Overview
As DDoS attacks become more sophisticated, the threats they present become more prevalent and dangerous. Just recently the DNS service Dyn suffered an unprecedented coordinated worldwide attack.
There are a few specific types of DDoS attacks, but they all share a common mission: to disrupt network operations and bring down a web service. Attackers often do this by using a botnet, which is a collection of compromised devices (zombies) that they can force to participate in the attack. A “botmaster” oversees and instructs the devices in the botnet, sending instructions on when and how to carry out the attack.
Types of DDoS Attacks
- Volumetric Attack
A volumetric attack is a network-level attack that aims to entirely saturate the target’s available network bandwidth. This is a relatively simple approach to a DDoS attack, but effective and threatening nonetheless. The rapid rise and availability of botnets has allowed volumetric attacks to expand recently. Using scalable protection schemes can help to prevent and protect against such attacks.
- SYN Flood
A SYN flood attack takes advantage of a weakness in the Transmission Control Protocol (TCP). The TCP connection sequence uses a “three-way handshake” between a client and a server. For a normal TCP connection, the client requests a connection by sending a synchronize (SYN) message to the server. The server then acknowledges the synchronize message (SYN-ACK), and the client sends a final acknowledgement (ACK) to establish the connection. In a SYN flood attack the final client acknowledgement is never sent, so the handshake is never completed. Often the attacker spoofs the source IP address, so the server’s SYN acknowledgement message is never received. The attacker continually sends requests faster than the half-open connections time out, eventually exhausting the server’s capacity to hold open connections. This results in a denial of service to anyone trying to access the server.
- UDP Flood
A User Datagram Protocol (UDP) flood attempts to overwhelm random ports on a target with UDP packets (datagrams). UDP is a communications protocol used as an alternative to TCP. When a packet is received, the host checks for an application listening on that port. A malicious packet aimed at a random port finds no such application, and the host sends an ICMP packet back saying the destination is unreachable. UDP is connectionless and sessionless, and doesn’t require the three-way handshake discussed for TCP. This is useful for things like Voice over Internet Protocol (VoIP), but it does present some vulnerabilities. Due to this property, a large number of requests can be sent very quickly. As the number of requests becomes overwhelming and the system tries to keep sending out “destination unreachable” packets, the host becomes unresponsive to other, potentially legitimate requests.
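A defender-side illustration of the SYN flood and UDP flood patterns described above, added here as an example and not taken from the original article: it walks constructed packet records through the TCP three-way handshake states and counts UDP datagrams against the ICMP “destination unreachable” replies, flagging traffic where half-open attempts dwarf completed handshakes or where a spray of closed ports is answered one-for-one. The record format `(src, dst, proto, info)`, the addresses, and the alert thresholds are assumptions made for this example; the sample traffic is built inline and is not a real capture.

```python
SERVER = "192.0.2.10"  # constructed target address (TEST-NET-1 range)

def handshake_stats(packets, server):
    """Follow TCP attempts toward `server` through the 3-way handshake (flood = half-open >> done)."""
    state = {}  # (client, server) -> "syn" | "synack" | "done"
    for src, dst, proto, info in packets:
        if proto != "tcp":
            continue
        if dst == server and info == "S":                              # client SYN
            state[(src, dst)] = "syn"
        elif src == server and info == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"                               # server SYN-ACK
        elif dst == server and info == "A" and state.get((src, dst)) == "synack":
            state[(src, dst)] = "done"                                 # final client ACK
    done = sum(s == "done" for s in state.values())
    return {"half_open": len(state) - done, "completed": done}

def udp_stats(packets, server):
    """Count UDP datagrams to `server`, distinct ports hit, and ICMP unreachable replies it sent."""
    ports, datagrams, unreachable = set(), 0, 0
    for src, dst, proto, info in packets:
        if proto == "udp" and dst == server:
            datagrams, ports = datagrams + 1, ports | {info}          # info = destination port
        elif proto == "icmp" and src == server and info == "unreachable":
            unreachable += 1
    return {"datagrams": datagrams, "distinct_ports": len(ports), "unreachable": unreachable}

def flood_alerts(packets, server, min_events=20):
    """SYN flood: half-open dwarfs completed; UDP flood: many closed ports, nearly all answered."""
    tcp, udp = handshake_stats(packets, server), udp_stats(packets, server)
    alerts = []
    if tcp["half_open"] >= min_events and tcp["half_open"] > 10 * max(tcp["completed"], 1):
        alerts.append("syn-flood")
    if udp["distinct_ports"] >= min_events and udp["unreachable"] >= 0.8 * udp["datagrams"]:
        alerts.append("udp-flood")
    return alerts

def sample_traffic():
    """Constructed, not captured: 3 real handshakes, 50 spoofed SYNs never ACKed, 40 UDP to closed ports."""
    pk = []
    for i in range(3):
        c = f"10.0.0.{i + 1}"
        pk += [(c, SERVER, "tcp", "S"), (SERVER, c, "tcp", "SA"), (c, SERVER, "tcp", "A")]
    for i in range(50):
        c = f"198.51.100.{i + 1}"  # spoofed source: the SYN-ACK goes nowhere, so no ACK comes back
        pk += [(c, SERVER, "tcp", "S"), (SERVER, c, "tcp", "SA")]
    for port in range(40000, 40040):
        pk += [("203.0.113.7", SERVER, "udp", port), (SERVER, "203.0.113.7", "icmp", "unreachable")]
    return pk
```

Running `flood_alerts(sample_traffic(), SERVER)` on the constructed sample reports both patterns; the same three legitimate handshakes on their own produce no alert.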
Example of a DDoS Attack
When it comes to DDoS attacks there’s no shortage of real-world examples. On October 21st, the DNS service Dyn underwent a large-scale, global attack. The attack utilized a massive botnet, assembled via open source code that took control of tens of thousands of IoT devices. These devices sent enough requests to overwhelm Dyn’s network resources, resulting in a textbook volumetric DDoS attack.
Conclusion
The massive influx of IoT devices presents a security challenge like nothing developers have yet faced. With an impressive lack of security and regulation, the IoT endangers not only local networks and personal computers, but the world of other connected devices. Having proper DDoS protection in place is more important than ever and will only continue to become a more pressing matter.