August 2, 2022
Topics
A denial-of-service attack (DoS attack) is a cyber-attack in which an attacker seeks to make a machine or network resource unavailable by disrupting access to that specific machine or network. Denial of service is typically accomplished by flooding the targeted machine or resource with excess requests to prevent legitimate requests from being fulfilled.
A yo-yo attack is a specific type of DoS/DDoS aimed at cloud-hosted applications which use autoscaling to manage spikes in traffic. The attacker generates a flood of traffic until a cloud-hosted service scales outwards to handle the increase in traffic, then halts the attack, leaving the victim with over-provisioned resources. When the victim scales back down, the attack resumes causing resources to scale back up again. This can result in a reduced quality of service during the periods of scaling up and down and a financial drain on resources for the victim.
When a client attempts to create a TCP connection to a server, the client requests a connection by sending a SYN (synchronize) message to the server. The server acknowledges this request by sending SYN-ACK back to the client. The client then responds with an ACK, and the connection is established. This is called the TCP three-way handshake and is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server’s final request with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it "knows" that it never sent a SYN.
The server will wait for the last acknowledgement because network congestion could also be the cause of the missing ACK. However, in an attack, the half-open connections created by the malicious client clog up resources on the server and may eventually exceed the resources available. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service and may also malfunction or crash the system because other operating system functions are starved of resources.
A distributed denial-of-service attack (DDoS attack) is an attack where the incoming traffic flooding the victim originates from many different sources. DDoS attacks are carried out with networks of Internet-connected machines. These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots and a group of bots is called a botnet. Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions to each bot. Each bot then sends requests to the target’s IP address, causing the server or network to become overwhelmed resulting in a denial-of-service to normal traffic.
This DDoS attack is a reflection-based volumetric attack in which an attacker leverages the functionality of open DNS servers to overwhelm a target with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible. DNS amplification attacks involves an attacker sending a DNS name lookup request to one or more public DNS servers, spoofing the source IP address of the targeted victim. The attacker tries to request as much information as possible, thus amplifying the DNS response that is sent to the targeted victim. Since the size of the request is significantly smaller than the response, the attacker is easily able to increase the amount of traffic directed at the target.
A few different methods of preventing a DDoS attack are black hole routing, network diffusion and using a web application firewall. Black hole routing or blackholing is a method to reduce DDoS attacks by directing unwanted network traffic to an address that goes nowhere. This works well if all the traffic is coming from a single point but without specific restriction criteria, both legitimate and malicious network traffic would be routed to the black hole and dropped from the network. A Web Application Firewall or WAF is a firewall that sits in front of a website and can filter traffic by IP, Port, etc. just like a normal network firewall. WAF’s can also filter if they detect an increase in traffic which could be a sign that a DDoS attack is taking place. Both of these defense techniques fail when more sophisticated attacks are used because an attacker will attempt to make the traffic indistinguishable from normal user behavior. Network diffusion attempts to prevent a DDoS attack from overwhelming a network by scattering the traffic across a network of many different servers. This allows the traffic to be taken in by the network without overwhelming a specific server or network device.
The best method to stop DDoS attacks is a multilayered approach. By combining things like Black Hole Routing, use of a WAF, and network diffusion, defenders can block and break apart large scale DDoS attacks to the point where they cannot harm the network and also let users still access the content they need.
