DoS Attack And DDoS Attack
Group 4
Members:
Nguyễn Thùy Dương, Chử Quang Long, Nguyễn Văn Thiện, Phạm Thanh Vỹ
Table of Contents
A Members’ Responsibilities
B Aims of the Presentation
C Topic: DoS Attack and DDoS Attack
I Introduction to Denial-of-Service Attack 3
1) What is DoS? 3
2) What is DDoS? 3
3) Effects of DoS and DDoS attacks 4
4) Examples of famous DoS and DDoS attacks 4
II Types of DoS Attack 5
1) SYN/ACK Flooding 5
2) HTTP Flood Attack 6
3) DNS Amplification 7
4) Slowloris Attack 9
III Prevention and Control methods of DoS and DDoS attacks 10
1) Protections against the DoS and DDoS attacks 10
2) How to control the attacks 10
IV Conclusion 11
1) Summary of the Topic 11
2) The significance of understanding and dealing with DoS and DDoS attack 12
D References
A Members’ Responsibilities
❖ Nguyễn Thùy Dương: Aggregate and control the quality of final products;
Responsible for content and slides for part IV
❖ Chử Quang Long: Responsible for content and slides for part I
❖ Nguyễn Văn Thiện: Responsible for content and slides for part II
❖ Phạm Thanh Vỹ: Responsible for content and slides for part III
B Aims of the Presentation
❖ To distinguish DoS Attack from DDoS Attack
❖ To comprehend their mechanisms and their consequences to the system and users
❖ To learn how to prevent DoS and DDoS attacks and control their risks
C Topic: DoS Attack and DDoS Attack
I Introduction to Denial-of-Service Attack
1) What is DoS?
DoS, short for Denial-of-Service, is a type of attack in which your computer is overwhelmed with traffic from a hacker's system. It is typically an online attack that targets a specific website or server. By overloading the system's resources, the computer's performance
is significantly slowed down. This attack can lead to your computer becoming unresponsive
or shutting down abruptly, causing severe disruptions to the system.
2) What is DDoS?
DDoS, short for Distributed Denial-of-Service, means denial of service from multiple sources in multiple locations. It is designed to flood a server with traffic to overwhelm its infrastructure. Attackers, after gaining control of multiple computers, leverage
them to send malicious data and requests to other devices through websites or email addresses.
3) Effects of DoS and DDoS attacks
❖ Website Downtime: The most immediate and obvious effect is that your website is
overwhelmed and becomes unavailable. This means any business you gain via your website won’t be available to you until you get the site working again. It also affects
your reputation as a website owner. And if you don’t fix the site quickly, it can hurt your SEO: if Google crawls your site and finds it out of action, you will lose rank.
❖ Website Vulnerability: A DDoS attack could render your site more vulnerable to
hacking, as all of your systems are focused on getting the site back online, and security systems may have been put out of action by the attack. Hackers might then find it easier to make their way onto your site via a back door once the DDoS attack has succeeded in paralyzing your site.
❖ Lost Time and Money: Repairing a website that has been subject to a DDoS attack
takes time. It can also take money. While the site is down, you could be losing
revenue, especially if your site is an ecommerce store. And you may have to pay to hire a security expert or web developer to rebuild your site and make sure it’s protected from future attacks.
4) Examples of famous DoS and DDoS attacks
These attacks often result in operational disruptions, financial losses, and heightened security concerns. This makes DoS and DDoS attacks significant threats to organizations and online systems worldwide.
a) Famous DoS attacks
❖ Yahoo Website Attack (2000): In 2000, the Yahoo website became the target of a
large-scale DoS attack. This was one of the first DoS attacks to attract major media attention.
❖ Taiwan Cable TV Network Attack (2015): A group of hackers from China launched
a DoS attack on Taiwan's cable TV network in 2015, causing millions of users to lose access to television.
b) Famous DDoS attacks
❖ WikiLeaks Website Attack (2010): After WikiLeaks published classified documents
from the U.S. government, its website became the target of a significant DDoS attack
in 2010, rendering it inaccessible for an extended period.
❖ Dyn DNS System Attack (2016): In 2016, a massive DDoS attack disrupted the
DNS system of Dyn, a domain name management company, affecting large websites including Twitter, Amazon, and Netflix.
❖ GitHub Website Attack (2018): In 2018, the code repository website GitHub
experienced a significant DDoS attack involving large-scale requests, causing disruptions for several crucial open-source projects.
II Types of DoS Attack
1) SYN/ACK Flooding
a) Description
A SYN-ACK flood is an attack method that involves sending a target server
spoofed SYN-ACK packets at a high rate. It is a Layer 4 (transport layer) DDoS attack in the OSI model.
b) How it works
SYN-ACK packets are part of the TCP handshake, a series of three steps that start a conversation between any two connected devices on the Internet. The three steps of the TCP handshake are shown in the following image.
The device that opens the connection – say, laptop A – starts the three-way handshake
by sending a SYN (short for "synchronize") packet. The device at the other end of the connection, server B, replies with a SYN-ACK packet. Finally, laptop A sends an ACK packet, and the three-way handshake is complete.
Usually a server sends a SYN-ACK packet only in response to a SYN packet from a client device. In a SYN-ACK DDoS attack, the attacker floods the target with SYN-ACK packets. These packets are not part of a three-way handshake at all; their only purpose is to disrupt the target's normal operations. Because a server requires significant processing power
to work out why it is receiving such packets out of order (not in accordance with the normal SYN, SYN-ACK, ACK sequence of the TCP three-way handshake), it can become so busy handling the attack traffic that it cannot handle legitimate traffic, and hence the attackers achieve a denial-of-service condition.
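The defining signature of this attack is a SYN-ACK that the protected host never asked for. The following detector is an added example written for this page, not code from the presentation; it works on constructed packet summaries (the tuple layout, the 5-second SYN wait, the 1-second window and the threshold of 50 are all assumptions) and reports any source sending unsolicited SYN-ACKs faster than the threshold.

```python
"""Detect a SYN-ACK flood from packet summaries (added example; not from the presentation).

A SYN-ACK is only expected when the protected host itself sent a SYN to that remote
address and port a moment earlier. SYN-ACKs with no matching SYN are counted per
source in a sliding window, and any source exceeding the threshold is reported.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Packet summary: (time_seconds, direction, remote_ip, remote_port, tcp_flags)
# direction is "out" (sent by the protected host) or "in" (received by it);
# tcp_flags is "S" for SYN, "SA" for SYN-ACK, "A" for ACK. This layout is constructed.
Packet = Tuple[float, str, str, int, str]

SYN_WAIT_SECONDS = 5.0    # a SYN-ACK arriving later than this is no longer "expected" (assumed)
WINDOW_SECONDS = 1.0      # sliding window for counting unsolicited SYN-ACKs (assumed)
ALERT_THRESHOLD = 50      # unsolicited SYN-ACKs per window that trigger an alert (assumed)


def find_synack_flood(packets: List[Packet]) -> Dict[str, int]:
    """Return {remote_ip: peak unsolicited SYN-ACKs in one window} for sources over the threshold."""
    pending_syn: Dict[Tuple[str, int], float] = {}          # (remote_ip, port) -> time our SYN went out
    recent: Dict[str, Deque[float]] = defaultdict(deque)    # remote_ip -> times of unsolicited SYN-ACKs
    peak: Dict[str, int] = defaultdict(int)

    for t, direction, ip, port, flags in sorted(packets, key=lambda p: p[0]):
        if direction == "out" and flags == "S":
            pending_syn[(ip, port)] = t                      # we opened a connection; expect a SYN-ACK
            continue
        if direction != "in" or flags != "SA":
            continue                                         # only inbound SYN-ACKs matter here
        sent = pending_syn.get((ip, port))
        if sent is not None and t - sent <= SYN_WAIT_SECONDS:
            del pending_syn[(ip, port)]                      # legitimate reply to our own SYN
            continue
        window = recent[ip]                                  # unsolicited: count it in the window
        window.append(t)
        while window and t - window[0] > WINDOW_SECONDS:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))

    return {ip: n for ip, n in peak.items() if n >= ALERT_THRESHOLD}


def build_sample_packets() -> List[Packet]:
    """Constructed traffic: one genuine handshake plus a burst of unsolicited SYN-ACKs."""
    pkts: List[Packet] = [
        (1.00, "out", "93.184.216.34", 443, "S"),     # we open a connection ...
        (1.05, "in", "93.184.216.34", 443, "SA"),     # ... the server answers ...
        (1.06, "out", "93.184.216.34", 443, "A"),     # ... and the handshake completes
    ]
    # 120 SYN-ACKs from an address we never sent a SYN to, all within half a second
    pkts += [(2.0 + i * 0.004, "in", "198.51.100.7", 80, "SA") for i in range(120)]
    return pkts


if __name__ == "__main__":
    print(find_synack_flood(build_sample_packets()))   # {'198.51.100.7': 120}
```

The genuine SYN-ACK is matched against the SYN the host sent and ignored; the 120 unsolicited ones from the constructed address all fall inside one window and trip the alert. On a real sensor the same pairing logic would be fed from a packet capture, and the thresholds tuned to the host's normal outbound connection rate.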
2) HTTP Flood Attack
a) Description
An HTTP flood attack is a type of volumetric DDoS attack designed to overwhelm a
targeted server with HTTP requests. HTTP flood attacks are a type of “layer 7” DDoS
attack.
b) How it works
In order to achieve maximum efficiency, malicious actors will commonly employ or create botnets to maximize the impact of their attack. There are two varieties of HTTP flood attacks:
❖ HTTP GET attack: multiple computers or other devices are coordinated to send
multiple requests for images, files, or some other asset from a targeted server. When the target is inundated with incoming requests and responses, denial of service occurs for additional requests from legitimate traffic sources.
❖ HTTP POST attack: typically, when a form is submitted on a website, the server
must handle the incoming request and push the data into a persistence layer, most often a database. The process of handling the form data and running the necessary database commands is relatively intensive compared to the amount of processing power and bandwidth required to send the POST request. This attack exploits the disparity in relative resource consumption by sending many POST requests directly to
a targeted server until its capacity is saturated and denial of service occurs.
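Both varieties show up in the web server's own access log as one client repeating requests far faster than a person would. The script below is an added example for this page (not the presentation's code): it parses common-format log lines, counts requests per client IP in a sliding window, and keeps GET and POST separate so that the cheaper-to-send but costlier-to-serve POST gets a lower threshold. The log lines, the 10-second window and the thresholds of 100 GETs and 20 POSTs are constructed assumptions.

```python
"""Spot an HTTP flood in web server access logs (added example; not from the presentation).

Counts requests per client IP in a sliding window, keeping GET and POST separate
because a POST that reaches the database costs the server far more than a GET for a
static file, so the POST threshold is lower.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Common/combined log format, e.g.
# 198.51.100.23 - - [01/Jan/2024:12:00:00 +0000] "GET /images/banner.png HTTP/1.1" 200 5120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10
THRESHOLDS = {"GET": 100, "POST": 20}   # requests per window per IP (assumed values)


def parse_line(line: str) -> Optional[Tuple[float, str, str, str]]:
    """Return (timestamp, ip, method, path), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], TIME_FMT).timestamp()
    return ts, m["ip"], m["method"], m["path"]


def detect_http_flood(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Return {ip: {kind: peak requests in one window}} for IPs that crossed a threshold."""
    windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    flagged: Dict[str, Dict[str, int]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, method, _path = parsed
        kind = "POST" if method == "POST" else "GET"   # other methods are treated like GET
        window = windows[(ip, kind)]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()                            # drop requests older than the window
        if len(window) >= THRESHOLDS[kind]:
            per_ip = flagged.setdefault(ip, {})
            per_ip[kind] = max(per_ip.get(kind, 0), len(window))
    return flagged


def build_sample_log() -> List[str]:
    """Constructed log: a normal visitor, a GET flood for one image, and a POST flood at a form."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, method: str, path: str, offset: float, size: int = 1024) -> str:
        when = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return f'{ip} - - [{when}] "{method} {path} HTTP/1.1" 200 {size}'

    lines = [line("203.0.113.10", "GET", "/", i * 12.0) for i in range(5)]                    # 5 hits in a minute
    lines += [line("198.51.100.23", "GET", "/images/banner.png", i * 0.05) for i in range(150)]  # 150 GETs in 7.5 s
    lines += [line("198.51.100.24", "POST", "/login", i * 0.2, 64) for i in range(30)]           # 30 POSTs in 6 s
    return lines


if __name__ == "__main__":
    print(detect_http_flood(build_sample_log()))
    # {'198.51.100.23': {'GET': 150}, '198.51.100.24': {'POST': 30}}
```

The normal visitor never comes close to a threshold, while the two constructed flood sources are reported with the peak number of requests seen in any one window. In a real deployment the same counters would feed a rate limiter or a block list rather than just a report.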
3) DNS Amplification
a) Description
A DNS amplification attack is a reflection-based volumetric distributed
denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS
resolvers in order to overwhelm a target server or network with an amplified amount of
traffic, rendering the server and its surrounding infrastructure inaccessible
A single bot in a DNS amplification attack can be thought of in the context of a
malicious teenager calling a restaurant and saying “I will have one of everything, please
call me back and tell me my whole order.” When the restaurant asks for a callback number,
the number given is the targeted victim’s phone number The target then receives a call
from the restaurant with a lot of information that they did not request.
As a result of each bot making requests to open DNS resolvers with a spoofed IP address, which has been changed to the real source IP address of the targeted victim, the target then receives a response from the DNS resolvers. A DNS amplification attack can be broken down into four steps:
❖ The attacker uses a compromised endpoint to send UDP packets with spoofed IP addresses to a DNS recursor. The spoofed address on the packets points to the real IP address of the victim.
❖ Each one of the UDP packets makes a request to a DNS resolver, often passing an argument such as “ANY” in order to receive the largest response possible.
❖ After receiving the requests, the DNS resolver, which is trying to be helpful by
❖ The IP address of the target receives the response and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial of service.
While a few requests are not enough to take down network infrastructure, when this sequence is multiplied across many requests and DNS resolvers, the amplification of data the target receives can be substantial.
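From the victim's side, the tell-tale is DNS responses (UDP source port 53) arriving for queries the victim never sent. The following detector is an added example for this page, not code from the presentation: given constructed UDP flow records for a protected address, it pairs each inbound DNS response with an earlier outbound query to the same resolver, tallies the unmatched responses per resolver, and computes the amplification factor the attacker obtains. The addresses, byte counts and the 5-second pairing window are assumptions.

```python
"""Detect reflected DNS responses and size the amplification (added example; not from the presentation).

The victim of a DNS amplification attack receives DNS responses it never asked for.
Given UDP flow records for the protected address, each inbound response (source port 53)
is paired with an earlier outbound query to the same resolver; responses with no matching
query are reflected traffic, tallied by resolver.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROTECTED_IPS = {"203.0.113.10"}   # our public address (constructed)
QUERY_WAIT_SECONDS = 5.0           # a response later than this is not paired with the query (assumed)


@dataclass(frozen=True)
class Flow:
    time: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    nbytes: int


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def unsolicited_dns_bytes(flows: List[Flow]) -> Dict[str, int]:
    """Return {resolver_ip: bytes} of DNS responses that no outbound query explains."""
    pending: Dict[Tuple[str, str, int], float] = {}   # (resolver, our_ip, our_port) -> query time
    reflected: Dict[str, int] = defaultdict(int)
    for f in sorted(flows, key=lambda x: x.time):
        if f.proto != "udp":
            continue
        if f.src_ip in PROTECTED_IPS and f.dst_port == 53:        # our own query going out
            pending[(f.dst_ip, f.src_ip, f.src_port)] = f.time
        elif f.dst_ip in PROTECTED_IPS and f.src_port == 53:      # a response coming in
            sent = pending.pop((f.src_ip, f.dst_ip, f.dst_port), None)
            if sent is None or f.time - sent > QUERY_WAIT_SECONDS:
                reflected[f.src_ip] += f.nbytes                   # nobody here asked for this
    return dict(reflected)


def build_sample_flows() -> List[Flow]:
    """Constructed flows: one legitimate lookup, then large responses from five resolvers we never queried."""
    flows = [
        Flow(1.00, "203.0.113.10", 51000, "192.0.2.53", 53, "udp", 70),     # our query
        Flow(1.02, "192.0.2.53", 53, "203.0.113.10", 51000, "udp", 250),    # its answer
    ]
    for r in range(5):
        resolver = f"198.51.100.{r + 1}"
        for i in range(40):   # 40 large responses per resolver, to ports we never opened
            flows.append(Flow(2.0 + i * 0.01, resolver, 53, "203.0.113.10", 40000 + i, "udp", 3000))
    return flows


if __name__ == "__main__":
    reflected = unsolicited_dns_bytes(build_sample_flows())
    print(sum(reflected.values()), "bytes from", sorted(reflected))   # 600000 bytes from 5 resolvers
    print(round(amplification_factor(70, 3000), 1))                   # 42.9
```

The legitimate answer from 192.0.2.53 is matched to the query that preceded it and ignored; the 200 responses from the five constructed resolvers have no query behind them and add up to 600,000 bytes. The factor of roughly 43 for a 70-byte query answered with 3,000 bytes is the "one of everything" effect from the restaurant analogy above, expressed in bytes.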
4) Slowloris Attack
a) Description
Slowloris is a denial-of-service attack program which allows an attacker to
overwhelm a targeted server by opening and maintaining many simultaneous HTTP
connections between the attacker and the target.
b) How it works
Unlike bandwidth-consuming reflection-based DDoS attacks such as DNS
amplification, this type of attack uses a low amount of bandwidth and instead aims to use up
server resources with requests that seem slower than normal but otherwise mimic regular traffic. It falls into the category of attacks known as “low and slow” attacks.
The targeted server will only have so many threads available to handle concurrent
connections. Each server thread will attempt to stay alive while waiting for the slow
request to complete, which never occurs. To prevent the target from timing out the
connections, the attacker periodically sends partial request headers to the target in order to keep the request alive, in essence saying, “I’m still here! I’m just slow, please wait for me.” The targeted server is never able to release any of the open partial connections while waiting for the termination of the request. Once all available threads are in use, the server will
be unable to respond to additional requests made from regular traffic, resulting in
denial-of-service.
III Prevention and Control methods of DoS and DDoS attacks
1) Protections against the DoS and DDoS attacks
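Before the general protections listed below, one concrete protection against the Slowloris attack just described, as an added example for this page (not the presentation's code). The point it demonstrates is that an idle timeout which resets whenever a byte arrives never fires against Slowloris, because the attacker sends a header line just before it would; what works is an absolute deadline for the complete request header, measured from the moment the connection was accepted, plus a cap on simultaneous connections per source address. The 10-second deadline, the cap of 20 and the traffic in the simulation are assumptions.

```python
"""Absolute header deadline: a server-side defence against Slowloris (added example; not from the presentation).

Slowloris trickles a few header bytes just before each idle timeout would fire, so a
timeout that resets on every byte never expires. The tracker below instead gives every
connection a fixed deadline, measured from accept(), to deliver the complete request
header (terminated by a blank line), and caps concurrent connections per source IP.
Timing is passed in explicitly so the logic can be exercised without sockets.
"""
from dataclasses import dataclass
from typing import Dict, List

HEADER_DEADLINE_SECONDS = 10.0   # full header must arrive within this time of accept() (assumed)
MAX_CONNS_PER_IP = 20            # assumed per-source cap


@dataclass
class Conn:
    ip: str
    opened_at: float
    buffer: bytes = b""


class HeaderDeadlineTracker:
    def __init__(self) -> None:
        self.conns: Dict[int, Conn] = {}
        self.per_ip: Dict[str, int] = {}

    def accept(self, conn_id: int, ip: str, now: float) -> str:
        """Register a new connection; returns "accept" or "reject" (per-IP cap reached)."""
        if self.per_ip.get(ip, 0) >= MAX_CONNS_PER_IP:
            return "reject"
        self.conns[conn_id] = Conn(ip, now)
        self.per_ip[ip] = self.per_ip.get(ip, 0) + 1
        return "accept"

    def feed(self, conn_id: int, data: bytes, now: float) -> str:
        """Add received bytes; returns "complete", "pending", "timeout" or "closed"."""
        conn = self.conns.get(conn_id)
        if conn is None:
            return "closed"
        if now - conn.opened_at > HEADER_DEADLINE_SECONDS:
            self._close(conn_id)             # deadline is absolute: new bytes do not extend it
            return "timeout"
        conn.buffer += data
        if b"\r\n\r\n" in conn.buffer:
            self._close(conn_id)             # header done; the request handler takes over
            return "complete"
        return "pending"

    def sweep(self, now: float) -> List[int]:
        """Close every connection whose deadline passed without further bytes; returns their ids."""
        expired = [cid for cid, c in self.conns.items() if now - c.opened_at > HEADER_DEADLINE_SECONDS]
        for cid in expired:
            self._close(cid)
        return expired

    def _close(self, conn_id: int) -> None:
        conn = self.conns.pop(conn_id)
        self.per_ip[conn.ip] -= 1


def simulate_slowloris() -> List[str]:
    """Constructed scenario: one normal client, one slow client sending a header line every 4 s."""
    tracker = HeaderDeadlineTracker()
    tracker.accept(1, "203.0.113.10", 0.0)
    results = [tracker.feed(1, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", 0.1)]   # complete
    tracker.accept(2, "198.51.100.7", 0.0)
    results.append(tracker.feed(2, b"GET / HTTP/1.1\r\nHost: example\r\n", 0.2))   # pending
    for t in (4.0, 8.0, 12.0):                                  # "I'm still here!" every 4 s
        results.append(tracker.feed(2, b"X-a: b\r\n", t))       # pending, pending, timeout
    return results


def accepted_connections(ip: str, attempts: int) -> int:
    """How many of `attempts` simultaneous connections from one IP the tracker admits."""
    tracker = HeaderDeadlineTracker()
    return sum(tracker.accept(i, ip, 0.0) == "accept" for i in range(attempts))


if __name__ == "__main__":
    print(simulate_slowloris())               # ['complete', 'pending', 'pending', 'pending', 'timeout']
    print(accepted_connections("198.51.100.7", 25))   # 20
```

With a 5-second idle timeout the slow client's 4-second cadence would keep its thread forever; with the absolute deadline it is dropped at the first byte after the 10-second mark (or by sweep() if it goes quiet). The per-IP cap limits how many threads a single source can tie up even within the deadline.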
Several methods of DDoS protection exist to prevent or mitigate its effects, including:
Restricting Traffic: Restricting traffic to addresses that are trusted and known can
help prevent a DDoS attack from interrupting services. Additionally, services that are not needed can be shut down or blocked in a similar manner.
Cloud-Based Protection: Cloud-based protection involves using a third-party
service to monitor and filter incoming and outgoing traffic to a server or website. This approach provides an additional layer of security by identifying and stopping malicious requests.
Intrusion Prevention Systems (IPS): IPS solutions analyze network traffic patterns
in real time and can identify malicious activity that could lead to a DDoS attack. This approach blocks known malicious traffic and can stop an attack in its tracks.
Content Delivery Network (CDN): CDNs distribute incoming traffic to several
different servers to reduce the strain on a single server. This approach can help prevent DDoS attacks by reallocating traffic across multiple servers.
2) How to control the attacks
a) Prevention approaches
Preventing a DoS attack can be challenging, but there are several effective techniques:
❖ Network segmentation: Segmenting networks into smaller, more manageable pieces
can limit the impact of a DoS attack. This can be done by creating VLANs, and firewalls can limit the spread of an attack. The optimal solution is zero trust microsegmentation. Adding device-level and device-cloaking firewalling, external to the operating system, remains the most reliable form of DoS protection.
❖ Load balancing: By distributing traffic across multiple servers, a DoS attack can be
prevented from overwhelming a single server or resource. Load balancing can be achieved using hardware or software solutions.
❖ IP blocking: Blocking traffic from known or suspected malicious sources can prevent
DoS traffic from reaching its target.
❖ Rate limiting: Limiting the rate of traffic reaching a server or resource can prevent a
DoS attack from overwhelming it.
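IP blocking and rate limiting are usually implemented together in front of the application. The following token-bucket limiter is an added example for this page, not code from the presentation: each client address gets a bucket that refills at a fixed rate up to a burst size, a request is admitted only when a token is available, and addresses on a block list are refused outright. The rate of 2 requests per second, the burst of 5, the blocked address and the replayed request timings are assumptions.

```python
"""Token-bucket rate limiting with an IP block list (added example; not from the presentation).

Each client IP gets a bucket that refills at `rate` tokens per second up to `burst`;
a request is admitted only if a token is available. Addresses on the block list are
refused outright. Time is passed in explicitly so the limiter is easy to test.
"""
from typing import Dict, FrozenSet, List, Tuple


class RateLimiter:
    def __init__(self, rate: float, burst: int, blocked: FrozenSet[str] = frozenset()) -> None:
        self.rate = rate                 # tokens added per second
        self.burst = burst               # bucket capacity: max requests admitted in a short burst
        self.blocked = blocked           # known or suspected malicious sources
        self._buckets: Dict[str, Tuple[float, float]] = {}   # ip -> (tokens, time of last update)

    def allow(self, ip: str, now: float) -> bool:
        """Return True if the request from `ip` at time `now` may proceed."""
        if ip in self.blocked:
            return False                                             # IP blocking: no bucket at all
        tokens, last = self._buckets.get(ip, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since the last request
        if tokens >= 1.0:
            self._buckets[ip] = (tokens - 1.0, now)
            return True
        self._buckets[ip] = (tokens, now)                            # over the limit: drop it
        return False


def count_allowed(limiter: RateLimiter, ip: str, times: List[float]) -> int:
    """Replay requests from `ip` at the given times; return how many were admitted."""
    return sum(limiter.allow(ip, t) for t in times)


def demo() -> Dict[str, int]:
    """Constructed traffic: a burst of 50 requests in half a second, then 10 more spread over 5 s."""
    limiter = RateLimiter(rate=2.0, burst=5, blocked=frozenset({"198.51.100.99"}))
    burst = [i * 0.01 for i in range(50)]          # 50 requests within half a second
    steady = [2.0 + i * 0.5 for i in range(10)]    # 10 requests at the sustainable rate
    return {
        "burst_admitted": count_allowed(limiter, "198.51.100.7", burst),      # 5: the bucket empties
        "steady_admitted": count_allowed(limiter, "198.51.100.7", steady),    # 10: refill keeps up
        "blocked_admitted": count_allowed(limiter, "198.51.100.99", burst),   # 0: on the block list
    }


if __name__ == "__main__":
    print(demo())   # {'burst_admitted': 5, 'steady_admitted': 10, 'blocked_admitted': 0}
```

The burst exhausts the bucket after five requests and the remaining 45 are dropped, while the same client is fully served once it slows to the configured rate. A flood of the kind described in the HTTP flood section is thus capped per source without touching well-behaved clients; the block list handles sources already known to be hostile.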
b) Mitigation approaches
If a DoS attack is underway, there are several steps that can be taken to mitigate its impact:
❖ Traffic filtering can eliminate known or suspected malicious sources.
❖ Blackhole routing involves redirecting all traffic to a null route, effectively dropping
all incoming traffic. This can be an effective way to mitigate a DoS attack, but it can also impact legitimate traffic.
❖ Scrubbing services identify and filter out malicious traffic, allowing legitimate traffic
to reach its destination.
IV Conclusion
1) Summary of the Topic
Both DoS and DDoS attacks share the same primary goal: to disrupt service
availability. They aim to overwhelm a network, service, or server with more traffic than it can handle, rendering it useless to its intended users.
In a DoS attack, the victim's website or server is targeted by a single system, while in
a DDoS attack, the victim is targeted by multiple systems. This multi-pronged approach makes DDoS attacks harder to stop, as blocking one source won’t end the attack. It’s like
Several types of DDoS attack that are commonly used are: SYN-ACK Flood, HTTP
Flood, DNS Amplification, Slowloris Attack, and so on.
Restricting traffic, cloud-based protection, IPS, and CDNs are some of the methods to
ensure protection against DDoS attacks.
It can be challenging to prevent a DoS or DDoS attack. However, there are still some
techniques to implement, such as Network Segmentation, Load Balancing, IP Blocking, and Rate Limiting. Besides, there are also some ways to mitigate its impact, such as Traffic Filtering, Blackhole Routing, and Scrubbing Services.
2) The significance of understanding and dealing with DoS and DDoS attack
Understanding the mechanisms and risks of DoS and DDoS attacks is crucial in cybersecurity. While both aim to disrupt services, their mechanisms and impacts vary
significantly. Knowing what you are up against can help you prepare more effectively
and ensure your organization’s stability and security.
Each successful DDoS attack can result in your site malfunctioning, customers leaving for a competitor, and profit decline. If a web resource is socially relevant or provides important services (such as information, communications, or financial transfers), something far worse can happen: loss of reputation and customers’ trust. The reputational consequences
of a denial of service are long-term and hard to tackle, out of all proportion to the time and effort it takes to launch an attack. All of this emphasizes how important it is to protect your site from DoS and DDoS attacks. Furthermore, since the success of these services depends on
their availability, investing in DDoS protection means safeguarding the commercial
viability of the service. In other words, companies that depend on the internet to run their
operations should treat DDoS protection as a priority investment.