DoS (Denial of Service) Attack
DoS (Denial of Service) is an attack in which the attacker makes a computer or network unavailable to its users. It is done by flooding the computer or network with a volume of traffic that exhausts the available resources: CPU and memory on a computing system, and bandwidth on a network. The resulting unavailability can be temporary or permanent.
DDoS (Distributed Denial of Service) Attack
A DDoS (Distributed Denial of Service) attack is a DoS attack carried out at larger scale using compromised computers known as a botnet. A botnet is a network of compromised computers controlled by the attacker. The botnet floods the target computer or network and depletes its resources. The attacker does not attack the target directly; the attack is carried out through the compromised machines (zombies).
There are many categories of DoS/DDoS attack, each using different techniques. Each category can be performed as either DoS or DDoS, which the attacker decides based on the available tools and resources and on the objective of the attack. Massive-scale attacks are carried out as DDoS using botnets or reflectors.
The following are the categories of DoS/DDoS attack.
Volumetric Attack is where the attacker targets the bandwidth of the network or the capacity of the target, causing congestion so that users cannot reach the network through which the computing service is accessed. The attack is measured in Bits Per Second (BPS).
There are two types of Volumetric DoS attack:
Flood Attack – A large number of packets are sent to the victim, depleting bandwidth and resources and causing denial of service.
Amplification/Reflection Attack – This is a DDoS attack in which, apart from the attacker and the victim, a reflector is also present. The attacker does not attack the victim directly: it sends packets with the victim's spoofed source address to the reflector, which can be a single system or a network of systems. The reflector(s) respond to the victim's IP address (the reflection process), causing Denial of Service. Amplification/Reflection attacks are specific to UDP, because TCP requires a 3-way handshake: reflected TCP packets are out of sync with the victim's TCP state, so the victim drops them by design, as a proper 3-way handshake must precede acceptance of further TCP packets. There is still an impact on the TCP/IP stack, however, because CPU and memory are consumed processing the enormous number of TCP packets before they are dropped.
The following are the various types of volumetric attacks:
UDP Flood Attack – The attacker floods the target at a high rate with spoofed UDP packets addressed to random, non-existent (inactive) UDP ports of the target system. This consumes CPU and memory and causes the target to stop responding to legitimate UDP requests arriving at the server.
ICMP Flood Attack – The attacker floods the target with a high number of spoofed ICMP echo packets, to each of which the target responds with an ICMP echo-reply packet. This depletes CPU and memory and makes the system stop responding to any requests coming to it.
Smurf Attack – The attacker sends a large number of ICMP echo requests with the victim's spoofed source address to a network broadcast address. All the systems on that broadcast network send their replies to the victim, depleting its resources and leading to Denial of Service.
NTP Amplification Attack – The attacker sends a large number of spoofed NTP packets, with the victim's IP address as source, to an NTP server. The NTP server responds to the victim with multiple NTP packets, congesting the victim's system resources and network and causing denial of service.
DNS Attack – The attacker sends a large number of DNS requests to the DNS server from multiple spoofed IP addresses, exhausting the DNS server's resources and leading to DNS Denial of Service.
Switch MAC Flooding – The attacker floods the switch with frames carrying many different source MAC addresses, filling the CAM table so that the switch can no longer learn new MAC addresses and falls back to a broadcast mode in which every frame is flooded out of all ports. MAC flooding is the initial phase of a Sniffing Attack.
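As an added illustration of how a defender recognises the reflection traffic described above (this is example code written for this page, not part of the original article): the records below are constructed flow summaries, and the reflector port list, the 10-second window and the 1 Mbit/s limit are assumptions for the example. Replies from a reflector service that no host on our side ever queried are flagged, and their volume is expressed in bits per second, the unit volumetric attacks are measured in.

```python
from collections import defaultdict

# Constructed flow records (not a real capture), as summarised at the edge:
# (direction, src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("out", "192.0.2.10", 51000, "198.51.100.5", 123, 1, 90),        # our NTP query
    ("in",  "198.51.100.5", 123, "192.0.2.10", 51000, 1, 90),        # its normal reply
    ("in",  "203.0.113.7", 123, "192.0.2.10", 40000, 5000, 2400000),  # never queried
    ("in",  "203.0.113.8", 123, "192.0.2.10", 40001, 5000, 2400000),  # never queried
    ("out", "192.0.2.10", 53001, "198.51.100.53", 53, 1, 60),        # our DNS query
    ("in",  "198.51.100.53", 53, "192.0.2.10", 53001, 1, 120),       # its normal reply
]

# UDP services commonly abused as reflectors (assumed list for the example).
REFLECTOR_PORTS = {53, 123, 161, 1900}

def unsolicited_reflections(flows):
    """Return {victim_ip: bytes} of inbound traffic from reflector ports that
    has no matching outbound request, i.e. replies nobody on our side asked for."""
    requested = {(s, sp, d, dp) for (dirn, s, sp, d, dp, _, _) in flows if dirn == "out"}
    totals = defaultdict(int)
    for dirn, src, sport, dst, dport, _pkts, nbytes in flows:
        if dirn != "in" or sport not in REFLECTOR_PORTS:
            continue
        # Solicited if we sent a request from dst:dport to src:sport.
        if (dst, dport, src, sport) in requested:
            continue
        totals[dst] += nbytes
    return dict(totals)

def exceeds_bandwidth(total_bytes, window_seconds, limit_bps):
    """Volumetric attacks are measured in bits per second: compare the
    unsolicited volume seen in the window against the link's safe limit."""
    return (total_bytes * 8) / window_seconds > limit_bps

def reflection_alerts(flows, window_seconds=10, limit_bps=1_000_000):
    """Victims receiving unsolicited reflector traffic above the limit."""
    return sorted(victim for victim, b in unsolicited_reflections(flows).items()
                  if exceeds_bandwidth(b, window_seconds, limit_bps))
```

The matching step is what separates an amplification attack from ordinary NTP or DNS use: the normal replies in the sample are paired with an outbound query and never counted.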
Protocol Attack is where the attacker targets weaknesses in a system's network protocol stack by exhausting protocol resources. TCP/IP is the most widely used network stack for devices connected to the Internet. In the OSI model, TCP and UDP work at the Transport Layer and IP works at the Network Layer. The attack is measured in Packets Per Second (PPS).
The following are various types of Protocol attacks:
TCP SYN Flood Attack – The attacker exploits the TCP 3-way handshake by sending a large number of SYN packets with multiple spoofed source IP addresses to the victim. The victim replies with SYN/ACK to the spoofed addresses and never receives the final ACK. For each SYN received, a certain amount of memory is reserved while waiting for the ACK, so the TCP stack is denied service and the victim cannot accept any more TCP connections until that memory is released.
Fragmentation Attack – The attacker sends many fragmented packets to the victim. Fragmentation is the process of breaking up packets that are too large to be sent on a network as one unit. Each type of network has an MTU (Maximum Transmission Unit); if a packet is larger than the MTU it must be fragmented before it is sent, and the receiver reassembles the fragments to recover the original packet. The attacker exploits this process: many fragments are sent, and the victim's CPU and memory are consumed reassembling them, resulting in Denial of Service of the IP stack.
Ping Of Death Attack – The attacker sends an oversized packet to the target. The maximum size of an IP packet is 65,535 bytes. The system's TCP/IP stack is not designed to handle a packet larger than that, and attempting to do so leads to a system crash.
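The SYN flood symptom described above, half-open connections accumulating until the listen backlog is full, can be watched for directly. This is an added example for this page, not code from the original article: the packet summaries are constructed, the server address, the backlog size of 256 and the one-second expiry window are assumptions, and the packets are assumed to be in time order.

```python
# Constructed packet summaries (not a real capture): (time, src_ip, src_port, dst_ip, flags)
SERVER = "192.0.2.10"
PACKETS = [
    (0.0, "198.51.100.20", 44000, SERVER, "S"),     # a normal client: SYN ...
    (0.0, SERVER, 80, "198.51.100.20", "SA"),       # ... SYN/ACK from server ...
    (0.1, "198.51.100.20", 44000, SERVER, "A"),     # ... ACK completes the handshake
] + [
    # 300 SYNs from spoofed sources that will never answer the SYN/ACK
    (0.2 + i * 0.001, f"203.0.113.{i % 250 + 1}", 10000 + i, SERVER, "S")
    for i in range(300)
]

def half_open_status(packets, server, backlog=256, window=1.0):
    """Track half-open connections to `server` (SYN seen, no ACK yet).
    Entries older than `window` are dropped as the stack would time them out.
    Returns the peak half-open count and when the backlog was first exceeded."""
    pending = {}     # (client_ip, client_port) -> time the SYN arrived
    peak = 0
    first_exceeded_at = None
    for ts, src, sport, dst, flags in packets:
        if dst != server:
            continue                      # server's own replies are not tracked
        key = (src, sport)
        if flags == "S":
            pending[key] = ts             # memory reserved waiting for the ACK
        elif flags == "A" and key in pending:
            del pending[key]              # handshake completed, slot released
        for stale in [k for k, t0 in pending.items() if ts - t0 > window]:
            del pending[stale]
        peak = max(peak, len(pending))
        if first_exceeded_at is None and len(pending) > backlog:
            first_exceeded_at = ts
    return {"peak": peak, "first_exceeded_at": first_exceeded_at}
```

A legitimate client leaves the table as soon as its ACK arrives, so a high peak relative to the backlog is the flood itself rather than a busy site; on Linux, net.ipv4.tcp_syncookies=1 is the standard mitigation, since SYN cookies let the stack answer SYNs without reserving backlog memory.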
Application Attack – Vulnerabilities in the application are exploited, crashing the application and making it unavailable to users. The attack is measured in Requests Per Second (RPS).
The following are various types of Application attacks:
HTTP GET/POST Attack – The attacker exploits a weakness in the HTTP application, which works at the Application layer of the OSI model. A client uses a web browser to connect to the web server; through HTTP, the user's browser uploads data to or downloads data from the web server. The web server hosts the web site; behind it an application server processes the requests, and all data is stored in a database behind the application server. This is known as a 3-tier architecture (Web <-> App <-> Database). HTTP uses commands to handle data: the GET command retrieves data from the web server and the POST command uploads data to it.
In an HTTP GET Attack, the attacker sends many time-delayed GET requests from multiple spoofed IP addresses, saturating the web server and consuming its resources, which leads to Denial of Service of the web server.
In an HTTP POST Attack, the attacker sends many POST requests from multiple spoofed IP addresses with a complete header but no HTTP body. The HTTP body should carry the data being posted, so the web server keeps waiting for it; this consumes resources and leads to Denial of Service of the web server.
Slowloris Attack – The attacker opens many HTTP requests to the web server but never completes them. The web server reserves resources for each partial request, and this leads to Denial of Service of the web server.
DHCP Attack – The attacker sends a large number of DHCP requests to the DHCP server, exhausting the IP address pool and leading to DHCP Denial of Service.
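The HTTP POST-without-body and Slowloris attacks above both work by holding a connection slot with a request that never completes. The model below, an added example for this page rather than code from the original article or from any real server, shows the two controls a web server uses against that: a deadline for the whole header measured from when the connection opened (not from the last byte received, which a trickling client would keep resetting), and a cap on incomplete requests per client address. The timeout, per-IP limit and sample requests are assumptions.

```python
class PendingRequestTable:
    """Connection slots for requests whose header has not yet completed."""

    def __init__(self, header_timeout=10.0, per_ip_limit=3):
        self.header_timeout = header_timeout   # seconds allowed for the whole header
        self.per_ip_limit = per_ip_limit       # incomplete requests allowed per client
        self.pending = {}                      # conn_id -> [client_ip, opened_at, buffer]

    def open(self, conn_id, client_ip, now):
        """Grant a slot unless this client already holds too many incomplete
        requests. Returns True if the connection was accepted."""
        held = sum(1 for ip, _, _ in self.pending.values() if ip == client_ip)
        if held >= self.per_ip_limit:
            return False
        self.pending[conn_id] = [client_ip, now, b""]
        return True

    def feed(self, conn_id, data):
        """Buffer received bytes. The blank line (CRLF CRLF) ends the header;
        only then does the request leave the pending table. Returns the
        complete header, or None while it is still incomplete."""
        entry = self.pending.get(conn_id)
        if entry is None:
            return None
        entry[2] += data
        if b"\r\n\r\n" in entry[2]:
            del self.pending[conn_id]
            return entry[2]
        return None

    def reap(self, now):
        """Close every connection whose header has not completed within the
        timeout. The deadline is counted from open time, so a Slowloris
        client sending one header line at a time still gets cut off."""
        stale = [c for c, (_, t0, _) in self.pending.items()
                 if now - t0 > self.header_timeout]
        for c in stale:
            del self.pending[c]
        return stale
```

A body that never arrives after a complete POST header is handled the same way in real servers, with a separate body timeout; the principle is identical, so it is not repeated here.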