{"id":2231,"date":"2014-07-14T17:06:44","date_gmt":"2014-07-14T17:06:44","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2231"},"modified":"2020-02-26T10:53:16","modified_gmt":"2020-02-26T15:53:16","slug":"ddos-broken-apart-when-they-all-start-shouting-at-once","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/ddos-broken-apart-when-they-all-start-shouting-at-once\/2231\/","title":{"rendered":"DDoS broken apart: when they all start shouting at once"},"content":{"rendered":"<p>DDoS attacks are yet another common, but under-explained, cybersecurity term, even though it\u2019s been used for ages now.<\/p>\n<p>What is a denial-of-service attack? There are two kinds: a \u201csimple\u201d DoS and a distributed one. What\u2019s the difference?<\/p>\n<p>Well, imagine that you are talking to a person, and then all of a sudden they start shouting, and not just shouting but doing so at an extremely high tempo \u2013 at 1274 words per minute, for instance, which is twice as fast as the standing Guinness World Record.<\/p>\n<p>Most likely you\u2019d go deaf; you most certainly wouldn\u2019t get a word in, and you wouldn\u2019t be able to respond.<\/p>\n<p>That\u2019s what a \u201csimple\u201d denial-of-service attack is. Note that the \u201cassailant\u201d is a single entity.<\/p>\n<p>Now, the distributed attack: imagine that you are a speaker before a really large audience \u2013 1000+ people. All of a sudden, they all, each and every one of them, start talking to you \u2013 asking questions and demanding answers pronto. Not even shouting, or talking at thousands of words per minute. They may just speak at their normal rate and noise level. But all of them do it at the same time.<\/p>\n<p>In this case, again, you will most likely go deaf, and \u2013 it\u2019s an absolutely sure thing \u2013 you won\u2019t be able to respond to any one of their questions. 
None will hear what you say, even if you have a microphone and a decent sound amplification system in the room.<\/p>\n<p>That\u2019s exactly what a distributed denial-of-service (DDoS) attack is.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/07\/06020041\/800-4-1.jpg\"><img decoding=\"async\" class=\"alignnone size-full wp-image-2233\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/07\/06020041\/800-4-1.jpg\" alt=\"800-4\" width=\"800\" height=\"569\"><\/a><\/p>\n<p>Now, of course, servers (the usual targets for such attacks) aren\u2019t human beings. They aren\u2019t that easy to overload with a large amount of information, but still they \u2013 and their communication channels \u2013 have their limits.<\/p>\n<p>And that is what attackers abuse in a large number of ways.<\/p>\n<p>The most common are various types of flooding. The simplest ones are Ping or UDP floods, in which attackers bombard the target server with ICMP Echo Request packets (ping) or User Datagram Protocol packets, thus consuming the entire bandwidth of the target, which obediently processes and responds to each packet sent.<\/p>\n<p>In the case of a UDP flood attack, the attacker sends a large number of UDP packets to random ports on a remote host, which will check for an application listening on that port, find none, and respond with an ICMP Destination Unreachable packet. 
An attacker will most likely spoof the source IP, so that the returning packets go elsewhere.<\/p>\n<p>Another example is the so-called Smurf attack (named after the source code of an attack program from 1997, \u201csmurf.c\u201d).<\/p>\n<p>In such an attack, large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim\u2019s spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim\u2019s computer will be flooded with traffic. It will still be trying to process it, slowing down to the speed of a calculator from the 1970s.<\/p>\n<p>These packets will most likely be senseless trash.<\/p>\n<p>SYN flood is another, somewhat similar attack. In this case the attacker abuses TCP connection setup by disrupting the normal \u201cthree-way handshake\u201d. At the beginning of a TCP connection the client sends a SYN (synchronize) message to the server, the server responds with SYN-ACK (synchronize-acknowledge), then the client sends its ACK and the connection is established.<\/p>\n<p>In a SYN flood an attacker (a malicious client) either doesn\u2019t send the expected ACK but keeps sending SYNs, multiplying half-open connections; or it sends SYNs with a spoofed source IP, where all of the server\u2019s SYN-ACKs go. 
But since there was no SYN from the client at the falsified IP in the first place, it won\u2019t send any ACK back.<\/p>\n<p>In a short time all of the target\u2019s bandwidth is swamped.<\/p>\n<p>There are a number of other kinds of DDoS attacks, but in essence they are all based on the same principle: prepare a large number of malware-ridden boxes (a botnet with DDoS capabilities), send a command, and they will bomb the target hosts with a huge number of trash packets.<\/p>\n<p>Over the last several months security experts have detected a number of \u201cexotic\u201d DDoS attacks exploiting vulnerable NTP (Network Time Protocol) servers to amplify trash traffic. Since there are lots of such vulnerable servers, these attacks are extremely problematic.<\/p>\n<p>Criminals use DDoS as a means of extortion: pay up or see yourself going out of business. Every hour of downtime means large losses, so sometimes businesses prefer to pay rather than deal with the consequences.<\/p>\n<p>DDoS is also actively used by \u201chacktivists\u201d as the Web counterpart of street protests (or at least so said Richard Stallman). There are also many cases of DDoS being used for politically motivated suppression of media outlets, etc.<\/p>\n<p>And certainly DDoS attacks are occasionally used as a dirty weapon in business wars too.<\/p>\n<p>So that\u2019s the problem. And the solution?<\/p>\n<p>Defensive responses typically involve a combination of attack detection, traffic classification and response tools, aiming to block traffic identified as illegitimate and allow traffic identified as legitimate. In other words: identify malicious traffic and its senders, block them, or re-route the trash traffic to the nearest blackhole (a null interface or a non-existent server). Easy. Unfortunately, easier said than done.<\/p>\n<p>Today attacks are pretty sophisticated, easy to launch (just in the recent news: a 17 y.o. 
<a href=\"http:\/\/thehackernews.com\/2014\/07\/17-year-old-arrested-for-massive-ddos.html\" target=\"_blank\" rel=\"noopener nofollow\">had been arrested<\/a> in Norway for a massive distributed denial-of-service attack earlier this week that disabled the websites of major financial institutions and other businesses in the country) and hard to fend off, especially since the botnets used to launch them are huge and very difficult to dismantle. Sometimes dealing with a DDoS requires <a href=\"https:\/\/www.kaspersky.ru\/images\/ddos_attacks_eng_print.pdf\" target=\"_blank\" rel=\"noopener\">external expertise<\/a> and\/or even migrating the entire affected infrastructure under the protection of a dedicated anti-DDoS service.<\/p>\n<p>A very important part of battling DDoS (which currently occur at a rate of about 28 attacks per hour) is dismantling the botnets themselves. One of our next posts will be dedicated to these activities.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DoS\/DDoS attacks are another popular, but somewhat under-explained, term in cybersecurity. 
Explaining it in detail would take a monograph, so we&#8217;ll just hit the high points.<\/p>\n","protected":false},"author":209,"featured_media":15919,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[282,2072,422],"class_list":{"0":"post-2231","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-ddos-attacks","11":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ddos-broken-apart-when-they-all-start-shouting-at-once\/2231\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ddos-broken-apart-when-they-all-start-shouting-at-once\/2231\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ddos-broken-apart-when-they-all-start-shouting-at-once\/2231\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2231","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2231"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2231\/revisions"}],"predecessor-version":[{"id":33234,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2231\/revisions\/33234"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15919"}],"wp:attachment":[{"href":"https:\
/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}