Denial of Service | A Complete guide of Cyber Attacks

DoS: A Complete Guide

The internet is not as safe as it needs to be. Many businesses find themselves in troubled waters because of hacking and spamming attacks. Hackers and spammers are more active than ever, especially since the rise of the novel coronavirus forced much of the global population to work from home. Cybercriminals saw a great opportunity in this, because people working from home generally do not have a secure network. Denial-of-Service (DoS) attacks are the most troublesome and frequent attacks disrupting everyday business operations.

This article offers a complete picture of what Denial-of-Service attacks are, their types, the damage they can do, and how companies can guard themselves and their workforce against them.

What is DoS?

Denial-of-Service is a fundamental cyberattack concept: it prevents the party on the receiving end from carrying out its business activities. In most cases, DoS attacks keep businesses from reaching their network, server, clients, customers, or even employees. The technique is so simple and so broadly applicable that cybercriminals have built many variations on this one basic mechanism. Imagine trying to complete online orders in today's COVID-19-hit world while you cannot reach your web store or order management system. The result is damaging: orders are delayed, and once you fail to deliver goods on time, the trust between company and customers drops significantly, which hurts future sales. This can happen to any business in the world, because cybercriminals spare no one.

DoS attacks are like weeds that grow in a garden and choke its beauty and growth: they disrupt and destroy productive applications across an enterprise's ecosystem. Every business needs a stringent set of protocols, tools, and software to deal with persistent cyberattack threats. It is always better to prepare in advance for the situation in which your enterprise's network comes under severe attack. Yet many businesses fail to be proactive, lose their precious data, and put their customers at risk.

Types of DoS Attacks 

As mentioned above, companies and enterprises must be proactive. To do that, they should know the different types of DoS attacks, because each calls for a different strategy to tackle the attack and recover from its damage. Once you know the types, you are in a better position to devise counter-measures. For example, many DoS attacks target applications while many others take aim at the network, and each needs a different response.

In particular, most businesses now rely heavily on services hosted online, so it is all the more important that their servers run securely and smoothly during business hours.

DoS attacks target businesses in two ways: specially-crafted data and flooding. Cybercriminals can also combine the two to carry out attacks such as UDP flooding and SYN flooding.

Specially-Crafted Data

This is a particularly damaging kind of DoS attack, because it can bring the targeted system or network down completely. It is even more dangerous if the targeted enterprise has not established protocols for handling the data; in that case the company's system or network is bound to crash. With specially-crafted data, cybercriminals do not send a large volume of data; instead they send individual packets that are too hot for the receiver to handle. Teardrop and Ping of Death attacks are prime examples. These attacks manipulate fields in network protocol packets and exploit servers until they stop functioning and crash completely.

Flooding

Flooding is the other way cybercriminals disrupt a system or network: they send so much data to the targeted systems or networks that they slow to a halt. It is like waiting to cross the road when your signal turns green, only for the traffic that should have stopped at the red light to storm into your way and block you. Similarly, when attackers send too much data to a network, it has to spend its resources consuming the attacker's data and can no longer respond to legitimate traffic. Distributed Denial-of-Service (DDoS) attacks are the prime example of this kind of attack: cybercriminals flood the targeted network with packets from many computers, making it impossible for the network to do its legitimate job.

In a Denial-of-Service attack, cybercriminals use a single computer to launch the attack. That is not the case with Distributed Denial-of-Service (DDoS) attacks, where the attackers use many computers to launch a massive strike. It is like attacking an airbase with jets from many different airbases. The aim is to destroy the functionality of a system or network completely. The barrage leaves the targeted system with little to no capacity to handle the traffic and eventually makes it collapse. You may also have heard the term ransom DDoS. In this type of attack, cybercriminals exploit the functionality of the targeted system's internal protocols and demand extortion money to restore it to its earlier condition.

Let’s take a look at the 10 most common types of DoS attacks in 2020.

Common types of DoS attacks


IP Fragmentation or Teardrop attacks

This is one of the leading kinds of specially-crafted data attack. Hackers send specially-crafted packets to the targeted systems or networks. It relates to the TCP/IP protocol suite, which fragments large IP packets into smaller ones to transfer data smoothly across networks. When the fragments reach their destination, they are reassembled into the original data. During fragmentation, each fragment carries header fields that let the destination track the pieces and put them back together in their original form. In a teardrop or IP fragmentation attack, cybercriminals craft fragments that overlap with each other. This confuses the operating system at the destination to the point that it crashes, because it cannot reassemble the packets into their original form.

User Datagram Protocol (UDP) Flooding

In simple terms, the User Datagram Protocol (UDP) is an unreliable protocol: the sender does not check whether the data reached its destination, and an attacker does not care either. Typically, cybercriminals send many UDP packets to the target system on random ports. When the receiving system gets a packet, it looks for an application listening on that port. If it finds no such application, it responds with an Internet Control Message Protocol (ICMP) packet; these ICMP packets are error messages. Since this is a form of flooding, attackers send a huge number of UDP packets to the target system, which then spends a lot of resources responding with ICMP packets. The result is a complete traffic jam on the receiving system, stopping the flow of legitimate traffic, requests, and data.

SYN Flood

This is another form of flooding, also tied to the TCP/IP protocol suite. TCP is considered a reliable protocol because it ensures that the receiver gets all of the data. TCP opens a connection with a three-way handshake between sender and receiver, which is where the SYN (synchronization) and ACK (acknowledgement) packets come into play. The sender sends a SYN packet and the receiver responds with SYN-ACK; the sender then dispatches an ACK packet, followed by the data. In a SYN flood, the sender is the attacker and the receiver is the victim. The attacker sends a SYN packet and the victim replies with SYN-ACK, but the attacker never responds with the ACK. The victim server waits for the ACK, as the protocol requires. The attacker sends a large number of such SYN packets, and the server keeps waiting for each final ACK until a timeout occurs. Because the server exhausts its resources waiting for ACKs that never come, all traffic is disrupted and legitimate traffic cannot find a way through.
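The half-open-connection exhaustion just described, as an added example that is not code from the original article: a small tracker run over constructed packet records, showing how many legitimate SYNs a full backlog drops and how a shorter handshake timeout frees slots. The packet format, the one-slot-per-source simplification, and the threshold values are assumptions made for this illustration.

```python
# Added example (not from the article): model of a listening socket's
# half-open (SYN received, ACK pending) table under a SYN flood.

def half_open_peak(packets, timeout, backlog):
    """packets: list of (time, src, flag) seen at one listening port, flag in
       {"SYN", "ACK"}. A SYN takes a half-open slot for src, the matching
       ACK frees it, and slots older than `timeout` seconds are expired
       (the server gives up waiting). Returns (peak_half_open, dropped_syns)."""
    pending = {}  # src -> time its SYN arrived (one slot per source, simplified)
    peak = dropped = 0
    for t, src, flag in sorted(packets):
        # expire entries the server has waited on for longer than `timeout`
        for s in [s for s, t0 in pending.items() if t - t0 > timeout]:
            del pending[s]
        if flag == "SYN":
            if len(pending) >= backlog:
                dropped += 1  # backlog full: this SYN, legitimate or not, is lost
            else:
                pending[src] = t
        elif flag == "ACK":
            pending.pop(src, None)  # handshake completed, slot released
        peak = max(peak, len(pending))
    return peak, dropped


def build_sample():
    """Constructed traffic: three clients that complete their handshakes,
       fifty sources that send a SYN and never answer, then one more
       legitimate client arriving while the backlog is full."""
    pkts = []
    for i, src in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        pkts.append((i * 1.0, src, "SYN"))
        pkts.append((i * 1.0 + 0.05, src, "ACK"))
    for i in range(50):
        pkts.append((3.0 + i * 0.01, f"203.0.113.{i + 1}", "SYN"))
    pkts.append((5.0, "198.51.100.4", "SYN"))
    pkts.append((5.05, "198.51.100.4", "ACK"))
    return pkts


if __name__ == "__main__":
    # A long timeout keeps the backlog full and the late client is dropped;
    # a short timeout expires the dead entries before it arrives.
    print("timeout 60s:", half_open_peak(build_sample(), timeout=60.0, backlog=32))
    print("timeout 1s: ", half_open_peak(build_sample(), timeout=1.0, backlog=32))
```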

Ping of Death

As mentioned earlier, data is broken into smaller packets for transmission over the internet and reassembled at its final destination. In a Ping of Death attack, cybercriminals send packets larger than 65,536 bytes, the maximum packet size the IP protocol allows. These packets are fragmented into smaller chunks, and the problem arises at the destination, where they are reassembled into their original form. The operating system is at a loss as to how to handle such oversized packets and eventually succumbs.
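Both specially-crafted fragment patterns above (overlapping teardrop fragments and an oversized Ping of Death reassembly) can be checked offline from fragment metadata. This added example is not code from the original article; the fragment record format and the sample datagrams are constructed for the illustration, and the 65535 limit used in the code is the maximum value of the 16-bit IPv4 total-length field.

```python
# Added example (not from the article): flag IP fragment sets that either
# overlap (teardrop) or would reassemble beyond the IPv4 size limit (Ping of Death).
from collections import defaultdict

IP_MAX_DATAGRAM = 65535  # largest value the 16-bit IPv4 total-length field can hold
IP_MIN_HEADER = 20       # minimal IPv4 header added back when sizing the reassembly


def check_fragments(fragments):
    """fragments: iterable of dicts with keys
         ident  - IP identification field shared by fragments of one datagram
         offset - fragment offset in bytes (header field value * 8)
         length - payload bytes carried by this fragment
         more   - True if the More Fragments flag is set
       Returns {ident: [finding, ...]} for datagrams that look malformed."""
    groups = defaultdict(list)
    for f in fragments:
        groups[f["ident"]].append(f)
    findings = {}
    for ident, frags in groups.items():
        notes = []
        frags = sorted(frags, key=lambda f: f["offset"])
        prev_end = 0
        for f in frags:
            start, end = f["offset"], f["offset"] + f["length"]
            if start < prev_end:
                # Teardrop signature: this fragment re-covers bytes an earlier one claimed
                notes.append(f"overlap at bytes {start}-{prev_end}")
            prev_end = max(prev_end, end)
        last = frags[-1]
        if not last["more"]:
            total = last["offset"] + last["length"] + IP_MIN_HEADER
            if total > IP_MAX_DATAGRAM:
                # Ping of Death signature: reassembled datagram exceeds the length field
                notes.append(f"reassembled size {total} exceeds {IP_MAX_DATAGRAM}")
        if notes:
            findings[ident] = notes
    return findings


# Constructed sample: datagram 1 is benign, 2 has overlapping fragments,
# 3 would reassemble to more than 65535 bytes.
SAMPLE = [
    {"ident": 1, "offset": 0, "length": 1480, "more": True},
    {"ident": 1, "offset": 1480, "length": 520, "more": False},
    {"ident": 2, "offset": 0, "length": 1480, "more": True},
    {"ident": 2, "offset": 800, "length": 600, "more": False},
    {"ident": 3, "offset": 0, "length": 1480, "more": True},
    {"ident": 3, "offset": 65120, "length": 500, "more": False},
]

if __name__ == "__main__":
    for ident, notes in check_fragments(SAMPLE).items():
        print(f"datagram {ident}: {notes}")
```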

Exploits for Servers

Web applications are generally hosted on web servers such as Tomcat and Apache, and exploits against those servers can give rise to a DDoS vulnerability. A vulnerability in Apache or Tomcat gives the attacker the chance to launch an exploit. The exploit does not have to take full control of the target system; it can simply tear apart the web server software, which amounts to a DDoS attack. Many businesses leave their servers on default configurations, which makes the hackers' job much easier because they can readily find out the web server's version. That tells them which vulnerabilities the server has, and they launch the matching exploits. If a web server is not patched regularly, cybercriminals can exploit it easily.

Botnets

Botnets are another way of carrying out DDoS attacks. Simply put, a botnet is a collection of compromised computers (bots) that act on commands from a command-and-control (C&C) server. These compromised computers are used to dispatch a massive wave of packets to the target servers, overloading them.

Reflective DDoS Attacks and Amplification Attacks

Reflective DDoS attacks are launched through legitimate computers. The attacker hides their own IP address: they forge the sender address of a small packet and dispatch it to a legitimate machine. That machine takes the forged address for the real sender and sends its response to the victim. Where the response is much larger than the request, the impact is amplified; the legitimate computers are then called reflectors and the activity is known as an amplification attack. These are called reflective DDoS attacks because cybercriminals do not use their own computers for the attack directly but launch it from legitimate ones. They are also known as Network Time Protocol (NTP) attacks because the reflectors respond to a particular DNS or NTP request. Common examples include WordPress pingback attacks and DNS amplification attacks, all of which are amplification attacks.
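Seen from the victim's network edge, reflection has a simple tell: replies arriving from DNS or NTP server ports that no local host ever asked for, from many different servers at once. The detector below is an added example, not code from the original article; the packet record layout, the two-second "solicited" window and the sample addresses are constructed assumptions.

```python
# Added example (not from the article): find local hosts receiving
# unsolicited replies from reflector service ports at the network edge.
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}  # services named in the article


def unsolicited_reflection(packets, window=2.0, min_reflectors=3):
    """packets: list of (time, direction, local_ip, remote_ip, remote_port, size)
       for UDP traffic at the site's edge; direction is "out" (local -> remote)
       or "in" (remote -> local). An inbound packet from a reflector port is
       solicited only if the local host sent something to that remote
       endpoint within `window` seconds before it. Returns a summary for each
       local host hit by at least `min_reflectors` distinct unsolicited servers."""
    last_query = {}  # (local, remote, remote_port) -> time of last outbound packet
    hits = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "service": set()})
    for t, direction, local, remote, rport, size in sorted(packets):
        key = (local, remote, rport)
        if direction == "out":
            last_query[key] = t
        elif rport in REFLECTOR_PORTS:
            solicited = key in last_query and t - last_query[key] <= window
            if not solicited:
                h = hits[local]
                h["reflectors"].add(remote)
                h["bytes"] += size
                h["service"].add(REFLECTOR_PORTS[rport])
    return {
        local: {"reflectors": len(h["reflectors"]), "bytes": h["bytes"],
                "services": sorted(h["service"])}
        for local, h in hits.items() if len(h["reflectors"]) >= min_reflectors
    }


def build_sample():
    """Constructed traffic: one host makes a normal DNS query and gets its
       answer; another host receives large DNS and NTP replies it never requested."""
    pkts = [(0.0, "out", "192.0.2.10", "198.51.100.53", 53, 60),
            (0.1, "in", "192.0.2.10", "198.51.100.53", 53, 400)]
    for i in range(8):   # big DNS answers from eight different servers
        pkts.append((1.0 + i * 0.01, "in", "192.0.2.20", f"203.0.113.{i + 1}", 53, 3000))
    for i in range(5):   # NTP replies from five more servers
        pkts.append((1.5 + i * 0.01, "in", "192.0.2.20", f"203.0.113.{100 + i}", 123, 468))
    return pkts


if __name__ == "__main__":
    for host, summary in unsolicited_reflection(build_sample()).items():
        print(host, summary)
```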

Criminal groups such as Armada Collective, DD4BC, MXR-Squad, Fancy Bear, and Lizard Squad have used amplification attacks to carry out ransom DDoS attacks. Their modus operandi is to send an enterprise an extortion email first and then launch the attack if the target does not pay.

DD4BC

As discussed above, DD4BC is a group of cybercriminals that extorts enterprises. The group was last seen in action in 2014. They generally demanded Bitcoin as the ransom fee, and media, entertainment, and financial services were their main targets. They would send an email threatening the enterprise with a low-intensity DoS attack while claiming they could protect it from larger attacks. They also threatened to publish information about the attack on social media to hurt the enterprise's reputation.

WordPress Pingback Attack

As the name suggests, attackers use WordPress websites to carry out this kind of attack. You have probably heard of pingbacks and how they work on WordPress-powered sites. A pingback is a notification sent to a website by a referrer, telling the site that the referrer has linked to one of its articles or posts. The website then downloads the referrer's page as part of handling the pingback request, as the protocol designed by WordPress prescribes. When attackers abuse this, the activity is called reflection and the WordPress sites involved are termed reflectors: they all try to connect to the victim and eventually overload it. If the victim has a large web page, each WordPress site tries to download it, which chokes the victim's bandwidth. This is the amplification.

Armada Collective

This kind of DDoS attack first surfaced in 2015. The Armada Collective group targeted a number of financial and web hosting services in Russia, Thailand, Greece, and Switzerland. They soon vanished from the scene but re-emerged in Central Europe in October 2017, using demo DDoS attacks to threaten their targets and launching a series of reflective DDoS attacks through NTP.

Fancy Bear


Fancy Bear is another group of hackers, which emerged in 2010. They used the Mirai botnet to threaten their targets and victims, generally going after the Linux-based IoT devices such as CCTV cameras that the botnet is built from.

How to Tackle Them?

Now that you know the 10 most common types of DoS attacks and attackers, it is time to find out how you can guard against them. As mentioned earlier, each kind of attack has to be tackled differently.

Application-Level Attacks

Many enterprises have experienced an application-level DoS event without being attacked at all: companies report that a successful marketing campaign brought a wave of visitors their website could not serve, effectively launching a DoS attack against themselves. Companies also report deliberate attacks on their application layer, known as "Low and Slow" attacks.

Low and Slow attacks play on a server's timeout setting, sending just enough traffic to keep the application working at full capacity. The timeout is the time the server waits between actions before it gives up on a transaction and terminates the session.

Apart from using a DDoS-protected VPS, a DDoS proxy, or DDoS-protected servers, enterprises can also use web application firewalls against these attacks. Since application-level attacks use HTTP headers, HTTP PUT, HTTP GET, and TCP traffic to carry out their nefarious designs, the best way to tackle them is with a firewall, either a web application firewall or a cloud firewall service; choose whichever suits your application's architecture.

Protocol-Based Attacks 

TCP/IP networking depends on a series of functions and protocols. Because these protocols have to operate alongside the data on a network, firewalls cannot simply block them.

To tackle protocol-based attacks, you will have to configure your server and router configuration files carefully. This reduces the system's exposure to attackers. It also means cutting down the timeout parameters, so that pending transactions are reset quickly enough.
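The timeout point made for Low and Slow attacks above and repeated here (shorter timeouts reset pending transactions sooner) can be put in numbers. This added example is not code from the original article: it is a simple model in which each slow client drips one header byte per interval, the server holds a worker until the header completes or its header timeout expires, and the attacker's connection rate is capped by a per-source limit. All parameter values are assumptions chosen for the illustration.

```python
# Added example (not from the article): how many workers a rate-limited
# low-and-slow client can pin down as a function of the server's header timeout.
import heapq


def slow_hold_peak(conn_per_sec, header_len, interval, header_timeout, horizon):
    """conn_per_sec  - new slow connections the attacker can open each second
       header_len    - bytes the request header needs before it is complete
       interval      - seconds the client waits between header bytes
       header_timeout- seconds the server allows for the whole header
       horizon       - seconds to simulate
       Returns the peak number of workers simultaneously held by slow clients."""
    # a worker is tied up until the header completes or the server gives up
    hold = min(header_len * interval, header_timeout)
    active = []  # min-heap of worker release times
    peak = 0
    for t in range(horizon):
        while active and active[0] <= t:
            heapq.heappop(active)  # timed out or finished: worker released
        for _ in range(conn_per_sec):
            heapq.heappush(active, t + hold)
        peak = max(peak, len(active))
    return peak


def workers_left(worker_pool, held):
    """Workers still available to legitimate clients (never below zero)."""
    return max(worker_pool - held, 0)


if __name__ == "__main__":
    POOL = 1024  # assumed worker pool size for the server
    for timeout in (300, 20):
        held = slow_hold_peak(conn_per_sec=5, header_len=200, interval=10,
                              header_timeout=timeout, horizon=600)
        print(f"header timeout {timeout:>3}s: {held:>5} workers held, "
              f"{workers_left(POOL, held)} left for real clients")
```

In steady state the held workers equal connection rate times hold time, so capping new connections per source and shortening the header timeout are the two levers that shrink the attacker's footprint.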

Volume-Based Attacks

These are like a full-scale army assault: an army of bots attacks its target in a way that collapses it completely. Such attacks tend to make the news because they can be measured in terabytes per second and generally involve thousands of bots sending unwanted traffic to the targeted system or network.

You will need third-party protection to defend against volume-based attacks. You can also spread servers across different providers and networks to build a proper defence against volume-based attackers.

Here are some of the things you can do to guard your systems, network, and business against DoS attacks.

Create a DoS Response Plan

Developing a DoS response plan should be at the top of any enterprise's priority list. Such plans are generally built on a thorough security assessment. You have hardly any time to react when a DoS attack hits in the middle of the day, but a response plan lays out every measure needed to tackle it effectively. A DoS response plan should include a systems checklist, a designated response team, defined notification and escalation processes, and a list of internal and external contacts.

Secure Your Network Environment

Enterprises need a multi-layered protection plan against DoS attacks. It should include advanced intrusion prevention and threat management systems that combine firewalls, anti-spam, VPN, load balancing, content filtering, and other layers of defence. Combining these resources gives you consistent network protection.

Carry Out Basic Network Security

Besides investing in advanced solutions such as a DDoS-protected VPS, a DDoS proxy, or DDoS-protected servers, you should also pay attention to basic network countermeasures against DoS and DDoS attacks. This keeps your business from being compromised and lets you focus on growing it.

Build a Robust Network Architecture

Building a strong network architecture should always be a top priority. Redundant network resources let you shift traffic to another network if the original one comes under attack. Another upside of redundancy is that attackers do not know your capacity to handle traffic, so your networks can absorb the increased load during an attack. Also, place your servers in different geographic locations.

Invest in Cloud-Based Solutions

You can outsource DDoS protection to cloud-based service providers, which brings several benefits. Clouds generally have more bandwidth and resources than a private network, which lets you deal with these attacks effectively, and as a diffuse resource a cloud can absorb harmful traffic before it reaches the tipping point.

Understand Warning Signs

Your network administrators should be quick to read and understand the warning signs of a DDoS attack. Symptoms such as network slowdowns, spotty connectivity, or repeated website outages should be familiar to them.

The Concluding Remarks

Denial-of-Service attacks compromise the ability of a system or network to handle its legitimate traffic. Enterprises often find themselves on the wrong foot when dealing with customer transactions in the middle of a DoS attack. This is not only frustrating but also damaging, because the company's reputation is at stake. The main resources a DoS attack puts at risk include server memory, CPU usage, database space, hard disk space, the database connection pool, network bandwidth, and the application's exception handling mechanism.

The world is not a safe place in which to exist or run a business. You will always come across malicious actors, and it is your duty as a business to put the right security solutions in place so that you stay afloat amid the dangers of Denial-of-Service attacks.