This may include load balancing, traffic filtering, and an alarm system.
  3. Traffic load balancing. When we talk about heavy traffic, you need to direct it to more servers. That way, the hit is spread across several servers instead of landing on one. The more DNS servers your plan includes, the better your chances of resisting the DDoS attack.

You need an intelligent DDoS attack protection service that can distinguish between heavy traffic caused by a successful promotion and a real threat. You don’t want to block your real users at any moment.


What is the motivation of DDoS attackers?

Cybercriminals can have multiple reasons to use a DDoS attack, and the most common are:

  • Extortion. The attackers send waves of traffic towards the target and disturb the functionality of its services, causing technical problems, downtime, and lost sales, and then demand money to stop the DDoS attack.
  • DDoS-for-hire to attack the competition. On the Dark Web, people can hire hackers for DDoS attacks. Some people pay for such an attack to be directed at their competitors. It is especially popular during important sales moments like Christmas, Black Friday, Cyber Monday, or Easter promotions. If the competitor is down, it won’t receive visitors on its site, and they will go elsewhere. The one who paid for the attack hopes that some of these visitors end up on its site.
  • Cyberwarfare. The governments of some countries use DDoS attacks to target the opposition’s news sites, their communication, or other crucial services. The goal is to control the narrative and not allow free speech in their country. These attacks can be especially strong because countries have a lot of money to sponsor them.
  • Gamers’ conflicts. You may be surprised, but the gaming industry has already reached almost 200 billion dollars in revenue per year, so the stakes are high. Rival gamers use DDoS attacks to bother their competitors and try to lower their scores. Sometimes, they use DDoS to stop a competitive game they are losing and demand a rematch.
  • Hacktivism. Hackers also have opinions. They might have a problem with a government, a particular organization or an event. Modern activism has many new ways to protest and express a point, and these include cyberattacks.

Types of DDoS attacks

Over time, cyber criminals managed to create multiple technical approaches for taking out their victims through DDoS. Each of the techniques falls into one of the three general types of DDoS attacks, which are the following: 

Volume-Based or Volumetric Attacks

These are the most classic type of DDoS attack. They use various methods to generate massive volumes of traffic that overwhelm the capacity of the victim’s resources: servers are flooded with requests, networks with traffic, and databases with calls. By saturating the available bandwidth, they make it impossible for legitimate user traffic to reach the targeted website.

Protocol Attacks

Protocol attacks, also known as state-exhaustion attacks, abuse protocols to overwhelm a particular resource, most commonly a server but occasionally firewalls or load balancers. They are designed in a way that allows them to consume the processing capacity of network infrastructure resources. Their target is usually Layer 3 and Layer 4 protocol communications and, more precisely, their weaknesses. These attacks are often measured in packets per second.

Application-Layer Attacks

These DDoS attacks target weaknesses in applications in order to force the application itself to fail. In contrast to other attacks that mainly concentrate on disrupting infrastructure, these attacks operate on Layer 7 (the Application layer) by opening connections and starting processes and transaction requests that consume limited resources, such as disk space and available memory. This can also result in overloaded CPUs or exhausted memory, which impacts the server and other applications. Layer 7 attacks are known to be difficult to prevent, since it can be challenging to distinguish malicious traffic from regular traffic. Application DDoS attacks are usually measured in requests per second.

In real-world cases, criminals can actually use a combination of these types of DDoS in order to increase the intensity of the attack.

Popular DDoS attacks used by hackers

Let’s talk a little bit more about the most popular types of DDoS attacks initiated by cybercriminals!

Smurf Attack

The Smurf attack is performed with the ping tool (ICMP echo request). The ping tool is used to check the reachability of connected devices: when you send a ping request to a destination address, you should receive a confirmation. In this DDoS attack, the ping is sent to a device with a masked (spoofed) source IP address. The return confirmation does not go back to the original source but is redirected to the target of the attack. All the infected devices do the same, and together they send the traffic to the victim.

Teardrop Attack

A Teardrop attack works by sending modified, oversized data packets to the victim’s device to make it inaccessible. Frequently, perpetrators use a specific bug to destabilize the fragmentation or reassembly code of the TCP/IP stack, which opens the door for the teardrop attack.
The maliciously modified data packets cannot be reassembled, which produces repeated attempts to complete the task, and the constant cycle of these repetitions causes the packets to overlap. Finally, to increase the strain, heavy traffic loads are sent to the target for a definitive crash.

Ping Of Death

The Ping of Death (PoD) attack uses a common and legitimate tool with malicious objectives: the ping command. Altered or oversized data packets are sent to the target through the ping command.
Consider that a correct IPv4 data packet (IP header included) must not exceed 65,535 bytes. This is the limit set by the Internet Protocol (IP). Perpetrators violate it and make the target struggle while repeatedly trying to reassemble the altered packets. The target’s resources, such as memory, will be exhausted, causing various problems, crashes included.
PoD became popular because attackers don’t need deep knowledge about their victim, only its IP address.

Slowloris

A highly dangerous attack executed from a single computer against a server. It is a sophisticated technique that takes down a server without disrupting the rest of the network’s ports and services. Slowloris operates by sending many partial requests to the server. It keeps sending more and more HTTP headers continuously but never completes those requests. These forged requests keep many connections open to the server for longer than usual in order to overwhelm the maximum concurrent connection pool. As a result, the system slows down, and additional connections from legitimate users are denied.
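The failure mode above, as an added example (not ClouDNS code and not part of the original post): a server that only enforces a per-read idle timeout never drops a Slowloris client that sends one header line just under that timeout, while a deadline on the whole header block does. A client is modelled as a list of (delay in seconds, bytes) chunks so the logic runs offline; the 10-second limits and 8 KiB header cap are assumptions.

```python
"""Why a per-read idle timeout does not stop Slowloris, and what does.

Added example, not ClouDNS code. A real server reads from a socket; here a
client is modelled as a list of (delay_seconds, bytes) chunks so the two
policies can be compared offline. Limits are assumptions.
"""
HEADER_DEADLINE = 10.0   # seconds allowed to deliver the whole header block
IDLE_TIMEOUT = 10.0      # seconds allowed between two reads
MAX_HEADER_BYTES = 8192  # cap so a client cannot grow the buffer forever
END_OF_HEADERS = b"\r\n\r\n"


def idle_timeout_only(chunks, idle=IDLE_TIMEOUT):
    """Naive policy: drop the client only when a single gap exceeds `idle`.

    Slowloris sends each header line just under the gap, so this never fires
    and the connection slot stays occupied as long as the client likes.
    """
    buf = b""
    for delay, data in chunks:
        if delay > idle:
            return "timeout"
        buf += data
        if END_OF_HEADERS in buf:
            return "ok"
    return "held_open"   # headers never completed; the slot is still taken


def read_request_head(chunks, deadline=HEADER_DEADLINE, limit=MAX_HEADER_BYTES):
    """Hardened policy: the full header block must arrive within `deadline`.

    Returns ("ok", head_bytes), ("timeout", None) or ("too_large", None).
    """
    buf = b""
    clock = 0.0
    for delay, data in chunks:
        clock += delay
        if clock > deadline:
            return "timeout", None          # total time budget exhausted
        buf += data
        if len(buf) > limit:
            return "too_large", None        # absurdly long header block
        end = buf.find(END_OF_HEADERS)
        if end != -1:
            return "ok", buf[:end + len(END_OF_HEADERS)]
    return "timeout", None                  # client stopped before the blank line


def slowloris_client():
    """Constructed: one bogus header line every 9 s, never the terminating blank line."""
    first = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")]
    drip = [(9.0, f"X-a: {i}\r\n".encode()) for i in range(20)]
    return first + drip


def normal_client():
    """Constructed: a browser that finishes its request head within a fraction of a second."""
    return [(0.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
            (0.2, b"Accept: */*\r\n\r\n")]


if __name__ == "__main__":
    print("idle timeout only, slowloris:", idle_timeout_only(slowloris_client()))
    print("header deadline, slowloris:  ", read_request_head(slowloris_client())[0])
    print("header deadline, normal:     ", read_request_head(normal_client())[0])
```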

Zero-day DDoS attack

A Zero-day, also called a zero-minute attack, is one that takes advantage of new vulnerabilities that people are not yet aware of. Usually, those vulnerabilities appear in new updates or patches, but they can also exist from the moment the software is launched. The name of the attack refers to the fact that it happens before the vulnerability the perpetrators used is publicly known.

This attack can have a positive purpose when software companies pay people in exchange for reporting vulnerabilities of new products before their official release. But it also points to the reality that attacks are far from disappearing.

Preparing a DDoS attack

To launch a DDoS attack, first, the criminals need to “recruit” enough connected devices that later will generate the traffic. To do so, they infect those machines with different malicious software (from emails, visiting unprotected sites and more) and create so-called botnets – hijacked devices ready to be used when it is time for the attack. There are even markets for botnets, where you can buy an attack on a website of your choice.

The consequences of a DDoS attack

Experiencing such a harmful threat is highly unpleasant and can have a huge negative impact. Some of the possible outcomes of a successful attack include:

  • Operational Disruption: One of the immediate consequences of a successful DDoS attack is the disruption of normal operations. Websites become sluggish or entirely inaccessible, leading to frustrated users, decreased productivity, and financial losses. E-commerce platforms, financial institutions, and online services are especially vulnerable, as downtime translates directly into revenue loss and damage to customer trust.
  • Financial Loss: DDoS attacks can cause severe financial harm. Businesses may face not only the direct costs of mitigating the attack and restoring services but also indirect costs associated with reputational damage and lost customers. The financial damage can lead to legal consequences, especially if sensitive client information is compromised during the attack.
  • Reputational Damage: Trust is a delicate matter in the digital space, and a DDoS attack can destroy it instantly. When customers cannot access services or experience disruptions, they may lose confidence in the affected organization and its ability to protect their interests. Rebuilding a reputation can be a long and difficult process.

How long does a DDoS attack last?

The duration of a DDoS attack can vary significantly based on the resources available to the attackers and the defensive measures of the target. DDoS attacks can last from a few minutes to several weeks. On average, however, most DDoS attacks last for around 24 hours, though some intense attacks can go on for days or even weeks.

Short-duration attacks can be a part of a coordinated strategy where attackers test a target’s vulnerabilities with brief bursts, estimating the response and preparedness of the target’s systems. These “hit-and-run” style attacks can cause considerable disruption in a short time, particularly if they target time-sensitive operations like financial transactions or sales events.

Prolonged DDoS attacks typically aim to exhaust the target’s resources or force them to pay a ransom in exchange for stopping the attack. Long-term attacks can be devastating as they may prevent an organization from functioning entirely, leading to major operational and financial issues.

Preparedness and robust DDoS protection are essential to mitigate the effects of both short and prolonged attacks.

Which industries are being targeted and why?

Certain industries are more frequently targeted by DDoS attacks due to their high online activity, competitive nature, and dependence on continuous uptime. Here are some of the industries most affected and why they are popular targets:

  • Financial Services and Banking: Financial institutions are high-value targets due to their critical role in managing and securing funds and customer data. Attackers may aim to disrupt operations, damage reputation, or extort these institutions for ransom. A successful attack on a bank can lead to significant financial loss, operational chaos, and damage to customer trust.
  • E-commerce and Retail: Online retail is another major target, especially during peak shopping seasons like Black Friday and holidays. Attacks during these times can severely impact sales revenue, as website downtime directly translates to lost customers and sales.
  • Government and Public Sector: Government websites, especially those related to public communication, law enforcement, and emergency services, are frequent targets. These attacks may be politically motivated, intending to disrupt public access to information. Governments are also targeted to disrupt official communication channels.
  • Gaming and Entertainment: The gaming industry is particularly vulnerable, as users expect real-time access and responsiveness. Gamers often participate in competitive or time-sensitive events where even short downtimes can lead to significant frustration and financial loss for companies. DDoS attacks are frequently employed to disrupt gaming servers.
  • Media and News Websites: News outlets and media websites are also prime targets. Hacktivists may use DDoS attacks to silence certain news outlets or delay the publication of specific content. Attacks on these sites can reduce public access to information, potentially affecting the narrative on important topics.

How to prevent a DDoS attack and stay safe?

The cyber-criminals can build a vast network of botnets, but that doesn’t mean you can’t be protected. ClouDNS provides you with two options to stay away from DDoS troubles.

You can choose and subscribe to a DDoS protected DNS.

All plans provide unlimited Layer 3-7 DDoS Protection. Whichever you pick from them, you will be able to use 4 DDoS protected DNS servers, 50+ Anycast locations and unlimited DNS queries. For big companies, we recommend our DDoS Protection L subscription with 400 DNS zones that you can manage.


Or you can use a Secondary DNS as a backup DNS, so you always have a backup copy of your DNS records.

It adds resilience and reduces outage periods by answering requests even if the Master is down.

Conclusion

The more extensive your DNS network is, the better. The massive traffic from the attackers can be distributed between your servers in the different locations, and it will ease the load. Don’t forget that modern DDoS attacks target different communication layers, so you will need intelligent DDoS protection to respond fast and accurately. 

To be safe, always choose a quality DNS service provider like ClouDNS.

Ping of Death (PoD) – What is it, and how does it work?
https://www.cloudns.net/blog/ping-of-death-pod-what-is-it-and-how-does-it-work/
Tue, 05 Dec 2023 09:34:00 +0000

Ping of Death sounds pretty scary, and it can bring down your server and keep it down for an extended period of time using a simple tool like the ping command. But, as with all cyber threats, the best defense is to be familiar with it. So, in today’s article, we will explain in detail what Ping of Death is, how it works, and ways to prevent and stop it. Without any further ado, let’s start!

Historical evolution of the Ping of Death attack

The Ping of Death (PoD) attack has a rich history. In the early days of the internet, networks and devices were less sophisticated and more susceptible to various forms of cyber attacks, including the Ping of Death. The original PoD attack involved sending malformed or oversized packets using the ICMP protocol, which could crash systems or cause network interruptions. This vulnerability was particularly prevalent in older operating systems that didn’t properly handle these packets.

Over time, as operating systems and network hardware became more advanced, they were patched to resist these types of attacks. This led to the evolution of PoD tactics, with attackers finding new methods to exploit different vulnerabilities within network protocols and systems.

What is Ping of Death (PoD)?

Ping of Death (PoD) is a popular type of DoS (Denial of Service) attack. The cybercriminal who initiates it aims to destabilize or completely crash the victim’s device, server, or service. To achieve that, the attacker sends malformed or oversized packets with the help of the ping command. The moment the victim’s system processes the data packet, it runs into an error that forces it to crash.

The concept of the Ping of Death (PoD) attack is commonly compared to a mail bomb: if the recipient opens the package, a mechanism is triggered, and the target is attacked or completely destroyed.

On the other hand, the ping command, from which the attack gets its name, is a popular tool for testing the reachability of a network. The command is based on the Internet Control Message Protocol (ICMP), which is used to convey status information on the Internet.

Ping of Death attacks can occur on both patched and unpatched systems that still carry legacy weaknesses. The cybercriminal does not even need any additional details about the target’s device or its operating system (OS). The only required information is the IP address, nothing else.

So, now that you are familiar with what a Ping of Death attack is, it is time to dive a little bit deeper and explain how it actually works.

How does it work?

To enable a Ping of Death attack, criminals use the ping command to send oversized data packets to their target to destabilize or crash it. 

An Internet Control Message Protocol (ICMP) echo-request message, also known as “ping”, is sent by a network utility that tests a network connection. The utility sends out pings and waits for an ICMP echo reply, which carries information about the state of the path to the remote host. Receiving the reply means the connection is working.

In order to launch a Ping of Death attack, attackers create an ICMP packet that’s larger than allowed. The packet is separated into smaller pieces for transportation. When the receiver puts them back together, the maximum allowed size is exceeded. That leads to an overflow in the memory buffer, forcing the system to crash.

To bring it all together, the maximum packet size for IPv4 is 65,535 bytes, while a normal ping packet is only 84 bytes in total. Thus, in order to launch a PoD attack, cybercriminals send ping packets bigger than 110k to the victim’s device.


Attackers can also perform this DoS attack over the User Datagram Protocol (UDP), Internetwork Packet Exchange (IPX), and Transmission Control Protocol (TCP). Anything that sends an Internet Protocol datagram can be put into action.

Here’s what a Ping of Death looks like on Windows and Linux:

Ping of Death Windows:

ping <ip address> -l 65500 -w 1 -n 1

Ping of Death Linux:

ping <ip address> -s 65500 -W 1 -c 1

Does the Ping of Death still work?

The Ping of Death (PoD) is actually quite an old attack that first occurred back in the mid-1990s. Since then, the majority of devices and computers have been protected against these types of attacks. Additionally, a lot of websites keep blocking ICMP ping messages in order to stop and avoid future variations of this DoS attack.

Yet, an organization’s defenses can be weakened by malicious content on any computer, server, or network and still be vulnerable to the threat. A system is exposed to this attack if any of the following are unpatched:

  • Vulnerable legacy equipment
  • The TCPIP.sys kernel driver
  • Windows XP and Windows Server 2013 copies on systems already vulnerable to a weakness in OpenType fonts

Recent Ping of Death attacks

Let’s explain a little bit more about some of the recent appearances of the Ping of Death attack.

  • PoD attacks officially made their return in August 2013 by threatening Internet Protocol version 6 (IPv6) networks. The attacker took advantage of a weakness in the soon-to-be-discontinued Windows XP and Windows Server 2013 operating systems, more precisely in OpenType fonts. A flaw in the IPv6 implementation of ICMP allowed the attacker to send massive ping requests that crashed the victim when it reassembled the packets. This particular threat could have been avoided simply by disabling IPv6.
  • In October 2020, a flaw was found in the Windows component TCPIP.sys, a kernel driver that would give an attacker access to the core of any Windows system if used to their advantage. The result would be a hard crash and total shutdown of the device, followed by a reboot. Yet, it was rather complicated for cybercriminals to actually use this vulnerability, and users started patching their devices in order to prevent the threat.

The Ping of Death seems like a simple and small-scale attack, and that makes it an efficient weapon against particular machines. Yet, we should not underestimate it! If a group of devices comes together, there is a great chance that a handful of them will bring down a website that does not have the suitable infrastructure to deal with this threat. These examples from the past indeed show that Ping of Death could still appear. Therefore, it is highly recommended that organizations take the needed measures to protect themselves.

Preventing measures against PoD attack

There are several ways you can prevent, stop and protect yourself from a Ping of Death (PoD) attack. Most of them are easy and simple to implement. Let’s see which they are and how they can help you avoid Ping of Death.

  • Configure your firewall to block ICMP ping messages. This will protect your network from the PoD threat, yet it will also stop legitimate pings. Additionally, invalid packet attacks can be launched through other listening ports, such as FTP (File Transfer Protocol). So, it is not an ideal solution.
  • Monitoring with ICMP ping. If you don’t like the idea of completely blocking ICMP ping messages, ping monitoring, which is part of the ClouDNS Monitoring service, would be your preferred solution. It spots network problems quickly and helps you improve your overall security.
  • Implement DDoS protection. A DDoS protection service gives you a strong layer of network security against DDoS attacks and Ping of Death attacks.
  • Update your software regularly. When a flaw appears, patches are commonly released shortly after. It is important to apply them and keep your device safe.
  • Implement a buffer. Improve your capability to accept large packets with an overflow buffer.
  • Filter your traffic. You can stop just fragmented pings from reaching any device in the network. That will allow you to use the ping command’s utility without being at risk of an attack.
  • Enable a checker in the assembly process. If it detects oversized data, it will stop the abnormal packets and prevent crashing.

How to block Ping requests using iptables?

To block ping requests coming to and from your server using iptables, follow these instructions:

First, to reject incoming ping requests, execute the following command:

$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

This will lead to an error message being displayed for each blocked ping. If you prefer to silently drop these requests without generating error messages, use the following commands instead:

$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

$ sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

The first command silently blocks incoming ping requests, while the second one prevents sending out ping replies from your server.

Implementing network protocols against PoD attack

In the previous section, we examined the most popular ways to safeguard against Ping of Death attacks. Now, let’s delve into how network protocol-level measures can further fortify your defenses:

  • Deep Packet Inspection (DPI): This technique goes beyond basic header analysis to examine the actual data content of packets. DPI can identify, categorize, and block packets that exhibit patterns typical of PoD attacks, such as unusual fragmentation or payload anomalies.
  • Intrusion Detection Systems (IDS): An IDS can be configured to recognize signatures or patterns of PoD attacks. By monitoring network traffic in real time, it can alert administrators and automatically take action against suspicious packets.
  • Protocol Anomaly Detection: This method analyzes the behavior of protocols like ICMP, TCP, and UDP against established norms. Any deviation from these norms, such as fragmented ICMP packets that could signal a PoD attack, can be flagged for further inspection or blocked.
  • Stateful Packet Inspection (SPI): Unlike stateless firewalls that only examine packet headers, SPI firewalls track the state of active connections and make decisions based on the context of the traffic. This approach can effectively block the malformed packets characteristic of PoD attacks.

Conclusion

You may think that Ping of Death is outdated and has no chance in modern networks. The truth is that this threat should not be neglected. It may find its way in and crash your system. Therefore, it is best to take all of the measures above in order to prevent and stop such malicious attacks.
