DoS/DDoS attack essentials 101
First off, let's begin by understanding the intent of a DoS (Denial of Service) attack.
The intent of DoS is to make the web server unavailable to legitimate traffic from hosts trying to access its resources. So, essentially, it makes a service unavailable to legitimate users.
Now, let's understand how DoS can be carried out. What are the different ways?
1. ICMP flooding via Ping
ICMP is an internet-layer protocol used by network devices to communicate. Each ICMP echo request (ping) costs the server some resources to process and to answer. By sending many ICMP requests from many hosts, an attacker can exhaust the web server's network resources with bogus traffic, since the server tries to respond to every request.
For more info on the same, refer to the link below:
https://www.cloudflare.com/learning/ddos/ping-icmp-flood-ddos-attack
2. HTTP requests to web server
Essentially, this is a layer 7 (application layer) technique that overwhelms the web server with huge numbers of HTTP requests generated by bots. The attack type can be either HTTP GET or HTTP POST.
In an HTTP GET flood, bots request many files, images, etc. and inundate the target web server.
In an HTTP POST flood, bots submit many forms. The web server has to push the submitted data to the database to persist it, and this takes time. By sending more POST requests than the target can handle, bots inundate the web server.
For more info, refer to the following link:
https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
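From the defender's side, an HTTP flood shows up in the web server's access log as a few sources issuing far more requests per second than any real client. The following example is added here and is not part of the original post: it parses Apache/nginx "combined" log lines, counts each source IP's requests in a sliding window, and reports the IPs whose peak rate crosses a threshold. The log lines, IP addresses and thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches an Apache/nginx "combined" access-log line, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /img/a.png HTTP/1.1" 200 512 "-" "bot/1.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_flooders(lines, window_seconds=10, threshold=100):
    """Count each source IP's requests in a sliding time window (lines must be in
    time order, as a live log is) and return {ip: peak_count} for IPs whose peak
    reaches the threshold; those are the candidates for rate limiting or blocking."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip malformed lines rather than crash on them
        ip, ts, _method, _path = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()            # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_lines():
    """Constructed log: a legitimate client at 1 req/s and a bot at 30 req/s for 10 seconds."""
    start = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = []
    for sec in range(10):
        ts = (start + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'198.51.100.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
        for i in range(30):
            lines.append(f'203.0.113.7 - - [{ts}] "GET /img/{i}.png HTTP/1.1" 200 512 "-" "bot/1.0"')
    return lines

print(find_flooders(sample_lines()))   # → {'203.0.113.7': 300}
```

A distributed flood spreads the same volume over many source IPs, so in practice the per-IP count is combined with per-path or total-rate counters and with bot signals such as the User-Agent.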
Essentially, what is the difference between DoS and DDoS?
DoS originates from a single source, whereas DDoS originates from a cluster of computers (a botnet) infected by the attacker's malware.
Nowadays, single-origin DoS attacks are easily detected by a firewall.
How is DDoS implemented?
To answer this question, we need to understand the intent behind launching a DDoS attack.
Was it launched to exhaust the target computer's resources, or was it intended to exhaust the network resources?
An example of each:
1. HTTP request flooding exhausts the computer's resources (e.g. 10k requests per second)
2. SYN flooding exhausts network resources (unacknowledged packets)
SYN flooding exploits the TCP three-way handshake. A bot spoofs a source IP address and sends a SYN packet. The server responds with a SYN-ACK and waits for an ACK from the source (here, the bot). But the bot never responds and keeps the server waiting. The server holds a half-open connection on the listening port, waiting for an ACK that never arrives.
The bot repeatedly sends SYNs with spoofed IP addresses and exhausts the target's network resources over time.
For more info on SYN flooding, please refer to the link below
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
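To see why the half-open connections matter, the following toy model of a listener's SYN queue is added here; it is not from the original post and not a real TCP stack. It tracks the bookkeeping described above (a bounded backlog of half-open entries waiting for their ACK) and runs a constructed scenario: 200 SYNs from sources that never answer, followed by one legitimate client. Without a half-open timeout the backlog stays full and the legitimate client is refused; with one, stale entries are reclaimed. The backlog size, timeout and source names are all assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Listener:
    """Toy model of the half-open (SYN_RECV) queue behind a TCP listener. Constructed for
    illustration only: it keeps the bookkeeping the post describes, not a real TCP stack."""
    backlog: int                        # half-open slots before further SYNs are dropped
    timeout: Optional[float] = None     # seconds a half-open entry may wait for its ACK
    half_open: dict = field(default_factory=dict)   # src -> time the SYN-ACK was sent
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _expire(self, now):
        """Reclaim slots whose ACK never arrived within the timeout (no-op without one)."""
        if self.timeout is None:
            return
        for src in [s for s, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[src]

    def on_syn(self, src, now):
        """SYN arrives: reserve a slot and 'send' SYN-ACK, or drop it if the queue is full."""
        self._expire(now)
        if src in self.half_open or len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        """Final ACK arrives: complete the handshake if its half-open entry still exists."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True

def simulate(backlog, timeout, spoofed=200, legit_at=5.0):
    """Constructed scenario: `spoofed` SYNs from distinct sources that never answer arrive
    within the first second; a legitimate client then connects at `legit_at` seconds.
    Returns (legit client connected?, half-open entries left, SYNs dropped)."""
    srv = Listener(backlog=backlog, timeout=timeout)
    for i in range(spoofed):
        srv.on_syn(f"spoofed-{i}", now=i / spoofed)      # the ACK never comes
    ok = srv.on_syn("legit-client", now=legit_at) and srv.on_ack("legit-client", now=legit_at + 0.01)
    return ok, len(srv.half_open), srv.dropped_syns

print(simulate(128, None))   # no timeout: (False, 128, 73)  the backlog stays full
print(simulate(128, 3.0))    # 3 s timeout: (True, 0, 72)   stale entries are reclaimed
```

Real stacks bound this state with a short SYN-RECV timeout, a larger backlog and SYN cookies, which is why a half-open count that stays near the backlog limit is a useful alarm signal.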
That's it for today, folks. We will be back with more interesting content on Denial of Service.
The next post will elaborate on other ways DDoS/DoS attacks are implemented and some countermeasures against them.