There are two types of DDoS services addressed in the article; one is when the attacker floods the internet’s bandwidth so it cannot perform as normal, the other is when the attacker targets vulnerabilities on the server so it cannot handle legitimate requests.
When a DDoS attack happens, the zombie computers that are using the spoofed IP address of the victim server overload the DNS servers. These zombie computers all simultaneously query the DNS server; as the DNS server tries to respond back, it takes up all available bandwidth of the victim server. For example, the one they used was a SYN flood attack: these zombie devices are able to open up multiple connections to the server using SYN requests. These devices have to respond with “ACK” when prompted by the server’s “SYN-ACK” acknowledgment; because there is no response, the victim server is unable to close down that connection. When the DDoS targets vulnerabilities in applications on the server, they are able to cripple the server’s CPU, RAM, and buffer memory. This renders the server unable to process legitimate requests.
Hi Mei,
I agree with your point. When I think of the actual working principle of DDoS, I usually think of drowning and destroying the network. Obviously, there are more ways to “refuse to serve”, but we usually associate DDoS with network traffic.
Hi Mei,
I find the second type difficult to defend against, especially since the zombie computers spoof the IP address of the target victim. The attack can be made further sophisticated by encryption of traffic between the attacker and the zombies, making it hard to trace back and identify the attacker.
Distributed denial of service attacks can cause many computers to be attacked simultaneously, making the target of the attack unusable. Distributed denial of service attacks have occurred many times, causing many large websites to be unable to operate. This will not only affect the regular use of users but also cause huge economic losses. Distributed denial-of-service attacks can forge the source IP address when attacking. The concealment of this kind of attack is excellent, and it is also challenging to detect the attack. This type of attack has also become a complicated attack to prevent.
A complete DDoS attack system consists of four parts: the attacker, the master, the agent, and the target. The primary control end and the proxy end are respectively used to control and to actually launch an attack. The direct control end only issues commands and does not participate in the actual attack, and the proxy end sends out the actual DDoS attack packets. The attacker has control or partial control of the computers on the host and agent. During the attack, it will use various means to hide from being discovered by others. Once the real attacker sends the attack command to the host, the attacker can shut down or leave the network. The master issues the command to each agent host. This way, the attacker can evade tracking. Each attacking proxy host sends a large number of service request data packets to the target host. These data packets are disguised and cannot be identified from their source. Moreover, the services requested by these data packets often consume a lot of system resources, making the target host unable to provide regular services to users. It can even cause the system to crash.
Hi, Zibai
Thanks for your sharing. One way to prevent distributed denial of service attacks is to implement a multi-level protection strategy. This includes an advanced intrusion prevention and threat management system composed of a firewall, VPN, anti-spam, content filtering, load balancing and other DDoS defense technologies. Together, they provide consistent network protection against DDoS attacks. Most standard network devices have limited DDoS mitigation options, so companies can outsource some other services.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS is usually difficult to detect and mitigate; it may result in website unavailability, server and hosting issues, website vulnerability and so on. The document lists 7 steps to preventing DDoS attacks. With filtering systems, users can identify and filter illegitimate traffic while simultaneously allowing legitimate traffic, and identify statistical patterns of DDoS attacks. Having alternate network paths can handle more traffic and help reduce the risk posed by DDoS attacks. Rate-limiting or throttling can control the maximum incoming traffic, and any additional traffic could be throttled to prevent the server from going down. Honeypots, aggressive caching, hosting / DDoS mitigation for the website, and zombie computers are also positive preventive methods against DDoS.
A distributed denial of service (DDoS) attack is executed by overloading a system’s internet bandwidth or hardware with tons of requests and ultimately affects the system’s performance and availability. These attacks are performed by infecting computers through malicious software, which adds them to a botnet. The botnet can be controlled through a command and control (C2) server to coordinate an attack. Once an attacker has a botnet large enough to disrupt a system, they’re ready to attack. The article mentions the misuse of the TCP/IP network protocol as one method of performing a DDoS attack. For example, a botnet computer will initiate the TCP three-way handshake with the target by sending a SYN. The target will respond with a SYN-ACK; however, the botnet computer will not finish the connection by sending an ACK. This leaves the TCP connection still open, and the protocol will always try to resend the SYN-ACK to finish and close the connection. As many connections remain open, that is internet bandwidth and CPU resources being consumed. Another method of DDoS that was not mentioned in the article is called a Ping Flood, which misuses the ICMP protocol. One mitigation for DDoS attacks is monitoring the network traffic and establishing a baseline for what is considered normal/standard traffic. Once the baseline is established, anomalies discovered in the network traffic can be filtered and blocked.
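The two symptoms the post above describes, half-open connections left by unanswered SYN-ACKs and a SYN rate that departs from a learned baseline, as an added detection example that is not from the article or the post. The inbound log format and all addresses (RFC 5737 documentation ranges) are constructed for this example.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float    # seconds since the start of the capture
    src: str     # source address as seen by the server
    flags: str   # TCP flags on the inbound packet: "S" = SYN, "A" = ACK

# Constructed inbound log. Seconds 0-2 are ordinary clients that complete the
# handshake (SYN, then ACK); seconds 3-4 add a burst of SYNs from three
# sources that never send the ACK, i.e. connections left half-open.
SAMPLE_LOG = """\
0.10 192.0.2.10 S
0.15 192.0.2.10 A
0.40 192.0.2.11 S
0.46 192.0.2.11 A
1.20 192.0.2.12 S
1.26 192.0.2.12 A
1.70 192.0.2.10 S
1.75 192.0.2.10 A
2.30 192.0.2.13 S
2.36 192.0.2.13 A
2.80 192.0.2.11 S
2.85 192.0.2.11 A
3.01 203.0.113.7 S
3.02 203.0.113.8 S
3.03 203.0.113.9 S
3.04 203.0.113.7 S
3.05 203.0.113.8 S
3.06 203.0.113.9 S
3.07 203.0.113.7 S
3.08 203.0.113.8 S
3.09 203.0.113.9 S
3.50 192.0.2.14 S
3.56 192.0.2.14 A
4.01 203.0.113.7 S
4.02 203.0.113.8 S
4.03 203.0.113.9 S
4.04 203.0.113.7 S
4.05 203.0.113.8 S
4.06 203.0.113.9 S
"""

def parse_log(text: str) -> list[Packet]:
    """Parse 'ts src flags' lines; blank lines and '#' comments are skipped."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, flags = line.split()
        packets.append(Packet(float(ts), src, flags))
    return packets

def is_pure_syn(p: Packet) -> bool:
    """A connection attempt: SYN set, ACK clear."""
    return "S" in p.flags and "A" not in p.flags

def half_open_by_source(packets: list[Packet]) -> dict[str, int]:
    """SYNs per source that no later ACK from that source retired. The log
    carries no ports, so each ACK retires the oldest outstanding SYN."""
    pending: dict[str, int] = defaultdict(int)
    for p in packets:
        if is_pure_syn(p):
            pending[p.src] += 1
        elif "A" in p.flags and pending[p.src] > 0:
            pending[p.src] -= 1
    return {src: n for src, n in pending.items() if n > 0}

def syn_rate(packets: list[Packet]) -> Counter:
    """Inbound pure-SYN count per whole second of the capture."""
    return Counter(int(p.ts) for p in packets if is_pure_syn(p))

def baseline_syn_rate(packets: list[Packet], learn_seconds: int) -> float:
    """Mean SYNs/second over the first learn_seconds, taken as 'normal'."""
    rate = syn_rate(packets)
    return sum(rate[s] for s in range(learn_seconds)) / learn_seconds

def detect(packets: list[Packet], baseline: float,
           factor: float = 2.5, half_open_limit: int = 3) -> dict:
    """Seconds whose SYN rate exceeds factor*baseline, plus sources holding
    at least half_open_limit half-open connections."""
    rate = syn_rate(packets)
    busy = sorted(s for s, n in rate.items() if n > factor * baseline)
    suspects = sorted(src for src, n in half_open_by_source(packets).items()
                      if n >= half_open_limit)
    return {"anomalous_seconds": busy, "suspect_sources": suspects}

if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    base = baseline_syn_rate(pkts, learn_seconds=3)
    print(f"baseline {base:.1f} SYN/s ->", detect(pkts, base))
```

The per-source count only works against sources that are not spoofed per packet; the rate-versus-baseline signal is the one that survives spoofing, which is why the post pairs baselining with filtering.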
Hi Anthony,
I also noticed the Ping flood was not included in the article, yet it is the most simple and common DDoS attack. However, this only works for small network attacks since it requires the attacker to match or exceed the target/victim’s network bandwidth.
I learned from this article why it is difficult to detect DDoS attacks and how to mitigate them. What I find interesting is that there are many ways to mitigate this type of attack, but organizations rarely use them. A honeypot, for example, is an interesting technology, which is basically a set of traps for detecting attack intentions and sources. A honeypot lures the attacker into the system so that the administrator can monitor the attacker’s exploitation of system vulnerabilities, so as to find out the existing vulnerabilities and the vulnerabilities that need to be repaired.
A key point is that although it is difficult to detect and mitigate this problem, organizations must take control measures to protect and detect DDoS. Applying alternate network paths is an example of reducing attack risk.
One key point I took away from this reading is why DDoS attacks are difficult to detect and mitigate. As per this article, the attacker uses unsuspecting users’ computers to carry out the attacks against the victim server, which makes it difficult to trace down the actual attacker. This article mentions various ways to mitigate DDoS attacks, and one of them is honeypots, which is baiting a trap for hackers. It basically attracts cyber attacks like a decoy. A honeypot involves setting up dummy servers with maximum vulnerabilities that are exposed to hackers as legitimate servers. When the hackers attack these systems, it’s possible to study the attack patterns, attack intentions and even find out attack sources. A honeypot acts as an information tool that can help understand existing threats and spot the emergence of new threats.
I like your summary about the honeypots. One thing organizations have to avoid is making the honeypot too easy to attack. This can often be a red flag for the attacker and makes them realize they are attacking a honeypot. When this happens, they will stop attacking.
The goal of a distributed denial of service attack is to pour large amounts of information into the target server so that it can no longer allow the actual user to access it. This is achieved by hackers using multiple computer controls. The difference between denial of service attacks and distributed denial of service attacks is that for DDoS there are processors/control computers, proxy/zombie computers, and reflection/amplification networks, rather than typical attackers / main computers and victim/attack servers. DDoS attacks are harder to detect because there are multiple IP addresses associated with the zombie computers; they may even use the IP address of the victim server to attack. There are many ways to mitigate DDoS attacks, such as filtering illegal traffic, load balancing, throttling, using honeypots, active caching, and cloud infrastructure hosting.
Hi, Haozhe. I agree that DDoS is more complicated to detect because it is not easy to find the fixed IP or IP sequence from the zombie computers. Although someone can identify where the zombie computer is attacking the Internet, the attacker will summon more computers to shut down the Internet.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks can look like many of the non-malicious things that can cause availability issues, such as a downed server or system, too many legitimate requests from legitimate users, or even a cut cable. It often requires traffic analysis to determine what is precisely occurring. The most common DDoS attacks are Ping of Death, SYN Flood and UDP Flood. The Ping of Death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. This causes the system to become overwhelmed and crash. SYN Flood aims to make a server unavailable to legitimate traffic by consuming all available server resources by repeatedly sending initial connection request (SYN) packets. UDP Flood is an attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond.
DDoS attacks are very serious and hard to mitigate. If an attacker has a large enough network, they can have thousands of computers attempting to SYN flood or ping a network or specific target. Users can sometimes block that particular IP to help prevent the DDoS, but it’s often a losing battle. This causes availability issues for the end users and is often very frustrating. Depending on the level of attack, it could cause the service to completely shut down due to the inability to keep up with the requests. Because of this, many organizations are forced to create countermeasures and preventions to combat these attacks. The article shows many of the mitigations you can use at the very end, such as honeypots, load balancing, rate limiting and many other options. At our organization, we had to enable load balancing and rate limiting to account for regular use by customers. Attackers often push these limits even further.
The steps for prevention and mitigation of DDoS stood out to me from this reading. It states that while these attacks are difficult to prevent/mitigate, the proper techniques can greatly assist a security team in the event that one does occur. Observing statistical patterns of DDoS attacks and comparing them to live traffic patterns can provide a team crucial information for identifying these early on. The document stresses that it is possible to identify and filter illegitimate traffic while simultaneously allowing legit traffic through. The use of filtering systems, whether automated or manually conducted, would assist a team in this situation. Honeypots are also used as a mitigation technique, as these are set up as ‘dummy servers’ including maximum vulnerabilities that are exposed to entice hackers to believe they are true servers. This allows a security team to analyze the way that the attackers conduct their attack and notate those findings for further use to protect the legitimate servers. It is noted that not many organizations use these; however, the information that you can obtain from an attacker hitting one of these could be much more important, and therefore I would say it is an underutilized technique.
It is complicated to detect the DDoS attacker because the network administrators cannot find any fixed IP address or IP address sequence from the zombie computers that are used to attack the Internet. Even though you can identify where the zombie computer is attacking the Internet, the attacker will summon more computers to shut down the Internet. Moreover, I found that Amazon Web Services suffered a DDoS attack in February 2020. According to Security Boulevard, the attacker targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection, and it is a third-party CLDAP server. I think that the company should have alternate network paths and apply load balancing to run the network and reduce the DDoS attacks. These methods work efficiently in small DDoS attacks, and the traffic can be kept under control. https://securityboulevard.com/2020/09/top-five-most-infamous-ddos-attacks/#:~:text=Amazon%20Web%20Services%2C%20the%20800,Access%20Protocol%20(CLDAP)%20Reflection.
Distributed Denial of Service (DDoS) attacks are a constant problem that many organizations face working in the modern Internet-based world. Thankfully, this reading pointed out ways to prevent or lessen the chance of a DDoS attack occurring. The first step was to view other DDoS attacks to find patterns and use that data to filter out illegitimate traffic. Another step was to create other paths to your network to decrease traffic, such as making redundant servers. The next step was to artificially throttle traffic to your server to make sure that your server isn’t overloaded when lots of traffic comes through. Step four is to create honeypots with many vulnerabilities to trick attackers, as well as study how they got in to implement patches to those exploits in your main server. Another step is to have aggressive caching in place to make the most common parts of your server ready to display on the web so users can still access the information, keeping availability somewhat intact. Lastly, the reading recommends using a cloud provider who has dedicated servers and resources to prevent common DDoS attacks from occurring. Unfortunately, for smaller businesses, the cost may be too great to consider this route.
This article mainly illustrates DDoS (Distributed Denial of Service Attack). A DDoS uses a lot of zombie computers or infected computers, which are under the control of the attacker, to make a flood attack on targeted victim servers and prevent legitimate users from accessing the server.
A DDoS attack is difficult to detect and mitigate because of the following reasons: Firstly, most zombie computers do not use a fixed IP address. Secondly, the zombie computers send requests to reflector computers, which makes the reflectors send huge reply packets to the victim server. Thirdly, these attacks have a high transmission speed, faster than an individual organization’s.
It’s hard to prevent DDoS attacks, but one can take the following methods to mitigate the risk of DDoS.
1. Identification of statistical patterns of DDoS attacks.
2. Having alternate network paths and applying load balancing for incoming traffic.
3. Controlling and limiting the maximum incoming traffic.
4. Using a honeypot to study the pattern of the hackers’ attacks.
5. Using aggressive caching so as not to occupy the CPU’s time.
6. Hosting on cloud infrastructure to let professional security staff manage DDoS attacks.
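Item 3 of the list above, controlling and limiting the maximum incoming traffic, as an added example of a per-client token-bucket limiter (not code from the article or the post). The client addresses and request timings are constructed; the steady client is accepted throughout, while the bursty one keeps only its burst allowance plus the sustained rate.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    """Classic token bucket: 'capacity' tokens of burst, refilled continuously."""
    capacity: float
    refill_per_sec: float
    last: float = 0.0
    tokens: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity   # a new client starts with a full burst allowance

    def allow(self, now: float) -> bool:
        """Refill for the time since the last call, then spend one token if possible."""
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class RateLimiter:
    """One bucket per client key (here a source address); unseen clients get a fresh bucket."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, last=now)
            self.buckets[client] = bucket
        return bucket.allow(now)

def build_sample() -> list[tuple[float, str]]:
    """Constructed request stream: one steady client (2 req/s for 10 s) and one
    abusive client (16 req/s for 2 s, starting at t=2). Timestamps are exact
    binary fractions so the refill arithmetic is deterministic."""
    steady = [(i * 0.5, "192.0.2.10") for i in range(20)]
    burst = [(2.0 + i / 16, "203.0.113.7") for i in range(32)]
    return sorted(steady + burst)

def summarize(requests: list[tuple[float, str]],
              limiter: RateLimiter) -> dict[str, tuple[int, int]]:
    """Feed requests in time order; return {client: (accepted, throttled)}."""
    accepted: dict[str, int] = {}
    throttled: dict[str, int] = {}
    for ts, client in requests:
        if limiter.allow(client, ts):
            accepted[client] = accepted.get(client, 0) + 1
        else:
            throttled[client] = throttled.get(client, 0) + 1
    clients = set(accepted) | set(throttled)
    return {c: (accepted.get(c, 0), throttled.get(c, 0)) for c in sorted(clients)}

if __name__ == "__main__":
    # Burst of 5 requests, then 4 requests/second sustained, per client.
    print(summarize(build_sample(), RateLimiter(capacity=5, refill_per_sec=4.0)))
```

Per-source throttling contains a single bursty client; a flood spread across many spoofed sources only shows up in aggregate, which is why the list pairs it with pattern identification and upstream load balancing or cloud mitigation.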
It is imperative for a team to leverage those mitigation strategies, as they can not only help prevent current attacks, but provide insight for future attacks. Also something that struck me from this reading was that honeypots are not used very often. For me, I felt like not only do they help in prevention but they provide info on how the attackers conducted their attack. My guess is that attackers have become smart enough to know when there is a “dummy server”, otherwise it would not be smart to not include one in your security.
I found it particularly interesting how easily a DDoS attack can be accomplished and remain completely untraceable to the source. Spoofed-IP DNS attacks use “zombie” computers to query the victim’s servers simultaneously. SYN Flood attacks open connections, again using “zombie” computers, to force the victim server to send acknowledgement receipts. All are managed by handler computers. Encryption protects attackers from detection.
The key takeaways are to identify patterns in the traffic, have alternate network paths, use rate-limiting or throttling configuration, and have honeypots to lure attackers.
This article delves deeper into DoS attacks with an explanation of a DDoS attack, or distributed denial of service attack. The difference between a DoS and a DDoS attack is the zombie computers involved. An attacker will compromise numerous victim computers by installing what is known as a zombie agent or bot. These bots can then receive instructions from the attacker at their master computer or command and control server. The attacker sends commands that are then carried out by the bots. This traffic can be difficult to track as, more often than not, the traffic containing the instructions will be encrypted. With DDoS attacks, the attacker instructs the zombies to DoS a specific IP. That way the source IPs of the attack are the bots’ IPs and not the attacker’s IP. Many times these botnets are even rented out for hire on the black market.
Hi Anthony…
I agree with you. This article helped me see how simple a DDoS attack is and how the method of using zombie servers and bots in a network completely obscure the identity of the hacker. Hackers don’t even have to go through the hassle of finding vulnerable servers to run their botnets off of because it is so easy to buy botnets on the black market.
Distributed denial of service attacks can make a lot of computers attack at the same time, making the target unable to be used normally. Distributed denial of service attacks have already happened many times and have caused many large websites to become unable to operate, so they not only affect the normal use of the user but at the same time cause very large economic losses. A Distributed Denial of Service (DDoS) attack can forge the source IP address during the attack, which makes the concealment of this attack very good when it happens. At the same time, it is very difficult to detect the attack. Therefore, this attack has become a very difficult attack to prevent. For a DDoS attack, an attacker probably needs to go through three main steps: knowing the target, capturing the puppet machines, and actually attacking. Not only for DDoS, but for all network attacks, we should take defense measures as carefully as possible, strengthen the detection of the system, and establish a rapid and effective response strategy.
Hi, Junhan, I totally agree with your points. I also think a DDoS attack is difficult to detect and mitigate because of the following three reasons: Firstly, most zombie computers do not use a fixed IP address. Secondly, the zombie computers send requests to reflector computers, which makes the reflectors send huge reply packets to the victim server. Thirdly, these attacks have a high transmission speed, faster than an individual organization’s.
This reading focused on Distributed Denial of Service attacks. What I found interesting were the countermeasures that can be used to mitigate the risk of a DDoS attack. One of the methods of mitigation included honeypots. They are a less common mitigation where dummy servers are set up with vulnerabilities to study the attack patterns, intentions and possibly attack sources. I have observed honeypots being used for external hackers as well as threats from internal sources. Honeypots are used after a user has exhibited unusual behavior in their day-to-day work, accessing information that was not relevant to their job. An image of their workstation and fake files and objects are placed on an offline server to complete forensics and identify more evidence of wrongdoing. It is interesting to watch the behaviors and accumulation of methods.
This article was very informative about DDoS attacks. DDoS is an acronym for Distributed Denial of Service Attack. In this attack a lot of “zombie” or infected computers that are under the control of the attacker are used, either directly or indirectly, to flood the targeted server. I just thought this is a really notorious way to leverage the infected computers to expand and infect more computers.
Hi Prince. This is interesting. There are a lot of zombie or infected computers that are under the control of the attacker to flood the target’s server, so it is overloaded and not able to take in more requests.
In this reading, it is apparent that DDoS attacks are not easy to defend against. What makes it difficult is the fact that there are layers between the attacker and the target/victim server. The attack can be made further sophisticated by encryption of traffic, making it difficult to trace/identify the attacker. Another obstacle to detecting DDoS attacks is an instance where zombie computers spoof the IP address of the target/victim. In such a case the attack happens without a clear path linking back to the attacker, hence it is almost impossible to defend against.
On the methods of defense highlighted in this article, most can only defend against small DDoS attacks. When the number of zombies is increased, there is little to no chance of completely defending against the attack. However, some defense is better than none, and applying alternate network paths and load balancing, rate-limiting/throttling are more effective at defense against DDoS attacks in most cases.
DDoS stands for Distributed Denial of Service attack. It is a form of attack where a lot of zombie computers are used, either directly or indirectly, to flood the targeted victim server with a huge amount of information and choke it in order to prevent legitimate users from accessing it. The reason why this kind of attack is hard to detect and mitigate is that unsuspecting users’ computers are used as zombies to carry out the attacks against the victim server, so it is difficult to trace down the actual attacker. And sometimes the zombie computers do not directly communicate with the victim servers; instead they spoof the IP address of the victim server and send requests to a large number of reflector computers. Some of these attacks are in the range of multiple Gigabits per second.
There are two types of DDoS services addressed in the article; one is when the attacker floods the internet’s bandwidth so it cannot perform as normal, the other is when the attacker targets vulnerabilities on the server so it cannot handle legitimate requests.
When a DDoS attack happens, the zombie computers that are using the spoofed IP address of the victim server overload the DNS servers. These zombie computers all simultaneously query the DNS server, as the DNS server tries to respond back, it takes up all available bandwidth of the victim server. For example, they used was a Syn Flood attack, these zombie devices is able to open up multiple connections to the server using syn requests. These devices have to respond with “ACK” when prompted by the server’s “SYN-ACK” acknowledgment, because there is no response, the victim server is unable to close down that connection. When the DDoS targets vulnerabilities in applications on the server, they are able to cripple the server’s CPU, RAM, buffer memory. This renders the server unable to process legitimate requests.
Hi Mei,
I agree with your point. When I think of the actual working principle of DDoS, I usually think of drowning and destroying the network. Obviously, there are more ways to “refuse to serve”, but we usually associate DDoS with network traffic.
Hi Mei,
I find the second type difficult to defend against especially since the zombie computers spoof the IP address of the target victim. The attack can be further sophisticated by encryption of traffic between the attacker ad the zombies making it hard to trace back and identify the attacker.
Distributed denial of service attacks can cause many computers to be attacked simultaneously, making the target of the attack unusable. Distributed denial of service attacks has occurred many times, causing many large websites to be unable to operate. This will not only affect the regular use of users but also cause huge economic losses. Distributed denial-of-service attacks can forge the source IP address when attacking. The concealment of this kind of attack is excellent, and it is also challenging to detect the attack. This type of attack has also become a complicated attack to prevent.
A complete DDoS attack system consists of four parts: the attacker, the master, the agent, and the target. The primary control end and the proxy end are respectively used to control and actually launch an attack. The direct control ends only issues commands and does not participate in the actual attack, and the proxy end sends out the actual DDoS attack package. The attacker has control or partial control of the computers on the host and agent. During the attack, it will use various means to hide from being discovered by others. Once the real attacker sends the attack command to the host, the attacker can shut down or leave the network. The master issues the command to each agent host. This way, the attacker can evade tracking. Each attacking proxy host sends a large number of service request data packets to the target host. These data packets are disguised and cannot be identified from their source. Moreover, the services requested by these data packets often consume a lot of system resources, making the target host unable to do so. Users provide regular services. It even causes the system to crash.
Hi, Zibai
Thanks for your sharing. One way to prevent distributed denial of service attack is to implement multi-level protection strategy. This includes advanced intrusion prevention and threat management system composed of firewall, VPN, anti spam, content filtering, load balancing and other DDoS Defense Technologies. Together, they provide consistent network protection against DDoS attacks. Most standard network devices have limited DDoS mitigation options, so companies can outsource some other services.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS is usually difficult to detect and mitigate, it may result in website unavailable, server and hosting issues, website vulnerability and so on. The document list 7 steps to preventing DDoS attacks. By filtering systems, user can identify and filter illegitimate traffic while simultaneously allowing legitimate traffic and to identification of statistical patterns of DDoS attacks. Having a alternate network paths can handled more traffic and help to reduce the risk posed by DDoS attacks. Rate-Limiting or throttling can controlled the maximum incoming traffic and any additional traffic could be throttled to prevent the server from going down. Honeypots, aggressive caching, hosting / DDoS mitigation for the website, zombie computers are also the positive preventing methods to the DDoS.
A distributed denial of service (DDoS) attack is executed by overloading a system internet bandwidth or hardware with tons of requests and ultimately affects the system’s performance and availability. These attacks are performed by infecting computers through malicious software, which adds them to a botnet. The botnet can be controlled through a command and control server (C2) server to coordinate an attack. Once an attacker has a botnet large enough to disrupt a system, they’re ready to attack. The article mentions, the misuse of the TCP/IP network protocol as one method of performing a DDoS attack. For example, a botnet computer will initiate the TCP three-way handshake with the target by sending a SYN. The target will respond with a SYN-ACK, however, the botnet computer will not finish the connection by sending an ACK. This leaves the TCP connection still open, and the protocol will always try to resend the SYN-ACK to finish and close the connection. As many connections remains open, that is internet bandwidth and CPU resource being consumed. Another method of DDoS that was not mentioned in the article is called a Ping Flood, which misuses the ICMP protocol. One mitigation for DDoS attacks is by monitoring the network traffic and establishing a baseline for what is considered normal/standard traffic. Once the baseline is established, anomalies discovered in the network traffic can be filtered and blocked.
Hi Anthony,
I also noticed the Ping flood was not included in the article yet it is the most simple and common DDoS attack. However this only works for small network attacks since it requires the attacker to match or exceed the target/victims network bandwidth.
I learned from this article why it is difficult to detect DDoS attacks and how to mitigate them. What I find interesting is that there are many ways to mitigate this type of attack, but organizations rarely use them. Honeypot, for example, is an interesting technology, which is basically a set of traps for detecting attack intentions and sources. Honeypot lures the attacker into the system, so that the administrator can monitor the attacker’s exploitation of system vulnerabilities, so as to find out the existing vulnerabilities and the vulnerabilities that need to be repaired.
A key point is that although it is difficult to detect and mitigate this problem, organizations must take control measures to protect and detect DDoS. Applying alternate network paths is an example of reducing attack risk.
One key point I took away from this reading is as to why DDoS attacks are difficult to detect and mitigate. As per this article, the attacker uses unsuspecting user’s computers to carry out the attacks against the victim server which makes it difficult to trace down the actual attacker. This article mentions various ways to mitigate the DDos attacks and one of them is honeypots which is baiting a trap for hackers. It basically attracts cyber attacks like a decoy. Honeypot involves setting up of dummy servers with maximum vulnerabilities that are exposed to hackers as legitimate servers. When the hackers attack these systems, it’s possible to study the attack patterns, attack intentions and even find out attack sources. A honeypot acts as a information tool that can help understand existing threats and spot the emergence of new threats.
I like your summary about the honeypots. One thing organizations have to avoid is making the honeypot too easy to attack. This can often be a red flag for the attacker and makes them realize they are attacking a honeypot. When this happens, they will stop attacking.
The goal of distributed denial of service attack is to pour large amounts of information into the target server so that it can no longer allow the actual user to access it. This is achieved by hackers using multiple computer controls. The difference between denial of service attacks and distributed denial of service attacks is that for DDoS, there are processors/control computers, proxy/zombie computers, and reflection/amplification networks, rather than typical attackers / main computers and victim/attack servers. DDoS attacks are harder to detect because there are multiple IP addresses associated with the zombie computer – they may even use the IP address of the victim server to attack. There are many ways to mitigate DDoS attacks, such as filtering illegal traffic, load balancing, throttling, using honeypot, active caching, and cloud infrastructure hosting.
Hi, Haozhe. I agree that DDoS is more complicated to detect because it is not easy to find the fixed IP or IP sequence from the zombie computers. Although someone can identify where the zombie computer is attacking the Internet, the attacker will summon more computers to shut down the Internet.
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks can look like many of the non-malicious things that can cause availability issues – such as a downed server or system, too many legitimate requests from legitimate users, or even a cut cable. It often requires traffic analysis to determine what is precisely occurring. The most common DDoS attacks are Ping of Death, SYN Flood and UDP Flood. The Ping of Death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. This causes the system to become overwhelmed and crash. A SYN Flood aims to make a server unavailable to legitimate traffic by consuming all available server resources by repeatedly sending initial connection request (SYN) packets. A UDP Flood is an attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond.
DDoS attacks are very serious and hard to mitigate. If an attacker has a large enough network, they can have thousands of computers attempting to SYN flood or ping a network or specific target. Users can sometimes block that particular IP to help prevent the DDoS, but it’s often a losing battle. This causes availability issues for the end users and is often very frustrating. Depending on the level of attack, it could cause the service to completely shut down due to the inability to keep up with the requests. Because of this, many organizations are forced to create countermeasures and preventions to combat these attacks. The article shows many of the mitigations you can use at the very end, such as honeypots, load balancing, rate limiting and many other options. At our organization, we had to enable load balancing and rate limiting to account for regular use by customers. Attackers often push these limits even further.
The steps for prevention and mitigation of DDoS stood out to me from this reading. It states that while these attacks are difficult to prevent/mitigate, the proper techniques can greatly assist a security team in the event that one does occur. Observing statistical patterns of DDoS attacks and comparing them to live traffic patterns can provide a team crucial information for identifying these early on. The document stresses that it is possible to identify and filter illegitimate traffic while simultaneously allowing legit traffic through. The use of filtering systems, whether automated or manually conducted, would assist a team in this situation. Honeypots are also used as a mitigation technique, as these are set up as ‘dummy servers’ including maximum vulnerabilities that are exposed to entice hackers to believe they are true servers. This allows a security team to analyze the way that the attackers conduct their attack and notate those findings for further use to protect the legitimate servers. It is noted that not many organizations use these; however, due to the information that you can obtain from an attacker hitting one of these, they could provide much more important information, and therefore I would say this is an underutilized technique.
It is complicated to detect the DDoS attacker because the network administrators cannot find any fixed IP address or IP address sequence from the zombie computers that are used to attack the Internet. Even though you can identify where the zombie computer is attacking the Internet, the attacker will summon more computers to shut down the Internet. Moreover, I found that Amazon Web Services suffered a DDoS attack in February 2020. According to Security Boulevard, the attacker targeted an unidentified AWS customer using a technique called Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection, which relies on a third-party CLDAP server. I think that the company should have alternate network paths and apply load balancing to run the network and reduce the DDoS attacks. These methods work efficiently in small DDoS attacks, and the traffic can be kept under control.
https://securityboulevard.com/2020/09/top-five-most-infamous-ddos-attacks/#:~:text=Amazon%20Web%20Services%2C%20the%20800,Access%20Protocol%20(CLDAP)%20Reflection.
Distributed Denial of Service (DDoS) attacks are a constant problem that many organizations face working in the modern Internet-based world. Thankfully, this reading pointed out ways to prevent or lessen the chance of a DDoS attack occurring. The first step was to view other DDoS attacks to find patterns and use that data to filter out illegitimate traffic. Another step was to create other paths to your network to decrease traffic, such as making redundant servers. The next step was to artificially throttle traffic to your server to make sure that your server isn’t overloaded when lots of traffic comes through. Step four is to create honeypots with many vulnerabilities to trick attackers, as well as study how they got in to implement patches for those exploits in your main server. Another step is to have aggressive caching in place to make the most common parts of your server ready to display on the web so users can still access the information, keeping availability somewhat intact. Lastly, the reading recommends using a cloud provider who has dedicated servers and resources to prevent common DDoS attacks from occurring. Unfortunately, for smaller businesses, the cost may be too great to consider this route.
This article mainly illustrates DDoS (Distributed Denial of Service) attacks. A DDoS attack uses a lot of zombie computers or infected computers, which are under the control of the attacker, to make a flood attack on targeted victim servers and prevent legitimate users from accessing the server.
A DDoS attack is difficult to detect and mitigate because of the following two reasons: Firstly, most zombie computers do not use a fixed IP address. Secondly, the zombie computers send requests to reflector computers, which make the reflectors send huge reply packets to the victim server. Thirdly, these attacks have a high transmission speed, faster than an individual organization’s.
It’s hard to prevent a DDoS attack, but one can take the following methods to mitigate the risk of DDoS:
1. Identification of statistical patterns of DDoS attacks
2. Having alternate network paths and applying load balancing for incoming traffic.
3. Controlling and limiting the maximum incoming traffic
4. Using honeypots to study the pattern of the hackers’ attacks.
5. Using aggressive caching so as not to occupy CPU time.
6. Hosting on cloud infrastructure to let security professionals manage DDoS attacks.
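The SYN Flood pattern described earlier (SYNs that never complete the handshake) and mitigation steps 1 and 3 (statistical pattern identification, limiting incoming traffic) as an added, runnable example; this is not code from the article or from any poster. The handshake events, thresholds and bucket rate are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of TCP handshake events as a monitor on the victim side
# might record them: (source_ip, flag). Normal clients complete the handshake
# (SYN, then ACK); the flooding source sends SYNs and never ACKs.
SAMPLE_EVENTS = (
    [("10.0.0.5", "SYN"), ("10.0.0.5", "ACK")] * 3
    + [("10.0.0.7", "SYN"), ("10.0.0.7", "ACK")]
    + [("203.0.113.9", "SYN")] * 40            # constructed flooding source
)

def half_open_ratio(events):
    """Per source: (SYNs seen, ACKs seen, fraction of connections left half-open)."""
    syn, ack = defaultdict(int), defaultdict(int)
    for src, flag in events:
        if flag == "SYN":
            syn[src] += 1
        elif flag == "ACK":
            ack[src] += 1
    return {s: (syn[s], ack[s], (syn[s] - ack[s]) / syn[s]) for s in syn}

def suspected_syn_flooders(events, min_syn=20, min_ratio=0.9):
    """Step 1: sources whose statistics match the SYN Flood pattern (assumed thresholds)."""
    stats = half_open_ratio(events)
    return sorted(s for s, (n, _, r) in stats.items() if n >= min_syn and r >= min_ratio)

class TokenBucket:
    """Step 3: per-source throttle allowing `rate` requests/s with a burst of `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.buckets = {}                     # src -> [tokens, last_timestamp]

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, [self.capacity, now])
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill
        allowed = tokens >= 1
        if allowed:
            tokens -= 1
        self.buckets[src] = [tokens, now]
        return allowed

def throttle(events, rate=2.0, capacity=5):
    """Feed SYNs through the bucket at 10 ms spacing; return accepted SYNs per source."""
    tb = TokenBucket(rate, capacity)
    accepted = defaultdict(int)
    for i, (src, flag) in enumerate(events):
        if flag == "SYN" and tb.allow(src, now=i * 0.01):
            accepted[src] += 1
    return dict(accepted)   # legitimate clients keep all their SYNs, the flooder only its burst
```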
Zhen,
It is imperative for a team to leverage those mitigation strategies, as they can not only help prevent current attacks, but provide insight for future attacks. Also something that struck me from this reading was that honeypots are not used very often. For me, I felt like not only do they help in prevention but they provide info on how the attackers conducted their attack. My guess is that attackers have become smart enough to know when there is a “dummy server”, otherwise it would not be smart to not include one in your security.
I found it particularly interesting how easily a DDoS attack can be accomplished and remain completely untraceable to the source. Spoofed-IP DNS attacks use “zombie” computers to query the victim’s servers simultaneously. SYN Flood attacks open connections, again using “zombie” computers, to force the victim server to send acknowledgement receipts. All are managed by handler computers. Encryption protects attackers from detection.
Key takeaways are to identify patterns in the traffic, have alternate network paths, use configuration for rate-limiting or throttling, and have honeypots to lure attackers.
This article delves deeper into DoS attacks with an explanation of a DDoS attack, or distributed denial of service attack. The difference between a DoS and a DDoS attack is the zombie computers involved. An attacker will compromise numerous victim computers by installing what is known as a zombie agent or bot. These bots can then receive instructions from the attacker at their master computer or command and control server. The attacker sends commands that are then carried out by the bots. This traffic can be difficult to track as, more often than not, the traffic containing the instructions will be encrypted. With DDoS attacks, the attacker instructs the zombies to DoS a specific IP. That way the source IPs of the attack are the bots’ IPs and not the attacker’s IP. Many times these botnets are even rented out for hire on the black market.
Hi Anthony…
I agree with you. This article helped me see how simple a DDoS attack is and how the method of using zombie servers and bots in a network completely obscures the identity of the hacker. Hackers don’t even have to go through the hassle of finding vulnerable servers to run their botnets off of because it is so easy to buy botnets on the black market.
A distributed denial of service attack can make a lot of computers attack at the same time, making the target unable to operate normally. Distributed denial of service attacks have already occurred many times and have caused many large websites to become unable to operate, so they not only affect the normal use of users but also cause very large economic losses. A Distributed Denial of Service (DDoS) attack can forge the source IP address during the attack, which makes the concealment of this attack very good when it happens. At the same time, it is very difficult to detect the attack. Therefore, this attack has become a very difficult attack to prevent. For a DDoS attack, an attacker probably needs to go through three main steps: knowing the target, capturing the puppet machines, and actually attacking. Not only for DDoS, but for all network attacks, we should take defense measures as carefully as possible, strengthen the detection of the system, and establish a rapid and effective response strategy.
Hi, Junhan, I totally agree with your points. I also think a DDoS attack is difficult to detect and mitigate because of the following three reasons: Firstly, most zombie computers do not use a fixed IP address. Secondly, the zombie computers send requests to reflector computers, which make the reflectors send huge reply packets to the victim server. Thirdly, these attacks have a high transmission speed, faster than an individual organization’s.
This reading focused on Distributed Denial of Service attacks. What I found interesting was the countermeasures that can be used to mitigate the risk of a DDoS attack. One of the methods of mitigation included honeypots. They are a less common mitigation where dummy servers are set up with vulnerabilities to study the attack patterns, intentions and possibly attack sources. I have observed honeypots being used for external hackers as well as threats from internal sources. Honeypots are used after a user has exhibited unusual behavior in their day-to-day work, accessing information that was not relevant to their job. An image of their workstation, along with fake files and objects, is placed on an offline server to complete forensics and identify more evidence of wrongdoing. It is interesting to watch the behaviors and accumulation of methods.
This article was very informative about DDoS attacks. DDoS is an acronym for Distributed Denial of Service attack. In this attack a lot of “zombie” or infected computers that are under the control of the attacker are used, either directly or indirectly, to flood the targeted server. I just thought this is a really notorious way to leverage the infected computers to expand and infect more computers.
Hi Prince. This is interesting. There are a lot of zombie or infected computers that are under the control of the attacker to flood the target’s server, so it is overloaded and not able to take in more requests.
In this reading, it is apparent that DDoS attacks are not easy to defend against. What makes it difficult is the fact that there are layers between the attacker and the target/victim server. The attack can be made more sophisticated by encryption of traffic, making it difficult to trace/identify the attacker. Another obstacle to detecting DDoS attacks is an instance where zombie computers spoof the IP address of the target/victim. In such a case the attack happens without a clear path linking back to the attacker, hence it is almost impossible to defend against.
On the methods of defense highlighted in this article, most can only defend against small DDoS attacks. When the number of zombies is increased, there is little to no chance of completely defending against the attack. However, some defense is better than none, and applying alternate network paths and load balancing, rate-limiting/throttling are more effective at defense against DDoS attacks in most cases.
DDoS stands for Distributed Denial of Service attack. It is a form of attack where a lot of zombie computers are used, either directly or indirectly, to flood the targeted victim server with a huge amount of information and choke it in order to prevent legitimate users from accessing it. The reason why this kind of attack is hard to detect and mitigate is that unsuspecting users’ computers are used as zombies to carry out the attacks against the victim server, so it is difficult to trace down the actual attacker. And sometimes the zombie computers do not directly communicate with the victim servers; instead they spoof the IP address of the victim server and send requests to a large number of reflector computers. Some of these attacks are in the range of multiple Gigabits per second.