Understanding Distributed Denial of Service (DDoS) Attacks and Countermeasures

Distributed Denial of Service (DDoS) refers to an intentional attack on a network with the aim of causing it to cease functioning. This is achieved by flooding a specific service or port on a server with useless traffic. The sheer volume of traffic overwhelms the service, resulting in legitimate traffic being dropped or ignored.

DDoS attacks have evolved from the basic Denial of Service (DoS) attacks that emerged in 1997. Unlike their predecessors, DDoS attacks originate from multiple sources, sometimes spanning hundreds of locations worldwide. Notable instances include the high-profile attacks in February 2000, where major websites such as eBay, Amazon, Yahoo, CNN, Buy.Com, Datek, and ZDNet had to cope with massive amounts of spoofed traffic. More recently, attacks on Cisco have caused significant downtime, while public blacklists have been targeted by spammers, forcing them out of business.

The following are different types of DDoS attacks:

Smurfing: The attacker sends a large volume of ICMP echo traffic to IP broadcast addresses, all with a spoofed source address of the victim, so that every host on the broadcast network replies to the victim, multiplying the traffic by the number of hosts.

Fraggle: Similar to the smurf attack, this method uses UDP echo packets instead of ICMP echo traffic.

Ping Flood: The attacker disrupts service by bombarding the victim with ping requests.

SYN Flood: Exploiting a flaw in the TCP three-way handshake, the attacker floods the victim with connection requests using unreachable source addresses. The victim's server or device cannot complete these half-open connections and spends most of its network resources acknowledging each SYN.

Land: The attacker sends a forged packet with the same source and destination IP address, confusing the victim's system and causing crashes or reboots.

Teardrop: By manipulating the offset value of two packet fragments, the attacker sends them in a way that cannot be properly reassembled, leading to system reboots or halts.

Bonk: Typically affecting Windows machines, this attack involves sending corrupted UDP packets to DNS port 53, causing system crashes.

Boink: Similar to the Bonk attack, but targeting multiple ports instead of just port 53.

Worming: The attacker sends a large volume of data to remote servers and verifies connectivity by attempting to contact an external website. If successful, an attack is initiated, often accompanied by mass-mailing.

Preventing DDoS attacks is challenging with current TCP/IP implementations. However, companies can take proactive measures, such as patching systems, running only necessary services, implementing egress/ingress filtering, and enabling logging on routers, to mitigate certain DDoS attacks.

Egress filtering examines the headers of packets leaving a subnet to check that the source address is valid. If the packet's source IP address is within the served subnet, it is forwarded; otherwise, it is dropped. This check incurs minimal overhead, preserving network performance.
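The egress rule above, as an added example that is not part of the original article: a small Python filter run over constructed packets at the border of one assumed served subnet (192.0.2.0/24). It goes beyond the page's egress rule by also applying the mirror-image ingress rule and by refusing to forward directed broadcasts, the amplifier that the smurf and fraggle attacks described earlier rely on.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed served subnet for this example; 192.0.2.0/24 is a documentation range.
SERVED_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str        # source IP from the packet header
    dst: str        # destination IP from the packet header
    direction: str  # "egress" = leaving the served subnet, "ingress" = entering it


def decide(pkt: Packet, net=SERVED_NET) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet crossing the subnet border."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "egress":
        # Egress rule from the article: forward only if the source is inside the subnet.
        if src not in net:
            return "drop", "egress: source not in served subnet"
        return "forward", "egress: source valid"
    if pkt.direction == "ingress":
        # Mirror-image ingress rule: outside traffic must not claim an inside source.
        if src in net:
            return "drop", "ingress: outside packet claims inside source"
        # Added check: drop directed broadcasts, the amplifier smurf/fraggle rely on.
        if dst == net.broadcast_address:
            return "drop", "ingress: directed broadcast to subnet"
        return "forward", "ingress: source valid"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def run_filter(pkts: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply decide() to every packet and return (packet, verdict, reason)."""
    return [(p, *decide(p)) for p in pkts]


# Constructed sample traffic at the border router (not captured data).
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.7", "egress"),    # normal outbound
    Packet("203.0.113.5", "198.51.100.7", "egress"),   # spoofed source leaving
    Packet("198.51.100.7", "192.0.2.10", "ingress"),   # normal inbound
    Packet("192.0.2.9", "192.0.2.10", "ingress"),      # outsider spoofing inside
    Packet("198.51.100.7", "192.0.2.255", "ingress"),  # directed broadcast
]
```

Calling `run_filter(SAMPLE)` yields forward, drop, forward, drop, drop for the five constructed packets, in that order.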

New hardware appliances are being developed specifically to combat DDoS attacks. In some cases, dedicated server providers may temporarily disconnect the attacked server until the attack subsides, but this approach is considered a temporary fix. To hold the culprits accountable, immediate engagement with upstream providers is recommended once an attack is detected.

In conclusion, DDoS attacks pose significant challenges in terms of traceability and prevention. While countermeasures are being developed, it is crucial for hosts to actively engage with their upstream providers to mitigate the impact of such attacks.