Preparing for the denial of service attack
Tue 22 Apr 2014
Denial of service attacks come in many forms but their effect can be devastating for the victim business. David Barker, the technical director of 4D Hosting, describes the different types of attack and what the service provider can do to protect their network.
Historically, distributed denial of service (DDoS) was just an annoyance, but in today’s online world there is both a reputational and financial impact. DDoS attacks can come from hackers, competitors, disgruntled staff or clients, and their goal is to overwhelm a service to the point where it no longer works.
The pressure is on for hosting companies to offer resilient networks with DDoS protection in mind. They also have to supply geographically diverse connectivity and an option of having multiple connections to the hosted solution, while also offering a backup power option should the power fail. It’s worth saying that these measures to ensure uptime cannot always be guaranteed by all hosting companies.
There are several types of DDoS:
UDP flood: the User Datagram Protocol (UDP) is a sessionless networking protocol that floods a system with numerous UDP packets on random ports from a remote machine. This attack causes the server to repeatedly check the port for an application and (when no application is found) the server will reply with an Internet Control Message Protocol (ICMP) Destination Unreachable packet. This process saps the resources of the machine, and can ultimately lead to inaccessibility.
ICMP (Ping) flood: This is similar to the UDP flood attack, but the difference is that the target resource will be overwhelmed with ICMP Echo Request (ping) packets. Packets will be sent as fast as possible without waiting for replies. It means that this form of attack can use up both outgoing and incoming bandwidth, as the target server will still try to send out responses to the ICMP Echo Reply packets which will cause the whole system to slow down.
SYN flood: This attack exploits a known weakness in the TCP connection sequence. To initiate a TCP connection between two devices a SYN (synchronise) request is sent from the requestor to the target server. This request must be answered by a SYN-ACK (synchronise-acknowledge) response from the target server, which in turn will be confirmed by an ACK response from the requester. In an attack, the requester sends multiple SYN requests, but either does not respond to the target server’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.
Ping of death: The attacker sends multiple, malformed or malicious pings to a target computer. A large IP packet is sent, but it is so large that it needs to be split across multiple IP packets (known as fragments), and the target machine reassembles the IP fragments into the complete packet. A ping of death is where the multiple fragments will exceed the maximum size of a standard IP packet. This overflows memory buffers allocated for a packet, causing denial of service for legitimate packets.
Slowloris: This highly-targeted attack enables a web server to take down another server, without affecting other services or ports on the target network. It is achieved by holding as many connections to the target server open for as long as possible. The attack accomplishes this by creating connections to the target server, but sending only a partial request. It constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This exceeds the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.
Zero-day DDoS: A ’zero-day’ is simply an unknown or new attack exploiting vulnerabilities for which no patch has yet been released. The term is well-known amongst the members of the hacker community, where the practice of trading zero-day vulnerabilities has become a popular activity.
So what can you do to protect your network?
Prepare in advance: Reducing the cost of an attack is critical. Early detection can be crucial in saving yourself money and reputation. Run a script on your server that sends a message periodically with the recent traffic count: You’ll get a warning, either if the count jumps significantly, or the message doesn’t arrive.
Alternatively you can use remote monitoring programs that will check your service availability.
Larger DDoS attack may block the remote access monitoring and access to the server. Make sure that your hosting company is on-site 24/7 to be able to manage the server and help in times of attack.
Identify the attack: Early detection is essential, but it is only one piece of the puzzle; identifying the type of attack can be just as important.
Look at the characteristics of the attack to determine which type it is. DDoS usually relies on brute force, which means that the traffic from all of the attackers will have unique similarities, and once identified you can perform a packet capture of the attack.
Block the attack: Once you know what type of attack you have been subjected to, you can stop it by setting up a block within the firewall or router. This block will drop the majority of packets which are the cause of attack. However, it is possible that a high-bandwidth attack may exhaust your WAN link, which will result in your service still being unreachable. Sometimes you may need help from your connectivity provider/ISP, who may need to do the blocking for you.
Ask your web host if it offers ’clean pipe’ hosting with automatic DDoS suppression. Alternatively you could search for a host who could simply absorb the DDoS attack, but this could result in high bills.
As cybercrime gets more sophisticated, businesses must be able to adapt to these new security threats. There are no methods or tools that can completely prevent DDoS attacks from happening, but preparing and having measures in place to help your company overcome them is a great step in ensuring you are prepared.