DoS and DDoS attacks: meaning and differences

A DoS attack (from English Denial of Service, denial-of-service attack) is an attack on a computer system with the aim of bringing it to failure, that is, creating conditions under which legal (legitimate) users of the system cannot access the resources (servers) the system provides, or can do so only with difficulty. The failure of an “enemy” system can also be a step towards taking it over (if, in an emergency situation, the software discloses any critical information, for example a version string or part of the program code). More often, however, this is a measure of economic pressure: downtime of a revenue-generating service, bills from the provider and the measures needed to ward off the attack hit the “target” hard in the pocket.

If an attack is carried out simultaneously from a large number of computers, we speak of a DDoS attack (from English Distributed Denial of Service, distributed denial-of-service attack). In some cases an actual DDoS attack is caused by an unintentional action, for example placing, on a popular Internet resource, a link to a site hosted on a not very powerful server (the slashdot effect). A large influx of users exceeds the permissible load on the server and, consequently, some of them are denied service.

Types of DoS attacks

There are various reasons why a DoS condition may occur:

  • Error in program code, leading to access to an unused fragment of the address space, execution of an invalid instruction, or another unhandled exception, as a result of which the server program crashes. A classic example is accessing a null (zero) address.
  • Insufficient verification of user data, leading to an endless or very long loop, to increased long-term consumption of processor resources (up to their exhaustion), or to the allocation of a large amount of RAM (up to the exhaustion of available memory).
  • Flood (English flood - “flood”, “overflow”) - an attack consisting of a large number of usually meaningless or incorrectly formatted requests to a computer system or network equipment, intended to cause or leading to system failure through exhaustion of system resources: processor, memory or communication channels.
  • Attack of the second type - an attack that seeks to trigger a false alarm in the security system and thereby make a resource unavailable.

If an attack (usually a flood) is carried out simultaneously from a large number of IP addresses - from several computers dispersed across the network - it is called a distributed denial-of-service attack (DDoS).

Exploitation of errors

An exploit is a program, a piece of software code, or a sequence of commands that takes advantage of vulnerabilities in software and is used to carry out an attack on a computer system. Of the exploits that lead to a DoS condition but are unsuitable, for example, for seizing control of an “enemy” system, the best known are WinNuke and Ping of Death.

Flood


A flood is a huge stream of meaningless requests from different computers, sent in order to keep the “enemy” system (processor, RAM or communication channel) busy and thereby temporarily disable it. The concept of a “DDoS attack” is almost equivalent to that of a “flood”, and in everyday usage the two are often interchangeable (“flood the server” = “DDoS the server”).

To create a flood, both ordinary network utilities such as ping (the Internet community “Upyachka”, for example, is known for this) and special programs can be used. DDoS capability is often “hardwired” into botnets. If a site with high traffic is found to have a cross-site scripting vulnerability or the ability to include images from other resources, that site can also be used for a DDoS attack.

Flooding of the communication channel and TCP subsystem

Any computer that has a connection with the outside world via the TCP/IP protocol is susceptible to the following types of flooding:

  • SYN flood - with this type of flood, a large number of SYN packets (requests to open a TCP connection) are sent to the attacked node. After a short time the number of sockets (software network sockets, ports) available for opening on the attacked computer is exhausted, and the server stops responding.
  • UDP flood - this type of flood attacks not the target computer but its communication channel. Providers reasonably assume that UDP packets should be delivered first and that TCP can wait. A large number of UDP packets of various sizes clogs the communication channel, and the server running the TCP protocol stops responding.
  • ICMP flood - the same thing, but using ICMP packets.
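As an added illustration (not code from the original article), here is a defender-side check for the SYN flood case: it parses a snapshot of the server's TCP connection table in the style of `ss -tan` output and measures how full the listen backlog is with half-open (SYN-RECV) connections, and whether they come from a few sources or from many. The snapshot, the small backlog of 8 and the 50% alert threshold are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed snapshot in the style of `ss -tan` output (sample data, not real).
# For a LISTEN socket, ss reports the accept-backlog limit in the Send-Q
# column; each SYN-RECV row is one half-open connection awaiting its ACK.
SAMPLE_SOCKET_TABLE = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      8      0.0.0.0:80          0.0.0.0:*
LISTEN   0      8      0.0.0.0:22          0.0.0.0:*
ESTAB    0      0      10.0.0.5:80         192.0.2.10:51234
ESTAB    0      0      10.0.0.5:22         192.0.2.11:40111
SYN-RECV 0      0      10.0.0.5:80         198.51.100.1:1025
SYN-RECV 0      0      10.0.0.5:80         198.51.100.2:1026
SYN-RECV 0      0      10.0.0.5:80         198.51.100.3:1027
SYN-RECV 0      0      10.0.0.5:80         198.51.100.4:1028
SYN-RECV 0      0      10.0.0.5:80         198.51.100.5:1029
SYN-RECV 0      0      10.0.0.5:80         198.51.100.6:1030
"""


def parse_socket_table(text):
    """Return ({port: backlog_limit}, {port: [peer_ip, ...]}) for half-open rows."""
    backlog, half_open = {}, defaultdict(list)
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, _recv_q, send_q, local, peer = fields[:5]
        port = local.rsplit(":", 1)[1]
        if state == "LISTEN":
            backlog[port] = int(send_q)
        elif state == "SYN-RECV":
            half_open[port].append(peer.rsplit(":", 1)[0])
    return backlog, half_open


def assess_syn_flood(text, fill_threshold=0.5):
    """Per listening port: how much of the backlog is held by half-open
    connections, and whether they come from a few or from many peers."""
    backlog, half_open = parse_socket_table(text)
    report = {}
    for port, limit in backlog.items():
        peers = half_open.get(port, [])
        per_peer = Counter(peers)
        fill = len(peers) / limit if limit else 0.0
        report[port] = {
            "half_open": len(peers),
            "backlog": limit,
            "fill": round(fill, 2),
            "distinct_peers": len(per_peer),
            # One SYN-RECV per peer means blocking individual sources will not
            # help; the defence has to act in the TCP stack (e.g. SYN cookies)
            # or upstream of the server.
            "max_per_peer": max(per_peer.values(), default=0),
            "alert": fill >= fill_threshold,
        }
    return report


if __name__ == "__main__":
    for port, info in assess_syn_flood(SAMPLE_SOCKET_TABLE).items():
        print(port, info)
```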

Application level flood

Many services are designed in such a way that a small request can cause a large consumption of computing power on the server. In this case it is not the communication channel or the TCP subsystem that is attacked, but the service itself, with a flood of such resource-hungry requests. For example, web servers are vulnerable to HTTP flooding: either a simple GET / or a complex database request like GET /index.php?search=<random string> can be used to disable a web server.
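For the application-level flood just described, an added example (not from the original article) of a quantitative, traffic-counting check: a sliding-window budget per client in which each request is charged by its estimated server cost, so that a handful of expensive search requests trips the limit as surely as a torrent of cheap GET / requests. The log lines, the cost values (1 for a plain page, 20 for a search) and the budget of 30 units per 10 seconds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format: client, identd, user, [timestamp], "METHOD path proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def request_cost(path):
    """Estimated server work units per request (assumed values for the
    example): a cached front page is cheap, a search query hits the database."""
    return 20 if path.startswith("/index.php?search=") else 1


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path = m.groups()
    t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, t, method, path


def find_abusive_clients(lines, budget=30, window=10.0):
    """Charge each client's requests against a sliding-window cost budget.
    `lines` must be in time order. Returns {ip: peak_spend} for clients whose
    spend within any `window` seconds exceeded `budget`."""
    recent = defaultdict(deque)      # ip -> deque of (time, cost)
    spend = defaultdict(int)         # ip -> cost currently inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t, _method, path = parsed
        q = recent[ip]
        while q and t - q[0][0] > window:   # expire requests older than the window
            spend[ip] -= q.popleft()[1]
        cost = request_cost(path)
        q.append((t, cost))
        spend[ip] += cost
        if spend[ip] > budget:
            offenders[ip] = max(offenders.get(ip, 0), spend[ip])
    return offenders


def log_line(ip, second, path):
    """Constructed common-log-format line (sample data, not a real log)."""
    return (f'{ip} - - [01/Jan/2024:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: a normal visitor, one client firing expensive searches,
# and one client hammering the cheap front page four times a second.
SAMPLE_LOG = sorted(
    [log_line("192.0.2.10", s, "/") for s in range(10)]
    + [log_line("203.0.113.7", s, "/index.php?search=zq3x8k") for s in (2, 4, 6)]
    + [log_line("198.51.100.9", s, "/") for s in range(10) for _ in range(4)],
    key=lambda line: line.split("[")[1],
)

if __name__ == "__main__":
    print(find_abusive_clients(SAMPLE_LOG))   # {'203.0.113.7': 60, '198.51.100.9': 40}
```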

Detection of DoS attacks

There is an opinion that no special means are required to detect DoS attacks, since the fact of a DoS attack cannot go unnoticed. In many cases this is true. However, successful DoS attacks that the victims noticed only after 2-3 days have been observed quite often. It has happened that the negative consequences of an attack (a flood attack) were unnecessary costs for excess Internet traffic, which became clear only on receiving the invoice from the Internet provider. In addition, many attack detection methods are ineffective near the attack target but effective on network backbones. In that case it is advisable to install detection systems there rather than wait until the attacked user notices the attack himself and seeks help. Finally, to counter DoS attacks effectively, it is necessary to know the type, nature and other characteristics of the attack, and detection systems allow this information to be obtained quickly.

Methods for detecting DoS attacks can be divided into several large groups:

  • signature - based on qualitative traffic analysis.
  • statistical - based on quantitative analysis of traffic.
  • hybrid (combined) - combining the advantages of both of the above methods.

Protection against DoS attacks

Measures to counter DoS attacks can be divided into passive and active, and into preventive and reactive.

Below is a short list of the main methods.

  • Prevention. Removing the reasons that prompt certain individuals to organize and launch DoS attacks. (Very often, cyber attacks are the result of personal grievances, political, religious and other disagreements, provocative behaviour by the victim, etc.)
  • Filtering and blackholing. Blocking traffic coming from the attacking machines. The effectiveness of these methods decreases as you get closer to the target of the attack and increases as you get closer to the attacking machine.
  • Reverse DDoS - redirecting the traffic used for the attack back to the attacker.
  • Elimination of vulnerabilities. Does not work against flood attacks, for which the “vulnerability” is the finiteness of certain system resources.
  • Increasing resources. Naturally, this does not provide absolute protection, but it is a good foundation for using other types of protection against DoS attacks.
  • Dispersal. Building distributed and redundant systems that will not stop serving users even if some of their elements become unavailable due to a DoS attack.
  • Evasion. Moving the immediate target of the attack (domain name or IP address) away from other resources that are often exposed along with it.
  • Active response. Acting on the sources, organizer or control center of the attack, by both technical and organizational-legal means.
  • Using equipment to repel DoS attacks. For example, DefensePro® (Radware), Perimeter (MFI Soft), Arbor Peakflow® and products from other manufacturers.
  • Purchasing a DoS protection service. Relevant when the flood exceeds the bandwidth of the network channel.


Recently, we have been able to see that DDoS attacks are quite a powerful weapon in the information space. Using high-power DDoS attacks, you can not only shut down one or more sites, but also disrupt the operation of an entire network segment or shut down the Internet in a small country. These days, DDoS attacks are happening more and more often and their power is increasing every time.

But what is the essence of such an attack? What happens on the network when it is performed, where did the idea to do this come from and why is it so effective? You will find answers to all these questions in our article today.

DDoS, or distributed denial of service, is an attack on a specific computer on a network that overloads it so that it stops responding to requests from other users.

To understand what a DDoS attack means, let's imagine a situation: a web server serves site pages to users. Suppose it takes half a second to generate a page and transfer it completely to the user's computer; then our server will be able to operate normally at a rate of two requests per second. If more requests arrive, they are queued and processed as soon as the web server is free. New requests are added to the end of the queue. Now let's imagine that there are a lot of requests, and most of them are sent only to overload this server.

If the rate at which new requests arrive exceeds the processing rate, then over time the request queue will become so long that no new requests will actually be processed. This is the main principle of a DDoS attack. Previously, such requests were sent from a single IP address, and this was called a denial-of-service attack (Denial of Service); in fact, this is the answer to the question of what DoS is. But such attacks can be effectively countered simply by adding the source IP address (or several) to a block list; moreover, because of network bandwidth limitations, a few devices physically cannot generate enough packets to overload a serious server.
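The queue argument above, worked through numerically as an added example (not code from the original article): one worker takes 0.5 s per page, so the server handles 2 requests/s; with evenly spaced arrivals at 1.5/s nobody waits, while at 3/s the backlog grows without bound and waiting times with it. The optional queue cap, which turns unbounded waits into explicit rejections, is an added illustration of load shedding, and the 5 s client patience is an assumed value.

```python
SERVICE_TIME = 0.5   # seconds per page, as in the article (2 requests/s)


def simulate_queue(arrival_rate, duration, max_queue=None, patience=5.0,
                   service_time=SERVICE_TIME):
    """Simulate one FIFO worker with evenly spaced arrivals at `arrival_rate`
    requests/s for `duration` seconds.

    With max_queue=None every request is queued (the article's case).  With a
    cap, a request that arrives when `max_queue` requests are already waiting
    is rejected at once.  A request that waits longer than `patience` seconds
    is counted as timed out: the client has given up even if it is served."""
    arrivals = [i / arrival_rate for i in range(int(arrival_rate * duration))]
    starts = []            # start-of-service time of each accepted request
    next_free = 0.0        # moment the worker becomes idle
    waits, rejected, peak_queue = [], 0, 0
    for t in arrivals:
        waiting = sum(1 for s in starts if s > t)   # accepted, not yet started
        peak_queue = max(peak_queue, waiting)
        if max_queue is not None and waiting >= max_queue:
            rejected += 1
            continue
        start = max(t, next_free)
        next_free = start + service_time
        starts.append(start)
        waits.append(start - t)
    return {
        "accepted": len(waits),
        "rejected": rejected,
        "peak_queue": peak_queue,
        "max_wait": round(max(waits), 2) if waits else 0.0,
        "timed_out": sum(1 for w in waits if w > patience),
    }


if __name__ == "__main__":
    for rate in (1.5, 3.0):
        print(f"{rate} req/s, unbounded queue:", simulate_queue(rate, 60))
    print("3.0 req/s, queue capped at 4:", simulate_queue(3.0, 60, max_queue=4))
```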

Therefore, attacks are now carried out from millions of devices at once. The word Distributed was added to the name, giving DDoS. Individually these devices mean nothing and may not have a very fast Internet connection, but when they all start sending requests to one server at the same time, they can reach a combined rate of up to 10 Tb/s. And that is already a very serious figure.

It remains to figure out where attackers get so many devices to carry out their attacks. These are ordinary computers or various IoT devices that attackers were able to gain access to: anything from video cameras and routers with firmware that has not been updated for a long time to control devices and the ordinary computers of users who somehow caught a virus and either do not know about it or are in no hurry to remove it.

Types of DDoS attacks

There are two main types of DDoS attacks: those aimed at overloading a specific program, and those aimed at overloading the network channel itself to the target computer.

Attacks that overload a program are also called layer 7 attacks (the OSI network model has seven layers, and the last one is the layer of individual applications). The attacker targets a program that uses a lot of server resources by sending it a large number of requests. Eventually the program cannot keep up with all the connections. This is the type we discussed above.

DoS attacks on the Internet channel require far more resources, but they are much harder to cope with. In OSI terms, these are attacks on layers 3-4, that is, on the channel or the data transfer protocol. The point is that any Internet connection has a speed limit at which data can be transferred over it. If there is a lot of data, the network equipment, just like the program, queues it for transmission, and if the amount of data and the rate at which it arrives greatly exceed the channel's speed, the channel is overloaded. The data rate in such cases can be measured in gigabytes per second. For example, when the small country of Liberia was disconnected from the Internet, the data rate reached 5 TB/sec. However, 20-40 Gb/s is enough to overload most network infrastructures.

Origin of DDoS attacks

Above we looked at what DDoS attacks are and what methods they use; now it is time to move on to their origin. Have you ever wondered why these attacks are so effective? They are based on military strategies that have been developed and tested over many decades.

In general, many approaches to information security are based on military strategies of the past. There are Trojan viruses, reminiscent of the ancient Battle of Troy, ransomware viruses that hold your files for ransom, and DDoS attacks that limit the enemy's resources. By limiting your opponent's options, you gain some control over his subsequent actions. This tactic works very well both for military strategists and for cybercriminals.

In the case of military strategy, it is very easy to think of the kinds of resources that can be limited in order to limit an enemy's capabilities. Limiting water, food and building materials would simply destroy the enemy. With computers everything is different: there are various services, for example DNS, web servers and email servers. They all have different infrastructure, but there is one thing that unites them: the network. Without a network, you cannot access a remote service.

Warlords can poison water, burn crops, and set up checkpoints. Cybercriminals can send incorrect data to the service, cause it to consume all memory, or completely overload the entire network channel. Defense strategies also have the same roots. The server administrator will have to monitor incoming traffic to find malicious traffic and block it before it reaches the target network channel or program.

Conclusions

DDoS attacks are becoming more common and more powerful every time. This means that the services we use will increasingly come under attack. One way we can reduce the number of attacks is by making sure that our devices are not infected with viruses and receive updates on time. Now you know what a DDoS attack is and the basics of protection; in one of the following articles we will look at the last point in more detail.


The goal of a DDoS attack can be either to block a competitor’s project or a popular resource, or to gain complete control over the system. When promoting a site, take into account that DoS conditions arise for the following reasons:

  • due to errors in program code, which lead to the execution of illegal instructions, access to an unused part of the address space, etc.;
  • due to insufficient verification of user data, which can lead to a long (or endless) cycle, increased consumption of processor resources, memory exhaustion, etc.;
  • due to flooding - an external attack through a large number of incorrectly formed or meaningless requests to the server; there are floods of the TCP subsystem, of communication channels and of the application level;
  • due to external influence, the purpose of which is to cause a false alarm of the protective system and, as a result, lead to the unavailability of the resource.

Protection

DDoS attacks are troublesome because if the server is down for long enough, pages drop out of the search index. To detect threats, signature, statistical and hybrid methods are used: the first are based on qualitative analysis, the second on quantitative analysis, and the third combine the advantages of the previous two. Countermeasures can be passive and active, preventive and reactive. The following methods are mainly used:

  • eliminating personal and social reasons that motivate people to organize DDoS attacks,
  • blackholing and traffic filtering,
  • elimination of code vulnerabilities during search engine optimization of the site,
  • increasing server resources, and building redundant and distributed systems that keep serving users,
  • technical and organizational-legal impact on the organizer, sources or control center of the attack,
  • installation of equipment to repel DDoS attacks (Arbor Peakflow®, DefensePro®, etc.),
  • purchasing a dedicated server for website hosting.

Almost any web resource, be it a website or a service, is open to access by ordinary users. Just open your browser and type in the desired address. However, this availability comes with some security concerns, in particular the possibility of attacks such as Denial of Service (DoS) and Distributed Denial of Service (DDoS).

What is a Denial of Service (DoS) attack?

Before answering the question “what is a Denial of Service (DoS) attack,” you need to look at how data is exchanged on the Internet and what capacity web resources are given. For easier understanding, let's consider the most common option.

Websites and services (hereinafter referred to as a website or site) are located on separate computers, also called servers. On these servers they are allocated a certain share of resources (disk space, RAM, CPU time) in order to function. Every time a user opens a web page in a browser, the website has to spend a certain portion of those resources to generate that page. Therefore, over a given period of time, a site can generate only a limited number of pages. This means that if the site is opened by more users than it is designed for, some users will receive in response either an error saying the site cannot be opened (for example, the site is not available) or a warning that the site is overloaded with a request to wait (for example, the site is temporarily unavailable, try opening it in 5-10 minutes).

The essence of a Denial of Service (DoS) attack is what its name suggests, namely that the attack results in the website being unavailable to users. Technically, this is achieved by the attacker constantly opening a large number of web pages, which takes up almost all of the site's resources and prevents other users from accessing it. This process can be compared to fishing next to a person who scatters food for the fish by the handful. In this case, no matter how often you cast your rod into the river, the chances of catching a fish will be almost zero.

Today this type of attack is rare, since it is very easy to find and identify the attacker: it is the one from whom a large number of page requests is constantly coming. Therefore, quite often, when you hear the words “DoS attack” or read a text in which the word “DoS” is used, a DDoS attack is actually meant.

What is a Distributed Denial of Service (DDoS) attack?

A Distributed Denial of Service (DDoS) attack uses the same idea as a DoS attack but is technically different. The essence of the attack also follows from its name: many attacker computers simultaneously contact the site requesting pages, which ultimately leads to the same consequences as a DoS attack. This process can be compared to the same fishing, but in a park where crowds of people walk around and take turns throwing food into the water. Because there are many such people, casting a rod leads to the same result as in the previous comparison. However, implementing this attack is more difficult, since it requires quite a lot of computers. For this reason, those carrying it out most often resort to using botnets.

Note: Sometimes a DDoS attack occurs unintentionally when a huge number of users accidentally access a website. For example, when announcing a small site on portals with huge traffic, such a site may simply not cope with the influx of users and be temporarily unavailable.

A botnet is a logically organized network of many infected user computers (such computers are also called zombies) that is controlled by one or more attackers and performs the actions the attackers want. In the case of DDoS, this means sending page requests to the website from all or some of the botnet's zombie computers. Technically, botnets are built by infecting ordinary users' computers with Trojans, worms and other malicious programs, which after infection report to the control nodes and thereby join the network. Typically, such malware rarely shows any visible malicious activity on the user's computer, in order to avoid extra checks by antivirus and other security tools. This allows it to remain in the botnet for a long time.

Note: For most users of such infected computers, the maximum effect is only periodic bursts of network activity, which in the past could easily be noticed (especially in the days of modems) but today, with high-speed Internet, are hard to detect without special tools.

Today, this type of attack is becoming more common, because in addition to being more difficult to track, in the case of large botnet networks, it is simply impossible to quickly neutralize it.

Note: The main reasons for the growth in the number of DDoS attacks are the rapid increase in the number of computers, the proliferation of software, the growth of data transfer speeds and a number of other factors.

Final words about DoS and DDoS

A website outage, even for a short period of time, can affect not only performance, but also the number of users. For example, the lack of access to a large project with multimillion-dollar traffic, even for a few hours, may well mean an outflow of users to competing projects (taking into account the period of time, this will mainly affect users who have relatively recently started using the resource).