DDoS Attack
Introduction
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks reach their scale by using many compromised computer systems as sources of attack traffic. Exploited machines can include ordinary computers as well as other networked resources such as IoT devices (routers, cameras, DVRs), which are often poorly patched and exposed with default credentials.
Core Mechanisms
DDoS attacks are characterized by an explicit attempt by attackers to prevent legitimate users from accessing a targeted online service. The attack is distributed because the traffic comes from many sources at once, so blocking a single source address does not stop it and the combined bandwidth can exceed what any one attacker host could generate.
- Botnets: A botnet is a network of Internet-connected devices infected with malware and controlled as a group through command-and-control infrastructure, usually without the owners' knowledge. Botnets are the usual source of DDoS traffic because each bot contributes its own bandwidth and address.
- Amplification: The attacker sends a small request to a third-party server (an open DNS resolver, an NTP server, or an exposed memcached instance, for example) whose response is many times larger than the request. A small amount of attacker bandwidth therefore becomes a large flood; the ratio of response size to request size is the amplification factor.
- Reflection: The attacker sends requests to many servers with the source IP address forged to the victim's address, so the servers send their responses to the victim, which is flooded by hosts it never contacted. Reflection and amplification are usually combined, and both depend on connectionless protocols such as UDP, where no handshake verifies the source address.
Attack Vectors
DDoS attacks can be executed using various vectors, each exploiting different protocols and weaknesses in the network.
- Volumetric Attacks: These attacks aim to consume the bandwidth of the target network or its upstream links, and are measured in bits per second. Common methods include:
  - UDP Flood: Saturates the target with UDP packets, often to random ports, consuming bandwidth and forcing the host to answer with ICMP "port unreachable" messages.
  - ICMP Flood: Similar to a UDP flood but uses ICMP echo requests (ping), which the target answers until its bandwidth or CPU is exhausted.
- Protocol Attacks: These attacks consume state or processing capacity in the server or in intermediate equipment such as firewalls and load balancers, and are measured in packets per second.
  - SYN Flood: Exploits the TCP three-way handshake by sending SYN packets, typically from spoofed source addresses, and never completing the handshake. Each SYN leaves a half-open connection in the server's backlog until it times out, so the backlog fills and legitimate connections are refused.
  - Ping of Death: Sends malformed or oversized ICMP packets (fragments that reassemble to more than the 65,535-byte IP maximum) that crash or destabilize a vulnerable IP stack. Modern operating systems have been patched for decades, so it is mainly of historical interest.
- Application Layer Attacks: These attacks target the application itself (layer 7) with requests that are individually well-formed, so they are harder to distinguish from legitimate traffic and need far less bandwidth than a volumetric attack to exhaust the server.
  - HTTP Flood: Sends large numbers of HTTP GET or POST requests to a web server, often to expensive endpoints such as search or login, trying to exhaust CPU, memory, or database capacity.
  - Slowloris: Opens many connections to the target web server and keeps each one alive by sending partial HTTP headers at a slow, steady pace, so the server never times them out. Its connection pool fills with idle connections and new clients are turned away.
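The mechanisms described above leave characteristic traces in flow records: a SYN flood shows many sources that sent a SYN and almost none that ever sent an ACK, and a reflection attack shows UDP replies from amplifier ports that the victim never requested. The following Python script is an added example, not code from the original page: it builds a constructed set of flow records and flags both patterns from the victim's vantage point. The `Flow` fields, the thresholds and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions chosen for illustration.

```python
"""Flag SYN-flood and UDP reflection/amplification patterns in flow records.

Added example (not from the original page). Field names, thresholds and the
sample traffic are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

TARGET = "203.0.113.10"  # the protected host (RFC 5737 documentation range)

# UDP source ports of services commonly abused as reflectors/amplifiers.
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK); "" for UDP
    nbytes: int


def build_sample_flows():
    """Constructed traffic: one legitimate TCP client, a spoofed SYN flood,
    one legitimate DNS exchange and a memcached reflection flood."""
    flows = [
        # Legitimate client completing the three-way handshake on port 443.
        Flow("198.51.100.7", 40000, TARGET, 443, "tcp", "S", 60),
        Flow(TARGET, 443, "198.51.100.7", 40000, "tcp", "SA", 60),
        Flow("198.51.100.7", 40000, TARGET, 443, "tcp", "A", 52),
        # Target queries a resolver and receives the answer it asked for.
        Flow(TARGET, 51000, "198.51.100.53", 53, "udp", "", 70),
        Flow("198.51.100.53", 53, TARGET, 51000, "udp", "", 180),
    ]
    # SYN flood: 200 spoofed sources send one SYN each and never ACK.
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i + 1}", 1024 + i, TARGET, 443, "tcp", "S", 60))
    # Reflection: 30 memcached servers answer the target, which never queried them.
    for i in range(30):
        flows.append(Flow(f"198.51.100.{100 + i}", 11211, TARGET, 51001, "udp", "", 1400))
    return flows


def detect_syn_flood(flows, target=TARGET, min_syn_sources=50, max_completion=0.2):
    """Per listening port, compare sources that sent a bare SYN with sources
    that later sent an ACK. A flood shows many SYN sources and almost no
    completions; a busy but healthy port shows a completion ratio near 1."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for f in flows:
        if f.proto != "tcp" or f.dst_ip != target:
            continue
        if f.flags == "S":
            syn_sources[f.dst_port].add(f.src_ip)
        elif "A" in f.flags:
            ack_sources[f.dst_port].add(f.src_ip)
    alerts = {}
    for port, sources in syn_sources.items():
        ratio = len(sources & ack_sources[port]) / len(sources)
        if len(sources) >= min_syn_sources and ratio < max_completion:
            alerts[port] = {"syn_sources": len(sources), "completion_ratio": round(ratio, 3)}
    return alerts


def detect_reflection(flows, target=TARGET, min_unsolicited=10):
    """Inbound UDP from an amplifier port counts as unsolicited unless the
    target sent a request to that (reflector, port) from the same local port."""
    requested = {(f.dst_ip, f.dst_port, f.src_port)
                 for f in flows if f.proto == "udp" and f.src_ip == target}
    seen = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or f.dst_ip != target or f.src_port not in AMPLIFIER_PORTS:
            continue
        if (f.src_ip, f.src_port, f.dst_port) in requested:
            continue  # a reply the target asked for
        entry = seen[AMPLIFIER_PORTS[f.src_port]]
        entry["packets"] += 1
        entry["bytes"] += f.nbytes
        entry["reflectors"].add(f.src_ip)
    return {svc: {"packets": e["packets"], "bytes": e["bytes"], "reflectors": len(e["reflectors"])}
            for svc, e in seen.items() if e["packets"] >= min_unsolicited}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SYN flood alerts:", detect_syn_flood(sample))
    print("Reflection alerts:", detect_reflection(sample))
```

On the constructed sample the SYN check reports port 443 with 201 SYN sources and a completion ratio of about 0.005, while the legitimate DNS answer is ignored and only the 30 unsolicited memcached replies are reported. A real deployment would feed NetFlow or sFlow records from the network edge and evaluate both checks over a sliding time window; the point that carries over is that reflection is recognisable from the victim's side purely by the absence of a matching outbound request.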
Defensive Strategies
Mitigating a DDoS attack involves a combination of strategies and technologies designed to detect and respond to the attack in real-time.
- Traffic Analysis: Continuous monitoring of network traffic against an established baseline so that abnormal patterns (a sudden rise in packets per second, SYNs that are never completed, or UDP replies from services the network never queried) are flagged early enough to act on.
- Rate Limiting: Restricting the number of requests a client can make to a server over a specified time period, typically per source address and per endpoint, so that a single abusive source is throttled without affecting others.
- Web Application Firewalls (WAFs): Protect web applications by filtering and monitoring HTTP traffic between the application and the Internet; against application layer attacks they can block known malicious request patterns, challenge suspicious clients, and drop requests that exceed per-path limits.
- Anycast Network Diffusion: Announces the same IP address from many geographically distributed sites, so attack traffic is absorbed across all of them instead of converging on a single point of failure.
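Rate limiting as listed above is usually implemented with a token bucket: each client earns tokens at a fixed rate up to a burst allowance and spends one per request. The following Python script is an added example, not code from the original page: it keeps one bucket per client address, adds a shared budget for the endpoint, and replays a constructed request stream containing a legitimate user, a single-source flood and a distributed flood from 200 bots. The limits, addresses and request stream are assumptions chosen for illustration.

```python
"""Token-bucket rate limiting per client plus a shared endpoint budget.

Added example (not from the original page). Limits, addresses and the
request stream are constructed for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Permits `rate` requests per second on average, with bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Two layers: a bucket per client address, then one shared budget for the
    endpoint, because many bots each staying under the per-client limit can
    still add up to a flood."""

    def __init__(self, per_ip_rate=5, per_ip_burst=10, shared_rate=200, shared_burst=400):
        self.per_ip = defaultdict(lambda: TokenBucket(per_ip_rate, per_ip_burst))
        self.shared = TokenBucket(shared_rate, shared_burst)

    def check(self, client_ip, now):
        """Return the decision for one request: "ok", "per-ip" or "shared"."""
        if not self.per_ip[client_ip].allow(now):
            return "per-ip"
        if not self.shared.allow(now):
            return "shared"
        return "ok"


def build_sample_requests():
    """Constructed request stream as (timestamp_seconds, client_ip) pairs."""
    reqs = []
    reqs += [(i * 0.5, "198.51.100.7") for i in range(20)]       # legitimate user, 2 req/s
    reqs += [(i * 0.01, "192.0.2.1") for i in range(1000)]       # single-source flood, 100 req/s
    for bot in range(200):                                       # distributed flood: 200 bots
        reqs += [(i * 0.25, f"203.0.113.{bot + 1}") for i in range(40)]  # at 4 req/s each
    return reqs


def simulate(requests, limiter=None):
    """Replay requests in time order; return per-client counts of each decision."""
    limiter = limiter or RateLimiter()
    stats = defaultdict(lambda: {"ok": 0, "per-ip": 0, "shared": 0})
    for ts, ip in sorted(requests):
        stats[ip][limiter.check(ip, ts)] += 1
    return {ip: dict(counts) for ip, counts in stats.items()}


if __name__ == "__main__":
    result = simulate(build_sample_requests())
    bots = [s for ip, s in result.items() if ip.startswith("203.0.113.")]
    print("legitimate user:", result["198.51.100.7"])
    print("single-source flood:", result["192.0.2.1"])
    print("bots rejected by per-IP limit:", sum(s["per-ip"] for s in bots))
    print("bots rejected by shared budget:", sum(s["shared"] for s in bots))
```

The replay shows why per-source limiting alone is not a DDoS defence: the single flooding address is throttled to roughly its 5 requests per second, but the 200 bots each stay under that limit and are never rejected by the per-IP bucket; only the shared budget stops them, and a shared budget cannot tell a bot from a legitimate user once it is spent, so whoever arrives after the budget is exhausted is refused. In production the buckets live in a shared store or in the load balancer or CDN rather than in one process's memory, and the shared budget is sized from the baseline traffic that the traffic-analysis step established.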
Real-World Case Studies
- GitHub Attack: In February 2018, GitHub was hit by a DDoS attack that peaked at 1.35 Tbps, at the time the largest DDoS attack publicly recorded. The attack used reflection and amplification through memcached servers exposed on UDP port 11211, which answer small requests with responses thousands of times larger; GitHub's traffic was rerouted through a scrubbing provider and the attack was mitigated within minutes.
- Dyn Attack: In October 2016, the DNS provider Dyn was attacked, and because many major services relied on it for name resolution, sites such as Twitter, Netflix, and Reddit became unreachable for large parts of the day. The attack was launched from a botnet composed primarily of IoT devices infected by the Mirai malware, which spread by logging in to devices with default credentials.
Architecture Diagram
This diagram illustrates the typical flow of a DDoS attack, showing how attackers use a botnet to overwhelm a target server, leading to service disruption for legitimate users.