The Hacker’s use of DoS/DDoS
For individuals studying Computer Networking Security or Systems Administration and Security, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common attacks that must be addressed. The basic idea behind a DoS attack is to take down a server at a site (think: Amazon.com or Walmart.com) and make the resource unavailable to users/customers. Building on this, a DDoS attack ramps up the DoS attack by having a network of compromised systems (also known as a botnet) perform the attack simultaneously against the victim network. A DoS attack (think 1-to-1) or DDoS attack (think 1-to-Many) is typically accomplished by overloading the resources of the server so that it cannot process requests from, or provide service to, the intended users. Denial-of-service attacks are designed to deny legitimate users access to system resources. There are many ways a denial of service attack can happen; a few common themes are noted below:
- Manipulating existing vulnerabilities. Known vulnerabilities in software and operating systems are exploited by the attacker. These are catalogued as Common Vulnerabilities and Exposures (CVEs); the list is maintained at https://cve.mitre.org/
- Resource exhaustion. DoS/DDoS exploits use up resources such as memory, processing power, and disk space. This overconsumption locks up a network or a system because of the volume of information "in the pipeline" waiting for the system to process.
- Algorithmic attacks. These are more sophisticated: rather than sending a large volume of traffic, they feed a program input that drives one of its algorithms into its worst case, so that a small amount of input consumes a disproportionate amount of CPU time or memory.
- Bandwidth consumption. The attacker floods the network link with more data than it can carry, so legitimate traffic cannot get through.
Each of these attacks can be executed in different ways, but the main goal is to prevent a legitimate user from being able to use the program or service, or, at a minimum, to degrade service quality.
DoS/DDoS attacks overload a system until it becomes unusable. They take many forms, but they are primarily applications or malicious applets that take more processes or memory allocation area than they should, for example by filling up a file system or allocating all of a system's memory. DoS/DDoS attacks result in loss of service: either a host or a server system is rendered inoperable or a network is rendered inaccessible. DoS/DDoS attacks are launched deliberately by an intruder (the preferred term for attacker in this context). Systems and networks that are compromised are referred to as the victims. While DoS attacks can be launched from the intruder's own system, they are often launched by an automated process that allows the intruder to start the attack remotely with a few keystrokes. These programs are known as daemons, and they are often placed on another system that the hacker has already compromised. There are four basic types or categories of DoS/DDoS attack:
- Saturation. This type of attack seeks to deprive computers and networks of scarce, limited, or nonrenewable resources that are essential in order for the computers or networks to operate. Resources of this type include CPU time, disk space, memory, data structures, network bandwidth, access to other networks and computers, and environmental resources such as cool air and power.
- Misconfiguration. This type of attack destroys or alters configuration information in host systems, servers, or routers. Because poor or improperly configured computers may fail to operate or operate inadequately, this type of attack can be very severe.
- Destruction. This type of attack results in network components being physically destroyed or altered. To guard against this type of attack, it is necessary to have good physical security to safeguard the computers and other network components.
- Disruption. This attack interrupts the communications between two devices by altering state information such as the state of a TCP virtual connection such that effective data transfer is impossible.
DoS/DDoS attacks are best prevented; handling them in real time (while the attack is occurring) is much more difficult. The most important way to protect a system is to harden the operating system. Here are a few of the main ways (out of many) to address DoS/DDoS:
- Install software with security in mind.
- Monitor sites to be aware of security vulnerabilities.
- Maintain the latest versions of software where possible.
- Install all relevant security patches.
A large measure of the prevention consists of packet filtering at network routers. Because attackers frequently hide the identity of the machines used to carry out the attacks by falsifying the source address of the network connection, techniques — known as egress filtering and ingress filtering — are commonly used as protective measures. Egress and ingress filtering are methods of preventing packets from leaving or entering the network, respectively, with an invalid source address. Blocking addresses that do not fit the criteria for legitimate source addresses and making certain that all packets leaving an organization’s site contain legitimate addresses can thwart many DoS/DDoS attacks.
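The egress and ingress filtering described above, written out as a decision routine over a handful of constructed packets (this is an added example, not code from the original article; the site's address space and the sample traffic are hypothetical, and the `Packet`, `filter_packet` and `count_drops` names are mine):

```python
import ipaddress
from collections import namedtuple

# Constructed example, not from the article: BCP 38-style source-address
# filtering at the edge router. The site's address space is hypothetical
# (RFC 5737 documentation ranges).
ORG_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]
# Sources that should never arrive from the Internet ("bogons"): unspecified,
# private, loopback, link-local and multicast ranges.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
# direction: "in" = arriving from the Internet, "out" = leaving the site
Packet = namedtuple("Packet", "src dst direction")

def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)

def filter_packet(pkt):
    """Return 'permit' or 'drop' for one packet at the edge.
    Egress: a packet leaving must carry one of our own source addresses,
    otherwise an inside host is spoofing. Ingress: a packet arriving must
    not claim one of our addresses or a bogon as its source."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        return "permit" if _in_any(src, ORG_PREFIXES) else "drop"
    if pkt.direction == "in":
        spoofed = _in_any(src, ORG_PREFIXES) or _in_any(src, BOGON_PREFIXES)
        return "drop" if spoofed else "permit"
    raise ValueError(f"unknown direction {pkt.direction!r}")

def count_drops(packets):
    """Run filter_packet over a batch and count drops per direction."""
    drops = {"in": 0, "out": 0}
    for pkt in packets:
        if filter_packet(pkt) == "drop":
            drops[pkt.direction] += 1
    return drops

# Constructed sample traffic mixing legitimate flows with spoofed ones.
SAMPLE = [
    Packet("203.0.113.10", "93.184.216.34", "out"),  # legitimate egress
    Packet("8.8.8.8", "93.184.216.34", "out"),       # inside host spoofing a foreign source
    Packet("93.184.216.34", "203.0.113.10", "in"),   # legitimate ingress
    Packet("203.0.113.99", "203.0.113.10", "in"),    # outsider claiming one of our addresses
    Packet("10.1.2.3", "203.0.113.10", "in"),        # private (bogon) source from outside
]

if __name__ == "__main__":
    print(count_drops(SAMPLE))  # {'in': 2, 'out': 1}
```

The egress rule is the one that stops a compromised host on your own network from taking part in a spoofed flood against someone else; the ingress rule protects you from packets that pretend to come from inside.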
Load balancing is another option for handling DoS/DDoS attacks. Products from the vendor F5 (one example among several vendors) can provide load balancing and geographic failover. F5 can distribute requests "round robin" across multiple web front ends so that the organization has increased capacity and bandwidth. This may buy the network administrator time to divert suspicious traffic.
The future may also bring additional DoS/DDoS attacks. The coming fifth generation (5G) wireless broadband technology will likely increase the ability of hackers to execute DoS attacks (Paez, 2018). Interwoven with 5G, IoT (Internet of Things) devices can be problematic. The 2016 Dyn DDoS attack was accomplished by hackers taking over thousands of IoT devices, such as cameras, printers, and baby monitors, to create a "botnet" that was then used to bring down the Dyn servers by overloading their resources. The author argues that with the much greater speeds available with 5G technology, devices will be able to consume far greater resources, and it will take far fewer IoT devices to execute a similar attack (Paez, 2018).
DoS/DDoS attacks are one of the many tools attackers use to overwhelm systems. As systems and network administrators, we will continue working to mitigate the issues surrounding DoS/DDoS attacks, which promise to escalate as newer technologies are introduced to the market.
Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, sixth edition. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=63501
F5. (n.d.). Mitigating DDoS attacks with F5 technology. Retrieved from https://www.f5.com/services/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
Paez, D. (2018, August 22). With 5G, cybersecurity researchers see a hotbed of security risks. Inverse. Retrieved from https://www.inverse.com/article/48293-5g-future-cybersecurity-risks
Tipton, H. F., & Krause, M. (2007). Information security management handbook, sixth edition, volume 1. [Books24x7 version] Available from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=26438
About the author.
Dr. Ron McFarland, CISSP, PMP is the Dean of Applied Technologies at the College of the Canyons in Valencia, California, on temporary assignment as the Cyber Security Program Manager working to support a regional cyber security educational initiative for the South Central Coast Regional Consortium (SCCRC) in California. He also teaches as a Part-Time Associate Professor in Cyber Security Studies and is a post-doctoral scholar for the University of Maryland University College. He received his doctorate from Nova Southeastern University's School of Engineering and Computer Science and a graduate certificate in Cyber Security Technology from the University of Maryland University College. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications. He is a guest blogger at Wrinkled Brain Net (http://www.wrinkledbrain.net), a blog dedicated to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his College of the Canyons email: firstname.lastname@example.org or his UMUC email: email@example.com