(D)DoS – overload attacks

Denial of Service (DoS)

DoS stands for Denial of Service and refers to overload attacks on computer systems. The attacker sends a large number of requests or packets to the system with the aim of exhausting a resource it depends on (bandwidth, connection state, memory or CPU) so that it can no longer answer legitimate requests; in the worst case the server crashes outright.

Distributed Denial of Service (DDoS)

The most common and effective way to perform an overload attack is to have a large number of computers attack the system simultaneously. Such an attack is called a DDoS (Distributed Denial of Service) attack.

Botnets

To gain control of the large number of computers needed for such an attack, attackers often use a so-called botnet. Computers are hijacked by infecting them with malware (typically a Trojan, a program disguised as something legitimate) that is installed without the owners noticing. Through this malware the attackers can remotely control the hijacked computers. Each individual computer in such a network is called a bot or zombie.

Crash due to overload

When the botnet collectively sends a large volume of requests to the target of the attack, the recipient eventually cannot handle them all. Queues fill up and new requests are dropped, so legitimate users are prevented from reaching the attacked web server. The system may also crash, and restoring it can take time.

Multi-vector attacks

Such attacks combine several different attack methods and routes into the system at the same time, for example a bandwidth flood together with a SYN flood and a stream of expensive application requests. A multi-vector attack can be very complex and difficult for the attacked party to handle, because each vector needs its own countermeasure and the mix can be changed while the attack is in progress.

Different types of DDoS attacks

There are different types of overload attacks, aimed at different parts of the network connection: the bandwidth of the link, the network equipment, the operating system's protocol stack or the application itself. To understand how these different types of attacks work, one needs a fairly thorough understanding of how network connections work.

Some examples of common types of attacks are:

Flood attack

Attacks the system by using a large number of computers to saturate the target's network connection with IP traffic. ICMP (Internet Control Message Protocol) and UDP (User Datagram Protocol) packets are commonly used, because they are connectionless and can be sent with forged source addresses.

Amplification Attack

An amplification attack uses agents to send requests in which the victim's address is forged as the sender, so that the replies go to the victim instead of the attacker. In the classic form the requests are sent to the broadcast address of a subnet; every host on that subnet answers, and the router forwards all the replies to the victim's system, multiplying the traffic many times over. The same principle is used against public servers, for example DNS or NTP servers, whose replies are much larger than the requests that trigger them.

SYN attack

A TCP connection is set up with a three-way handshake: SYN, SYN-ACK, ACK. In a SYN attack the attacker performs only the first two steps: it sends a SYN, the server replies with a SYN-ACK and reserves a slot in its queue of half-open connections, but the attacker never sends the final ACK (often the SYN carries a forged source address, so the SYN-ACK goes to a host that will not answer). Each such handshake occupies one of the limited slots in the TCP service's backlog until it times out. If the attacker sends enough half-finished handshakes faster than the timeouts free the slots, the queue stays full and other users are prevented from connecting.
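The following simulation, added here as an example and not taken from the original page, shows the mechanism just described on a listener with a deliberately tiny backlog, and contrasts it with SYN cookies, the standard countermeasure in which the server stores nothing and instead encodes an HMAC of the connection tuple in its initial sequence number. Addresses, port numbers, the backlog size and the timeout are assumed values chosen for the demonstration; simulated time is passed in explicitly.

```python
import hashlib
import hmac
import secrets

BACKLOG = 4               # half-open slots on the classic listener (tiny so the effect is visible)
HALF_OPEN_TIMEOUT = 3.0   # simulated seconds a half-open entry is kept before it is discarded
SERVER = ("192.0.2.10", 443)   # assumed server address, documentation range


class ClassicListener:
    """Stores state for every SYN it answers, so unanswered SYN-ACKs tie up backlog slots."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> simulated time the entry expires
        self.established = set()

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        """Return True if a SYN-ACK is sent, False if the SYN is dropped because the backlog is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[src] = now + HALF_OPEN_TIMEOUT
        return True

    def on_ack(self, src, now):
        """Complete the handshake if a half-open entry for this client is still present."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True


class CookieListener:
    """Keeps no half-open state: the ISN it sends is an HMAC over the connection tuple and a time slot."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.established = set()

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{SERVER[0]}:{SERVER[1]}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, now):
        """Return the ISN carried in the SYN-ACK; nothing is stored per client."""
        return self._cookie(src, int(now) // 60)

    def on_ack(self, src, ack_num, now):
        """Accept only if the ACK number proves this client actually received our SYN-ACK."""
        slot = int(now) // 60
        for s in (slot, slot - 1):          # tolerate a slot boundary between SYN-ACK and ACK
            if ack_num == (self._cookie(src, s) + 1) & 0xFFFFFFFF:
                self.established.add(src)
                return True
        return False


def run_scenario(flood_size=50):
    """Spoofed SYN flood followed by one legitimate client, run against both listeners."""
    spoofed = [(f"203.0.113.{i}", 40000 + i) for i in range(flood_size)]  # forged sources, never ACK
    legit = ("198.51.100.7", 51000)
    result = {}

    classic = ClassicListener()
    result["classic_synacks_sent"] = sum(classic.on_syn(src, now=0.0) for src in spoofed)  # only BACKLOG
    result["classic_legit_during_flood"] = classic.on_syn(legit, now=1.0)   # dropped: backlog full
    # Once the half-open entries time out the client gets through, which is why a real attacker
    # has to keep sending SYNs faster than the timeout frees slots.
    result["classic_legit_after_timeout"] = (classic.on_syn(legit, now=4.0)
                                            and classic.on_ack(legit, now=4.1))

    cookie = CookieListener()
    for src in spoofed:
        cookie.on_syn(src, now=0.0)          # costs one HMAC per SYN, stores nothing
    isn = cookie.on_syn(legit, now=1.0)
    result["cookie_legit_during_flood"] = cookie.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now=1.2)
    # An attacker who replays the legitimate client's cookie from its own address is rejected,
    # because the cookie is bound to the full connection tuple.
    result["cookie_replayed_cookie_accepted"] = cookie.on_ack(spoofed[0], (isn + 1) & 0xFFFFFFFF, now=1.2)
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The classic listener answers only the first four spoofed SYNs and then drops the legitimate client until the timeout has passed; the cookie listener accepts the legitimate handshake in the middle of the flood and rejects the replayed cookie. Real kernels enable SYN cookies only once the backlog is under pressure, because a cookie cannot carry all TCP options, but the trade-off is the same as shown here.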

Teardrop attack

The attacker sends fragmented IP packets whose fragments are malformed: the fragment offsets overlap, or the fragments together would form a packet larger than the maximum allowed size. When the recipient's system tries to put the pieces back together, the inconsistent offsets make it miscalculate how much data to copy, and the system crashes.
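As an added example (not from the original page), here is a fragment reassembler written the way the teardrop attack shows it must be written: every fragment set is checked for overlaps, gaps, misaligned offsets, an inconsistent more-fragments flag and an oversized total before a single byte is copied. The fragment sets at the bottom are constructed for the demonstration, not captured traffic, and the model deliberately omits the fragment identification and address fields a real stack uses to group fragments.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # the IP total-length field is 16 bits
IP_HEADER_LEN = 20     # minimal IPv4 header, counted towards the total length
FRAG_UNIT = 8          # fragment offsets are expressed in 8-byte units


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of this payload within the original datagram
    more_fragments: bool  # MF flag; cleared only on the final fragment
    data: bytes


def reassemble(frags):
    """Reassemble a datagram payload, rejecting every fragment set a teardrop-style attacker relies on.

    The original teardrop bug was a kernel computing the length of the next copy as
    `new_end - previous_end` and passing the negative result to memcpy; here an overlap
    is simply refused before anything is copied.
    """
    if not frags:
        raise ValueError("empty fragment set")
    for f in frags:                     # per-fragment sanity checks
        if not f.data:
            raise ValueError("empty fragment")
        if f.offset % FRAG_UNIT:
            raise ValueError("offset not a multiple of 8")
        if IP_HEADER_LEN + f.offset + len(f.data) > MAX_DATAGRAM:
            raise ValueError("fragment extends past maximum datagram size")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0                        # byte offset the next fragment must start at
    for i, f in enumerate(ordered):
        if f.offset < expected:
            raise ValueError("overlapping fragments")
        if f.offset > expected:
            raise ValueError("gap in fragment sequence")
        last = i == len(ordered) - 1
        if f.more_fragments == last:    # MF must be set on all but the final fragment
            raise ValueError("MF flag inconsistent with fragment position")
        if not last and len(f.data) % FRAG_UNIT:
            raise ValueError("non-final fragment length not a multiple of 8")
        expected = f.offset + len(f.data)
    return b"".join(f.data for f in ordered)


def rejection_reason(frags):
    """Return the validation error for a fragment set, or None if it reassembles cleanly."""
    try:
        reassemble(frags)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample fragment sets (assumed payloads, not real traffic).
VALID_FRAGMENTS = [
    Fragment(16, False, b"World!"),           # arrives first; order on the wire does not matter
    Fragment(0, True, b"Hello, teardrop "),   # 16 bytes, so the next offset is 16
]
TEARDROP_FRAGMENTS = [
    Fragment(0, True, b"A" * 24),             # covers bytes 0..23
    Fragment(8, False, b"B" * 8),             # claims bytes 8..15, entirely inside the first
]
OVERSIZED_FRAGMENTS = [
    Fragment(0, True, b"A" * 8),
    Fragment(65528, False, b"B" * 16),        # header + offset + length exceeds 65535
]

if __name__ == "__main__":
    print(reassemble(VALID_FRAGMENTS))
    print(rejection_reason(TEARDROP_FRAGMENTS))
    print(rejection_reason(OVERSIZED_FRAGMENTS))
```

Rejecting overlaps outright is the simplest safe policy; stacks that accept overlapping fragments must at least define which copy wins, since differing policies between a firewall and the host behind it are themselves used to evade inspection.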

Signs of a DDoS attack

Since every single zombie in a botnet has a genuine Internet connection, it can be difficult to distinguish attack traffic from normal traffic, but some signs can usually be discerned:

  • Suspiciously high traffic from individual IP addresses or from ranges of IP addresses.

  • Traffic from many users with similar profiles, for example the same browser identification, device type or geographic location.

  • An unexplained increase in requests to a single page or endpoint.

  • Odd traffic patterns at unusual times of day.

  • Traffic analysis tools can monitor for these signs and raise an alert when they appear.
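The signs listed above can be checked mechanically against a web server's access log. The script below is an added example, not part of the original page: it parses combined-format log lines and flags the per-address, per-range, per-page, user-agent and time-of-day anomalies described above. The log lines are constructed inline for the demonstration (a botnet in 10.20.0.0/24 hammering /login at three in the morning, one noisy single address, and a handful of normal daytime visits); the thresholds are assumed starting points to be tuned against your own baseline, and the /24 grouping assumes IPv4 addresses.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, per_ip_limit=20, per_prefix_limit=100, path_share=0.6,
            ua_share=0.6, quiet_hours=range(1, 6)):
    """Aggregate the log and report which of the DDoS indicators exceed their thresholds."""
    recs = [r for r in map(parse_line, lines) if r]
    total = max(len(recs), 1)
    by_ip = Counter(r["ip"] for r in recs)
    # A botnet hides behind many low-volume addresses; grouping by /24 makes the aggregate visible.
    by_prefix = Counter(str(ip_network(r["ip"] + "/24", strict=False)) for r in recs)
    by_path = Counter(r["path"] for r in recs)
    by_ua = Counter(r["ua"] for r in recs)
    quiet = sum(1 for r in recs if r["ts"].hour in quiet_hours)
    return {
        "total": len(recs),
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n > per_ip_limit),
        "noisy_prefixes": sorted(p for p, n in by_prefix.items() if n > per_prefix_limit),
        "hot_paths": sorted(p for p, n in by_path.items() if n / total > path_share),
        "dominant_user_agents": sorted(ua for ua, n in by_ua.items() if n / total > ua_share),
        "quiet_hours_share": round(quiet / total, 2),
    }


def constructed_log():
    """Build a sample log for the demonstration; none of these lines are real traffic."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
    bot_ua = "python-requests/2.31.0"
    lines = []
    # Five ordinary daytime visits from distinct addresses.
    for i, path in enumerate(["/", "/about", "/", "/contact", "/"]):
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}", ts=f"12/Mar/2024:10:0{i}:30 +0000",
                                path=path, ua=browser))
    # Thirty zombies in one /24, five requests each, all on /login with the same user agent at 03:1x.
    for i in range(1, 31):
        for j in range(5):
            lines.append(fmt.format(ip=f"10.20.0.{i}", ts=f"12/Mar/2024:03:1{j}:{i:02d} +0000",
                                    path="/login", ua=bot_ua))
    # One single address that is loud enough to trip the per-IP threshold on its own.
    for k in range(25):
        lines.append(fmt.format(ip="203.0.113.9", ts=f"12/Mar/2024:03:2{k // 10}:{(k % 10) * 5:02d} +0000",
                                path="/login", ua=browser))
    return lines


if __name__ == "__main__":
    for key, value in analyse(constructed_log()).items():
        print(f"{key}: {value}")
```

Note that no individual zombie exceeds the per-address limit; the botnet only becomes visible through the /24 aggregate, the concentration on one path and one user agent, and the hour of day. That is exactly why the first bullet speaks of ranges as well as individual addresses.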

How can you protect yourself?

It is difficult to protect yourself against DDoS attacks, but you can take some preventive measures:

  • The organization's ISP is the first link to the Internet, and it may be able to offer some protection, such as blocking traffic to critical systems from IP addresses in regions the organization has no reason to communicate with.

  • Ensure that critical systems have an Internet connection whose bandwidth exceeds normal load by a good margin.

  • Make a plan for how to act in the event of a DDoS attack, with a clear division of responsibility and ready contact routes.

  • Good firewall logging provides information about where attack traffic comes from and what it looks like, which makes it possible to write filtering rules that limit the impact of an attack.

  • Contact professional security experts. There are companies that offer DDoS protection services, for example scrubbing centres or content delivery networks that absorb attack traffic before it reaches your systems.

Blackhole routing or null routing

If you are hit by a DDoS attack, you, or your ISP, can direct the traffic to the attacked address into a so-called null route, a route that leads nowhere: a black hole. The problem is that it is difficult to distinguish malicious traffic from legitimate traffic, so if you do this without any restriction criteria, you stop all traffic to your system and lose the traffic you would like to keep as well; the attacker achieves the denial of service anyway, although the rest of your network and your ISP's links are spared. It can nevertheless be a stopgap solution for riding out really big attacks.

Do you need help with your cyber security? Contact Us!