What is a DDoS attack?

DDoS attack stands for Distributed Denial-of-Service attack and represents a cyber-attack that aims to disrupt normal traffic and make the target (website, server, network) unavailable for regular users. There are few different types, but in general, a DDoS attack is an attempt to overwhelm the target (a computer, few connected computers or a whole DNS network) with high traffic from multiple sources.

The cybercriminals can generate this strong wave of traffic by:

• Using a network of pre-infected devices (computers, mobiles, IoT devices, etc.)  called a botnet
• Amplify attack that uses other servers to resend the traffic to a target after significantly increasing the size of the packets
• Occupy the existing connection and not allow new ones
• Exploit the vulnerabilities of a protocol, such as the UDP or another. 

There are many DDoS threats, this is why you want to a DDoS defense too. DDoS attack protection could keep your business safe and notify you of problems.

How does it work?

There are different types of DDoS attacks (volume-based attacks, protocol-based attacks, and application-layer attacks), but in general, they all have the same stages:

1. Pre-production of the attack. At this moment, the cybercriminals will create a network of botnets (infected devices) that later they will use for attacks. For example, hackers can bypass the security of IoT devices, or they can send phishing emails to users, and when the users open the emails, they can get infected with malicious code. 
2. Launching of the attack. Now it is time to use the botnet. Time for choosing a victim and sending the traffic towards the targeted server. There are different reasons for the attacks, but the goal is to saturate the target with traffic and take it out of service. 
3. The success of the attack. After a while, if the target does not have DDoS attack protection, or it is not strong enough, eventually it won’t be able to function correctly. There is a limit to how many active connections a server can have, even if it is very powerful. It will start to deny service and stop working. Normal users will not be able to use the server until the traffic drops again and the server can begin responding to normal queries. 
4. Final result. The bad actors could have achieved different goals, and now they get their reward. It could be money or just satisfaction with the success of the attack.

Signs of DDoS attacks 

DDoS attacks are extremely harmful and could lead to large reputational and financial losses. That is why it is crucial to be mindful and observe for any early signs of an appearing attack. There are specific characteristics of each DDoS attack type, but in general, what you can expect during an attack is: 

• Strange traffic, coming from one IP address or various but similar IP addresses (same range of addresses). 
• Traffic coming from devices with a similar profile (the type of devices, OS, etc.) and same patterns. 
• Out-of-ordinary traffic spikes like a huge spike, in the middle of the night without any sense or repeatable traffic, with a particular interval. 
• Traffic only to a single page, and no further exploration of your website.  

DDoS vs. DoS 

Let’s first briefly define a Denial of Service (DoS) attack. In this type of online attack, a source is maliciously infected in order to send big amounts of traffic to a target. The purpose is to saturate the system, to make it crash by exhausting its technical resources (CPU, RAM, etc.), or by exploiting a specific vulnerability and injecting a proper, harmful input. Then the service for users will be denied.

Now, let’s jump to the differences between DDoS vs. DoS attacks:

• Sources for attacking. In DoS attacks, the perpetrator only needs one Internet-connected device (source) to flood its victim with lots of forged requests or exploit a specific vulnerability within its software. DDoS attacks are executed from multiple sources, thousands, even millions of devices connected to the Internet.
• Way of execution. Generally, DoS weapons are apps like Low Orbit Ion Cannon or homemade codes. DDoS perpetrators use botnet armies, massive groups of malware-infected devices like PCs, routers, mobiles, Internet of Things (IoT) connected to the Internet. The traffic a DDoS attack can produce is heavy, much bigger than a DoS attack can.
• Damage scope. Both attacks can be very aggressive. But still, modern technology makes it easier to defend and even track the malicious source of a DoS attack, increasing the chances of identifying it and defeating it. It becomes a one-to-one fight (DoS). During a DDoS attack, you are fighting against multiple devices, possibly located in different countries or continents. You would have to track and stop all of them simultaneously. This is more like a war, and it definitely will demand so much more time and resources for the victim to defend and try stopping the attack. Thus, the damage scope of a DDoS is wider than the DoS one.

DDoS attacks Protection

There is a solution that can stop most of the DDoS attacks, even a strong attack involving heavy traffic, called DDoS Protection. It is an additional service to a regular managed DNS plan. 

To successfully mitigate a DDoS attack, you need to have the following 3 elements:

1. Active monitoring. You need a Monitoring solution system that checks for signs of attacks like increased traffic, suspicious traffic from particular IP addresses, and strange patterns of requests. 
2. Reactive service. One thing is to see the danger. Another is to take action. Good DDoS protection service must have auto triggers that will take action. This may include load balancing, traffic filtering, and an alarm system. 
3. Traffic load balancing. When we talk about heavy traffic, you need to direct the traffic to more servers. That way, you will balance the hit on one and disperse it to more. The more DNS servers your plan includes, the better possibility you have to resist the DDoS attack. 

You need to have an intelligent DDoS attack protection service that can distinguish between heavy traffic because of your excellent promotion or real danger. You don’t want to block your real users at any moment.

Discover Web monitoring from CloUDNS

What is the motivation of DDoS attackers?

Cybercriminals can have multiple reasons to use a DDoS attack, and the most common are:

• Extortion. The attacks can send waves of traffic towards the target and disturb the functionality of its services, causing technical problems, downtime, and miss of sales, demanding money for stopping the DDoS attack.
• DDoS-for-hire to attack the competition. On the Dark Web, people can hire hackers for DDoS attacks. Some people pay for such an attack to be directed towards their competitors. It is especially popular during important sales moments like Christmas, Black Friday, Cyber Monday, or Easter promotions. If the competitor is down, it won’t receive visitors on its site, and they will go to another place. The one who paid the attack hopes a part of these visitors directs to its site.
• Cyberwarfare. The governments of some countries use DDoS attacks to target the opposition’s news sites, their communication, or other crucial services. The goal is to control the narrative and not allow free speech in their country. These attacks could be especially strong because countries have a lot of money for sponsoring them.
• Gamers’ conflicts. You could be surprised, but the gaming industry has already reached almost 200 billion dollars in revenues per year, so the stakes are high. Rival gamers use DDoS attacks to bother their competitors and try to lower their scores. Sometimes, they use DDoS to stop a competition game they are losing and demand a re-match.
• Hacktivism. Hackers also have an opinion. They might have a problem with the government, with a particular organization or event. Modern activism has many new ways to protest and express a point that includes cyberattacks.

Types of DDoS attacks

Over time, cyber criminals managed to create multiple technical approaches for taking out their victims through DDoS. Each of the techniques falls into one of the three general types of DDoS attacks, which are the following: 

Volume-Based or Volumetric Attacks

These are the most classic type of DDoS attacks. They use different methods for generating massive volumes of traffic to overwhelm the capacity of the victim’s resources. As a result, servers are overwhelmed with requests, networks are overwhelmed with traffic, and databases are overwhelmed with calls. Additionally, they saturate bandwidth and produce large traffic, which results in it being impossible for legitimate user traffic to flow into the targeted website.

Protocol Attacks

Protocol attacks, also known as state-exhaustion attacks, abuse protocols to overwhelm a particular resource, most commonly a server but occasionally firewalls or load balancers. They are designed in a way that allows them to consume the processing capacity of network infrastructure resources. Their target is usually Layer 3 and Layer 4 protocol communications and, more precisely, their weaknesses. These attacks are often measured in packets per second.

Application-Layer Attacks

These DDoS attacks target weaknesses in applications in order to force the application itself to fail. In contrast to other attacks that mainly concentrate on disrupting infrastructure, these attacks are initiated on Layer 7 (the Application layer) by opening connections and starting processes and transaction requests that consume limited resources, such as disk space and available memory. Yet, it can even result in overloaded CPUs or exhausted memory, which impacts the server and other applications. Layer 7 attacks are well-known that are difficult to prevent since it can be challenging to distinguish malicious traffic from regular traffic. Application DDoS attacks are usually measured in requests per second.

In real-world cases, criminals can actually use a combination of these types of DDoS in order to increase the intensity of the attack.

Popular DDoS attacks used by hackers

Let’s talk a little bit more about the most popular types of DDoS attacks initiated by cybercriminals!

Smurf Attack

The Smurf attack is performed over the ping tool (ICMP echo request). The ping tool is used to check the reachability of connected devices.  When you send a ping request to the destination address, you should receive a confirmation. In this DDoS attack, the ping is sent to a device but from a masked IP. The return confirmation doesn’t go to the original source, but it is redirected to the target of the attack. All the infected devices will do the same, and they will send the traffic to the victim.

Teardrop Attack

A Teardrop attack works by sending modified, oversized data packets to the victim’s device to make them inaccessible. Frequently, perpetrators use a specific bug for destabilizing the fragmentation codes or the reassembly feature of the TCP/IP protocol. This opens the door for the teardrop attack to happen.
Reassembling the maliciously modified data packets won’t be possible. This will produce repeated attempts to complete the task. And the constant cycle of these repetitions will cause the overlapping of the packets. Finally, to increase the strain, big traffic loads will be sent to the target for a definitive crash.

Ping Of Death

The Ping Of Death (POD) attacks using a common and valid tool with malicious objectives – the Ping command. Altered or oversized data packets are sent to the target through the ping command.
Consider that a correct IPv4 data packet (IP header included) must be 65,535 bytes. This is the standard allowed by the Internet protocol (IP). Perpetrators violate it and make the target struggle while trying to reassemble altered packets repeatedly. Target’s resources like memory will be exhausted, causing different problems, crashing included.
POD became popular because attackers don’t need deep knowledge about its victim, only its IP address.

Slowloris

A highly dangerous attack executed a single computer vs. a server. A sophisticated technique that takes down a server without disrupting the rest of the network’s ports and services. Slowloris operates by sending many partial requests to the server. It keeps sending more and more HTTP headers continuously but without completing those requests. These forged requests keep many connections open to the server for a longer time than usual to overwhelm the maximum concurrent connection pool. As a result, the system will slow down, additional connections from legit users will be denied.

Zero-day DDoS attack

A Zero-day, also called a zero-minute attack, is one that takes advantage of new vulnerabilities. People are not yet aware of them. Usually, those vulnerabilities appear on new updates or patches, but they can also exist since the software is launched. The name of the attack refers to the fact it is happening before the vulnerability perpetrators used is publicly known.

This attack can have a positive purpose when software companies pay people in exchange for reporting vulnerabilities of new products before their official release. But it also points to the reality that attacks are far from disappearing.

Preparing a DDoS attack

To launch a DDoS attack, first, the criminals need to “recruit” enough connected devices that later will generate the traffic. To do so, they infect those machines with different malicious software (from emails, visiting unprotected sites and more) and create so-called botnets – hijacked devices ready to be used when it is time for the attack. There are even markets for botnets, where you can buy an attack on a website of your choice.

The Consequences of DDoS attack

Experiencing such a harmful threat is highly unpleasant and can have a huge negative impact. Some of the possible outcomes of a successful attack include:

• Operational Disruption: One of the immediate consequences of a successful DDoS attack is the disruption of normal operations. Websites become sluggish or entirely inaccessible, leading to frustrated users, decreased productivity, and financial losses. E-commerce platforms, financial institutions, and online services are especially vulnerable, as downtime translates directly into revenue loss and damage to customer trust.
• Financial Loss: DDoS attacks can cause severe financial harm. Businesses may face not only the direct costs of mitigating the attack and restoring services but also indirect costs associated with reputational damage and lost customers. The financial damage can lead to legal consequences, especially if sensitive client information is compromised during the attack.
• Reputational Damage: Trust is a delicate matter in the digital space, and a DDoS attack can destroy it instantly. When customers cannot access services or experience disruptions, they may lose confidence in the affected organization and its ability to protect their interests. Rebuilding a reputation can be a long and difficult process.

How long does a DDoS attack last?

The duration of a DDoS attack can vary significantly based on the resources available to the attackers and the defensive measures of the target. DDoS attacks can last from a few minutes to several weeks. On average, however, most DDoS attacks last for around 24 hours, though some intense attacks can go on for days or even weeks.

Short-duration attacks can be a part of a coordinated strategy where attackers test a target’s vulnerabilities with brief bursts, estimating the response and preparedness of the target’s systems. These “hit-and-run” style attacks can cause considerable disruption in a short time, particularly if they target time-sensitive operations like financial transactions or sales events.

Prolonged DDoS attacks typically aim to exhaust the target’s resources or force them to pay a ransom in exchange for stopping the attack. Long-term attacks can be devastating as they may prevent an organization from functioning entirely, leading to major operational and financial issues.

Preparedness and robust DDoS protection are essential to mitigate the effects of both short and prolonged attacks.

Which industries are being targeted and why?

Certain industries are more frequently targeted by DDoS attacks due to their high online activity, competitive nature, and dependence on continuous uptime. Here are some of the industries most affected and why they are popular targets:

• Financial Services and Banking: Financial institutions are high-value targets due to their critical role in managing and securing funds and customer data. Attackers may aim to disrupt operations, damage reputation, or extort these institutions for ransom. A successful attack on a bank can lead to significant financial loss, operational chaos, and damage to customer trust.
• E-commerce and Retail: Online retail is another major target, especially during peak shopping seasons like Black Friday and holidays. Attacks during these times can severely impact sales revenue, as website downtime directly translates to lost customers and sales.
• Government and Public Sector: Government websites, especially those related to public communication, law enforcement, and emergency services, are frequent targets. These attacks may be politically motivated, intending to disrupt public access to information. Governments are also targeted to disrupt official communication channels.
• Gaming and Entertainment: The gaming industry is particularly vulnerable, as users expect real-time access and responsiveness. Gamers often participate in competitive or time-sensitive events where even short downtimes can lead to significant frustration and financial loss for companies. DDoS attacks are frequently employed to disrupt gaming servers.
• Media and News Websites: News outlets and media websites are also prime targets. Hacktivists may use DDoS attacks to silence certain news outlets or delay the publication of specific content. Attacks on these sites can reduce public access to information, potentially affecting the narrative on important topics.

How to prevent a DDoS attack and stay safe?

The cyber-criminals can make a vast network of botnets, but it doesn’t mean you can’t be protected. ClouDNS provides you two options to stay away from DDoS troubles.

You can choose and subscribe for a DDoS protected DNS.

All plans provide unlimited Layer 3-7 DDoS Protection. Whichever you pick from them, you will be able to use 4 DDoS protected DNS servers, 50+ Anycast locations and unlimited DNS queries. For big companies, we recommend our DDoS Protection L subscription with 400 DNS zones that you can manage.

DDoS Protected Plans

Or you can use a Secondary DNS as a backup DNS, so you always have a backup copy of your DNS records.

It adds resilience, reduce the outage periods by answering requests even if the Master is down.

Conclusion

The more extensive your DNS network is, the better. The massive traffic from the attackers can be distributed between your servers in the different locations, and it will ease the load. Don’t forget that modern DDoS attacks target different communication layers, so you will need intelligent DDoS protection to respond fast and accurately. 

To be safe, always choose quality DNS service provider like ClouDNS.

The post DDoS attacks and how to protect ourselves appeared first on ClouDNS Blog.

Teardrop attack explained

The Teardrop attack or TCP fragmentation attack is a type of Denial-of-Service attack (DoS attack) that has the main goal to make a network, server, or computer inaccessible by sending them large amounts of altered data packets. 

Computer systems that are a bit older have a bug within the code used for handling large amounts of data. That weak spot is the perfect opportunity for initiating the Teardrop attack. Usually, the system should collect all bits and put them in the proper order. Yet, that never happens, and the system continues to wait for pieces that never arrive. As a result, the network, server, or device crashes.

You have probably guessed that the main targets of such DoS attacks are exactly the TCP/IP fragmentation codes. They are performed via a methodology that includes overlapping the fragmented packets of the device, server, or network. When the host tries to reconstruct the packets to their correct order, it typically fails, and eventually, the system crashes permanently. Moreover, the conditions get even worse because of the large amounts of load that are sent to the targeted device. Furthermore, as this malicious threat uses TCP/IP fragments, it’s also a part of the IP fragmentation attack.

The cybercriminals that are completing the attack are more commonly choosing the old versions of operating systems (OS). So, let’s say, for instance, older versions of Windows like Windows NT, Windows 3.1x, Windows 95, Windows 7, Windows Vista. Additionally, other targets could be Linux versions former to 2.0.32 and 2.1.63. Due to their sluggish processing speed and flawed TCP/IP fragments, these systems are unable to aggregate tainted packets.

You are probably assuming that such type of threat is a little bit outdated based on the fact that the new operating systems are not the main targets. However, it would be best if you did not underestimate the potential damage the Teardrop attack could cause. Just think about how many counties, large government, and healthcare organizations are using exactly a lot older versions of operating systems. 

What inspired the name of the attack?

Let’s now look at how it got its name, ‘Teardrop attack.’ The attack’s glitchy code is relatively tiny and fragmented. It is entered slowly and is only a small portion of a large part. This resembles a teardrop in practically every way. It just makes up a small portion of all the tears that a person can shed throughout their lifetime. When it comes to solo, a teardrop won’t have any impact. But when it’s plentiful, it can lead to a breakdown in emotions.

How does it work?

The majority of the systems are created in a simple way that does not allow the transfer of massive amounts of information from a different source in just one attempt. For that reason, systems manage to divide the data into fragments and transfer it like that. Then, relying on the rules established in the software, the recipient reassembles it. For specifying how much information they can process at a time, networks set maximum transmission units (MTUs). In the most common scenarios, a network uses a 1,500-byte limit. However, if you send something more extensive than that, then the following is going to happen:

• Fragmented – The device that wants to send the information, or the router that is related to it, divides the data into pieces – fragment datagrams.
• Sent – Each piece is transferred to the target destination containing headers that have the purpose of defining the precise order for reassembly.
• Reassembled – The server that is set as a target destination remains until the entire collection of fragments arrives. Once each of them is available, the system arranges the information in the proper order and delivers it. 

As we mentioned, operating systems (OS) that are a bit aged include a bug. That causes confusion through the phase of reassembly, which makes it possible to use that vulnerability.

Here is how the Teardrop attack is performed, step by step:

• First, the extensive amount of information is divided into small fragments before sending it across the Internet.
• Every piece gets a precise number which defines in which order the fragments should be arranged and assembled to receive the original information.
• The destination server uses the included information in the fragments to organize them in the right sequence.
• In this step, the Teardrop attack interferes and disrupts the fragments’ offset field. That makes it difficult for the device to reassemble the pieces.
• Then a lot of fraudulent packets are delivered on the device or server of the victim. So, finally, that causes the crash of the device.

The good news is that most of the current networks and devices are able to efficiently notice damaged fragmented packets because of their development. If a discrepant packet is recognized, it is possible to restrict it and prevent a Teardrop attack.

What are the effects of the Teardrop DoS attack?

Based on the fact that the Teardrop DoS attack is initiated and targets the TCP/IP reassembly mechanisms and disturbs them from setting together fragmented packets of data. That leads to the overlapping of data packets and overwhelming servers of the victim, which causes them to go down.

Whenever the Teardrop DoS attack is completed, the system, server, or network gets confused. Additionally, it pauses for some time and then crashes. As an effect of it, when the server is down, it is not capable of providing the needed resources, and for instance, your employees won’t be able to do their work at all.

Who are the likely victims of this attack type?

There are some organizations that are more likely to be a target of a Teardrop attack. Typically they are a bit more traditional and are hardly willing to implement the new technologies. It is also common for them to have the understanding that new technologies could affect their operations. Therefore they use a bit older technologies and software. Here are some of the common targets and likely victims of the Teardrop attack:

• Healthcare

More than half of healthcare providers are using some of the old versions of operating systems (OS). In the most popular scenarios, it is exactly Windows 7. That is the reason why they are especially vulnerable to these attacks. Mainly because Microsoft announced that it is not going to continue to support that version of their product.

• Government

Other institutions that are using pretty old systems and technology are precisely the ones related to government. There are cases in which the Office of Personnel Management (OPM) was attacked, and all of the information was not encrypted. Why? Because the system was way too old. Systems like that are very likely to become victims of the Teardrop attack.

• Banking, Financial Services, and Insurance (BFSI)

In the past years, we have seen a massive improvement and change in the different financial services, and probably all of them implemented the usage of mobile apps. However, if we take a look at what they are implementing to their backend systems, we are going to notice that in most cases, their technologies are not actually brand new. They prefer to operate with legacy systems, but that makes them very vulnerable to Teardrop attacks.

How to protect ourselves?

• Update the version of your OS.

With just this simple task, you are making sure that your device is hard to become a target to such a DoS attack. It is essential not to use an aged OS that is not supported anymore, and there aren’t any security patches. In case you are using such an operating system, you won’t receive updates anymore. That makes you prone to experience not only a Teardrop attack but also some DDoS attack types. (If you are searching for a reliable DNS protection, check our DDoS Protected DNS Service)

• Monitor your systems

You can add an extra layer of security to your system through a Monitoring service. It includes different types of checks. Especially TCP monitoring and Heartbeat мonitoring in a Teardrop attack situation will help a lot. It is a technique for keeping a close eye on a system’s health by regularly sending heartbeat events to a remote monitoring service. For example, if the data included in the heartbeat event does not match the user-defined assertions, it will be notified that something is wrong. So, this would be a clear signal for a defense action.

• Firewall

These attacks target the network layer, so your system should certainly be protected. You can implement a reliable firewall system that filters unwanted data. There are a lot of different types of firewalls. For sure, one of them is going to fit your network’s requirements. It is crucial to enable an efficient filter that is going to help you detect and stop infected data. It serves as an excellent protection method.

How to detect it?

Detecting the presence of a Teardrop Attack can be challenging, considering its ability to camouflage within the network’s regular traffic. However, there are several signs and symptoms that administrators and security personnel can observe:

• System Instability: One of the primary indicators of a Teardrop Attack is the sudden instability or unresponsiveness of systems and network devices. Sluggish response times, increased latency, and interrupted connectivity can indicate that your system is under attack. Users might experience frequent crashes, freezes, or abnormal behavior in applications and services.
• Unusual Network Activity: Strange network behavior, such as an unexpected surge in network traffic or a sudden increase in packet fragmentation, could be a red flag indicating a potential Teardrop Attack. Monitoring network traffic for irregular patterns becomes crucial in detecting such anomalies.
• System Logs and Error Messages: Regularly reviewing system logs and error messages can reveal clues about attempted attacks or system anomalies caused by a Teardrop Attack. Unusual error messages related to packet handling or IP reassembly could hint at malicious activities.

Why are Teardrop attacks so important?

A great number of people are still using systems that are considered very old. Additionally, the companies that provided these tools are not supporting them anymore. For instance, there are still organizations that hold a device that operates with Windows XP. Yet, the support ended back in 2014. There are various cyber threats, and the Teardrop attack is one of them that proves how important it is to update your systems.

In case you are using software that is modern and you update it on time, it is going to be a lot harder for an attacker to initiate a Teardrop attack towards you or your business. The reason for that is simple. The vulnerability that is required for performing the attack just doesn’t exist, and attackers can’t take advantage of it. Therefore it is essential to know the way IP fragmentation attacks such as Teardrop are made.

Conclusion

So, now you understand actually how dangerous a Teardrop attack is. It could affect your device, network or computer. For that reason, it is extremely important to keep yourself and your network safe and take the required actions to prevent it.

The post What is a Teardrop attack, and how to protect ourselves? appeared first on ClouDNS Blog.