DDoS (Distributed Denial of Service)
What is DDoS?
The scale of DDoS attacks has continued to rise over recent years, with the largest
reaching over 400 Gbit/s.
DDoS OVERVIEW
A DDoS attack deploys multiple machines to deny service to the victim. There are many
ways to perpetrate a denial-of-service attack.
One frequently exercised approach is for the attacker to send a stream of packets to
a victim; this stream consumes some key resource, thus rendering it unavailable to
the victim's legitimate clients.
Another common approach is for the attacker to send a few malformed packets that
confuse an application or a protocol on the victim machine and force it to freeze or
reboot. (IP spoofing)
Control is distributed
Sometimes the motives are personal: a significant number of DDoS attacks are
perpetrated against home computers, presumably for purposes of revenge.
Other times it is prestige: successful attacks on popular Web servers are done to
gain the respect of the hacker community.
However, it is not unlikely that some DDoS attacks are performed for material gain
(damaging competitors' resources) or for political reasons (a country at war could
perpetrate attacks against its enemy's critical resources, potentially enlisting a
significant portion of the entire country's computing power for this action).
In some cases, the true victim of the attack might not be the actual target of the
attack packets, but others who rely on the target's correct operation.
Types Of Attacks
1. Volumetric Attacks (connectionless):
Also known as floods, the goal of this type of attack is to cause congestion and send
so much traffic that it overwhelms the bandwidth of the site. Attacks are typically
executed using botnets, an army of computers infected with malicious software and
controlled as a group by the hacker.
2. Reflected attack
A reflected attack is where an attacker creates forged packets that will be sent out
to as many computers as possible. When these computers receive the packets they will
reply, but the reply goes to the spoofed source address, which actually routes to the
target. All of the computers will attempt to communicate at once, and this will cause
the site to be bogged down with requests until the server resources are exhausted.
3. UDP Flood
One common DDoS attack method is referred to as a UDP flood. Random ports on the
target machine are flooded with packets that cause it to check for an application
listening on those ports and report back with an ICMP packet.
5. Ping of Death
A ping of death ("POD") attack involves the attacker sending multiple malformed or
malicious pings to a computer. The maximum packet length of an IP packet (including
header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum
frame size - for example 1500 bytes over an Ethernet network. In this case, a large IP
packet is split across multiple IP packets (known as fragments), and the recipient host
reassembles the IP fragments into the complete packet.
In a Ping of Death scenario, following malicious manipulation of fragment content, the
recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled.
This can overflow memory buffers allocated for the packet, causing denial of service for
legitimate packets.
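The defence against the oversized datagram described above is a bounds check at reassembly time. The following is an added example (not code from the original slides) of that check: every fragment's offset plus length is tested against the 65,535-byte limit before anything is copied into a buffer, and fragments that overlap or leave gaps are refused as well. The fixed 20-byte header length is an assumption of the example.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_IP_PACKET = 65535   # maximum IPv4 datagram length, header included
IP_HEADER_LEN = 20      # minimal IPv4 header; assumed fixed for this example


@dataclass
class Fragment:
    offset_units: int      # fragment offset field, in 8-byte units
    payload_len: int       # bytes of data this fragment carries
    more_fragments: bool   # the MF flag; False on the last fragment


def fragment_end(frag: Fragment) -> int:
    """Byte position, relative to the start of the payload, where this fragment ends."""
    return frag.offset_units * 8 + frag.payload_len


def is_fragment_safe(frag: Fragment) -> bool:
    """Reject any fragment that would push the reassembled datagram past 65,535 bytes.
    This is the check that stops a ping of death before any buffer is written."""
    return IP_HEADER_LEN + fragment_end(frag) <= MAX_IP_PACKET


def reassemble_length(frags: list[Fragment]) -> int | None:
    """Length of the reassembled datagram, or None when a fragment is out of bounds,
    fragments overlap or leave a gap, or the final (MF=0) fragment is missing."""
    if not frags or not all(is_fragment_safe(f) for f in frags):
        return None
    ordered = sorted(frags, key=lambda f: f.offset_units)
    expected = 0
    for f in ordered:
        if f.offset_units * 8 != expected:   # gap or overlap: do not reassemble
            return None
        expected = fragment_end(f)
    if ordered[-1].more_fragments:           # still waiting for the last piece
        return None
    return IP_HEADER_LEN + expected


if __name__ == "__main__":
    # constructed inputs: a normal two-fragment ping and one whose last fragment
    # would end beyond the 65,535-byte limit
    normal = [Fragment(0, 1480, True), Fragment(185, 1480, False)]
    oversized = [Fragment(0, 1480, True), Fragment(8189, 100, False)]
    print(reassemble_length(normal), reassemble_length(oversized))
```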
4. Degradation of Service
The purpose of this attack is to slow server response times. A DDoS attack seeks to
take a website or server offline. That is not the case in a degradation of service
attack. The goal here is to slow response time to a level that essentially makes the
website unusable for most people. Zombie computers are leveraged to flood a target
machine with malicious traffic that will cause performance and page-loading issues.
These types of attacks can be difficult to detect because the goal is not to take the
website offline, but to degrade performance. They are often confused with simply an
increase in website traffic.
6. Slowloris
Slowloris is a highly-targeted attack, enabling one web server to take down another
server, without affecting other services or ports on the target network. Slowloris
does this by holding as many connections to the target web server open for as long
as possible. It accomplishes this by creating connections to the target server, but
sending only a partial request. Slowloris constantly sends more HTTP headers, but
never completes a request. The targeted server keeps each of these false
connections open. This eventually overflows the maximum concurrent connection
pool, and leads to denial of additional connections from legitimate clients.
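Because Slowloris never finishes sending its headers, the tell-tale sign on the server is many connections from one address that are still header-incomplete long after they were accepted. The following added example (not from the original slides) scores a connection snapshot with a header timeout and a per-client threshold; the snapshot data, the 20-second timeout and the threshold of 10 are constructed assumptions, and a real deployment would feed it from the web server's status page or from ss/netstat.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

HEADER_TIMEOUT_S = 20.0        # a client must finish sending its headers within this time
MAX_STALLED_PER_CLIENT = 10    # stalled connections from one address before it is flagged


@dataclass
class Connection:
    client: str             # remote address
    opened_at: float        # time the TCP connection was accepted (seconds)
    headers_complete: bool  # True once the blank line ending the headers has arrived


def stalled_connections(conns: list[Connection], now: float) -> list[Connection]:
    """Connections still waiting for complete headers after HEADER_TIMEOUT_S.
    A header-timeout policy would close every one of these."""
    return [c for c in conns
            if not c.headers_complete and now - c.opened_at > HEADER_TIMEOUT_S]


def suspicious_clients(conns: list[Connection], now: float) -> dict[str, int]:
    """Addresses holding at least MAX_STALLED_PER_CLIENT stalled connections, with counts.
    A single slow but legitimate client stays below the threshold."""
    counts: dict[str, int] = defaultdict(int)
    for c in stalled_connections(conns, now):
        counts[c.client] += 1
    return {ip: n for ip, n in counts.items() if n >= MAX_STALLED_PER_CLIENT}


def sample_snapshot() -> list[Connection]:
    """Constructed snapshot: one address with 12 half-open connections, a normal client
    with 3 completed requests, and a slow but legitimate client with 2 stalled ones."""
    conns = [Connection("203.0.113.5", 0.0, False) for _ in range(12)]
    conns += [Connection("198.51.100.7", 90.0, True) for _ in range(3)]
    conns += [Connection("198.51.100.9", 50.0, False) for _ in range(2)]
    return conns


if __name__ == "__main__":
    snap = sample_snapshot()
    print(len(stalled_connections(snap, 100.0)), suspicious_clients(snap, 100.0))
```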
7. HTTP Flood
In an HTTP flood DDoS attack the attacker exploits seemingly legitimate HTTP GET or
POST requests to attack a web server or application. HTTP floods do not use
malformed packets, spoofing or reflection techniques, and require less bandwidth
than other attacks to bring down the targeted site or server. The attack is most
effective when it forces the server or application to allocate the maximum
resources possible in response to each single request.
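Since every request in an HTTP flood is well-formed, counting requests alone can miss it: a few hundred hits on an expensive handler cost the server more than thousands of static-page hits. The following added example (not from the original slides) attributes a per-endpoint serving cost to each client address over a window of access-log lines and reports the addresses that exceed a cost budget. The log lines, the endpoint cost table and the budget are constructed assumptions; the cost table would come from profiling the real application.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Combined-log-format line: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# Relative cost of serving each path (assumed values; profile the real application).
ENDPOINT_COST = {"/search": 10, "/report": 25}
DEFAULT_COST = 1
BUDGET_PER_WINDOW = 100   # cost units one client may consume per log window


def parse_line(line: str) -> dict | None:
    """Fields of one access-log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_cost(path: str) -> int:
    """Cost of one request, keyed on the path without its query string."""
    return ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)


def cost_per_client(lines: list[str]) -> dict[str, int]:
    """Total serving cost attributed to each client address in the window."""
    totals: dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            totals[rec["ip"]] += request_cost(rec["path"])
    return dict(totals)


def clients_over_budget(lines: list[str]) -> dict[str, int]:
    """Clients whose accumulated cost exceeds the budget: candidates for rate limiting."""
    return {ip: c for ip, c in cost_per_client(lines).items() if c > BUDGET_PER_WINDOW}


def sample_log() -> list[str]:
    """Constructed window: 12 search requests from one address, 30 static-page
    requests from another, and one malformed line that the parser must skip."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.5", s=i, path=f"/search?q=term{i}") for i in range(12)]
    lines += [fmt.format(ip="198.51.100.7", s=i, path="/index.html") for i in range(30)]
    lines.append("garbage line that does not parse")
    return lines
```

Note that the address with fewer requests is the one flagged, because cost rather than request count is what the server actually spends.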
Common targets
Banking institutions
Public sector
DDoS attacks are designed to target any aspect of a business and its
resources, and can easily:
In 2014, Boston Children's Hospital became the first health care organization
to be targeted by DDoS attacks from a hacktivist group. Because the hospital
uses the same Internet Service Provider (ISP) as seven other area health care
institutions, the organized DDoS attacks had the potential to bring down
multiple pieces of Boston's critical health care infrastructure.
Pre-Strike Doxing: On March 20, 2014, leaders at Boston Children's Hospital
received word of a threatening Twitter message attributed to Anonymous. The
message related to a high-profile child-custody case in which a 15-year-old
girl with a complex diagnosis was taken into custody by Massachusetts
protective services. The message threatened retaliation if the hospital did not
take disciplinary action against certain clinicians and return the child to her
parents. Attackers even posted personal information (home addresses, email
addresses, and phone numbers) of some of the people involved. (This activity
is known as "doxing.")
The Boston Children's Hospital team invoked Radware's Emergency Response Team
to perform DDoS attack mitigation, and used Radware's scrubbing center to handle
the massive rate of DDoS attacks. Because Boston Children's Hospital shares an ISP
with other hospitals, seven other health care institutions also faced potential
impacts to their network and operations.
Peer to peer
Peer-to-peer servers present an opportunity for attackers. Instead of using a botnet
to siphon traffic towards the target, a peer-to-peer server is exploited to route
traffic to the target website. When done successfully, people using the file-sharing
hub are instead sent to the target website until the website is overwhelmed and sent
offline.