A main point I took away from this article was the difficulty often found when trying to pinpoint the origin of distributed denial of service attacks. This first begins when zombies or botnets are used to carry out the attacks, which covers the true attacker’s computer. Also, if any of the zombie computers’ IP addresses are discovered, the attacker can easily summon more zombie computers to carry out the attacks. The issue gets amplified when reflector computers are used, which cause the zombie computers to not need to directly interact with the victim computers. This is done by having the reflector computers send reply packets to the victim servers. Given the magnitude at which distributed denial of service attacks can affect networks, not being able to identify the origin becomes a huge issue. Being able to identify the origin helps companies resolve the attack a lot quicker, as it gives them necessary information required to stop the attack.
The main goal of distributed denial of service (DDoS) attacks is to disrupt traffic to a web server and make it difficult or impossible for legitimate users to access the server. This is done by flooding the web server with an excessive amount of traffic which can either use all of the bandwidth used by the web server or use all of the server’s resources such as CPU and RAM. It is difficult to prevent DDoS attacks because the attacker is usually using a botnet of computers to send requests to the victim server or is making large amounts of DNS queries with a spoofed IP address of the victim server, so when the DNS server responds to the request it goes to the victim server. There are some ways to help mitigate DDoS attacks such as caching as much content on the server as possible (HTML pages), rate-limiting/throttling on how many requests can be accepted over a specific timeframe, load balancing to distribute incoming traffic across multiple servers, and more.
One key point I got from this reading was the difference between a Denial of Service Attack and a Distributed Denial of Service Attack, from the perspective of the components that would be involved in each attack. I was familiar with the difference from prior reading and experience, but I thought it was a good way to break down the elements of an attack: attacker/master and victim/attacked server which would be the only elements you see in a Denial of Service Attack versus the additional components you could see in a DDoS attack (zombies/botnets, handlers/controlling computers, and reflectors). I thought the corresponding diagram of these five elements was really helpful. One thing I was not familiar with before reading this was the role the reflector layer could play and how that could magnify the attack to make it more effective. The complexity involved in the different elements of the DDoS attack in particular highlights how challenging it is to defend against.
DDoS attacks are an attempt by the attacker to create so much traffic or congestion to a target internet application, that it delays the traffic flow for the application user. What they will experience as a result of this attack is a drastic drop in speed, or even a complete outage that they don’t normally see on a daily basis. The attacker may have access to a network of hacked or compromised computers across the internet (i.e. IoT devices, personal computers, other servers on the internet). All of these attacks are at the control of the attacker which is called a Botnet, because now the attacker can remotely control this network of hacked computers as if they were an actual robot.
I thought you did a fantastic job summarizing the reading in a paragraph. You hit all the points and details. Your explanation and observations were much appreciated.
The Distributed Denial of Service Attack (DDoS) is a form of attack that uses many zombie computers to inject a large amount of information into the target server and cause a blockage. Most of the time, the zombie computers’ users are not aware that they are being utilized by attackers. It might also lead the web servers to degrade their services. It is hard to detect and mitigate the DDoS by tracing down the actual attacker. There are two types of DDoS attacks: attacks that target the network and choke the internet bandwidth used by the victim server, and those that weaken server resources (such as CPU, RAM, buffer memory, etc.) and make the server unable to process any legitimate requests. There are a couple of ways to prevent or mitigate DDoS, for example, throttling, honeypots, aggressive caching, and so on.
I learned about DDOS which is an attack that controls multiple infected computers into directly or indirectly flooding the targeted servers. I learned that Distributed Denial of Service attacks are difficult to detect and mitigate because the user’s computers are being used unknowingly to attack against its own server. The owner of the computer itself is not aware of any attacks being done. Also, there are no IP addresses for zombie computers that use broadband. The attacker can always summon more computers, so this attack can then overwhelm the server and cause it to crash. This attack is very sophisticated in that they can spoof IP addresses of infected computers and send requests to reflector computers that aren’t infected, which in turn automatically send huge replies to the victim servers, causing them to crash. This means that if the IP addresses are identified and blocked, it would be the reflector computers being blocked, which are not the ones truly infected.
One thing I learned from this article is how simple but dangerous DDoS attacks are. It is a form of attack where a lot of zombie computers are used to either directly or indirectly flood the targeted server. The flood of incoming requests to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems. There are two basic categories of DDoS attacks. Network-centric attacks overload a targeted resource by consuming available bandwidth with packet floods. And application layer attacks overload application services or databases with a high volume of application calls. The most extreme recent DDoS attack is the AWS DDoS Attack in 2020. A 2.3 terabytes-per-second distributed denial-of-service attack, the largest DDoS attack ever recorded.
Hi Wei, I like how you mention that the attack is dangerous, yet simple. 2.3 tbps is actually an insane amount of traffic. The fastest available internet speed in the USA for a normal consumer is 1 gbps. That means that the attack was 2,335.2x more traffic than the fastest normal consumer could have.
An interesting takeaway from this reading is the steps for prevention/mitigation of Denial-of-Service attacks (DDoS), specifically the honeypot option. This approach serves to identify DDoS attacks by setting up dummy servers with maximum vulnerabilities, which are used to lure unsuspecting hackers. This is all in an effort to study the attack patterns, which hopefully results in the reduced likelihood and magnitude of such events. The option is seemingly costly as it would require a significant involvement of technical subject matter experts to study these attack patterns, and there is also the possibility that these honeypots could be used as a resource to launch attacks, be it internally or externally. Perhaps this explains the reason many organizations do not use honeypots.
I found the prevention/ mitigation steps most interesting, and more specifically, the idea of using honeypots. This seems like a bad idea to me unless implemented perfectly, so I understand why few companies use this. The last thing you would want is for a hacker to be caught in the “honeypot,” but actually gain insights into your network, which may lead to future attacks. This also seems like it would be expensive and potentially a waste of money, as the dummy servers may never be used. I also think hackers may be able to identify a honeypot network more easily. Overall, I do think it can be productive, but it has to be implemented perfectly and cannot be the only method of identifying DDoS attacks.
Hi Charlie,
That is an interesting point that you bring up about prevention, particularly honeypots. With honeypots, data security organizations can learn how cybercriminals were able to penetrate the victim’s network. This is vital information since cyber attackers are changing and developing new ways of infiltrating some of the strongest networks, such as the government’s networks; just a few weeks ago the US government became a victim of cyberattacks.
I was a little disappointed in the lack of detail on mitigation or prevention techniques. What I’ve realized is there’s no one overall best way to prevent DoS or DDoS attacks. Each attack can be different and need different remedies to alleviate. I thought the last two mitigation techniques were not very helpful. Hosting your website on the cloud just passes the burden of mitigating the DDoS attack to the cloud provider. I have seen cloud DDoS protection solutions available for locally hosted web servers, though I don’t know much about them. Also mentioning zombie computers being protected before they become zombies isn’t very helpful. There are already millions of infected computers. There are steps that individual users should take, but that won’t help an organization survive a DDoS attack.
I agree, Jon, I thought the article didn’t go into the level of detail that would help us understand the mitigation techniques further. I reached a similar conclusion to you: it’s hard to say which mitigation technique is best, just because every organization is different, so it’s hard to say which technique will work the best. I also like your point on the last 2 techniques not being great; after looking back at the article I agree with you.
This article expanded on the Distributed Denial of Service (DDoS) attacks I read about in Boyle Chapter 4. The diagram was helpful in understanding the difference between a DoS attack vs the DDoS attack. I did not realize how difficult it can be to detect and mitigate DDoS attacks and, depending on the level of the attack, they can cause widespread service outages due to the inability to respond to all of the requests. In order to prevent these attacks, organizations have to create and implement countermeasures and detection techniques. The article references many mitigation strategies organizations can use such as honeypots, aggressive caching, load balancing, rate limiting and other options.
I hit reply too soon…and before I had a chance to proofread!
It was interesting that while there are numerous mitigation strategies mentioned there do not seem to be many prevention and identification strategies available. As an auditor, the prevention controls are always better to have in place than the detection controls.
DDoS attacks are easy to detect and difficult to defend against. Attackers usually use botnets that are usually unsecured, unpatched IoT devices. There are a number of ways to defend against a DDoS attack and all ways have their own pros and cons. Dedicated hardware can be expensive to implement. Service providers are available to carry the load, deflect the attacks and protect the servers and resources.
Hi Jim,
It’s true that IoT devices – which are not as stringently patched or managed as workstations or mobile devices – serve as the best base of attack for someone looking to launch a DDoS against a target. It will probably always be a struggle for organizations to defend against DDoS attacks due to the decentralized nature and wealth of launch points available to would-be attackers.
It’s important to understand from the reading why it’s so difficult to respond to a distributed denial of service (DDoS) attack. They are particularly difficult to detect because of the sheer number of bot machines that are often used to carry out the attack. In a DDoS, a huge collection of machines sends a relatively small number of requests each to the target. Depending on the magnitude of the service degradation, it might seem to the target’s administrators that they are simply experiencing higher-than-usual traffic, and they may even decide to dedicate more resources to increasing the available output from the target. The decentralized nature of the attack is also what makes it difficult to respond to – it’s much harder to block many attack sources than a limited number. Finally, attackers can often activate more bots if some get blocked, and can use reflector machines to carry out the DDoS.
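The two posts above raise a detection problem that is worth seeing in code: the rate-limiting/throttling mentioned earlier in the thread works per source, but the comment above describes a flood where each bot sends only a few requests, so no single source ever trips a per-IP limit. The following Python script is an added example, not code from the article or from any poster. It constructs three minutes of synthetic web-request events (the IP addresses, the 50-requests-per-minute per-source limit and the 5x-baseline alert factor are all assumptions chosen for the demonstration), runs a sliding-window per-source limiter over them, and then runs an aggregate check that compares each minute's request count and distinct-source count against a baseline minute. The single noisy client is caught by both checks; the distributed flood is caught only by the aggregate check.

```python
"""Per-source rate limiting vs. aggregate traffic detection for DDoS.

Added example with constructed data. A per-IP limiter catches one noisy
client; a distributed flood in which every bot stays under the per-IP
limit is only visible in aggregate (requests per window and distinct
sources per window compared with a learned baseline).
"""
from collections import defaultdict, deque

WINDOW = 60          # seconds per analysis window (assumption)
PER_IP_LIMIT = 50    # requests one source may send per WINDOW (assumption)
BASELINE_FACTOR = 5  # alert when a window exceeds 5x the baseline (assumption)


def constructed_traffic():
    """Constructed sample events (timestamp_s, source_ip); not real logs."""
    events = []
    # Normal background traffic for all 180 s: 20 clients, one request per
    # second in total, so 60 requests and 20 distinct sources per window.
    for t in range(180):
        events.append((t, f"192.0.2.{1 + t % 20}"))
    # Window 1 (t=60..119): one misbehaving source sends 300 requests.
    for i in range(300):
        events.append((60 + i // 5, "198.51.100.7"))
    # Window 2 (t=120..179): distributed flood, 600 bots x 3 requests each,
    # every bot far below PER_IP_LIMIT. Bot addresses are made up.
    for b in range(600):
        for r in range(3):
            events.append((120 + (b * 3 + r) % 60, f"100.64.{b // 256}.{b % 256}"))
    return events


def per_source_blocked(events, limit=PER_IP_LIMIT, window=WINDOW):
    """Sliding-window limiter: return the set of sources that sent more than
    `limit` requests inside any `window`-second span."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        while q and q[0] <= ts - window:   # drop timestamps outside the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:
            blocked.add(ip)
    return blocked


def window_stats(events, window=WINDOW):
    """(request count, distinct source count) per fixed window, keyed by
    the window's start time."""
    reqs = defaultdict(int)
    srcs = defaultdict(set)
    for ts, ip in events:
        start = (ts // window) * window
        reqs[start] += 1
        srcs[start].add(ip)
    return {s: (reqs[s], len(srcs[s])) for s in sorted(reqs)}


def aggregate_alerts(stats, baseline_window, factor=BASELINE_FACTOR):
    """Flag windows whose request count OR distinct-source count exceeds
    `factor` times the values seen in the baseline window."""
    base_reqs, base_srcs = stats[baseline_window]
    return {s: (r > factor * base_reqs or n > factor * base_srcs)
            for s, (r, n) in stats.items()}


def analyze(events=None):
    """Run both detectors and return their results for inspection."""
    events = constructed_traffic() if events is None else events
    stats = window_stats(events)
    return {
        "blocked_sources": per_source_blocked(events),
        "window_stats": stats,
        "aggregate_alert": aggregate_alerts(stats, baseline_window=0),
    }


if __name__ == "__main__":
    result = analyze()
    print("per-source limiter blocked:", sorted(result["blocked_sources"]))
    for start, (reqs, srcs) in result["window_stats"].items():
        flag = "ALERT" if result["aggregate_alert"][start] else "ok"
        print(f"window {start:>3}s: {reqs:>5} requests from {srcs:>4} sources -> {flag}")
```

Running it shows the limiter blocking only 198.51.100.7, while the aggregate view flags both the second and the third minute; in the third minute the distinct-source count (620 against a baseline of 20) is the stronger signal, which is why source diversity is worth tracking alongside raw request volume.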
DDoS is an attack that’s actually very simple in theory. All you have to do is flood the server with more traffic than it can handle. Obviously, some of these websites’ servers are so massive that you’d need tens of thousands, if not more, bots to flood these servers. I’ve had some servers before that had minimal RAM, approximately 2GB. Whenever I had a handful of friends on them the server usage % would spike up really high and it would slow down drastically. I’d be interested to see how big some of these servers are.
An important key that I took from this article, An Introduction to (DDoS) or Distributed Denial of Service Attack, is that DDoS attacks can cause great damage to a system and that they are very difficult to mitigate. Organizations can sometimes block the particular IP to help prevent a DDoS attack, but usually, this mitigant fails. The attack can cause availability issues for the customers or users. According to the article, a more effective method of mitigating this risk is by implementing load balancing, honeypots, or rate-limiting. The article also suggests that organizations do research in selecting cloud providers who have committed servers and resources to preventing DDoS attacks from happening.
A key takeaway from this reading was understanding why DDOS attacks are difficult to detect and mitigate. The reading emphasizes that they are difficult to detect as unsuspecting users’ computers are used as zombies to carry out the attacks against the victim server. Also, once an attack computer is identified, more computers can always be summoned by the attacker. While these attacks are difficult to mitigate, it’s assuring to know that there are steps that can be taken to prevent and mitigate the risk of a DDOS attack. Some of these include honeypots, aggressive caching, and having alternate network paths.
Flooding the network with botnets from zombie computers will make it harder to identify where the attack is coming from. DDOS attacks seem common and unfortunately are difficult to identify. This is why proper prevention and a security plan could mitigate some of the risk.